Analysis of Cloudtrail Data using AWS Quicksight to Know about Count of AccessDenied

2021.10.22

AWS

Is a secure cloud service platform that offers compute power, database storage. content delivery, network, and other functionality to help businesses scale and grow. It is one of the first cloud vendors to start services in the year 2006. It offers all the 3 service models namely IAAS, PAAS, and SAAS. Some of the notable domains in AWS are Compute, Migration, Storage, Network and Content Delivery, Management Tools, Database, Messaging, Security and Identity Compliance, and many more.

Amazon S3

Simple and popular AWS Service for storage. Replicates data by default across multiple facilities. It charges per usage. It is deeply integrated with AWS Services. Buckets are logical storage units. Objects are data added in the bucket. S3 has a storage class on object level which can save money by moving less frequently accessed objects to colder storage class.

AWS Cloudtrail

It is an AWS service that enables governance, compliance, operational auditing, and risk auditing of AWS account. It can log, continuously monitor, and retain account activity related to actions across AWS Infrastructure.

Amazon Athena

A serverless solution, which has an effective data-processing tool. It has high availability by default and doesn't store data. It gives the ability to do SQL queries on top of files stored in S3.

AWS Quicksight

Amazon QuickSight is a scalable, serverless, embeddable, machine-learning-powered business intelligence (BI) service that’s built for the cloud. With QuickSight, you can create and publish interactive BI dashboards that include insights that are powered by machine learning. QuickSight dashboards can be accessed from any device, and you can embed them into your applications, portals, and websites.

Demo

Configuring Cloudtrail Click on trail Making below changes, keep others as default and click next

Choosing Event Types Management Events: Capture management operations such as start instance, delete an instance, create a bucket, delete the bucket, and many similar events.

Data Events: logs existing resources, like someone deletes a bucket, changes configurations of resource, and many similar events.

Insights Events: It identifies unusual activity. Events related to your account are unusual in different parts of the file bucket.

Clicking Data Event Source Cloudtrail store's the events in the above AWS Service

Clicking Next Review and Create Trail Checking S3 Creating IAM User Configuring IAM User Assign Permissions and click next Review and Create User
Copy URL
Login as the User Created Try Changing in Cloudtrail, permission denied
Log out of the user-created and log back as admin user
Go to S3 cloudtrail Go to your region and date to check your file, clicking on one of file's It is very difficult to understand from the above file, hence we use Athena below to simplify below.

The easiest way to work with the Athena table is through Cloudtrail

Go to event history of cloudtrail and click Athena table Click the above created S3Cloudtrail bucket

An Athena Table is created with the above cloudtrail

Go to Quicksight

If it is a new account then you have to click signup and choose your plan, this is pretty basic so clicking on standard is enough for the article. Give it an appropriate name, email address and give access to Amazon S3 buckets of Athena and Cloudtrail.

Click on data sets click on athena Click on custom Sequel, write down the query, and click on confirm query Visualisation result of denied count