Certified Security - Specialty


Which Way is Best

Hello team, the way you enabled root detection is through CloudTrail: by enabling CloudTrail logs and then creating a CloudWatch event -> metric filter -> alarm, and then using SNS for notification.

Would one be able to do this by just creating a CloudWatch rule and specifying "Service Name" == "CloudTrail", "Event Type" == "AWS API Call via CloudTrail", and then using a specific operation that looks through CloudTrail logs for root activity? I am not sure what the specific operation would be, but maybe something similar to the metric filtering you used in the video.

Also, CloudTrail and CloudWatch Logs are very similar, as they both keep logs. What is the reason for enabling CloudWatch Logs under CloudTrail? The only reason I can think of is to react to specific calls, but I feel like this can be done just by enabling CloudWatch rules using detail-type "AWS API Call via CloudTrail".

1 Answer

You can receive notifications when the root user logs in using a CloudWatch event as well. More information at the link below: https://aws.amazon.com/blogs/mt/monitor-and-notify-on-aws-account-root-user-activity/

I think if you just need to know when the root user logged in, a metric filter may be better, since using a CloudWatch event might be overkill.

CloudTrail and CloudWatch Logs are different. You use CloudTrail to record all API activities in your AWS account; CloudTrail is enabled by default and records API activities for the past 90 days in the event history. If you want to search/view your API activities for longer than 90 days, you have to create a trail and configure the trail to deliver the log data to either S3 or CloudWatch Logs. You use CloudWatch Logs to store your log data, where you can specify the retention period for the log data, metric filters…
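To make the two approaches in this thread concrete, here is an added example (not code from the course, the answer, or the linked AWS blog post) that evaluates both detections against a few constructed CloudTrail events. The CloudWatch Events rule pattern is assumed for this example: it matches on the event's `detail-type` and on `detail.userIdentity.type == "Root"`, which is the "specific operation" the question is asking about. The metric filter logic reproduces the root-activity filter from the CIS AWS Foundations Benchmark, which is what you would attach to a CloudWatch Logs group fed by a trail. The sample events and account IDs are made up.

```python
"""Compare two ways of detecting root-account activity in CloudTrail data:
a CloudWatch Events rule pattern (no CloudWatch Logs delivery needed) and a
CloudWatch Logs metric filter (needs the trail delivered to a log group).
Every event below is a constructed sample, not a real CloudTrail record."""
import json

# Assumed CloudWatch Events rule pattern. Matching follows the EventBridge
# rules: every key in the pattern must be present and match; a list of
# literals means "any of these values".
ROOT_EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def event_pattern_matches(pattern, event):
    """Subset-match `event` against `pattern`: nested dicts recurse, list
    leaves are OR'd, and a key missing from the event fails the match."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not event_pattern_matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("pattern leaves must be lists of literals")
    return True


def metric_filter_matches(record):
    """Python equivalent of the CIS benchmark metric filter for root activity,
    applied to a raw CloudTrail record in CloudWatch Logs:
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
      && $.eventType != "AwsServiceEvent" }"""
    identity = record.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and record.get("eventType") != "AwsServiceEvent"
    )


def make_event(name, detail_type, record):
    """Wrap a CloudTrail record in the envelope a CloudWatch Events rule sees."""
    return {"name": name, "detail-type": detail_type, "detail": record}


# Constructed samples covering the interesting cases.
SAMPLE_EVENTS = [
    make_event("root-console-login", "AWS Console Sign In via CloudTrail", {
        "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "accountId": "123456789012"},
    }),
    make_event("iam-user-api-call", "AWS API Call via CloudTrail", {
        "eventType": "AwsApiCall", "eventName": "ListBuckets",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    }),
    make_event("root-service-event", "AWS Service Event via CloudTrail", {
        "eventType": "AwsServiceEvent", "eventName": "ExampleServiceEvent",
        "userIdentity": {"type": "Root"},
    }),
    make_event("root-call-invoked-by-service", "AWS API Call via CloudTrail", {
        "eventType": "AwsApiCall", "eventName": "DescribeInstances",
        "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"},
    }),
]


def flag_root_activity(events):
    """Run both detections over the events; returns the names each one flags."""
    return {
        "event_rule": [e["name"] for e in events
                       if event_pattern_matches(ROOT_EVENT_PATTERN, e)],
        "metric_filter": [e["name"] for e in events
                          if metric_filter_matches(e["detail"])],
    }


if __name__ == "__main__":
    print(json.dumps(flag_root_activity(SAMPLE_EVENTS), indent=2))
```

Running it shows the two detections agree on the console login and on ignoring the IAM user and the service event, but the simple rule pattern also fires for a root call made on the account's behalf by a service (`invokedBy` present), which the metric filter deliberately excludes. That gap is worth knowing when choosing between the two: the rule pattern can be tightened with an `exists: false` condition on `invokedBy`, and the metric filter route additionally gives you retained, searchable logs, which is the reason for delivering the trail to CloudWatch Logs in the first place.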

Remi Pactat

I am not sure I understand why, in the blog post you shared, we use a Lambda function, when we can directly set up an SNS message within CloudWatch?
