Getting AWS CloudTrail alerts via SNS Endpoint

Logging and auditing have been an essential part of troubleshooting application and infrastructure performance. You can instantly spot areas of risk to ensure quick correction and prevention of issues. In this blog, we will explore the AWS CloudTrail service and discuss how integrating it with Squadcast can help you route alerts to the right users for quick and efficient incident response.

Let's get started.

What is AWS CloudTrail and why is it important?

AWS CloudTrail is an Auditing and Logging service for Amazon Web Services (AWS) accounts. It tells you who performed what actions on your resources and when. It enables governance, compliance, operational auditing, and risk auditing. With this service, you can log, monitor, and retain account activity associated with actions across your AWS infrastructure. It gives you the event history of your AWS account activity, like actions taken through:

• AWS Management Console
• AWS SDKs
• Command-Line and other AWS services

This event history can help you during security analysis, resource change tracking, and troubleshooting. Validated log files are invaluable in ensuring the security of resources that run on the cloud.

It is the single most important logging service in AWS as it lets you log and identify all the important activities in an AWS account like,

• Who performed the action (Principle type, Source IP/Service, user agent)
• When it occurred (Date and Time)
• Where it occurred (Region)
• What occurred (API actions performed)
• Resources affected (configuration/parameter info)
• Results of action (success/error associated with result info)

Here is an example of how the event log looks in AWS,

You can get notifications when CloudTrail publishes new log files. This is possible by configuring CloudTrail to send updated information to an Amazon SNS topic whenever a new log file has been sent. Doing so enables you to respond quickly to critical operational events. Let us quickly take a look at Amazon SNS Service, before we jump to the integration part.

What is Amazon Simple Notification Service (SNS)?

It is a managed service offering message delivery from publishers to subscribers. Publishers use this service to communicate asynchronously with subscribers by sending messages to a 'topic'. A topic is a logical access point and communication channel. To receive published messages, users/consumers can subscribe to an SNS topic, using a supported endpoint type.

This service can fan out alerts to millions of subscribers, and it offers capabilities like,

• App to app messages
• App to person messages
• Use of FIFO topics
• Message archiving, filtering, and analytics

Let us now go ahead and see how we can integrate CloudTrail with Squadcast to route alerts via an SNS endpoint.

Setting up CloudTrail-Squadcast Integration

Using AWS CloudTrail Logs via SNS as an Alert Source

Step1: From the navigation bar in Squadcast, on the top left corner pick the applicable Team from the Team-picker and select Services. Next, click on Alert Sources for the applicable Service.

Step2: Search for AWS CloudTrail Logs via SNS from the Alert Source drop-down and copy the Webhook URL, we will be using it in the following steps.

Please Note: For an Alert Source to turn active (indicated by a green dot - Receiving alerts against the name of the Alert Source in the drop-down), you can either generate a test alert or wait for a real-time alert to be generated by the Alert Source.

An Alert Source is active if there is a recorded incident via that Alert Source for the Service in the last 30 days.

Create CloudTrail logs Endpoint in AWS SNS

Now log in to your AWS account and proceed to SNS.

Step1: Click on “Create topic”. Fill in the details as per your requirements and then click on “Create topic”.

Step2: Now inside the topic, click on “Create subscription”. Select the protocol as “HTTPS” and in the endpoint enter the Alert Source Endpoint Webhook URL obtained from the Step 2 of the previous bit. Finally, click on “Create subscription”.

The “Subscription ID” for the subscription should change to “Confirmed” immediately from “Pending Confirmation”. Click on the refresh button to verify the same.

Then you can configure your CloudTrail log alerts and assign this topic as the notification option and you are good to go.

AWS CloudTrail is a highly effective AWS service for cloud logging and auditing. integrating it with Squadcast can help you leverage various incident response and SRE features of Squadcast to keep your systems reliable.

‍

Squadcast is an incident management tool that’s purpose-built for SRE. Get rid of unwanted alerts, receive relevant notifications and integrate with popular ChatOps tools. Work in collaboration using virtual incident war rooms and use automation to eliminate toil.