AWS CloudTrail Audit & Security

🎯 Task 14 Objective: Set up AWS CloudTrail as the audit trail - RECORD EVERY API CALL & EVENT

🔍 CloudTrail Overview

Task 14 enables comprehensive audit logging:

  • 🔍 Management Events: every control-plane API call in the AWS account
  • 📁 Data Events: S3 object access and DynamoDB item-level operations
  • 🚨 Security Monitoring: detect unauthorized access
  • 📊 Compliance: evidence for PCI DSS and ISO 27001 logging requirements
  • 🔗 CloudWatch Integration: near-real-time alerts

Audit Flow: AWS API Calls → CloudTrail → S3 Storage → CloudWatch Analysis → Security Alerts

Prerequisites

  • ✅ S3 bucket for log storage
  • ✅ CloudWatch Logs (Task 12)
  • ✅ Active AWS services to audit

1. CloudTrail Setup (10 minutes)

1.1. Create S3 Bucket for CloudTrail Logs

# Create a dedicated bucket for CloudTrail logs
aws s3 mb s3://vinashoes-cloudtrail-logs-ap-southeast-1 --region ap-southeast-1

# Block public access on the log bucket (CloudTrail records contain account IDs, ARNs and source IPs)
aws s3api put-public-access-block --bucket vinashoes-cloudtrail-logs-ap-southeast-1 \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

# Apply the bucket policy below (saved as cloudtrail-bucket-policy.json) so the CloudTrail service can write to the bucket
aws s3api put-bucket-policy --bucket vinashoes-cloudtrail-logs-ap-southeast-1 --policy file://cloudtrail-bucket-policy.json

Bucket policy for CloudTrail (replace ACCOUNT with the account ID). The aws:SourceArn condition stops a trail in another account from writing into this bucket (the confused-deputy case), and the PutObject resource is limited to the path this trail actually uses; an organization trail additionally writes under audit-logs/AWSLogs/ORG_ID/ and needs that path in the resource too:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::vinashoes-cloudtrail-logs-ap-southeast-1",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:ap-southeast-1:ACCOUNT:trail/vinashoes-audit-trail"
        }
      }
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::vinashoes-cloudtrail-logs-ap-southeast-1/audit-logs/AWSLogs/ACCOUNT/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "arn:aws:cloudtrail:ap-southeast-1:ACCOUNT:trail/vinashoes-audit-trail"
        }
      }
    }
  ]
}

1.2. Create the Trail

CloudTrail Console → Create trail:

Trail Configuration:
  Trail name: "vinashoes-audit-trail"
  ✅ Apply trail to all regions (a multi-region trail; a single-region trail misses activity an attacker starts in a region nobody uses)
  ✅ Apply trail to all accounts in organization (only if this is the management account of an AWS Organization)

Storage Location:
  ✅ Use existing S3 bucket (created in 1.1)
  S3 bucket: "vinashoes-cloudtrail-logs-ap-southeast-1"
  S3 key prefix: "audit-logs/"

Log File Validation:
  ✅ Enable log file integrity validation (CloudTrail then delivers an hourly, signed digest file listing the SHA-256 hash of every log file, so edited or deleted log files can be detected with `aws cloudtrail validate-logs`)

KMS Encryption:
  ⚠️ Optional: encrypt log files with a customer managed KMS key; anyone reading the logs then also needs kms:Decrypt on that key, which gives a second access control on the audit trail
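
What log file validation actually protects, shown with an added example (not code from this workshop or from AWS): the digest file lists the SHA-256 of each log file and carries the hash of the previous digest, so editing, deleting or swapping log files breaks the chain. The script below rebuilds that hash chain in Python over constructed log files and checks four scenarios; it skips the digest signature, which `aws cloudtrail validate-logs --trail-arn <trail ARN> --start-time <time>` checks for a real trail. Bucket name, object keys and account ID are placeholders.

```python
"""Offline replay of CloudTrail log file integrity validation (the hash part).

Added example, not code from the workshop or from AWS. It mirrors the digest
file layout CloudTrail writes when validation is enabled (a logFiles list
with the SHA-256 of each log file's uncompressed contents, plus
previousDigestHashValue linking to the prior digest) and checks a set of
log files against it. The RSA signature CloudTrail puts on every digest
file is deliberately not checked here; `aws cloudtrail validate-logs` does
that. All files are built in memory; bucket, keys and account ID are
constructed placeholders.
"""
from __future__ import annotations

import gzip
import hashlib
import json

BUCKET = "vinashoes-cloudtrail-logs-ap-southeast-1"
LOG_KEY = ("audit-logs/AWSLogs/123456789012/CloudTrail/ap-southeast-1/2024/01/15/"
           "123456789012_CloudTrail_ap-southeast-1_20240115T1005Z_example.json.gz")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_file(records: list[dict]) -> bytes:
    """CloudTrail delivers each log file as gzip-compressed JSON {"Records": [...]}."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def make_digest(log_files: dict[str, bytes], previous_digest: bytes | None) -> bytes:
    """Digest document with the fields this check needs (a subset of the real format)."""
    digest = {
        "awsAccountId": "123456789012",
        "digestS3Bucket": BUCKET,
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
        "previousDigestHashAlgorithm": "SHA-256" if previous_digest else None,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": key, "hashAlgorithm": "SHA-256",
             "hashValue": sha256_hex(gzip.decompress(body))}  # hash of the uncompressed contents
            for key, body in log_files.items()
        ],
    }
    return json.dumps(digest).encode()


def verify_digest(digest_bytes: bytes, log_files: dict[str, bytes], previous_digest: bytes | None) -> list[str]:
    """Return the problems found; an empty list means every hash and the chain link matched."""
    digest = json.loads(digest_bytes)
    problems = []
    for entry in digest["logFiles"]:
        body = log_files.get(entry["s3Object"])
        if body is None:
            problems.append("missing: " + entry["s3Object"])
        elif sha256_hex(gzip.decompress(body)) != entry["hashValue"]:
            problems.append("hash mismatch: " + entry["s3Object"])
    expected_prev = digest.get("previousDigestHashValue")
    if expected_prev is not None and (previous_digest is None or sha256_hex(previous_digest) != expected_prev):
        problems.append("previous digest missing or altered: chain broken")
    return problems


def demo() -> dict[str, list[str]]:
    """Verify clean files, then three ways an attacker with bucket write access might cover tracks."""
    records = [  # constructed, in the shape of CloudTrail management events
        {"eventTime": "2024-01-15T10:00:05Z", "eventName": "ConsoleLogin",
         "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.10"},
        {"eventTime": "2024-01-15T10:03:41Z", "eventName": "StopLogging",
         "userIdentity": {"type": "IAMUser", "userName": "deploy"}, "sourceIPAddress": "203.0.113.10"},
    ]
    previous = b'{"logFiles": []}'  # stands in for the prior hour's digest file
    files = {LOG_KEY: make_log_file(records)}
    digest = make_digest(files, previous)
    edited = {LOG_KEY: make_log_file(records[:1])}  # StopLogging record removed, file re-uploaded
    return {
        "clean": verify_digest(digest, files, previous),
        "edited_log": verify_digest(digest, edited, previous),
        "deleted_log": verify_digest(digest, {}, previous),
        "replaced_previous_digest": verify_digest(digest, files, b'{"logFiles": [], "forged": true}'),
    }


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario}: {problems or 'OK'}")
```

The signature is what makes this useful against an attacker who can rewrite the whole bucket, digest included: CloudTrail signs each digest with a key whose public half is published (`aws cloudtrail list-public-keys`), so a forged digest fails validation even when its hashes are internally consistent. That is also why the account's own principals should not hold s3:DeleteObject on the log prefix even though the bucket policy grants CloudTrail write access.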

2. Event Configuration (15 minutes)

2.1. Management Events

Capture all management (control-plane) API calls; the first copy of management events is free:

Management Events:
  ✅ Read events
  ✅ Write events
  
Include:
  - EC2 instances start/stop
  - ECS service updates
  - API Gateway changes
  - IAM policy modifications
  - S3 bucket operations
  - DynamoDB table changes

2.2. Data Events Setup

📊 Data Events for E-commerce

Critical data events to monitor (data events are billed per event and can become the largest item on the bill, so scope them to the resources below rather than to every bucket and table):

  • S3 Product Images: Detect unauthorized file access
  • DynamoDB Tables: Track sensitive data queries
  • S3 CI/CD Artifacts: Monitor deployment files

Configure S3 Data Events:

S3 Data Events:
  ✅ Read events
  ✅ Write events
  
S3 Resources:
  - arn:aws:s3:::vinashoes-product-images/*
  - arn:aws:s3:::vinashoes-cicd-artifacts/*
  
Operations Tracked:
  - GetObject (file downloads)
  - PutObject (file uploads)
  - DeleteObject (file deletions)

Configure DynamoDB Data Events:

DynamoDB Data Events:
  ✅ Read events
  ✅ Write events
  
DynamoDB Resources:
  - arn:aws:dynamodb:ap-southeast-1:ACCOUNT:table/User
  - arn:aws:dynamodb:ap-southeast-1:ACCOUNT:table/Product
  - arn:aws:dynamodb:ap-southeast-1:ACCOUNT:table/Order
  
Operations Tracked:
  - GetItem, BatchGetItem, Query, Scan
  - PutItem, UpdateItem, DeleteItem, BatchWriteItem

Note: a DynamoDB data event records who called which API on which table (requestParameters.tableName), not the items returned; responseElements is typically null in these events, so later queries should count calls rather than read item counts from the event.

3. CloudWatch Integration (10 minutes)

3.1. CloudWatch Logs Integration

Send CloudTrail events to CloudWatch Logs (only then can metric filters and alarms react within minutes instead of waiting for S3 delivery and a manual query):

CloudWatch Logs Configuration:
  ✅ Send events to CloudWatch Logs

Log Group:
  Name: "/aws/cloudtrail/vinashoes-audit"
  Retention: 30 days (S3 keeps the long-term copy)

IAM Role:
  Create new role: "CloudTrail_CloudWatchLogs_Role"
  (the console creates the role with a trust policy for cloudtrail.amazonaws.com and attaches the permissions policy below; replace ACCOUNT with the account ID)

CloudWatch Logs IAM Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:ap-southeast-1:ACCOUNT:log-group:/aws/cloudtrail/vinashoes-audit:*"
    }
  ]
}

3.2. Security Monitoring Filters

Create metric filters for security events (the three patterns below mirror the CIS AWS Foundations Benchmark log metric filters):

# 1. Root account usage
#    invokedBy NOT EXISTS and eventType != AwsServiceEvent exclude actions AWS services perform
#    on the account's behalf under the root identity, which are not a person using root credentials
aws logs put-metric-filter \
  --log-group-name "/aws/cloudtrail/vinashoes-audit" \
  --filter-name "RootAccountUsage" \
  --filter-pattern '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }' \
  --metric-transformations \
    metricName=RootAccountUsageCount,metricNamespace=Security,metricValue=1

# 2. Unauthorized API calls
#    Wildcards are needed: EC2 reports Client.UnauthorizedOperation and many services report AccessDeniedException,
#    neither of which an exact match on "AccessDenied" / "UnauthorizedOperation" would catch
aws logs put-metric-filter \
  --log-group-name "/aws/cloudtrail/vinashoes-audit" \
  --filter-name "UnauthorizedApiCalls" \
  --filter-pattern '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }' \
  --metric-transformations \
    metricName=UnauthorizedApiCallCount,metricNamespace=Security,metricValue=1

# 3. IAM policy changes
#    Covers user, role and group policies and managed policy versions; CreatePolicyVersion and
#    SetDefaultPolicyVersion are classic escalation paths that a user-policy-only pattern would miss
aws logs put-metric-filter \
  --log-group-name "/aws/cloudtrail/vinashoes-audit" \
  --filter-name "IAMPolicyChanges" \
  --filter-pattern '{ ($.eventSource = iam.amazonaws.com) && (($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = PutUserPolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = PutRolePolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = DeleteGroupPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = SetDefaultPolicyVersion)) }' \
  --metric-transformations \
    metricName=IAMPolicyChangeCount,metricNamespace=Security,metricValue=1

4. Security Monitoring (10 minutes)

4.1. Critical Security Alarms

Set up alarms on the metrics from 3.2. Use the Sum statistic and treat missing data as not breaching, otherwise every quiet period shows as INSUFFICIENT_DATA:

# Root Account Usage Alarm
Alarm Configuration:
  Alarm name: "Security-RootAccountUsage"
  Description: "Root account was used"

Metric:
  Namespace: "Security"
  MetricName: "RootAccountUsageCount"
  Statistic: Sum

Threshold:
  Comparison: "GreaterThanOrEqualToThreshold"
  Threshold: 1
  Period: 300 seconds
  Evaluation: 1 out of 1
  Treat missing data: notBreaching

Actions:
  - Send SNS notification immediately (topic from 4.2)
  - Trigger security response procedure

# Unauthorized Access Alarm
Alarm Configuration:
  Alarm name: "Security-UnauthorizedAccess"
  Description: "Unauthorized API calls detected"

Metric:
  Namespace: "Security"
  MetricName: "UnauthorizedApiCallCount"
  Statistic: Sum

Threshold:
  Comparison: "GreaterThanThreshold"
  Threshold: 5
  Period: 300 seconds
  Evaluation: 1 out of 1
  Treat missing data: notBreaching

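The filter patterns in 3.2 and the thresholds in 4.1 can be tested before anything is deployed. The following is an added example (not part of the workshop and not how CloudWatch evaluates filters) that re-implements the three patterns and the two alarm rules in Python and runs them over constructed CloudTrail records, including the two root-usage exclusions. Record contents, user names and IP addresses are constructed.

```python
"""Metric-filter patterns from 3.2 and alarm thresholds from 4.1 replayed offline.

Added example, not part of the workshop and not how CloudWatch evaluates
filters. It re-implements the three filter patterns (root usage,
unauthorized API calls, IAM policy changes) and the two alarm rules
(root >= 1, unauthorized > 5 per 300 s period, statistic Sum) so the
detection logic can be unit-tested on sample records before deployment.
Field names follow the CloudTrail record format; all records, names and
IP addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
import fnmatch

PERIOD = 300  # seconds, the alarm period

# Same event names as the IAMPolicyChanges filter pattern in 3.2.
IAM_POLICY_EVENTS = {
    "AttachUserPolicy", "DetachUserPolicy", "PutUserPolicy", "DeleteUserPolicy",
    "AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy", "DeleteRolePolicy",
    "AttachGroupPolicy", "DetachGroupPolicy", "PutGroupPolicy", "DeleteGroupPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "SetDefaultPolicyVersion",
}


def is_root_usage(r: dict) -> bool:
    """{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }"""
    ui = r.get("userIdentity") or {}
    return ui.get("type") == "Root" and "invokedBy" not in ui and r.get("eventType") != "AwsServiceEvent"


def is_unauthorized(r: dict) -> bool:
    """{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }"""
    code = r.get("errorCode") or ""
    return fnmatch.fnmatchcase(code, "*UnauthorizedOperation") or fnmatch.fnmatchcase(code, "AccessDenied*")


def is_iam_policy_change(r: dict) -> bool:
    return r.get("eventSource") == "iam.amazonaws.com" and r.get("eventName") in IAM_POLICY_EVENTS


FILTERS = {
    "RootAccountUsageCount": is_root_usage,
    "UnauthorizedApiCallCount": is_unauthorized,
    "IAMPolicyChangeCount": is_iam_policy_change,
}

# Alarm name -> (metric, breach test on the per-period Sum), as configured in 4.1.
ALARMS = {
    "Security-RootAccountUsage": ("RootAccountUsageCount", lambda total: total >= 1),
    "Security-UnauthorizedAccess": ("UnauthorizedApiCallCount", lambda total: total > 5),
}


def period_start(event_time: str) -> int:
    """Epoch second at which the 300 s period containing eventTime starts."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()) // PERIOD * PERIOD


def metric_sums(records: list) -> dict:
    """metric -> {period_start: Sum}, i.e. what the alarm sees with statistic Sum."""
    sums = defaultdict(lambda: defaultdict(int))
    for r in records:
        for metric, matches in FILTERS.items():
            if matches(r):
                sums[metric][period_start(r["eventTime"])] += 1
    return sums


def metric_totals(records: list) -> dict:
    sums = metric_sums(records)
    return {metric: sum(sums[metric].values()) for metric in FILTERS}


def fired_alarms(records: list) -> list:
    """Alarms that would enter ALARM for at least one period (1 out of 1 evaluation)."""
    sums = metric_sums(records)
    return sorted(name for name, (metric, breached) in ALARMS.items()
                  if any(breached(v) for v in sums[metric].values()))


def sample_records() -> list:
    """Constructed records covering the true positives and the two root-usage exclusions."""
    base = {"eventType": "AwsApiCall", "awsRegion": "ap-southeast-1"}
    root = {"type": "Root", "accountId": "123456789012"}
    user = {"type": "IAMUser", "userName": "deploy"}
    recs = [
        # Real root sign-in: counted.
        {**base, "eventTime": "2024-01-15T10:00:05Z", "eventSource": "signin.amazonaws.com",
         "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": root},
        # Root credentials used by a service on the account's behalf: excluded via invokedBy.
        {**base, "eventTime": "2024-01-15T10:00:30Z", "eventSource": "s3.amazonaws.com",
         "eventName": "CreateBucket", "userIdentity": {**root, "invokedBy": "cloudformation.amazonaws.com"}},
        # Service-initiated event attributed to root: excluded via eventType.
        {**base, "eventTime": "2024-01-15T10:00:45Z", "eventSource": "kms.amazonaws.com",
         "eventName": "RotateKey", "eventType": "AwsServiceEvent", "userIdentity": root},
        # Two IAM policy changes; the S3 bucket policy change must not count.
        {**base, "eventTime": "2024-01-15T10:02:00Z", "eventSource": "iam.amazonaws.com",
         "eventName": "AttachRolePolicy", "userIdentity": user},
        {**base, "eventTime": "2024-01-15T10:02:10Z", "eventSource": "iam.amazonaws.com",
         "eventName": "PutRolePolicy", "userIdentity": user},
        {**base, "eventTime": "2024-01-15T10:02:20Z", "eventSource": "s3.amazonaws.com",
         "eventName": "PutBucketPolicy", "userIdentity": user},
        # EC2's error code only matches because of the wildcard; on its own it stays under "> 5".
        {**base, "eventTime": "2024-01-15T10:07:10Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation", "userIdentity": user},
    ]
    # Six AccessDenied errors from one IP inside the 10:00-10:05 period: breaches "> 5".
    for i in range(6):
        recs.append({**base, "eventTime": f"2024-01-15T10:01:{10 * i:02d}Z", "eventSource": "s3.amazonaws.com",
                     "eventName": "GetObject", "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.77",
                     "userIdentity": {"type": "IAMUser", "userName": "intern"}})
    return recs


if __name__ == "__main__":
    print(metric_totals(sample_records()))
    print(fired_alarms(sample_records()))
```

Running it shows why the two exclusions in the root pattern matter: the CloudFormation-invoked record and the service-event record both carry type Root but are not a person using root credentials, and without the exclusions the alarm would page on routine service activity. It also shows the period boundary: the single Client.UnauthorizedOperation at 10:07 lands in a different 300 s period from the six AccessDenied errors, so it never pushes any period past the threshold.
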
4.2. SNS Topic for Security Alerts

Create the SNS topic for security notifications and attach it as the action of the alarms above. The email subscription stays in PendingConfirmation until the recipient clicks the confirmation link; until then the alarms notify nobody:

# Create the SNS topic
aws sns create-topic --name vinashoes-security-alerts

# Subscribe email
aws sns subscribe \
  --topic-arn arn:aws:sns:ap-southeast-1:ACCOUNT:vinashoes-security-alerts \
  --protocol email \
  --notification-endpoint [email protected]

# Subscribe SMS (optional)
aws sns subscribe \
  --topic-arn arn:aws:sns:ap-southeast-1:ACCOUNT:vinashoes-security-alerts \
  --protocol sms \
  --notification-endpoint +84987654321

5. CloudTrail Insights (5 minutes)

5.1. Enable CloudTrail Insights

🤖 CloudTrail Insights

Anomaly detection on management events. Insights builds a baseline of the normal call volume and error rate per API and raises an Insights event when activity deviates from it; it covers management events only, not the S3 and DynamoDB data events from section 2:

  • Unusual API activity: spikes in call rate, for example a burst of ListBuckets or DescribeInstances during reconnaissance
  • Error rate increases: bursts of AccessDenied such as a compromised credential probing for permissions
  • Context: each Insights event carries the baseline and the deviation, so it can be reviewed alongside the raw events

Enable Insights for management events:

CloudTrail Insights Configuration:
  ✅ Enable insights for management events

Insights Type:
  ✅ API call rate insights
  ✅ API error rate insights

Cost:
  $0.35 per 100,000 management events analyzed

6. Audit Dashboard (10 minutes)

6.1. CloudWatch Dashboard for Security

Create the security monitoring dashboard, named "Vinashoes-Security-Monitoring" (the name the cleanup section uses), with the dashboard body below:

{
  "widgets": [
    {
      "type": "metric",
      "properties": {
        "metrics": [
          ["Security", "RootAccountUsageCount"],
          [".", "UnauthorizedApiCallCount"],
          [".", "IAMPolicyChangeCount"]
        ],
        "period": 300,
        "stat": "Sum",
        "region": "ap-southeast-1",
        "title": "Security Events"
      }
    },
    {
      "type": "log",
      "properties": {
        "query": "SOURCE '/aws/cloudtrail/vinashoes-audit'\n| fields @timestamp, sourceIPAddress, userIdentity.type, eventName\n| filter eventName like /Delete/\n| sort @timestamp desc\n| limit 20",
        "region": "ap-southeast-1",
        "title": "Recent Delete Operations"
      }
    }
  ]
}

6.2. Common Security Queries

CloudWatch Logs Insights queries against /aws/cloudtrail/vinashoes-audit (lines starting with # are comments):

# Failed console logins, grouped by source IP
fields @timestamp, sourceIPAddress, userIdentity.userName, errorMessage
| filter eventName = "ConsoleLogin" and ispresent(errorMessage)
| stats count() as failures by sourceIPAddress
| sort failures desc

# S3 bucket policy changes
fields @timestamp, sourceIPAddress, userIdentity.userName, eventName
| filter eventSource = "s3.amazonaws.com" and eventName like /BucketPolicy/
| sort @timestamp desc

# ECS service modifications
fields @timestamp, sourceIPAddress, userIdentity.userName, eventName, requestParameters.cluster, requestParameters.taskDefinition
| filter eventSource = "ecs.amazonaws.com" and (eventName = "UpdateService" or eventName = "CreateService")
| sort @timestamp desc

# DynamoDB data access patterns (requires the data events from 2.2; responseElements is typically
# null in DynamoDB data events, so volume is measured by call count rather than item counts)
fields @timestamp, sourceIPAddress, eventName, requestParameters.tableName
| filter eventSource = "dynamodb.amazonaws.com" and (eventName = "Scan" or eventName = "Query")
| stats count() as queries by sourceIPAddress, requestParameters.tableName
| sort queries desc

✅ Task 14 Complete!

📋 Deliverables Checklist

Component                   Status        Details
✅ CloudTrail Setup          ACTIVE        Multi-region trail, log file validation on
✅ Management Events         LOGGING       Read and write API calls, full audit trail
✅ Data Events               CONFIGURED    S3 (product images, CI/CD artifacts) + DynamoDB (User, Product, Order)
✅ CloudWatch Integration    ACTIVE        Log group /aws/cloudtrail/vinashoes-audit with metric filters
✅ Security Alarms           MONITORING    Root usage + unauthorized access, notified via SNS
✅ Insights                  ENABLED       API call rate and error rate anomaly detection

🔒 Security Coverage

🎉 Complete Audit & Security Monitoring!

Audit Trail:

  • Management Events: Every AWS API call logged
  • Data Events: S3 file access + DynamoDB queries
  • Multi-region: Complete coverage across all regions
  • Integrity: Log file validation enabled

Security Monitoring:

  • Real-time alerts: Unauthorized access detection
  • Anomaly detection: CloudTrail Insights on management events
  • Compliance ready: PCI DSS, ISO 27001 evidence
  • Incident response: Automated notifications

Analysis Capabilities:

  • CloudWatch integration: Query and visualize events
  • Security dashboard: Real-time security overview
  • Historical analysis: long-term copy in S3 (90-day retention is recommended below; set it with a lifecycle rule, since CloudTrail never expires its own logs)

🚨 Critical Security Events to Monitor

High Priority Alerts (the first two have alarms from 4.1; add metric filters for the others in the same way):
  - Root account usage
  - Unauthorized API calls (5+ in 5 minutes)
  - IAM policy changes
  - S3 bucket policy modifications
  - ECS service updates outside business hours

Medium Priority:
  - Bulk DynamoDB scans
  - Cross-region API calls
  - New IAM user creation
  - S3 bucket access from unknown IPs

Compliance Events:
  - Data access patterns
  - Admin privilege usage
  - Configuration changes
  - Delete operations

💡 Security Best Practices

🎯 Production Security Tips

Log Management:

  1. Retention: 90 days in S3, 30 days in CloudWatch (the S3 retention needs an explicit lifecycle rule)
  2. Encryption: Enable KMS encryption for sensitive logs
  3. Access control: Restrict CloudTrail log access, and alert on StopLogging, DeleteTrail and UpdateTrail as well: switching the trail off is often an attacker's first move

Monitoring Strategy:

  1. Real-time: Critical events trigger immediate alerts
  2. Daily reviews: Automated summary reports
  3. Weekly analysis: Trend analysis and anomaly review

Incident Response:

  1. Automated response: Block suspicious IPs via Lambda
  2. Escalation: Security team notification procedures
  3. Documentation: Maintain an incident response playbook

Cost Optimization:

  1. Data events: Enable only for critical resources
  2. Log lifecycle: Transition old logs to cheaper storage
  3. Insights: Monitor cost vs. security benefit

🔧 Common Security Scenarios

Investigation Examples

Scenario 1: Unauthorized ECS changes

# Find who modified ECS services (eventName never contains "ECS", so filter on eventSource)
fields @timestamp, sourceIPAddress, userIdentity.userName, eventName, request Parameters
| filter eventSource = "ecs.amazonaws.com" and (eventName like /Update/ or eventName like /Delete/)
| sort @timestamp desc

Scenario 2: Data exfiltration detection

# Bursts of Scan calls per principal and table (responseElements is typically null in DynamoDB
# data events, so volume is measured by call count per 5-minute bin rather than by scannedCount)
fields @timestamp, sourceIPAddress, userIdentity.arn, requestParameters.tableName
| filter eventSource = "dynamodb.amazonaws.com" and eventName = "Scan"
| stats count() as scans by bin(5m), userIdentity.arn, requestParameters.tableName
| sort scans desc

Scenario 3: Privilege escalation

# IAM policy changes whose policy document contains a wildcard. The document may be stored URL-encoded,
# so check a sample event first: if the asterisk appears as %2A rather than *, match that instead.
fields @timestamp, sourceIPAddress, userIdentity.userName, eventName, requestParameters.policyDocument
| filter eventSource = "iam.amazonaws.com" and eventName like /Policy/ and requestParameters.policyDocument like /\*/
| sort @timestamp desc
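
Every wildcard matches that query, including harmless ones such as s3:Get* on a single bucket, so the result is a triage list rather than an alert. One way to triage it, as an added example that is not part of the workshop: decode the policy document, parse it, and flag only the statements that can actually escalate privilege. The events and policy documents below are constructed, and ESCALATION_ACTIONS is this example's own choice of what counts as escalation-capable.

```python
"""Decode and inspect the policy document carried in IAM CloudTrail events.

Added example, not part of the workshop. The Logs Insights regex in
Scenario 3 matches any '*' in requestParameters.policyDocument, including
harmless ones such as s3:Get*. This check decodes the document (CloudTrail
may store it URL-encoded; unquote() leaves plain JSON untouched), parses it
and reports only Allow statements that can escalate privilege. All records,
names and the account ID are constructed.
"""
from __future__ import annotations

import json
from urllib.parse import quote, unquote

# Assumption of this example: actions that let a principal grant itself more access.
ESCALATION_ACTIONS = {"*", "iam:*", "sts:*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def encode_policy(doc: dict) -> str:
    """Serialize a policy the way it may appear in an event (URL-encoded JSON)."""
    return quote(json.dumps(doc))


def risky_statements(policy_document: str) -> list[dict]:
    """Allow statements in the (possibly URL-encoded) document that grant escalation-capable access."""
    doc = json.loads(unquote(policy_document))
    findings = []
    for index, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = [str(a).lower() for a in _as_list(st.get("Action", []))]  # IAM action names are case-insensitive
        resources = _as_list(st.get("Resource", []))
        if "*" in actions and "*" in resources:
            reason = "full admin: Action * on Resource *"
        elif any(a in ESCALATION_ACTIONS for a in actions):
            reason = "escalation-capable action: " + ", ".join(a for a in actions if a in ESCALATION_ACTIONS)
        else:
            continue  # e.g. s3:Get* on one bucket: a wildcard, but not a privilege escalation
        findings.append({"statement": index, "actions": actions, "resources": resources, "reason": reason})
    return findings


def scan_records(records: list[dict]) -> list[dict]:
    """Run risky_statements over every IAM event that carries an inline or managed policy document."""
    hits = []
    for r in records:
        params = r.get("requestParameters") or {}
        if r.get("eventSource") != "iam.amazonaws.com" or not params.get("policyDocument"):
            continue  # Attach*/Detach* events reference a policy by ARN and carry no document
        identity = r.get("userIdentity") or {}
        actor = identity.get("userName") or identity.get("arn")
        for finding in risky_statements(params["policyDocument"]):
            hits.append({"eventTime": r["eventTime"], "eventName": r["eventName"], "actor": actor, **finding})
    return hits


def sample_events() -> list[dict]:
    """Constructed IAM events: one full-admin policy version, one scoped read policy, one iam:* grant."""
    iam = {"eventSource": "iam.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "deploy"}}
    return [
        {**iam, "eventTime": "2024-01-15T11:02:14Z", "eventName": "CreatePolicyVersion",
         "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/app-deploy", "setAsDefault": True,
                               "policyDocument": encode_policy({"Version": "2012-10-17", "Statement": [
                                   {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
        {**iam, "eventTime": "2024-01-15T11:05:40Z", "eventName": "PutRolePolicy",
         "requestParameters": {"roleName": "ecs-task-role", "policyName": "read-images",
                               "policyDocument": encode_policy({"Version": "2012-10-17", "Statement": [
                                   {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                                    "Resource": "arn:aws:s3:::vinashoes-product-images/*"}]})}},
        {**iam, "eventTime": "2024-01-15T11:09:03Z", "eventName": "PutUserPolicy",
         "requestParameters": {"userName": "deploy", "policyName": "self-service",
                               "policyDocument": encode_policy({"Version": "2012-10-17", "Statement": [
                                   {"Effect": "Allow", "Action": ["iam:PassRole", "IAM:*"], "Resource": "*"}]})}},
        {**iam, "eventTime": "2024-01-15T11:10:00Z", "eventName": "AttachRolePolicy",
         "requestParameters": {"roleName": "ecs-task-role",
                               "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    ]


if __name__ == "__main__":
    for hit in scan_records(sample_events()):
        print(f"{hit['eventTime']} {hit['eventName']} by {hit['actor']}: {hit['reason']}")
```

The scoped read policy on the product-images bucket is dropped even though it contains two asterisks, while the full-admin policy version and the iam:* inline user policy are reported. The last sample event, AttachRolePolicy with AdministratorAccess, carries no document and is skipped here; the IAMPolicyChanges metric filter in 3.2 still counts it, and a check on requestParameters.policyArn would cover that path.
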

Compliance Reporting

PCI DSS Requirements (the trail plus the CloudWatch alarms are the evidence for these, not the whole control):

  • Requirement 10: All access to system components logged
  • Requirement 10.2: Automated audit trails
  • Requirement 10.3: Audit trail entries include the required elements (user, event type, date and time, success or failure, origin, affected resource; CloudTrail records carry these as userIdentity, eventName, eventTime, errorCode, sourceIPAddress and resources)

ISO 27001 Controls (ISO/IEC 27001:2013 Annex A numbering):

  • A.12.4.1: Event logging procedures
  • A.12.4.2: Protection of log information
  • A.12.4.3: Administrator and operator logs

🎉 Complete Security & Observability Stack!

📊 End-to-End Monitoring Architecture

Complete Stack Overview:
  Task 11: CI/CD Pipeline + Automation
  Task 12: CloudWatch Logs + Metrics + Alarms
  Task 13: X-Ray Distributed Tracing
  Task 14: CloudTrail Audit + Security
  
Benefits:
  ✅ Complete visibility into infrastructure
  ✅ Real-time performance monitoring  
  ✅ End-to-end request tracing
  ✅ Security audit trail
  ✅ Compliance-ready logging

🚀 Production-Ready AWS Microservices Platform with Complete Observability! 🚀


🧹 Resource Cleanup

7.1. Delete the CloudTrail Trail

Stop logging and delete the trail:

# Stop logging first
aws cloudtrail stop-logging --name vinashoes-audit-trail

# Delete the trail
aws cloudtrail delete-trail --name vinashoes-audit-trail

7.2. Delete the S3 Bucket

Delete the CloudTrail log storage (the bucket must be empty first). If the logs are still needed for a compliance retention period, copy them elsewhere before this step:

# List and delete every object in the bucket
aws s3 rm s3://vinashoes-cloudtrail-logs-ap-southeast-1 --recursive

# If versioning is enabled, also delete all object versions and delete markers
# (each delete-objects call fails with a parameter error when nothing of that kind is left; that is safe to ignore)
BUCKET=vinashoes-cloudtrail-logs-ap-southeast-1
aws s3api delete-objects --bucket "$BUCKET" --delete "$(aws s3api list-object-versions --bucket "$BUCKET" --output json --query '{Objects: Versions[].{Key:Key,VersionId:VersionId}}')"
aws s3api delete-objects --bucket "$BUCKET" --delete "$(aws s3api list-object-versions --bucket "$BUCKET" --output json --query '{Objects: DeleteMarkers[].{Key:Key,VersionId:VersionId}}')"

# Delete the bucket
aws s3 rb s3://vinashoes-cloudtrail-logs-ap-southeast-1

7.3. Clean Up CloudWatch Resources

Delete the alarms, metric filters and log group (deleting the log group removes its metric filters with it, so the delete-metric-filter calls only matter if the log group is kept):

# Delete the CloudWatch alarms
aws cloudwatch delete-alarms --alarm-names "Security-RootAccountUsage" "Security-UnauthorizedAccess"

# Delete the metric filters
aws logs delete-metric-filter --log-group-name "/aws/cloudtrail/vinashoes-audit" --filter-name "RootAccountUsage"
aws logs delete-metric-filter --log-group-name "/aws/cloudtrail/vinashoes-audit" --filter-name "UnauthorizedApiCalls"
aws logs delete-metric-filter --log-group-name "/aws/cloudtrail/vinashoes-audit" --filter-name "IAMPolicyChanges"

# Delete the CloudWatch log group
aws logs delete-log-group --log-group-name "/aws/cloudtrail/vinashoes-audit"

7.4. Delete the SNS Topic

Delete the security notification topic:

# List subscriptions and unsubscribe if needed. Deleting the topic also removes its subscriptions;
# a subscription still waiting for email confirmation shows "PendingConfirmation" instead of an ARN and cannot be unsubscribed
SUBSCRIPTION_ARN=$(aws sns list-subscriptions-by-topic --topic-arn arn:aws:sns:ap-southeast-1:ACCOUNT:vinashoes-security-alerts --query 'Subscriptions[0].SubscriptionArn' --output text)
if [ "$SUBSCRIPTION_ARN" != "None" ] && [ "$SUBSCRIPTION_ARN" != "PendingConfirmation" ]; then
  aws sns unsubscribe --subscription-arn "$SUBSCRIPTION_ARN"
fi

# Delete the SNS topic
aws sns delete-topic --topic-arn arn:aws:sns:ap-southeast-1:ACCOUNT:vinashoes-security-alerts

7.5. Delete the IAM Role

Delete the CloudTrail CloudWatch Logs role (the trail must already be deleted, since it references the role):

# Remove inline policies and attached managed policies, whichever the role was created with
ROLE=CloudTrail_CloudWatchLogs_Role
for p in $(aws iam list-role-policies --role-name "$ROLE" --query 'PolicyNames[]' --output text); do
  aws iam delete-role-policy --role-name "$ROLE" --policy-name "$p"
done
for arn in $(aws iam list-attached-role-policies --role-name "$ROLE" --query 'AttachedPolicies[].PolicyArn' --output text); do
  aws iam detach-role-policy --role-name "$ROLE" --policy-arn "$arn"
done

# Delete the role (fails while any policy is still attached)
aws iam delete-role --role-name "$ROLE"

7.6. Clean Up the CloudWatch Dashboard

Delete the security monitoring dashboard:

aws cloudwatch delete-dashboards --dashboard-names "Vinashoes-Security-Monitoring"

⚠️ Cleanup Order:

  1. Stop CloudTrail logging
  2. Delete the trail
  3. Empty and delete the S3 bucket
  4. Delete the CloudWatch resources (alarms, metric filters, log group)
  5. Delete the SNS topic
  6. Delete the IAM role
  7. Delete the dashboard

💰 Cost Analysis

8.1. CloudTrail Pricing Overview

AWS CloudTrail pricing structure (list prices at the time of writing; verify on the AWS pricing pages for your region):

Component                Free tier                    Paid                                              Estimated cost
Management Events        First copy of events free    -                                                 $0/month
Data Events (S3)         -                            $0.10 per 100,000 events                          $2-10/month
Data Events (DynamoDB)   -                            $0.10 per 100,000 events                          $1-5/month
CloudTrail Insights      -                            $0.35 per 100,000 events analyzed                 $5-20/month
S3 Storage               5 GB (12-month free tier)    $0.023 per GB-month                               $5-15/month
CloudWatch Logs          5 GB ingestion               $0.50 per GB ingested                             $10-30/month
CloudWatch Metrics       10 custom metrics            $0.30 per metric-month                            $3-10/month
CloudWatch Alarms        10 alarms                    $0.10 per alarm-month                             $2-5/month
SNS Notifications        1,000 email/month            $2.00 per 100,000 email; SMS priced per message   $1-3/month

8.2. Monthly Cost Breakdown

Cost estimate for the e-commerce platform (event counts sized to match the unit prices above):

Core CloudTrail Cost:
  Management Events: FREE (first copy, no limit)
  Data Events (S3): $5/month (5M events)
  Data Events (DynamoDB): $2/month (2M events)
  Insights: $10/month (about 2.9M management events analyzed)

Storage & Monitoring:
  S3 Storage: $8/month (350 GB of logs)
  CloudWatch Logs: $15/month (30 GB ingested)
  CloudWatch Metrics: $5/month (15 custom metrics)
  CloudWatch Alarms: $3/month (30 alarms)

Notifications:
  SNS: $2/month (about 100K email notifications)

Total Monthly Cost: about $50/month

8.3. Cost Optimization Strategy

Reducing CloudTrail cost:

Optimization Tactics:
  1. Selective Data Events:
     - Enable only for critical S3 buckets
     - Monitor only the DynamoDB tables that hold sensitive data; high-traffic tables generate the most events and cost the most to log

  2. Log Retention:
     - CloudWatch: keep 30 days
     - S3: transition to cheaper storage classes after 30 days

  3. Selective Insights:
     - Enable only on production trails
     - Insights is billed per management event analyzed and cannot be scheduled, so check the event volume before enabling it

  4. Metric Filter Optimization:
     - Use fewer, more specific filters
     - Combine related events into a single metric

8.4. ROI Analysis

Security benefit vs. cost (illustrative figures, not measured data):

Benefit                    Value                                  Cost impact
Compliance audit           PCI DSS, ISO 27001 evidence            Priceless
Incident detection         Saves hours of investigation           $50K+ per incident
Data breach prevention     Prevents potential loss                $100K+ per breach
Operational efficiency     Automated monitoring                   Saves 20 hours/week
Insurance premiums         Lower rates with an audit trail        10-20% reduction

ROI Calculation:

  • Annual cost: $600 ($50/month × 12)
  • Annual benefit: $150K+ (incidents prevented + efficiency)
  • ROI: 25,000% (benefit ÷ cost)
8.5. Cost Monitoring

Track CloudTrail spend. Cost Explorer treats End as exclusive, so End=2024-02-01 covers all of January, and --granularity is required on every call:

# CloudTrail cost by usage type
aws ce get-cost-and-usage \
  --time-period Start=2024-01-01,End=2024-02-01 \
  --granularity MONTHLY \
  --metrics BlendedCost \
  --group-by Type=DIMENSION,Key=USAGE_TYPE \
  --filter '{
    "Dimensions": {
      "Key": "SERVICE",
      "Values": ["AWS CloudTrail"]
    }
  }'

# S3 cost by usage type (separates storage from request and data-transfer charges)
aws ce get-cost-and-usage \
  --time-period Start=2024-01-01,End=2024-02-01 \
  --granularity MONTHLY \
  --metrics BlendedCost \
  --group-by Type=DIMENSION,Key=USAGE_TYPE \
  --filter '{
    "Dimensions": {
      "Key": "SERVICE",
      "Values": ["Amazon Simple Storage Service"]
    }
  }'

💡 Cost Management Best Practices

Budget Alerts:

  • Set a CloudWatch billing alarm (or an AWS Budget) at a $100/month threshold
  • Review S3 log storage growth weekly

Optimization:

  • Review the data event selectors monthly to confirm they are still needed
  • Archive old logs to S3 Glacier storage classes to cut storage cost by roughly 70% or more
  • Enable CloudTrail Insights only where it is needed

Scaling Considerations:

  • Multi-account: cost grows with the number of accounts
  • High traffic: data events can raise cost significantly
  • Global: a multi-region trail adds minimal cost (management events from every region are still the free first copy)
