AWS CloudTrail
AWS CloudTrail records activity in your AWS account as events: every API call made through the AWS Management Console, the AWS CLI, the SDKs, or by another AWS service acting on your behalf, plus console sign-ins. For example, an EC2 instance being created or terminated, or a change to VPC settings, is recorded as an event. Actions are captured whether or not they were performed from the Management Console, so an attacker using stolen access keys from the CLI leaves the same kind of trail as a user clicking through the console. One caveat: data-plane operations such as S3 object reads and Lambda invocations are data events and are not logged unless you enable them on the trail.
CloudTrail consolidates these events in a central location (an S3 bucket for a trail, or the 90-day event history in the console) and provides a unified view of account activity, making it easier to search, analyze, download, and respond to activity across your AWS infrastructure. Each event records which identity performed the action, when, from which source IP address and user agent, which parameters were passed, and what the service returned, details that DFIR teams rely on when analyzing and responding to an incident in AWS.
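To make the record fields concrete, here is an added example (not code from the book) that parses a CloudTrail log-file payload and answers the questions an incident responder asks first: who did what, against which service, from where, and through which channel. The four records are constructed to follow the CloudTrail record schema; the account ID, principals, addresses and the list of "sensitive" actions are illustrative assumptions, not AWS-provided data.

```python
"""Triage a CloudTrail log-file payload: who did what, from where, via what.

Added example, not code from the book. The records are constructed to follow
the CloudTrail record schema (userIdentity, eventSource, eventName, ...);
the account ID, names and addresses are made up.
"""
import json

# Actions worth a second look during an incident. Assumed list for illustration,
# not an AWS-provided one; extend it for your environment.
SENSITIVE_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",          # tampering with CloudTrail
    "TerminateInstances",                                 # destructive
    "CreateUser", "CreateAccessKey", "AttachUserPolicy",  # persistence / privilege
}

# Constructed sample: a delivered CloudTrail log file is a JSON object whose
# "Records" array holds one event per API call or console sign-in.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventType": "AwsApiCall", "eventTime": "2023-05-01T10:15:00Z",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accountId": "123456789012", "userName": "alice"},
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.5", "userAgent": "console.ec2.amazonaws.com"},
    {"eventType": "AwsApiCall", "eventTime": "2023-05-01T10:20:00Z",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE2:deploy",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/deploy",
                      "accountId": "123456789012",
                      "sessionContext": {"sessionIssuer": {"type": "Role",
                                                           "userName": "DeployRole"}}},
     "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.11.0"},
    {"eventType": "AwsApiCall", "eventTime": "2023-05-01T10:25:00Z",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE3",
                      "arn": "arn:aws:iam::123456789012:user/bob",
                      "accountId": "123456789012", "userName": "bob"},
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.11.0"},
    {"eventType": "AwsConsoleSignIn", "eventTime": "2023-05-01T10:30:00Z",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "192.0.2.9", "userAgent": "Mozilla/5.0"},
]})


def load_records(payload):
    """Return the list of event records from a CloudTrail log-file payload."""
    return json.loads(payload)["Records"]


def actor(record):
    """Name the principal behind an event; assumed-role sessions map to the role."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return ident.get("userName", ident.get("arn", "unknown"))
    if kind == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return "role:" + issuer.get("userName", "unknown")
    return ident.get("arn", kind or "unknown")


def channel(record):
    """Rough guess at how the call was made, from the user agent and event type."""
    ua = record.get("userAgent", "")
    if "console" in ua or record.get("eventType") == "AwsConsoleSignIn":
        return "console"
    if ua.startswith("aws-cli/") or ua.startswith("aws-sdk-"):
        return "cli/sdk"
    return "other"


def summarize(records):
    """One tuple per event: time, actor, service, action, source IP, channel."""
    return [(r["eventTime"], actor(r), r["eventSource"], r["eventName"],
             r.get("sourceIPAddress"), channel(r)) for r in records]


def flag_sensitive(records):
    """Return events that match SENSITIVE_EVENTS or are root console sign-ins."""
    hits = []
    for r in records:
        reason = None
        if r["eventName"] in SENSITIVE_EVENTS:
            reason = "sensitive action"
        elif (r.get("eventType") == "AwsConsoleSignIn"
              and r.get("userIdentity", {}).get("type") == "Root"):
            reason = "root console sign-in"
        if reason:
            hits.append({"time": r["eventTime"], "actor": actor(r),
                         "event": r["eventName"], "ip": r.get("sourceIPAddress"),
                         "reason": reason})
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_FILE)
    for row in summarize(recs):
        print(*row)
    for hit in flag_sensitive(recs):
        print("FLAG", hit)
```

Two details matter in practice. An `AssumedRole` identity names the session, not a person, so the responder has to chase the `AssumeRole` event that created the session (or the instance profile, for EC2) to find the real origin; the `actor()` helper only gets you to the role. And a `StopLogging` or `DeleteTrail` event from an unexpected principal is itself one of the strongest indicators in the log, because it is the last thing a careful intruder wants recorded.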
CloudTrail logs can also be delivered to CloudWatch Logs, where they can be queried with CloudWatch Logs Insights and used to drive metric filters and alarms for further analysis. We will discuss CloudWatch in the next section.
The following screenshot demonstrates an example of a CloudWatch dashboard:
Figure 4.8 –...