100 Days of AWS

100 Days of AWS 25
- Lecture1.1
  
  Day 1 – AWS IAM User
- Lecture1.2
  
  Day 2 – Restricting users to specific AWS region
- Lecture1.3
  
  Day 3 – Restricting users to disable CloudTrail or Creating IAM Users
- Lecture1.4
  
  Day 4 – AWS Security Token Service(STS)
- Lecture1.5
  
  Day 5- AWS Organizations - Part 1
- Lecture1.6
  
  Day 6- AWS Organizations - Part 2(Service Control Policies)
- Lecture1.7
  
  Day 7- Delegate Access Across AWS Accounts Using IAM Roles
- Lecture1.8
  
  Day 8- Pushing System logs and Custom Metrics using CloudWatch agent
- Lecture1.9
  
  Day 9- Using CloudWatch Logs(Metric Filters) to create a Simple Monitoring system that alerts for any unauthorized access
- Lecture1.10
  
  Day 10- AWS CloudWatch Events to monitor resource changes
- Lecture1.11
  
  Day 11 - Using AWS CloudWatch to create a Billing alarm
- Lecture1.12
  
  Day 12 - Integrating AWS Chatbot with Slack- ChatOps for AWS
- Lecture1.13
  
  Day 13 - Getting an alert when someone deletes any object in the S3 bucket
- Lecture1.14
  
  Day 14 - Monitor performance of EKS Cluster using CloudWatch Container Insights
- Lecture1.15
  
  Day 15 – Introduction to AWS Config
- Lecture1.16
  
  Day 16- Stop/Start EC2 instance on a scheduled basis to save cost
- Lecture1.17
  
  Day 17- AWS Secret Manager
- Lecture1.18
  
  Day 18- Automate the EBS Snapshot and AMIs creation using Amazon Data Lifecycle Manager
- Lecture1.19
  
  Day 19- Backup Solution using S3, Glacier and VPC Endpoint
- Lecture1.20
  
  Day 20- AWS System Manager - Part 1
- Lecture1.21
  
  Day 21- AWS System Manager - Part 2
- Lecture1.22
  
  Day 22- Introduction to AWS CLI
- Lecture1.23
  
  Day 23- Introduction to Boto3
- Lecture1.24
  
  Day 24- Boto3 Concepts(Waiter, Meta, and Paginator)
- Lecture1.25
  
  Day 25- Rotating IAM Keys on a regular basis using Boto3

Day 3 – Restricting users to disable CloudTrail or Creating IAM Users

Welcome to Day 3of 100 Days of AWS. The topic for today is restricting users to disable CloudTrail or Creating IAM Users.

This is one of the common tasks we used to encounter as a part of our daily job where we don’t want our user to disable/stop logging to CloudTrail or creating IAM user.

What Is AWS CloudTrail?

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

It’s enabled when the account is created(for 7 days)
When activity occurs in your AWS account, that activity is recorded in a CloudTrail event.
Entries can be viewed in Event History(for 90 days)
Event logs can be aggregated across accounts and regions.

NOTE

Historically CloudTrail was not enabled by default
It won’t logs events like SSH/RDP only API call.

As you can see CloudTrail is important for admin perspective as it recorded activity occurs in your AWS account. At the same time we didn’t want to give any user permission to create IAM account.

This can be achieved using Service Control Policy(SCP). For more about SCP please check the following link https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

"Version": "2012-10-17",

"Statement": [

"Action": [

"cloudtrail:StopLogging",

"cloudtrail:DeleteTrail",

"iam:CreateUser"

],

"Resource": "*",

"Effect": "Deny"

Terraform Code: https://github.com/100daysofdevops/100daysofAWS/tree/main/Day%203-%20Restricting%20users%20to%20disable%20CloudTrail%20or%20Creating%20IAM%C2%A0Users

100 Days of AWS 25

Day 3 – Restricting users to disable CloudTrail or Creating IAM Users

Leave A Reply Cancel reply

Login with your site account

Register a new account

Modal title