VMware Tanzu Observability offers easy integration with Amazon Web Services (AWS) CloudTrail, enabling operators to view events that are related to governance, compliance, and operational and risk auditing for your AWS account. This post walks you through the process of integrating CloudTrail Service with Tanzu Observability Wavefront to take advantage of these consolidated features.
AWS CloudTrail is a service that helps you enable governance, compliance, and operational and risk auditing for your AWS account. Actions taken by a user, role, or AWS are recorded as events in AWS CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, AWS Software Development Kits, and APIs.
VMware Tanzu Observability is a high-performance streaming analytics platform that supports observability (e.g., metrics, histograms, traces/spans, events). All actions (by users, roles, AWS) are recorded in CloudTrail as events and can be fetched by Wavefront and observed from the common observability platform for auditing purposes.
Integrating CloudTrail Service with Tanzu Observability Wavefront
-
Customers need to create a trail on the AWS account that will take logs from all of the AWS regions and push them to an AWS S3 Bucket. See “Creating a Trail.”
-
The CloudTrail events Wavefront collects do not include events that are related to Get, List, or Describe events.
-
Once the trail is available and the bucket is created, AWS Integration in Wavefront is configured with the required details to pull the events from CloudTrail.
-
On the AWS setup page
- Provide the bucket name that was used to create the trail.
- AWS provides a default prefix for the folder where CloudTrail event logs get stored in a bucket: “AWSLogs.” However, customers can also provide their own prefixes and events can be stored in S3bucketName/AWSLogs/<prefix>/
- Provide the prefix name if you provided one during the trail creation, otherwise leave this empty.
- Provide the region value where the bucket was created.
-
Once the information is provided on the setup page, Wavefront starts pulling the data/events from AWS in five minute intervals (as a default).
6. The events from CloudTrail can be viewed using Browse→ Events
- Auditing AWS via Wavefront: Suppose an Amazon Elastic Compute Cloud (EC2) instance is terminated on AWS. The customer can audit the termination using Events in Wavefront as shown in the image below. The event details can be further checked by clicking on View System Event.
- Auditing creation of resources on AWS: The resources created on AWS can be audited with CloudTrail in Wavefront. For example, if somebody created an RDS instance on AWS, the customer can view the details of the instance on the Events page in Wavefront as shown in the image below.
Detailed event information for RDS
Details captured in the Event:
{"requestId":"33a67a70-3d38-4xxxxxx","networkInterface":{"networkInterfaceId":"eni-0c1e6cddaxxxx","subnetId":"subnet-ac9xxxx","vpcId":"vpc-5e6xxx","availabilityZone":"us-east-1f","description":"RDSNetworkInterface","ownerId":"358321xxx","requesterId":"9207153xxx1","requesterManaged":true,"status":"pending","macAddress":"16:cb:20::xx:xx::xx","privateIpAddress":"x.x.x.x","privateDnsName":"ip-x.x.x.x.ec2.internal","sourceDestCheck":true,"interfaceType":"interface","groupSet":{"items":[{"groupId":"sg-2998df4d","groupName":"default"}]},"privateIpAddressesSet":{"item":[{"privateIpAddress":"x.x.x.x","privateDnsName":"ip-x-x-x-x.ec2.internal","primary":true}]},"ipv6AddressesSet":{},"tagSet":{}}}
-
This integration provides metrics to monitor the CloudTrail events using an out-of-the-box AWS CloudTrail dashboard (which can be found under AWS Dashboards). The dashboard for CloudTrail can be viewed as shown in the image below.
Using the Tanzu Observability platform, customers have a consolidated platform for auditing their AWS accounts. This helps customers take action on events that are triggered based on the activities in their AWS accounts.
About the Author
More Content by Kanika Bathla