Understanding AWS CloudTrail Network Activity Logs for VPC Endpoints
AWS CloudTrail now supports Amazon VPC endpoint network activity events. This capability records and monitors AWS API activity on VPC endpoints, strengthening both data perimeter and detective controls.
In the past, it was difficult to detect possible data exfiltration attempts and unauthorized access to your network’s resources through VPC endpoints. Even though VPC endpoint policies could be configured to block access from external accounts, there was no built-in way to record denied actions or to identify external credentials being used at a VPC endpoint. To inspect and analyse TLS traffic, you often had to build custom solutions, which can be expensive to operate and defeat the purpose of encrypted communications.
With this new feature, you can choose to log all AWS API activity that passes through your VPC endpoints. CloudTrail captures both control plane and data plane operations traversing a VPC endpoint and records them as a new event type called network activity events.
CloudTrail’s network activity events offer a number of important advantages:
- Complete visibility: Record every API operation that passes through VPC endpoints, even if it isn’t initiated by an AWS account.
- External credential detection: Find out when credentials from outside your organisation are being used at your VPC endpoints.
- Data exfiltration prevention: Identify and investigate possible unauthorized data movement attempts.
- Improved security monitoring: Gain insight into any AWS API activity at your VPC endpoints without having to decrypt TLS traffic.
- Regulatory compliance visibility: By monitoring all API activity that passes through, you can better meet regulatory requirements.
Getting started with VPC endpoint logging using network activity events
To enable network activity events, open the AWS CloudTrail console, select Trails in the navigation pane, and then choose Create trail. Enter a name in the Trail name field and select an Amazon Simple Storage Service (Amazon S3) bucket to hold the event logs. When you create a trail, you can store its event logs in an existing Amazon S3 bucket or create a new one.
If you select Enabled for Log file SSE-KMS encryption, you have two choices: select Existing to use an existing AWS Key Management Service (AWS KMS) key, or select New to create one. If you selected New, enter an alias in the AWS KMS alias field. CloudTrail applies the key policy for you and uses this KMS key to encrypt your log files. The S3 bucket and the KMS key must be in the same AWS Region. This example uses an existing KMS key.
Once the trail is configured, CloudTrail starts recording network activity events for your VPC endpoints. You can examine these events by retrieving the relevant logs through the CloudTrail console, the AWS Command Line Interface (AWS CLI), or the AWS SDKs. CloudTrail Lake can also be used to record, store, and analyse network activity events. If you’re using Trails, you can use Amazon Athena to query and filter these events by specific criteria. Regularly analysing these events helps you maintain security, meet regulatory requirements, and optimise your network architecture in AWS.
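The console steps above have an API equivalent, and the logs they produce are only useful once something reads them. The following Python is an added example written for this page; it is not code from the original article or from AWS. It builds the advanced event selectors that switch on network activity events for a trail (the `put-event-selectors` call behind the console), and then triages a few constructed network activity records for the two conditions the article highlights: calls denied by the VPC endpoint policy, and calls signed with credentials from an account outside your organisation. Assumptions not stated on the page: the selector values (`NetworkActivity`, `VpceAccessDenied`) and record field names (`vpcEndpointId`, `vpcEndpointAccountId`, `userIdentity.accountId`) follow the CloudTrail documentation as the author understands it, the event sources listed are ones the author believes are supported, and every sample event is made up.

```python
"""Added example (not from the article or AWS): enable CloudTrail network
activity events for a trail and triage the resulting records.

Assumptions: field values and record layout follow CloudTrail's documented
network activity event format as understood by the author; sample events
below are constructed, not captured."""
import json


def build_network_activity_selectors(event_sources, denied_only=False):
    """Return one advanced event selector per event source. With
    denied_only=True the selector also requires errorCode == VpceAccessDenied,
    so only calls blocked by the endpoint policy are recorded; that keeps
    volume down when the goal is data-perimeter alerting rather than audit."""
    selectors = []
    for source in event_sources:
        fields = [
            {"Field": "eventCategory", "Equals": ["NetworkActivity"]},
            {"Field": "eventSource", "Equals": [source]},
        ]
        if denied_only:
            fields.append({"Field": "errorCode", "Equals": ["VpceAccessDenied"]})
        selectors.append({"Name": f"Network activity for {source}",
                          "FieldSelectors": fields})
    return selectors


def apply_selectors(trail_name, selectors):
    """Attach the selectors to an existing trail. CLI equivalent:
    aws cloudtrail put-event-selectors --trail-name NAME \
        --advanced-event-selectors file://selectors.json
    boto3 is imported lazily so the offline part of this file runs without it
    (assumption: boto3 installed and AWS credentials configured when called)."""
    import boto3
    client = boto3.client("cloudtrail")
    return client.put_event_selectors(TrailName=trail_name,
                                      AdvancedEventSelectors=selectors)


# Constructed sample records, trimmed to the fields the triage uses.
# 111111111111 is the account that owns the endpoint; 999999999999 is external.
SAMPLE_EVENTS = [
    {"eventCategory": "NetworkActivity", "eventType": "AwsVpceEvent",
     "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111"},
     "vpcEndpointId": "vpce-0123456789abcdef0",
     "vpcEndpointAccountId": "111111111111", "sourceIPAddress": "10.0.1.25"},
    {"eventCategory": "NetworkActivity", "eventType": "AwsVpceEvent",
     "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"type": "IAMUser", "accountId": "999999999999"},
     "vpcEndpointId": "vpce-0123456789abcdef0",
     "vpcEndpointAccountId": "111111111111", "sourceIPAddress": "10.0.1.40"},
    {"eventCategory": "NetworkActivity", "eventType": "AwsVpceEvent",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "accountId": "999999999999"},
     "vpcEndpointId": "vpce-0fedcba9876543210",
     "vpcEndpointAccountId": "111111111111", "sourceIPAddress": "10.0.2.7",
     "errorCode": "VpceAccessDenied"},
    {"eventCategory": "Management", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "accountId": "999999999999"}},
]


def triage(events, trusted_accounts):
    """Flag network activity events that were denied by the endpoint policy or
    were signed by an account outside trusted_accounts. A record with no
    caller account is treated as external. Other event categories are
    skipped so the same loop can run over a mixed CloudTrail log."""
    findings = []
    for ev in events:
        if ev.get("eventCategory") != "NetworkActivity":
            continue
        caller = ev.get("userIdentity", {}).get("accountId")
        base = {"endpoint": ev.get("vpcEndpointId"), "account": caller,
                "api": f"{ev.get('eventSource')}:{ev.get('eventName')}"}
        if ev.get("errorCode") == "VpceAccessDenied":
            findings.append(dict(base, finding="vpce_access_denied"))
        if caller not in trusted_accounts:
            findings.append(dict(base, finding="external_credentials"))
    return findings


if __name__ == "__main__":
    print(json.dumps(build_network_activity_selectors(
        ["ec2.amazonaws.com", "kms.amazonaws.com"]), indent=2))
    for finding in triage(SAMPLE_EVENTS, trusted_accounts={"111111111111"}):
        print(finding)
```

Running the script prints the selector JSON you would pass to `put-event-selectors` and three findings: one endpoint-policy denial and two uses of external credentials, one of which was allowed by the endpoint policy and is exactly the case that was invisible before this feature. In production the `trusted_accounts` set would come from your AWS Organizations account list, and the records would come from the trail's S3 bucket, CloudTrail Lake, or an Athena query rather than from an inline list.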
Now available
CloudTrail network activity events for VPC endpoints help you improve your security posture, detect potential threats, and gain a deeper understanding of your VPC network traffic. This capability addresses the need for thorough visibility and control over your AWS environments.
Network activity events for VPC endpoints are available in all commercial AWS Regions.