AWS IAM User Activities: Identifying AWS Management Console Logins | Best Method

Identifying AWS Management Console Logins

Question

One of your company's AWS accounts has dozens of IAM users.

Yesterday, several IAM users performed some unexpected operations, such as terminating EC2 instances.

CloudTrail is enabled in the account, and the logs are stored in an S3 bucket and a CloudWatch Log group.

You want to identify all AWS Management Console logins that occurred over a 24-hour period.

Which of the following methods is the easiest and most cost-efficient?

Answers

Explanations


Correct Answer - D.

Option A is incorrect: With Athena, you can perform a query to get the required console login information as below:

  select useridentity.username, sourceipaddress, eventtime, additionaleventdata
  from default.cloudtrail_logs
  where eventname = 'ConsoleLogin'
    and eventtime >= '2019-12-17T00:00:00Z'
    and eventtime < '2019-12-18T00:00:00Z';

However, this method is neither the easiest nor the most cost-effective approach.

Option B is incorrect because checking the configuration timeline of every EC2 instance is time-consuming, and users may not have touched any EC2 instance at all after logging in to AWS.

Option C is incorrect: the approach could work in principle, but ConsoleLogin is an event name, not a resource type, so the filter as described would not match.

Option D is CORRECT because the CloudTrail events are already delivered to the CloudWatch Logs log group, where searching for the ConsoleLogin events over the 24-hour window is straightforward.

Details can be found at https://aws.amazon.com/blogs/mt/analyzing-cloudtrail-in-cloudwatch/.

The best method for identifying all AWS Management Console logins that occurred over a 24-hour period among dozens of IAM users in an AWS account is to use AWS CloudTrail.

AWS CloudTrail provides a comprehensive record of AWS account activity and can be used to identify who did what, when, and from where across your AWS infrastructure. In this case, CloudTrail is enabled in the AWS account, and the logs are stored in an S3 bucket and a CloudWatch Log group, which means all actions taken by IAM users will be logged in CloudTrail.

To identify all AWS Management Console logins that occurred over a 24-hour period, the easiest and most cost-efficient method is to use the CloudTrail event history. The steps to achieve this are as follows:

  1. Log in to the AWS CloudTrail console.

  2. In the event history, filter the resource type to ConsoleLogin.

  3. Select the time range of yesterday.

This will display a list of all ConsoleLogin events that occurred during the specified time range, which will include all AWS Management Console logins.
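Whichever store you query (Athena over the S3 files under option A, a search in the CloudWatch Logs group under option D, or the event history filter in the steps above), the selection logic is the same: keep records whose eventName is ConsoleLogin and whose eventTime falls inside the 24-hour window, bounded on both sides. The script below is an added example, not part of the original page and not AWS tooling; it applies that filter to a constructed CloudTrail log file in the {"Records": [...]} shape CloudTrail delivers to S3. The account ID 123456789012, the user names and the IP addresses are placeholders, and the review heuristic at the end (failed logins, logins without MFA, root logins) is this example's own addition rather than something the question requires.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail log file in the {"Records": [...]} shape delivered to S3.
# Account ID 123456789012, user names and IPs (TEST-NET ranges) are placeholders.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {   # successful IAM user login with MFA
        "eventTime": "2019-12-17T08:15:22Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No"},
    },
    {   # failed login attempt, no MFA
        "eventTime": "2019-12-17T09:02:41Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No"},
    },
    {   # root user login: the userIdentity block has no userName field
        "eventTime": "2019-12-17T23:59:59Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "192.0.2.44", "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No"},
    },
    {   # an EC2 API call by the same user: not a console login, must be skipped
        "eventTime": "2019-12-17T10:30:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # console login exactly at the end of the window: excluded by the < bound
        "eventTime": "2019-12-18T00:00:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
        "sourceIPAddress": "203.0.113.99", "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No"},
    },
]})


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_name(user_identity):
    """IAM users carry userName; the root user does not, so fall back to the ARN."""
    return user_identity.get("userName") or user_identity.get("arn", "<unknown>")


def console_logins(log_file_text, start, end):
    """ConsoleLogin events with start <= eventTime < end, oldest first.

    Same selection as the Athena query and the CloudWatch Logs search on the page:
    match on the event name (not a resource type) and bound eventTime on both sides.
    """
    hits = []
    for rec in json.loads(log_file_text)["Records"]:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        when = parse_event_time(rec["eventTime"])
        if not (start <= when < end):
            continue
        identity = rec.get("userIdentity", {})
        hits.append({
            "time": when,
            "user": principal_name(identity),
            "is_root": identity.get("type") == "Root",
            "source_ip": rec.get("sourceIPAddress"),
            "outcome": rec.get("responseElements", {}).get("ConsoleLogin", "Unknown"),
            "mfa_used": rec.get("additionalEventData", {}).get("MFAUsed") == "Yes",
        })
    hits.sort(key=lambda h: h["time"])
    return hits


def logins_for_day(log_file_text, day):
    """All console logins on one UTC calendar day, given as 'YYYY-MM-DD'."""
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return console_logins(log_file_text, start, start + timedelta(days=1))


def flag_for_review(logins):
    """Logins to look at first: failures, logins without MFA, and root logins."""
    return [h for h in logins
            if h["outcome"] != "Success" or not h["mfa_used"] or h["is_root"]]


if __name__ == "__main__":
    for h in logins_for_day(SAMPLE_LOG_FILE, "2019-12-17"):
        print(h["time"].isoformat(), h["user"], h["source_ip"], h["outcome"],
              "MFA" if h["mfa_used"] else "no-MFA")
```

Two details matter in practice and are handled above: the root user's record has no userName (the ARN is used instead), and the window is half-open, so a login at exactly 2019-12-18T00:00:00Z belongs to the next day, matching the >= and < bounds of the Athena query.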

Option A, using AWS Athena to run SQL queries against the CloudTrail log files and filter the activities to view only ConsoleLogin events that happened during the last 24 hours, is also a valid method, but it may be more complicated and costly compared to using the CloudTrail event history.

Option B, looking up all EC2 instances in AWS Config and checking the configuration timeline for each instance to find out who logged in to the AWS console, is not a valid method since it does not provide a complete picture of all AWS Management Console logins, especially for actions taken outside of EC2 instances.

Option D, searching for the logs that contain the ConsoleLogin event type over the 24-hour period in the CloudWatch Log group, is not the most efficient method since CloudWatch Logs are mainly used for real-time monitoring and troubleshooting rather than historical analysis. Moreover, not all ConsoleLogin events are captured in CloudWatch Logs by default.