Minimal CloudTrail setup for "AWS API Call via CloudTrail" EventBridge events

0

It looks like, to get the events of type AWS API Call via CloudTrail, I need to have at least one active CloudTrail Trail. However, I still cannot confirm this. The docs aren't very clear on this, and even Support, after two weeks of back-and-forth, cannot say for sure. I have one account where there are zero trails, and yet I do get the events. Support claims it's a bug and that it should not be happening.

I don't actually need CloudTrail, and only want to catch some of the events. CloudTrail can get very expensive quickly, as it stores a bunch of files in S3. So lots of reads, writes and storage accumulate.

Question: What is the most minimal Trail configuration needed, at the lowest cost, with CloudTrail to still be able to capture the AWS API Call via CloudTrail events? And I need to configure this via CloudFormation. The reason I am saying this is that I feel like there is something out of sync between the UI, CF and the APIs. It looks like maybe CF does not yet have the full capabilities of Trail defined. But maybe I am wrong here.

1 Answer
2

To my knowledge there is no limitation when creating CloudTrail via CloudFormation. I'd suggest you use the CloudFormation sample template from here and adjust it based on your requirements. It does have almost all the options included.

As far as EventBridge and event rules are concerned: yes, for all data events, if you want to use event rules then CloudTrail needs to be set up, since CloudTrail doesn't log data events by default. If the requirement is to monitor or trigger on management events only, then creating a trail in CloudTrail is not needed, since those management events are logged by default and can be captured in event rules just by creating rules and specifying a pattern.

Hope you find this helpful.

Reference:

Cloudtrail Logging

Amazon EventBridge setup and prerequisites

EDIT:

Anything that's related to configuration, e.g. modifying an IAM role, creating a Lambda function, an RDS cluster, a log group, etc., is a management event. A common example of a data event is accessing files in Amazon S3.

Here are the options that you can exclude to reduce overall CloudTrail cost:

  1. Exclude CloudWatch Logs in CloudTrail (keep the Enabled check box unchecked).
  2. If the requirement is only for data events, then keep only data events in it. CloudTrail by default logs management events and keeps them for 90 days, which can be used by event rules. You should include management events while creating a trail only if you want to keep a history of management events beyond 90 days (CloudTrail's default retention period, which can't be adjusted).
  3. Record management events in the new trail only when it's truly required to keep history beyond 90 days, as the first delivery of each management event for an account is free and you wouldn't want to pay for that if retention is not required.
  4. Avoid any possibility of duplicate trails, as that drives cost up.
  5. Keep "Exclude AWS KMS events" and "Exclude Amazon RDS Data API events" unchecked if really not required, as those API calls would be numerous if S3 buckets in your account are KMS-key encrypted, and the same goes for the RDS Data API.
  6. Set up a budget, which would alert you if your cost goes above the defined threshold.

Refer to Managing CloudTrail costs for more information and details.

If you have any additional questions, feel free to comment. Happy to help.

AWS
EXPERT
answered 9 months ago
  • @Abhishek_At_AWS Thanks for your input. How can I know which events are "management events"?

    Also, my main question was about the minimal part of the Trail setup. How can I get a Trail with the least number of events possible, to reduce billing? Given that I don't need to trail anything, but I want to get all of the events in EB.

  • Anything that's related to configuration, e.g. modifying an IAM role, creating a Lambda function, an RDS cluster, a log group, etc., is a management event. A common example of a data event is accessing files in Amazon S3.

    Here are the options that you can exclude to reduce overall CloudTrail cost:

    1. CloudWatch Logs (keep the Enabled check box unchecked).
    2. If the requirement is only for data events, then keep only data events in it. CloudTrail by default logs management events and keeps them for 90 days, which can be used by event rules. You should include management events while creating a trail only if you want to keep a history of management events beyond 90 days (CloudTrail's default retention period, which can't be adjusted).
    3. Record management events in the new trail only when it's truly required to keep history beyond 90 days, as the first delivery of each management event for an account is free and you wouldn't want to pay for that if retention is not required.
    4. Avoid any possibility of duplicate trails, as that drives cost up.
    5. Keep "Exclude AWS KMS events" and "Exclude Amazon RDS Data API events" unchecked if really not required, as those API calls would be numerous if S3 buckets in your account are KMS-key encrypted, and the same goes for the RDS Data API.
    6. Set up a budget, which would alert you if your cost goes above the defined threshold.

    If you have any additional questions, feel free to comment. Happy to help.

    I've updated my answer in EDIT section.

  • Hi,

    Do you have any additional questions? Happy to help.
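As an added illustration of the answer's point (not part of the original answer or of the AWS sample template): a CloudFormation template whose trail records only S3 write data events for one bucket, leaving management events out since those already reach EventBridge without a trail, plus a rule on "AWS API Call via CloudTrail" for exactly those writes. The LogBucketName, WatchedBucketName and AlertTopicArn parameters are assumptions; the log bucket's policy is assumed to already allow cloudtrail.amazonaws.com to write to it, and the SNS topic to allow events.amazonaws.com to publish.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - data-events-only trail plus an EventBridge rule for those calls

Parameters:
  LogBucketName:
    Type: String
    Description: Existing bucket whose policy already lets cloudtrail.amazonaws.com write (assumed)
  WatchedBucketName:
    Type: String
    Description: Bucket whose object-level writes should be recorded and reach EventBridge
  AlertTopicArn:
    Type: String
    Description: Existing SNS topic that receives matched events (assumed)

Resources:
  DataEventsOnlyTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName: !Ref LogBucketName
      IsLogging: true
      IsMultiRegionTrail: false          # one region only, keeps delivered volume down
      IncludeGlobalServiceEvents: false  # IAM/STS calls are management events, not needed here
      EnableLogFileValidation: true      # digest files give tamper evidence at little extra cost
      EventSelectors:
        - ReadWriteType: WriteOnly       # skip GetObject reads, normally the bulk of S3 data events
          IncludeManagementEvents: false # first copy of management events is already free
          DataResources:
            - Type: AWS::S3::Object
              Values:
                - !Sub "arn:aws:s3:::${WatchedBucketName}/"   # trailing slash = all objects

  S3WriteApiCallRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          eventSource:
            - s3.amazonaws.com
          eventName:
            - PutObject
            - DeleteObject
          requestParameters:
            bucketName:
              - !Ref WatchedBucketName
      Targets:
        - Id: AlertTopic
          Arn: !Ref AlertTopicArn
```

Without the trail, the rule above never fires, because object-level S3 calls are data events; a rule on management events (for example eventSource iam.amazonaws.com) needs no trail at all.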
