Module 9: Activity 9 – Working with AWS CloudTrail
Activity overview
In this activity, you will create an AWS CloudTrail trail that audits actions taken in your account. You will then conduct an investigation to determine who modified the Mom & Pop Café website.
The activity starts with an Amazon Elastic Compute Cloud (Amazon EC2) instance named Cafe Web Server, which runs a web application that hosts the Mom & Pop Café website.
- In Task 1, you observe that the website looks normal.
- In Task 2, soon after you create a trail with AWS CloudTrail, you notice that the website has been hacked, and that part of the hack involved an action where someone modified the security group settings.
- In Task 3, you use a variety of methods to analyze the CloudTrail logs, including the Linux grep utility and the AWS CLI.
- In Task 4, you use Amazon Athena to search the CloudTrail logs.
- In the Challenge section that concludes Task 4, you work to identify the hacker.
- In Task 5, now that you have discovered the culprit, you remove that user’s access. You also take steps to reduce the chances that the AWS account and the Mom & Pop Café website will be hacked again.
The architectural diagram here illustrates the setup that is used in this activity