|
At this time, I’m excited to announce new updates to AWS CloudTrail Lake, which is a managed information lake you should use to mixture, immutably retailer, and question occasions recorded by AWS CloudTrail for auditing, safety investigation, and operational troubleshooting.
The brand new updates in CloudTrail Lake are:
- Enhanced filtering choices for CloudTrail occasions
- Cross-account sharing of occasion information shops
- Basic availability of the generative AI–powered pure language question era
- AI-powered question outcomes summarization functionality in preview
- Complete dashboard capabilities, together with a high-level overview dashboard with AI-powered insights (AI-powered insights is in preview), a collection of 14 pre-built dashboards for varied use circumstances, and the flexibility to create customized dashboards with scheduled refreshes
Let’s look into the brand new options one after the other.
Enhanced filtering choices for CloudTrail occasions ingested into occasion information shops
Enhanced occasion filtering capabilities provide you with higher management over which CloudTrail occasions are ingested into your occasion information shops. These enhanced filtering choices present tighter management over your AWS exercise information, bettering the effectivity and precision of safety, compliance, and operational investigations. Moreover, the brand new filtering choices assist you cut back your evaluation workflow prices by ingesting solely essentially the most related occasion information into your CloudTrail Lake occasion information shops.
You’ll be able to filter each administration and information occasions primarily based on attributes equivalent to eventSource, eventType, eventName, userIdentity.arn, and sessionCredentialFromConsole.
I’m going to the AWS CloudTrail console and select Occasion information shops beneath Lake within the navigation pane. I select Create occasion information retailer. In step one, I enter a reputation within the Occasion information retailer title area. For this demo, I go away different fields as default. You’ll be able to select the pricing and retention choices that fit your wants. Within the subsequent step, I select Managements occasions and Information occasions beneath CloudTrail occasions. You’ll be able to embody all of the choices you want beneath CloudTrail occasions. You even have the choice to decide on ingestion choices. I select Ingest occasions to start out ingesting when it’s created. There could also be situations, once you wish to deselect the Ingest occasions choice to cease an occasion information retailer from ingesting occasions. For instance, chances are you’ll be copying path occasions to the occasion information retailer and don’t need the occasion information retailer to gather any future occasions. You may as well select to allow ingestion for all accounts in your group or embody solely the present area in your occasion information retailer.
The next instance exhibits an out of the field template for filtering, which excludes any administration occasions which are initiated by an AWS Service. I select Superior occasion assortment beneath the Administration occasions. I select Exclude AWS service-initiated occasions from the Log selector template dropdown. You may as well increase the JSON view to see how the filters really apply.
Below the Information occasions, the next instance creates a filter to incorporate DynamoDB information occasions initiated by a sure person, serving to me to log occasions primarily based on an IAM principal. I select DynamoDB as Useful resource sort. I select Customized as Log selector template. Below the Superior occasion selector, I select userIdentity.arn as Subject and equals as Operator. I enter the person’s ARN as Worth. I select Subsequent and select Create occasion information retailer within the ultimate step.
Now, I’ve my occasion information retailer that provides me granular management over the ingested CloudTrail information.
This expanded set of filtering choices lets you be extra selective in capturing solely essentially the most related occasions in your safety, compliance, and operational wants.
Cross-account sharing of occasion information shops
You should use the cross-account sharing characteristic of occasion information shops to boost collaborative evaluation inside organizations. It permits safe sharing of occasion information shops with chosen AWS principals via Useful resource-Primarily based Insurance policies (RBP). This performance permits approved entities to question shared occasion information shops throughout the similar AWS Area the place they have been created.
To make use of this characteristic, I’m going to the AWS CloudTrail console and select Occasion information shops beneath Lake within the navigation pane. I select an occasion information retailer from the record and navigate to its particulars web page. I select Edit within the Useful resource coverage part. The next instance coverage features a assertion that permits root customers in accounts 111111111111, 222222222222, and 333333333333 to run queries and get question outcomes on the occasion information retailer owned by account ID 999999999999. I select Save modifications to avoid wasting the coverage.
Generative AI–powered pure language question era in CloudTrail Lake is now usually accessible
In June, we introduced this characteristic for CloudTrail Lake in preview. With this launch, you’ll be able to generate SQL queries utilizing pure language questions to simply discover and analyze AWS exercise logs (solely administration, information, and community exercise occasions) with no need technical SQL experience. The characteristic makes use of generative AI to transform pure language questions into ready-to-use SQL queries you’ll be able to run immediately within the CloudTrail Lake console. This simplifies the method of exploring occasion information shops and retrieving insights equivalent to error counts, high companies used, and the causes of errors. This characteristic can be accessible via the AWS Command Line Interface (AWS CLI), offering extra flexibility for customers preferring command-line operations. The preview weblog put up supplies step-by-step directions on learn how to get began with the pure language question era characteristic in CloudTrail Lake.
CloudTrail Lake generative AI–powered question outcomes summarization functionality in preview
Constructing on the aptitude of pure language question era, we’re introducing a brand new AI-powered question outcomes summarization characteristic in preview to additional simplify the method of analyzing AWS account exercise. With this characteristic, you’ll be able to simply extract invaluable insights out of your AWS exercise logs (solely administration, information, and community exercise occasions) by robotically summarizing the important thing factors out of your question ends in pure language, lowering the effort and time required to know the data.
To do this characteristic, I’m going to the AWS CloudTrail console and select Question beneath Lake within the navigation pane. I select an occasion information retailer for my CloudTrail Lake question from the dropdown record in Occasion information retailer. You should use summarization no matter whether or not the question was written manually or generated by generative AI. For this instance, I’ll use the pure language question era functionality. Within the Question generator, I enter the next immediate within the Immediate area utilizing pure language:
What number of errors have been logged throughout the previous month for every service and what was the reason for every error?
Then, I select Generate question. The next SQL question is robotically generated:
SELECT eventsource,
errorcode,
errormessage,
depend(*) as errorcount
FROM a0******
WHERE eventtime >= '2024-10-14 00:00:00'
AND eventtime <= '2024-11-14 23:59:59'
AND (
errorcode IS NOT NULL
OR errormessage IS NOT NULL
)
GROUP BY 1,
2,
3
ORDER BY 4 DESC;I select Run to get the outcomes. To make use of the summarization functionality, I select Summarize outcomes within the Question outcomes tab. CloudTrail robotically analyzes the question outcomes and supplies a pure language abstract of the important thing insights. It’s essential to notice that there’s a month-to-month quota of three MB for question outcomes that may be summarized.
This new summarization functionality can prevent effort and time in understanding your AWS exercise information by robotically producing significant summaries of the important thing findings.
Complete dashboard capabilities
Lastly, let me let you know concerning the new dashboard capabilities of CloudTrail Lake to boost visibility and evaluation throughout your AWS environments.
The primary one is a Highlights dashboard that gives you with an easy-to-view abstract of the info captured in your CloudTrail Lake administration and information occasions saved in occasion information shops. This dashboard makes it simpler to rapidly determine and perceive essential insights, equivalent to the highest failed API calls, developments in failed login makes an attempt, and spikes in useful resource creation. It surfaces any anomalies or uncommon developments within the information.
I’m going to the AWS CloudTrail console and select Dashboard beneath Lake within the navigation pane to take a look at the Highlights dashboard. First, I allow Highlights dashboard by selecting Agree and allow Highlights.
I take a look at the Highlights dashboard as soon as it populates with information.
The second addition to the brand new dashboard capabilities is a collection of 14 pre-built dashboards. These dashboards are designed for various personas and use circumstances. For instance, the security-focused dashboards assist you to trace and analyze key safety indicators, equivalent to high entry denied occasions, failed console login makes an attempt, and customers who’ve disabled multi-factor authentication (MFA). There are additionally pre-built dashboards for operational monitoring, highlighting developments in errors and availability points, equivalent to high APIs with throttling errors and high customers with errors. You may as well use the dashboards centered on particular AWS companies equivalent to Amazon EC2 and Amazon DynamoDB, which assist you determine safety dangers or operational issues inside these specific service environments.
You’ll be able to create your individual dashboards and optionally set schedules for refreshing them. This degree of customization helps you tailor the CloudTrail Lake evaluation capabilities to your exact monitoring and investigative wants throughout your AWS environments.
I swap to the Managed and customized dashboards to watch the customized and pre-built dashboards.
I select IAM exercise dashboard pre-built dashboard to watch general IAM exercise. You’ll be able to select Save as new dashboard to customise this dashboard.
To create a customized dashboard from scratch, I’m going to Dashboard beneath Lake within the navigation pane and select Construct my very own dashboard. I enter a reputation within the Enter a reputation for the dashboard area and select occasion information shops beneath Permissions, to visualise the occasions. Subsequent, I select Create dashboard.
Now, I can add widgets to my dashboard. You’ve the flexibleness to customise your dashboards in a number of methods. You’ll be able to choose from an inventory of pre-built pattern widgets utilizing Add pattern widget, or you’ll be able to create your individual customized widgets utilizing Create new widget. For every widget, you’ll be able to select the kind of visualization you like, equivalent to a line graph, bar graph, or different choices to greatest characterize your information.
Now accessible
The brand new options in AWS CloudTrail Lake characterize a significant development in offering a complete audit logging and evaluation resolution. These enhancements present the flexibility to realize extra profound understanding and conduct investigations extra quickly, aiding with extra preventative monitoring and sooner incident dealing with throughout your whole AWS environments.
Now you can begin utilizing generative AI–powered pure language question era in CloudTrail Lake in US East (N. Virginia), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), and Europe (London) AWS Areas.
CloudTrail Lake generative AI–powered question outcomes summarization functionality is accessible in preview in US East (N. Virginia), US West (Oregon), and Asia Pacific (Tokyo) Areas.
Enhanced filtering choices, cross-account sharing of occasion information shops and dashboards can be found in all of the Areas the place CloudTrail Lake is accessible, except for generative AI–powered summarization characteristic on the Highlights dashboard being accessible solely in US East (N. Virginia), US West (Oregon), and Asia Pacific (Tokyo) Areas.
Operating queries will incur CloudTrail Lake question fees. For extra particulars on pricing, go to AWS CloudTrail pricing.