Posted at: 2017-07-27 @ 06:49:07
I've been a huge fan of CloudTrail since it was launched. It provides one of the best tools available to see what is happening in your environment. Unfortunately, AWS by default doesn't provide a dashboard or any way to actually process these logs, and the viewer they give you is almost useless.
Hence TrailDash2, a serverless application that takes your CloudTrail logs, pushes them into AWS Elasticsearch and provides a nice dashboard to show off all your handiwork!
The default TrailDash2 dashboard
The source code, CloudFormation templates for deployment, documentation and deployment steps can all be found over at the GitHub site https://github.com/adcreare/traildash2
The basic design of the application is fairly simple. Attach a Lambda trigger to the S3 bucket which contains the CloudTrail files. Every time a new file arrives, the Lambda will trigger. Each file is fetched from S3 and its records are pushed into the Elasticsearch cluster. The custom dashboard then allows that data to be displayed and searched in a more useful way.
TrailDash2 comes from a tool called TrailDash developed by the team from AppliedTrust, https://github.com/AppliedTrust/traildash. Unfortunately they have ended the life of their tool, and creating your own dashboard from scratch isn't that straightforward.
Longer term I have plans for the Lambda function to support alerting on certain event types, probably by publishing to an SNS topic. This would give the administrator a set of alarms for specific kinds of events.
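To make the pipeline above concrete (S3 notification fires the Lambda, the Lambda decompresses the CloudTrail file and turns its records into an Elasticsearch bulk request) and to sketch the planned event-type alerting, here is an added example. It is not TrailDash2's own code and it does not use the project's function names; the S3 bucket is replaced by an in-memory dictionary so it runs offline, the sample CloudTrail records and account id are constructed, and the `ALERT_EVENT_NAMES` watchlist is an assumed example, not something the project ships. In a real deployment `fetch_object` would call `boto3`'s `s3.get_object`, and the bulk body would be sent with a SigV4-signed request to the Elasticsearch domain endpoint.

```python
import gzip
import io
import json
import urllib.parse

# Constructed sample CloudTrail delivery file (the JSON that S3 stores gzip-compressed).
# Account id, IP address and event ids are made up for this example.
SAMPLE_CLOUDTRAIL = {
    "Records": [
        {"eventVersion": "1.05", "eventTime": "2017-07-27T06:49:07Z",
         "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
         "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "eventID": "11111111-1111-1111-1111-111111111111"},
        {"eventVersion": "1.05", "eventTime": "2017-07-27T06:50:12Z",
         "eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
         "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "eventID": "22222222-2222-2222-2222-222222222222"},
        {"eventVersion": "1.05", "eventTime": "2017-07-27T06:51:40Z",
         "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
         "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "eventID": "33333333-3333-3333-3333-333333333333"},
    ]
}

# Constructed object key in the layout CloudTrail uses when delivering to S3.
SAMPLE_KEY = ("AWSLogs/123456789012/CloudTrail/us-east-1/2017/07/27/"
              "123456789012_CloudTrail_us-east-1_20170727T0650Z_example.json.gz")


def gzip_json(obj) -> bytes:
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(json.dumps(obj).encode("utf-8"))
    return buf.getvalue()


# Stand-in for the bucket so the example runs offline. In the real Lambda this is
# s3.get_object(Bucket=bucket, Key=key)["Body"].read() via boto3.
FAKE_BUCKET = {SAMPLE_KEY: gzip_json(SAMPLE_CLOUDTRAIL)}


def fetch_object(bucket: str, key: str) -> bytes:
    return FAKE_BUCKET[key]


def parse_cloudtrail_file(raw: bytes) -> list:
    """Decompress one CloudTrail delivery file and return its Records list."""
    with gzip.GzipFile(fileobj=io.BytesIO(raw), mode="rb") as gz:
        return json.load(gz).get("Records", [])


def index_name_for(record: dict) -> str:
    """Daily index derived from eventTime (e.g. cloudtrail-2017.07.27) so old data can be dropped by index."""
    return "cloudtrail-" + record["eventTime"][:10].replace("-", ".")


def bulk_body(records) -> str:
    """Build an Elasticsearch _bulk request body (NDJSON). Using eventID as the document id
    means a re-delivered S3 notification overwrites the same documents instead of duplicating them."""
    lines = []
    for rec in records:
        lines.append(json.dumps({"index": {"_index": index_name_for(rec),
                                           "_type": "cloudtrail", "_id": rec["eventID"]}}))
        lines.append(json.dumps(rec))
    return "\n".join(lines) + "\n"


# Assumed example watchlist for the alerting idea: API calls that weaken logging or change
# who can act in the account. Tune to your own environment.
ALERT_EVENT_NAMES = {"StopLogging", "DeleteTrail", "UpdateTrail",
                     "CreateUser", "CreateAccessKey", "AttachUserPolicy"}


def alertable(records, watchlist=ALERT_EVENT_NAMES) -> list:
    """Records whose eventName is on the watchlist; these would be published to an SNS topic."""
    return [r for r in records if r.get("eventName") in watchlist]


def handler(event, context=None) -> dict:
    """Lambda entry point for an S3 ObjectCreated notification. Returns what would be sent
    to Elasticsearch (bulk body) and to SNS (alerts) rather than sending it."""
    all_records = []
    for s3_rec in event["Records"]:
        bucket = s3_rec["s3"]["bucket"]["name"]
        key = urllib.parse.unquote_plus(s3_rec["s3"]["object"]["key"])  # keys arrive URL-encoded
        if not key.endswith(".json.gz"):
            continue  # skip digest files and anything else dropped into the bucket
        all_records.extend(parse_cloudtrail_file(fetch_object(bucket, key)))
    return {"count": len(all_records),
            "bulk": bulk_body(all_records),
            "alerts": alertable(all_records)}


# Constructed S3 event in the shape Lambda receives from an s3:ObjectCreated:* trigger.
SAMPLE_EVENT = {"Records": [{"s3": {"bucket": {"name": "my-cloudtrail-bucket"},
                                     "object": {"key": urllib.parse.quote_plus(SAMPLE_KEY, safe="/")}}}]}

if __name__ == "__main__":
    result = handler(SAMPLE_EVENT)
    print(result["count"], "records;", [a["eventName"] for a in result["alerts"]], "flagged")
```

The filename filter matters in practice: CloudTrail also writes digest files into the same bucket prefix when log file validation is enabled, and feeding those to the parser would fail or index junk.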
It's open source, so feel free to modify and extend the application; I will happily accept pull requests as well.