AWS: CloudTrail and CloudWatch
CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. You can use it to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. In the Common Information Model, CloudTrail log data is typically mapped to the Authentication and Change data models.
CloudWatch is a service that provides data and actionable insights for AWS, hybrid, and on-premises applications and infrastructure resources. CloudWatch enables you to monitor your complete stack and leverage alarms, logs, and events data to take automated actions and reduce Mean Time to Resolution (MTTR). CloudWatch collects, aggregates, and summarizes compute utilization information like CPU, memory, disk, and network data, as well as diagnostic information like container restart failures, to help DevOps engineers isolate issues and resolve them quickly.
Visibility
CloudTrail data provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. It increases visibility into your user and resource activity by recording AWS Management Console actions and API calls so you can detect unusual activity.
CloudWatch gives you actionable insights that help you optimize application performance, manage resource utilization, and understand system-wide operational health. It allows you to perform historical analysis for cost optimization and derive real-time insights into optimizing applications and infrastructure resources.
Configuration
Additional guidance for onboarding data can be found in the Splunk Documentation:
- Getting Data In (Splunk Enterprise)
- Getting Data In (Splunk Cloud)
- Get data into Splunk Observability Cloud
Application
When your Splunk deployment is ingesting Amazon CloudTrail data and Amazon CloudWatch data, you can use the data to achieve the following AWS security objectives:
- Monitoring AWS EC2 for unusual modifications
- Verifying multifactor authentication usage
- Analyzing AWS service action errors
- Monitoring AWS S3 for suspicious activities
- Monitoring AWS and AWS EC2 for suspicious login activities
- Detecting AWS suspicious provisioning activities
- Detecting suspicious new instances in your EC2 environment
- Detecting AWS network ACL activity
- Monitoring user activity spikes in AWS
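The CIM mapping mentioned above (CloudTrail records onto the Authentication and Change data models) and the "verifying multifactor authentication usage" and "monitoring user activity spikes" objectives can be shown in a few lines of code. The block below is an added example, not Splunk's or AWS's own code: it parses a constructed CloudTrail record batch (the field layout follows CloudTrail's documented record format, but the values are made up), maps each record onto CIM-style field names, and flags successful console logins that did not use MFA. The CIM field names used (`action`, `app`, `src`, `dest`, `user`, `user_type`, `signature`, `user_agent`, `command`, `object`, `object_category`, `status`) are the common Authentication and Change fields; `mfa_used` is an extra field added here for the check and is not a CIM field, and mapping `awsRegion` to `dest` is this example's assumption.

```python
import json
from collections import Counter

# Constructed CloudTrail batch (not real log data). Three ConsoleLogin records
# and one EC2 API call, in the shape CloudTrail writes to S3: {"Records": [...]}.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "198.51.100.10", "userAgent": "Mozilla/5.0",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111111111111:user/bob"},
     "sourceIPAddress": "198.51.100.20", "userAgent": "Mozilla/5.0",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:06:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "arn": "arn:aws:iam::111111111111:user/carol"},
     "sourceIPAddress": "203.0.113.5", "userAgent": "Mozilla/5.0",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-05-01T08:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "198.51.100.10", "userAgent": "aws-cli/2.15",
     "requestParameters": {"instanceType": "t3.micro"}},
]})


def load_records(raw_json):
    """Return the list of CloudTrail records from one log-file batch."""
    return json.loads(raw_json).get("Records", [])


def _user(record):
    identity = record.get("userIdentity", {})
    # Root logins carry no userName, so fall back to the ARN.
    return identity.get("userName") or identity.get("arn", "unknown")


def to_cim_authentication(record):
    """Map a ConsoleLogin record onto CIM Authentication fields."""
    outcome = record.get("responseElements", {}).get("ConsoleLogin", "")
    return {
        "_time": record.get("eventTime", ""),
        "action": "success" if outcome == "Success" else "failure",
        "app": record.get("eventSource", ""),
        "src": record.get("sourceIPAddress", ""),
        "dest": record.get("awsRegion", ""),      # assumption: region stands in for dest
        "user": _user(record),
        "user_type": record.get("userIdentity", {}).get("type", ""),
        "signature": record.get("eventName", ""),
        "user_agent": record.get("userAgent", ""),
        # Not a CIM field; kept so the MFA check below has something to test.
        "mfa_used": record.get("additionalEventData", {}).get("MFAUsed") == "Yes",
    }


def to_cim_change(record):
    """Map a non-login API call onto CIM Change fields."""
    service = record.get("eventSource", "").split(".")[0]   # "ec2.amazonaws.com" -> "ec2"
    return {
        "_time": record.get("eventTime", ""),
        "command": record.get("eventName", ""),
        "object": json.dumps(record.get("requestParameters", {}), sort_keys=True),
        "object_category": service,
        "src": record.get("sourceIPAddress", ""),
        "user": _user(record),
        # CloudTrail sets errorCode only when the API call was denied or failed.
        "status": "failure" if record.get("errorCode") else "success",
    }


def console_logins(records):
    return [to_cim_authentication(r) for r in records if r.get("eventName") == "ConsoleLogin"]


def logins_without_mfa(records):
    """Successful console logins made without MFA: the MFA-verification objective."""
    return [e for e in console_logins(records) if e["action"] == "success" and not e["mfa_used"]]


def failed_logins_by_src(records):
    """Failed console logins per source address, a starting point for spike detection."""
    return Counter(e["src"] for e in console_logins(records) if e["action"] == "failure")


if __name__ == "__main__":
    recs = load_records(SAMPLE_RECORDS)
    for e in logins_without_mfa(recs):
        print(f"no-MFA console login: user={e['user']} src={e['src']} at {e['_time']}")
    print("failed logins by source:", dict(failed_logins_by_src(recs)))
```

In a Splunk deployment the same fields arrive already normalized once the AWS add-on's CIM mappings are applied; the functions here show what those field mappings amount to and what a no-MFA login check is testing against.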
Amazon CloudWatch data can also be used to achieve these objectives: