Amazon CloudTrail logging for Amazon Transfer Family
Amazon Transfer Family integrates with both Amazon CloudTrail and Amazon CloudWatch. CloudTrail and CloudWatch serve different but complementary purposes.
-
This topic covers integration with CloudTrail , an Amazon service that creates a record of actions taken within your Amazon Web Services account. It continuously monitors and records API operations for activities like console sign-ins, Amazon Command Line Interface commands, and SDK/API operations. This allows you to keep a log of who took what action, when, and from where. CloudTrail helps with auditing, access management, and regulatory compliance by providing a history of all activity in your Amazon environment. For details, see the Amazon CloudTrail User Guide.
-
Amazon CloudWatch logging for Amazon Transfer Family covers integration with CloudWatch, a monitoring service for Amazon resources and applications. It collects metrics and logs to provide visibility into resource utilization, application performance, and overall system health. CloudWatch helps with operational tasks like troubleshooting issues, setting alarms and autoscaling. For details, see the Amazon CloudWatch User Guide.
A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API operations, so they don't appear in any specific order.
For an ongoing record of events in your Amazon account, including events for Amazon Transfer Family, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all Amazon Regions. The trail logs events from all Regions in the Amazon partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other Amazon services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:
All Amazon Transfer Family actions are logged by CloudTrail and are documented in the Actions
API reference. For example, calls to the
CreateServer, ListUsers and StopServer actions
generate entries in the CloudTrail log files.
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
-
Whether the request was made with root or Amazon Identity and Access Management user credentials.
-
Whether the request was made with temporary security credentials for a role or federated user.
-
Whether the request was made by another Amazon service.
For more information, see the CloudTrail userIdentity element.
If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Amazon Transfer Family. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history.
Using the information collected by CloudTrail, you can determine the request that was made to Amazon Transfer Family, the IP address from which the request was made, who made the request, when it was made, and additional details.
To learn more about CloudTrail, see the Amazon CloudTrail User Guide.
Enable Amazon CloudTrail logging
You can monitor Amazon Transfer Family API operations using Amazon CloudTrail. By monitoring API operations, you can
get useful security and operational information. If you have Amazon S3 object level
logging enabled, RoleSessionName is contained in the Requester
field as [AWS:Role Unique Identifier]/username.sessionid@server-id. For
more information about Amazon Identity and Access Management (IAM) role unique identifiers, see Unique
identifiers in the Amazon Identity and Access Management User Guide.
Important
The maximum length of the RoleSessionName is 64 characters. If the
RoleSessionName is longer, the server-id
Example log entry for creating a server
The following example shows a CloudTrail log entry (in JSON format) that demonstrates the
CreateServer action.
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "AAAA4FFF5HHHHH6NNWWWW:user1", "arn": "arn:aws:sts::123456789102:assumed-role/Admin/user1", "accountId": "123456789102", "accessKeyId": "AAAA52C2WWWWWW3BB4Z", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2018-12-18T20:03:57Z" }, "sessionIssuer": { "type": "Role", "principalId": "AAAA4FFF5HHHHH6NNWWWW", "arn": "arn:aws:iam::123456789102:role/Admin", "accountId": "123456789102", "userName": "Admin" } } }, "eventTime": "2024-02-05T19:18:53Z", "eventSource": "transfer.amazonaws.com", "eventName": "CreateServer", "awsRegion": "us-east-1", "sourceIPAddress": "11.22.1.2", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36", "requestParameters": { "domain": "S3", "hostKey": "HIDDEN_DUE_TO_SECURITY_REASONS", "protocols": [ "SFTP" ], "protocolDetails": { "passiveIp": "AUTO", "tlsSessionResumptionMode": "ENFORCED", "setStatOption": "DEFAULT" }, "securityPolicyName": "TransferSecurityPolicy-2020-06", "s3StorageOptions": { "directoryListingOptimization": "ENABLED" } }, "responseElements": { "serverId": "s-1234abcd5678efghi" }, "requestID": "6fe7e9b1-72fc-45b0-a7f9-5840268aeadf", "eventID": "4781364f-7c1e-464e-9598-52d06aa9e63a", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "123456789102", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "transfer.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }