Checking for AWS WAF updates using AWS CloudTrail

【Table of contents】

  1. Introduction
  2. What is AWS CloudTrail?
  3. Update Acquisition Procedure
  4. Conclusion

1. Introduction

WafCharm updates the AWS WAF rules in the customer's environment. Because this process is automatic, it may seem difficult to tell when an update took place, but you can find the update timing using AWS CloudTrail. This post shows how to check it with AWS CloudTrail.

2. What is AWS CloudTrail?

AWS CloudTrail is a service for governance, compliance, operational auditing and risk auditing of AWS accounts. Put simply, it keeps a record of all changes made to your AWS account. This makes it useful when responding to an audit, and also for follow-up confirmation when a problem occurs.
https://aws.amazon.com/jp/cloudtrail/
https://aws.amazon.com/jp/cloudtrail/features/

3. Procedure for Obtaining Information

We will explain the procedure using the example of updating the AWS WAF blacklist IPs. First, open the AWS CloudTrail dashboard and click "Event History". The event history can be filtered, so select "CreateIPSet" for "Event Name". You can also specify the time period and download the contents.
If you check the details of an event, you will see that the IP address of the connection source that executed the event is also listed.
You can also filter the data after downloading the list. The filter items can be specified in various ways, and it is also possible to output data on a per-user basis. The items available for filtering cover the services supported by AWS CloudTrail. Please check the official information for details.
https://docs.aws.amazon.com/ja_jp/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html?icmpid=docs_cloudtrail_console
Please change the region according to your environment (for example, Northern Virginia for CloudFront).
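The filtering described above (event name, time period, per-user output, source IP) can also be applied to the downloaded list offline. The following is an added example, not code from WafCharm or AWS: it assumes the download is JSON with a top-level "Records" list of standard CloudTrail records, and the sample records, ARNs and role name are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

ROLE = "arn:aws:sts::111122223333:assumed-role/example-waf-role/session"  # hypothetical
USER = "arn:aws:iam::111122223333:user/example-admin"                     # hypothetical

def _rec(time, name, source, ip, arn):
    """Build one constructed record using standard CloudTrail field names."""
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "awsRegion": "us-east-1", "sourceIPAddress": ip,
            "userIdentity": {"arn": arn}}

# Constructed sample, shaped like an event-history JSON download
# (assumption: a top-level "Records" list).
SAMPLE_DOWNLOAD = json.dumps({"Records": [
    _rec("2024-05-01T02:15:09Z", "CreateIPSet", "wafv2.amazonaws.com", "198.51.100.10", ROLE),
    _rec("2024-05-01T09:40:00Z", "CreateIPSet", "wafv2.amazonaws.com", "203.0.113.25", USER),
    _rec("2024-05-01T09:41:30Z", "ConsoleLogin", "signin.amazonaws.com", "203.0.113.25", USER),
    _rec("2024-05-03T02:15:11Z", "CreateIPSet", "wafv2.amazonaws.com", "198.51.100.10", ROLE),
]})

def parse_time(value):
    """CloudTrail eventTime is UTC in ISO 8601 form, e.g. 2024-05-01T02:15:09Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def events_by_identity(download_json, event_names, start, end):
    """Filter by event name and time window, then group per calling identity."""
    grouped = defaultdict(list)
    for rec in json.loads(download_json).get("Records", []):
        if rec.get("eventName") not in event_names:
            continue
        when = parse_time(rec["eventTime"])
        if not (start <= when < end):
            continue
        identity = rec.get("userIdentity") or {}
        who = identity.get("arn") or identity.get("type") or "unknown"
        grouped[who].append((rec["eventTime"], rec["eventName"],
                             rec.get("awsRegion"), rec.get("sourceIPAddress")))
    return dict(grouped)

if __name__ == "__main__":
    day = datetime(2024, 5, 1, tzinfo=timezone.utc)
    result = events_by_identity(SAMPLE_DOWNLOAD, {"CreateIPSet"}, day, day.replace(day=2))
    for who, events in result.items():
        print(who)
        for event in events:
            print("   ", *event)
```

Grouping by identity separates IP set changes made by an automation role from those made by a person, and the source IP column shows where each call came from.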

4. Conclusion

Using CloudTrail, you can see in log format which module was modified by which entity. You can follow the activities of WafCharm using this service too.