Tracking network changes with AWS CloudTrail

One of the most perplexing challenges faced by security and IT specialists is tracking network changes, especially in traditional datacenter environments. Amazon Web Services (AWS) gave the cloud an advantage over traditional datacenter deployments when it introduced the AWS CloudTrail service at re:Invent 2013. CloudTrail reports all changes occurring in your environment, including network change information. The list of AWS APIs, and therefore the amount of information that CloudTrail exposes, is extensive. In this blog post we’ll focus on the APIs that manage network changes, especially changes to Security Groups and Network ACLs. Let’s recall the main difference between Security Groups and Network ACLs:

  • Security Groups operate at the instance level and only support allow rules
  • Network ACLs operate at the subnet level and support both allow and deny rules

There are other well-documented differences, but based on the differences noted above, it should be clear that changes to Security Groups or Network ACLs can be very disruptive to your AWS deployment from both a reliability and a cloud security perspective, and are therefore well worth monitoring. Alert Logic’s integration with CloudTrail gives you the ability to:

  1. Review network changes in your AWS environment when troubleshooting network connectivity issues.
  2. Review network changes to meet compliance requirements, like PCI DSS.

To get a list of all network changes using Alert Logic Log Manager, you’ll need to do the following:

  1. Select Log Manager from the top menu of products. (If you’re not using Log Manager today, you can request a demo or trial from
  2. Select the “Messages” link from the navigation menu on the right side of the screen.
  3. Click on the “Context Map” toolbar icon to browse for the correct message context, or select the “Context Map” option from the options menu.
  4. Once the “Context Map” browser window appears, hover over the “Network” context and click the plus sign next to it to add it to the OmniBox search.
  5. If you are successful, the OmniBox search bar should look similar to the following picture: [Image: OmniBox search bar]
  6. Click on the magnifying glass icon located to the right of OmniBox search bar and execute the search.

This search will return all network changes. If you want to be more specific, you can:

  1. Click on the “Network” context item. This will expose:
    1. The set of the “Network” context’s child contexts
    2. The message types mapped to the network context
  2. Hover over a “Context” or a “Message Type” item and click on the plus sign that appears next to it to add the item to the OmniBox search bar. For example, clicking on the plus sign next to the “AWS Create Network Acl Entry” message type will produce a search that returns all messages logged by the CloudTrail service in response to the “CreateNetworkAclEntry” API call (remember that the AWS Console internally calls this API when you create a new Network ACL entry).
  3. If you followed the instructions, your OmniBox search bar should look like this: [Image: OmniBox search bar]
  4. Click on the magnifying glass to execute the search and get all logged “CreateNetworkAclEntry” API messages.
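
The same two searches (all network changes, then only “CreateNetworkAclEntry”) can be reproduced on a raw CloudTrail log file. The Python below is an added example, not part of the original post or of Log Manager; the sample records, account ID, ARNs and resource IDs are constructed.

```python
import json

# EC2 API calls that change Security Groups or Network ACLs.
NETWORK_CHANGE_EVENTS = {
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAcl", "DeleteNetworkAcl", "CreateNetworkAclEntry",
    "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
    "ReplaceNetworkAclAssociation",
}

_WHO = {"arn": "arn:aws:iam::111122223333:user/example-admin"}  # constructed
# Constructed CloudTrail log file content (not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-03-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": _WHO,
     "sourceIPAddress": "198.51.100.7", "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"groupId": "sg-0example"}},
    {"eventTime": "2014-03-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry", "userIdentity": _WHO,
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"networkAclId": "acl-0example", "ruleNumber": 100,
                           "ruleAction": "allow", "cidrBlock": "0.0.0.0/0"}},
    {"eventTime": "2014-03-01T10:16:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": _WHO,
     "sourceIPAddress": "198.51.100.7", "requestParameters": None},
]})

def network_changes(log_text, event_name=None):
    """Summarize Security Group / Network ACL changes, oldest first."""
    changes = []
    for rec in json.loads(log_text).get("Records", []):
        name = rec.get("eventName")
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if name not in NETWORK_CHANGE_EVENTS or (event_name and name != event_name):
            continue
        params = rec.get("requestParameters") or {}  # may be null in the log
        changes.append({
            "time": rec.get("eventTime"),
            "event": name,
            "who": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "target": params.get("networkAclId") or params.get("groupId"),
            # Failed calls are logged too, but they changed nothing.
            "succeeded": "errorCode" not in rec,
        })
    return sorted(changes, key=lambda c: c["time"] or "")
```
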

In the next blog post, we’ll review reports available in Alert Logic Log Manager that help you review AWS network changes as well as discuss how to create scheduled reports (views) for various aspects of network changes in your AWS environment.