Get Started with CloudTrail Alerting

F5 Distributed Cloud App Infrastructure Protection (AIP) provides a secure integration with your Amazon Web Services (AWS) account to monitor changes to your infrastructure through CloudTrail. For more information about setting up a CloudTrail integration, see AWS Integrations Overview.

What is Distributed Cloud AIP CloudTrail Monitoring?

AWS CloudTrail monitoring is one way Distributed Cloud AIP comprehensively monitors your infrastructure and workload. Using Distributed Cloud AIP’s CloudTrail integration, you can be alerted on changes to your instances, security groups, S3 buckets, and access keys. You can also determine whether any of these changes had adverse effects on your systems.

If you have multiple AWS accounts, Distributed Cloud AIP lets you track risk across all of them from a single view. With CloudTrail monitoring enabled, you shorten the window between an attacker's (or an insider's) first API call and your response.

How does Distributed Cloud AIP Alert on Non-Compliant Changes to Your Infrastructure?

Distributed Cloud AIP has built-in rules (part of the CloudTrail Base Rule Set) that capture several AWS best practices, alerting users when non-compliant calls are made to their infrastructure.

Let's review some examples below.

Example 1: AWS account compromised, with the attacker tampering with logs

When an account is compromised, one of the first things an attacker does is stop logging and delete the existing trails, so that later activity leaves no record. The CloudTrail Admin Activity ruleset monitors administrator activity on trails, including stopping logging, deleting or updating trails, and creating new trails.


This rule was created with "eventName" as the rule filter parameter. You can build a rule on any "eventName" or "eventSource" value that CloudTrail records.

Example 2: Users running instances in non-standard regions, incurring unexpected costs

The ruleset in this example monitors and alerts you when an instance is launched into a non-standard region.


This rule was created with the combination of "eventName" and region as the rule filter parameters.

Example 3: Are security groups getting created or changed outside of your security policy?

The ruleset in this example monitors and alerts you when a security group is changed.


This rule was created with the following "eventName" values as filter parameters:

  • AuthorizeSecurityGroupEgress
  • AuthorizeSecurityGroupIngress

CloudTrail Alerts

CloudTrail alerts appear on the Alerts page.

  1. Click the CloudTrail tab to display a histogram and a list of all active CloudTrail alerts.
  2. Click the expand / collapse button to display the Filter dialog. For additional information about alert filtering options, see Alert View.
  3. Click List View to display alerts by severity level.


Click an alert to display the alert preview pane along with the following information:

  1. The date and time of the API call
  2. The user name that made the API call
  3. The account associated with the API call
  4. Click the View Contributing Events link to display the last five contributing events that caused the alert.
    • In this example, there was only one contributing event.
  5. Click the View/Edit Rule link to display an Edit CloudTrail Rule dialog that enables you to view and update the following fields:
    • The rule name
    • The alert title
    • Filter options
    • Suppression settings


You can choose to not get alerts on specific users or actions by adding a suppression. For additional information on suppressing alerts, see Suppress an Alert.
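To make the rule filters in Examples 1 to 3 and the suppression mechanism concrete, here is a small rule evaluator written for this article. It is an added example, not Distributed Cloud AIP code and not its API: the rule names and titles, the approved-region list (us-east-1, us-west-2), the user names, the account id and the suppression entry are all invented. It goes beyond the page in two ways: Example 1 is spelled out with the CloudTrail API event names for stopping logging and deleting, updating and creating trails (StopLogging, DeleteTrail, UpdateTrail, CreateTrail), and Example 3 includes the Revoke* counterparts of the two Authorize* events. Each alert is grouped by rule, user and account and keeps only its last five contributing events, mirroring the alert preview pane described above.

```python
"""Rule-based CloudTrail alerting in the style of the three example rules.
Added example, not Distributed Cloud AIP code: rule names, titles, the
approved-region list and the suppression entry are invented for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_CONTRIBUTING = 5  # the alert view shows the last five contributing events


def record(time: str, source: str, name: str, region: str, user: str,
           account: str = "111122223333") -> dict:
    """Build an abbreviated CloudTrail record (placeholder account id)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "userIdentity": {"userName": user},
            "recipientAccountId": account}


# Constructed sample activity: real CloudTrail eventName values, invented users and timeline.
SAMPLE_EVENTS = [
    record("2024-05-01T10:00:00Z", "cloudtrail.amazonaws.com", "StopLogging", "us-east-1", "mallory"),
    record("2024-05-01T10:00:05Z", "cloudtrail.amazonaws.com", "DeleteTrail", "us-east-1", "mallory"),
    record("2024-05-01T10:02:00Z", "ec2.amazonaws.com", "RunInstances", "ap-south-1", "mallory"),
    record("2024-05-01T10:03:00Z", "ec2.amazonaws.com", "RunInstances", "us-east-1", "alice"),
    record("2024-05-01T10:04:00Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "us-east-1", "alice"),
    record("2024-05-01T10:05:00Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "us-east-1", "terraform-ci"),
]


def user_of(ev: dict) -> str:
    return ev.get("userIdentity", {}).get("userName", "<unknown>")


@dataclass(frozen=True)
class Rule:
    name: str
    title: str
    event_names: frozenset                       # eventName values the rule fires on
    event_source: Optional[str] = None           # optional eventSource filter
    allowed_regions: Optional[frozenset] = None  # None: any region; else fire only OUTSIDE these

    def matches(self, ev: dict) -> bool:
        if ev.get("eventName") not in self.event_names:
            return False
        if self.event_source and ev.get("eventSource") != self.event_source:
            return False
        if self.allowed_regions is not None and ev.get("awsRegion") in self.allowed_regions:
            return False  # launched in an approved region: not a finding
        return True


RULES = [
    # Example 1: trail administration (eventName + eventSource filter)
    Rule("trail-admin-activity", "CloudTrail trail stopped, changed or deleted",
         frozenset({"StopLogging", "DeleteTrail", "UpdateTrail", "CreateTrail"}),
         event_source="cloudtrail.amazonaws.com"),
    # Example 2: eventName + region; the approved-region list is an assumption
    Rule("instance-non-standard-region", "Instance launched outside approved regions",
         frozenset({"RunInstances"}), allowed_regions=frozenset({"us-east-1", "us-west-2"})),
    # Example 3: the two Authorize* names from the article plus their Revoke* counterparts
    Rule("security-group-change", "Security group rules changed",
         frozenset({"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"})),
]


@dataclass(frozen=True)
class Suppression:
    """Mute a rule for a specific user and/or action (None means 'any')."""
    rule_name: str
    user_name: Optional[str] = None
    event_name: Optional[str] = None

    def applies(self, rule: Rule, ev: dict) -> bool:
        return (rule.name == self.rule_name
                and (self.user_name is None or user_of(ev) == self.user_name)
                and (self.event_name is None or ev.get("eventName") == self.event_name))


# The CI deployer is expected to edit security groups, so its changes are muted (assumption).
SUPPRESSIONS = [Suppression("security-group-change", user_name="terraform-ci")]


@dataclass
class Alert:
    rule: str
    title: str
    user: str
    account: str
    first_seen: str
    contributing_events: List[dict] = field(default_factory=list)  # newest five only


def evaluate(events: List[dict], rules=RULES, suppressions=SUPPRESSIONS) -> List[Alert]:
    """Match events against rules, drop suppressed matches, group by rule/user/account."""
    alerts: Dict[Tuple[str, str, str], Alert] = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        for rule in rules:
            if not rule.matches(ev) or any(s.applies(rule, ev) for s in suppressions):
                continue
            key = (rule.name, user_of(ev), ev.get("recipientAccountId", ""))
            alert = alerts.setdefault(key, Alert(rule.name, rule.title, key[1], key[2], ev["eventTime"]))
            alert.contributing_events.append(ev)
            del alert.contributing_events[:-MAX_CONTRIBUTING]  # keep the newest five
    return list(alerts.values())


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        names = [e["eventName"] for e in a.contributing_events]
        print(f"{a.first_seen}  {a.title}  user={a.user} account={a.account} events={names}")
```

Run directly, it prints three alerts from the constructed sample: the trail tampering by mallory (two contributing events), mallory's instance launch in ap-south-1, and alice's security group change. The terraform-ci security group change is matched by the rule but dropped by the suppression, and alice's RunInstances call in an approved region produces nothing.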
