Logging and monitoring in AWS CloudShell
This topic describes how you can log and monitor AWS CloudShell activity and performance with CloudTrail.
Monitoring activity with CloudTrail
AWS CloudShell is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or AWS service in AWS CloudShell. CloudTrail captures all API calls for AWS CloudShell as events. The calls captured include calls from the AWS CloudShell console and code calls to the AWS CloudShell API.
If you create a trail, you can enable the continuous delivery of CloudTrail events to an Amazon Simple Storage Service (Amazon S3) bucket. This includes events for AWS CloudShell.
If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can discover a variety of information about a request. For example, you can determine the request that was made to AWS CloudShell, the IP address that the request was made from, who made the request, and when it was made.
AWS CloudShell in CloudTrail
AWS CloudShell supports logging the following actions as events in CloudTrail log files:
createEnvironment
createSession
deleteEnvironment
deleteSession
getEnvironmentStatus*
getFileDownloadUrls*
getFileUploadUrls*
getLayout*
putCredentials
redeemCode
sendHeartBeat
startEnvironment
stopEnvironment
updateLayout
*Non-mutating (read-only) API calls.
Events that include the word "Environment" in their names relate to the lifecycle of the compute environment that hosts the shell experience.
Events that include the word "Layout" relate to saving and restoring the layout of browser tabs in the CloudShell terminal.
The sendHeartBeat event occurs to confirm that the session is active. The putCredentials event occurs when the credentials the user signed in to the console with are forwarded to AWS CloudShell. The deleteSession event deletes the CloudShell session that's running in the current browser tab. The updateLayout event saves the current layout from the web app in the backend. The getLayout event retrieves the layout at the start of the session.
EventBridge rules for AWS CloudShell actions
With EventBridge rules, you specify a target action to take when EventBridge receives an event that matches the rule. You can define a rule that specifies a target action to take based on an AWS CloudShell action that's recorded as an event in a CloudTrail log file.
For example, you can create EventBridge rules with the AWS CLI using the put-rule command. A put-rule call must contain at least an EventPattern or a ScheduleExpression. Rules with an EventPattern are triggered when a matching event is observed. The EventPattern for AWS CloudShell events:

{
  "source": ["aws.cloudshell"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["cloudshell.amazonaws.com"]
  }
}
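As an added example (not from the AWS documentation): building the EventPattern above into a put-rule command, narrowing it to the mutating CloudShell actions listed earlier by adding detail.eventName, and checking constructed CloudTrail-via-EventBridge events against it. The matcher models only EventBridge's exact-value matching, and the rule name and sample IP address are assumptions.

```python
import json
import shlex

# Event pattern from the page: every CloudShell API call recorded by CloudTrail.
CLOUDSHELL_PATTERN = {
    "source": ["aws.cloudshell"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["cloudshell.amazonaws.com"]},
}

# Actions the page lists, split by its "*" marker (non-mutating, read-only).
READ_ONLY = ["getEnvironmentStatus", "getFileDownloadUrls", "getFileUploadUrls", "getLayout"]
MUTATING = ["createEnvironment", "createSession", "deleteEnvironment", "deleteSession",
            "putCredentials", "redeemCode", "sendHeartBeat", "startEnvironment",
            "stopEnvironment", "updateLayout"]

def mutating_pattern():
    # Narrow the page's pattern to mutating calls via detail.eventName
    # (EventBridge treats a list as "any of these values").
    pattern = json.loads(json.dumps(CLOUDSHELL_PATTERN))  # deep copy, leave original intact
    pattern["detail"]["eventName"] = MUTATING
    return pattern

def matches(pattern, event):
    # Exact-value EventBridge matching only (assumption: prefix/anything-but
    # operators are not modelled): every pattern key must exist in the event,
    # a list means "any of", a nested dict recurses.
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True

def put_rule_command(rule_name, pattern):
    # The `aws events put-rule` invocation the page describes, with the pattern
    # quoted for a POSIX shell. Rule name is the caller's choice (assumption).
    return "aws events put-rule --name %s --event-pattern %s" % (
        shlex.quote(rule_name), shlex.quote(json.dumps(pattern)))

def cloudtrail_event(event_name, source="aws.cloudshell", event_source="cloudshell.amazonaws.com"):
    # Constructed sample of what EventBridge delivers for a CloudTrail API call;
    # the IP address is a documentation-range placeholder.
    return {"source": source, "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": event_source, "eventName": event_name,
                       "sourceIPAddress": "198.51.100.7"}}
```

Calling put_rule_command("cloudshell-mutating-calls", mutating_pattern()) yields the CLI line to run; matches() lets you dry-run the pattern against sample events before deploying the rule.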
For more information, see Events and Event Patterns in EventBridge in the Amazon EventBridge User Guide.