Logging and monitoring in AWS CloudShell - AWS CloudShell

Logging and monitoring in AWS CloudShell

Monitoring activity with CloudTrail

AWS CloudShell is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS CloudShell. CloudTrail captures all API calls for AWS CloudShell as events. The calls captured include calls from the AWS CloudShell console and from code calls to the AWS CloudShell APIs.

If you create a trail, you can enable the continuous delivery of CloudTrail events to an Amazon Simple Storage Service (Amazon S3) bucket, including events for AWS CloudShell.

If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can determine the request that was made to AWS CloudShell, the IP address from which the request was made, who made the request, when it was made, and additional details.

AWS CloudShell in CloudTrail

AWS CloudShell supports logging the following actions as events in CloudTrail log files:

  • createEnvironment

  • createSession

  • deleteEnvironment

  • getEnvironmentStatus*

  • getFileDownloadUrls*

  • getFileUploadUrls*

  • putCredentials

  • redeemCode

  • sendHeartBeat

  • startEnvironment

  • stopEnvironment

*Non-mutating (read-only) API calls.

Events that include the word "Environment" in their names relate to the lifecycle of the compute environment that hosts the shell experience.

The sendHeartBeat event occurs to confirm that the session is still active. The putCredentials event occurs when the credentials that the user signed in to the console with are forwarded to AWS CloudShell.

EventBridge rules for AWS CloudShell actions

With EventBridge rules, you specify a target action to take when EventBridge receives an event that matches the rule. You can define a rule that specifies a target action to take based on an AWS CloudShell action that's recorded as an event in a CloudTrail log file.

For example, you can create EventBridge rules with the AWS CLI using the put-rule command. A put-rule call must contain at least an EventPattern or a ScheduleExpression. Rules with an EventPattern are triggered when a matching event is observed. The EventPattern for AWS CloudShell events is:

{
  "source": [
    "aws.cloudshell"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "cloudshell.amazonaws.com"
    ]
  }
}
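The following is an added example, not code from the AWS CloudShell documentation or from AWS. It applies the EventPattern above to constructed events in the shape EventBridge delivers CloudTrail API calls, classifies the matched CloudShell actions as read-only or mutating using the list from the previous section, and shows the put-rule and put-targets calls with the boto3 client injected so the rest runs offline. The sample events, the rule name, the account ID, and the target ARN are constructed placeholders; the `RecordingClient` class is a stand-in for a real boto3 `events` client.

```python
"""Added example (not from the AWS documentation): match and classify
AWS CloudShell API-call events, and create the EventBridge rule for them."""
import json

# EventPattern exactly as given in the documentation.
CLOUDSHELL_EVENT_PATTERN = {
    "source": ["aws.cloudshell"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["cloudshell.amazonaws.com"]},
}

# Read-only calls per the documentation's asterisk list; the other listed actions mutate state.
READ_ONLY_ACTIONS = {"getEnvironmentStatus", "getFileDownloadUrls", "getFileUploadUrls"}


def matches(pattern, event):
    """Subset of EventBridge matching sufficient for this pattern: every pattern key
    must be present in the event; a list means 'the event value equals one of these',
    and a nested dict recurses into the corresponding event object."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def cloudshell_events(events):
    """Keep only the events the CloudShell rule would route to its target."""
    return [e for e in events if matches(CLOUDSHELL_EVENT_PATTERN, e)]


def classify(event):
    """Return (eventName, 'read-only' | 'mutating') for a matched CloudShell event."""
    name = event["detail"]["eventName"]
    return name, "read-only" if name in READ_ONLY_ACTIONS else "mutating"


def create_cloudshell_rule(events_client, rule_name, target_arn):
    """Create the rule and attach one target. events_client is a boto3 'events'
    client (or the RecordingClient below); put_rule and put_targets are the real
    boto3 method names and keyword arguments."""
    events_client.put_rule(
        Name=rule_name,
        EventPattern=json.dumps(CLOUDSHELL_EVENT_PATTERN),
        State="ENABLED",
        Description="Route AWS CloudShell API calls recorded by CloudTrail",
    )
    events_client.put_targets(
        Rule=rule_name,
        Targets=[{"Id": "cloudshell-target", "Arn": target_arn}],
    )
    return rule_name


class RecordingClient:
    """Stand-in for boto3.client('events') that records the calls it receives (constructed)."""

    def __init__(self):
        self.calls = []

    def put_rule(self, **kwargs):
        self.calls.append(("put_rule", kwargs))

    def put_targets(self, **kwargs):
        self.calls.append(("put_targets", kwargs))


# Constructed sample events; sourceIPAddress values are documentation addresses.
SAMPLE_EVENTS = [
    {"source": "aws.cloudshell", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "cloudshell.amazonaws.com", "eventName": "putCredentials",
                "sourceIPAddress": "203.0.113.10"}},
    {"source": "aws.cloudshell", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "cloudshell.amazonaws.com", "eventName": "getEnvironmentStatus",
                "sourceIPAddress": "203.0.113.10"}},
    {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"}},
]

if __name__ == "__main__":
    for ev in cloudshell_events(SAMPLE_EVENTS):
        name, kind = classify(ev)
        print(f"{name}: {kind} call from {ev['detail'].get('sourceIPAddress')}")
    client = RecordingClient()  # swap in boto3.client("events") to create the rule for real
    create_cloudshell_rule(client, "cloudshell-api-calls",
                           "arn:aws:sns:us-east-1:123456789012:placeholder-topic")
    for call, kwargs in client.calls:
        print(call, json.dumps(kwargs))
```

Injecting the client keeps the matching and classification logic testable without AWS credentials; passing `boto3.client("events")` in place of `RecordingClient()` issues the same two API calls that `aws events put-rule` and `aws events put-targets` would.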

For more information, see Events and Event Patterns in EventBridge in the Amazon EventBridge User Guide.