Event Logs

Available event logs sources for QuickSight data sources:

• AWS CloudTrail

Setup CloudTrail logs on a S3 bucket

Setting up AWS CloudTrail to store data in an S3 bucket for tracking API usage in AWS QuickSight involves several steps. Here’s a step-by-step guide using the AWS Management Console:

Step 1: Sign in to the AWS Management Console

1. Go to the AWS Management Console.

2. Sign in using your AWS account credentials.

Step 2: Create an S3 Bucket to Store CloudTrail Logs

1. Navigate to the S3 Service:

   • In the AWS Management Console, search for "S3" in the search bar at the top, and select S3 from the results.

2. Create a New Bucket:

   • Click on Create bucket.

   • Provide a unique bucket name (e.g., cloudtrail-logs-youraccountname).

   • Choose the AWS Region where you want to create the bucket.

   • Click Create bucket.

Step 3: Create a CloudTrail to Monitor API Calls

1. Navigate to the CloudTrail Service:

   • In the AWS Management Console, search for "CloudTrail" in the search bar, and select CloudTrail from the results.

2. Create a Trail:

   • In the CloudTrail dashboard, click on Create trail.

   • Step 1:

     • Trail name: Enter a name for your trail (e.g., QuickSightAPILogging).

     • In the Storage location section, under Create a new S3 bucket or use an existing one, select Existing S3 bucket.

     • S3 bucket: Choose the S3 bucket you created earlier (e.g., cloudtrail-logs-youraccountname).

     • Prefix: Optionally, specify a prefix for your CloudTrail logs (e.g., quicksight-logs/). Take note of this value, it will be required later for your data source configuration (e.g., quicksight-logs/AWSLogs/792169733636)

   • Step 2:

     • Management events: Enable management events if not already enabled. This logs control plane activities (e.g., CreateTable in QuickSight).

     • Management events: Choose the Read option.

   • Step 3:

     • Review and Create

Step 4: Verify CloudTrail is Logging

1. Check CloudTrail Logs:

   • Return to the CloudTrail dashboard.

   • View the Events history to confirm that CloudTrail is logging events. Open Dashboards and Analyses to generate GetDashboard and GetAnalysis events. (It may take seconds or even a minute between opening a Dashboard and event generation on CloudTrail).

2. Check S3 Bucket:

   • Navigate to the S3 service and open your bucket.

   • Verify that logs are being delivered to the specified folder in the bucket.

Step 5: Query CloudTrail Logs for AWS QuickSight API Usage

1. Identify QuickSight API Calls:

   • Look for API calls related to QuickSight, such as GetDashboard, GetAnalysis (This may take a while to show up too).

2. Download and Analyze Logs:

   • You can download the logs from your S3 bucket and analyze them manually or using tools like Amazon Athena to query logs directly in S3.

Step 6: The information needed for Select Star

• Event Log Bucket: The bucket name you chose on step 2.2 (e.g., cloudtrail-logs-youraccountname).

• Event Log Bucket Prefix: The prefix name chosen on step 3.2, plus CloudTrail/yourregion (e.g., /AWSLogs/792169733636/CloudTrail/us-east-2/)

Conclusion

By following these steps, you’ll have AWS CloudTrail configured to log API calls, store them in an S3 bucket, and track AWS QuickSight usage. You can use these logs for security audits, compliance, or understanding how QuickSight is used in your organization.

Setup the access so Select Star can read the S3 stored logs

Updating an existing AWS IAM role to enable access to an S3 bucket containing CloudTrail logs involves attaching an appropriate policy to the IAM role. Here’s a step-by-step guide:

Step 1: Sign in to the AWS Management Console

1. Go to the AWS Management Console: Navigate to https://aws.amazon.com/.

2. Sign in: Enter your credentials to log in.

Step 2: Navigate to the IAM Service

1. Search for IAM:

   • In the AWS Management Console, use the search bar at the top to search for "IAM" and select IAM from the results.

2. Open IAM Roles:

   • In the IAM dashboard, click on Roles in the left-hand navigation pane.

Step 3: Locate the IAM Role (CrossAccountQuicksight)

1. Search for the Role:

   • Use the search bar to find the IAM role named CrossAccountQuicksight.

2. Select the Role:

   • Click on the role name CrossAccountQuicksight to open its configuration page.

Step 4: Attach a Policy to the IAM Role to Access the S3 Bucket

1. Click on Add Permissions:

   • On the role's page, click the Add permissions button.

   • Choose Create inline policy from the dropdown menu.

2. Create a Custom Policy:

   • Since you need to grant access to a specific S3 bucket, you’ll create a custom inline policy.

   • Click on the JSON tab to enter the policy directly.

3. Enter the S3 Bucket Policy:

   • Add actions s3:GetObject and s3:ListBucket.

   • Add the Event Log Bucket arn and the Event Log Bucket Prefix folder arn (/*) as Resources.

   • Here's a sample policy:

   Copy

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "s3:GetObject",
                   "s3:ListBucket"
               ],
               "Resource": [
                   "arn:aws:s3:::cloudtrail-logs-youraccountname",
                   "arn:aws:s3:::cloudtrail-logs-youraccountname/AWSLogs/792169733636/CloudTrail/us-east-2/*"
               ]
           }
       ]
   }

4. Review and Attach the Policy:

   • After entering the policy, click Next.

   • Provide a name for the policy (e.g., SelectStarAccessS3CloudTrailLogs).

   • Review the details and click Create policy to attach it to the role.

Step 5: Verify the Role Update

1. Review Attached Policies:

   • Back on the IAM role page, review the list of attached policies to ensure that your new policy (AccessS3CloudTrailLogs) is listed.

2. Test the Role (Optional):

   • If you have access to the system where this role is used, you can test it by attempting to access the CloudTrail logs in the specified S3 bucket.

Step 6: Save and Exit

1. Save the Configuration:

   • Ensure that all changes are saved and the policy is properly attached.

2. Exit the IAM Console:

   • You can now exit the IAM console.

Conclusion

By following these steps, you’ve successfully updated the IAM role CrossAccountQuicksight to enable it to access the S3 bucket where your CloudTrail logs are stored. This ensures that any service or application using this role can retrieve and process the CloudTrail logs as needed.