AWS WorkSpaces – Integrating Amazon CloudTrail and AWS CloudWatch

Many clients initially struggle with adopting cloud native tools as they migrate VDI workloads to the public cloud. A great example of this is Amazon CloudTrail and AWS CloudWatch. While many cloud native applications leverage these tools to monitor and secure their DevOps built applications, typically we see clients not leveraging this for their AWS WorkSpaces deployment (or their Citrix on AWS EC2 or their VMware Horizon on EC2/VMware Cloud on AWS deployments).

Here is some quick background information on each solution before we set it up.

Amazon CloudWatch is a monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), and IT managers. CloudWatch provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications, and services that run on AWS and on-premises servers. You can use CloudWatch to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.

AWS CloudTrail monitors and records account activity across your AWS infrastructure, giving you control over storage, analysis, and remediation actions.

AWS CloudTrail use cases include:

• Audit activity
• Identify security incidents
• Troubleshoot operational issues

So now let’s start with the deployment:

(Big thanks to Troy Couch – Associate Director, EUC here at Entisys360 for the technical content below!)

Requirements

• This blog assumes you already deployed AWS WorkSpaces
• A secured S3 bucket for storing the logs

We will setup CloudTrail first

1. Browse to Services -> CloudTrail
   Click Create a trail
   
2. Enter a Trail name (example: WorkSpaces-Events
   Click Create trail
   
3. Confirm successful creation of trail by verify the Status is Logging in green
   
4. Click on the Trail name to open properties
   
   Click Edit for CloudWatch Logs
   
5. Check Enabled for CloudWatch Logs
   Select Existing for Log group
   
   Select New for IAM Role
   
   Click Save changes
6. Confirm CloudWatch settings enabled for CloudTrail
   
7. Select CloudTrail > Event History
   
8. Browse to Services > CloudWatch
   Select Metrics > All Metrics
   
9. Select WorkSpaces
   
10. Click By Organization Name
    
11. Check All items
    
12. Click on Graphed Metrics tab
    
    Click All items
    
13. Select Stacked area for graph type
    
14. Select CloudWatch
    
15. Select WorkSpaces
    
16. Graphed data is now reported in Dashboard
    

Useful Metrics:
– Session Launch Time
– In Session Latency Average
– Connection Failure Summary
– User Connected Summary

Now let’s use CloudWatch against the CloudTrail logs:

1. Select Logs > Logs Insights
   
2. Select WorkSpaces CloudTrail log group
   
   Click Run query
3. Review log insights
   
   As you learn more about the query commands you can look for specific users, events or timestamps.

Here are a few more links to further your query skills:
Sample queries – Amazon CloudWatch Logs
Tutorial: Run and modify a sample query – Amazon CloudWatch Logs

Please contact Entisys360 or your Entisys360 Account Executive, if you would like to learn more about integrating AWS WorkSpaces with other AWS services for a more cloud native VDI deployment.