

# Monitoring Amazon WorkSpaces Secure Browser

Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon WorkSpaces Secure Browser and your other AWS solutions. AWS provides the following monitoring tools to watch your WorkSpaces Secure Browser portals and their resources, report when something is wrong, and take automatic actions when appropriate:
+ *Amazon CloudWatch* monitors your AWS resources and the applications you run on AWS in real time. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a specified threshold. For example, you can have CloudWatch track CPU usage or other metrics for your Amazon EC2 instances and automatically launch new instances when needed. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ *Amazon CloudWatch Logs* lets you monitor, store, and access your log files from Amazon EC2 instances, CloudTrail, and other sources. CloudWatch Logs can monitor information in the log files and notify you when certain thresholds are met. You can also archive your log data in highly durable storage. For more information, see the [Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/).
+ *AWS CloudTrail* captures API calls and related events made by or on behalf of your AWS account and delivers the log files to an Amazon S3 bucket that you specify. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).

**Topics**
+ [Monitoring Amazon WorkSpaces Secure Browser with Amazon CloudWatch](monitoring-cloudwatch.md)
+ [Logging WorkSpaces Secure Browser API calls using AWS CloudTrail](logging-using-cloudtrail.md)
+ [User activity logging in Amazon WorkSpaces Secure Browser](monitoring-logging.md)

# Monitoring Amazon WorkSpaces Secure Browser with Amazon CloudWatch

You can monitor Amazon WorkSpaces Secure Browser using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. These statistics are kept for 15 months, so that you can access historical information and gain a better perspective on how your web application or service is performing. You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).

The `AWS/WorkSpacesWeb` namespace includes the following metrics. 


**CloudWatch metrics for Amazon WorkSpaces Secure Browser**  

| Metric | Description | Dimensions | Statistics | Units | 
| --- | --- | --- | --- | --- | 
|  SessionAttempt  | The number of Amazon WorkSpaces Secure Browser session attempts. |  [PortalId]  |  Average, Sum, Maximum, Minimum  | Count | 
|  SessionSuccess  | The number of successful Amazon WorkSpaces Secure Browser session starts. |  [PortalId]  |  Average, Sum, Maximum, Minimum  | Count | 
|  SessionFailure  | The number of failed Amazon WorkSpaces Secure Browser session starts. |  [PortalId]  |  Average, Sum, Maximum, Minimum  | Count | 
| SessionIdleDisconnect | The number of connections that were closed due to user inactivity. | [PortalId] | Average | Count | 
| ActiveSession | The number of active sessions on a portal. | [PortalId] | Average | Count | 
| GlobalCpuPercent | The CPU usage of the Amazon WorkSpaces Secure Browser session instance. | [PortalId] [PortalId, UserName] | Average, Sum, Maximum, Minimum | Percent | 
| GlobalMemoryPercent | The memory (RAM) usage of the Amazon WorkSpaces Secure Browser session instance. | [PortalId] [PortalId, UserName] | Average, Sum, Maximum, Minimum | Percent | 
| DisplayLatency | The average time in milliseconds between frame capture and presentation. | [PortalId] [PortalId, UserName] | Average, Maximum, Minimum | Milliseconds | 
| InputLatency | The input latency between client and server, for example the time between a mouse click on the client and the corresponding click on the server. | [PortalId] [PortalId, UserName] | Average, Maximum, Minimum | Milliseconds | 
| SessionLoggerEventDelivered | The number of events in each delivered Session Logger file. | [PortalId] | Average, Sum, Maximum, Minimum | Count | 
| SessionLoggerTargetNotFoundError | The number of log file deliveries that failed because the destination bucket was not found. | [PortalId] | Average, Sum, Maximum, Minimum | Count | 
| SessionLoggerAccessDeniedError | The number of log file deliveries that failed because permission was denied. | [PortalId] | Average, Sum, Maximum, Minimum | Count | 

**Note**  
The session metric data points are collected by each session once per minute and published to CloudWatch once every 5 minutes. Session Logger metrics are emitted immediately, once for each log file delivery.


**Dimensions for Amazon WorkSpaces Secure Browser metrics**  

| Dimension | Description | 
| --- | --- | 
| PortalId | Filters the metric data for Amazon WorkSpaces Secure Browser for a specified portal. | 
| UserName | Filters the metric data for Amazon WorkSpaces Secure Browser for a specified portal and user. | 

You can use the **SessionLoggerEventDelivered** metric to monitor the aggregate number of events from your portal (sum the values), or to see the number of log files that were delivered (count the data points rather than summing values, because one data point is emitted per delivery). We recommend configuring alarms on the **SessionLoggerTargetNotFoundError** and **SessionLoggerAccessDeniedError** metrics: either one means a log file could not be delivered, typically because the destination bucket was deleted or the permissions Session Logger needs to write to it were removed, and audit coverage silently stops until the cause is fixed.
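The following is an added example (not code from the AWS documentation) that turns CloudWatch datapoints for the `AWS/WorkSpacesWeb` metrics into the two figures described above, computes a session failure percentage, and builds the `put_metric_alarm` and `get_metric_data` parameters that the recommendation implies. The datapoints are constructed to match the shape of the `Datapoints` list returned by boto3's `get_metric_statistics`; the portal ID, SNS topic ARN, and alarm names are placeholders.

```python
# Added example (not from the AWS documentation): derive Session Logger and session
# health figures from AWS/WorkSpacesWeb datapoints and build alarm/query parameters.
# Assumptions: datapoints look like boto3 get_metric_statistics() "Datapoints";
# PORTAL_ID and TOPIC_ARN are placeholders.
from datetime import datetime, timedelta, timezone

NAMESPACE = "AWS/WorkSpacesWeb"
PORTAL_ID = "1ebe42de-86bb-4073-88a4-34284bc5bcbb"           # placeholder portal ID
TOPIC_ARN = "arn:aws:sns:us-west-2:111122223333:wsb-alerts"  # placeholder SNS topic

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def datapoints(sums, period_minutes=5):
    """Constructed datapoints (Statistic=Sum), one per period."""
    return [{"Timestamp": T0 + timedelta(minutes=i * period_minutes), "Sum": s, "Unit": "Count"}
            for i, s in enumerate(sums)]


# SessionLoggerEventDelivered is emitted once per delivered log file, so with a
# period shorter than the delivery interval each datapoint is one file.
EVENTS_DELIVERED = datapoints([12, 7, 0, 30])
SESSION_ATTEMPTS = datapoints([10, 5, 5])
SESSION_FAILURES = datapoints([2, 1, 1])


def session_logger_summary(points):
    """Files delivered = number of datapoints; events delivered = sum of the values."""
    return {"files_delivered": len(points),
            "events_delivered": int(sum(p["Sum"] for p in points))}


def session_failure_rate(attempts, failures):
    """Percentage of session attempts that failed, summed over all datapoints."""
    total_attempts = sum(p["Sum"] for p in attempts)
    if total_attempts == 0:
        return 0.0
    return 100.0 * sum(p["Sum"] for p in failures) / total_attempts


def delivery_error_alarm(metric_name, portal_id=PORTAL_ID, topic_arn=TOPIC_ARN):
    """Keyword arguments for cloudwatch.put_metric_alarm(): alarm on any failed delivery."""
    if metric_name not in ("SessionLoggerTargetNotFoundError", "SessionLoggerAccessDeniedError"):
        raise ValueError(f"not a Session Logger delivery-error metric: {metric_name}")
    return {
        "AlarmName": f"wsb-{metric_name}-{portal_id}",
        "AlarmDescription": "Session Logger could not deliver a log file; audit coverage is lost",
        "Namespace": NAMESPACE,
        "MetricName": metric_name,
        "Dimensions": [{"Name": "PortalId", "Value": portal_id}],
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        # The metric is only emitted when a delivery happens, so no data is normal.
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def failure_rate_query(portal_id=PORTAL_ID, period=300):
    """MetricDataQueries for cloudwatch.get_metric_data(): failure percentage via metric math."""
    def stat(metric_name, query_id):
        return {"Id": query_id, "ReturnData": False,
                "MetricStat": {"Metric": {"Namespace": NAMESPACE, "MetricName": metric_name,
                                          "Dimensions": [{"Name": "PortalId", "Value": portal_id}]},
                               "Period": period, "Stat": "Sum"}}
    return [stat("SessionAttempt", "attempts"), stat("SessionFailure", "failures"),
            {"Id": "failure_pct", "Expression": "100 * failures / attempts",
             "Label": "SessionFailure percent"}]


if __name__ == "__main__":
    print(session_logger_summary(EVENTS_DELIVERED))
    print(f"failure rate: {session_failure_rate(SESSION_ATTEMPTS, SESSION_FAILURES):.1f}%")
    # To create the alarms for real (needs boto3 and credentials):
    # import boto3; cw = boto3.client("cloudwatch")
    # for m in ("SessionLoggerTargetNotFoundError", "SessionLoggerAccessDeniedError"):
    #     cw.put_metric_alarm(**delivery_error_alarm(m))
```

`TreatMissingData` is set to `notBreaching` deliberately: the delivery-error metrics only exist when a delivery fails, so a quiet period must not trip the alarm. The metric-math query divides by `attempts`, which yields no data point (rather than an error) for periods with zero attempts.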

# Logging WorkSpaces Secure Browser API calls using AWS CloudTrail

WorkSpaces Secure Browser is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon WorkSpaces Secure Browser. CloudTrail captures all API calls for Amazon WorkSpaces Secure Browser as events. These include calls from the Amazon WorkSpaces Secure Browser console and code calls to Amazon WorkSpaces Secure Browser API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Amazon WorkSpaces Secure Browser. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can identify the request that was made to Amazon WorkSpaces Secure Browser, the IP address from which the request was made, who made the request, when it was made, as well as additional details.

To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).

**Topics**
+ [WorkSpaces Secure Browser information in CloudTrail](service-name-info-in-cloudtrail.md)
+ [Understanding WorkSpaces Secure Browser log file entries](understanding-service-name-entries.md)

# WorkSpaces Secure Browser information in CloudTrail

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in Amazon WorkSpaces Secure Browser, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. In **Event history**, you can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).

For an ongoing record of events in your AWS account, including events for Amazon WorkSpaces Secure Browser, you can create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:
+ [Overview for creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail supported services and integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html)
+ [Receiving CloudTrail log files from multiple regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

All Amazon WorkSpaces Secure Browser actions are logged by CloudTrail and are documented in the *Amazon WorkSpaces Secure Browser API Reference*. For example, calls to the `CreatePortal`, `DeleteUserSettings` and `ListBrowserSettings` actions generate entries in the CloudTrail log files.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root or IAM user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

# Understanding WorkSpaces Secure Browser log file entries

A *trail* is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and other details. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order. 

The following example shows a CloudTrail log file with two entries: a read-only `ListBrowserSettings` call and a `CreateUserSettings` call whose request parameters enable clipboard, download, paste, print, and upload for the portal's users. Entries with `"readOnly": false` such as the second one are the ones to review when auditing configuration changes.

```
{
    "Records": [{
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "111122223333",
            "arn": "arn:aws:iam::111122223333:user/myUserName",
            "accountId": "111122223333",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "userName": "myUserName"
        },
        "eventTime": "2021-11-17T23:44:51Z",
        "eventSource": "workspaces-web.amazonaws.com",
        "eventName": "ListBrowserSettings",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "127.0.0.1",
        "userAgent": "[]",
        "requestParameters": null,
        "responseElements": null,
        "requestID": "159d5c4f-c8c8-41f1-9aee-b5b1b632e8b2",
        "eventID": "d8237248-0090-4c1e-b8f0-a6e8b18d63cb",
        "readOnly": true,
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "recipientAccountId": "111122223333",
        "eventCategory": "Management"
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "111122223333",
            "arn": "arn:aws:iam::111122223333:user/myUserName",
            "accountId": "111122223333",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "userName": "myUserName"
        },
        "eventTime": "2021-11-17T23:55:51Z",
        "eventSource": "workspaces-web.amazonaws.com",
        "eventName": "CreateUserSettings",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "127.0.0.1",
        "userAgent": "[]",
        "requestParameters": {
            "clientToken": "some-token",
            "copyAllowed": "Enabled",
            "downloadAllowed": "Enabled",
            "pasteAllowed": "Enabled",
            "printAllowed": "Enabled",
            "uploadAllowed": "Enabled"
        },
        "responseElements": "arn:aws:workspaces-web:us-west-2:111122223333:userSettings/04a35a2d-f7f9-4b22-af08-8ec72da9c2e2",
        "requestID": "6a4aa162-7c1b-4cf9-a7ac-e0c8c4622117",
        "eventID": "56f1fbee-6a1d-4fc6-bf35-a3a71f016fcb",
        "readOnly": false,
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "recipientAccountId": "111122223333",
        "eventCategory": "Management"
    }]
}
```
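The following is an added example (not code from the AWS documentation) of a detector that scans a CloudTrail log file for write calls to WorkSpaces Secure Browser and rates them high when they enable a channel between the isolated session and the user's device (`copyAllowed`, `pasteAllowed`, `downloadAllowed`, `uploadAllowed`, `printAllowed`). The input is constructed: the first two records mirror the entries shown above, and the third record, an `UpdateUserSettings` call made with an assumed role from an unfamiliar address, is our assumption about how that call is logged (its role name, session name, and IP address are placeholders).

```python
# Added example (not from the AWS documentation): flag CloudTrail records that widen
# the data-transfer surface of a WorkSpaces Secure Browser portal.
# Constructed input; the UpdateUserSettings record and the role identity are assumed.
import json

EVENT_SOURCE = "workspaces-web.amazonaws.com"
# userSettings flags that, when Enabled, open a channel between the isolated
# browser session and the user's device.
TRANSFER_FLAGS = ("copyAllowed", "pasteAllowed", "downloadAllowed",
                  "uploadAllowed", "printAllowed")

IAM_USER = {"type": "IAMUser", "principalId": "111122223333",
            "arn": "arn:aws:iam::111122223333:user/myUserName",
            "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "userName": "myUserName"}
ASSUMED_ROLE = {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:ops-session",  # placeholder
                "arn": "arn:aws:sts::111122223333:assumed-role/PortalAdmin/ops-session",
                "accountId": "111122223333"}
USER_SETTINGS_ARN = ("arn:aws:workspaces-web:us-west-2:111122223333:"
                     "userSettings/04a35a2d-f7f9-4b22-af08-8ec72da9c2e2")

SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "userIdentity": IAM_USER, "eventTime": "2021-11-17T23:44:51Z",
     "eventSource": EVENT_SOURCE, "eventName": "ListBrowserSettings", "awsRegion": "us-west-2",
     "sourceIPAddress": "127.0.0.1", "requestParameters": None, "responseElements": None,
     "readOnly": True, "eventType": "AwsApiCall", "managementEvent": True},
    {"eventVersion": "1.08", "userIdentity": IAM_USER, "eventTime": "2021-11-17T23:55:51Z",
     "eventSource": EVENT_SOURCE, "eventName": "CreateUserSettings", "awsRegion": "us-west-2",
     "sourceIPAddress": "127.0.0.1",
     "requestParameters": {"clientToken": "some-token", "copyAllowed": "Enabled",
                           "downloadAllowed": "Enabled", "pasteAllowed": "Enabled",
                           "printAllowed": "Enabled", "uploadAllowed": "Enabled"},
     "responseElements": USER_SETTINGS_ARN,
     "readOnly": False, "eventType": "AwsApiCall", "managementEvent": True},
    # Assumed record: UpdateUserSettings logged like CreateUserSettings.
    {"eventVersion": "1.08", "userIdentity": ASSUMED_ROLE, "eventTime": "2021-11-18T01:02:03Z",
     "eventSource": EVENT_SOURCE, "eventName": "UpdateUserSettings", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userSettingsArn": USER_SETTINGS_ARN,
                           "downloadAllowed": "Enabled", "copyAllowed": "Disabled"},
     "responseElements": None, "readOnly": False, "eventType": "AwsApiCall",
     "managementEvent": True},
]})


def actor(record):
    """Who made the call: identity type plus ARN (or principal ID if no ARN is present)."""
    ident = record.get("userIdentity") or {}
    return {"type": ident.get("type", "Unknown"),
            "arn": ident.get("arn") or ident.get("principalId", "unknown")}


def find_transfer_changes(log_text):
    """One finding per write call to WorkSpaces Secure Browser; severity is high
    when the call enables any of TRANSFER_FLAGS."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != EVENT_SOURCE or rec.get("readOnly", False):
            continue  # other services and read-only calls are not of interest here
        params = rec.get("requestParameters") or {}
        enabled = sorted(k for k in TRANSFER_FLAGS if params.get(k) == "Enabled")
        findings.append({
            "time": rec["eventTime"],
            "eventName": rec["eventName"],
            "actor": actor(rec),
            "sourceIp": rec.get("sourceIPAddress"),
            "enabledChannels": enabled,
            "severity": "high" if enabled else "info",
        })
    return findings


if __name__ == "__main__":
    for f in find_transfer_changes(SAMPLE_LOG):
        print(f["severity"], f["time"], f["eventName"], f["actor"]["arn"], f["enabledChannels"])
```

Every write call is reported (deletions such as `DeleteUserSettings` carry no flags but still appear at `info`), and the identity type is kept so that root or long-lived IAM user credentials making portal changes can be separated from role sessions in whatever consumes the findings.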

# User activity logging in Amazon WorkSpaces Secure Browser

Amazon WorkSpaces Secure Browser lets you log session events related to user activity in secure browser sessions.

WorkSpaces Secure Browser offers two options for logging user activity and security-related events:
+ Session Logger captures a wide range of session events. These logs are delivered as files to an Amazon S3 bucket in your account, which makes them straightforward to ingest into your preferred SIEM platform.
+ User Access Logging captures the most critical session events. These logs are streamed to an Amazon Kinesis data stream for real-time processing and analysis.

For more information about how to set up these options, see [Setting up Session Logger for Amazon WorkSpaces Secure Browser](session-logger.md) and [Setting up User Access logging for Amazon WorkSpaces Secure Browser](user-access-logging.md).

**Topics**
+ [Session events in Session Logger for Amazon WorkSpaces Secure Browser](session-events-session-logger.md)
+ [Session events in User Access logging for Amazon WorkSpaces Secure Browser](session-events-logging.md)

# Session events in Session Logger for Amazon WorkSpaces Secure Browser

Session Logger captures various session-related events for monitoring and auditing purposes. 

You can configure Session Logger to collect all session events or a selected subset, depending on the needs of the WorkSpaces Secure Browser portal. For more information about configuration, see [Setting up Session Logger for Amazon WorkSpaces Secure Browser](session-logger.md).

To maintain user privacy, Session Logger does not record sensitive content, such as clipboard data, or the contents of uploaded or downloaded files.

The following fields are included in all events:
+ **Time**
+ **Username**
+ **Portal ID**
+ **Portal IP**
+ **Client IP**
+ **Session ID**



| Name | Description | Additional fields included in the event | 
| --- | --- | --- | 
| SessionStart | A secure browser session was launched, but the user has not connected yet. |  | 
| SessionConnect | The user is connected to the secure browser session. |  | 
| TabOpen | In their secure browser session, the user opened a new tab, or they opened a link in a new tab. | Hostname, path, URL (if the user opens a link in a new tab), none (if the user opens a new tab) | 
| UrlVisit | In their browser session, the user navigated to a URL. | Hostname, path, URL  | 
| WebsiteInteract | The user changed a standard HTML element on a website (for example, clicked a checkbox, radio button, or button, or selected an item in a drop-down list). | Hostname, path, URL  | 
| TabClose | In their browser session, the user closed a tab. | Hostname, path, URL (if the user closes a tab they navigated to), none (if the user closes a new tab) | 
| ContentTransferFromLocalToRemoteClipboard | The user updated the clipboard within the secure browser using content from their local device (outside the secure environment). This update can occur either by copying content through the in-session toolbar or by transferring data via keyboard shortcuts (Ctrl+C / Ctrl+V). |  | 
| ContentCopyFromWebsite | The user updated the clipboard within the secure browser using content from the secure browser (inside the secure environment). | Hostname, path, URL  | 
| ContentPasteToWebsite | Clipboard content was pasted into a webpage within the browser. (This event does not capture instances where clipboard content is pasted into the browser's URL bar.) | Hostname, path, URL  | 
| PrintJobSubmit | The user submitted a print job to the browser's virtual printer ("DCV Printer"). The content is saved as a PDF on the user's local machine. | Filename, size, extension  | 
| FileDownloadFromSecureBrowserToRemoteDisk | A file was saved from the session to the remote instance's local disk. | Hostname, path, URL, filename, size, extension  | 
| FileTransferFromRemoteToLocalDisk | A file was downloaded from the remote instance's disk to the user's local device. | Filename, size, extension  | 
| FileUploadFromRemoteDiskToSecureBrowser | A file stored on the remote instance's local disk was uploaded to a file-sharing SaaS platform (for example, Google Drive, Box, or File.io) via the browser session. |  | 
| FileTransferFromLocalToRemoteDisk | A file was uploaded from the user's device to the secure browser session. | Filename, size, extension  | 
| SessionDisconnection | The user is disconnected from the secure browser session. |  | 
| SessionEnd | The secure browser session has terminated. Termination can occur in one of three ways: the administrator ends the session via the User Session Manager in the console, the user manually ends the session using End Session in the toolbar, or the session times out after exceeding a duration set by the administrator. |  | 

Each event follows the [OCSF standard](https://github.com/ocsf) and includes a list of attributes that are common to all events:

```
{
    activity_name : String | A human readable name of the event | eg. UrlLoad
    activity_id : Integer | OCSF standard value 99 for 'others'
    category_name : "WorkSpacesSecureBrowser" | The category name where the event belongs to.
    category_id : 2 | Numerical identifier for category,
    metadata : [link](https://schema.ocsf.io/1.3.0/objects/metadata?extensions=) | Required {
        product : [link](https://schema.ocsf.io/1.3.0/objects/product?extensions=) {
            vendor_name : "wsb",
            name : "WorkSpacesSecureBrowser"
        }
        version : String | Version of the schema | eg. 1.0.0
    },
    severity_id : 1 | The severity of the event. All events will have a severity of 1, meaning 'Informational',
    type_id : class_uid * 100 + activity_id
    time : The time the event happened (RFC3339 format),
    observables : [link](https://schema.ocsf.io/1.3.0/objects/observable?extensions=) [
        {
            name : "session_detail.portal_id",
            type_id : 10 //Resource UID
            value : //Generated value
        },
        {
            name : "session_detail.session_id",
            type_id : 10 //Resource UID
            value : //Generated value
        },
        {
            name : "session_detail.client_ip",
            type_id : 2 //IP Address
            value : //Generated value
        },
        {
            name : "session_detail.portal_ip",
            type_id : 2 //IP Address
            value : //Generated value
        },
        {
            name : "session_detail.username",
            type_id : 10 //Resource UID
            value : //Generated value
        }
    ],
    
    // Fields specific to WorkSpaces Secure Browser events
    session_detail : {
        portal_id : String | UUID of the portal | eg. 1ebe42de-86bb-4073-88a4-34284bc5bcbb,
        session_id : String | Session ID of the user session | eg. 17be80fa-7bc2-4675-b17a-791243938cdf
        client_ip : String | IP address from which the user logged in | eg. 31.65.180.9
        portal_ip : String | IP address of the AWS AppStream instance that is running the portal | eg. 240.62.100.169
        username : String | The logged-in username | eg. bobross
    }
}
```

Below is an example of the URLVisit event:

```
{
    activity_id : 99,
    activity_name : "URLVisit",
    ...
    observables : [
        ...
        {
            name : "url",
            type_id : 23 //Unified Resource Locator
        }
    ]
    ...
    url : {
        url_string : String | Full URL path,
        hostname : String | The hostname in the URL
        path : String | Path in the domain
    }
}
```

Below is an example of the PrintJobSubmit event:

```
{
    activity_id : 99,
    activity_name : "PrintJobSubmitted",
    observables : [
        ...
        {
            name : "file.name",
            type_id : 24 // File
        }
    ]
    ...
    file : {
        name : String | The file name,
        type_id : 1 //Regular file
        size : Long | Size in bytes
        ext : String | File extension
    }
}
```
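The following is an added example (not code from the AWS documentation) showing how a consumer of the delivered Session Logger files could reduce the events above to a per-session summary and raise an alert when a file leaves the isolated session. The events are constructed from the common attributes and the UrlVisit and file shapes shown above, with the `session_detail` values taken from the schema example; the delivered file is assumed to be a JSON array of events, and the 5 MiB alert threshold is an arbitrary policy value.

```python
# Added example (not from the AWS documentation): summarise Session Logger (OCSF)
# events per session and alert on large file transfers to the user's device.
# Assumptions: a delivered file is a JSON array of events; LARGE_FILE_BYTES is a
# made-up policy threshold; the events below are constructed.
import json

SESSION = {"portal_id": "1ebe42de-86bb-4073-88a4-34284bc5bcbb",
           "session_id": "17be80fa-7bc2-4675-b17a-791243938cdf",
           "client_ip": "31.65.180.9", "portal_ip": "240.62.100.169", "username": "bobross"}
COMMON = {"activity_id": 99, "category_name": "WorkSpacesSecureBrowser", "category_id": 2,
          "severity_id": 1,
          "metadata": {"product": {"vendor_name": "wsb", "name": "WorkSpacesSecureBrowser"},
                       "version": "1.0.0"}}


def event(name, minute, **extra):
    """One constructed event for SESSION, timestamped at 10:<minute> UTC."""
    return {**COMMON, "activity_name": name, "time": f"2024-05-01T10:{minute:02d}:00Z",
            "session_detail": SESSION, **extra}


def url(host, path):
    return {"url": {"url_string": f"https://{host}{path}", "hostname": host, "path": path}}


SAMPLE_FILE = json.dumps([
    event("SessionStart", 0),
    event("SessionConnect", 1),
    event("UrlVisit", 2, **url("intranet.example", "/hr/payroll")),
    event("ContentCopyFromWebsite", 3, **url("intranet.example", "/hr/payroll")),
    event("UrlVisit", 4, **url("drive.example", "/")),
    event("FileTransferFromRemoteToLocalDisk", 5,
          file={"name": "payroll_export.csv", "type_id": 1, "size": 6 * 1024 * 1024, "ext": "csv"}),
    event("PrintJobSubmit", 6,
          file={"name": "payslip.pdf", "type_id": 1, "size": 120_000, "ext": "pdf"}),
    event("SessionEnd", 7),
])

# Events that move content from the session towards the user's device: files saved
# locally, print jobs (saved as PDF locally), and copies into the session clipboard.
EGRESS_EVENTS = {"FileTransferFromRemoteToLocalDisk", "PrintJobSubmit", "ContentCopyFromWebsite"}
LARGE_FILE_BYTES = 5 * 1024 * 1024  # assumed policy threshold


def summarize_sessions(file_text, large_file_bytes=LARGE_FILE_BYTES):
    """Group events by session_id; collect hosts visited, egress events, bytes out and alerts."""
    sessions = {}
    for ev in json.loads(file_text):
        sd = ev["session_detail"]
        s = sessions.setdefault(sd["session_id"], {
            "username": sd["username"], "client_ip": sd["client_ip"],
            "hosts": [], "egress": [], "bytes_out": 0, "alerts": []})
        name = ev["activity_name"]
        if name == "UrlVisit":
            host = ev["url"]["hostname"]
            if host not in s["hosts"]:
                s["hosts"].append(host)
        if name in EGRESS_EVENTS:
            s["egress"].append(name)
        if name == "FileTransferFromRemoteToLocalDisk":
            size = ev["file"]["size"]
            s["bytes_out"] += size
            if size >= large_file_bytes:
                s["alerts"].append(f"{ev['time']} {sd['username']} pulled "
                                   f"{ev['file']['name']} ({size} bytes) to local disk")
    return sessions


if __name__ == "__main__":
    for sid, s in summarize_sessions(SAMPLE_FILE).items():
        print(sid, s["username"], s["hosts"], s["egress"], s["bytes_out"])
        for alert in s["alerts"]:
            print("  ALERT:", alert)
```

Because Session Logger never records clipboard contents or file contents, the summary can only reason about metadata (event type, hostname, filename, size); the `ContentCopyFromWebsite` count is useful precisely because the copied text itself is not available.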

## Session Logger metrics for Amazon WorkSpaces Secure Browser

Session Logger emits the following Amazon CloudWatch metrics. 

You can use the **SessionLoggerEventDelivered** metric to monitor the aggregate number of events from your portal (sum the values), or to see the number of log files that were delivered (count the data points rather than summing values, because one data point is emitted per delivery). We recommend configuring alarms on the **SessionLoggerTargetNotFoundError** and **SessionLoggerAccessDeniedError** metrics to detect deletion of the destination bucket or removal of the permissions Session Logger needs to write to it; either one stops audit-log delivery.

**Note**  
Session metric data points are collected by each session once per minute and published to Amazon CloudWatch once every 5 minutes. Session Logger metrics are emitted immediately, once for each log file delivery.


**Session Logger metrics**  

| Metric | Description | Dimension | Statistics | Unit | 
| --- | --- | --- | --- | --- | 
| SessionLoggerEventDelivered | The number of events in each delivered Session Logger file. | [PortalId] | Average, Sum, Maximum, Minimum | Count | 
| SessionLoggerTargetNotFoundError | The number of log file deliveries that failed because the destination bucket was not found. | [PortalId] | Average, Sum, Maximum, Minimum | Count | 
| SessionLoggerAccessDeniedError | The number of log file deliveries that failed because permission was denied. | [PortalId] | Average, Sum, Maximum, Minimum | Count | 

# Session events in User Access logging for Amazon WorkSpaces Secure Browser

The following session events are available for User Access logging:
+ **Validation**: A test event is successfully put to the Kinesis data stream when logging settings are associated, confirming that the service has `kinesis:PutRecord` permission on the stream.
+ **StartSession**: The user has started a session and is connected to the secure browser session.
+ **VisitPage**: The user is visiting a page in the session.
+ **EndSession**: The user has terminated the session.

URL navigation logs are taken from the browser history. URLs that do not end up in browser history (pages visited in incognito mode, or history entries the user deletes) are not logged, so a user can keep pages out of the VisitPage record unless you prevent it. If you rely on these logs for audit, disable incognito mode and history deletion through your browser policy.

Below is an example of each available event. The following fields are always included for each event:
+ **timestamp** is included as epoch time in milliseconds, encoded as a string.
+ **eventType** is included as a string.
+ **details** is included as a nested JSON object (empty for **StartSession** and **EndSession**).
+ **portalArn** and **userName** are included for every event except **Validation**.

```
{
  "timestamp": "1665430373875",
  "eventType": "Validation",
  "details": {
    "permission": "Kinesis:PutRecord",
    "userArn": "userArn",
    "operation": "AssociateUserAccessLoggingSettings",
    "userAccessLoggingSettingsArn": "userAccessLoggingSettingsArn"
  }
}

{
  "timestamp": "1665179071723",
  "eventType": "StartSession",
  "details": {},
  "portalArn": "portalArn",
  "userName": "userName"
}

{
  "timestamp": "1665179084578",
  "eventType": "VisitPage",
  "details": {
    "title": "Amazon",
    "url": "https://www.amazon.com/"
  },
  "portalArn": "portalArn",
  "userName": "userName"
}

{
  "timestamp": "1665179155953",
  "eventType": "EndSession",
  "details": {},
  "portalArn": "portalArn",
  "userName": "userName"
}
```
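The following is an added example (not code from the AWS documentation) of a consumer for these events as a Lambda function receives them from the Kinesis data stream: it base64-decodes each record, sets aside the **Validation** event (which has no `portalArn` or `userName`), and rebuilds sessions per portal and user from **StartSession**, **VisitPage** and **EndSession**. The events are constructed from the four examples above; the `{"Records": [{"kinesis": {"data": ...}}]}` envelope is the standard Lambda Kinesis event-source shape, the portal ARN is a placeholder, and one stream record per log event is our assumption.

```python
# Added example (not from the AWS documentation): decode User Access logging records
# from a Lambda Kinesis event and rebuild sessions per (portalArn, userName).
# Assumptions: one JSON event per Kinesis record; PORTAL_ARN is a placeholder.
import base64
import json
from datetime import datetime, timezone

PORTAL_ARN = "arn:aws:workspaces-web:us-west-2:111122223333:portal/example-portal"  # placeholder

# Constructed events, mirroring the four examples in the documentation.
SAMPLE_EVENTS = [
    {"timestamp": "1665430373875", "eventType": "Validation",
     "details": {"permission": "Kinesis:PutRecord", "userArn": "userArn",
                 "operation": "AssociateUserAccessLoggingSettings",
                 "userAccessLoggingSettingsArn": "userAccessLoggingSettingsArn"}},
    {"timestamp": "1665179071723", "eventType": "StartSession", "details": {},
     "portalArn": PORTAL_ARN, "userName": "bobross"},
    {"timestamp": "1665179084578", "eventType": "VisitPage",
     "details": {"title": "Amazon", "url": "https://www.amazon.com/"},
     "portalArn": PORTAL_ARN, "userName": "bobross"},
    {"timestamp": "1665179155953", "eventType": "EndSession", "details": {},
     "portalArn": PORTAL_ARN, "userName": "bobross"},
]


def kinesis_envelope(events):
    """Wrap events the way the Lambda Kinesis event source delivers them."""
    return {"Records": [{"kinesis": {"data": base64.b64encode(json.dumps(e).encode()).decode()}}
                        for e in events]}


SAMPLE_KINESIS_EVENT = kinesis_envelope(SAMPLE_EVENTS)


def decode_records(kinesis_event):
    """Yield the JSON log events carried in a Lambda Kinesis event."""
    for rec in kinesis_event["Records"]:
        yield json.loads(base64.b64decode(rec["kinesis"]["data"]))


def to_datetime(epoch_ms):
    """timestamp is epoch milliseconds carried as a string."""
    return datetime.fromtimestamp(int(epoch_ms) / 1000, tz=timezone.utc)


def reconstruct_sessions(kinesis_event):
    """Return ({(portalArn, userName): [session, ...]}, [validation details, ...]).

    A new session starts on StartSession, or on the first event seen for a user whose
    previous session already ended (the stream may begin mid-session)."""
    sessions, validations = {}, []
    for ev in decode_records(kinesis_event):
        if ev["eventType"] == "Validation":
            validations.append(ev["details"])  # carries no portalArn/userName
            continue
        key = (ev["portalArn"], ev["userName"])
        runs = sessions.setdefault(key, [])
        if ev["eventType"] == "StartSession" or not runs or runs[-1]["end"] is not None:
            runs.append({"start": None, "start_ms": None, "end": None,
                         "pages": [], "duration_s": None})
        s = runs[-1]
        ms = int(ev["timestamp"])
        if ev["eventType"] == "StartSession":
            s["start"], s["start_ms"] = to_datetime(ms), ms
        elif ev["eventType"] == "VisitPage":
            s["pages"].append(ev["details"]["url"])
        elif ev["eventType"] == "EndSession":
            s["end"] = to_datetime(ms)
            if s["start_ms"] is not None:
                s["duration_s"] = (ms - s["start_ms"]) / 1000
    return sessions, validations


if __name__ == "__main__":
    sessions, validations = reconstruct_sessions(SAMPLE_KINESIS_EVENT)
    print("validation:", validations)
    for (portal, user), runs in sessions.items():
        for s in runs:
            print(user, s["start"], s["end"], f"{s['duration_s']}s", s["pages"])
```

The page list for a session is only as complete as the browser history it came from, so an empty `pages` list for a long session is itself worth a look if incognito mode or history deletion is still permitted by the browser policy.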