
CloudTrail


CloudTrail

  • Global Service

  • Provides governance, compliance and audit for the AWS Account

  • Enabled by default

  • Lets you get a history of the events/API calls made within your AWS account by:

    • Console

    • SDK

    • CLI

    • AWS Services

  • Export CloudTrail logs into:

    • CloudWatch Logs

    • S3 (encrypted by default using SSE-S3)

  • A single trail can be applied to all regions (default) or a single region

  • CloudTrail logs are encrypted by default using SSE-S3

  • If a resource is deleted in AWS, investigate CloudTrail first

CloudTrail Events - Types

Management Events

  • Events for the management operations performed on resources in your AWS account, i.e. operations that modify AWS resources, for example:

    • Creating a new IAM user

    • Deleting a subnet

  • By default, trails are configured to log management events (enabled by default)

  • Can separate Read Events (that don’t modify resources) from Write Events (that may modify resources)

Data Events

  • Events for operations that modify data, for example:

    • S3 object-level activity

    • Lambda function execution

  • By default, data events are not logged (disabled by default, because they are high-volume operations)

CloudTrail Insights Events

  • Enable CloudTrail Insights to detect unusual activity in your account

    • inaccurate resource provisioning

    • hitting service limits

    • bursts of AWS IAM actions

    • gaps in periodic maintenance activity

  • CloudTrail Insights analyzes normal management events to create a baseline and then continuously analyzes write events to detect unusual patterns. When it finds one, CloudTrail generates Insights events that:

    • show anomalies in the CloudTrail console

    • can be logged to S3

    • can trigger an EventBridge event for automation

CloudTrail Events - Retention

  • Event retention: 90 days

  • CloudTrail logs from the last 90 days can be analyzed in the CloudTrail console. Older logs should be present in S3 and can be analyzed using Athena
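The "investigate CloudTrail first" advice, the read/write split of management events and the S3 delivery of older logs all come down to one task: open a delivered log file and answer who did what. As an added example (not code from the original post), this Python reads a file in the shape CloudTrail delivers to S3 (a gzip-compressed JSON object with a "Records" array, constructed inline here with made-up values), lists Delete* write management events with their actor, and counts management-read, management-write and data events using the readOnly, managementEvent and eventCategory fields of the CloudTrail record format.

```python
import gzip
import json
from collections import Counter

# Constructed sample in the CloudTrail S3 delivery shape (only the fields used here).
SAMPLE_RECORDS = {"Records": [
    {"eventTime": "2024-01-10T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSubnets", "readOnly": True, "managementEvent": True,
     "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-10T09:16:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteSubnet", "readOnly": False, "managementEvent": True,
     "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"subnetId": "subnet-0example1234"}},
    {"eventTime": "2024-01-10T09:17:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True, "managementEvent": False,
     "eventCategory": "Data",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0example"}},
]}
# CloudTrail delivers each log file to S3 as gzip-compressed JSON; mimic that here.
SAMPLE_FILE = gzip.compress(json.dumps(SAMPLE_RECORDS).encode())


def load_records(gz_bytes: bytes) -> list:
    """Decompress one delivered log file and return its "Records" array."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def actor(record: dict) -> str:
    # Best human-readable principal: IAM user name, else the ARN, else the identity type.
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def find_deletions(records: list) -> list:
    """'Who deleted it?': write management events whose API name starts with Delete."""
    return [
        {"time": r["eventTime"], "actor": actor(r), "event": r["eventName"],
         "params": r.get("requestParameters", {})}
        for r in records
        if r.get("managementEvent") and not r.get("readOnly")
        and r["eventName"].startswith("Delete")
    ]


def count_by_type(records: list) -> Counter:
    """Bucket events as the notes describe: management read, management write, data."""
    def bucket(r: dict) -> str:
        if r.get("eventCategory") == "Data":
            return "data"
        return "management-read" if r.get("readOnly") else "management-write"
    return Counter(bucket(r) for r in records)
```

Pointing load_records at the bytes of a real object from the trail's S3 bucket is the only change needed to run this on delivered logs.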
