CloudTrail
Global Service
Provides governance, compliance and audit for the AWS Account
Enabled by default
Provides a history of events/API calls made within your AWS Account by:
Console
SDK
CLI
AWS Services
Export CloudTrail logs into:
CloudWatch Logs
S3 (encrypted by default using SSE-S3)
A single trail can be applied to all regions (default) or a single region
CloudTrail logs are encrypted by default using SSE-S3
If a resource is deleted in AWS, investigate CloudTrail first
CloudTrail Events - Types
Management Events
Operations performed on resources in your AWS account (events of operations that configure or modify AWS resources), e.g.:
Creating a new IAM user
Deleting a subnet
By default, trails are configured to log management events (enabled by default)
Can separate Read Events (that don’t modify resources) from Write Events (that may modify resources)
Data Events
Events of operations that modify data
S3 object-level activity
Lambda function execution
By default, data events are not logged (disabled by default because they are high-volume operations)
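Added example (not part of the original notes): a small triage script over constructed CloudTrail records that separates read from write events and management from data events using the record fields CloudTrail emits (readOnly, managementEvent, eventCategory), then answers the "who deleted this resource?" question from the note above. The account id, ARNs and resource ids are made-up sample values.

```python
import json

# Constructed sample records in CloudTrail's JSON layout (not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSubnets", "readOnly": True, "managementEvent": True,
     "eventCategory": "Management", "requestParameters": {},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteSubnet", "readOnly": False, "managementEvent": True,
     "eventCategory": "Management",
     "requestParameters": {"subnetId": "subnet-0123456789abcdef0"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True, "managementEvent": False,
     "eventCategory": "Data",
     "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc"}},
]})


def load_records(raw_json):
    """Parse one CloudTrail log file body into its list of event records."""
    return json.loads(raw_json)["Records"]


def classify(records):
    """Count events per bucket such as 'Management/write' or 'Data/read'."""
    counts = {}
    for rec in records:
        kind = "read" if rec.get("readOnly") else "write"
        key = f"{rec.get('eventCategory', 'Unknown')}/{kind}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def find_deletions(records, resource_id):
    """Return (time, caller ARN, API name) for write events whose API name starts
    with 'Delete' and whose request parameters mention resource_id."""
    hits = []
    for rec in records:
        if rec.get("readOnly") or not rec.get("eventName", "").startswith("Delete"):
            continue
        if resource_id in json.dumps(rec.get("requestParameters", {})):
            hits.append((rec["eventTime"], rec["userIdentity"]["arn"], rec["eventName"]))
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(classify(recs))
    print(find_deletions(recs, "subnet-0123456789abcdef0"))
```

Real trail files land in S3 gzipped, one JSON object with a "Records" array per file, so the same functions apply once the file is decompressed.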
CloudTrail Insights Events
Enable CloudTrail Insights to detect unusual activity in your account
inaccurate resource provisioning
hitting service limits
bursts of AWS IAM actions
gaps in periodic maintenance activity
CloudTrail Insights analyzes normal management events to create a baseline and then continuously analyzes write events to detect unusual patterns. When an unusual pattern is detected, CloudTrail generates Insights events that
show anomalies in the CloudTrail console
can be logged to S3
can trigger an EventBridge event for automation
CloudTrail Events - Retention
Event retention: 90 days
CloudTrail events from the last 90 days can be analyzed in the CloudTrail console. Older logs should be present in S3 and can be analyzed using Athena.