CloudTrail

  • Global service

  • Provides governance, compliance and audit for the AWS account

  • Event history (the last 90 days of management events) is available by default with nothing to configure; you need a trail to keep logs longer or to export them

  • Provides a history of the events/API calls made in your AWS account by:

    • Console

    • SDK

    • CLI

    • AWS Services

  • Deliver CloudTrail logs to:

    • CloudWatch Logs (near real-time; metric filters and alarms can be built on top)

    • S3 (log files are encrypted by default using SSE-S3; SSE-KMS can be selected instead, and log file validation adds signed digest files so tampering with delivered logs can be detected)

  • A single trail can cover all regions (the default, and the right choice for audit) or a single region

  • If a resource is deleted in AWS, investigate CloudTrail first

CloudTrail Events - Types

Management Events

  • Control-plane operations on the resources in your AWS account: calls that create, modify or delete resources, plus the read-only calls that list or describe them

    • Creating a new IAM user

    • Deleting a subnet

  • Logged by default when you create a trail

  • Can log Read events (don't modify resources, e.g. DescribeInstances) and Write events (may modify resources) separately

Data Events

  • Data-plane operations on the data inside a resource, reads as well as writes

    • S3 object-level activity (GetObject, PutObject, DeleteObject)

    • Lambda function invocations (the Invoke API)

  • Not logged by default because they are high volume and billed per event; enable them per trail with event selectors, scoped to the buckets or functions that matter
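The triage flow the notes describe (a resource is gone, so go to CloudTrail first) and the management/data and read/write distinctions above, as an added example that is not from the original notes. It parses a constructed CloudTrail log file in the format delivered to S3 (a JSON object with a Records array), classifies each record from its managementEvent and readOnly fields, and finds who deleted a given subnet, when, and from which IP. The account ID, ARNs, IPs and resource IDs are made up; the S3 GetObject record would only appear in a real log if data events had been enabled on the trail.

```python
"""Triage constructed CloudTrail records: classify events, then find who deleted a resource."""
import json
from collections import Counter

# Constructed sample log in CloudTrail's delivered-file format ({"Records": [...]}).
# Field names follow the CloudTrail record schema; account ID, ARNs, IPs and IDs are invented.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSubnets", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "readOnly": True, "managementEvent": True, "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:05:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteSubnet", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "readOnly": False, "managementEvent": True, "eventCategory": "Management",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/Admin"}}},
     "requestParameters": {"subnetId": "subnet-0abc123"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "readOnly": True, "managementEvent": False, "eventCategory": "Data",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/secret.txt"}]},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:07:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "readOnly": False, "managementEvent": True, "eventCategory": "Management",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
     "requestParameters": {"userName": "backdoor"}},
]})

# API name prefixes that are read-only in practice; used only when a record lacks readOnly.
_READ_PREFIXES = ("Get", "List", "Describe", "Head", "Lookup")


def load_records(log_text):
    """Parse one CloudTrail log file (as delivered to S3, after gunzip) into its records."""
    return json.loads(log_text)["Records"]


def classify(record):
    """Return (category, access): Management/Data from managementEvent (eventCategory as
    fallback) and Read/Write from readOnly (eventName prefix heuristic as fallback)."""
    if "managementEvent" in record:
        category = "Management" if record["managementEvent"] else "Data"
    else:
        category = record.get("eventCategory", "Management")
    if "readOnly" in record:
        access = "Read" if record["readOnly"] else "Write"
    else:
        access = "Read" if record["eventName"].startswith(_READ_PREFIXES) else "Write"
    return category, access


def summarize(records):
    """Count records per (category, access) pair."""
    return Counter(classify(r) for r in records)


def actor(record):
    """Best-effort principal: for assumed roles report the issuing role plus the session name."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    if ident.get("type") == "AssumedRole" and issuer:
        return f"{issuer} (session {ident.get('arn', '?').rsplit('/', 1)[-1]})"
    return ident.get("arn", "unknown")


def find_deletions(records, resource_id):
    """Delete* events whose request parameters mention resource_id, with who/when/where."""
    hits = []
    for r in records:
        if not r["eventName"].startswith("Delete"):
            continue
        if resource_id not in json.dumps(r.get("requestParameters", {})):
            continue
        hits.append({"time": r["eventTime"], "event": r["eventName"], "actor": actor(r),
                     "source_ip": r.get("sourceIPAddress"), "region": r.get("awsRegion")})
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for (cat, acc), n in sorted(summarize(recs).items()):
        print(f"{cat:10} {acc:5} {n}")
    for hit in find_deletions(recs, "subnet-0abc123"):
        print(hit)
```

On a real log the same actor/source_ip pivot is what turns one DeleteSubnet record into a timeline: search every record from the same role session and IP (here the CreateUser call a few minutes later) rather than stopping at the deletion.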

CloudTrail Insights Events

  • Enable CloudTrail Insights (per trail, at extra cost) to detect unusual activity in your account, such as:

    • spikes in resource provisioning

    • hitting service limits

    • bursts of AWS IAM actions

    • gaps in periodic maintenance activity

  • CloudTrail Insights learns a baseline from your normal write management events (API call rate, and also API error rate) and then continuously compares new write events against it. When activity deviates from the baseline, CloudTrail generates Insights events that:

    • show the anomaly in the CloudTrail console

    • can be delivered to S3 (under a separate prefix from the trail's log files)

    • can trigger an EventBridge rule for automated response
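The baseline-then-compare idea above, as an added toy detector that is not AWS's Insights algorithm and not part of the original notes: it counts write management events per minute over a constructed timeline (an hour of routine EC2 tagging, then 40 IAM CreateAccessKey calls in one minute), takes the median of the preceding 30 minutes as the baseline, and flags any minute far above it. The window size, multiplier and minimum count are assumptions chosen for the example.

```python
"""Toy burst detector over constructed CloudTrail write events, loosely modelled on Insights."""
import statistics
from collections import Counter
from datetime import datetime, timedelta, timezone


def _record(t, source, name, read_only):
    """Minimal CloudTrail-shaped record with only the fields the detector needs."""
    return {"eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventSource": source,
            "eventName": name, "readOnly": read_only, "managementEvent": True}


def build_sample_events():
    """Constructed timeline (not real data): 60 minutes of 1-2 CreateTags writes per minute
    plus a read call each minute, then 40 CreateAccessKey calls inside minute 61."""
    start = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    events = []
    for m in range(60):
        t = start + timedelta(minutes=m)
        events.append(_record(t, "ec2.amazonaws.com", "CreateTags", read_only=False))
        if m % 2 == 0:
            events.append(_record(t, "ec2.amazonaws.com", "CreateTags", read_only=False))
        events.append(_record(t, "ec2.amazonaws.com", "DescribeInstances", read_only=True))
    burst = start + timedelta(minutes=60)
    for s in range(40):
        events.append(_record(burst + timedelta(seconds=s), "iam.amazonaws.com",
                              "CreateAccessKey", read_only=False))
    return events


def per_minute_write_counts(records):
    """Count write management events per minute (read-only and data events are ignored,
    mirroring what Insights analyses)."""
    counts = Counter()
    for r in records:
        if r.get("readOnly") or not r.get("managementEvent", True):
            continue
        counts[r["eventTime"][:16]] += 1   # "YYYY-MM-DDTHH:MM"
    return counts


def detect_bursts(counts, window=30, factor=5.0, min_count=10):
    """Flag minutes whose write count is at least factor x the median of the preceding
    window (minutes with no events count as zero) and at least min_count calls."""
    if not counts:
        return []
    fmt = "%Y-%m-%dT%H:%M"
    t, last = datetime.strptime(min(counts), fmt), datetime.strptime(max(counts), fmt)
    timeline = []
    while t <= last:
        key = t.strftime(fmt)
        timeline.append((key, counts.get(key, 0)))
        t += timedelta(minutes=1)
    bursts = []
    for i, (key, n) in enumerate(timeline):
        if i < window:            # not enough history for a baseline yet
            continue
        baseline = statistics.median([c for _, c in timeline[i - window:i]])
        if n >= min_count and n >= factor * max(baseline, 1.0):
            bursts.append({"minute": key, "count": n, "baseline": baseline})
    return bursts


if __name__ == "__main__":
    counts = per_minute_write_counts(build_sample_events())
    for b in detect_bursts(counts):
        print(f"burst at {b['minute']}: {b['count']} writes vs baseline {b['baseline']}")
```

The real service baselines over days rather than 30 minutes and reports the call rate per eventSource and eventName, so a burst of IAM calls would be attributed to iam.amazonaws.com / CreateAccessKey; the point of the toy is only that read events are excluded and a baseline must exist before anything can be called unusual.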

CloudTrail Events - Retention

  • Event history retention: 90 days (management events only; data and Insights events are not shown there)

  • The last 90 days can be searched in the CloudTrail console (or with aws cloudtrail lookup-events). Anything older exists only if a trail delivered it to S3, where it can be queried with Athena