CloudTrail is a governance, compliance, risk management, and auditing service that records account activities (by Console or APIs) and stores logs in S3.
- CloudTrail tracks all user activities and API calls across your AWS accounts – through a console, SDKs, and CLI
- You can track the user name, event name, event date/time, IP address, access key, region, and error code.
Features
CloudTrail monitors activity in AWS accounts. It identifies which user (Who) performed which action (What), at what time (When) and from which source IP address (Where).
- CloudTrail is automatically enabled for all new accounts.
- CloudTrail will automatically begin to log events in your AWS account without any configuration. If you want to save logs for more than 90 days, you will need to enable a Trail.
- A trail can be applied to all regions (default) or a single region.
- CloudTrail distinguishes “Read Events,” which only read resources, from “Write Events,” which modify them.
- CloudTrail will deliver logs to your S3 bucket about every 5 minutes.
- CloudTrail can be used with other services:
  - set up alarms with CloudWatch
  - analyze access patterns with GuardDuty
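The Who/What/When/Where view and the read/write split described above, as an added example that is not part of the original notes: a small parser for a delivered CloudTrail log file (the `{"Records": [...]}` layout), reducing each record to the fields an investigator looks at first. The sample records, names, IPs and key IDs are constructed; the prefix-based fallback used when a record lacks CloudTrail's `readOnly` field is a heuristic of this example, not CloudTrail's own definition.

```python
import json
from datetime import datetime

# Heuristic fallback only (assumption of this example): API names with these
# prefixes are treated as read-only when a record carries no readOnly field.
READ_PREFIXES = ("Get", "List", "Describe", "Head")

# Constructed sample of a delivered CloudTrail log file; values are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1", "readOnly": True,
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "cloud_user", "accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2024-01-15T10:03:45Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "cloud_user", "accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2024-01-15T10:04:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "intern", "accessKeyId": "AKIAEXAMPLE2"}},
]})


def is_write(rec):
    """Prefer CloudTrail's readOnly flag; fall back to the API name prefix when absent."""
    if "readOnly" in rec:
        return not rec["readOnly"]
    return not rec["eventName"].startswith(READ_PREFIXES)


def parse_records(log_text):
    """Reduce each record to the Who/What/When/Where fields an investigator wants."""
    rows = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        rows.append({
            "who": ident.get("userName") or ident.get("arn") or ident.get("type"),
            "access_key": ident.get("accessKeyId"),
            "what": f'{rec["eventSource"]}:{rec["eventName"]}',
            "when": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "where": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "write": is_write(rec),
            "error": rec.get("errorCode"),  # set only on failed calls
        })
    return rows


def triage(rows):
    """Split out what an investigator reads first: resource-modifying calls and failures."""
    return {"writes": [r for r in rows if r["write"]],
            "denied": [r for r in rows if r["error"]]}
```

On a real trail you would feed it the gunzipped log objects from the S3 bucket instead of `SAMPLE_LOG`.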
CloudTrail Events Retention
- Events are stored for 90 days in CloudTrail.
- To keep events for more than 90 days, save them to S3 and query them with Athena.
Use Cases
- Incident investigation
- Intrusion detection
- Industry and regulatory compliance
CloudTrail Events
Activities are recorded as events – 90 days via event history by default.
Management events
- Account activities such as sign-in and actions taken through the APIs or the Console
- Enabled by default
- Examples
  - Configuring security
  - Configuring subnets or routing rules
Data events
- S3 object-level API activities or Lambda function execution activities
- Disabled by default, because of their high volume
Insights events
- Detects unusual activities
- Examples
  - An unusually high volume of API calls (e.g. DeleteBucket)
  - Inaccurate resource provisioning
  - Bursts of IAM action calls
CloudTrail Log Files
- CloudTrail can deliver log files from multiple accounts to a bucket belonging to a central account.
- By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE).
You can query CloudTrail logs using:
- AWS Console
- AWS CLI
- AWS SDK
- Athena queries to logs in S3
Querying CloudTrail Logs using Athena
Once you have created an Athena table for your trail's logs (the CloudTrail console can generate it from Event history), you can query the logs in Athena.
SELECT *
FROM "default"."cloudtrail_logs_aws_cloudtrail_logs_table"
WHERE useridentity.username = 'cloud_user'
ORDER BY eventtime DESC
LIMIT 100
Cross Account CloudTrail
You can query all events of your accounts from a central location.
- Collecting CloudTrail logs from multiple accounts can be done
  - by creating an AWS Organization and an Organization Trail, or
  - by modifying the policy of the S3 bucket where you store the logs:
    - create an S3 bucket in a central account and configure the trails in the other accounts to send their logs to the central bucket.