[AWS] CloudTrail

CloudTrail is a governance, compliance, risk management, and auditing service that records account activities (by Console or APIs) and stores logs in S3.

  • CloudTrail tracks all user activities and API calls across your AWS accounts – through a console, SDKs, and CLI
  • You can track the user name, event name, event date/time, IP address, access key, region, and error code.


CloudTrail monitors activities in AWS accounts. It identifies which user (Who) does which action (What) with the time stamp (When) and the source IP (Where).

  • CloudTrail is automatically enabled for all new accounts.
    • CloudTrail will automatically begin to log events in your AWS account without any configuration. If you want to save logs for more than 90 days, you will need to enable a Trail.
  • A trail can be applied to all regions (default) or a single region.
  • CloudTrail can separate “Read Events” from “Write Events,” which modify resources.
  • CloudTrail will deliver logs to your S3 bucket about every 5 minutes.
  • CloudTrail can be used with other services:
    • set up alarms with CloudWatch
    • analyze access patterns with GuardDuty

CloudTrail Events Retention

  • Events are stored for 90 days in CloudTrail.
  • To keep events more than 90 days, save events in S3 and query with Athena

Use Cases

  • Incident investigation
  • Intrusion detection
  • Industry and regulatory compliance

CloudTrail Events

Activities are recorded as events, which are kept for 90 days in event history by default.

Management events

  • Account Activities such as login, actions taken through APIs or the Console
  • Enabled by default
  • Examples
    • Configuring security
    • Configuring subnets or routing rules

Data events

  • S3 object-level API activities or Lambda function execution activities
  • Disabled by default
    • By default, data events are not logged due to high volume.

Insights events

  • Detects unusual activities
  • Examples
    • A lot of unusual API calls (deleteBucket).
    • Inaccurate resource provisioning
    • Bursts of IAM action calls

CloudTrail Log Files

  • CloudTrail can deliver log files from multiple accounts to a bucket belonging to a central account.
  • By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE).

You can query CloudTrail logs using

  • AWS Console
  • Athena queries to logs in S3

Querying CloudTrail Logs using Athena

Once you have created the Athena table in CloudTrail, you can query the logs in Athena.

SELECT *
FROM "default"."cloudtrail_logs_aws_cloudtrail_logs_table"
WHERE useridentity.username = 'cloud_user'
ORDER BY eventtime DESC
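
The same who/what/when/where triage can be run directly on a log file delivered to S3. The following is an added example, not code from the original post: it parses the "Records" JSON layout of a CloudTrail log file, lists successful write events, and counts failed calls per identity and source IP. The sample records, account ID, IP addresses and role name are constructed, and the file is assumed to be already downloaded and decompressed.

```python
import json
from collections import Counter

# Constructed sample in the CloudTrail log-file layout: one JSON object with a "Records" list.
# The account ID, IPs (documentation ranges) and role name are made up for this example.
def make_record(time, source, name, ip, read_only, identity, error=None):
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "awsRegion": "us-east-1", "sourceIPAddress": ip,
           "readOnly": read_only, "userIdentity": identity}
    if error:
        rec["errorCode"] = error
    return rec

USER = {"type": "IAMUser", "userName": "cloud_user"}
ROLE = {"type": "AssumedRole",
        "arn": "arn:aws:sts::111122223333:assumed-role/ExampleRole/session"}
SAMPLE_LOG = json.dumps({"Records": [
    make_record("2024-01-01T10:00:00Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.7", True, USER),
    make_record("2024-01-01T10:01:00Z", "s3.amazonaws.com", "DeleteBucket", "198.51.100.7", False, USER),
    make_record("2024-01-01T10:02:00Z", "iam.amazonaws.com", "CreateUser", "203.0.113.9", False, USER, "AccessDenied"),
    make_record("2024-01-01T10:03:00Z", "iam.amazonaws.com", "DeleteUser", "203.0.113.9", False, USER, "AccessDenied"),
    make_record("2024-01-01T10:04:00Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "198.51.100.7", False, ROLE),
]})

def summarize(log_text):
    """Return (successful write events as who/what/when/where rows,
    Counter of failed calls keyed by (who, source IP))."""
    writes, failed = [], Counter()
    for rec in json.loads(log_text).get("Records", []):
        ident = rec.get("userIdentity", {})
        # userName is only present for some identity types; fall back to ARN, then type.
        who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        where = rec.get("sourceIPAddress", "unknown")
        if rec.get("errorCode"):
            failed[(who, where)] += 1  # errorCode is set only when the call failed
        elif not rec.get("readOnly", False):  # a missing flag is treated as a write
            writes.append({"when": rec["eventTime"], "who": who,
                           "what": f'{rec["eventSource"]}:{rec["eventName"]}',
                           "where": where, "region": rec["awsRegion"]})
    return writes, failed

if __name__ == "__main__":
    writes, failed = summarize(SAMPLE_LOG)
    for row in writes:
        print(row)
    for (who, ip), n in failed.most_common():
        print(f"{n} failed calls by {who} from {ip}")
```

A burst of failed calls from one identity and address, as in the constructed IAM records, is the pattern worth alerting on.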

Cross Account CloudTrail

You can query all events of your accounts from a central location.

  • Collecting CloudTrail logs from multiple accounts can be done
    • by creating an AWS Organization and Organization Trail
    • or by modifying the S3 bucket policy where you store the logs
      • Creating an S3 bucket in a central account and configuring trails in cloud accounts to send their logs to the central bucket.
