CloudTrail

Priority Tier 4

AWS CloudTrail is a global web service that provides a record of actions taken by users, roles, or AWS services in an AWS account. It serves as a "black box recorder" for an AWS account, capturing API calls and other events, answering "who did this" and "when did it happen," and is non-negotiable for security, compliance, and data governance. (source_page: 3)

Learning Objectives

Core Concepts and Purpose

AWS CloudTrail provides essential visibility into activities within your AWS account.

CloudTrail serves as a “black box recorder” for an AWS account, answering “who did this” and “when did it happen.” It captures actions performed via the AWS Management Console, AWS CLI, AWS SDKs, and other AWS services. (source_page: 3)
CloudTrail is non-negotiable for security, compliance, and data governance, especially in ML workloads. (source_page: 3)
Understanding CloudTrail is essential for AWS Certified Solutions Architect, ML Associate, and potentially even AWS EI Practitioner certifications. (source_page: 3)
CloudTrail addresses the lack of insight into actions taken within a cloud environment, such as accidental deletion of S3 buckets or IAM policy changes. (source_page: 3)
It helps diagnose why systems stopped working by providing a record of actions. (source_page: 3)
CloudTrail provides the required traceability and audit trail for critical systems, proving who accessed data. (source_page: 3)
Manual methods do not scale to meet the demands of cloud environments. (source_page: 3)

CloudTrail Overview and Functionality

CloudTrail records AWS API calls and other events, providing detailed insights into activity across your AWS account.

CloudTrail captures actions performed via the AWS Management Console, AWS CLI, AWS SDKs, and other AWS services. (source_page: 3)
It records all events and securely delivers them to an S3 bucket controlled by the user for long-term storage. (source_page: 3)
CloudTrail seamlessly integrates with Amazon CloudWatch Logs for real-time alerts on specific activities (e.g., critical security group modifications, IAM permission elevation attempts). (source_page: 3)
CloudTrail logs are encrypted at rest and in transit. Log files are encrypted with a KMS key (AWS-managed or customer-managed) before being written to the S3 bucket. (source_page: 3)
CloudTrail is enabled by default for all new and existing AWS accounts, automatically logging management events. (source_page: 3)
CloudTrail stores the past 90 days of event history for free, accessible via the AWS Management Console. (source_page: 3)
For logs beyond 90 days, a new trail must be created to deliver logs to an S3 bucket. (source_page: 3)
Multi-Region Trails are configured by default when created via the AWS Management Console to capture activity from all current and future AWS regions. (source_page: 3)
Single-Region Trails can be created to log events for a specific AWS region. (source_page: 3)
CloudTrail offers an optional log file validation setting that ensures the authenticity and integrity of CloudTrail log files by detecting tampering (additions, deletions, modifications) after delivery to an S3 bucket. (source_page: 3)

How AWS CloudTrail Works

The operational flow of CloudTrail involves several steps from event capture to delivery and potential integration.

Users can optionally create a new trail or use the existing default trail. A new trail is required for retaining event history beyond 90 days. (source_page: 3)
Integrity validation can be enabled during the delivery of logs to Amazon S3. (source_page: 3)
CloudTrail automatically captures API calls and actions performed by human users or AWS service roles, such as stopping an EC2 instance or creating an S3 bucket policy. (source_page: 3)
Information is written into JSON log files. (source_page: 3)
Log files are delivered to the configured S3 bucket in near real-time (within approximately 5 minutes). (source_page: 3)
Log files are encrypted with a KMS key (AWS-managed or customer-managed) before being written to the S3 bucket. (source_page: 3)
Logs can be sent to Amazon CloudWatch Logs to trigger alerts. (source_page: 3)

CloudTrail Event Types

CloudTrail categorizes captured activities into different event types to provide granular logging for various operational aspects.

Management Events

Control plane actions representing operations performed on resources in an AWS account (e.g., creating, modifying, or deleting resources). API examples: CreateBucket, DeleteUser, ModifyInstanceAttribute. Logged by default in trails and event data stores.
Use Cases:
  • Auditing resource creation/modification/deletion

Data Events

Data plane actions that record resource-level activities, often granular and high-volume. Examples include reading from/writing to S3, invoking Lambda functions, or retrieving data from DynamoDB. API examples: GetObject, PutObject (S3); Invoke (Lambda); GetItem, PutItem (DynamoDB). Data events are not logged by default and must be explicitly enabled for specific resources (e.g., S3 buckets, Lambda functions).
Use Cases:
  • Auditing S3 data access
  • Monitoring Lambda function invocations
  • Tracking DynamoDB item operations

Insight Events

These events detect unusual activities in an AWS account by automatically analyzing management events to identify potential threats. Examples include spikes in API error rates or unusual write volumes. Insight events are not logged by default; they can be enabled on trails or event data stores to help respond quickly to security issues.
Use Cases:
  • Proactive threat detection
  • Identifying unusual activity spikes

Network Activity Events

A newer event type for capturing VPC flow logs and related network activity. These events can be enabled for specific VPCs.
Use Cases:
  • Network troubleshooting
  • Network security analysis

CloudTrail Data Retention and Pricing

Understanding CloudTrail's data retention policies and pricing model is crucial for cost management and compliance.

The last 90 days of management events are available for free via the AWS Management Console. (source_page: 3)
For logs beyond 90 days, a new CloudTrail trail must be configured to write logs to an S3 bucket, where standard S3 retention policies apply. (source_page: 3)
The first copy of management events is free. (source_page: 3)
Data Events & Insight Events incur additional costs. This is why they are not enabled by default. (source_page: 3)

CloudTrail Use Cases

CloudTrail provides audit and security capabilities for a variety of scenarios.

CloudTrail is used for identifying who deleted a file or performed specific actions in an AWS account. (source_page: 3)
It helps in diagnosing system failures by analyzing changes that occurred prior to the issue. (source_page: 3)
CloudTrail is essential for generating immutable logs for long-term persistence to meet regulatory audit requirements. (source_page: 3)
It provides an audit trail for access to sensitive data in S3 data lakes and ensures compliance with data regulations. (source_page: 3)
CloudTrail enables configuring Amazon EventBridge rules to trigger AWS Lambda functions based on CloudTrail Insight events (e.g., high error rate). An example is automatically quarantining an IAM user or role when unusual activity is detected (e.g., a compromised user terminating production EC2 instances). (source_page: 3)

AWS CloudTrail Demo (Management Console Navigation)

A conceptual overview of navigating the AWS Management Console for CloudTrail: accessing CloudTrail, viewing event history, and creating a new trail.

Prerequisites

  • AWS Account
  • Appropriate IAM permissions

1. Accessing CloudTrail

💡 To manage and view CloudTrail events and configurations.

Search for “CloudTrail” in the AWS service search bar.

2. Viewing Event History

💡 To review captured management events for the past 90 days.

Open the “Event history” tab. Events can be filtered by “Event name” or “Username.” Each event record is a JSON document containing details such as accessKey, accountId, and principalId.

3. Creating a New Trail

💡 To configure long-term retention beyond 90 days, log data events, insight events, or network activity events, and customize logging settings.

Click “Create trail.”
- Trail Name: e.g., CS demo trail.
- Apply trail to all accounts in my organization: option to log for all accounts in the organization or just the current one.
- Storage Location: create a new S3 bucket or use an existing one, with an optional prefix for logs within the bucket.
- SSE-KMS Encryption: enable encryption for log files delivered to S3, using a new or an existing KMS key.
- Additional Settings:
  - Log file validation: enables integrity validation of delivered log files.
  - SNS Notification: option to send notifications when logs are delivered.
  - CloudWatch Logs: option to deliver logs to CloudWatch Logs.
- Event Types:
  - Management events (enabled by default; can be set to read and write, read-only, or write-only).
  - Data events (must be enabled for specific resources).
  - Insight events (must be enabled).
  - Network activity events (for VPC flow logs).
- Review and Create: final step to confirm settings and create the trail.
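As an added example (not part of these notes and not AWS code), the following Python reads a constructed CloudTrail log file, pulls the userIdentity fields that answer "who did this" (the accessKeyId, accountId and principalId seen in the event history step), and flags the kinds of write calls the overview says deserve a CloudWatch alert (security group modifications, IAM permission elevation) plus S3 deletions; the account id, ARNs, key ids and the list of sensitive APIs are illustrative assumptions.

```python
import json

def _rec(source, name, arn, pid, key, read_only=False, error=None):
    """Build one record in CloudTrail's JSON layout (constructed sample data, not a real account)."""
    r = {"eventSource": source, "eventName": name, "readOnly": read_only, "managementEvent": True,
         "userIdentity": {"arn": arn, "principalId": pid, "accessKeyId": key, "accountId": "111122223333"}}
    if error:
        r["errorCode"] = error  # CloudTrail records failed calls too, with an errorCode
    return r

# Constructed identities (placeholder ARNs and ids, not real ones).
ALICE = ("arn:aws:iam::111122223333:user/alice", "AIDAEXAMPLE1", "AKIAEXAMPLE1")
CI = ("arn:aws:sts::111122223333:assumed-role/ci-role/ci", "AROAEXAMPLE2:ci", "ASIAEXAMPLE2")
BOB = ("arn:aws:iam::111122223333:user/bob", "AIDAEXAMPLE3", "AKIAEXAMPLE3")

# A CloudTrail log file is a JSON object with a top-level "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("iam.amazonaws.com", "AttachUserPolicy", *ALICE),
    _rec("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", *CI,
         error="Client.UnauthorizedOperation"),
    _rec("s3.amazonaws.com", "DeleteBucket", *ALICE),
    _rec("s3.amazonaws.com", "ListBuckets", *BOB, read_only=True),
]})

# Write APIs worth an alert: IAM permission elevation, security group changes, S3 deletions.
SENSITIVE = {
    "iam.amazonaws.com": {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "CreateAccessKey"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                          "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"},
    "s3.amazonaws.com": {"DeleteBucket", "DeleteObject", "PutBucketPolicy"},
}

def load_records(log_text):
    return json.loads(log_text)["Records"]

def who(record):
    """The userIdentity fields that answer 'who did this'."""
    ident = record["userIdentity"]
    return {k: ident.get(k) for k in ("arn", "principalId", "accessKeyId", "accountId")}

def alerts(records):
    """(eventName, arn, outcome) for each sensitive write; a call that failed with an
    errorCode is still surfaced, marked 'attempt', so denied elevation attempts are seen."""
    out = []
    for r in records:
        if not r.get("readOnly", False) and r["eventName"] in SENSITIVE.get(r["eventSource"], ()):
            out.append((r["eventName"], r["userIdentity"]["arn"],
                        "attempt" if "errorCode" in r else "succeeded"))
    return out
```

Against the sample log, `alerts()` surfaces the policy attachment, the denied security group change and the bucket deletion, while the read-only ListBuckets call is ignored.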

Glossary

Management Events
Control plane actions representing operations performed on resources in an AWS account (e.g., creating, modifying, or deleting resources). Logged by default in trails and event data stores. (source_page: 3)
Data Events
Data plane actions that record resource-level activities, often granular and high-volume (e.g., reading from/writing to S3, invoking Lambda functions, retrieving data from DynamoDB). Not logged by default. (source_page: 3)
Insight Events
Events that detect unusual activities in an AWS account by automatically analyzing management events to identify potential threats. Not logged by default. (source_page: 3)
Network Activity Events
A newer event type for capturing VPC flow logs and related network activity. (source_page: 3)
Traceability
The ability to log all activities in the application landscape using AWS CloudTrail and CloudWatch to track resource creation/deletion and API access. (source_page: 3)

Content Sources

  • RSARCH_EN-US_SG_M07_WAPRINCIPLES_Study_Guide
  • RSARCH_EN-US_SG_M07_AWSWELLARCHITECTE...
  • SAA-C03 @CloudExpertSolutions AWS Well-Architected Framework: Pilla...
  • API Gateway Stage and Canary Deployments

Extracted: 2026-01-26 09:28:14.746437 (Model: gemini-2.5-flash)