📜 AWS CloudTrail
CloudTrail records every API call made to AWS — who called it, when, from where, and what they changed. It's the audit log for your entire AWS account. Essential for compliance, security investigations, and change tracking.
🔑 Covers: API Activity Logging · Event Types · Compliance · Trails · CloudTrail InsightsWhat is CloudTrail? — The AWS Audit Log
Every action in AWS is made through an API call — whether you click in the console, run the CLI, or use the SDK. CloudTrail records all of these calls.
🎯 Key Use Cases
🕵️ Security Investigations
Someone deleted a production database. Who did it? CloudTrail shows: IAM user "john-dev" called DeleteDBInstance at 3am from IP 192.168.1.100.
📋 Compliance Auditing
Prove to auditors that access controls work. Show that only authorized users accessed sensitive data. Generate audit reports covering months/years.
🔧 Change Tracking
App broke after deployment. What changed? CloudTrail shows what Lambda configurations, IAM policies, or security groups were modified and when.
CloudTrail Event Types — Three Kinds of Records
🔑 Management Events
What: API calls that configure/manage AWS resources.
Examples: CreateS3Bucket, TerminateInstances, CreateSecurityGroup, UpdateFunction, PutRolePolicy, ConsoleLogin
Enabled by default: YES — free for first trail
Also called: Control plane operations
📁 Data Events
What: API calls that read/write actual data inside resources.
Examples: S3 GetObject, PutObject, DeleteObject; Lambda InvokeFunction; DynamoDB GetItem, PutItem
Enabled by default: NO — must enable explicitly, costs extra
Also called: Data plane operations
💡 Insights Events
What: Automatically detected unusual API activity patterns.
Examples: Sudden 100x spike in TerminateInstances calls, unusual IAM API usage pattern, unexpected resource creation bursts
Enabled by default: NO — opt-in feature
Use for: Automatic anomaly detection without setting thresholds
Data Events = "What happened to my data" (who read/wrote S3 objects, who invoked Lambda)
Exam scenario: "Log every time someone reads a file from S3 bucket X" → Enable S3 Data Events for that bucket.
Trails — Long-Term CloudTrail Storage
By default, CloudTrail shows events for the last 90 days in the Event History (free, no trail needed). For longer retention, you create a Trail.
📋 Trail Configuration Options
| Setting | Options | Recommendation |
|---|---|---|
| Scope | Single region or All regions | Always use All regions to catch global API calls |
| Storage | S3 bucket (required) | Enable S3 server-side encryption (SSE-KMS) |
| CloudWatch Logs | Optional — send to a CW Log Group | Enable for real-time alerting on specific API calls |
| SNS Notifications | Optional — notify on new log files | Useful for triggering automated processing |
| Log File Validation | Enable/disable | Always enable — ensures log files haven't been tampered with |
| Organization Trail | Apply to all accounts in AWS Org | Use for multi-account logging from one central trail |
Example alarm: Alert whenever someone calls
DeleteTrail or StopLogging — someone might be trying to hide their tracks!
What a CloudTrail Event Record Looks Like
Each event is a JSON object containing complete details about the API call:
Every event tells you: Who? When? What? Where from? Which service? Parameters?
CloudTrail Insights — Automatic Anomaly Detection
CloudTrail Insights watches your write API call rates over time and learns what "normal" looks like. When it detects an unusual spike or unusual pattern, it creates an Insights event and notifies you.
- Normally your account creates 2 EC2 instances per day. Suddenly 200 are created in 10 minutes. (Possible: compromised credentials being used for crypto mining)
- Normally 0 security groups are deleted per week. Suddenly 50 are deleted. (Possible: automated attack or misconfigured script)
- IAM CreateAccessKey is called 5x more than normal. (Possible: someone is creating backdoor access keys)
CloudWatch Logs = records "what happened inside your application" (application plane).
Do NOT confuse them! If question asks "track who deleted Lambda function" → CloudTrail. If "track application errors" → CloudWatch Logs.