AWS CloudTrail

Updated June 23, 2025

AWS CloudTrail Cheat Sheet

AWS CloudTrail is a service that provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. It is an essential service for security, auditing, governance, and compliance.

Core Concepts

Events

An event in CloudTrail is the record of an activity in an AWS account. This can be an action taken by a user, role, or service.

  • Management Events:

    • Provide insight into management operations performed on resources in your AWS account (also known as "control plane" operations).

    • Examples: Creating an S3 bucket, launching an EC2 instance, creating an IAM user.

    • By default, CloudTrail logs all management events.

  • Data Events:

    • Provide insight into the resource operations performed on or within a resource (also known as "data plane" operations).

    • Examples: s3:GetObject, s3:PutObject, lambda:InvokeFunction.

    • These are high-volume events and are not logged by default. You must explicitly enable them on a trail for specific resources.

  • CloudTrail Insights Events:

    • A paid feature that uses machine learning analysis to detect unusual API activity in your account.

    • It helps you identify potential operational issues or security breaches, such as spikes in resource provisioning or bursts of IAM actions.

    • Insights events are logged only when unusual activity is detected.

Event History

  • CloudTrail provides a viewable and searchable record of the past 90 days of your account's management events.

  • This is accessible in the CloudTrail console and does not require setting up a trail.

Trails

  • A trail is a configuration that enables the delivery of CloudTrail events to an Amazon S3 bucket for long-term storage, analysis, and auditing.

  • You can optionally configure a trail to also deliver events to Amazon CloudWatch Logs and Amazon EventBridge.

  • Best Practice: Create a trail that applies to all regions. This ensures you capture events from all regions where your account operates and delivers all event log files to a single, specified S3 bucket.

  • Organization Trail: A special type of trail that must be created in the management account of an AWS Organization. It captures and logs all events for all AWS accounts within that organization, centralizing audit logs.

Security and Integrity

  • Encryption:

    • By default, CloudTrail event log files delivered to your S3 bucket are encrypted using Amazon S3 Server-Side Encryption (SSE-S3).

    • You can also choose to encrypt your log files with a key from AWS Key Management Service (SSE-KMS) for more granular control.

  • Log File Integrity Validation:

    • This feature provides assurance that the CloudTrail log files have not been modified or tampered with after being delivered to S3.

    • When enabled, CloudTrail delivers digitally signed digest files containing the hashes of the delivered log files. You can use these digest files to validate that the logs are complete and unaltered.

CloudTrail Lake

  • A managed data store that allows you to aggregate, immutably store, and query your activity logs using SQL-based queries.

  • Simplifies audit and security analysis without the need to manage S3 buckets and set up a separate query service like Amazon Athena.

Integration with Amazon CloudWatch

  • You can configure a trail to send events to CloudWatch Logs.

  • This enables real-time monitoring of API activity. You can create metric filters and alarms in CloudWatch to be notified of specific events (e.g., unauthorized API calls, root user sign-in, changes to security groups).
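The three alert cases named above, as an added example that is not part of the original cheat sheet: a small classifier run over a constructed CloudTrail log file (same JSON shape CloudTrail delivers, with placeholder account id and ARNs), alongside the equivalent CloudWatch Logs filter patterns you would attach to the trail's log group. The event names, error codes and pattern syntax are real; the sample records are constructed.

```python
import json

# Constructed sample in CloudTrail's delivery shape ({"Records": [...]}); the
# account id 111122223333 and the ARNs are placeholders, not real identities.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]})

SECURITY_GROUP_EVENTS = {  # EC2 calls that create, delete or re-rule a security group
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup"}

# The same checks in CloudWatch Logs filter-pattern syntax, for a metric filter
# (and alarm) on the log group the trail delivers to.
METRIC_FILTER_PATTERNS = {
    "unauthorized_api_call":
        '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
    "root_console_login": '{ ($.userIdentity.type = "Root") && ($.eventName = "ConsoleLogin") }',
    "security_group_change":
        "{ " + " || ".join(f"($.eventName = {e})" for e in sorted(SECURITY_GROUP_EVENTS)) + " }",
}

def classify(record):
    """Return the alert names one record matches (empty list if none)."""
    alerts, err = [], record.get("errorCode", "")
    if err.endswith("UnauthorizedOperation") or err.startswith("AccessDenied"):
        alerts.append("unauthorized_api_call")
    if record.get("userIdentity", {}).get("type") == "Root" and record.get("eventName") == "ConsoleLogin":
        alerts.append("root_console_login")
    if record.get("eventSource") == "ec2.amazonaws.com" and record.get("eventName") in SECURITY_GROUP_EVENTS:
        alerts.append("security_group_change")
    return alerts

def scan(log_text):
    """Parse one delivered log file; return (eventName, actor ARN, alerts) per matching record."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if alerts := classify(rec):
            hits.append((rec["eventName"], rec.get("userIdentity", {}).get("arn", "?"), alerts))
    return hits
```

Running `scan(SAMPLE_LOG)` flags the first three records and leaves the routine CreateBucket alone; the filter patterns give the same result once a metric filter is in place, which is what you would wire to a CloudWatch alarm.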

Pricing

  • Event History: Viewing the last 90 days of management events is free.

  • Trails: The first copy of management events delivered by a trail to S3 is free. Additional copies or trails delivering management events incur a charge.

  • Data Events & Insights Events: These are charged based on the number of events recorded.