Thursday, October 23, 2025

AWS - CloudTrail

AWS CloudTrail is a logging and auditing service that automatically records the API calls (management events, data events and Insights events) made in your AWS account.

Think of it as your "flight recorder" for AWS — it captures the who, what, when, where, and from where for every action taken, whether via:

  • AWS Console
  • CLI
  • SDKs
  • AWS services on your behalf

CloudTrail logs AWS service API activity (control plane and data plane), not your custom application APIs; those are logged via CloudWatch, ALB access logs, or API Gateway.

What AWS CloudTrail logs

CloudTrail records management and data events made to AWS services, such as:

  • CLI commands → aws s3 ls
  • SDK calls → app using AWS SDK
  • Console actions → creating EC2, updating IAM, etc.

Examples:

  • ListBuckets (S3)
  • RunInstances (EC2)
  • PutObject (S3 upload)

What CloudTrail does NOT log

❌ Your application-level APIs, like:

  • xyz.com/plan/id
  • Custom REST endpoints
  • Internal microservice calls

These sit outside the AWS control-plane and data-plane APIs, so CloudTrail never sees them.


Why Use CloudTrail?

  1. Security Auditing
    Detect unauthorized or unusual activity (e.g., a user creating new IAM roles or disabling logging).

  2. Compliance
    Helps meet regulatory requirements (e.g., PCI-DSS, HIPAA, SOC).

  3. Operational Troubleshooting
    Trace changes or errors back to specific users or services.

  4. Forensics & Incident Response
    Investigate breaches or misconfigurations historically.


Key Concepts

Concept             Description
Event               A record of an API call or action taken
Trail               A configuration that delivers events to an S3 bucket
Management Events   Actions like creating resources, changing permissions (default: enabled)
Data Events         High-volume events like S3 object-level access or Lambda executions (optional, paid)
Insight Events      Detect and alert on unusual API call patterns (e.g., spikes in activity)

Where are the logs stored?

CloudTrail delivers logs to:

  • Amazon S3 bucket (mandatory)
  • CloudWatch Logs (optional, for real-time monitoring)
  • CloudTrail Lake (optional, for querying with SQL directly in AWS)


Cost

  • Management events: First copy per region is free
  • Data events & Insights: Charged per event
  • CloudTrail Lake: Charged for ingestion and querying


Best Practices

  1. Enable CloudTrail in all regions (multi-region trail)
  2. Use an S3 bucket with versioning and access logging
  3. Enable encryption (SSE-S3 or SSE-KMS)
  4. Send logs to CloudWatch Logs for alerts
  5. Enable Insight events to detect anomalies
  6. Enable multi-account trails with AWS Organizations

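A quick way to turn the best-practice list above into a repeatable check is to run it against the output of `aws cloudtrail describe-trails`. The script below is an added example, not the blog's or AWS's own code; the field names follow the real DescribeTrails response shape, but the sample trail is constructed for the demo, and the trail name, bucket name and account ID are hypothetical. Bucket versioning and access logging (item 2) are S3 settings not visible in DescribeTrails, so they are not checked here; log file validation is checked as an extra item that the list above does not mention.

```python
"""Audit CloudTrail trail configuration against a best-practice checklist.

Added example. Input is the JSON printed by `aws cloudtrail describe-trails`
(a "trailList" array); the sample below is constructed for the demo.
"""
import json
from typing import Callable, Dict, List, Tuple

# Constructed sample: one single-region trail with no KMS key, no CloudWatch
# Logs delivery and no Insights. Name, bucket and account ID are hypothetical.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "example-trail",
            "S3BucketName": "example-cloudtrail-bucket",
            "IncludeGlobalServiceEvents": True,
            "IsMultiRegionTrail": False,
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
            "LogFileValidationEnabled": False,
            "HasCustomEventSelectors": False,
            "HasInsightSelectors": False,
            "IsOrganizationTrail": False,
        }
    ]
})

# Each check: (label reported when it fails, predicate that is True when the trail passes).
# Optional fields such as KmsKeyId and CloudWatchLogsLogGroupArn are simply absent
# from the response when not configured, hence the .get() calls.
CHECKS: List[Tuple[str, Callable[[dict], bool]]] = [
    ("multi-region trail",        lambda t: t.get("IsMultiRegionTrail") is True),
    ("global service events",     lambda t: t.get("IncludeGlobalServiceEvents") is True),
    ("KMS encryption (SSE-KMS)",  lambda t: bool(t.get("KmsKeyId"))),
    ("CloudWatch Logs delivery",  lambda t: bool(t.get("CloudWatchLogsLogGroupArn"))),
    ("Insights events",           lambda t: t.get("HasInsightSelectors") is True),
    ("organization trail",        lambda t: t.get("IsOrganizationTrail") is True),
    ("log file validation",       lambda t: t.get("LogFileValidationEnabled") is True),
]


def audit_trail(trail: dict) -> List[str]:
    """Return the labels of the checks this trail fails (empty list = all good)."""
    return [label for label, passes in CHECKS if not passes(trail)]


def audit_describe_trails(describe_trails_json: str) -> Dict[str, List[str]]:
    """Map each trail name to its failed checks.

    An empty trailList is itself a finding: with no trail, nothing is being
    delivered to S3 at all.
    """
    trails = json.loads(describe_trails_json).get("trailList", [])
    if not trails:
        return {"<no trail>": ["no trail configured"]}
    return {t["Name"]: audit_trail(t) for t in trails}


if __name__ == "__main__":
    for name, gaps in audit_describe_trails(SAMPLE_DESCRIBE_TRAILS).items():
        print(f"{name}: " + ("OK" if not gaps else "MISSING: " + ", ".join(gaps)))
```

Run it on real output with `aws cloudtrail describe-trails > trails.json` and feed the file contents to `audit_describe_trails`; a trail that passes every check returns an empty list.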

Example Event Log (JSON)

{
  "eventTime": "2025-10-05T12:00:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "StartInstances",
  "userIdentity": {
    "type": "IAMUser",
    "userName": "dev-ops-user"
  },
  "sourceIPAddress": "192.0.2.0",
  "requestParameters": {
    "instancesSet": {
      "items": ["i-1234567890abcdef0"]
    }
  }
}
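The event above carries the who/what/when/where the "flight recorder" framing promises, and the Security Auditing item earlier on the page names two things worth watching for: users creating new IAM roles and disabling logging. The script below, an added example rather than the blog's or AWS's own code, reads a CloudTrail log file in the shape delivered to S3 (a top-level "Records" array), summarizes each record, and flags those two categories. The record fields used are standard CloudTrail fields; the sample log file is constructed, the ARNs and account ID in it are hypothetical, and which event names count as "disabling logging" or "creating IAM roles" is this example's own assumption.

```python
"""Summarize CloudTrail records and flag high-risk API calls.

Added example. Input is a CloudTrail log file as delivered to S3:
{"Records": [ ...event records... ]}. The sample below is constructed.
"""
import json
from typing import Dict, List

# Constructed sample log file with three records: a routine EC2 call, a call
# that stops the trail, and a denied attempt to create an IAM role.
SAMPLE_LOG_FILE = json.dumps({
    "Records": [
        {
            "eventTime": "2025-10-05T12:00:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "StartInstances",
            "userIdentity": {"type": "IAMUser", "userName": "dev-ops-user"},
            "sourceIPAddress": "192.0.2.0",
        },
        {
            "eventTime": "2025-10-05T12:01:30Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "userIdentity": {"type": "IAMUser", "userName": "dev-ops-user"},
            "sourceIPAddress": "192.0.2.0",
        },
        {
            "eventTime": "2025-10-05T12:02:00Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateRole",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"},
            "sourceIPAddress": "203.0.113.7",
            "errorCode": "AccessDenied",   # present only when the call failed
        },
    ]
})

# Event names treated as high-risk (this example's assumption): calls that stop,
# delete or reconfigure the trail itself, and calls that create IAM principals
# or attach policies to them.
HIGH_RISK_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "iam.amazonaws.com": {"CreateRole", "CreateUser", "AttachRolePolicy", "PutRolePolicy"},
}


def actor(record: dict) -> str:
    """Best-effort 'who': userName for IAM users, otherwise the ARN, otherwise the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def summarize(record: dict) -> Dict[str, str]:
    """Flight-recorder view of one record: who, what, when, where, and whether it failed."""
    return {
        "who": actor(record),
        "what": f'{record.get("eventSource", "?")}:{record.get("eventName", "?")}',
        "when": record.get("eventTime", "?"),
        "where": record.get("sourceIPAddress", "?"),
        "error": record.get("errorCode", ""),   # empty string when the call succeeded
    }


def is_high_risk(record: dict) -> bool:
    """True when the record's eventSource/eventName pair is on the watch list."""
    return record.get("eventName") in HIGH_RISK_EVENTS.get(record.get("eventSource"), set())


def find_high_risk(log_file_json: str) -> List[Dict[str, str]]:
    """Return summaries of every high-risk record, in log order.

    Denied attempts (errorCode set) are kept on purpose: a failed StopLogging
    says as much about intent as a successful one.
    """
    records = json.loads(log_file_json).get("Records", [])
    return [summarize(r) for r in records if is_high_risk(r)]


if __name__ == "__main__":
    for hit in find_high_risk(SAMPLE_LOG_FILE):
        print(hit)
```

The same `summarize` function works on a single event record such as the one above; `find_high_risk` expects the wrapping "Records" array that CloudTrail writes to each gzipped log file in S3.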
