AWS CloudTrail is a logging and auditing service that automatically records every API call (management, data, and event-level) made in your AWS account.
Think of it as your "flight recorder" for AWS — it captures the who, what, when, where, and from where for every action taken, whether via:
- AWS Console
- CLI
- SDKs
- AWS services acting on your behalf
Why Use CloudTrail?
- Security Auditing: Detect unauthorized or unusual activity (e.g., a user creating new IAM roles or disabling logging).
- Compliance: Helps meet regulatory requirements (e.g., PCI-DSS, HIPAA, SOC).
- Operational Troubleshooting: Trace changes or errors back to specific users or services.
- Forensics & Incident Response: Investigate breaches or misconfigurations historically.
Key Concepts
| Concept | Description |
|---|---|
| Event | A record of an API call or action taken |
| Trail | A configuration that delivers events to an S3 bucket |
| Management Events | Actions like creating resources, changing permissions (default: enabled) |
| Data Events | High-volume events like S3 object-level access or Lambda executions (optional, paid) |
| Insight Events | Detect and alert on unusual API call patterns (e.g., spikes in activity) |
Where are the logs stored?
CloudTrail delivers logs to:
- Amazon S3 bucket (mandatory)
- CloudWatch Logs (optional, for real-time monitoring)
- CloudTrail Lake (optional, for querying with SQL directly in AWS)
Cost
- Management events: the first copy per region is free
- Data events & Insights: charged per event
- CloudTrail Lake: charged for ingestion and querying
Best Practices
- Enable CloudTrail in all regions (a multi-region "global" trail)
- Use an S3 bucket with versioning and access logging
- Enable encryption of the log files (SSE-S3 or SSE-KMS)
- Send logs to CloudWatch Logs for alerts
- Enable Insights events to detect anomalies
- Enable an organization (multi-account) trail with AWS Organizations
Example Event Log (JSON)
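As an added example (not part of the original post): a few constructed CloudTrail records in the standard record layout (eventVersion, userIdentity, eventTime, eventSource, eventName, awsRegion, sourceIPAddress, errorCode) and a small Python detector that flags the two activities the Security Auditing bullet names, logging tampering and IAM privilege changes, while keeping denied attempts visible. The account ID, IPs, user names and the WATCHLIST categories are made up for the example.

```python
import json

# Constructed records mimicking a CloudTrail log file; account ID, IPs and names are fictional.
SAMPLE_RECORDS = json.loads("""{"Records": [
 {"eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}},
 {"eventVersion": "1.08", "eventTime": "2024-05-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateRole", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"roleName": "backup-admin"}},
 {"eventVersion": "1.08", "eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"}},
 {"eventVersion": "1.08", "eventTime": "2024-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "AttachRolePolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}}
]}""")

# API calls worth an alert, keyed by eventSource, with the category each one indicates (assumed grouping).
WATCHLIST = {
    "cloudtrail.amazonaws.com": {"StopLogging": "logging-tamper", "DeleteTrail": "logging-tamper",
                                 "UpdateTrail": "logging-tamper"},
    "iam.amazonaws.com": {"CreateRole": "privilege-change", "AttachRolePolicy": "privilege-change",
                          "PutRolePolicy": "privilege-change", "CreateAccessKey": "privilege-change"},
}

def actor(record):
    """Best available name for who made the call: IAM user name, else the principal ARN, else the type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def flag_records(records):
    """Return (eventName, actor, category, outcome) for every watch-listed call.
    A record with errorCode is a failed attempt; it is still reported, since denied
    StopLogging or AttachRolePolicy calls are exactly the probing you want to see."""
    findings = []
    for r in records:
        category = WATCHLIST.get(r.get("eventSource"), {}).get(r.get("eventName"))
        if category is None:
            continue
        outcome = "denied" if "errorCode" in r else "succeeded"
        findings.append((r["eventName"], actor(r), category, outcome))
    return findings

if __name__ == "__main__":
    for finding in flag_records(SAMPLE_RECORDS["Records"]):
        print(finding)
```

In practice the same function runs over each gzipped log file delivered to the trail's S3 bucket, or as the filter behind a CloudWatch Logs metric alarm.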