CloudTrail

About

  • Provides governance, compliance and auditing for your AWS account.

  • CloudTrail is enabled by default.

  • It gives a history of events / API calls made within your AWS account by:

    • Console

    • SDK

    • CLI

    • AWS Services

  • Can put logs from CloudTrail into CloudWatch Logs or S3.

  • A Trail can be applied to All Regions (default) or single Region.

  • If events need to be kept for more than 90 days, they can be sent to CloudWatch Logs or an S3 bucket.

CloudTrail Events

Management Events

  • Management events record operations performed on the resources in your AWS account.

  • By default, trails are configured to log management events.

  • Can separate Read Events from Write Events.

Data Events

  • By default, data events are not logged because they are high-volume operations.

  • Examples are as follows:

    • AWS S3 object-level activity, for which Read and Write events can be separated.

    • AWS Lambda function execution activity.
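The separation into Management / Data events and Read / Write events above corresponds to fields in every CloudTrail record (`eventCategory`, `managementEvent`, `readOnly`). The following script is an added example, not code from the original notes: it builds a gzip-compressed JSON object of the shape CloudTrail delivers to S3 (a top-level `Records` array), reads it back, and tallies events by category and access type. The five records are constructed for illustration; only their field names are real CloudTrail field names.

```python
"""Parse a CloudTrail S3 delivery object and separate its events by category.

Added example (not from the original notes). CloudTrail stores logs in S3 as
gzip-compressed JSON with a top-level "Records" array; the record fields used
here (eventCategory, managementEvent, readOnly, eventSource, eventName) are
documented CloudTrail record fields. The sample records are constructed.
"""
from __future__ import annotations

import gzip
import json
from collections import Counter


def _record(event_time: str, source: str, name: str, read_only: bool, category: str) -> dict:
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": source,
        "eventName": name,
        "awsRegion": "us-east-1",
        "readOnly": read_only,
        "managementEvent": category == "Management",
        "eventCategory": category,
        "recipientAccountId": "111111111111",  # placeholder account id
    }


# Constructed sample: two management events (one read, one write) and three
# data events (an S3 read, an S3 write and a Lambda invocation).
SAMPLE_RECORDS = {
    "Records": [
        _record("2024-01-01T10:00:00Z", "iam.amazonaws.com", "CreateUser", False, "Management"),
        _record("2024-01-01T10:01:00Z", "iam.amazonaws.com", "ListUsers", True, "Management"),
        _record("2024-01-01T10:02:00Z", "s3.amazonaws.com", "GetObject", True, "Data"),
        _record("2024-01-01T10:03:00Z", "s3.amazonaws.com", "PutObject", False, "Data"),
        _record("2024-01-01T10:04:00Z", "lambda.amazonaws.com", "Invoke", False, "Data"),
    ]
}


def make_delivery_object(records: dict) -> bytes:
    """Compress a Records document the way CloudTrail stores it in S3 (gzip + JSON)."""
    return gzip.compress(json.dumps(records).encode("utf-8"))


def load_delivery_object(blob: bytes) -> list:
    """Decompress a delivered object and return its Records array."""
    return json.loads(gzip.decompress(blob).decode("utf-8"))["Records"]


def classify(record: dict) -> tuple:
    """Return (category, access): category from eventCategory (falling back to
    managementEvent for older record versions), access from the readOnly flag."""
    category = record.get("eventCategory") or ("Management" if record.get("managementEvent") else "Data")
    access = "read" if record.get("readOnly", False) else "write"
    return category, access


def summarize(records: list) -> Counter:
    """Count events per (category, access) pair, mirroring the trail's event selectors."""
    return Counter(classify(r) for r in records)


def write_events(records: list, category: str) -> list:
    """List 'eventSource:eventName' for every write event in the given category."""
    return [f"{r['eventSource']}:{r['eventName']}" for r in records if classify(r) == (category, "write")]


if __name__ == "__main__":
    delivered = load_delivery_object(make_delivery_object(SAMPLE_RECORDS))
    for (category, access), count in sorted(summarize(delivered).items()):
        print(f"{category:<10} {access:<5} {count}")
    print("Data-plane writes:", write_events(delivered, "Data"))
```

Run against real delivery objects, the same `classify` split is what lets you keep noisy read-only data events out of downstream alerting while still archiving them to S3.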

CloudTrail Insights Events

  • Enable CloudTrail Insights to detect unusual activity in your account, such as:

    • Inaccurate resource provisioning

    • Hitting service limits

    • Bursts of AWS IAM actions

  • CloudTrail Insights analyses normal management events to establish a baseline.

  • It then continuously analyses write events to detect unusual activity and patterns.

  • These anomalies can be viewed in the CloudTrail console, can be delivered to S3, and can be used to generate EventBridge events.
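To make the "baseline, then watch write events" idea concrete, here is an added example that is not from the original notes and is not CloudTrail Insights' own algorithm (which AWS does not publish here): it buckets write management events per hour, takes the mean and standard deviation of a baseline window, and flags later hours whose write volume exceeds mean + k standard deviations. The timeline of `(eventTime, readOnly)` pairs is constructed; in practice it would come from parsed CloudTrail records.

```python
"""Toy burst detector over CloudTrail write events (added example).

Not CloudTrail Insights' actual algorithm; it illustrates the concept: learn a
baseline of normal write-event volume, then flag hours that deviate sharply.
Input is a list of (eventTime, readOnly) pairs as found in CloudTrail records.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timezone
from statistics import mean, pstdev

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format


def _parse_time(event_time: str) -> datetime:
    return datetime.strptime(event_time, TIME_FMT).replace(tzinfo=timezone.utc)


def hourly_write_counts(events: list) -> Counter:
    """Count write events (readOnly == False) per UTC hour.

    Hours with no write activity are absent from the result; a production
    detector would fill them with zeros so quiet hours also shape the baseline.
    """
    counts: Counter = Counter()
    for event_time, read_only in events:
        if read_only:
            continue
        counts[_parse_time(event_time).replace(minute=0, second=0)] += 1
    return counts


def detect_bursts(events: list, baseline_end: str, k: float = 3.0) -> list:
    """Return [(hour_iso, count)] for hours at/after baseline_end whose write
    count exceeds mean + k * stdev of the hours before baseline_end."""
    cutoff = _parse_time(baseline_end)
    counts = hourly_write_counts(events)
    baseline = [c for hour, c in counts.items() if hour < cutoff]
    if not baseline:
        raise ValueError("no write events in the baseline window")
    threshold = mean(baseline) + k * pstdev(baseline)
    return [
        (hour.isoformat(), c)
        for hour, c in sorted(counts.items())
        if hour >= cutoff and c > threshold
    ]


def constructed_timeline() -> list:
    """Constructed sample: one quiet baseline day, then a burst of IAM-style writes."""
    events = []
    for hour in range(24):
        # 2, 3 or 4 writes per hour on the baseline day, plus one read that is ignored.
        for i in range(2 + hour % 3):
            events.append((f"2024-01-01T{hour:02d}:{i * 5:02d}:00Z", False))
        events.append((f"2024-01-01T{hour:02d}:30:00Z", True))
    # Next day: 40 write calls within a single hour, then normal activity again.
    for i in range(40):
        events.append((f"2024-01-02T10:{i:02d}:00Z", False))
    events.append(("2024-01-02T11:00:00Z", False))
    return events


if __name__ == "__main__":
    for hour, count in detect_bursts(constructed_timeline(), "2024-01-02T00:00:00Z"):
        print(f"burst: {count} write events in hour starting {hour}")
```

With the constructed data the baseline averages 3 writes per hour, so the 40-write hour is flagged while the following hour with a single write is not. The same shape of check (learn, then compare write volume) is what you would feed into EventBridge to trigger a response workflow.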

CloudTrail Events Retentions

  • Events are stored for 90 days in CloudTrail.

  • To keep events beyond this 90-day period, log them to S3 and use Athena (a serverless service for querying data in S3) for analysis.
