AWS CloudTrail

What is AWS CloudTrail?

Amazon Web Services (AWS) offers a service called CloudTrail, which lets you audit the activity in your AWS account for risk, governance, compliance, and operational purposes.

When users, services, or AWS itself make API calls against your account, CloudTrail records the details of each call, including the name of the entity that requested the action, the time the request was made, and more.

It captures API calls triggered by various entities, including:

  • Human users interacting with the AWS console
  • Applications executing AWS CLI commands
  • Other AWS services invoking REST API calls on AWS resources
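As an added example (not code from the original article), the following Python script parses a CloudTrail log file in the layout trails deliver to S3 (a JSON object with a "Records" array) and extracts exactly the details described above: the calling entity, the time of the request, the action, and whether the call is a write. The sample records are constructed; the account id, ARNs and IP addresses are made up, and the "channel" classification (console user, CLI application, AWS service) is a heuristic based on userIdentity and userAgent, not a CloudTrail field.

```python
import json
from datetime import datetime, timezone

# Constructed sample log file in the CloudTrail log-file layout (a JSON object
# with a "Records" array). Account id, ARNs and IP addresses are made up.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {   # a person clicking in the AWS console
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSER",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "accountId": "111122223333", "userName": "alice"},
        "eventTime": "2024-03-01T10:15:02Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userAgent": "console.ec2.amazonaws.com",
        "readOnly": True, "eventType": "AwsApiCall", "managementEvent": True,
    },
    {   # an application running the AWS CLI under an assumed role
        "eventVersion": "1.08",
        "userIdentity": {"type": "AssumedRole",
                         "principalId": "AROAEXAMPLEROLE:deploy-session",
                         "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/deploy-session",
                         "accountId": "111122223333",
                         "sessionContext": {"sessionIssuer": {
                             "type": "Role", "userName": "DeployRole",
                             "arn": "arn:aws:iam::111122223333:role/DeployRole"}}},
        "eventTime": "2024-03-01T10:16:40Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1 exe/x86_64",
        "readOnly": False, "eventType": "AwsApiCall", "managementEvent": True,
    },
    {   # another AWS service calling EC2 on the account's behalf
        "eventVersion": "1.08",
        "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"},
        "eventTime": "2024-03-01T10:20:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
        "awsRegion": "us-east-1", "sourceIPAddress": "autoscaling.amazonaws.com",
        "userAgent": "autoscaling.amazonaws.com",
        "readOnly": False, "eventType": "AwsApiCall", "managementEvent": True,
    },
]})


def caller_name(identity):
    """Return a readable name for the userIdentity block of a record."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity.get("userName", identity.get("arn", "unknown"))
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        role = issuer.get("userName", "unknown-role")
        # principalId is "<role id>:<session name>" for assumed-role sessions
        session = identity.get("principalId", "").split(":", 1)[-1]
        return f"{role}/{session}" if session else role
    if kind == "AWSService":
        return identity.get("invokedBy", "aws-service")
    if kind == "Root":
        return "root"
    return identity.get("arn", kind or "unknown")


def call_channel(identity, user_agent):
    """Heuristic (an assumption, not a CloudTrail field): which kind of caller
    produced the call, judged from the identity type and the userAgent string."""
    ua = (user_agent or "").lower()
    if identity.get("type") == "AWSService":
        return "service"
    if "console" in ua:
        return "console"
    if ua.startswith("aws-cli"):
        return "cli"
    if "sdk" in ua or "boto" in ua:
        return "sdk"
    return "other"


def parse_records(log_file_text):
    """Flatten each CloudTrail record into the fields an investigator asks for first."""
    out = []
    for r in json.loads(log_file_text)["Records"]:
        identity = r.get("userIdentity", {})
        out.append({
            "time": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "entity": caller_name(identity),
            "entity_type": identity.get("type"),
            "action": f'{r["eventSource"]}:{r["eventName"]}',
            "region": r.get("awsRegion"),
            "source_ip": r.get("sourceIPAddress"),
            "channel": call_channel(identity, r.get("userAgent")),
            "write": not r.get("readOnly", False),   # readOnly is false for mutating calls
            "error": r.get("errorCode"),             # present only when the call failed
        })
    return out


if __name__ == "__main__":
    for e in parse_records(SAMPLE_LOG_FILE):
        flag = "WRITE" if e["write"] else "read "
        print(f'{e["time"].isoformat()} {flag} {e["channel"]:8} {e["entity"]:28} {e["action"]}')
```

The same parser applies unchanged to a real log file pulled from the trail's S3 bucket, since only the sample records are constructed.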

The Significance of AWS CloudTrail

Amazon Web Services (AWS) CloudTrail plays a significant role in cloud computing by providing a robust solution for operational and risk auditing, compliance monitoring, and governance.

For individuals working in the DevSecOps landscape, CloudTrail serves as a valuable tool for investigating, searching, and analyzing logs.

It makes it possible to pinpoint particular actions, note their timestamps, identify the user or process responsible for them, and determine the affected resources.

This level of visibility proves instrumental in the following:

  • Post-security breach reviews
  • Proactive monitoring for vulnerabilities
  • Ensuring adherence to compliance standards

The Components of AWS CloudTrail

AWS CloudTrail’s architecture has several important components.

Event History

AWS CloudTrail provides a viewable, searchable, downloadable, and immutable record of the management events from the previous ninety days in an AWS Region. This event history is available automatically as soon as your AWS account is created.

CloudTrail Lake

AWS CloudTrail Lake is a managed storage repository that captures, stores, queries, and analyzes API and user activity on AWS for security and audit purposes. It gathers events into event data stores, where they can be retained indefinitely.

Trails

Trails record actions within AWS and store the resulting events in an Amazon S3 bucket, with the option to deliver them to Amazon CloudWatch Logs and Amazon EventBridge as well.

Trails are flexible: they can be set up for a single AWS account or, through AWS Organizations, for multiple accounts at once.

AWS Management Console

CloudTrail log data can be accessed for analysis, auditing, and security investigations through the AWS Management Console, the AWS Command Line Interface (CLI), or the AWS Software Development Kits (SDKs).

Common Use Cases

Here are the most common use cases of AWS CloudTrail:

Security Analysis

AWS CloudTrail lets users carry out security analysis proactively.

By feeding CloudTrail events into pattern-matching and analytics solutions, users can monitor and detect patterns in user behavior and gain deeper security insight.

Data Exfiltration

By recording object-level API events in AWS CloudTrail, users can actively monitor for and identify potential data exfiltration. This involves collecting activity data on S3 objects, which provides a robust defense against unauthorized data access.
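As an added example (not code from the original article), the script below runs over object-level S3 events and aggregates successful GetObject calls per principal and bucket, flagging the pairs that moved more data than expected, read more objects than expected, or downloaded from outside the corporate network. The records are constructed; field names follow the CloudTrail format for S3 data events (requestParameters.bucketName, additionalEventData.bytesTransferredOut), while the ARNs, bucket name, IP addresses, the corporate network range and the thresholds are assumptions to be tuned per environment.

```python
import ipaddress
from collections import defaultdict

# Assumption: the address range corporate clients are expected to use.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def _s3_event(principal_arn, ip, name, bucket, key, out_bytes, err=None):
    """Build one constructed S3 data-event record in CloudTrail's field layout."""
    rec = {"eventSource": "s3.amazonaws.com", "eventName": name,
           "userIdentity": {"type": "IAMUser", "arn": principal_arn},
           "sourceIPAddress": ip,
           "requestParameters": {"bucketName": bucket, "key": key},
           "additionalEventData": {"bytesTransferredIn": 0, "bytesTransferredOut": out_bytes}}
    if err:
        rec["errorCode"] = err
    return rec


ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
ANALYTICS = "arn:aws:iam::111122223333:role/AnalyticsRole"

# Constructed sample: alice reads two small files from the office network, bob
# pulls two large archives from an external address (a third read is denied),
# and an AWS service reads one object on behalf of a role.
SAMPLE_DATA_EVENTS = [
    _s3_event(ALICE, "10.0.4.12", "GetObject", "finance-reports", "q1/summary.pdf", 120_000),
    _s3_event(ALICE, "10.0.4.12", "GetObject", "finance-reports", "q1/detail.xlsx", 340_000),
    _s3_event(ALICE, "10.0.4.12", "PutObject", "finance-reports", "q1/notes.txt", 0),
    _s3_event(BOB, "203.0.113.45", "GetObject", "finance-reports", "archive/2019.zip", 900_000_000),
    _s3_event(BOB, "203.0.113.45", "GetObject", "finance-reports", "archive/2020.zip", 950_000_000),
    _s3_event(BOB, "203.0.113.45", "GetObject", "finance-reports", "archive/2021.zip", 0, err="AccessDenied"),
    _s3_event(ANALYTICS, "athena.amazonaws.com", "GetObject", "finance-reports", "q1/summary.pdf", 10_000),
]


def _off_network(ip, nets):
    """True when the source address is an IP outside every allowed network.
    Calls made by AWS services carry a service DNS name instead of an IP; those
    are not client downloads, so they are never treated as off-network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in n for n in nets)


def detect_bulk_downloads(records, byte_threshold=500_000_000, object_threshold=50,
                          corporate_nets=CORPORATE_NETWORKS):
    """Aggregate successful GetObject calls per (principal, bucket) and return the
    pairs whose volume, object count or source address looks like exfiltration."""
    totals = defaultdict(lambda: {"objects": 0, "bytes": 0, "ips": set()})
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") != "GetObject":
            continue
        if r.get("errorCode"):        # a denied request transfers no data
            continue
        identity = r.get("userIdentity", {})
        principal = identity.get("arn") or identity.get("principalId", "unknown")
        bucket = r.get("requestParameters", {}).get("bucketName", "?")
        t = totals[(principal, bucket)]
        t["objects"] += 1
        t["bytes"] += int(r.get("additionalEventData", {}).get("bytesTransferredOut", 0))
        t["ips"].add(r.get("sourceIPAddress", ""))

    findings = []
    for (principal, bucket), t in totals.items():
        reasons = []
        if t["bytes"] >= byte_threshold:
            reasons.append(f"{t['bytes'] / 1e6:.0f} MB read")
        if t["objects"] >= object_threshold:
            reasons.append(f"{t['objects']} objects read")
        offsite = sorted(ip for ip in t["ips"] if _off_network(ip, corporate_nets))
        if offsite:
            reasons.append("downloads from outside the corporate network: " + ", ".join(offsite))
        if reasons:
            findings.append({"principal": principal, "bucket": bucket, "reasons": reasons, **t})
    return findings


if __name__ == "__main__":
    for f in detect_bulk_downloads(SAMPLE_DATA_EVENTS):
        print(f'{f["principal"]} on s3://{f["bucket"]}: ' + "; ".join(f["reasons"]))
```

Only GetObject is counted because it is the call that moves object contents out; the denied request is skipped since CloudTrail still records it but no bytes left the bucket.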

Compliance Assurance

AWS CloudTrail streamlines the verification of compliance with internal policies and regulatory standards.

By preserving a detailed record of the activity in the AWS account, users can readily demonstrate their alignment with compliance requirements, as detailed in the AWS compliance whitepaper.

Operational Issue Resolution

AWS CloudTrail streamlines the process of troubleshooting operational issues.

Users can analyze the AWS API call history generated by CloudTrail, enabling quick identification of the most recent changes made to resources in the environment.

This includes tracking the creation, modification, and deletion of various AWS resources such as Amazon EC2 instances, Amazon VPC security groups, and Amazon EBS volumes.

Monitoring and Alerting

With CloudTrail and Amazon CloudWatch integrated, users can design custom alerts and notifications that are triggered by particular API actions or patterns.
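As an added example (not code from the original article) covering both the change-history use case above and alerting on particular API actions or patterns, the script below takes a batch of management events, keeps only the write events (readOnly false), builds a time-ordered timeline of the EC2 resources each one touched, and evaluates two constructed alert rules over the same events: a trail's logging being changed, and a security group rule opened to 0.0.0.0/0. The records are constructed, with made-up user names, ARNs and resource ids; the request and response field layouts follow CloudTrail's EC2 records, and the two rules are assumptions standing in for whatever an organization chooses to alert on.

```python
import re

# EC2-style resource identifiers found anywhere in request or response parameters.
RESOURCE_ID = re.compile(r"^(i|sg|vol|vpc|subnet|eni)-[0-9a-f]{8,17}$")


def rec(time, user, source, name, read_only, req=None, resp=None):
    """Build a constructed management-event record in CloudTrail's field layout."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "readOnly": read_only,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "requestParameters": req or {}, "responseElements": resp or {}}


SAMPLE_EVENTS = [
    rec("2024-03-01T09:00:00Z", "alice", "ec2.amazonaws.com", "DescribeInstances", True,
        req={"instancesSet": {"items": [{"instanceId": "i-0abc123def456789a"}]}}),
    rec("2024-03-01T09:05:00Z", "deploy", "ec2.amazonaws.com", "RunInstances", False,
        req={"instanceType": "t3.micro",
             "securityGroupIdSet": {"items": [{"groupId": "sg-0123456789abcdef0"}]}},
        resp={"instancesSet": {"items": [{"instanceId": "i-0abc123def456789a"}]}}),
    rec("2024-03-01T09:07:00Z", "bob", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", False,
        req={"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    rec("2024-03-01T09:30:00Z", "bob", "ec2.amazonaws.com", "DeleteVolume", False,
        req={"volumeId": "vol-0fedcba9876543210"}),
    rec("2024-03-01T09:31:00Z", "bob", "cloudtrail.amazonaws.com", "StopLogging", False,
        req={"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}),
]


def find_resource_ids(obj, found=None):
    """Walk a nested request/response structure and collect EC2-shaped resource ids."""
    found = set() if found is None else found
    if isinstance(obj, dict):
        for v in obj.values():
            find_resource_ids(v, found)
    elif isinstance(obj, list):
        for v in obj:
            find_resource_ids(v, found)
    elif isinstance(obj, str) and RESOURCE_ID.match(obj):
        found.add(obj)
    return found


def change_timeline(records, resource_id=None):
    """Write events in time order as (time, user, action, touched ids), optionally
    limited to the events that touched one resource id."""
    rows = []
    for r in records:
        if r.get("readOnly", False):      # reads change nothing; skip them
            continue
        ids = find_resource_ids(r.get("requestParameters")) | find_resource_ids(r.get("responseElements"))
        if resource_id and resource_id not in ids:
            continue
        rows.append((r["eventTime"], r["userIdentity"].get("userName", "?"), r["eventName"], sorted(ids)))
    return sorted(rows)


def _opens_to_world(r):
    """True when an ingress rule in the request allows 0.0.0.0/0."""
    perms = r.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(rng.get("cidrIp") == "0.0.0.0/0"
               for p in perms for rng in p.get("ipRanges", {}).get("items", []))


# Assumed alert rules: (rule name, predicate over one record).
ALERT_RULES = [
    ("cloudtrail-logging-changed",
     lambda r: r["eventSource"] == "cloudtrail.amazonaws.com"
     and r["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}),
    ("security-group-open-to-internet",
     lambda r: r["eventName"] == "AuthorizeSecurityGroupIngress" and _opens_to_world(r)),
]


def evaluate_alerts(records, rules=ALERT_RULES):
    """Return (time, rule, user, action) for every record that matches a rule."""
    return [(r["eventTime"], name, r["userIdentity"].get("userName", "?"), r["eventName"])
            for r in records for name, pred in rules if pred(r)]


if __name__ == "__main__":
    for row in change_timeline(SAMPLE_EVENTS):
        print("change", *row)
    for alert in evaluate_alerts(SAMPLE_EVENTS):
        print("ALERT ", *alert)
```

In production the same predicates would be expressed as CloudWatch Logs metric filters on the log group the trail delivers to, with an alarm on each metric; running them locally as shown is a way to test the rules against archived log files before deploying them.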

Best Practices

Here are some best practices to maximize the effectiveness of AWS CloudTrail:

  • AWS Organizations Integration: When managing a multi-account setup through AWS Organizations, creating a trail at the organization level ensures a comprehensive log of activities across all accounts.
  • Include All Regions: Including all regions in the trail safeguards against undetected resources and potential costs incurred in regions that might be overlooked.
  • Record Only “Write Events”: To reduce log size, focusing on “write events” provides essential information about resource creation, modification, and deletion events.
  • Avoid Excessive Logging: Creating multiple trails might increase storage costs and cause confusion. Opt for a single trail unless there’s a specific need for separation.
  • Be Mindful of CloudWatch Limits: When using CloudWatch, consider the 256 KB limit for event data to avoid missing critical alerts.
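As an added example (not code from the original article), the script below checks a set of trail descriptions against the best practices listed above: one trail rather than several, all regions included, organization-level coverage, and management events limited to write events. It also includes a check for the CloudWatch event-size limit named in the last bullet. The trail and event-selector data are constructed in the shape returned by the CloudTrail DescribeTrails and GetEventSelectors API calls (IsMultiRegionTrail, IsOrganizationTrail, ReadWriteType); the names, ARNs and bucket names are made up, and the uses_organizations flag is an assumption about the environment.

```python
import json

# Constructed trail descriptions in the shape of DescribeTrails' trailList.
TRAILS = [
    {"Name": "org-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
     "S3BucketName": "example-cloudtrail-logs", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "IsOrganizationTrail": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*"},
    {"Name": "legacy-trail",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail",
     "S3BucketName": "example-old-logs", "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": False, "IsOrganizationTrail": False},
]

# Constructed event selectors per trail, in the shape of GetEventSelectors' EventSelectors.
EVENT_SELECTORS = {
    "org-trail": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True, "DataResources": []}],
    "legacy-trail": [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}],
}


def audit_trails(trails, selectors_by_trail, uses_organizations=True):
    """Compare trails against the best practices above; returns (trail name, finding) pairs.
    uses_organizations is an assumption about whether the account sits in an AWS Organization."""
    findings = []
    if len(trails) > 1:
        findings.append(("*", f"{len(trails)} trails configured; prefer a single trail "
                              "unless there is a specific need for separation"))
    for t in trails:
        name = t["Name"]
        if not t.get("IsMultiRegionTrail"):
            findings.append((name, "not multi-region: activity in other regions goes unrecorded"))
        if uses_organizations and not t.get("IsOrganizationTrail"):
            findings.append((name, "not an organization trail: member accounts are not covered"))
        for sel in selectors_by_trail.get(name, []):
            if sel.get("IncludeManagementEvents", True) and sel.get("ReadWriteType") != "WriteOnly":
                findings.append((name, f"ReadWriteType is {sel.get('ReadWriteType')}: "
                                       "read events inflate log size"))
    return findings


CLOUDWATCH_EVENT_LIMIT = 256 * 1024   # bytes; the limit cited in the best practice above


def exceeds_cloudwatch_limit(record):
    """True when a serialised CloudTrail event is larger than the CloudWatch limit,
    meaning it would not reach an alert that depends on CloudWatch Logs."""
    return len(json.dumps(record, separators=(",", ":")).encode("utf-8")) > CLOUDWATCH_EVENT_LIMIT


if __name__ == "__main__":
    for trail, finding in audit_trails(TRAILS, EVENT_SELECTORS):
        print(f"[{trail}] {finding}")
    big = {"eventName": "DescribeInstances", "responseElements": {"blob": "x" * 300_000}}
    print("oversized event dropped by CloudWatch:", exceeds_cloudwatch_limit(big))
```

With real data the two inputs come from DescribeTrails and from one GetEventSelectors call per trail; the oversized-event check is worth running over archived log files to learn which event types in an account actually hit the limit.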