CloudTrail - devian-al/AWS-Solutions-Architect-Prep GitHub Wiki

  • Actions taken by a user, role, or an AWS service in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are recorded as events.
  • CloudTrail is enabled on your AWS account when you create it.

CloudTrail Simplified

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With it, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, API calls, and other AWS services. It is a regional service, but you can configure a single trail to collect events from all regions.

CloudTrail Key Details

  • CloudTrail logs API calls and account activity as events.
  • By default, CloudTrail keeps the last 90 days of events in its Event History.
  • This event history simplifies security analysis, resource change tracking, and troubleshooting.

  • Trails

    • Create a CloudTrail trail to archive, analyze, and respond to changes in your AWS resources.
    • Types
      • A trail that applies to all regions – CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that you specify.

        This is the default option when you create a trail in the CloudTrail console.

      • A trail that applies to one region – CloudTrail records the events in the region that you specify only.

        This is the default option when you create a trail using the AWS CLI or the CloudTrail API.

    • You can create an organization trail that will log all events for all AWS accounts in an organization created by AWS Organizations. Organization trails must be created in the management account.
    • By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption. You can also choose to encrypt your log files with an AWS Key Management Service key.
    • You can store your log files in your S3 bucket for as long as you want, and also define S3 lifecycle rules to archive or delete log files automatically.
    • If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications.
    • CloudTrail publishes log files about every five minutes.
  • Events

    • Management events
      • Management events provide information about management operations that are performed on resources in your AWS account.
      • Think of management events as things normally done by people working in AWS. Examples:
        • a user sign-in
        • a policy change
        • a newly created security configuration
        • a logging rule deletion
    • Data events
      • Data events provide information about the resource operations performed on or in a resource.
      • Think of data events as things normally done by software when calling various AWS endpoints. Examples:
        • S3 object-level API activity
        • Lambda function execution activity
    • Insights events
      • Not logged by default
      • Insights events capture unusual activity in your AWS account.
      • If you have Insights events enabled, CloudTrail detects unusual activity and logs this to S3.
      • Insights events provide relevant information, such as the associated API, incident time, and statistics, that help you understand and act on unusual activity.
      • Insights events are logged only when CloudTrail detects changes in your account’s API usage that differ significantly from the account’s typical usage patterns.
  • By default, CloudTrail logs management events, but not data events.
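The split between management and data events, and the kind of management events a reviewer wants surfaced (sign-in failures, policy changes, changes to the trail itself), can be shown on an actual log file. The following is an added example written for these notes, not code from the wiki or from AWS. It reads the documented delivery format (a JSON document whose `Records` array holds one event per entry with `eventSource`, `eventName`, `eventCategory` and `readOnly` fields); the records in `SAMPLE_LOG_FILE` are constructed, and the account id, user names and IP addresses in them are placeholders.

```python
"""Triage of a CloudTrail log file: separate management from data events and
flag the management actions a reviewer cares about.

Added example for these notes, not code from the wiki or from AWS.  The sample
records are constructed; account ids, names and IPs are placeholders.
"""
import json
from collections import Counter

SAMPLE_LOG_FILE = json.dumps({"Records": [
    {   # management event: a failed console sign-in
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:02:11Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "eventCategory": "Management", "managementEvent": True, "readOnly": False,
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Failure"},
    },
    {   # management event: the trail's own logging is switched off
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:05:40Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "eventCategory": "Management", "managementEvent": True, "readOnly": False,
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"name": "org-trail"},
    },
    {   # management event: a policy change
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:06:02Z",
        "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
        "eventCategory": "Management", "managementEvent": True, "readOnly": False,
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "bob",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
    {   # management event, read-only: routine describe call, no finding
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:07:15Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "eventCategory": "Management", "managementEvent": True, "readOnly": True,
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ops/ci"},
        "responseElements": None,
    },
    {   # data event: S3 object-level activity (only present if data events are enabled)
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:07:30Z",
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "eventCategory": "Data", "managementEvent": False, "readOnly": True,
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/app/web"},
        "requestParameters": {"bucketName": "example-data", "key": "reports/q4.csv"},
    },
]})

# CloudTrail API calls that change what the trail records; each weakens the audit log.
TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def classify(record):
    """Return 'management', 'data' or 'insight' from the record's own fields.
    Older record versions lack eventCategory, so fall back to managementEvent."""
    category = record.get("eventCategory")
    if category:
        return category.lower()
    return "management" if record.get("managementEvent", True) else "data"


def findings_for(record):
    """Yield (severity, reason) pairs for management actions worth a reviewer's attention."""
    source, name = record.get("eventSource"), record.get("eventName")
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_CHANGES:
        yield "high", f"audit trail changed by {name}"
    # responseElements is often null in real records, hence the "or {}".
    response = record.get("responseElements") or {}
    if name == "ConsoleLogin" and response.get("ConsoleLogin") == "Failure":
        yield "medium", "failed console sign-in"
    if source == "iam.amazonaws.com" and not record.get("readOnly", True):
        yield "medium", f"IAM change: {name}"


def triage(log_file_text):
    """Return (event counts by category, list of findings) for one log file."""
    records = json.loads(log_file_text)["Records"]
    counts = Counter(classify(r) for r in records)
    findings = []
    for r in records:
        who = r.get("userIdentity", {})
        actor = who.get("userName") or who.get("arn") or who.get("type")
        for severity, reason in findings_for(r):
            findings.append({"time": r["eventTime"], "severity": severity, "reason": reason,
                             "actor": actor, "sourceIP": r.get("sourceIPAddress")})
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG_FILE)
    print(dict(counts))
    for f in findings:
        print(f"{f['time']} {f['severity']:6} {f['actor']} from {f['sourceIP']}: {f['reason']}")
```

Run stand-alone, the script reports four management events and one data event, and produces three findings out of the five records; the read-only `DescribeInstances` call and the `GetObject` data event produce none. The same `triage` function can be pointed at a log file downloaded from the trail's S3 bucket, since it only depends on fields every delivered record carries.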

  • By default, CloudTrail log files are encrypted using Amazon S3 server-side encryption (SSE).

  • You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key.

  • As these logs are stored in S3, you can define Amazon S3 lifecycle rules to archive or delete log files automatically.

  • If you want notifications about log file delivery and validation, set up Amazon SNS notifications.

  • Monitoring

    • Use CloudWatch Logs to monitor log data. CloudTrail events that are sent to CloudWatch Logs can trigger alarms according to the metric filters you define.
    • To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.
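Log file integrity validation works from digest files that CloudTrail delivers alongside the logs: each digest lists the SHA-256 hash of every log file delivered in its window and the hash of the previous digest, so the digests form a chain. The code below is an added example written for these notes, not the wiki's or AWS's code. It mirrors that layout (a `logFiles` list with per-file `hashValue` entries and a `previousDigestHashValue` link) but checks only the hashes; it does not verify the RSA signature that CloudTrail places on each digest, so on its own it would not detect a forged digest, only a log file or digest altered after delivery. The S3 bucket is simulated as an in-memory dict of object key to bytes, objects are stored uncompressed, and the account id and object keys are placeholders.

```python
"""Hash-chain part of CloudTrail log file integrity validation.

Added example for these notes, not the wiki's or AWS's code.  Checks the
per-file SHA-256 hashes in a digest and the link to the previous digest; the
digest signature check is deliberately left out.  Bucket contents are
constructed in memory; keys and the account id are placeholders.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_digest(log_keys, bucket, previous_digest_key=None):
    """Build a digest document the way CloudTrail does: hash each delivered log
    object and the previous digest.  Constructed here only to set up the example."""
    digest = {
        "awsAccountId": "111122223333",          # placeholder
        "digestS3Bucket": "example-trail-bucket",
        "logFiles": [
            {"s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(bucket[key])}
            for key in log_keys
        ],
        "previousDigestS3Object": previous_digest_key,
        "previousDigestHashValue": (sha256_hex(bucket[previous_digest_key])
                                    if previous_digest_key else None),
    }
    return json.dumps(digest, sort_keys=True).encode()


def validate_digest(digest_key, bucket):
    """Check every log object the digest covers and the link to the previous digest.

    Returns {object_key: 'valid' | 'modified' | 'missing'} plus a 'previousDigest'
    entry that is 'valid', 'modified', 'missing' or 'none' (first digest in a chain)."""
    digest = json.loads(bucket[digest_key])
    result = {}
    for entry in digest["logFiles"]:
        data = bucket.get(entry["s3Object"])
        if data is None:
            result[entry["s3Object"]] = "missing"          # deleted after delivery
        elif sha256_hex(data) == entry["hashValue"]:
            result[entry["s3Object"]] = "valid"
        else:
            result[entry["s3Object"]] = "modified"         # edited after delivery
    prev_key = digest["previousDigestS3Object"]
    if prev_key is None:
        result["previousDigest"] = "none"
    elif prev_key not in bucket:
        result["previousDigest"] = "missing"
    elif sha256_hex(bucket[prev_key]) == digest["previousDigestHashValue"]:
        result["previousDigest"] = "valid"
    else:
        result["previousDigest"] = "modified"
    return result


def demo():
    """Constructed scenario: two delivered log files and two chained digests, then one
    log file is altered after delivery.  Returns (bucket, result for the latest digest)."""
    bucket = {
        "trail/log-a.json.gz": b'{"Records":[{"eventName":"StartLogging"}]}',
        "trail/log-b.json.gz": b'{"Records":[{"eventName":"CreateUser"}]}',
    }
    log_keys = list(bucket)
    bucket["trail/digest-1.json.gz"] = make_digest(log_keys[:1], bucket)
    bucket["trail/digest-2.json.gz"] = make_digest(log_keys[1:], bucket,
                                                   previous_digest_key="trail/digest-1.json.gz")
    # Post-delivery tampering: the CreateUser event is removed from the second file.
    bucket["trail/log-b.json.gz"] = b'{"Records":[]}'
    return bucket, validate_digest("trail/digest-2.json.gz", bucket)


if __name__ == "__main__":
    _, result = demo()
    for key, status in result.items():
        print(f"{status:9} {key}")
```

In the scenario the altered `log-b` is reported as `modified` while the digest chain back to `digest-1` is still `valid`; removing or editing a digest in the bucket breaks the chain for every later digest, which is what makes the digests useful against deletion as well as edits. Because the chain only proves what the digests say, the signature check this example omits is what stops someone from rewriting both a log file and its digest together.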