What Is AWS CloudTrail?
Learn about CloudTrail features and benefits.
What Is AWS CloudTrail?
What Is AWS CloudTrail?
AWS CloudTrail is a service that tracks activity within an organization's AWS environment, including actions performed by users, IAM (identity and access management) roles, and actions performed on and in AWS services. Accordingly, CloudTrail records this activity as events. Collectively, CloudTrail events include actions performed using AWS Management Console, APIs, AWS Command Line Interface, and AWS SDKs. Actions performed using CloudTrail are also tracked.
CloudTrail events are of two types:
Management events: These contain information about management operations, also referred to as control plane operations. Such events include setting up logging or a user login activity.
Data events: These contain information about operations performed on or in a service, also referred to as data plane operations. Such events include Amazon S3 bucket-level activity or Amazon API Gateway activity.
CloudTrail is activated upon creating an AWS account, and it logs events whenever actions are performed in the AWS account. The CloudTrail console provides event history of the past 90 days, and this history is searchable and downloadable with custom filters. However, event history beyond the past 90 days cannot be viewed or deleted from the CloudTrail console.
Although CloudTrail logs most of the activity, some AWS services allow logging only a subset of the activity, while a few services don’t allow logging API calls and activity at all.
What Is a CloudTrail Trail?
A CloudTrail trail is a configuration that allows performing various workflows on CloudTrail events. A trail is configurable to collect only specific events or exclude certain events and only delivers events matching its configuration. A trail logs management events and requires additional configuration to also include data events.
As the CloudTrail console provides the event history of the past 90 days, a trail can be created to deliver event logs to an S3 bucket. When required, the log data in the S3 buckets can be searched or processed using SQL statements in Amazon Athena.
Similarly, a trail can be created to deliver log data to CloudWatch Logs to monitor and subsequently trigger alarms when a specific event type or activity is identified in the log data.
In general, a trail can be created for all the AWS regions or only for one AWS region. Accordingly, if the trail applies to all regions, then it collects events from all the regions. This also includes any new regions available after creating the trail. If the trail applies to only one region, it collects events from only that region.
What Is CloudTrail Insights?
CloudTrail Insights is a CloudTrail feature for identifying unusual activity in write API calls. First, it creates a baseline for acceptable activity by analyzing CloudTrail management events and then creates Insights events when abnormal activity is identified. This process is also the reason CloudTrail Insights can take up to 36 hours to report unusual activity after it’s activated.
Unlike CloudTrail events, an Insights event is only created after detecting unusual activity. Examples of such activity include a burst in EC2 instance termination or an increased user and role creation in IAM. An Insights event provides information about when the event started, related API activity, and relevant statistics to help you understand the incident and take action.
CloudTrail Benefits
When an organization deploys more and more workloads, it can become cumbersome to gain visibility into user and resource activity. By using CloudTrail, an organization can attain the following benefits:
Visibility: CloudTrail provides comprehensive visibility into all the activities of end users, such as which user attempted a change, what was their role, the IP address from which the change was initiated, and the resource changed. It also gives complete visibility into both successful and failed API calls to help determine internal policy violations.
Compliance: CloudTrail automatically records and stores activity of an organization’s AWS environment, simplifying auditing for various compliances such as HIPAA and PCI DSS. Additionally, integration with CloudWatch Logs helps you search log data, identify events violating compliance, and take measures to prevent unacceptable activity.
Security: CloudTrail event logs stored in S3 buckets can be ingested into SIEM and log analysis tools for security analysis. Events can be analyzed to detect data exfiltration in S3 buckets and trigger automated responses through CloudWatch Events or AWS Lambda.
Troubleshooting: When operational issues occur, CloudTrail events generated for the most recent changes to services or instances can be first analyzed to understand quickly if a recent modification caused the issues. After this preliminary step, a more detailed event analysis can be conducted for identifying causes of operation problems.
CloudTrail vs. CloudWatch
While CloudTrail tracks activity for auditing, analysis, and troubleshooting, CloudWatch monitors AWS resources and applications in real time to provide insights into performance, utilization, and operational health, allowing administrators to optimize resources for efficiency and cost-savings.
As the size and number of AWS deployments of an organization increase, it becomes increasingly difficult, and at the same time necessary, to gain operational visibility. CloudTrail alleviates this problem by ensuring the organization’s AWS environment is managed as per internal policies and unusual activity is flagged early on.
What Is AWS CloudTrail?
What Is AWS CloudTrail?
AWS CloudTrail is a service that tracks activity within an organization's AWS environment, including actions performed by users, IAM (identity and access management) roles, and actions performed on and in AWS services. Accordingly, CloudTrail records this activity as events. Collectively, CloudTrail events include actions performed using AWS Management Console, APIs, AWS Command Line Interface, and AWS SDKs. Actions performed using CloudTrail are also tracked.
CloudTrail events are of two types:
Management events: These contain information about management operations, also referred to as control plane operations. Such events include setting up logging or a user login activity.
Data events: These contain information about operations performed on or in a service, also referred to as data plane operations. Such events include Amazon S3 bucket-level activity or Amazon API Gateway activity.
CloudTrail is activated upon creating an AWS account, and it logs events whenever actions are performed in the AWS account. The CloudTrail console provides event history of the past 90 days, and this history is searchable and downloadable with custom filters. However, event history beyond the past 90 days cannot be viewed or deleted from the CloudTrail console.
Although CloudTrail logs most of the activity, some AWS services allow logging only a subset of the activity, while a few services don’t allow logging API calls and activity at all.
What Is a CloudTrail Trail?
A CloudTrail trail is a configuration that allows performing various workflows on CloudTrail events. A trail is configurable to collect only specific events or exclude certain events and only delivers events matching its configuration. A trail logs management events and requires additional configuration to also include data events.
As the CloudTrail console provides the event history of the past 90 days, a trail can be created to deliver event logs to an S3 bucket. When required, the log data in the S3 buckets can be searched or processed using SQL statements in Amazon Athena.
Similarly, a trail can be created to deliver log data to CloudWatch Logs to monitor and subsequently trigger alarms when a specific event type or activity is identified in the log data.
In general, a trail can be created for all the AWS regions or only for one AWS region. Accordingly, if the trail applies to all regions, then it collects events from all the regions. This also includes any new regions available after creating the trail. If the trail applies to only one region, it collects events from only that region.
What Is CloudTrail Insights?
CloudTrail Insights is a CloudTrail feature for identifying unusual activity in write API calls. First, it creates a baseline for acceptable activity by analyzing CloudTrail management events and then creates Insights events when abnormal activity is identified. This process is also the reason CloudTrail Insights can take up to 36 hours to report unusual activity after it’s activated.
Unlike CloudTrail events, an Insights event is only created after detecting unusual activity. Examples of such activity include a burst in EC2 instance termination or an increased user and role creation in IAM. An Insights event provides information about when the event started, related API activity, and relevant statistics to help you understand the incident and take action.
CloudTrail Benefits
When an organization deploys more and more workloads, it can become cumbersome to gain visibility into user and resource activity. By using CloudTrail, an organization can attain the following benefits:
Visibility: CloudTrail provides comprehensive visibility into all the activities of end users, such as which user attempted a change, what was their role, the IP address from which the change was initiated, and the resource changed. It also gives complete visibility into both successful and failed API calls to help determine internal policy violations.
Compliance: CloudTrail automatically records and stores activity of an organization’s AWS environment, simplifying auditing for various compliances such as HIPAA and PCI DSS. Additionally, integration with CloudWatch Logs helps you search log data, identify events violating compliance, and take measures to prevent unacceptable activity.
Security: CloudTrail event logs stored in S3 buckets can be ingested into SIEM and log analysis tools for security analysis. Events can be analyzed to detect data exfiltration in S3 buckets and trigger automated responses through CloudWatch Events or AWS Lambda.
Troubleshooting: When operational issues occur, CloudTrail events generated for the most recent changes to services or instances can be first analyzed to understand quickly if a recent modification caused the issues. After this preliminary step, a more detailed event analysis can be conducted for identifying causes of operation problems.
CloudTrail vs. CloudWatch
While CloudTrail tracks activity for auditing, analysis, and troubleshooting, CloudWatch monitors AWS resources and applications in real time to provide insights into performance, utilization, and operational health, allowing administrators to optimize resources for efficiency and cost-savings.
As the size and number of AWS deployments of an organization increase, it becomes increasingly difficult, and at the same time necessary, to gain operational visibility. CloudTrail alleviates this problem by ensuring the organization’s AWS environment is managed as per internal policies and unusual activity is flagged early on.
Unify and extend visibility across the entire SaaS technology stack supporting your modern and custom web applications.