CloudTrail

AWS CloudTrail — A service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.

---

Overview

CloudTrail logs all API calls made in your AWS account, recording who made the call, when it was made, and what parameters were used.

Key Insight: CloudTrail is the “audit log” of AWS — every action taken in your account (through console, CLI, SDK, or API) is recorded, creating an immutable trail of activity.

---

Core CloudTrail Concepts

Concept	Description	Key Point
Trail	Configuration that enables logging	Delivers logs to S3
Event	Record of an API call	Contains who, when, what, where
Management Events	Control plane operations	Create, configure, delete resources
Data Events	Data plane operations	Read/write to S3 objects, DynamoDB
Insights	Anomalous activity detection	Additional cost

---

How CloudTrail Works

flowchart TD
    subgraph Activity["AWS Account Activity"]
        Console["Console"]
        CLI["CLI"]
        SDK["SDK"]
        API["Direct API"]
    end

    CT["CloudTrail Service<br/>Capture API calls -> Build event logs -> Encrypt (optional)"]

    Console --> CT
    CLI --> CT
    SDK --> CT
    API --> CT

    CT --> S3["S3 Log Bucket<br/>(long-term storage)"]
    CT --> CWL["CloudWatch Logs<br/>(monitoring and alerting)"]
    CT --> Lake["CloudTrail Lake<br/>(query and analytics)"]

---

Event Types

Management Events

Operations that manage AWS resources.

Category	Examples
IAM	CreateUser, AttachRolePolicy
EC2	RunInstances, TerminateInstances, CreateSecurityGroup
S3	CreateBucket, DeleteBucket, PutBucketPolicy
RDS	CreateDBInstance, ModifyDBInstance
Lambda	CreateFunction, UpdateFunctionCode

Attribute	Value
Default	Enabled for all trails
Cost	First copy free
S3 Log Type	AWSLogs/AccountID/CloudTrail/Region/Year/Month/

Data Events

Operations that read or write data in S3 or DynamoDB.

Service	Operations
S3	GetObject, PutObject, DeleteObject
DynamoDB	GetItem, PutItem, Query, Scan, UpdateItem, DeleteItem

Attribute	Value
Default	Not enabled (must configure)
Cost	$0.10 per 100,000 events
Volume	Can be very high

Warning: Data events can significantly increase costs, especially for S3 with frequent read operations.

---

CloudTrail Features

Feature	Description
Log File Integrity	Validate logs haven’t been tampered with
Encryption	Encrypt logs with SSE-KMS
Multi-Region	Single trail for all regions
Multi-Account	Aggregate logs from multiple accounts
CloudTrail Lake	SQL queries on event data (additional cost)
Insights	Detect unusual API activity (additional cost)
Event Data Store	Immutable event storage for analysis

---

Event Structure

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAI...",
    "arn": "arn:aws:iam::123456789012:user/alice",
    "accountId": "123456789012",
    "userName": "alice"
  },
  "eventTime": "2024-01-31T12:34:56Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "72.21.198.64",
  "userAgent": "console.ec2.amazonaws.com",
  "requestParameters": {
    "imageId": "ami-0c55b159cbfafe1f0",
    "instanceType": "t2.micro"
  },
  "responseElements": {
    "instancesSet": {
      "items": [{"instanceId": "i-0123456789abcdef0"}]
    }
  },
  "requestID": "example-id",
  "eventID": "example-event-id"
}

---

Use Cases

Use Case	Description
Security Analysis	Detect unauthorized access, unusual patterns
Compliance Auditing	Prove who did what for PCI DSS, HIPAA, SOC 2
Operational Troubleshooting	Debug issues by seeing exact API calls
Change Management	Track all configuration changes
Forensics	Investigate security incidents

---

Pricing

Component	Price	Free Tier
Management Events (first copy)	Free	Included
Management Events (additional copies)	$2.00 per 100,000 events	No
Data Events	$0.10 per 100,000 events	No
CloudTrail Lake	$1.00 per GB ingested	No
Event Insights	Additional cost	No

⚠️ Pricing Disclaimer: AWS pricing is subject to change. Always verify current pricing at the official CloudTrail pricing page.

---

CloudTrail vs Config

Aspect	CloudTrail	AWS Config
What it Logs	API calls (actions)	Resource state (configuration)
Question Answered	Who did what when?	What is configured?
Data Format	Event logs	Configuration items
Querying	CloudTrail Lake (SQL) or log analysis	Advanced queries (SQL-like)
Use Together	✓ See action → See resulting state change

---

TL;DR

• CloudTrail = Logs all AWS API calls (who did what when)
• Trail = Configuration that delivers logs to S3
• Management Events = Control plane operations (create, delete, configure)
• Data Events = Data plane operations (S3 GET/PUT, DynamoDB read/write)
• Pricing = Management events free (first copy); Data events $0.10/100K events
• Use Cases = Security analysis, compliance, troubleshooting, forensics
• Complementary to Config (CloudTrail = actions; Config = state)

---

Resources

AWS CloudTrail Documentation Complete CloudTrail user guide.

CloudTrail Event History View recent events in the AWS Console.

CloudTrail Pricing Detailed pricing breakdown.