AWS CloudTrail — A service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
Overview
CloudTrail logs all API calls made in your AWS account, recording who made the call, when it was made, and what parameters were used.
Key Insight: CloudTrail is the “audit log” of AWS — every action taken in your account (through console, CLI, SDK, or API) is recorded, creating an immutable trail of activity.
Core CloudTrail Concepts
| Concept | Description | Key Point |
|---|---|---|
| Trail | Configuration that enables logging | Delivers logs to S3 |
| Event | Record of an API call | Contains who, when, what, where |
| Management Events | Control plane operations | Create, configure, delete resources |
| Data Events | Data plane operations | Read/write to S3 objects, DynamoDB |
| Insights | Anomalous activity detection | Additional cost |
How CloudTrail Works
```mermaid
flowchart TD
    subgraph Activity["AWS Account Activity"]
        Console["Console"]
        CLI["CLI"]
        SDK["SDK"]
        API["Direct API"]
    end
    CT["CloudTrail Service<br/>Capture API calls -> Build event logs -> Encrypt (optional)"]
    Console --> CT
    CLI --> CT
    SDK --> CT
    API --> CT
    CT --> S3["S3 Log Bucket<br/>(long-term storage)"]
    CT --> CWL["CloudWatch Logs<br/>(monitoring and alerting)"]
    CT --> Lake["CloudTrail Lake<br/>(query and analytics)"]
```
Event Types
Management Events
Operations that manage AWS resources.
| Category | Examples |
|---|---|
| IAM | CreateUser, AttachRolePolicy |
| EC2 | RunInstances, TerminateInstances, CreateSecurityGroup |
| S3 | CreateBucket, DeleteBucket, PutBucketPolicy |
| RDS | CreateDBInstance, ModifyDBInstance |
| Lambda | CreateFunction, UpdateFunctionCode |

| Attribute | Value |
|---|---|
| Default | Enabled for all trails |
| Cost | First copy free |
| S3 Log Path (key prefix) | AWSLogs/AccountID/CloudTrail/Region/Year/Month/ |
Data Events
Operations that read or write data in S3 or DynamoDB.
| Service | Operations |
|---|---|
| S3 | GetObject, PutObject, DeleteObject |
| DynamoDB | GetItem, PutItem, Query, Scan, UpdateItem, DeleteItem |

| Attribute | Value |
|---|---|
| Default | Not enabled (must configure) |
| Cost | $0.10 per 100,000 events |
| Volume | Can be very high |
Warning: Data events can significantly increase costs, especially for S3 with frequent read operations.
CloudTrail Features
| Feature | Description |
|---|---|
| Log File Integrity | Validate logs haven’t been tampered with |
| Encryption | Encrypt logs with SSE-KMS |
| Multi-Region | Single trail for all regions |
| Multi-Account | Aggregate logs from multiple accounts |
| CloudTrail Lake | SQL queries on event data (additional cost) |
| Insights | Detect unusual API activity (additional cost) |
| Event Data Store | Immutable event storage for analysis |
Event Structure
```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAI...",
    "arn": "arn:aws:iam::123456789012:user/alice",
    "accountId": "123456789012",
    "userName": "alice"
  },
  "eventTime": "2024-01-31T12:34:56Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "72.21.198.64",
  "userAgent": "console.ec2.amazonaws.com",
  "requestParameters": {
    "imageId": "ami-0c55b159cbfafe1f0",
    "instanceType": "t2.micro"
  },
  "responseElements": {
    "instancesSet": {
      "items": [{"instanceId": "i-0123456789abcdef0"}]
    }
  },
  "requestID": "example-id",
  "eventID": "example-event-id"
}
```
Use Cases
| Use Case | Description |
|---|---|
| Security Analysis | Detect unauthorized access, unusual patterns |
| Compliance Auditing | Prove who did what for PCI DSS, HIPAA, SOC 2 |
| Operational Troubleshooting | Debug issues by seeing exact API calls |
| Change Management | Track all configuration changes |
| Forensics | Investigate security incidents |
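The event structure above is what a trail delivers to S3, one gzipped JSON file at a time with the events wrapped in a top-level `Records` list. As an added example (not code from the page or from AWS), the following Python reads such a file offline and applies three defender-side rules that cover the Security Analysis and Forensics use cases in the table: root account activity, management events that change the audit trail or IAM privileges, and calls that failed with an `errorCode`. The first record is the page's own sample event; the other two records, the `SENSITIVE_EVENTS` list and the `org-trail` / `app-role` names are constructed for the example and are not drawn from the page.

```python
import gzip
import json
from typing import Iterator

# Constructed sample of a CloudTrail log file as delivered to S3: a gzipped JSON
# document with a top-level "Records" list. Record 1 is the event shown on this
# page; records 2 and 3 are constructed to exercise the detection rules.
SAMPLE_RECORDS = {
    "Records": [
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "principalId": "AIDAI...",
                             "arn": "arn:aws:iam::123456789012:user/alice",
                             "accountId": "123456789012", "userName": "alice"},
            "eventTime": "2024-01-31T12:34:56Z", "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances", "awsRegion": "us-east-1",
            "sourceIPAddress": "72.21.198.64", "userAgent": "console.ec2.amazonaws.com",
            "requestParameters": {"imageId": "ami-0c55b159cbfafe1f0", "instanceType": "t2.micro"},
            "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
            "requestID": "example-id", "eventID": "example-event-id",
        },
        {   # constructed: an IAM user switching the trail off via the CLI
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob",
                             "accountId": "123456789012", "userName": "bob"},
            "eventTime": "2024-01-31T12:40:00Z", "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging", "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
            "requestParameters": {"name": "org-trail"}, "responseElements": None,
            "requestID": "constructed-req-2", "eventID": "constructed-evt-2",
        },
        {   # constructed: the root user attaching an admin policy to a role
            "eventVersion": "1.08",
            "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                             "accountId": "123456789012"},
            "eventTime": "2024-01-31T12:45:00Z", "eventSource": "iam.amazonaws.com",
            "eventName": "AttachRolePolicy", "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
            "requestParameters": {"roleName": "app-role",
                                  "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
            "responseElements": None,
            "requestID": "constructed-req-3", "eventID": "constructed-evt-3",
        },
    ]
}

# Management events a defender wants to see promptly: changes to the audit
# trail itself and IAM privilege changes. This list is a starting point, not a
# complete rule set.
SENSITIVE_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "iam.amazonaws.com": {"CreateUser", "AttachRolePolicy", "AttachUserPolicy",
                          "PutRolePolicy", "CreateAccessKey"},
    "s3.amazonaws.com": {"PutBucketPolicy", "DeleteBucket"},
}


def read_log_file(blob: bytes) -> Iterator[dict]:
    """Yield the individual events from a gzipped CloudTrail log file."""
    doc = json.loads(gzip.decompress(blob))
    yield from doc.get("Records", [])


def summarise(event: dict) -> dict:
    """Reduce an event to the who / when / what / where fields an analyst reads first."""
    ident = event.get("userIdentity", {})
    return {
        "who": ident.get("arn", ident.get("type", "unknown")),
        "when": event["eventTime"],
        "what": f'{event["eventSource"].split(".")[0]}:{event["eventName"]}',
        "where": event.get("sourceIPAddress"),
        "region": event["awsRegion"],
    }


def find_alerts(events) -> list:
    """Apply the three rules to a stream of events; return the matches with reasons."""
    alerts = []
    for ev in events:
        reasons = []
        if ev.get("userIdentity", {}).get("type") == "Root":
            reasons.append("root account activity")
        if ev["eventName"] in SENSITIVE_EVENTS.get(ev["eventSource"], set()):
            reasons.append("sensitive management event")
        if "errorCode" in ev:  # e.g. AccessDenied: failed attempts are evidence too
            reasons.append(f"failed call: {ev['errorCode']}")
        if reasons:
            alerts.append({**summarise(ev), "reasons": reasons, "eventID": ev["eventID"]})
    return alerts


def build_sample_log_file() -> bytes:
    """Produce the gzipped bytes a trail would write to S3 for SAMPLE_RECORDS."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode())


if __name__ == "__main__":
    for alert in find_alerts(read_log_file(build_sample_log_file())):
        print(alert)
```

Running the script flags the `StopLogging` call and the root `AttachRolePolicy` call and leaves the ordinary `RunInstances` event alone; the same `find_alerts` function can be pointed at real log files downloaded from the trail's S3 prefix, since `read_log_file` handles the gzipped `Records` format directly.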
Pricing
| Component | Price | Free Tier |
|---|---|---|
| Management Events (first copy) | Free | Included |
| Management Events (additional copies) | $2.00 per 100,000 events | No |
| Data Events | $0.10 per 100,000 events | No |
| CloudTrail Lake | $1.00 per GB ingested | No |
| Event Insights | Additional cost | No |
⚠️ Pricing Disclaimer: AWS pricing is subject to change. Always verify current pricing at the official CloudTrail pricing page.
CloudTrail vs Config
| Aspect | CloudTrail | AWS Config |
|---|---|---|
| What it Logs | API calls (actions) | Resource state (configuration) |
| Question Answered | Who did what when? | What is configured? |
| Data Format | Event logs | Configuration items |
| Querying | CloudTrail Lake (SQL) or log analysis | Advanced queries (SQL-like) |
| Use Together | ✓ See the action (who made the call) | ✓ See the resulting state change |
TL;DR
- CloudTrail = Logs all AWS API calls (who did what when)
- Trail = Configuration that delivers logs to S3
- Management Events = Control plane operations (create, delete, configure)
- Data Events = Data plane operations (S3 GET/PUT, DynamoDB read/write)
- Pricing = Management events free (first copy); Data events $0.10/100K events
- Use Cases = Security analysis, compliance, troubleshooting, forensics
- Complementary to Config (CloudTrail = actions; Config = state)
Resources
- AWS CloudTrail Documentation: complete CloudTrail user guide.
- CloudTrail Event History: view recent events in the AWS Console.
- CloudTrail Pricing: detailed pricing breakdown.