AWS CloudTrail Study Guide

Mastering Governance, Compliance, and Operational Auditing

1. Overview

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It records AWS API calls (whether made from the console, the CLI, an SDK, or by another AWS service on your behalf) as events and delivers them as log files to an S3 bucket and, optionally, to CloudWatch Logs. Essentially, it answers “Who did what, where, and when.”

The “CCTV” Analogy

Think of AWS CloudTrail as a 24/7 security camera system installed in a high-security building (your AWS Account). While IAM controls who has a key (Authorization), CloudTrail records every movement made by anyone who enters. If a vase goes missing (a resource is deleted), you check the CloudTrail “footage” to see exactly which person took it and at what time.

2. Core Concepts & Well-Architected Framework

CloudTrail aligns primarily with the Security Pillar and Operational Excellence Pillar of the AWS Well-Architected Framework.

  • Auditability (Security): You must be able to trace actions to a specific user or role. CloudTrail provides the “Traceability” required for compliance standards like PCI-DSS, HIPAA, and SOC.
  • Governance (Operations): By analyzing CloudTrail logs, organizations can ensure that resource changes align with internal policies.

Types of Events

  1. Management Events: Control-plane operations performed on resources (e.g., launching an EC2 instance, attaching an IAM policy, creating a trail). These are logged by default: the last 90 days are viewable in Event history without a trail, and a trail delivers them to S3 for as long as you keep them.
  2. Data Events: Data-plane, resource-level operations (e.g., S3 object-level activity like GetObject/PutObject, Lambda Invoke calls). These are NOT logged by default because of their volume and cost; you opt in per trail with event selectors.
  3. CloudTrail Insights: An optional, separately billed feature that baselines the normal rate of write management API calls and their error rates and flags deviations (e.g., a sudden spike in TerminateInstances calls, or a burst of AccessDenied errors from one principal).

3. Comparison Table: CloudTrail vs. Related Services

Feature      | AWS CloudTrail                                              | AWS Config                                                                   | Amazon CloudWatch
Focus        | API call history (who did what, when, from where)           | Resource configuration state and how it changed over time                    | Metrics, logs and alarms for performance and applications
Primary use  | Auditing and compliance                                     | Compliance and change tracking                                               | Monitoring and troubleshooting
Retention    | 90 days in Event history; indefinite once a trail delivers to S3 | Configuration history kept for a configurable period (default 7 years); indefinite once delivered to S3 | Configurable per log group (default: never expire)
Granularity  | Account-wide API events                                     | Per-resource configuration items (snapshots and diffs)                       | Metrics, log events and alarms

4. Scenario-Based Learning (Decision Matrix)

Decision Matrix: If/Then

  • If you need to find out which IAM user deleted an EBS volume… Then use CloudTrail Management Events.
  • If you need to see the history of changes to a Security Group’s rules over time… Then use AWS Config.
  • If you need to trigger a Lambda function whenever a specific API call is made… Then use an EventBridge rule that matches the “AWS API Call via CloudTrail” event (EventBridge receives the management events CloudTrail records).
  • If you need to monitor S3 bucket access for sensitive data… Then enable CloudTrail Data Events for that bucket, scoped with an event selector to the bucket (or prefix) so you do not pay for every object read in the account.
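The first and last rows of the matrix above, and the “Who did what, where, and when” promise in the overview, come down to reading the userIdentity, eventName, awsRegion, sourceIPAddress and eventTime fields of each record and resolving the caller correctly. The example below is added here (it is not code from the original page or from AWS); it parses a constructed log file in the shape CloudTrail writes to S3, answers “which principal deleted this EBS volume, from where, and when”, and splits the records into management and data events. The account ID, ARNs, volume ID and IP addresses are made up; the field names follow the CloudTrail record format.

```python
import json
from collections import Counter

# Constructed sample log file in the on-disk shape CloudTrail delivers to S3
# ({"Records": [...]}), trimmed to the fields this example reads. The field
# names follow the CloudTrail record format; account IDs, ARNs, volume ID and
# IP addresses are made up.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:02:13Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVolumes", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "readOnly": True,
     "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"volumeSet": {"items": [{"volumeId": "vol-0abc123"}]}}},
    {"eventTime": "2024-03-01T10:05:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVolume", "awsRegion": "eu-west-3",
     "sourceIPAddress": "198.51.100.7", "readOnly": False,
     "eventCategory": "Management",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/OpsAdmin/bob@example.com",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "OpsAdmin"}}},
     "requestParameters": {"volumeId": "vol-0abc123"}},
    {"eventTime": "2024-03-01T10:07:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "readOnly": True,
     "eventCategory": "Data",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"bucketName": "payroll-exports", "key": "2024-03.csv"}},
]})


def actor(user_identity):
    """Reduce the userIdentity block to a readable 'who'.

    IAM users carry userName directly. Assumed-role sessions record the role
    under sessionContext.sessionIssuer; the session name (usually the caller's
    identity, e.g. an SSO user or an instance ID) is the last segment of the
    STS ARN. Root has no user name at all.
    """
    kind = user_identity.get("type")
    if kind == "IAMUser":
        return "user/" + user_identity["userName"]
    if kind == "AssumedRole":
        role = user_identity["sessionContext"]["sessionIssuer"]["userName"]
        session = user_identity["arn"].rsplit("/", 1)[-1]
        return f"role/{role} (session {session})"
    if kind == "Root":
        return "root"
    return f"{kind}:{user_identity.get('arn', '?')}"


def load_records(log_file_text):
    """A delivered log file is one JSON object with a Records array."""
    return json.loads(log_file_text)["Records"]


def who_changed(records, resource_id):
    """Answer 'which principal changed <resource_id>, from where, and when?'.

    Read-only calls (readOnly=true, e.g. DescribeVolumes) are skipped because
    they are not changes. The resource id is searched in requestParameters,
    whose layout differs per API, so a substring match over its JSON is used.
    """
    hits = []
    for r in records:
        if r.get("readOnly", False):
            continue
        if resource_id not in json.dumps(r.get("requestParameters", {})):
            continue
        hits.append({
            "who": actor(r["userIdentity"]),
            "what": r["eventSource"].split(".")[0] + ":" + r["eventName"],
            "where": f"{r['awsRegion']} from {r['sourceIPAddress']}",
            "when": r["eventTime"],
        })
    return hits


def count_by_category(records):
    """Management vs Data events: the split that decides default logging and cost."""
    return dict(Counter(r.get("eventCategory", "Unknown") for r in records))


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_FILE)
    print(count_by_category(recs))
    for hit in who_changed(recs, "vol-0abc123"):
        print(hit)
```

Note that the deletion in the sample comes from eu-west-3, a Region the fictional account does not otherwise use, and from an assumed-role session rather than an IAM user; reporting only the role name would lose the session name that identifies the human behind it, which is why actor() keeps both.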

Exam Tips: Golden Nuggets

  • Multi-Region: Always enable CloudTrail for “All Regions” in a single trail so that you catch activity in Regions you don’t normally use (a common attacker tactic), and keep global service events (IAM, STS, CloudFront) included so identity changes are not missed.
  • Log Integrity: Enable “Log File Integrity Validation.” CloudTrail then writes a signed digest file every hour listing the SHA-256 hash of each log file it delivered and chaining to the previous digest; running aws cloudtrail validate-logs lets you detect whether any log file was modified or deleted after delivery. It detects tampering rather than preventing it, so pair it with a restrictive bucket policy and MFA Delete or Object Lock on the bucket.
  • Organization Trails: Create the trail from the AWS Organizations management account (or a delegated administrator) so that a single trail logs activity for ALL member accounts; member-account administrators can see the trail but cannot modify or turn it off.
  • S3 Delivery: CloudTrail publishes log files to S3 roughly every 5 minutes, and an event typically appears within about 5 minutes of the API call. They are not “real-time” but “near real-time,” which matters when you size detection latency.
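To make the “Log Integrity” tip concrete, the following example models what integrity validation checks: each hourly digest lists the SHA-256 hash of the log files delivered in that hour and the hash of the previous digest, so any modified or deleted log file, and any rewritten digest, shows up as a mismatch somewhere in the chain. This is added example code, not part of the original page and not the AWS tooling itself; the bucket is an in-memory dict with shortened object keys and made-up log contents, and the digest field names (logFiles, hashValue, previousDigestS3Object, previousDigestHashValue) follow the real digest format, but the real files carry further fields that are omitted here.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_bucket():
    """Constructed stand-in for the trail's S3 bucket: object key -> bytes.

    Keys are shortened from the real AWSLogs/<account>/CloudTrail/<region>/...
    layout and the log contents are made up. Each digest lists the SHA-256 of
    the log files delivered in its hour plus the hash of the previous digest,
    which is how the real digest files chain together.
    """
    bucket = {
        "logs/20240301T1000Z.json.gz": b'{"Records":[{"eventName":"DeleteVolume"}]}',
        "logs/20240301T1100Z.json.gz": b'{"Records":[{"eventName":"RunInstances"}]}',
    }
    prev_key = None
    for hour, log_key in (("20240301T1100Z", "logs/20240301T1000Z.json.gz"),
                          ("20240301T1200Z", "logs/20240301T1100Z.json.gz")):
        digest = {
            "digestEndTime": hour,
            "logFiles": [{"s3Object": log_key, "hashAlgorithm": "SHA-256",
                          "hashValue": sha256_hex(bucket[log_key])}],
            "previousDigestS3Object": prev_key,
            "previousDigestHashValue": sha256_hex(bucket[prev_key]) if prev_key else None,
        }
        digest_key = f"digests/{hour}.json"
        bucket[digest_key] = json.dumps(digest, sort_keys=True).encode()
        prev_key = digest_key
    return bucket


DIGEST_CHAIN = ["digests/20240301T1100Z.json", "digests/20240301T1200Z.json"]


def validate(bucket, digest_keys):
    """Walk the digests oldest-first and report anything that no longer matches.

    Returns a list of (finding, object_key) tuples; an empty list means every
    log file and digest is exactly as it was when it was written.
    """
    findings = []
    for digest_key in digest_keys:
        if digest_key not in bucket:
            findings.append(("digest-missing", digest_key))
            continue
        digest = json.loads(bucket[digest_key])
        prev_key = digest.get("previousDigestS3Object")
        if prev_key is not None:
            if prev_key not in bucket:
                findings.append(("previous-digest-missing", prev_key))
            elif sha256_hex(bucket[prev_key]) != digest.get("previousDigestHashValue"):
                findings.append(("chain-broken", prev_key))
        for entry in digest.get("logFiles", []):
            log_key = entry["s3Object"]
            if log_key not in bucket:
                findings.append(("log-deleted", log_key))
            elif sha256_hex(bucket[log_key]) != entry["hashValue"]:
                findings.append(("log-modified", log_key))
    return findings


def tamper_digest(bucket, digest_key, fake_hash="0" * 64):
    """Simulate an attacker rewriting one digest to cover a modified log file.
    The next digest still holds the hash of the original bytes, so the chain
    breaks one hour later."""
    digest = json.loads(bucket[digest_key])
    for entry in digest["logFiles"]:
        entry["hashValue"] = fake_hash
    bucket[digest_key] = json.dumps(digest, sort_keys=True).encode()


if __name__ == "__main__":
    clean = build_bucket()
    print("clean bucket:", validate(clean, DIGEST_CHAIN))
    deleted = build_bucket()
    del deleted["logs/20240301T1000Z.json.gz"]
    print("log deleted:", validate(deleted, DIGEST_CHAIN))
    rewritten = build_bucket()
    tamper_digest(rewritten, "digests/20240301T1100Z.json")
    print("digest rewritten:", validate(rewritten, DIGEST_CHAIN))
```

The hash chain alone is not enough: an attacker with write access to the bucket could rewrite every later digest consistently. The real digest files are also RSA-signed by CloudTrail (the previousDigestSignature and digestSignatureAlgorithm fields), and aws cloudtrail validate-logs verifies those signatures against the public keys returned by aws cloudtrail list-public-keys, which is the step this example leaves out and the reason to use the CLI rather than a home-grown checker in production.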

CloudTrail Architectural Flow

User / API Call -> CloudTrail -> CloudWatch Logs -> Alarms / Analysis
                              -> S3 Bucket      -> Long-term Storage
                              -> EventBridge    -> Automation (Lambda)

Key Services

Amazon S3: The primary destination for log files. Restrict the bucket policy to the CloudTrail service principal writing your trail’s prefix, and enable MFA Delete (or S3 Object Lock) so that a compromised principal cannot purge the evidence.

KMS: Encrypt your CloudTrail logs with your own customer managed KMS key (SSE-KMS) for tighter control: reading the logs then requires kms:Decrypt on that key as well as s3:GetObject on the bucket, and the key policy must grant the CloudTrail service principal permission to encrypt.

Common Pitfalls

Single-Region Trails: Forgetting to enable a multi-Region trail leaves blind spots in Regions you don’t normally use.

Cost: Data Events can be extremely expensive in high-traffic accounts. Enable them only where needed, and use event selectors to scope them to specific buckets, prefixes, or functions rather than the whole account.

Quick Patterns

Security Analysis: Stream CloudTrail logs to CloudWatch Logs -> create a metric filter on errorCode (e.g., “*UnauthorizedOperation” and “AccessDenied*”) -> set an alarm on the resulting metric -> notify via SNS. A burst of denied calls from one principal is a classic sign of a stolen credential being used to enumerate permissions.
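The metric-filter-plus-alarm pattern is easiest to understand by running the same matching logic locally. The example below is added here (not code from the original page or from AWS): it evaluates the CIS AWS Foundations Benchmark filter pattern for unauthorized API calls against a few constructed records, aggregates matches into one-minute datapoints the way the alarm’s Sum statistic would, and reports which periods would go into ALARM and which principals are producing the denials. The record contents, principal ARNs and timestamps are made up; the filter pattern string is the real one.

```python
import fnmatch
from collections import Counter
from datetime import datetime, timezone

# The CloudWatch Logs metric filter pattern from the CIS AWS Foundations
# Benchmark control for unauthorized API calls; this example evaluates the same
# two errorCode globs in Python instead of in CloudWatch.
FILTER_PATTERN = ('{ ($.errorCode = "*UnauthorizedOperation") '
                  '|| ($.errorCode = "AccessDenied*") }')
ERROR_GLOBS = ("*UnauthorizedOperation", "AccessDenied*")

# Constructed sample records, trimmed to the fields the filter and the alarm
# read. Principal ARNs and times are made up.
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T10:00:12Z", "eventName": "DescribeInstances",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-03-01T10:00:40Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-03-01T10:01:05Z", "eventName": "GetSecretValue",
     "errorCode": "AccessDeniedException",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/WebApp/i-0123"}},
    {"eventTime": "2024-03-01T10:01:59Z", "eventName": "AssumeRole",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/WebApp/i-0123"}},
    {"eventTime": "2024-03-01T10:03:20Z", "eventName": "RunInstances",
     "errorCode": "InvalidParameterValue",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]


def matches_filter(record):
    """True when the record's errorCode matches either glob (case-sensitive
    here). Successful calls carry no errorCode at all and never match, and
    unrelated errors such as InvalidParameterValue are ignored."""
    code = record.get("errorCode")
    return code is not None and any(fnmatch.fnmatchcase(code, g) for g in ERROR_GLOBS)


def metric_datapoints(records, period_seconds=60):
    """Emulate the metric the filter emits: matching events per period, keyed
    by the period's start as a UTC epoch second (what an alarm with
    Statistic=Sum and Period=period_seconds aggregates over)."""
    counts = Counter()
    for r in records:
        if not matches_filter(r):
            continue
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        period_start = int(ts.timestamp()) // period_seconds * period_seconds
        counts[period_start] += 1
    return dict(counts)


def alarm_periods(datapoints, threshold=1):
    """Periods an alarm with Threshold=threshold and
    ComparisonOperator=GreaterThanOrEqualToThreshold would go into ALARM for."""
    return sorted(p for p, n in datapoints.items() if n >= threshold)


def top_offenders(records):
    """Who is generating the denials: the first question a responder asks."""
    return Counter(r["userIdentity"]["arn"] for r in records if matches_filter(r))


if __name__ == "__main__":
    points = metric_datapoints(SAMPLE_RECORDS)
    print("datapoints:", points)
    print("alarm periods:", alarm_periods(points))
    print("offenders:", top_offenders(SAMPLE_RECORDS).most_common())
```

The sample puts two denials in the same minute from the WebApp instance role, which is what a stolen instance credential being probed for permissions looks like; a threshold of 1 (the CIS recommendation) alarms on both minutes, while a threshold of 2 only fires on the burst, a trade-off between noise and sensitivity that the alarm’s Threshold and EvaluationPeriods settings control.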

Cross-Account: Centralize logs from multiple accounts into a single S3 bucket in a dedicated “Logging Account” that workload accounts cannot administer. The bucket policy must allow the CloudTrail service principal to write each source account’s prefix (an organization trail sets this up for every member account at once), and the logging account should be the only place with delete rights on the bucket.
