AWS Management and Monitoring: API Auditing
In the AWS ecosystem, security and compliance start with knowing exactly who did what, when, and from where. API Auditing is the backbone of governance, providing a transparent trail of every action taken within your AWS account.
The “Building Concierge” Analogy
Imagine a high-security office building. IAM is the keycard that lets you in the door. API Auditing (AWS CloudTrail) is the security camera and the sign-in log at the front desk. Even if you have a keycard, the concierge records exactly which room you entered, what time you arrived, and what equipment you moved. If a laptop goes missing, you don’t check the locks; you check the logs.
Core Service: AWS CloudTrail
AWS CloudTrail is the primary service for API auditing. It records AWS API calls and delivers log files to an Amazon S3 bucket. Each record captures metadata such as the identity of the caller, the time of the call, the source IP address, and the parameters of the request.
1. Types of Events
- Management Events: Control plane operations (e.g., creating an S3 bucket, attaching an IAM policy). By default, trails log management events.
- Data Events: Resource-level operations (e.g., S3 GetObject, Lambda Invoke). These are high-volume and incur additional costs.
- CloudTrail Insights: Uses machine learning to detect unusual API activity patterns (e.g., a sudden spike in EC2 terminations).
2. Multi-Account and Multi-Region Auditing
For the SAA-C03 exam, understand that a single trail can be configured to log all regions. Furthermore, using AWS Organizations, you can create an “Organization Trail” that automatically logs activity across all member accounts and stores the logs in a centralized S3 bucket in the management account.
Comparison: CloudTrail Event Types
| Feature | Management Events | Data Events | Insights Events |
|---|---|---|---|
| Scope | Resource configurations (Control Plane) | Resource usage (Data Plane) | Anomalous behavior detection |
| Examples | RunInstances, CreateTable | PutObject, GetItem | Spike in API error codes |
| Cost | First copy free per region | Paid per 100k events | Paid per million events analyzed |
| Default | Enabled | Disabled | Disabled |
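As an added example (not code from the original guide), the following Python parses a small set of constructed CloudTrail records and shows the fields behind the table above: eventCategory/managementEvent separate management from data events, readOnly marks calls that changed state, and eventTime, userIdentity.arn and sourceIPAddress give the who/when/from-where tuple. The account ID, ARNs and addresses are constructed sample values.

```python
import json
from collections import Counter

def _rec(time, source, name, region, ip, arn, category, read_only):
    """Build a constructed CloudTrail record; keys follow the CloudTrail record format."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "userIdentity": {"arn": arn}, "eventCategory": category,
            "managementEvent": category == "Management", "readOnly": read_only}

# Sample account, identities and addresses are constructed, not real.
ALICE = "arn:aws:iam::111122223333:user/alice"
APP = "arn:aws:sts::111122223333:assumed-role/app/i-0abc"
SAMPLE_LOG_FILE = json.dumps({"Records": [
    _rec("2024-05-01T10:00:00Z", "ec2.amazonaws.com", "RunInstances", "eu-west-1", "203.0.113.10", ALICE, "Management", False),
    _rec("2024-05-01T10:01:00Z", "iam.amazonaws.com", "CreateUser", "us-east-1", "203.0.113.10", ALICE, "Management", False),
    _rec("2024-05-01T10:02:00Z", "s3.amazonaws.com", "GetObject", "eu-west-1", "198.51.100.7", APP, "Data", True),
    _rec("2024-05-01T10:03:00Z", "ec2.amazonaws.com", "DeleteVolume", "eu-west-1", "203.0.113.10", ALICE, "Management", False),
]})

# Global services are recorded with awsRegion us-east-1 regardless of where the caller sat.
GLOBAL_SERVICES = {"iam.amazonaws.com", "sts.amazonaws.com", "cloudfront.amazonaws.com"}

def load_records(log_file_text):
    """A delivered CloudTrail log file is one JSON object holding a 'Records' array."""
    return json.loads(log_file_text)["Records"]

def classify(record):
    """Management (control plane) vs Data (data plane) vs Insight, as tagged in the record itself."""
    return record.get("eventCategory") or ("Management" if record.get("managementEvent") else "Data")

def audit_summary(records):
    """Counts per event category, global-service events, and every mutating call as a
    (when, who, what, from where) tuple."""
    summary = {"by_category": Counter(), "global_service_events": [], "mutating": []}
    for r in records:
        summary["by_category"][classify(r)] += 1
        if r["eventSource"] in GLOBAL_SERVICES:
            summary["global_service_events"].append((r["eventName"], r["awsRegion"]))
        if not r.get("readOnly", True):  # readOnly is false for calls that change state
            summary["mutating"].append((r["eventTime"], r["userIdentity"]["arn"],
                                        r["eventName"], r["sourceIPAddress"]))
    return summary

def who_did(records, event_name):
    """Answer 'who called <event_name>, when and from where?' straight from the trail."""
    return [(r["eventTime"], r["userIdentity"]["arn"], r["sourceIPAddress"])
            for r in records if r["eventName"] == event_name]
```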
Security and Integrity
Audit logs are useless if they can be tampered with. AWS provides two key features to protect your audit trail:
- Log File Integrity Validation: When enabled, CloudTrail delivers digest files that it digitally signs and that list a hash of every log file. You can use them to verify that log files were not modified or deleted after delivery.
- KMS Encryption: Log files are encrypted at rest by S3 by default (SSE-S3), but you can use AWS KMS (SSE-KMS) to encrypt them with your own customer-managed key for an extra layer of control.
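As an added illustration of how integrity validation catches tampering (a simplified model written for this guide, not CloudTrail's own code): each digest lists the SHA-256 of every log file it covers plus the hash of the previous digest, so a modified file, a deleted file or a rewritten earlier digest all surface when the chain is walked backwards. Real digests are additionally RSA-signed by CloudTrail and checked with aws cloudtrail validate-logs; that signature step is omitted here, and the bucket contents are constructed.

```python
import hashlib
import json

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_digest(store, log_keys, previous_key):
    """Producer side (simplified model of a CloudTrail digest file): record the SHA-256 of each
    delivered log file and chain to the previous digest by hashing its bytes."""
    digest = {"logFiles": [{"s3Object": k, "hashValue": sha256_hex(store[k]), "hashAlgorithm": "SHA-256"}
                           for k in log_keys],
              "previousDigestS3Object": previous_key,
              "previousDigestHashValue": sha256_hex(store[previous_key]) if previous_key else None}
    return json.dumps(digest, sort_keys=True).encode()

def validate_chain(store, latest_digest_key):
    """Consumer side: walk the chain backwards from the newest digest and report every log
    file that was modified or deleted after delivery, and any break in the digest chain."""
    findings, key = [], latest_digest_key
    while key:
        if key not in store:
            findings.append(("digest missing", key))
            break
        digest = json.loads(store[key])
        for lf in digest["logFiles"]:
            blob = store.get(lf["s3Object"])
            if blob is None:
                findings.append(("log file missing", lf["s3Object"]))
            elif sha256_hex(blob) != lf["hashValue"]:
                findings.append(("log file modified", lf["s3Object"]))
        prev = digest["previousDigestS3Object"]
        if prev in store and sha256_hex(store[prev]) != digest["previousDigestHashValue"]:
            findings.append(("digest chain broken", prev))
            break
        key = prev
    return findings

def demo():
    """Constructed in-memory bucket: two digests covering three log files, then tampering."""
    store = {"logs/1.json.gz": b'{"Records":[{"eventName":"RunInstances"}]}',
             "logs/2.json.gz": b'{"Records":[{"eventName":"DeleteVolume"}]}',
             "logs/3.json.gz": b'{"Records":[{"eventName":"CreateUser"}]}'}
    store["digest/h1.json"] = build_digest(store, ["logs/1.json.gz", "logs/2.json.gz"], None)
    store["digest/h2.json"] = build_digest(store, ["logs/3.json.gz"], "digest/h1.json")
    clean = validate_chain(store, "digest/h2.json")
    # Simulate tampering after delivery: a record scrubbed from one file, another file deleted.
    store["logs/2.json.gz"] = b'{"Records":[]}'
    del store["logs/3.json.gz"]
    return clean, validate_chain(store, "digest/h2.json")
```

Without the signature, whoever can write to the bucket could simply re-issue the newest digest to match the tampered files; the signature check in the real service is what closes that gap.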
Decision Matrix: If-Then Guide
| If the requirement is… | Then use… |
|---|---|
| To see who deleted an EBS volume 2 weeks ago | CloudTrail Event History (90-day lookup) |
| To store logs for 7 years for compliance | CloudTrail + S3 (with Glacier Lifecycle) |
| To trigger a Lambda function when an IAM user is created | CloudTrail + EventBridge |
| To detect a brute-force login attempt via API | CloudTrail Insights + CloudWatch Alarms |
| To prevent log deletion in sub-accounts | Organization Trail + S3 Bucket Policy (MFA Delete) |
Exam Tips and Gotchas
- Not Real-Time: CloudTrail is NOT instantaneous. Logs are typically delivered to S3 every 5–15 minutes. If a question asks for “immediate” blocking of an action, use Service Control Policies (SCPs) or IAM, not CloudTrail.
- The 90-Day Limit: The “Event History” in the console only shows the last 90 days. For longer retention, you MUST configure a Trail to deliver to S3.
- Global Services: Events for global services (IAM, STS, CloudFront) are logged in the us-east-1 region.
- Log Aggregation: To aggregate logs from multiple accounts, always use an Organization Trail rather than manual cross-account S3 bucket policies where possible.
Topics covered in this guide:
- Difference between Management, Data, and Insights events.
- CloudTrail log delivery to S3 and CloudWatch Logs.
- Log file integrity validation and encryption with KMS.
- Multi-region and Multi-account (AWS Organizations) logging patterns.
- EventBridge integration for automated remediation.
API Auditing Architecture
Service Ecosystem
IAM: Tracks which identity made the call.
KMS: Encrypts logs for regulatory compliance (HIPAA/PCI).
Organizations: Enforces logging across the entire enterprise with one click.
Performance & Scaling
CloudTrail is a managed service that scales automatically. It can handle millions of events across thousands of accounts. Aggregate log files into one S3 location (for example through an organization trail) so they can be queried efficiently with Amazon Athena.
Cost Optimization
Tip 1: Only enable Data Events on critical buckets or functions.
Tip 2: Use S3 Lifecycle policies to move old logs to Glacier Deep Archive.
Tip 3: One trail is free; additional trails are charged.
PutObject calls. These logs are sent to CloudWatch Logs, where a Metric Filter detects if an unencrypted object is uploaded, triggering an SNS notification to the security team.
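The scenario above ends in a Metric Filter that fires on unencrypted uploads. As an added example (not code from the original guide), here is that filter's logic in Python over constructed S3 data-event records; the field names requestParameters.x-amz-server-side-encryption and additionalEventData.SSEApplied are assumed from the CloudTrail S3 data-event format, and the bucket name, ARN and addresses are constructed sample values.

```python
def _put(key, ip, arn, sse_header=None, sse_applied=None):
    """Build a constructed S3 PutObject data-event record (sample data, not a real account)."""
    r = {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "eventCategory": "Data",
         "eventTime": "2024-05-01T11:00:00Z", "sourceIPAddress": ip, "userIdentity": {"arn": arn},
         "requestParameters": {"bucketName": "payroll-exports", "key": key}}
    if sse_header:  # the caller asked for SSE in the request header
        r["requestParameters"]["x-amz-server-side-encryption"] = sse_header
    if sse_applied:  # what S3 actually applied (assumed field: additionalEventData.SSEApplied)
        r["additionalEventData"] = {"SSEApplied": sse_applied}
    return r

UPLOADER = "arn:aws:iam::111122223333:user/batch-job"
SAMPLE_RECORDS = [
    _put("2024/may.csv", "198.51.100.7", UPLOADER, sse_header="aws:kms", sse_applied="SSE_KMS"),
    _put("2024/june.csv", "198.51.100.7", UPLOADER, sse_applied="Default_SSE_S3"),  # bucket default
    _put("2024/july.csv", "203.0.113.10", UPLOADER),                                  # no SSE at all
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "eventCategory": "Data",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": UPLOADER},
     "requestParameters": {"bucketName": "payroll-exports", "key": "2024/may.csv"}},  # a read, ignored
]

def is_unencrypted_upload(record):
    """The metric-filter rule: a PutObject with neither an SSE request header nor SSE applied by S3."""
    if record.get("eventName") != "PutObject":
        return False
    params = record.get("requestParameters", {})
    applied = record.get("additionalEventData", {}).get("SSEApplied")
    return "x-amz-server-side-encryption" not in params and not applied

def alert_message(record):
    """The SNS notification body the security team would receive for one offending upload."""
    p = record["requestParameters"]
    return {"subject": "Unencrypted object uploaded",
            "bucket": p["bucketName"], "key": p["key"],
            "actor": record["userIdentity"]["arn"], "sourceIP": record["sourceIPAddress"],
            "time": record["eventTime"]}

def scan(records):
    """Return one alert per offending upload; encrypted uploads and reads produce nothing."""
    return [alert_message(r) for r in records if is_unencrypted_upload(r)]
```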