Labs ICT
Pro Login

CloudTrail

What is CloudTrail?

CloudTrail is AWS's audit logging service. It records every API call made in your AWS account — who did what, when, and from where. Think of it as the security camera footage for your cloud infrastructure.

Every time someone creates an EC2 instance, modifies a security group, or accesses an S3 bucket, CloudTrail logs it. This is invaluable for security investigations, compliance audits, and troubleshooting.

How CloudTrail Works

By default, CloudTrail is enabled and captures events in your account. It records API calls made through the console, CLI, SDKs, and AWS services. The logs are stored in an S3 bucket that you specify.

Each log entry includes the caller's identity, the action performed, the time, the source IP address, and the request parameters. It's like a detailed receipt for every transaction in your account.

Event History

CloudTrail retains the last 90 days of events in the console — no configuration needed. You can search this history to answer questions like "Who deleted that S3 bucket?" or "When was that security group modified?"

For longer retention, deliver events to an S3 bucket and optionally to CloudWatch Logs. S3 gives you durable, long-term storage, while CloudWatch Logs enables real-time monitoring and alerting on specific events.

Trail Configuration

While CloudTrail captures events by default, creating a "trail" gives you more control. You can specify which regions to log, which services to include, and where to store the logs.

aws cloudtrail create-trail \
  --name my-audit-trail \
  --s3-bucket-name my-cloudtrail-logs \
  --is-multi-region-trail

A multi-region trail captures events from all regions in your account. This is important because some events (like IAM changes) are global and need a multi-region trail to be logged properly.

CloudTrail for Security

CloudTrail is a critical security tool. Use it to detect unauthorized access, investigate incidents, and prove compliance with regulations. Combine it with CloudWatch Logs to create real-time alerts for suspicious activity.

For example, alert when someone disables MFA, when root account credentials are used, or when a security group is opened to the world. CloudTrail gives you the visibility to catch and respond to threats quickly. Don't enable it and forget about it — actually review the logs.