2.6.3. AWS CloudTrail
First Principle: AWS CloudTrail provides a comprehensive, immutable record of API calls and resource changes within an AWS account, enabling security analysis, compliance auditing, and operational troubleshooting.
AWS CloudTrail is a service that enables governance, compliance, and operational and risk auditing of your AWS account. It records almost all actions performed in your AWS account by users, roles, or AWS services.
Key Characteristics of AWS CloudTrail:
- API Call Logging: Records information about API calls made in your account, including:
  - Who: The identity that made the request.
  - What: The specific API operation performed (e.g., `RunInstances`, `PutObject`).
  - When: The time the action occurred.
  - Where: The AWS Region of the request and the source IP address.
- Event History: Provides a view of the last 90 days of API activity in the CloudTrail console.
- Trails: Configure a trail to deliver CloudTrail events to an Amazon S3 bucket for long-term storage and to Amazon CloudWatch Logs for real-time monitoring and alerting.
- Use Cases: Security analysis (detecting unauthorized activity), compliance auditing (providing an audit trail), and operational troubleshooting (investigating changes that might have led to issues).
Scenario: A company needs to track all changes made to its AWS account (e.g., who launched an EC2 instance, who modified an S3 bucket policy) for security investigations and compliance requirements.
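The following is an added example, not code from the original page or from AWS, showing how the who / what / when / where fields above can be pulled out of a CloudTrail log file and checked against a watchlist for the scenario's two events (instance launches and bucket policy changes). The log records are constructed sample data, not output from a real account; the field names are the ones CloudTrail writes, and the `WATCHLIST` set and the `find_watched_events` helper are this example's own assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample of CloudTrail log records, not data from any real account.
# The field names (Records, userIdentity, eventTime, eventSource, eventName,
# awsRegion, sourceIPAddress, requestParameters) are the ones CloudTrail writes.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "eventTime": "2024-05-01T10:15:30Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventVersion": "1.08",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci-session"},
     "eventTime": "2024-05-01T10:20:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "example-data-bucket"}},
    {"eventVersion": "1.08",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "eventTime": "2024-05-01T10:25:45Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.22",
     "requestParameters": {"bucketName": "example-data-bucket", "key": "report.csv"}},
]})

# Hypothetical watchlist for the scenario: instance launches and bucket policy changes.
WATCHLIST = {"RunInstances", "PutBucketPolicy"}


def parse_records(log_text):
    """Parse one CloudTrail log file (a JSON object with a 'Records' array)."""
    return json.loads(log_text).get("Records", [])


def who(record):
    """Best available principal name from userIdentity."""
    ident = record.get("userIdentity", {})
    # IAM users carry userName; assumed roles and root are identified by ARN.
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def summarize(record):
    """Reduce a record to the who / what / when / where fields the section describes."""
    service = record["eventSource"].split(".")[0]  # "ec2.amazonaws.com" -> "ec2"
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    when = when.replace(tzinfo=timezone.utc)
    return {
        "who": who(record),
        "what": f"{service}:{record['eventName']}",
        "when": when,
        # sourceIPAddress can also be a service DNS name when AWS itself made the call.
        "where": f"{record['awsRegion']} from {record['sourceIPAddress']}",
        "params": record.get("requestParameters", {}),
    }


def find_watched_events(records, watchlist=WATCHLIST):
    """Return summaries of records whose eventName is on the watchlist, oldest first."""
    hits = [summarize(r) for r in records if r.get("eventName") in watchlist]
    return sorted(hits, key=lambda s: s["when"])


if __name__ == "__main__":
    for hit in find_watched_events(parse_records(SAMPLE_LOG)):
        print(f"{hit['when'].isoformat()} {hit['who']} {hit['what']} "
              f"({hit['where']}) {hit['params']}")
```

In practice the same logic runs over the gzipped log files a trail delivers to S3, or as a CloudWatch Logs metric filter on the delivered events; the `PutObject` record is deliberately left off the watchlist to show that only the events of interest surface.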
Reflection Question: How does AWS CloudTrail, by providing a comprehensive and immutable record of API calls and resource changes, fundamentally enable security analysis, compliance auditing, and troubleshooting in your AWS account?