2.2.2. CloudTrail: API Logging and Analysis
💡 First Principle: Every action taken in AWS, whether by a human, a service, or a Lambda function, is an API call. CloudTrail records every one of those calls. It answers the critical incident question: "Who did what, to which resource, from where, and when?"
Without CloudTrail, you couldn't answer "Who deleted the production S3 bucket?" or "Which IAM role made that change at 3 AM?" CloudTrail makes AWS infrastructure auditable.
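To make the "who did what, to which resource, from where, and when" question concrete, here is an added example (not from the original guide) that parses the `Records` array of a CloudTrail log file and pulls those five answers out of each record. It also filters the records down to one access key inside a time window, which is the same question a CloudTrail Lake or Athena query would answer at scale. The log file content and the access key IDs are constructed sample data; the field names (`userIdentity.accessKeyId`, `eventTime`, `eventSource`, `eventName`, `awsRegion`, `sourceIPAddress`, `requestParameters`, `errorCode`) are the ones CloudTrail emits, but real records carry more fields than shown.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log file. Field set is trimmed; real CloudTrail records
# also carry eventID, eventVersion, userAgent, responseElements, and more.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T03:12:45Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "prod-data"}},
    {"eventTime": "2024-05-01T03:10:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": None},
    {"eventTime": "2024-05-01T02:58:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"userName": "backup-admin"}},
    # Older than 24h: same key, but outside the incident window.
    {"eventTime": "2024-04-29T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"instanceType": "t3.micro"}},
    # A different principal (assumed role) with a temporary key.
    {"eventTime": "2024-05-01T03:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.4.21",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci",
                      "accessKeyId": "ASIAEXAMPLETEMPKEY00"},
     "requestParameters": {"roleName": "prod-app-role"}},
]})


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_records(log_file_text):
    return json.loads(log_file_text)["Records"]


def summarize(rec):
    """Answer who / what / which resource / from where / when for one record."""
    ident = rec.get("userIdentity") or {}
    params = rec.get("requestParameters") or {}
    # Resource naming varies per service; pick the common identifying keys.
    resource = next((params[k] for k in ("bucketName", "roleName", "userName", "instanceId")
                     if k in params), "-")
    return {
        "when": rec["eventTime"],
        "who": ident.get("arn") or ident.get("principalId", "unknown"),
        "access_key": ident.get("accessKeyId"),
        "what": f'{rec["eventSource"]}:{rec["eventName"]}',
        "resource": resource,
        "from": rec.get("sourceIPAddress"),
        "region": rec["awsRegion"],
        "error": rec.get("errorCode"),   # present only when the call failed
    }


def events_for_access_key(records, access_key_id, now, hours=24):
    """Every call made with one access key in the last `hours`, oldest first."""
    cutoff = now - timedelta(hours=hours)
    hits = [summarize(r) for r in records
            if (r.get("userIdentity") or {}).get("accessKeyId") == access_key_id
            and parse_time(r["eventTime"]) >= cutoff]
    return sorted(hits, key=lambda e: e["when"])


def regions_used(records):
    """Per-region activity count; a hit in a region you never use is worth a look."""
    return Counter(r["awsRegion"] for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_FILE)
    for e in events_for_access_key(recs, "AKIAIOSFODNN7EXAMPLE", parse_time("2024-05-01T12:00:00Z")):
        print(e)
    print(regions_used(recs))
```

Failed calls (`errorCode` set) are kept on purpose: during a key-leak investigation the denied attempts show what the holder of the key tried to reach, not only what succeeded.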
Event Types:
| Event Type | What It Captures | Default? |
|---|---|---|
| Management Events | Control plane operations (CreateInstance, DeleteBucket, PutPolicy) | ✅ Yes |
| Data Events | Data plane operations (S3 GetObject/PutObject, Lambda Invoke, DynamoDB PutItem) | ❌ No (extra cost) |
| Insights Events | Unusual API activity patterns (anomaly detection) | ❌ No (extra cost) |
Trail Configuration:
A trail is the configuration that delivers events to an S3 bucket (and optionally CloudWatch Logs and EventBridge). Key decisions:
- Single-region vs. multi-region: Best practice is to create a multi-region trail so you capture activity in all regions, including regions you don't actively use (attackers may exploit unused regions)
- Organization trail: Configured in the management account, it automatically applies to all member accounts, which ensures you can't "forget" to enable CloudTrail in a new account
- Log file validation: CloudTrail can compute a SHA-256 digest of each log file. If someone tampers with or deletes log files, validation will fail, which is critical for compliance
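The log-file-validation point above is easier to reason about with the mechanism in front of you. The following added example (mine, not from the guide or from AWS) simulates the check: log files sit in a bucket as gzip-compressed JSON, a digest file lists each file with its SHA-256 `hashValue`, and validation recomputes the hash and reports files that are `ok`, `tampered` or `missing`. The bucket contents, object keys and digest are constructed; the digest layout is modelled on the `logFiles` entries of a real digest file, and the assumption that the hash covers the uncompressed log content is noted in the code. A real digest file is additionally RSA-signed and chained to the previous digest, which this simulation does not reproduce.

```python
import gzip
import hashlib
import json


def make_log_file(records):
    """Log files are stored in S3 as gzip-compressed JSON with a Records array."""
    return gzip.compress(json.dumps({"Records": records}).encode())


# Constructed bucket: object key -> bytes as stored in S3.
PREFIX = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/01/"
CLEAN_BUCKET = {
    PREFIX + "file-a.json.gz": make_log_file([{"eventName": "ListUsers"}]),
    PREFIX + "file-b.json.gz": make_log_file([{"eventName": "DeleteBucket"}]),
    PREFIX + "file-c.json.gz": make_log_file([{"eventName": "PutRolePolicy"}]),
}


def content_hash(stored_bytes):
    # Assumption: hashValue is the hex SHA-256 of the uncompressed log content.
    return hashlib.sha256(gzip.decompress(stored_bytes)).hexdigest()


def build_digest(bucket):
    """Constructed digest modelled on the logFiles section of a real digest file."""
    return {
        "awsAccountId": "123456789012",
        "logFiles": [
            {"s3Bucket": "example-trail-bucket", "s3Object": key,
             "hashValue": content_hash(blob), "hashAlgorithm": "SHA-256"}
            for key, blob in sorted(bucket.items())
        ],
    }


def validate_digest(digest, bucket):
    """Recompute each listed file's hash; deletion and tampering both surface."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        blob = bucket.get(key)
        if blob is None:
            results[key] = "missing"
        elif content_hash(blob) != entry["hashValue"]:
            results[key] = "tampered"
        else:
            results[key] = "ok"
    return results


def run_scenario():
    """Digest written at delivery time, then the bucket is altered afterwards."""
    digest = build_digest(CLEAN_BUCKET)
    altered = dict(CLEAN_BUCKET)
    # Someone rewrites file-b to hide the DeleteBucket call and removes file-c.
    altered[PREFIX + "file-b.json.gz"] = make_log_file([])
    del altered[PREFIX + "file-c.json.gz"]
    return validate_digest(digest, altered)


if __name__ == "__main__":
    for key, status in run_scenario().items():
        print(status.ljust(8), key)
```

The status map is what a compliance report needs: an all-`ok` run proves the files delivered at the time of the digest are the files you have now, while any `tampered` or `missing` entry means the audit trail for that window cannot be trusted and the bucket's access history becomes the next thing to investigate.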
CloudTrail Lake is a managed data lake for CloudTrail events that allows SQL-based querying without first exporting to S3 and using Athena. Use CloudTrail Lake when you need quick, interactive analysis of API activity at scale.
⚠️ Exam Trap: CloudTrail delivers log files to S3 with a delay of up to 15 minutes (typically 5–10 minutes). If you need real-time alerting on API activity, configure the trail to deliver to CloudWatch Logs and set a metric filter there, or use EventBridge to subscribe to CloudTrail events directly.
Reflection Question: An IAM user's access key was leaked. You need to find every AWS API call made by that access key in the last 24 hours. What CloudTrail feature or service do you use, and what query would you run?