3.2.2.5. AWS CloudTrail Log Events
CloudTrail records the API calls made in your AWS account (management events by default, data events only where you enable them): the who, what, when, and from where of account activity. It is the foundation of security auditing and incident investigation.
Event types:
| Type | What's Logged | Logged by Default | Cost |
|---|---|---|---|
| Management events | Control plane (CreateBucket, RunInstances, etc.) | Yes (90-day Event history, free) | First copy of management events delivered to S3 is free |
| Data events | Data plane (GetObject, PutItem, Invoke) | No | Per-event charge |
| Insights events | Unusual API activity patterns (call-rate and error-rate anomalies) | No | Per-event charge |
CloudTrail configuration:
- Organization trail: Single trail, created in the organization's management account (or a delegated CloudTrail administrator), that logs events from all member accounts; member accounts can see it but cannot modify or delete it
- Multi-region trail: Logs events from all regions (including ones enabled later) into a single S3 bucket
- Log file integrity validation: CloudTrail delivers an hourly digest file containing the SHA-256 hash of each log file, chained to the previous digest and signed with an RSA key that only CloudTrail holds; `aws cloudtrail validate-logs` uses these to prove that logs have not been modified or deleted and that digests have not been forged
```bash
# Create an organization trail with log validation. Run from the organization's
# management account (or a delegated CloudTrail administrator); the bucket policy
# must already let cloudtrail.amazonaws.com write to it and the key policy must
# let CloudTrail use the KMS key.
aws cloudtrail create-trail \
  --name OrgTrail \
  --s3-bucket-name central-cloudtrail-logs \
  --is-multi-region-trail \
  --is-organization-trail \
  --enable-log-file-validation \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:alias/audit-key

# create-trail only defines the trail; nothing is delivered until logging starts
aws cloudtrail start-logging --name OrgTrail
```
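How log file integrity validation catches tampering, as an added example that is not from the original page or from AWS. It models the digest chain in Python: each digest lists the SHA-256 of every log file's uncompressed content and the SHA-256 of the previous digest, so modifying or deleting a log file is detectable. The field names follow the CloudTrail digest file layout (`logFiles[].hashValue`, `previousDigestHashValue`); the sample log files and digests are constructed here, the S3 keys are made up, and the RSA signature CloudTrail places on each digest is deliberately not modelled, which the last case uses to show why that signature matters.

```python
import gzip
import hashlib
import json
from typing import Dict, List, Optional

# Model of CloudTrail digest-chain validation. Field names (logFiles[].hashValue,
# previousDigestHashValue) follow the CloudTrail digest file layout; the RSA
# signature CloudTrail puts on every digest is NOT modelled (see run_demo, case 3).

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_log_file(records: list) -> bytes:
    """CloudTrail log files are gzipped JSON with a top-level 'Records' list."""
    return gzip.compress(json.dumps({"Records": records}).encode())

def make_digest(log_objects: Dict[str, bytes], previous: Optional[bytes]) -> bytes:
    """Hourly digest: SHA-256 of each log file's uncompressed content, chained to the previous digest."""
    return json.dumps({
        "logFiles": [{"s3Object": key, "hashValue": sha256_hex(gzip.decompress(body)),
                      "hashAlgorithm": "SHA-256"} for key, body in log_objects.items()],
        "previousDigestHashValue": sha256_hex(previous) if previous else None,
        "previousDigestHashAlgorithm": "SHA-256",
    }).encode()

def validate_chain(digests: List[bytes], objects: Dict[str, bytes]) -> List[str]:
    """Walk digests oldest to newest; return the problems found (empty list = valid)."""
    problems, prev = [], None
    for i, raw in enumerate(digests):
        digest = json.loads(raw)
        if digest["previousDigestHashValue"] != (sha256_hex(prev) if prev else None):
            problems.append(f"digest {i}: chain broken (previous digest hash mismatch)")
        for entry in digest["logFiles"]:
            body = objects.get(entry["s3Object"])
            if body is None:
                problems.append(f"digest {i}: {entry['s3Object']} missing")
            elif sha256_hex(gzip.decompress(body)) != entry["hashValue"]:
                problems.append(f"digest {i}: {entry['s3Object']} modified")
        prev = raw
    return problems

def run_demo() -> Dict[str, List[str]]:
    # Constructed sample: two log files, two digests, then three tampering attempts.
    log1 = make_log_file([{"eventName": "CreateBucket",
                           "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}])
    log2 = make_log_file([{"eventName": "DeleteTrail",
                           "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"}}])
    objects = {"logs/file1.json.gz": log1, "logs/file2.json.gz": log2}
    d1 = make_digest({"logs/file1.json.gz": log1}, None)
    d2 = make_digest({"logs/file2.json.gz": log2}, d1)
    results = {"clean": validate_chain([d1, d2], objects)}

    # 1. Attacker rewrites file2 to erase the DeleteTrail record: hash mismatch.
    scrubbed = {**objects, "logs/file2.json.gz": make_log_file([])}
    results["modified"] = validate_chain([d1, d2], scrubbed)

    # 2. Attacker deletes file2 outright: the digest still lists it.
    results["deleted"] = validate_chain([d1, d2], {"logs/file1.json.gz": log1})

    # 3. Attacker also forges a matching d2. Hash checks alone pass here, which is
    #    why real digests are RSA-signed with a key only CloudTrail holds and why
    #    `aws cloudtrail validate-logs` verifies that signature, not just the hashes.
    forged_d2 = make_digest({"logs/file2.json.gz": scrubbed["logs/file2.json.gz"]}, d1)
    results["forged_digest"] = validate_chain([d1, forged_d2], scrubbed)
    return results

if __name__ == "__main__":
    for case, problems in run_demo().items():
        print(f"{case}: {problems or 'OK'}")
```

Against a real trail the equivalent check is `aws cloudtrail validate-logs --trail-arn <trail-arn> --start-time <timestamp>`, which also verifies the digest signatures. Note that validation only helps if the attacker cannot also disable it: `s3:DeleteObject` on the log bucket, `cloudtrail:UpdateTrail` and `cloudtrail:StopLogging` should be tightly restricted and alarmed on.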
CloudTrail → CloudWatch Logs integration: Stream CloudTrail events to a CloudWatch Logs log group, then create metric filters to alarm on specific API calls (e.g., ConsoleLogin without MFA, DeleteTrail, StopLogging).
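The two alarms named above, expressed both as CloudWatch Logs metric filter patterns and as the equivalent detection logic run over CloudTrail records, as an added example that is not from the original page. The record field names (`eventName`, `eventSource`, `userIdentity.type`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) are the real CloudTrail ones; the sample records are constructed and trimmed to those fields, the principal ARNs are made up, and the "IAM user and successful login only" narrowing of the MFA rule is a design choice added here to keep federated logins (whose MFA is enforced at the identity provider) from paging anyone.

```python
import json
from typing import Iterable, List, Tuple

# CloudWatch Logs metric filter patterns implementing the same two rules (the
# first is the CIS AWS Foundations Benchmark pattern for console login without MFA):
#   { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
#   { ($.eventName = "DeleteTrail") || ($.eventName = "StopLogging") || ($.eventName = "UpdateTrail") }

TRAIL_TAMPERING = {"DeleteTrail", "StopLogging", "UpdateTrail", "PutEventSelectors"}

def actor(ev: dict) -> str:
    """Best-effort principal ARN from the userIdentity block."""
    ident = ev.get("userIdentity", {})
    return ident.get("arn") or ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "unknown")

def console_login_without_mfa(ev: dict) -> bool:
    # Narrowed relative to the raw pattern (design choice): only successful logins by
    # IAM users, so SSO/federated sessions whose MFA lives at the IdP are not flagged.
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("userIdentity", {}).get("type") == "IAMUser"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def trail_tampering(ev: dict) -> bool:
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in TRAIL_TAMPERING)

RULES = {"ConsoleLoginWithoutMFA": console_login_without_mfa,
         "CloudTrailTampering": trail_tampering}

def scan(records: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, eventName, actor) for every record that matches a rule."""
    findings = []
    for ev in records:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, ev["eventName"], actor(ev)))
    return findings

def scan_log(raw: str) -> List[Tuple[str, str, str]]:
    """Scan one CloudTrail log file body ({"Records": [...]})."""
    return scan(json.loads(raw)["Records"])

# Constructed sample log file, trimmed to the fields the rules inspect.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/SSO-Admin/carol"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"name": "OrgTrail"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]})

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only bob's login and mallory's StopLogging are reported; alice used MFA, carol's session is federated, and the S3 GetObject is a data event the rules do not care about. Wire the same two patterns into `aws logs put-metric-filter` and `aws logs put-metric-alarm` on the log group the trail streams to, and the alarm fires whenever the metric count is at least 1 in a period.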
CloudTrail Lake stores events in an immutable, managed event data store that you query with SQL directly, with no S3 bucket, Athena, or Glue setup to maintain; it can aggregate events across accounts and regions and retain them for up to several years, which makes it convenient for security investigations that span the whole organization.
Exam Trap: CloudTrail delivers log files to S3 (and on to CloudWatch Logs) with a delay, typically a few minutes and up to about 15, and the delivery time is not guaranteed. It is not real-time. For near-real-time reaction to specific API calls, use EventBridge rules that match the `AWS API Call via CloudTrail` event type directly: EventBridge receives management events within seconds of the call, well before the corresponding log file is written.
