What is CloudTrail and what does it do?
CloudTrail is an AWS service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It records AWS API calls for your account and delivers log files to you. These log files provide details about what happened in your AWS account, who made the API calls, when they occurred, and other details.
What are the key features of CloudTrail?
- Tracks API calls made on your behalf from the AWS Management Console, AWS SDKs, and command line tools
- Records API calls from all AWS services, including global services like IAM
- Delivers log files containing API activity to an S3 bucket you specify
- Can be configured to send logs to CloudWatch Logs for monitoring
- Integrates with CloudWatch for alarms and EventBridge for automation
- Provides event history of your AWS account activity
- Data events can track operations performed on the resource itself, such as object-level S3 activity
What are the types of events CloudTrail can track?
There are three types of events:
- Management Events: Operations performed on resources, such as creating an EC2 instance. These are always logged.
- Data Events: Operations performed on the resource itself, such as GetObject on an S3 object. These must be enabled explicitly.
- Insight Events: Detect unusual API call activity and surface it for review.
How are CloudTrail trails configured and what do they do?
A trail enables CloudTrail to deliver log files to an S3 bucket. Once logs are in S3, they can be analyzed using Athena. Trails allow you to:
- Send logs to an S3 bucket for retention and analysis
- Customize trails for specific requirements
- Control which events are logged: management, data, and insight events
- Send logs to CloudWatch Logs for monitoring
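The log files a trail delivers to S3 are gzip-compressed JSON with a "Records" array, and each record carries the event category from the section above plus who made the call and when. The following is an added example (not AWS code or from the original notes) that reads one such file and summarizes it; the account id, ARNs and timestamps in the sample are made up.

```python
import gzip
import json
from collections import Counter

# Constructed sample in the CloudTrail log-file layout. Field names follow the
# CloudTrail event reference; the account id, ARNs and times are invented.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "eventCategory": "Management", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "eventCategory": "Management", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "eventCategory": "Management", "readOnly": True,
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
]})
# The same sample as a trail would deliver it to S3: gzip-compressed bytes.
SAMPLE_LOG_GZ = gzip.compress(SAMPLE_LOG.encode())

def load_records(data):
    """Return the "Records" array of one CloudTrail log file. Trails deliver
    these to S3 as gzip-compressed JSON (.json.gz), so gzipped bytes are
    decompressed first; plain JSON text or bytes is accepted as well."""
    if isinstance(data, bytes) and data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return json.loads(data).get("Records", [])

def summarize(records):
    """Answer the what/who/when questions the notes describe: count events per
    category (Management/Data/Insight) and per calling principal, and list each
    non-read-only management call as (time, principal, source, name)."""
    by_category = Counter(r.get("eventCategory", "Unknown") for r in records)
    by_principal = Counter(r.get("userIdentity", {}).get("arn", "unknown") for r in records)
    writes = [(r["eventTime"], r["userIdentity"]["arn"], r["eventSource"], r["eventName"])
              for r in records
              if r.get("eventCategory") == "Management" and r.get("readOnly") is False]
    return by_category, by_principal, writes

if __name__ == "__main__":
    cats, principals, writes = summarize(load_records(SAMPLE_LOG_GZ))
    print("per category:", dict(cats))
    print("per principal:", dict(principals))
    for when, who, source, name in writes:
        print(f"{when} {who} {source} {name}")
```

Pointing load_records at a real .json.gz object fetched from the trail's bucket gives the same summary that an Athena query over the bucket would, for a single file.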
What services are not supported by CloudTrail?
Some AWS services are not currently supported by CloudTrail logging. Major unsupported services:
- Amazon Elastic File System (Amazon EFS)
- AWS PrivateLink
- Amazon WorkDocs
- Amazon WorkMail
How can CloudTrail integrate with other AWS services?
- CloudWatch for alarms, notifications, dashboards
- EventBridge for responding to events, automation
- Athena for analyzing logs stored in S3
- CloudWatch Logs for real-time monitoring of logs
- S3 for storage of log files
- Kinesis Data Firehose for streaming logs to other services