AWS CloudTrail: Tracking Activity and Changes in Your AWS Account
Quick Recap: Where We Are in Our AWS Journey
In previous posts, we:
- Created an EC2 instance to run an application
- Used Auto Scaling to manage traffic automatically
- Set up CloudWatch to monitor performance and receive alerts
Monitoring performance is important, but it doesn’t tell us who did what inside our AWS account.
This is where AWS CloudTrail comes in.
What Is AWS CloudTrail?
AWS CloudTrail is a service that records the actions (API calls) taken in your AWS account, whether they come from the console, the CLI, or an SDK.
It helps you answer questions like:
- Who launched or stopped an EC2 instance?
- Who modified a security group?
- When was Auto Scaling changed?
- Which IAM user or role made the change?
CloudTrail is essential for security, auditing, and troubleshooting.
Why CloudTrail Is Important
CloudTrail helps you:
- Track user and API activity
- Investigate security incidents
- Meet compliance and auditing requirements
- Understand changes made across AWS services
Unlike CloudWatch (which monitors performance), CloudTrail monitors actions.
Step-by-Step: Creating a CloudTrail Trail
Step 1: Open CloudTrail
- Sign in to the AWS Management Console
- Search for CloudTrail
- Click CloudTrail
Step 2: Create a Trail
- Click Trails from the left menu
- Click Create trail
Step 3: Configure Trail Settings
Fill in the following:
Trail name:
Example: management-event
Storage location:
Select Create new S3 bucket
AWS will automatically store your logs in this bucket.
Step 4: Choose Log Events
Select:
- ✅ Management events
- ✅ Read and Write events
Leave other options as default for beginners.
Step 5: Enable Trail for All Regions
- Check Enable for all regions
This ensures all activity across AWS regions is logged.
Step 6: Create the Trail
- Click Create trail

CloudTrail starts logging activity immediately.
Viewing CloudTrail Events
Step 1: Open Event History
- In CloudTrail, click Event history
Each event shows:
- Event name (e.g., StartInstances)
- AWS service used
- IAM user or role
- Time of the event
- Source IP address
Step 2: Filter Events
You can filter by:
- Event name
- User name
- Resource type
- Time range
This is very useful when investigating issues.
Example: What CloudTrail Can Show You
If you:
- Start or stop an EC2 instance
- Modify a security group
- Create an Auto Scaling group
- Change CloudWatch alarms
CloudTrail records who performed the action and when.
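As an added example (not part of the original post), the following Python script reads a CloudTrail log file in the JSON format the trail delivers to S3, filters it the way the Event history console does (by event name, user, service, or write-only events), and answers the who/what/when/where question for each record. The records, user names, IP addresses and account ID are constructed placeholders, not data from a real account.

```python
import json

# Constructed sample of a CloudTrail log file (a "Records" array), not data from a real
# account. Field names follow the CloudTrail event schema; every value is a placeholder.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "autoscaling.amazonaws.com",
     "eventName": "CreateAutoScalingGroup", "awsRegion": "eu-west-1", "readOnly": False,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "readOnly": True,
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

def load_records(log_text):
    """Parse one CloudTrail log file; the events live under the top-level "Records" key."""
    return json.loads(log_text)["Records"]

def actor(record):
    """Readable identity: the IAM user name, or the ARN for assumed roles."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"

def filter_events(records, event_name=None, user=None, service=None, writes_only=False):
    """Filter like the Event history console: by event name, user, service, or write events."""
    out = []
    for r in records:
        if event_name and r.get("eventName") != event_name:
            continue
        if user and actor(r) != user:
            continue
        if service and r.get("eventSource") != service:
            continue
        if writes_only and r.get("readOnly", False):  # readOnly=True marks Describe/List calls
            continue
        out.append(r)
    return out

def who_did_what(records):
    """Answer the audit question: (when, who, did what, from where) for each event."""
    return [(r["eventTime"], actor(r), r["eventName"], r["sourceIPAddress"]) for r in records]

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for row in who_did_what(filter_events(recs, writes_only=True)):
        print(row)
```

Point `load_records` at a file downloaded from the trail's S3 bucket (after gunzip) to run the same filters over real logs.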
How CloudTrail Complements CloudWatch
| Service | Purpose |
|---|---|
| CloudWatch | Monitors performance and triggers alarms |
| CloudTrail | Tracks user actions and API calls |
Together, they provide visibility + accountability.
Best Practice for Beginners
- Always enable CloudTrail
- Store logs securely in S3
- Review event history regularly
- Use CloudTrail when troubleshooting unexpected changes
Final Thoughts
CloudTrail gives you confidence and control over your AWS account by recording every important action.
With EC2, Auto Scaling, CloudWatch, and CloudTrail, you now have:
- Compute
- Scalability
- Monitoring
- Auditing
A solid foundation for working in AWS.