DEV Community

Freddie HOLMES

AWS CloudTrail

What is *AWS CloudTrail*, and what are the benefits of using CloudTrail?
AWS CloudTrail is the AWS service that records every action taken in your AWS account.

It answers the questions: who did *what*, *when*, from *where*, and *how*.

CloudTrail tracks API calls and management events made through the AWS Console, the AWS CLI, SDKs and other AWS services.
It is the backbone of security auditing, governance, compliance and forensic investigation in AWS.

What CloudTrail records
*CloudTrail* captures events, not performance metrics.
Each event contains:
- Who made the request (user, role or service)
- What action was taken (the API call)
- Which resource was affected
- When it happened (timestamp)
- Where it came from (IP address, region)
- Whether it succeeded or failed

Example

Someone deletes an *EC2* instance. CloudTrail records the user name, time of deletion, region, instance ID and source IP.
Nothing happens in AWS without CloudTrail seeing it.
Types of CloudTrail events

I. *Management events*
These are control plane actions.
Examples: create or delete EC2 instances, modify security groups, create IAM users or roles, change S3 bucket permissions.
- Enabled by default
- Critical for auditing and security

II. *Data events*
These track resource-level operations.
Examples: S3 object uploads, downloads and deletes; Lambda function invocations.
- Not enabled by default
- Must be explicitly configured
- Useful for deep security investigations

III. *Insight events*
CloudTrail Insights detects unusual activity patterns.
Examples: a sudden spike in API calls, unusual resource creation, unexpected deletion activity.
- Uses machine learning
- Helps detect compromised credentials

In this guide I will demonstrate how to set up CloudTrail to collect my system's event logs.

1. Log in to the *AWS console* (https://console.aws.amazon.com/). In the AWS console, search for CloudTrail and hit Enter.

2. Click on *Create Trail*.

3. The *CloudTrail* trail is created. Verify it and navigate to see what events are being logged.

4. *CloudTrail* will log events for whatever happens on my system. You can also set up an SNS notification, or use an existing SNS notification, to send email notifications.

5. Download the *CloudTrail* events and analyze the issues to prevent future occurrences.
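As an added example that is not part of the original post, the Python script below ties together the record fields listed under "What CloudTrail records" and the analysis in step 5. It reads the `{"Records": [...]}` JSON that CloudTrail delivers to S3 (after gunzip), prints a who/what/when/where/outcome line per event, and then does a first-pass triage: write calls per actor, failed calls, and destructive API names. The three records are constructed samples with a fictitious account ID, IP addresses and instance ID; the field names follow the CloudTrail record schema, but the triage rules (the `DESTRUCTIVE_PREFIXES` list, the write count) are my own choices, not a CloudTrail feature.

```python
"""Summarize and triage CloudTrail records from a downloaded log file."""
import json
from collections import Counter

# Assumed triage rule (not a CloudTrail setting): API names with these
# prefixes are worth a second look during an investigation.
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Remove", "Revoke", "Deauthorize")

# Constructed sample log file: same shape as a gunzipped CloudTrail object
# in S3. Account ID, IPs and resource IDs are fictitious.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "accountId": "111122223333"},
        "eventTime": "2024-05-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456789a"}]}},
        "readOnly": False, "eventType": "AwsApiCall",
    },
    {   # An assumed role: the session name after the role name identifies the caller.
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/bob",
                         "accountId": "111122223333",
                         "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "AdminRole"}}},
        "eventTime": "2024-05-01T10:16:30Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"userName": "new-user"},
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: iam:CreateUser",
        "readOnly": False, "eventType": "AwsApiCall",
    },
    {
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "accountId": "111122223333"},
        "eventTime": "2024-05-01T10:20:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10", "readOnly": True, "eventType": "AwsApiCall",
    },
]})


def actor(record):
    """The principal behind a record ("who"), with assumed roles resolved to role/session."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "AssumedRole":
        # arn:aws:sts::<acct>:assumed-role/<RoleName>/<SessionName>
        return ident["arn"].rsplit("assumed-role/", 1)[1]
    if kind == "Root":
        return "root"
    if kind == "AWSService":
        return ident.get("invokedBy", "aws-service")
    return ident.get("userName") or ident.get("arn", "unknown")


def resource_of(record):
    """Best-effort "which resource" from requestParameters; the layout differs per API."""
    params = record.get("requestParameters") or {}
    if "instancesSet" in params:
        return ",".join(i["instanceId"] for i in params["instancesSet"]["items"])
    for key in ("bucketName", "userName", "roleName", "groupId", "functionName"):
        if key in params:
            return params[key]
    return "-"


def summarize(record):
    """Who did what to which resource, when, from where, and whether it succeeded."""
    service = record["eventSource"].split(".")[0]
    return {
        "who": actor(record),
        "what": f"{service}:{record['eventName']}",
        "resource": resource_of(record),
        "when": record["eventTime"],
        "where": f"{record.get('sourceIPAddress', '?')} ({record.get('awsRegion', '?')})",
        "ok": "errorCode" not in record,   # CloudTrail adds errorCode only on failure
    }


def triage(log_text):
    """Summaries plus the three things a first pass usually looks for."""
    records = json.loads(log_text)["Records"]
    rows = [summarize(r) for r in records]
    writes = Counter(s["who"] for r, s in zip(records, rows) if not r.get("readOnly", False))
    failed = [s for s in rows if not s["ok"]]
    destructive = [s for s in rows if s["what"].split(":")[1].startswith(DESTRUCTIVE_PREFIXES)]
    return {"events": rows, "writes_by_actor": dict(writes),
            "failed": failed, "destructive": destructive}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["events"]:
        print(f"{e['when']} {e['who']:<14} {e['what']:<24} {e['resource']:<20} "
              f"{e['where']:<26} {'OK' if e['ok'] else 'FAILED'}")
    print("writes by actor:", result["writes_by_actor"])
    print("failed calls:", [f"{e['who']} {e['what']}" for e in result["failed"]])
    print("destructive calls:", [f"{e['who']} {e['what']} {e['resource']}" for e in result["destructive"]])
```

To run it against a real download, replace `SAMPLE_LOG` with the contents of a gunzipped CloudTrail file from the trail's S3 bucket; each file is one JSON object with a `Records` array, so the same `triage` call works unchanged. The `AccessDenied` record is the kind of thing step 5 is about: a failed privileged call from an assumed role is often more interesting than the successful ones around it.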

*Hope this resource was helpful*
