DEV Community

Ismail G.


Day 3 — AWS CloudTrail Setup

Earlier in this AWS infrastructure setup series, we completed the basic AWS account setup:

  • Securing the root account,
  • Enabling MFA,
  • Configuring IAM Identity Center,
  • Setting up billing controls.

Now, the next step is building visibility. It is important to know:

  • who changed what,
  • when it changed,
  • from where it changed,
  • and which API call caused the issue.

If an EC2 instance is deleted or a security group changes unexpectedly, CloudTrail helps you trace the exact action.

Step 1 — Create a CloudTrail Trail

AWS now provides a very good default setup through:
CloudTrail → Quick create

Quick Create automatically configures:

  • Multi-region logging
  • Secure S3 log storage
  • Encryption
  • Log validation
  • Management event tracking

This gives a secure baseline without unnecessary complexity.

Step 2 — Review the Created Trail

After creating a trail with the Quick Create option, let's open the new trail and check what it created.

CloudTrail → Trails
and open the newly created trail.

What to Verify on This Screen

On this page, you can review the overall trail status, logging configuration, storage settings, and the event types currently being monitored across your AWS environment.


Trail Logging
Logging → Enabled
This confirms CloudTrail is actively recording AWS API activity.

Multi-Region Trail
Multi-region trail → Yes
This ensures all AWS regions are covered automatically.

S3 Log Location
CloudTrail automatically created an S3 bucket for log storage.
Example:
aws-cloudtrail-logs-xxxxxxxx
This is where CloudTrail audit logs are stored.

Organization Trail
If you use AWS Organizations, you can enable:
Apply trail to my organization

This allows centralized CloudTrail logging across multiple AWS accounts.

Management Events Configuration

API Activity:
Read → Enabled
Write → Enabled

This records infrastructure-level AWS operations such as:
IAM changes,
EC2 actions,
VPC modifications,
Security Group updates,
Route table changes,
and CloudTrail configuration updates.

Exclude AWS KMS events:
Unchecked
Leaving this unchecked keeps KMS activity in the trail, which gives visibility into encryption-related activity.

Exclude Amazon RDS Data API events:
Unchecked
Leaving this unchecked keeps database Data API activity visible in CloudTrail logs.

Data Events
Disabled, because data events can generate very large volumes of logs.
Examples:

  • S3 object-level access logging
  • Lambda invocation logging
  • DynamoDB object activity

These can significantly increase AWS costs in active environments. You can later enable specific data events only when necessary.

Insights Events
Disabled initially
CloudTrail Insights is an anomaly detection feature that analyzes unusual AWS API activity patterns.
Examples:

  • abnormal API spikes,
  • unusual IAM behavior,
  • unexpected operational activity.

You can enable it later as infrastructure and security requirements grow.
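The checks in Step 2 can also be run against the trail's API description instead of the console. The following is an added example, not code from the original post: it encodes the baseline above (logging on, multi-region, log validation, encryption, Read and Write management events, nothing excluded) as a function over dicts shaped like the AWS CLI `describe-trails`, `get-trail-status` and `get-event-selectors` output. The sample dicts are constructed, the bucket name and KMS key ARN are placeholders, and the encryption check assumes SSE-KMS is wanted.

```python
# Constructed sample data shaped like the output of the AWS CLI commands
# `aws cloudtrail describe-trails`, `get-trail-status` and `get-event-selectors`
# for one trail; the bucket name, key ARN and account id are placeholders.
TRAIL = {
    "Name": "management-events",
    "S3BucketName": "aws-cloudtrail-logs-xxxxxxxx",
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    # Present only when log files use SSE-KMS; absent with S3-managed encryption.
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
    "IsOrganizationTrail": False,
}
STATUS = {"IsLogging": True, "LatestDeliveryError": ""}
SELECTORS = {"EventSelectors": [{
    "ReadWriteType": "All",                 # Read and Write management events
    "IncludeManagementEvents": True,
    "ExcludeManagementEventSources": [],    # KMS and RDS Data API events kept
    "DataResources": [],                    # no data events (cost control)
}]}


def audit_trail(trail, status, selectors):
    """Return the baseline checks that fail; an empty list means the trail is OK."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("logging is disabled")
    if status.get("LatestDeliveryError"):
        findings.append("last S3 delivery failed: " + status["LatestDeliveryError"])
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region; activity in other regions is missed")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is off; log tampering cannot be detected")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with SSE-KMS")
    for sel in selectors.get("EventSelectors", []):
        if not sel.get("IncludeManagementEvents") or sel.get("ReadWriteType") != "All":
            findings.append("management events are not fully recorded (need Read and Write)")
        for src in sel.get("ExcludeManagementEventSources", []):
            findings.append("management events from " + src + " are excluded")
    return findings


if __name__ == "__main__":
    for line in audit_trail(TRAIL, STATUS, SELECTORS) or ["baseline OK"]:
        print(line)
```

Feeding the function the real JSON from the three CLI commands turns this into a quick post-setup check that can be re-run whenever someone touches the trail.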

Understanding the CloudTrail Navigation Menu

After creating the trail, it is useful to understand the main sections inside the CloudTrail console.
As your startup infrastructure grows, these sections become increasingly important for troubleshooting, auditing, and security monitoring.

Dashboard

CloudTrail → Dashboard
The Dashboard provides a high-level overview of CloudTrail activity.
Here you can quickly see:

  • recent event activity,
  • trail health,
  • event trends,
  • and overall logging visibility.

This is usually the first place to check when verifying that CloudTrail is functioning correctly.

Event Coverage

CloudTrail → Event coverage
This section shows how much of your AWS environment is covered by event logging.

An event in CloudTrail is the record of an activity in an AWS account. This activity can be an action taken by an IAM identity or by a service that CloudTrail can monitor. CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

CloudTrail log files aren't an ordered stack trace of the public API calls, so events don't appear in any specific order.

There are four types of CloudTrail events:

  • Management events
  • Data events
  • Network activity events
  • Insights events

Event History

CloudTrail is enabled by default for your AWS account, and you automatically have access to the CloudTrail event history. The event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of management events in an AWS Region.

These events capture activity made through the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs. The event history records events in the AWS Region where the event happened. There are no CloudTrail charges for viewing the event history.

Examples:

  • Who deleted an EC2 instance?
  • Which IAM user modified a policy?
  • When was a security group changed?
  • Which API call created a new resource?

Event History is the primary troubleshooting and audit screen.
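To make the Event History questions above concrete, here is an added example (not code from the original post) that filters CloudTrail log records and reduces each one to who, what, when and from where, as the introduction lists. The records are constructed inline in the CloudTrail log file format, trimmed to the fields used; the account id, ARNs, instance and group ids and IP addresses are placeholders.

```python
import json

# Constructed sample records in the CloudTrail log file format (trimmed to the
# fields used below); account id, ARNs, resource ids and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "carol", "policyName": "inline-admin"}},
    {"eventTime": "2024-05-01T10:25:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7", "errorCode": "UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "dave",
                      "arn": "arn:aws:iam::111122223333:user/dave"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
]})


def summarize(record):
    """Reduce one record to who / what / when / from where."""
    ident = record.get("userIdentity", {})
    # IAM users carry userName; assumed roles only carry the session ARN.
    who = ident.get("userName") or ident.get("arn", "unknown")
    return {
        "who": who,
        "what": record["eventSource"].split(".")[0] + ":" + record["eventName"],
        "when": record["eventTime"],
        "where": record.get("sourceIPAddress", "?") + " (" + record.get("awsRegion", "?") + ")",
        "failed": "errorCode" in record,   # denied calls are logged too
    }


def find_events(log_text, event_name=None, source=None, include_failed=True):
    """Filter records by API name and/or service, e.g. who terminated EC2 instances."""
    out = []
    for rec in json.loads(log_text)["Records"]:
        if event_name and rec.get("eventName") != event_name:
            continue
        if source and rec.get("eventSource") != source:
            continue
        if not include_failed and "errorCode" in rec:
            continue
        out.append(summarize(rec))
    return out
```

Calling `find_events(SAMPLE_LOG, event_name="TerminateInstances")` answers "who deleted an EC2 instance?", and `source="iam.amazonaws.com"` answers "which IAM user modified a policy?"; the `failed` flag keeps denied attempts visible, which matter for detection even though nothing changed.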

Insights

AWS CloudTrail Insights helps AWS users identify and respond to unusual activity associated with API call rates and API error rates by continuously analyzing CloudTrail management and data events.

What is Next?

Once CloudTrail is enabled, every infrastructure action starts leaving an audit trail.

This becomes extremely useful later when you begin working with:

  • Terraform automation
  • CI/CD pipelines
  • IAM role separation
  • production deployments
  • incident response
  • compliance requirements

In the next part of this Startup Infrastructure Setup series, we will focus on Infrastructure Governance and Infrastructure as Code. The next stage will move toward building a scalable, centralized, and team-friendly cloud foundation for startup environments.
