21 Days of AWS using Terraform — Day 12- Introduction to CloudTrail using Terraform

Welcome to Day 12 of 21 Days of AWS using Terraform. The topic for today is Introduction to CloudTrail using Terraform

What Is AWS CloudTrail?

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

  • It’s enabled when the account is created(for 7 days)
  • When activity occurs in your AWS account, that activity is recorded in a CloudTrail event.
  • Entries can be viewed in Event History(for 90 days)
  • Event logs can be aggregated across accounts and regions.


  • Historically CloudTrail was not enabled by default
  • It won’t logs events like SSH/RDP only API call.
CloudTrail Dashboard(Most Recent Events)

Reference: https://aws.amazon.com/blogs/aws/new-aws-api-activity-lookup-in-cloudtrail/

For an ongoing record of activity and events in your AWS account, create a trail. It allows us to send logs to S3 bucket and can be single or multi-region.

To create a trail

Go to AWS Console --> Management & Governance --> CloudTrail --> Trails --> Create trail
* Trail name: Give your trail name
Apply trail to all regions: You have an option to choose all regions or specific region.
Read/Write events: You have the option to filter the events
Data events: Data events provide insights into the resource operations performed on or within a resource
S3: You can record S3 object-level API activity (for example, GetObject and PutObject) for individual buckets, or for all current and future buckets in your AWS account
Lambda:You can record Invoke API operations for individual functions, or for all current and future functions in your AWS account.
Storage Locations: Where to store the logs, we can create new bucket or use existing bucket
Log file prefix: We have the option to provide prefix, this will make it easier to browse log file
Encrypt log file with SSE-KMS:Default SSE-S3 Server side encryption(AES-256) or we can use KMS
Enable log file validation: To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation
Send SNS notification for every log file delivery:SNS notification of log file delivery allow us to take action immediately

To read the complete blog

GitHub Link


Looking forward for you guys to join this journey