What Is AWS CloudTrail?

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

  • It is enabled when the account is created.
  • When activity occurs in your AWS account, that activity is recorded as a CloudTrail event.
  • Entries can be viewed in Event History (for 90 days).
  • Event logs can be aggregated across accounts.

NOTE

  • Historically, CloudTrail was not enabled by default.
  • It does not log events such as SSH/RDP sessions, only API calls.

Reference: https://aws.amazon.com/blogs/aws/new-aws-api-activity-lookup-in-cloudtrail/

For an ongoing record of activity and events in your AWS account, create a trail. A trail delivers logs to an S3 bucket and can be single-region or multi-region.

To create a trail

NOTE:

  • There is always a delay between when an event occurs and when it is displayed on the CloudTrail dashboard. On top of that, there is an additional delay before the log is transferred to the S3 bucket.
  • Log files are delivered about every 5 minutes (while the account is active), with up to a 15-minute delay.
  • All CloudTrail events are JSON structures; you will see something like this when you view any event:
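A constructed sample log file and a small parser, added here as an example (not from the original post), showing the `Records` JSON layout that CloudTrail delivers to S3 and a defender-side check for events that reduce audit visibility. The event names StopLogging, DeleteTrail, UpdateTrail and PutEventSelectors are real CloudTrail API names; the users, IP addresses, times and trail name are made up.

```python
import json

# Constructed sample of one CloudTrail log file as delivered to S3 (not real
# account data): a JSON object whose "Records" array holds one event each.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied"},
]})

# API calls that change what CloudTrail records; each one reduces audit
# visibility, so a defender wants an alert whenever they appear.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def load_records(log_file_text):
    """Parse the JSON body of one CloudTrail log file into its event records."""
    return json.loads(log_file_text).get("Records", [])

def summarize(record):
    """Pull out the fields an analyst looks at first in one event record."""
    identity = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime"),
        "who": identity.get("userName") or identity.get("arn") or identity.get("type"),
        "source_ip": record.get("sourceIPAddress"),
        "service": record.get("eventSource"),
        "event": record.get("eventName"),
        "error": record.get("errorCode"),
    }

def find_alerts(records):
    """Return summaries of events that touch trail config or were denied."""
    alerts = []
    for rec in records:
        if rec.get("eventName") in TRAIL_TAMPERING or rec.get("errorCode"):
            alerts.append(summarize(rec))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(load_records(SAMPLE_LOG_FILE)):
        print(alert)
```

On the sample above the check reports the StopLogging call and the denied DeleteBucket, while the routine DescribeInstances call is left alone.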

Validating CloudTrail Log File Integrity

  • To determine whether a log file was modified, deleted, or left unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.
  • This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing.
  • This makes it computationally infeasible to modify, delete, or forge CloudTrail log files without detection.
  • You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.
  • Validation of logs can only be performed at the command line.
  • We can also configure a trail to send copies of its logs to CloudWatch Logs (a central location that aggregates logs).
  • Go back to the trail we have just configured and click on Configure.
  • Under CloudWatch Logs, you will now see the newly created Log Group.
