# CHAPTER 18
AWS CloudTrail and Auditing
1. Introduction
Imagine waking up on a Monday morning to discover that your production database has been deleted. Your first question isn't "How is the CPU performing?" (CloudWatch). Your first questions are: "WHO did this? WHEN did they do it? From WHAT IP address?" In a corporate environment, compliance and security auditing are mandatory. AWS solves this with AWS CloudTrail, a service that acts as the unalterable security camera for your entire AWS account, recording every single action taken by any user or system.
2. Learning Objectives
By the end of this chapter, you will be able to:
- Contrast CloudWatch (Performance) with CloudTrail (Auditing).
- Understand how CloudTrail records API calls as Events.
- Analyze a CloudTrail JSON event log.
- Identify the 90-day default event history limitation.
- Create a CloudTrail Trail to store permanent compliance logs in S3.
3. Beginner-Friendly Explanation
Imagine a secure bank vault.
- CloudWatch is the thermometer on the wall. It tells you if the vault is getting too hot or if the pressure is dropping. It monitors the *environment*.
- CloudTrail is the security camera pointing at the vault door. It records exactly who swiped their badge, at what exact timestamp, and whether the door opened or denied them access. It monitors *human and system behavior*.
Every time someone clicks a button in the AWS Console, or runs a command in the terminal, it is actually making an API call to AWS. CloudTrail records every single API call.
4. Anatomy of a CloudTrail Event
When you look at CloudTrail, you see a list of JSON records. A typical event contains critical forensic data:
- userIdentity: Who made the request? (e.g., IAM user Alice).
- eventName: What did they do? (e.g., TerminateInstances or DeleteDBInstance).
- eventTime: When did it happen? (e.g., 2023-10-15T14:32:00Z).
- sourceIPAddress: Where did they do it from? (e.g., 198.51.100.42).
- errorCode: Was it successful, or were they denied by an IAM policy?
5. Event History vs. Trails
When you create an AWS account, CloudTrail is enabled by default for free. However, the default "Event History" only retains data for the past 90 days. If a hacker breaches your account, creates a backdoor, and you discover it 6 months later, the default logs will be gone, leaving you with zero forensic evidence.
The Solution: Create a Trail. Enterprises explicitly create a "Trail" that continuously exports all CloudTrail logs to a highly secure S3 Bucket. Once the logs are in S3, they are kept permanently.
6. Security and Compliance Use Cases
- Auditing: A regulatory body (like HIPAA in healthcare) demands proof that only authorized personnel accessed patient data servers. You provide the CloudTrail logs as cryptographic proof.
- Troubleshooting: A developer complains that their EC2 instance disappeared. You check CloudTrail, filter by TerminateInstances, and discover an Auto Scaling Group automatically deleted it based on a scaling policy.
- Security Analysis: You connect CloudTrail to AWS GuardDuty (an AI threat detection service). GuardDuty reads the logs and alerts you: "User Alice just logged in from North Korea, which has never happened before!"
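The fields from section 4 and the TerminateInstances investigation above, worked as an added example (not code from the chapter): a constructed CloudTrail log file is parsed, filtered by event name the way the console's "Event name" lookup does, and each hit is reduced to who / what / when / where / denied. The userIdentity.invokedBy field is what distinguishes a call made by an AWS service (such as Auto Scaling) on your behalf from one made by a human.

```python
import json
from datetime import datetime, timezone

# Constructed sample log in the CloudTrail delivery shape ({"Records": [...]}); not real account data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-10-15T14:32:00Z", "eventName": "TerminateInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.42",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"}},
    {"eventTime": "2023-10-15T14:35:10Z", "eventName": "TerminateInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "autoscaling.amazonaws.com",
     # A service-initiated call: no userName, but invokedBy names the service.
     "userIdentity": {"type": "AssumedRole", "invokedBy": "autoscaling.amazonaws.com"}},
    {"eventTime": "2023-10-15T14:40:00Z", "eventName": "DeleteDBInstance",
     "eventSource": "rds.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "Bob"},
     "errorCode": "AccessDenied"},
]})

def load_records(log_text: str) -> list:
    """Unwrap the 'Records' envelope that every CloudTrail log file uses."""
    return json.loads(log_text)["Records"]

def summarize(event: dict) -> dict:
    """Answer the forensic questions for one record: who, what, when, where, and did it fail."""
    ident = event.get("userIdentity", {})
    service = ident.get("invokedBy")          # present only when an AWS service made the call
    who = service or ident.get("userName") or ident.get("arn", "unknown")
    return {
        "who": who,
        "what": event["eventName"],
        "when": datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "where": event.get("sourceIPAddress"),
        "service_initiated": service is not None,
        "failed": "errorCode" in event,        # absent errorCode means the API call succeeded
        "error": event.get("errorCode"),
    }

def lookup(records: list, event_name: str) -> list:
    """Equivalent of the console's 'Lookup attributes -> Event name' filter."""
    return [summarize(e) for e in records if e["eventName"] == event_name]

if __name__ == "__main__":
    for hit in lookup(load_records(SAMPLE_LOG), "TerminateInstances"):
        print(hit)
```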
7. Mini Project: Track AWS Account Activities
Let's play forensic investigator and see exactly what we've been doing in this course.
Step-by-Step Tutorial:
- 1. Open the AWS Console and search for CloudTrail.
- 2. In the left-hand menu, click Event history.
- 3. You will see a chronological list of every action taken in your account recently!
- 4. Let's filter the logs. Click the Lookup attributes dropdown and select Event name.
- 5. In the search box, type RunInstances (the API name for launching an EC2 server) and press Enter.
- 6. Click on the event. Look at the JSON record. You will be able to see the exact time you launched your server in Chapter 4, the Instance Type you chose, and the IP address of your home internet!
8. Best Practices
- Log File Validation: When you create a Trail to save logs to S3, enable "Log File Validation." This creates cryptographic hashes of the logs. If a malicious rogue employee deletes a server and then tries to secretly modify the S3 log file to cover their tracks, the cryptographic hash will break, immediately alerting auditors to the tampering.
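The tamper check that Log File Validation performs, as an added, deliberately simplified example (not AWS code): a digest records the SHA-256 of each delivered log file, and re-hashing the stored file later reveals any edit. Real CloudTrail digest files also carry a signature over the digest made with an AWS-held private key; that signature, which stops an attacker from simply rewriting the digest too, is omitted here.

```python
import gzip
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_digest(log_files: dict) -> dict:
    """Simplified stand-in for a CloudTrail digest: one SHA-256 per delivered log object."""
    return {"logFiles": [{"s3Object": name, "hashValue": sha256_hex(content)}
                         for name, content in log_files.items()]}

def validate(digest: dict, log_files: dict) -> list:
    """Return the names of log objects whose current contents no longer match the digest."""
    return [entry["s3Object"] for entry in digest["logFiles"]
            if sha256_hex(log_files.get(entry["s3Object"], b"")) != entry["hashValue"]]

def _gz(obj: dict) -> bytes:
    # CloudTrail delivers gzipped JSON; mtime=0 keeps the bytes deterministic for the demo.
    return gzip.compress(json.dumps(obj).encode(), mtime=0)

# Constructed log object and its digest, as they would sit in the trail's S3 bucket.
LOG_KEY = "2023/10/15/example_CloudTrail.json.gz"   # placeholder key, not a real path
ORIGINAL = {LOG_KEY: _gz({"Records": [
    {"eventName": "TerminateInstances", "userIdentity": {"userName": "Alice"}}]})}
DIGEST = make_digest(ORIGINAL)

def tampered_copy() -> dict:
    """The same log object after someone rewrote the actor's name to cover their tracks."""
    return {LOG_KEY: _gz({"Records": [
        {"eventName": "TerminateInstances", "userIdentity": {"userName": "Mallory"}}]})}

if __name__ == "__main__":
    print("untouched:", validate(DIGEST, ORIGINAL))       # []
    print("tampered: ", validate(DIGEST, tampered_copy()))  # [LOG_KEY]
```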
9. Common Mistakes
- Ignoring Global Events: IAM (Identity and Access Management) is a global service located in N. Virginia (us-east-1). If you are working in London (eu-west-2), and you look at your regional CloudTrail, you might not see IAM user creations. Always ensure your Trail is configured to capture "Global Service Events" across all regions!
10. Exercises
- 1. Define the fundamental difference in purpose between AWS CloudWatch and AWS CloudTrail.
- 2. Why is the default 90-day Event History insufficient for enterprise compliance?
11. MCQs with Answers
- 1. An administrator suspects an unauthorized IAM user maliciously deleted a critical DynamoDB table. Which AWS service should the administrator query to find the exact username, IP address, and timestamp of the deletion event?
- 2. By default, how many days does the AWS CloudTrail Event History retain logs before they are permanently deleted?
12. Interview Questions
- Q: Contrast CloudWatch and CloudTrail. In a post-mortem incident review following a server outage, how would an engineering team utilize both services together to find the root cause?
- Q: Explain the necessity of creating a custom CloudTrail "Trail" that exports to an Amazon S3 bucket, rather than relying solely on the default console dashboard.
13. FAQs
Q: Can I set an alarm using CloudTrail? A: Yes! You can integrate CloudTrail with CloudWatch Alarms. For example, you can create a metric filter that scans the CloudTrail logs for the event ConsoleLogin where the status equals Failure. If someone fails to log in 5 times in a minute, a CloudWatch Alarm triggers and emails the security team.
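The "5 failures in a minute" rule from the FAQ, as an added example (not code from the chapter): the same condition a metric filter would match is applied over constructed ConsoleLogin records, counted per user in a sliding one-minute window, and reported once when the threshold is crossed. The filter pattern in the comment is the assumed CloudWatch Logs equivalent, not text from the page.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Assumed equivalent CloudWatch Logs metric filter pattern:
#   { ($.eventName = "ConsoleLogin") && ($.responseElements.ConsoleLogin = "Failure") }

def is_failed_console_login(event: dict) -> bool:
    """Failed console sign-ins carry responseElements.ConsoleLogin == 'Failure'."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Failure")

def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def bursts(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> list:
    """Return (userName, eventTime) for each moment a user reaches `threshold` failures within `window`."""
    recent = {}   # userName -> deque of failure timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not is_failed_console_login(ev):
            continue
        user = ev.get("userIdentity", {}).get("userName", "unknown")
        now = parse_time(ev["eventTime"])
        q = recent.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > window:      # expire failures older than the window
            q.popleft()
        if len(q) == threshold:               # fire once, when the count first crosses the line
            alerts.append((user, ev["eventTime"]))
    return alerts

def _login(user: str, second: int, outcome: str) -> dict:
    # Constructed ConsoleLogin record, all within 2023-10-15T14:32.
    return {"eventName": "ConsoleLogin", "eventTime": f"2023-10-15T14:32:{second:02d}Z",
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": outcome}}

# Alice fails five times in 40 seconds, then succeeds; Bob fails once.
SAMPLE_EVENTS = ([_login("Alice", s, "Failure") for s in (0, 10, 20, 30, 40)]
                 + [_login("Bob", 5, "Failure"), _login("Alice", 50, "Success")])

if __name__ == "__main__":
    print(bursts(SAMPLE_EVENTS))   # [('Alice', '2023-10-15T14:32:40Z')]
```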