# AWS CloudTrail

Core concept: CloudTrail records every API call made in your AWS account: who did what, when, and from where.

## CloudWatch vs CloudTrail
| | CloudWatch | CloudTrail |
|---|---|---|
| What it monitors | Resource performance & application logs | AWS API calls (who/what/when/where) |
| Use case | "My Lambda is erroring" | "Who deleted that S3 bucket?" |
| Data type | Metrics, logs | API events |
| Retention | Configurable | 90 days (free), longer via S3 trail |
## Event Types
| Type | Description | Examples |
|---|---|---|
| Management Events | Control plane: operations on AWS resources | CreateBucket, RunInstances, AssumeRole |
| Data Events | Data plane: operations on the data inside resources | S3:GetObject, Lambda:Invoke, DynamoDB:PutItem |
| Insights Events | Unusual API activity detection | Spike in TerminateInstances |
Data events are not enabled by default: they generate high volume (every S3 GET is an event) and cost extra. Enable them selectively.

## Trails
- Event History: Free, 90-day rolling window, management events only
- Trail: Delivers events to S3 (and optionally CloudWatch Logs) for long-term retention
```bash
# Create a trail
aws cloudtrail create-trail \
  --name my-audit-trail \
  --s3-bucket-name my-cloudtrail-logs \
  --include-global-service-events \
  --is-multi-region-trail   # Capture events from ALL regions
```
Always create a multi-region trail to capture API calls from all regions including global services (IAM, STS, CloudFront).
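To make the multi-region and global-service advice checkable rather than just remembered, here is an added example (not from the original notes or from AWS) that audits trail configuration offline. It operates on a constructed dictionary in the shape of boto3's `cloudtrail.describe_trails()` response; the trail names, bucket names and ARNs are made up, and the `CloudWatchLogsLogGroupArn` check assumes you also want the trail forwarded to CloudWatch Logs for alarming.

```python
# Constructed samples in the shape of boto3's cloudtrail.describe_trails() response.
# Trail names, bucket names and account IDs are made up for this example.
WEAK_TRAILS = {"trailList": [
    {"Name": "legacy-trail", "S3BucketName": "legacy-logs",
     "IncludeGlobalServiceEvents": False, "IsMultiRegionTrail": False,
     "HomeRegion": "us-west-2",
     "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/legacy-trail"},
]}

GOOD_TRAILS = {"trailList": [
    {"Name": "my-audit-trail", "S3BucketName": "my-cloudtrail-logs",
     "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": True,
     "HomeRegion": "us-east-1",
     "CloudWatchLogsLogGroupArn":
         "arn:aws:logs:us-east-1:123456789012:log-group:cloudtrail:*",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/my-audit-trail"},
]}


def audit_trails(response):
    """Return a list of (trail name, finding) tuples. An empty list means
    the account has at least one multi-region trail that also captures
    global service events and forwards to CloudWatch Logs."""
    findings = []
    trails = response.get("trailList", [])
    if not trails:
        # Without a trail you only have the free 90-day Event History.
        return [("<account>", "no trail configured: only the 90-day Event History exists")]

    has_full_coverage = False
    for t in trails:
        name = t.get("Name", "?")
        if not t.get("IsMultiRegionTrail"):
            findings.append((name, "single-region trail: API calls made in other regions are not captured"))
        if not t.get("IncludeGlobalServiceEvents"):
            findings.append((name, "global service events (IAM, STS, CloudFront) are not included"))
        if not t.get("CloudWatchLogsLogGroupArn"):
            findings.append((name, "not delivered to CloudWatch Logs: metric filters and alarms cannot be built on it"))
        if t.get("IsMultiRegionTrail") and t.get("IncludeGlobalServiceEvents"):
            has_full_coverage = True

    if not has_full_coverage:
        findings.append(("<account>", "no trail covers all regions plus global services"))
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_TRAILS), ("good", GOOD_TRAILS)):
        print(label, audit_trails(resp) or "OK")
```

In a live account you would pass the real `describe_trails()` result in place of the constructed dictionaries; the checks themselves do not change.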
## CloudTrail Insights
Detects unusual API activity:
- Error rate spikes
- Unexpected resource provisioning
- Service limit approaches
## Integration with CloudWatch

```
CloudTrail → S3 (raw events) → CloudWatch Logs (via trail config)
                                      ↓
                        Metric Filter: "Unauthorized API calls"
                                      ↓
                     CloudWatch Alarm → SNS → PagerDuty
```
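The pipeline above is easier to reason about when you see what the metric filter actually matches. The following is an added example, not code from the original notes or from AWS: it loads a constructed CloudTrail log file (the `{"Records": [...]}` JSON that a trail delivers to S3, minus the gzip), emulates the CIS AWS Foundations metric-filter pattern for unauthorized API calls, `{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }`, and also answers the "who deleted that table?" question from the practice section. The identities, IP addresses and timestamps in the sample are made up, and `fnmatch` wildcards are an approximation of CloudWatch Logs filter-pattern matching.

```python
import json
import fnmatch
from collections import Counter

# Constructed CloudTrail log file content (shape of a delivered S3 log object).
# Users, account ID, IPs and timestamps are fabricated for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-12T14:02:11Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"tableName": "orders"}},
    {"eventTime": "2024-03-12T14:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventTime": "2024-03-12T14:06:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2024-03-12T14:09:15Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]})

# Wildcards from the CIS metric filter for unauthorized API calls:
# { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
UNAUTHORIZED_PATTERNS = ("*UnauthorizedOperation", "AccessDenied*")


def load_records(log_text):
    """Parse one delivered log file into its list of event records."""
    return json.loads(log_text).get("Records", [])


def is_unauthorized(record):
    """True if the record's errorCode matches the metric filter pattern."""
    code = record.get("errorCode", "")
    return any(fnmatch.fnmatchcase(code, p) for p in UNAUTHORIZED_PATTERNS)


def unauthorized_calls_by_principal(records):
    """Emulate the metric filter, but keep the count per caller ARN so the
    alarm message can say who is generating the denials."""
    counts = Counter()
    for r in records:
        if is_unauthorized(r):
            counts[r.get("userIdentity", {}).get("arn", "unknown")] += 1
    return counts


def alarm_breached(counts, threshold=1):
    """The CloudWatch Alarm step: principals whose count reaches the threshold."""
    return {arn: n for arn, n in counts.items() if n >= threshold}


def find_callers(records, event_source, event_name):
    """Answer 'who did X?': (time, caller ARN, source IP, request parameters)
    for every successful call matching the given service and API name."""
    return [
        (r["eventTime"], r["userIdentity"].get("arn"),
         r.get("sourceIPAddress"), r.get("requestParameters"))
        for r in records
        if r.get("eventSource") == event_source
        and r.get("eventName") == event_name
        and "errorCode" not in r  # failed calls never deleted anything
    ]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("unauthorized:", unauthorized_calls_by_principal(recs))
    print("DeleteTable callers:", find_callers(recs, "dynamodb.amazonaws.com", "DeleteTable"))
```

Real log objects are gzip-compressed, so in practice you would `gzip.open()` each S3 object before calling `load_records`; once the trail forwards to CloudWatch Logs, the same pattern becomes a metric filter and the per-principal breakdown is what you would put in the alarm notification.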
## Practice Questions
Q1. A security team needs to know who deleted an important DynamoDB table last Tuesday. Which service should they use?
A) CloudWatch Logs
B) CloudTrail Event History
C) X-Ray
D) Config
**Answer & Explanation**

B: CloudTrail records all DeleteTable API calls with the caller's identity, IP, time, and request parameters. CloudWatch tracks performance metrics, not API calls.
Q2. By default, CloudTrail Event History is retained for how long?
A) 7 days
B) 30 days
C) 90 days
D) 1 year
**Answer & Explanation**

C: CloudTrail's built-in Event History retains management events for 90 days at no charge. For longer retention or data events, create a Trail that delivers to S3.