AWS CloudTrail is a service that provides a record of actions taken by a user, role, or AWS service in an AWS account. It logs all API calls, including calls from the AWS Management Console, AWS SDKs, and command-line tools.
CloudTrail enables governance, compliance, and operational and risk auditing of your AWS environment. The service can track changes made to AWS resources and store the event history in an Amazon S3 bucket. CloudTrail also supports real-time monitoring of security and operational problems through CloudWatch or other analysis tools.
What are the benefits of CloudTrail?
- Change Tracking: Engineers can use CloudTrail to monitor and review changes to AWS resources. It records important information about each action, including who made the request, the services used, the actions performed, parameters for the actions, and the response elements returned by the AWS service. This precise tracking of modifications made by users, roles, or services aids in debugging, troubleshooting and forensic analysis.
- Audit and Compliance: By automatically logging all actions and API calls made within your AWS environment, CloudTrail creates detailed records for regulatory and compliance purposes.
- Security: By capturing every API call, CloudTrail enables security analysts to automatically detect abnormal activity and potential security vulnerabilities. For example, you can use CloudWatch Events integration to set up real-time alerts and trigger automated workflows in response to specific API activities detected by CloudTrail.
- Integration with AWS Services: CloudTrail can closely integrate with other AWS services like AWS Config, Amazon CloudWatch, and AWS Lambda, enabling automated responses to event logs for enhanced monitoring and management.
- Multi-Region and Multi-Account Management: You can use CloudTrail to get a unified operational view; it aggregates activity logs from multiple AWS regions and accounts into a single dashboard. This centralized logging helps in managing large-scale deployments and simplifying oversight across diverse AWS environments.
- Customizable Storage and Retention: With CloudTrail, engineers have the flexibility to specify log storage locations and retention periods in Amazon S3. You might make customizations based on priorities like cost-effectiveness, data governance policies, etc.
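To make the "who, what, parameters, response" fields concrete, the following added example (not code from the page or from nOps) parses a CloudTrail log file in the `{"Records": [...]}` layout and runs a small defender-side detection rule over it. All record values, the account ID `111122223333`, the IP addresses and the trail and bucket names are constructed for the example; the set of API names treated as tampering with the audit trail is this example's own choice.

```python
"""Parse a CloudTrail log file and summarise who did what, then flag calls
that change or disable the audit trail itself. Added illustration; the log
content below is constructed, not a real capture."""
import json

# Constructed sample in CloudTrail's log-file shape ({"Records": [...]}).
# Account ID 111122223333 and the TEST-NET addresses are documentation placeholders.
SAMPLE_LOG_FILE = json.dumps({
    "Records": [
        {
            "eventVersion": "1.08",
            "eventTime": "2024-05-01T10:15:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.23",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::111122223333:user/alice"},
            "requestParameters": {"instanceType": "t3.micro", "maxCount": 1},
            "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc123example"}]}},
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2024-05-01T10:20:00Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.7",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"},
            "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"},
            "responseElements": None,
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2024-05-01T10:21:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutBucketPolicy",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.7",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"},
            "requestParameters": {"bucketName": "cloudtrail-logs-example"},
            "responseElements": None,
            "errorCode": "AccessDenied",
        },
    ]
})

# API calls that alter or disable the trail. Which names belong here is a
# choice made for this example; tune it to your own environment.
LOGGING_TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
}


def parse_records(log_file_text):
    """Return one flat summary dict per record: who, service, action, params, response."""
    records = json.loads(log_file_text)["Records"]
    summaries = []
    for r in records:
        ident = r.get("userIdentity", {})
        summaries.append({
            "time": r["eventTime"],
            "who": ident.get("arn") or ident.get("userName") or ident.get("type", "unknown"),
            "service": r["eventSource"],
            "action": r["eventName"],
            "params": r.get("requestParameters") or {},
            "response": r.get("responseElements") or {},
            "error": r.get("errorCode"),
            "source_ip": r.get("sourceIPAddress"),
        })
    return summaries


def find_logging_tampering(summaries):
    """Detection rule: calls whose (service, action) is in LOGGING_TAMPER_EVENTS."""
    return [s for s in summaries
            if s["action"] in LOGGING_TAMPER_EVENTS.get(s["service"], set())]


def find_failed_calls(summaries):
    """Calls that returned an errorCode (for example AccessDenied); useful for spotting permission probing."""
    return [s for s in summaries if s["error"]]


if __name__ == "__main__":
    summaries = parse_records(SAMPLE_LOG_FILE)
    for s in summaries:
        print(f'{s["time"]} {s["who"]} {s["service"]} {s["action"]} error={s["error"]}')
    for s in find_logging_tampering(summaries):
        print("ALERT: audit trail changed:", s["who"], s["action"], s["params"])
```

In a real pipeline the same functions would run over the gzipped log objects CloudTrail delivers to S3, or over records forwarded to CloudWatch Logs; the alert on `StopLogging` is the kind of rule the "Security" bullet above refers to.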
How does CloudTrail work?
CloudTrail Events
CloudTrail Management Events:
CloudTrail Data Events:
CloudTrail Insights Events:
Insights events are generated by analyzing variations from typical API call volumes and error rates, providing notifications about unusual activities in your AWS account. This includes spikes in resource provisioning, bursts of AWS Identity and Access Management (IAM) actions, or gaps in periodic maintenance activity patterns. These events help users to identify and respond to potential irregularities in account activity.
Insights events also need to be explicitly enabled on trails or event data stores. They incur an additional cost and are logged separately in the destination S3 bucket or event data store. Users can view up to 90 days of Insights events through the CloudTrail console or by using the AWS CLI.
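The idea behind Insights events, comparing current API call volume and error rate with a baseline, can be reproduced in miniature. The example below is added here and is not CloudTrail's own Insights algorithm (AWS does not publish its internals); it builds a per-hour baseline for each `eventName` from earlier hours and flags an hour whose call count or error rate exceeds mean plus three standard deviations. The event list is constructed inside the block: 48 steady hours of `RunInstances` followed by one hour with a burst of mostly failing calls.

```python
"""Insights-style baseline detection over CloudTrail management events.
Added, simplified illustration; the event stream is constructed below."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def build_sample_events():
    """Constructed sample: 48 hours of ~5 RunInstances calls per hour (one failing
    every other hour), then one hour with 80 calls of which 60 are denied."""
    start = datetime(2024, 5, 1, tzinfo=timezone.utc)
    events = []
    for hour in range(48):
        t = start + timedelta(hours=hour)
        for i in range(5):
            failed = (i == 0 and hour % 2 == 0)
            events.append({"eventTime": (t + timedelta(minutes=i * 7)).isoformat(),
                           "eventName": "RunInstances",
                           "errorCode": "Client.InstanceLimitExceeded" if failed else None})
    burst = start + timedelta(hours=48)
    for i in range(80):
        events.append({"eventTime": (burst + timedelta(seconds=i * 30)).isoformat(),
                       "eventName": "RunInstances",
                       "errorCode": "Client.UnauthorizedOperation" if i < 60 else None})
    return events


def hourly_stats(events):
    """Bucket events by (hour, eventName); return call and error counters."""
    calls, errors = Counter(), Counter()
    for e in events:
        hour = datetime.fromisoformat(e["eventTime"]).replace(minute=0, second=0, microsecond=0)
        key = (hour, e["eventName"])
        calls[key] += 1
        if e.get("errorCode"):
            errors[key] += 1
    return calls, errors


def detect_insights(events, min_baseline_hours=24, sigma=3.0, min_calls=10):
    """Flag buckets whose volume or error rate exceeds mean + sigma*stddev of
    all earlier buckets for the same eventName. Buckets with fewer than
    min_calls calls are ignored so a single stray error cannot trip the rule."""
    calls, errors = hourly_stats(events)
    by_name = defaultdict(list)  # eventName -> [(hour, calls, errors), ...]
    for (hour, name), n in calls.items():
        by_name[name].append((hour, n, errors[(hour, name)]))
    findings = []
    for name, buckets in by_name.items():
        buckets.sort()
        for i, (hour, n, err) in enumerate(buckets):
            history = buckets[:i]
            if len(history) < min_baseline_hours or n < min_calls:
                continue
            vols = [h[1] for h in history]
            rates = [h[2] / h[1] for h in history]
            vol_threshold = mean(vols) + sigma * pstdev(vols)
            rate_threshold = mean(rates) + sigma * pstdev(rates)
            reasons = []
            if n > vol_threshold:
                reasons.append(f"volume {n} > {vol_threshold:.1f}")
            if err / n > rate_threshold:
                reasons.append(f"error rate {err / n:.2f} > {rate_threshold:.2f}")
            if reasons:
                findings.append({"hour": hour.isoformat(), "eventName": name,
                                 "calls": n, "errors": err, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_insights(build_sample_events()):
        print(f["hour"], f["eventName"], f["calls"], "calls,", f["errors"], "errors:", "; ".join(f["reasons"]))
```

The baseline here is deliberately naive (a flat mean over all prior hours); a production rule would account for daily and weekly seasonality and would group by caller identity as well as by API name, but the shape of the comparison is the same one Insights events report on.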
CloudTrail Event History
AWS CloudTrail Event History provides a secure and searchable record of the past 90 days of management events in an AWS Region. Accessible directly from the AWS CloudTrail console, users can view, search, and download this data without any additional configuration or cost.
Events can be filtered by attribute in the console or with the AWS CLI (the aws cloudtrail lookup-events command) or the LookupEvents API operation. Event history is independent of any trails or event data stores in your account and is not affected by configuration changes you make to them.
There are no CloudTrail charges for viewing the Event history page or running the lookup-events command.
CloudTrail Lake / Event Data Stores
CloudTrail Lake allows users to aggregate, manage, and analyze events from AWS services such as AWS Audit Manager and AWS Config as well as from external sources. Users can create single-region or multi-region event data stores within AWS or for a specific AWS organization, encrypting the data using AWS KMS.
Charges are incurred based on data ingestion, storage duration, and query operations. Key features include querying event data using SQL, saving query results to an S3 bucket, and ensuring the integrity of query results.
CloudTrail Trails
CloudTrail Trails are configurations that direct the delivery of event logs to specified Amazon S3 buckets. These trails can be set up as either multi-region or single-region, and can log management events, data events, and Insights events.
Trails support encryption and can be integrated with Amazon CloudWatch Logs and Amazon EventBridge for real-time event analysis. Creating a multi-region trail is considered a best practice for capturing activities across all regions.
CloudTrail Channels
CloudTrail supports integration with external sources through CloudTrail Lake channels, which can be configured to receive events from non-AWS sources such as on-premises systems or other cloud environments. These channels help in managing and analyzing data from hybrid environments.
Service-linked channels, configured by AWS services, automatically apply event selectors and regional settings to streamline event logging.
What are AWS CloudTrail Best Practices?
#1: Enable CloudTrail in All Regions:
#2: Integrate with AWS CloudWatch and AWS Config:
#3: Use CloudTrail Insights for Proactive Monitoring:
#4: Set up separate trails for different use cases:
#5: Restrict Access to CloudTrail logs and ensure Log File Integrity:
#6: Enable MFA-delete and versioning on the Amazon S3 Bucket storing log files:
#7: Turn on data events for trails:
CloudTrail Frequently Asked Questions
What logs are in CloudTrail?
What is CloudWatch vs CloudTrail?
AWS CloudWatch and AWS CloudTrail are both monitoring services offered by AWS, but they serve different purposes. CloudWatch primarily focuses on performance monitoring. CloudWatch logs and metrics help you understand how your applications and services are performing. It allows you to set alarms and visualize data using dashboards for operational health.
CloudTrail, on the other hand, is focused on auditing and governance, tracking every API call made to your AWS account for security and compliance monitoring.
What is CloudWatch vs X-Ray?
AWS CloudWatch and AWS X-Ray provide different types of insights into your applications. CloudWatch is focused on metrics and logging for your AWS infrastructure and applications.
In contrast, AWS X-Ray is a distributed tracing service from AWS that helps analyze and debug applications by providing a complete view of requests as they traverse through the system. It enables developers to trace the path of individual requests from the front end to the backend and gives insights into how these requests interact with different components of the application. This helps in identifying bottlenecks, pinpointing the root cause of issues, and optimizing application performance.
Monitor your cloud spend with nOps
If you’re looking to save on AWS, nOps Business Contexts makes it easy and painless to understand your cloud spend.
Business Contexts transforms millions of rows of contextless data into the who, what, when and why of cloud spend — making it easy to get 100% visibility of your cloud costs and usage so your bills are never a surprise or mystery.
- Allocate 100% of your AWS costs, including EKS. Kubernetes costs are often a black box — no longer with nOps. Understand and allocate your unified AWS spend in one platform.
- Automated resource tagging. You don’t need to have all your resources tagged to allocate costs. Create dynamic rules by region, tags, operation, accounts, and usage types to allocate costs back to custom cost centers.
- 40+ views & filters. Map hourly costs by any relevant engineering concept (deployment, service, namespace, label, pod, container…) or finance concept (cost unit, purchase type, line item, cost allocation tag…).
- Custom reports & dashboards for the whole team. Monthly reporting and reconciliation can take hours; with nOps only minutes. Tailor dashboards and Slack/email reports to your needs, whether you’re a CFO or VP of Engineering.
The best part? nOps is an all-in-one solution for all of your cloud optimization needs: automated commitment management, rightsizing, resource scheduling, workload management, Spot usage, storage optimization, and more.
Join our customers using nOps to understand your cloud costs and leverage automation with complete confidence by booking a demo today!