
AWS CloudTrail is a service that records the actions taken by a user, role, or AWS service in an AWS account. It captures API activity from the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. Management (control-plane) events are recorded for supported services by default; data-plane events, such as S3 object reads and writes, must be enabled explicitly.

CloudTrail enables governance, compliance, and operational and risk auditing of your AWS environment. The service tracks changes made to AWS resources and stores the event history in an Amazon S3 bucket. It also supports near-real-time security and operational monitoring by delivering events to Amazon CloudWatch Logs, Amazon EventBridge, or other analysis tools.

What are the benefits of CloudTrail?

  • Change Tracking: Engineers can use CloudTrail to monitor and review changes to AWS resources. Each event records who made the request (the IAM identity and its session), the service and action called, the request parameters, the response elements returned, the source IP address, and the user agent. This precise tracking of modifications made by users, roles, or services aids debugging, troubleshooting, and forensic analysis.
  • Audit and Compliance: By logging management activity in your AWS account automatically, CloudTrail creates detailed records for regulatory and compliance purposes.
  • Security: Because API activity is captured centrally, security teams can detect suspicious behavior such as trail modifications, root-account use, or console logins without MFA. For example, you can deliver a trail to CloudWatch Logs and use metric filters and alarms, or use Amazon EventBridge rules, to alert on and automatically respond to specific API activity.
  • Integration with AWS Services: CloudTrail integrates with services such as AWS Config, Amazon CloudWatch, Amazon EventBridge, and AWS Lambda, enabling automated responses to logged events for enhanced monitoring and management.
  • Multi-Region and Multi-Account Management: A multi-region trail captures activity from every region, and an organization trail created from the AWS Organizations management account captures activity from every member account, delivering all of it to a single S3 bucket (and, optionally, a single CloudWatch Logs log group). This centralized logging simplifies oversight of large-scale deployments.
  • Customizable Storage and Retention: CloudTrail delivers logs to an S3 bucket you choose, and S3 lifecycle rules control how long they are retained or when they move to cheaper storage classes, so retention can be tuned to cost and data-governance requirements.

How does CloudTrail work?

Let’s break down CloudTrail’s event types and its key features: Event History, CloudTrail Lake, trails, Insights, and channels.

CloudTrail Events

There are three types of CloudTrail events:

CloudTrail Management Events:

These events provide visibility into management (control-plane) operations performed on resources in your AWS account. Management events include API calls made using the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This category typically includes operations that modify your environment, such as launching EC2 instances, creating an S3 bucket, or setting up IAM roles, and it is logged by default.

CloudTrail Data Events:

These are higher-volume events that record data-plane operations performed on or within a resource. Examples include Amazon S3 object-level operations (GetObject, PutObject, DeleteObject), AWS Lambda function invocations (Invoke), and Amazon DynamoDB item-level operations. Data events are not recorded by default, must be explicitly enabled on a trail or event data store, and are charged per event, so enable them selectively or use advanced event selectors to narrow them to the resources you need.

CloudTrail Insights Events:

Insights events are generated when CloudTrail detects unusual API call volumes or error rates relative to the account’s normal baseline of write management events, for example a spike in resource provisioning, a burst of AWS Identity and Access Management (IAM) actions, an unexpected rise in access-denied errors, or gaps in periodic maintenance activity. These events help users identify and respond to potential irregularities in account activity.

Insights events also need to be explicitly enabled on trails or event data stores. They incur an additional cost and are logged separately in the destination S3 bucket or event data store. Users can view up to 90 days of Insights events through the CloudTrail console or by using the AWS CLI.

CloudTrail Event History

AWS CloudTrail Event History provides a secure and searchable record of the past 90 days of management events in an AWS Region. Accessible directly from the AWS CloudTrail console, users can view, search, and download this data without any additional configuration or cost.

Events can be filtered by attributes through the console or by using the AWS CLI with the aws cloudtrail lookup-events command or the LookupEvents API operation. The Event history is not connected to any trails or event data stores that exist in your account and is not affected by configuration changes you make to your trails and event data stores.

There are no CloudTrail charges for viewing the Event history page or running the lookup-events command.

The CloudTrail Event history page (image source: AWS)

CloudTrail Lake / Event Data Stores

CloudTrail Lake lets users aggregate, manage, and analyze events in an event data store. It can ingest CloudTrail management, data, and Insights events, configuration items from AWS Config, evidence from AWS Audit Manager, and events from sources outside AWS delivered through channels. Event data stores can be single- or multi-region, can be scoped to an AWS organization, and can be encrypted with an AWS KMS key you own.

Charges are based on the volume of data ingested, how long it is retained, and the amount of data scanned by queries. Key features include querying event data with SQL, saving query results to an S3 bucket, and validating the integrity of saved query results.

View account activity in the CloudTrail Lake Dashboard (image source: AWS)

CloudTrail Trails

CloudTrail Trails are configurations that direct the delivery of event logs to specified Amazon S3 buckets. These trails can be set up as either multi-region or single-region, and can log management events, data events, and Insights events.

Log files delivered to S3 are encrypted at rest with SSE-S3 by default, or with an AWS KMS key you control if you choose SSE-KMS. Trails can also deliver events to Amazon CloudWatch Logs, and management events are available to Amazon EventBridge rules, for near-real-time analysis and alerting. Creating a multi-region trail is the recommended way to capture activity across all regions, including any enabled later.

CloudTrail Trails (image source: AWS)

CloudTrail Channels

CloudTrail supports integration with external sources through CloudTrail Lake channels, which can be configured to receive events from non-AWS sources such as on-premises systems or other cloud environments. These channels help in managing and analyzing data from hybrid environments.

Service-linked channels, configured by AWS services, automatically apply event selectors and regional settings to streamline event logging.

What are AWS CloudTrail Best Practices?

Here are some quick best practices to ensure you’re leveraging CloudTrail effectively.

#1: Enable CloudTrail in All Regions:

To ensure comprehensive monitoring, create a multi-region trail so that activity from every AWS region, including regions enabled later, is delivered to a single S3 bucket. In a multi-account environment, make it an organization trail created from the AWS Organizations management account, so member accounts cannot disable it. This consolidates your logs and makes it easier to monitor activity across your entire AWS footprint.

#2: Integrate with AWS CloudWatch and AWS Config:

Deliver your trail to Amazon CloudWatch Logs and define metric filters and alarms for the events you care about (trail configuration changes, root-account use, console logins without MFA, authorization failures), and use AWS Config for resource configuration tracking and compliance. Amazon EventBridge rules can trigger automated responses, such as a Lambda function that re-enables a trail that was stopped.
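The metric-filter approach boils down to a handful of predicates over record fields. Here is that logic as an added Python example, not code from the original article or from AWS, run over a constructed CloudTrail log file. It serves both the Security bullet earlier and this best practice: each rule's comment shows the equivalent CloudWatch Logs filter pattern from the CIS AWS Foundations Benchmark, and the account id, IP addresses, principal names and event IDs are made-up sample values.

```python
"""Offline triage of CloudTrail records with CIS-style detection rules.

The JSON shape (a top-level "Records" array) matches the log files CloudTrail
delivers to S3. Every record below is constructed for this example.
"""
import json
from typing import Any, Callable

ACCT = "111122223333"  # example account id
SAMPLE_LOG = json.dumps({"Records": [
    {   # e1: an IAM user stops the trail (defence evasion)
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice", "accountId": ACCT},
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"name": "org-trail"}, "eventType": "AwsApiCall", "eventID": "e1",
    },
    {   # e2: the root user signs in to the console without MFA
        "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCT}:root", "accountId": ACCT},
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"},
        "eventType": "AwsConsoleSignIn", "eventID": "e2",
    },
    {   # e3: a denied EC2 call (EC2 reports errors with the Client.* prefix)
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob", "accountId": ACCT},
        "eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.44",
        "errorCode": "Client.UnauthorizedOperation", "eventType": "AwsApiCall", "eventID": "e3",
    },
    {   # e4: benign read-only call, should produce no finding
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice", "accountId": ACCT},
        "eventTime": "2024-05-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "eventType": "AwsApiCall", "eventID": "e4",
    },
]})


def _get(rec: dict, *path: str, default: Any = None) -> Any:
    """Safe nested lookup, e.g. _get(rec, "userIdentity", "type")."""
    cur: Any = rec
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


TRAIL_CONFIG_CHANGES = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def trail_config_change(rec: dict) -> bool:
    # CIS: { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail)
    #        || ($.eventName = StartLogging) || ($.eventName = StopLogging) }
    return rec.get("eventSource") == "cloudtrail.amazonaws.com" and rec.get("eventName") in TRAIL_CONFIG_CHANGES


def root_activity(rec: dict) -> bool:
    # CIS: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #        && $.eventType != "AwsServiceEvent" }
    return (_get(rec, "userIdentity", "type") == "Root"
            and _get(rec, "userIdentity", "invokedBy") is None
            and rec.get("eventType") != "AwsServiceEvent")


def console_login_without_mfa(rec: dict) -> bool:
    # CIS: { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    # Only successful logins are flagged here so failed password guesses do not drown the alert.
    return (rec.get("eventName") == "ConsoleLogin"
            and _get(rec, "additionalEventData", "MFAUsed") != "Yes"
            and _get(rec, "responseElements", "ConsoleLogin") == "Success")


def unauthorized_api_call(rec: dict) -> bool:
    # CIS: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = rec.get("errorCode") or ""
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


RULES: dict[str, Callable[[dict], bool]] = {
    "trail_config_change": trail_config_change,
    "root_activity": root_activity,
    "console_login_without_mfa": console_login_without_mfa,
    "unauthorized_api_call": unauthorized_api_call,
}


def triage(log_json: str) -> list[dict]:
    """Run every rule over every record; one finding per (rule, record) match."""
    findings = []
    for rec in json.loads(log_json)["Records"]:
        for name, matches in RULES.items():
            if matches(rec):
                findings.append({"rule": name, "eventID": rec["eventID"], "eventTime": rec["eventTime"],
                                 "eventName": rec["eventName"], "principal": _get(rec, "userIdentity", "arn"),
                                 "sourceIPAddress": rec.get("sourceIPAddress")})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['eventTime']} {f['rule']:<26} {f['eventName']:<13} {f['principal']} from {f['sourceIPAddress']}")
```

Note that a single record can satisfy several rules: the root console login without MFA is reported twice, once per rule, which is the behaviour you want when each rule feeds its own alarm.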

#3: Use CloudTrail Insights for Proactive Monitoring:

Enable CloudTrail Insights to detect unusual activity in your AWS accounts. Insights baselines the normal rate of write management events and API errors and raises an Insights event on anomalies that may indicate a security issue or an unintended change. Insights is billed separately from the trail or event data store it is attached to.

#4: Set up separate trails for different use cases:

Diversify your CloudTrail configuration by setting up multiple trails tailored to specific needs such as auditing, security monitoring, and operational troubleshooting. This lets teams access the information most relevant to their roles and segregates log data across different S3 buckets, each with its own access policy. Note that only the first copy of management events in each region is free; additional trails that log the same management events incur charges.

#5: Restrict Access to CloudTrail logs and ensure Log File Integrity:

Apply strict access controls to the S3 bucket where CloudTrail logs are stored. The bucket policy should allow only the CloudTrail service principal to write (s3:PutObject, with the bucket-owner-full-control ACL condition, and s3:GetBucketAcl), grant read access only to the auditing roles that need it, and deny object deletion. Prefer storing logs in a dedicated security or log-archive account so that a compromised workload account cannot tamper with them. Also enable log file integrity validation on the trail: CloudTrail then delivers an hourly digest file containing the SHA-256 hash of each log file delivered in that hour, chained to the previous digest and signed by CloudTrail, and the AWS CLI command aws cloudtrail validate-logs --trail-arn <trail arn> --start-time <timestamp> reports any log file that was modified, deleted, or forged after delivery.
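To see what log file integrity validation actually checks, here is an added Python example (not the article's or AWS's code) that reproduces the hash and chain verification offline. It constructs two gzip-compressed log files and two chained digest files in memory using the field names of the CloudTrail digest format, then reports any log file whose hash no longer matches and any digest whose predecessor has been altered or removed. The RSA signature over each digest, which the AWS CLI verifies with the public key from ListPublicKeys, is deliberately left out because it needs AWS access; the bucket name, account id and object keys are placeholders.

```python
"""Offline replica of the hash checks behind `aws cloudtrail validate-logs`.

Each hourly digest lists the SHA-256 of every log file delivered in that hour
and the SHA-256 of the previous digest object, so digests form a chain. Hashes
are computed over the objects as stored in S3 (gzip-compressed bytes). The
SHA256withRSA signature on each digest is NOT verified here (needs AWS access).
All objects are constructed in memory for this example.
"""
import gzip
import hashlib
import json
from typing import Optional

ACCOUNT = "111122223333"            # example account id
BUCKET = "example-cloudtrail-logs"  # assumed bucket name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(records: list[dict]) -> bytes:
    """Log files are delivered as gzip-compressed JSON with a top-level Records array."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def make_digest_object(objects: dict[str, bytes], key: str, log_keys: list[str],
                       previous_key: Optional[str], end_time: str) -> bytes:
    """Build a digest covering log_keys, chained to previous_key, and store it under key."""
    digest = {
        "awsAccountId": ACCOUNT,
        "digestEndTime": end_time,
        "digestS3Bucket": BUCKET,
        "digestS3Object": key,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestS3Bucket": BUCKET if previous_key else None,
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256" if previous_key else None,
        "previousDigestHashValue": sha256_hex(objects[previous_key]) if previous_key else None,
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(objects[k])} for k in log_keys],
    }
    body = gzip.compress(json.dumps(digest).encode())
    objects[key] = body
    return body


def validate_chain(objects: dict[str, bytes], digest_keys: list[str]) -> list[str]:
    """Return problems found; an empty list means every hash and chain link checks out."""
    problems: list[str] = []
    for i, key in enumerate(digest_keys):
        digest = json.loads(gzip.decompress(objects[key]))
        for entry in digest["logFiles"]:
            body = objects.get(entry["s3Object"])
            if body is None:
                problems.append(f"{entry['s3Object']}: log file missing")
            elif sha256_hex(body) != entry["hashValue"]:
                problems.append(f"{entry['s3Object']}: hash mismatch (modified after delivery)")
        if i == 0:
            continue  # the first digest in the validated range has no predecessor to check
        prev_key = digest_keys[i - 1]
        prev_body = objects.get(prev_key)
        if digest["previousDigestS3Object"] != prev_key:
            problems.append(f"{key}: chain points at {digest['previousDigestS3Object']}, expected {prev_key}")
        elif prev_body is None or sha256_hex(prev_body) != digest["previousDigestHashValue"]:
            problems.append(f"{prev_key}: digest missing or modified")
    return problems


def build_fixture() -> tuple[dict[str, bytes], list[str]]:
    """Two hours of constructed logs and two chained digests, keyed like CloudTrail's S3 layout."""
    lp = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/05/01/"
    dp = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/05/01/"
    objects: dict[str, bytes] = {}
    log1 = lp + f"{ACCOUNT}_CloudTrail_us-east-1_20240501T1000Z_a.json.gz"
    log2 = lp + f"{ACCOUNT}_CloudTrail_us-east-1_20240501T1100Z_b.json.gz"
    objects[log1] = make_log_object([{"eventName": "ConsoleLogin", "eventID": "e1"}])
    objects[log2] = make_log_object([{"eventName": "StopLogging", "eventID": "e2"}])
    d1 = dp + f"{ACCOUNT}_CloudTrail-Digest_us-east-1_20240501T110000Z.json.gz"
    d2 = dp + f"{ACCOUNT}_CloudTrail-Digest_us-east-1_20240501T120000Z.json.gz"
    make_digest_object(objects, d1, [log1], None, "2024-05-01T11:00:00Z")
    make_digest_object(objects, d2, [log2], d1, "2024-05-01T12:00:00Z")
    return objects, [d1, d2]


if __name__ == "__main__":
    objs, digests = build_fixture()
    print("clean:", validate_chain(objs, digests))
    # An attacker strips the StopLogging record and re-uploads the log file.
    log2 = sorted(k for k in objs if "/CloudTrail/" in k)[1]
    tampered = dict(objs)
    tampered[log2] = make_log_object([])
    print("tampered:", validate_chain(tampered, digests))
```

The chain is what makes deleting an entire hour of logs detectable: removing a log file breaks its digest's hash list, and replacing the digest to hide that breaks the next digest's previousDigestHashValue. Replacing the next digest as well would require forging CloudTrail's signature, which is the step the CLI's signature check covers.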

#6: Enable MFA-delete and versioning on the Amazon S3 Bucket storing log files:

Enable S3 Versioning and MFA Delete on the bucket where log files are stored. Versioning keeps every overwritten version of an object, and MFA Delete requires the account root user’s credentials plus a valid MFA code to permanently delete an object version or change the bucket’s versioning state, so a stolen access key cannot wipe the evidence. Two caveats: MFA Delete can only be enabled by the root user through the AWS CLI or API, not the console, and versioning must already be on. S3 Object Lock in compliance mode is an alternative that makes log objects immutable for a defined retention period without involving root credentials.

#7: Turn on data events for trails:

Enable data events to track high-volume activity such as S3 object access and Lambda invocations, which is critical for monitoring access to sensitive data. This detailed visibility helps in detecting and responding to unexpected access. Some compliance frameworks expect object-level logging, so use the AWS Config managed rule cloudtrail-s3-dataevents-enabled to verify that at least one trail logs S3 data events for every bucket, and where full coverage is too costly, narrow data events to specific buckets with advanced event selectors and document the exceptions.
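As an added example (not from the article or from AWS), the Python below approximates the check behind the cloudtrail-s3-dataevents-enabled rule locally, using the response shape of aws cloudtrail get-event-selectors so it can run in CI against a saved dump. It accepts either basic event selectors (a DataResources entry of type AWS::S3::Object whose value is the bare arn:aws:s3 prefix that covers all buckets, with ReadWriteType All) or advanced event selectors (eventCategory Data and resources.type AWS::S3::Object with no resources.ARN or readOnly narrowing). The three trail responses and their ARNs are constructed sample data, and treating the managed rule's logic this way is an assumption based on its documented purpose.

```python
"""Does at least one trail log S3 data events for every bucket?

Local approximation of the AWS Config rule cloudtrail-s3-dataevents-enabled,
evaluated over GetEventSelectors responses. Sample responses are constructed.
"""
from typing import Any

S3_OBJECT = "AWS::S3::Object"
# In basic selectors a bare S3 ARN prefix (no bucket name) selects every bucket;
# both spellings appear in AWS documentation and CLI output.
ALL_BUCKETS = {"arn:aws:s3", "arn:aws:s3:::"}


def basic_selectors_cover_all_s3(selectors: list[dict]) -> bool:
    for sel in selectors:
        if sel.get("ReadWriteType", "All") != "All":
            continue  # ReadOnly or WriteOnly misses half of the object operations
        for res in sel.get("DataResources", []):
            if res.get("Type") == S3_OBJECT and any(v in ALL_BUCKETS for v in res.get("Values", [])):
                return True
    return False


def advanced_selectors_cover_all_s3(selectors: list[dict]) -> bool:
    for sel in selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
            continue
        if fields.get("resources.type", {}).get("Equals") != [S3_OBJECT]:
            continue
        if "readOnly" in fields or "resources.ARN" in fields:
            continue  # any such constraint narrows the selector to a subset of activity
        return True
    return False


def trail_logs_all_s3_data_events(resp: dict[str, Any]) -> bool:
    """A trail uses either advanced or basic selectors, never both."""
    if resp.get("AdvancedEventSelectors"):
        return advanced_selectors_cover_all_s3(resp["AdvancedEventSelectors"])
    return basic_selectors_cover_all_s3(resp.get("EventSelectors", []))


def account_compliant(responses: list[dict[str, Any]]) -> bool:
    """The rule is satisfied when at least one trail covers all buckets."""
    return any(trail_logs_all_s3_data_events(r) for r in responses)


# Constructed GetEventSelectors responses for three hypothetical trails.
MANAGEMENT_ONLY = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/mgmt-only",
    "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}],
}
ONE_BUCKET = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/finance-only",
    "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                        "DataResources": [{"Type": S3_OBJECT, "Values": ["arn:aws:s3:::finance-exports/"]}]}],
}
ALL_S3_ADVANCED = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/all-s3-data",
    "AdvancedEventSelectors": [{"Name": "All S3 object events",
                                "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                                                   {"Field": "resources.type", "Equals": [S3_OBJECT]}]}],
}

if __name__ == "__main__":
    for r in (MANAGEMENT_ONLY, ONE_BUCKET, ALL_S3_ADVANCED):
        print(f"{r['TrailARN']}: {trail_logs_all_s3_data_events(r)}")
    print("account compliant:", account_compliant([MANAGEMENT_ONLY, ONE_BUCKET, ALL_S3_ADVANCED]))
```

Run it against real output by loading the JSON from aws cloudtrail get-event-selectors --trail-name <name> for each trail; a trail that covers only a few named buckets, like the second sample, is the common false sense of security this check catches.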

CloudTrail Frequently Asked Questions

What logs are in CloudTrail?

AWS CloudTrail records API activity in your AWS account: management events for supported services by default, plus data events and Insights events where you enable them. Each record captures the identity of the caller, the time of the call, the source IP address, the user agent, the request parameters, and the response elements returned by the service (or the error code if the call failed). With an organization trail, CloudTrail can log activity across all accounts in an AWS Organization.

What is CloudWatch vs CloudTrail

Image source: AWS

Amazon CloudWatch and AWS CloudTrail are both monitoring services offered by AWS, but they serve different purposes. CloudWatch primarily focuses on performance and health monitoring: its metrics and logs help you understand how your applications and services are performing, and it lets you set alarms and visualize data on dashboards.

CloudTrail, on the other hand, is focused on auditing and governance, tracking every API call made to your AWS account for security and compliance monitoring.

What is CloudWatch vs X-Ray

Image source: AWS

Amazon CloudWatch and AWS X-Ray provide different types of insight into your applications. CloudWatch is focused on metrics and logging for your AWS infrastructure and applications.

In contrast, AWS X-Ray is a distributed tracing service from AWS that helps analyze and debug applications by providing a complete view of requests as they traverse through the system. It enables developers to trace the path of individual requests from the front end to the backend and gives insights into how these requests interact with different components of the application. This helps in identifying bottlenecks, pinpointing the root cause of issues, and optimizing application performance.

Monitor your cloud spend with nOps

If you’re looking to save on AWS, nOps Business Contexts makes it easy and painless to understand your cloud spend.

Business Contexts transforms millions of rows of contextless data into the who, what, when and why of cloud spend — making it easy to get 100% visibility of your cloud costs and usage so your bills are never a surprise or mystery.

  • Allocate 100% of your AWS costs, including EKS. Kubernetes costs are often a black box — no longer with nOps. Understand and allocate your unified AWS spend in one platform.
  • Automated resource tagging. You don’t need to have all your resources tagged to allocate costs. Create dynamic rules by region, tags, operation, accounts, and usage types to allocate costs back to custom cost centers.
  • 40+ views & filters. Map hourly costs by any relevant engineering concept (deployment, service, namespace, label, pod, container…) or finance concept (cost unit, purchase type, line item, cost allocation tag…).
  • Custom reports & dashboards for the whole team. Monthly reporting and reconciliation can take hours; with nOps only minutes. Tailor dashboards and Slack/email reports to your needs, whether you’re a CFO or VP of Engineering.

The best part? nOps is an all-in-one solution for all of your cloud optimization needs: automated commitment management, rightsizing, resource scheduling, workload management, Spot usage, storage optimization, and more.

Join our customers using nOps to understand your cloud costs and leverage automation with complete confidence by booking a demo today!