AWS CloudTrail: Audit Logging to Track Who Did What
Record all API calls with AWS CloudTrail for security auditing and compliance. Learn logging strategies for SAA-C03 exam.
Related Exam Domains
- Domain 1: Design Secure Architectures
Key Takeaway
AWS CloudTrail records all API calls in your AWS account, tracking "who, when, what, where". By default, it provides 90 days of event history; store in S3 for unlimited retention.
Exam Tip
Exam Essential: "Track who did it = CloudTrail", "Performance monitoring = CloudWatch", "Configuration change tracking = AWS Config"
What is CloudTrail?
A service that records all API calls made in your AWS account.
Who terminated the EC2 instance?
[CloudTrail Event]:
- User: arn:aws:iam::123456789012:user/john
- Action: ec2:TerminateInstances
- Time: 2026-01-28T14:30:00Z
- IP: 203.0.113.50
- Region: ap-northeast-2
- Instance: i-0abc1234def56789
Event Types
Three Event Types
| Type | Description | Default Recording | Example |
|---|---|---|---|
| Management Events | AWS resource management operations | ✅ Free | EC2 create/delete, IAM policy changes |
| Data Events | Operations on data within resources | ❌ Paid | S3 GetObject, Lambda Invoke |
| Insights Events | Anomalous activity detection | ❌ Paid | API call volume spikes |
Management Events
Management Event Examples:
- Start/Stop/Terminate EC2 instances
- Create IAM users, policy changes
- Create VPC, modify security groups
- Create/delete S3 buckets
- Create RDS instances
Read events: DescribeInstances, ListBuckets
Write events: RunInstances, CreateBucket
→ Can filter by read/write separately
Data Events
Data Event Examples:
- S3: GetObject, PutObject, DeleteObject
- Lambda: Invoke
- DynamoDB: GetItem, PutItem
→ Can generate high volume → disabled by default
→ Recommend selective activation for specific buckets/functions
Exam Tip
Management vs Data Events: Management events are recorded by default (free). Data events (S3 object access, Lambda invocations) require separate activation (paid).
Trail Configuration
Trail Types
Trail Scope:
Single Region Trail:
[Records only ap-northeast-2] → [S3 Bucket]
All Regions Trail (Recommended):
[Records events from all regions] → [S3 Bucket]
→ Auto-includes newly added regions
Organization Trail:
[All accounts + All regions] → [Management Account S3 Bucket]
→ Organization-wide audit
Log Storage
CloudTrail Log Storage Options:
[CloudTrail]
│
├── [S3 Bucket] ← Long-term retention (required)
│ ├── Server-side encryption (SSE-S3 or SSE-KMS)
│ ├── Log file integrity validation (digest files)
│ └── S3 Lifecycle can move to Glacier
│
└── [CloudWatch Logs] ← Real-time monitoring (optional)
    ├── Metric filters for alarms
    └── Immediate alerts on specific API calls
CloudTrail + CloudWatch Logs Integration
Security Monitoring Scenario:
[CloudTrail] → [CloudWatch Logs]
│
├── Metric Filter: "Root account login"
│ └── CloudWatch Alarm → SNS → Admin notification
│
├── Metric Filter: "Security group changes"
│ └── CloudWatch Alarm → SNS → Security team alert
│
└── Metric Filter: "IAM policy changes"
    └── CloudWatch Alarm → Lambda → Auto rollback
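The three metric filters in the scenario above, expressed as detection logic run over sample CloudTrail records (an added example, not code from the page or from AWS): the account id, ARNs, IP address and filter names are constructed placeholders, and the rule set mirrors the CIS AWS Foundations filter patterns, including the exclusion of root activity that a service performed on the account's behalf.

```python
import json
# Constructed CloudTrail records (placeholder account id, ARNs and IP; not real data),
# one JSON document per line, as the CloudWatch Logs log group would receive them.
SAMPLE_LOG_LINES = [
    json.dumps({"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
                "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.50",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}}),
    json.dumps({"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
                "eventType": "AwsApiCall",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/john"}}),
    json.dumps({"eventName": "PutUserPolicy", "eventSource": "iam.amazonaws.com",
                "eventType": "AwsApiCall",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/john"}}),
    # Root identity used by an AWS service on the account's behalf: not an interactive root login.
    json.dumps({"eventName": "CreateServiceLinkedRole", "eventSource": "iam.amazonaws.com",
                "eventType": "AwsApiCall",
                "userIdentity": {"type": "Root", "invokedBy": "autoscaling.amazonaws.com"}}),
    json.dumps({"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
                "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser"}}),
]

# The root-usage rule as a CloudWatch Logs filter pattern (CIS AWS Foundations style):
#   { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }
SG_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                    "CreateSecurityGroup", "DeleteSecurityGroup"}
IAM_POLICY_EVENTS = {"PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "CreatePolicy",
                     "CreatePolicyVersion", "DeletePolicy", "AttachUserPolicy", "DetachUserPolicy",
                     "AttachGroupPolicy", "DetachGroupPolicy", "AttachRolePolicy", "DetachRolePolicy"}

def is_root_usage(rec):
    ident = rec.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")

def is_sg_change(rec):
    return rec.get("eventName") in SG_CHANGE_EVENTS

def is_iam_policy_change(rec):
    return rec.get("eventName") in IAM_POLICY_EVENTS

FILTERS = {"RootAccountUsage": is_root_usage, "SecurityGroupChanges": is_sg_change,
           "IAMPolicyChanges": is_iam_policy_change}

def evaluate_filters(log_lines):
    """Count matching lines per filter; each match is one increment of that filter's metric."""
    counts = {name: 0 for name in FILTERS}
    for rec in map(json.loads, log_lines):
        for name, predicate in FILTERS.items():
            counts[name] += int(predicate(rec))
    return counts
```

In the real integration each non-zero count would trip the corresponding CloudWatch Alarm and fan out through SNS or Lambda as the scenario shows.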
CloudTrail Insights
Automatically detects anomalous API activity.
Normal Pattern:
EC2 RunInstances: Average 5 per day
Anomaly Detected:
EC2 RunInstances: 200 calls today!
→ CloudTrail Insights event generated
→ Alert sent
Use Cases:
- Abnormal resource provisioning
- IAM activity spikes
- Surges in API activity related to service limits
Log File Integrity Validation
With Integrity Validation Enabled:
[CloudTrail Log Files]
│
▼
[Digest File Generated] (hourly)
│
▼
[SHA-256 Hash + RSA Signature]
→ Validates log files haven't been tampered with
→ Essential for compliance, forensic analysis
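A simplified model of the digest validation described above, added here as an example (not code from the page or from AWS): it checks each log object's SHA-256 against the digest entry and checks the hash chain linking consecutive digests, and it omits the RSA signature over the digest itself, which needs the CloudTrail public key. The digest field names are modeled on the CloudTrail digest format, and the bucket name, S3 keys and event records are constructed placeholders.

```python
import gzip, hashlib, json
def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def make_log_object(records):
    """A CloudTrail log object as delivered to S3: gzipped JSON with a top-level Records array."""
    return gzip.compress(json.dumps({"Records": records}).encode())

def make_digest(log_objects, previous_digest=None):
    """Constructed digest modeled on the CloudTrail digest file fields (signature fields omitted)."""
    digest = {
        "digestS3Bucket": "example-trail-logs",          # placeholder bucket name
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
        "logFiles": [{"s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(body)}
                     for key, body in sorted(log_objects.items())],
    }
    return json.dumps(digest, sort_keys=True).encode()

def validate(digest_bytes, log_objects, previous_digest=None):
    """Return a list of findings; an empty list means every listed log file and the chain link verify."""
    digest = json.loads(digest_bytes)
    findings = []
    for entry in digest["logFiles"]:
        body = log_objects.get(entry["s3Object"])
        if body is None:
            findings.append("missing log file: " + entry["s3Object"])
        elif sha256_hex(body) != entry["hashValue"]:
            findings.append("hash mismatch: " + entry["s3Object"])
    if previous_digest is not None and digest["previousDigestHashValue"] != sha256_hex(previous_digest):
        findings.append("chain break: previous digest does not match recorded hash")
    return findings

def demo():
    """Constructed sample: two hourly log objects, the second digest chained to the first."""
    key1, key2 = "logs/2026/01/28/14/a.json.gz", "logs/2026/01/28/15/b.json.gz"
    hour1 = {key1: make_log_object([{"eventName": "RunInstances"}])}
    hour2 = {key2: make_log_object([{"eventName": "TerminateInstances"}])}
    d1 = make_digest(hour1)
    d2 = make_digest(hour2, previous_digest=d1)
    return {
        "clean": validate(d2, hour2, d1),
        # Log rewritten after delivery to hide the termination: its hash no longer matches d2.
        "edited_log": validate(d2, {key2: make_log_object([{"eventName": "DescribeInstances"}])}, d1),
        # Log object removed outright: the digest still lists it.
        "deleted_log": validate(d2, {}, d1),
        # Earlier digest replaced by one covering an emptied hour: d2's recorded hash no longer matches.
        "swapped_digest": validate(d2, hour2, make_digest({key1: make_log_object([])})),
    }
```

The `aws cloudtrail validate-logs` CLI command performs the complete check, including the signature verification this model leaves out.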
Event History vs Trail
| Item | Event History | Trail |
|---|---|---|
| Setup | Enabled by default | Manual creation |
| Retention | 90 days | Unlimited in S3 |
| Events | Management only | Management + Data + Insights |
| Cost | Free | S3 storage + Data event costs |
| Regions | Current region only | All regions possible |
Exam Tip
90-day Limit: Default event history retains only 90 days. Create a Trail and store in S3 for long-term retention.
Security Best Practices
| Method | Description |
|---|---|
| All regions trail | Detect unauthorized activity in unused regions |
| S3 bucket protection | MFA Delete, bucket policy to prevent deletion |
| Log encryption | Encrypt with SSE-KMS |
| Integrity validation | Digest files detect tampering |
| CloudWatch integration | Real-time security alarms |
| Separate account storage | Place S3 bucket in dedicated log account |
SAA-C03 Exam Focus Points
- ✅ API Audit: "Track who changed resources = CloudTrail"
- ✅ Event Types: "Management events free by default, data events require activation"
- ✅ 90-day Limit: "Long-term retention = Trail + S3"
- ✅ Integrity Validation: "Prevent log tampering = digest files"
- ✅ vs CloudWatch: "Audit = CloudTrail, Monitoring = CloudWatch"
Exam Tip
Sample Exam Question: "For security auditing, you need to retain all AWS API calls long-term and receive immediate alerts on root account login. What's the solution?" → Answer: CloudTrail Trail → S3 long-term storage + CloudWatch Logs → Metric filter → Alarm → SNS notification
Frequently Asked Questions
Q: Is CloudTrail free?
The first Trail for management events is free. Additional trails, data events, and Insights events are charged. S3 storage costs are separate.
Q: Should I use both CloudTrail and CloudWatch Logs?
CloudTrail stores logs in S3, and sending to CloudWatch Logs enables real-time monitoring and alarms. Both are recommended for security-critical environments.
Q: Should I enable data events for all S3 buckets?
Data events can generate high volumes and costs. Selectively enable only for buckets with sensitive data or compliance requirements.
Q: How long until CloudTrail logs reach S3?
Typically logs are delivered to S3 within 5-15 minutes after the API call. Use CloudWatch Logs integration for real-time needs.
Q: Can I audit all Organization accounts with one Trail?
Yes. Create an Organization Trail in the management account and all member account events are recorded to a single S3 bucket.