Intro
- Global Service (a single trail can be applied to multiple regions)
- Provides governance, compliance and audit by recording all the API calls to AWS services made within the account.
- Enabled by default (the CloudTrail Event history records management events without any trail being configured)
- Event retention: 90 days (in Event history; longer retention requires a trail that delivers logs to S3)
- Export CloudTrail logs into
  - CloudWatch Logs
  - S3 (encrypted by default using SSE-S3)
- CloudTrail logs from the last 90 days can be analyzed in the CloudTrail Console. Older logs are only available if a trail delivered them to S3, where they can be analyzed using Athena.
<aside>
💡 Modifications to log files can be detected by enabling Log File Validation on the logging bucket
</aside>
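Log File Validation works because CloudTrail writes an hourly digest file that records the SHA-256 of every log file delivered in that hour and the hash of the previous digest, so a log file that is edited or deleted no longer matches its digest. The following is an added example, not AWS code, that re-implements the hash part of that check in Python over constructed in-memory objects. The digest field names (`logFiles`, `s3Object`, `hashValue`, `hashAlgorithm`, `previousDigestS3Object`, `previousDigestHashValue`) are the real digest-file fields; the bucket name, account id and object keys are hypothetical. The RSA signature that CloudTrail also places on each digest (and that `aws cloudtrail validate-logs` verifies with CloudTrail's public key) is not checked here.

```python
import hashlib
import json

# Constructed sample: the uncompressed JSON body of one CloudTrail log file.
LOG_FILE_BODY = json.dumps({
    "Records": [
        {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
         "eventName": "CreateUser", "readOnly": False, "managementEvent": True}
    ]
}).encode()

# Constructed S3 keys (hypothetical account id 111122223333).
LOG_KEY = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/example_CloudTrail.json"
PREVIOUS_DIGEST_KEY = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/01/01/prev_digest.json"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the hash algorithm CloudTrail digests use for log files."""
    return hashlib.sha256(data).hexdigest()


# Constructed previous digest; only its hash matters for the chain link below.
PREVIOUS_DIGEST_BODY = json.dumps(
    {"digestEndTime": "2024-01-01T10:00:00Z", "logFiles": []}).encode()

# Constructed current digest: one entry per delivered log file, plus the hash of the
# previous digest file, which is how consecutive digests are chained together.
DIGEST = {
    "digestEndTime": "2024-01-01T11:00:00Z",
    "previousDigestS3Object": PREVIOUS_DIGEST_KEY,
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST_BODY),
    "previousDigestHashAlgorithm": "SHA-256",
    "logFiles": [
        {"s3Object": LOG_KEY, "hashAlgorithm": "SHA-256",
         "hashValue": sha256_hex(LOG_FILE_BODY)},
    ],
}

# Stand-in for the logging bucket: object key -> object bytes.
BUCKET = {
    LOG_KEY: LOG_FILE_BODY,
    PREVIOUS_DIGEST_KEY: PREVIOUS_DIGEST_BODY,
}


def verify_digest(digest: dict, bucket: dict) -> dict:
    """Check every log file listed in the digest and the link to the previous digest.

    Returns {"logFiles": {key: status}, "previousDigest": status}, where status is
    "ok", "MODIFIED" (hash mismatch) or "MISSING" (object no longer in the bucket).
    """
    results = {"logFiles": {}, "previousDigest": "ok"}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        body = bucket.get(key)
        if body is None:
            results["logFiles"][key] = "MISSING"
        elif entry["hashAlgorithm"] != "SHA-256" or sha256_hex(body) != entry["hashValue"]:
            results["logFiles"][key] = "MODIFIED"
        else:
            results["logFiles"][key] = "ok"

    prev_key = digest.get("previousDigestS3Object")
    if prev_key is not None:
        prev_body = bucket.get(prev_key)
        if prev_body is None:
            results["previousDigest"] = "MISSING"
        elif sha256_hex(prev_body) != digest["previousDigestHashValue"]:
            results["previousDigest"] = "MODIFIED"
    return results


def tampered_bucket() -> dict:
    """Copy of BUCKET in which one record of the log file was edited after delivery."""
    edited = LOG_FILE_BODY.replace(b"CreateUser", b"GetUser")
    return {**BUCKET, LOG_KEY: edited}


if __name__ == "__main__":
    print(verify_digest(DIGEST, BUCKET))             # everything "ok"
    print(verify_digest(DIGEST, tampered_bucket()))  # log file reported as MODIFIED
```

Because each digest also commits to the previous digest's hash, an attacker who rewrites a log file would have to rewrite every later digest as well, and the signature check that is omitted here is what stops that; keep the digest prefix in the same bucket protected by a restrictive bucket policy.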
Event Types
Management Events
- Events of operations that modify AWS resources. Ex:
  - Creating a new IAM user
  - Deleting a subnet
- Enabled by default
- Can separate Read Events (that don’t modify resources) from Write Events (that may modify resources)
Data Events
- Events of operations performed on the data inside a resource (object-level reads and writes, not resource-level changes). Ex:
  - S3 object-level activity (GetObject, PutObject, DeleteObject)
  - Lambda function execution (Invoke)
- Disabled by default (due to high volume of data events)
Insight Events
- Enable CloudTrail Insights to detect unusual activity in your account, e.g.:
  - inaccurate resource provisioning
  - hitting service limits
  - bursts of AWS IAM actions
  - gaps in periodic maintenance activity
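The management/data and read/write distinctions above are carried in each CloudTrail record by the `managementEvent` and `readOnly` fields (and, in newer records, `eventCategory`). The following added example, not AWS code, classifies a handful of constructed records with those fields and then runs a small sliding-window check for the "bursts of IAM actions" pattern that Insights looks for: it flags any principal that issues at least `threshold` IAM write calls inside a five-minute window. The record shapes are trimmed to the fields used; the ARNs, timestamps and thresholds are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical principals (constructed ARNs).
ADMIN = "arn:aws:iam::111122223333:user/admin"
CI_USER = "arn:aws:iam::111122223333:user/ci-deploy"


def _rec(t, source, name, read_only, management, arn, category):
    """Build a constructed record using the real CloudTrail field names."""
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "readOnly": read_only, "managementEvent": management,
            "eventCategory": category, "userIdentity": {"arn": arn}}


# Constructed sample records: normal admin activity, some S3/Lambda data events,
# and a cluster of IAM writes from one principal within two minutes.
RECORDS = [
    _rec("2024-01-01T10:00:05Z", "ec2.amazonaws.com", "DescribeInstances", True, True, ADMIN, "Management"),
    _rec("2024-01-01T10:00:20Z", "ec2.amazonaws.com", "DeleteSubnet", False, True, ADMIN, "Management"),
    _rec("2024-01-01T10:01:00Z", "s3.amazonaws.com", "GetObject", True, False, CI_USER, "Data"),
    _rec("2024-01-01T10:01:10Z", "s3.amazonaws.com", "PutObject", False, False, CI_USER, "Data"),
    _rec("2024-01-01T10:01:30Z", "lambda.amazonaws.com", "Invoke", False, False, CI_USER, "Data"),
    _rec("2024-01-01T10:02:00Z", "iam.amazonaws.com", "CreateUser", False, True, CI_USER, "Management"),
    _rec("2024-01-01T10:02:15Z", "iam.amazonaws.com", "CreateAccessKey", False, True, CI_USER, "Management"),
    _rec("2024-01-01T10:02:40Z", "iam.amazonaws.com", "AttachUserPolicy", False, True, CI_USER, "Management"),
    _rec("2024-01-01T10:03:30Z", "iam.amazonaws.com", "PutUserPolicy", False, True, CI_USER, "Management"),
]


def classify(record: dict) -> str:
    """Return management-read, management-write, data-read or data-write."""
    if "managementEvent" in record:
        is_management = record["managementEvent"]
    else:  # older records lack the flag; fall back to eventCategory
        is_management = record.get("eventCategory") == "Management"
    kind = "management" if is_management else "data"
    access = "read" if record.get("readOnly", False) else "write"
    return f"{kind}-{access}"


def summarize(records) -> Counter:
    """Count records per class; useful for sizing data-event volume before enabling it."""
    return Counter(classify(r) for r in records)


def _parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def iam_write_bursts(records, window=timedelta(minutes=5), threshold=3) -> list:
    """Flag principals with >= threshold IAM write calls inside any `window`.

    Returns a list of (principal_arn, window_start_iso, count), one finding per
    principal: the first window in which the threshold is reached.
    """
    by_principal = defaultdict(list)
    for r in records:
        if r["eventSource"] == "iam.amazonaws.com" and classify(r) == "management-write":
            by_principal[r["userIdentity"]["arn"]].append(_parse_time(r["eventTime"]))

    findings = []
    for arn, times in by_principal.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                findings.append((arn, times[start].isoformat(), count))
                break
    return findings


if __name__ == "__main__":
    print(summarize(RECORDS))
    print(iam_write_bursts(RECORDS))
```

Running this on real exported logs means iterating over the `Records` array of each log file (or querying the same fields through Athena); the same sliding-window shape works for other write-heavy sources once the baseline per principal is known.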