AWS CloudTrail

  • Actions taken by a user, role, or an AWS service in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are recorded as events.
  • CloudTrail is enabled on your AWS account when you create it.
  • CloudTrail focuses on auditing API activity.
  • View events in Event History, where you can view, search, and download the past 90 days of activity in your AWS account.
  • Trails

    • Create a CloudTrail trail to archive, analyze, and respond to changes in your AWS resources.
    • Types

      • A trail that applies to all regions – CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that you specify. This is the default option when you create a trail in the CloudTrail console.
      • A trail that applies to one region – CloudTrail records the events in the region that you specify only. This is the default option when you create a trail using the AWS CLI or the CloudTrail API.
    • You can create an organization trail that logs all events for all AWS accounts in an organization created by AWS Organizations. Organization trails must be created in the organization's management account (formerly called the master account).
    • By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption. You can also choose to encrypt your log files with an AWS Key Management Service key.
    • You can store your log files in your S3 bucket for as long as you want, and also define S3 lifecycle rules to archive or delete log files automatically.
    • If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications.
    • CloudTrail publishes log files about every five minutes.
  • Events

    • The record of an activity in an AWS account. This activity can be an action taken by a user, role, or service that is monitorable by CloudTrail.
    • Types

      • Management events
        • Logged by default
        • Management events provide insight into management operations performed on resources in your AWS account, also known as control plane operations.
      • Data events
        • Not logged by default
        • Data events provide insight into the resource operations performed on or in a resource, also known as data plane operations.
        • Data events are often high-volume activities.
  • For global services such as IAM, STS, CloudFront, and Route 53, events are delivered to any trail that includes global services, and are logged as occurring in US East (N. Virginia) Region.
  • You can filter logs by specifying Time range and one of the following attributes: Event name, User name, Resource name, Event source, Event ID, and Resource type.
  • Monitoring

    • Use CloudWatch Logs to monitor log data. CloudTrail events that are sent to CloudWatch Logs can trigger alarms according to the metric filters you define.
    • To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.
  • Price

    • The first copy of management events within each region is delivered free of charge. Additional copies of management events are charged.
    • Data events are recorded and charged only for the Lambda functions and S3 buckets you specify.
    • Once a CloudTrail trail is set up, S3 charges apply based on your usage, since CloudTrail delivers logs to an S3 bucket.
  • Limits

    • Trails per region – Default limit: 5. A trail that applies to all regions counts as one trail in every region. This limit cannot be increased.
    • Get, describe, and list APIs – Default limit: 10 transactions per second (TPS), the maximum number of operation requests you can make per second without being throttled. This limit cannot be increased.
    • All other APIs – Default limit: 1 transaction per second (TPS), the maximum number of operation requests you can make per second without being throttled. This limit cannot be increased.
    • Event selectors – Default limit: 5 per trail. This limit cannot be increased.
    • Data resources in event selectors – Default limit: 250 across all event selectors in a trail. The limit on an individual event selector is configurable up to 250, but only if the total number of data resources across all event selectors in the trail does not exceed 250. This limit cannot be increased.
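The Events and Monitoring bullets above describe the record fields CloudTrail writes (event name, event source, user identity, error code) and say that metric filters over those records should raise alarms. The following is an added example, not code from the cheat sheet or from AWS: it runs the four detection rules that are usually paired with a trail (trail configuration changes, root activity, console login without MFA, unauthorized API calls) over a constructed log file. Field names follow the CloudTrail record format; the account ID, ARNs, IP addresses and event IDs are made up, and the rule names are this example's own.

```python
"""Detection rules over CloudTrail records: the checks a trail's CloudWatch Logs
metric filters usually implement (trail configuration changes, root activity,
console login without MFA, unauthorized API calls). Stdlib only."""
import gzip
import json
from typing import Callable, Dict, List, Tuple

# Constructed sample: the contents of one delivered log file ({"Records": [...]}).
# Field names follow the CloudTrail record format; account ID, ARNs, IPs and
# event IDs are made up.
SAMPLE_LOG: Dict = {"Records": [
    {"eventTime": "2024-01-15T10:02:11Z", "eventType": "AwsApiCall",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"},
     "requestParameters": {"name": "org-trail"}, "eventID": "evt-0001"},
    {"eventTime": "2024-01-15T10:05:40Z", "eventType": "AwsConsoleSignIn",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}, "eventID": "evt-0002"},
    {"eventTime": "2024-01-15T10:09:03Z", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/bob", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation.",
     "eventID": "evt-0003"},
    {"eventTime": "2024-01-15T10:12:55Z", "eventType": "AwsApiCall",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.30",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Auditor/carol"},
     "eventID": "evt-0004"},
]}

# Anything that can switch logging off, redirect it, or narrow what is captured.
TRAIL_CHANGE_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                       "StartLogging", "StopLogging", "PutEventSelectors"}


def rule_trail_change(r: Dict) -> bool:
    return (r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in TRAIL_CHANGE_EVENTS)


def rule_root_activity(r: Dict) -> bool:
    # Root acting directly, not an AWS service acting on its behalf ("invokedBy").
    ident = r.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and r.get("eventType") != "AwsServiceEvent")


def rule_console_login_without_mfa(r: Dict) -> bool:
    return (r.get("eventName") == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def rule_unauthorized_call(r: Dict) -> bool:
    code = r.get("errorCode", "")
    return code == "AccessDenied" or code.endswith("UnauthorizedOperation")


RULES: List[Tuple[str, Callable[[Dict], bool]]] = [
    ("CloudTrailConfigurationChange", rule_trail_change),
    ("RootActivity", rule_root_activity),
    ("ConsoleLoginWithoutMFA", rule_console_login_without_mfa),
    ("UnauthorizedAPICall", rule_unauthorized_call),
]


def scan_records(records: List[Dict]) -> List[Dict]:
    """Run every rule over every record; one finding per (record, rule) hit."""
    findings = []
    for r in records:
        for name, matches in RULES:
            if matches(r):
                findings.append({"rule": name, "eventID": r.get("eventID"),
                                 "eventTime": r.get("eventTime"),
                                 "eventName": r.get("eventName"),
                                 "principal": r.get("userIdentity", {}).get("arn"),
                                 "sourceIPAddress": r.get("sourceIPAddress")})
    return findings


def scan_log_file(data: bytes) -> List[Dict]:
    """Scan one log object as CloudTrail delivers it to S3 (gzip-compressed JSON)."""
    raw = gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data
    return scan_records(json.loads(raw)["Records"])


def sample_findings() -> List[Dict]:
    """Round-trip the constructed sample through the gzip path."""
    return scan_log_file(gzip.compress(json.dumps(SAMPLE_LOG).encode("utf-8")))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['rule']:30} {f['eventTime']} {f['principal']} {f['eventName']}")
```

The root login record produces two findings (RootActivity and ConsoleLoginWithoutMFA), which is what you want: both conditions are independently alarm-worthy. The MFA rule is deliberately blunt; federated (SAML) console sign-ins also report MFAUsed as "No" because the identity provider enforced MFA, so in production you would exclude those by checking the userIdentity type before alerting.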
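The Monitoring bullets above mention log file integrity validation without showing how it works: when validation is on, CloudTrail writes an hourly digest file that lists every log object delivered in that hour with its SHA-256 hash, and `aws cloudtrail validate-logs` recomputes those hashes and checks the digest signatures. The following is an added example, not code from the cheat sheet or from AWS: it implements the hash-check half of that procedure over a constructed bucket in which one log file has been rewritten and another deleted. It assumes the digest's `hashValue` is the SHA-256 of the log object as stored in S3 (the gzip-compressed file); the bucket name, key layout and every record are made up, and the signature fields of a real digest are left out.

```python
"""CloudTrail log file integrity validation, hash-check half: recompute the
SHA-256 of each log object a digest file lists and flag objects that were
modified or removed after delivery. Stdlib only; all inputs are constructed."""
import gzip
import hashlib
import json
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(records: List[dict]) -> bytes:
    """A delivered log object is gzip-compressed JSON of {"Records": [...]}."""
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


def check_digest(digest: dict, bucket: Dict[str, Optional[bytes]]) -> List[dict]:
    """Compare each logFiles entry with the bytes currently stored under that key.
    `bucket` stands in for S3: key -> object bytes, or None if the object is gone."""
    results = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        data = bucket.get(key)
        if data is None:
            status = "MISSING"
        elif entry["hashAlgorithm"] != "SHA-256":
            status = "UNSUPPORTED_HASH"
        elif sha256_hex(data) == entry["hashValue"]:
            status = "VALID"
        else:
            status = "INVALID"
        results.append({"s3Object": key, "status": status})
    return results


def demo() -> List[dict]:
    """Build a digest over three delivered objects, then validate a tampered bucket."""
    acct = "111122223333"
    prefix = f"AWSLogs/{acct}/CloudTrail/us-east-1/2024/01/15/"
    originals: Dict[str, Optional[bytes]] = {
        prefix + f"{acct}_CloudTrail_us-east-1_20240115T1000Z_a.json.gz":
            make_log_object([{"eventName": "ConsoleLogin", "eventID": "e1"}]),
        prefix + f"{acct}_CloudTrail_us-east-1_20240115T1005Z_b.json.gz":
            make_log_object([{"eventName": "StopLogging", "eventID": "e2"},
                             {"eventName": "DeleteTrail", "eventID": "e3"}]),
        prefix + f"{acct}_CloudTrail_us-east-1_20240115T1010Z_c.json.gz":
            make_log_object([{"eventName": "ListBuckets", "eventID": "e4"}]),
    }
    # The digest as written at the end of the hour. Real digests also carry
    # previousDigest* chaining fields and an RSA signature; omitted here.
    digest = {
        "awsAccountId": acct,
        "digestStartTime": "2024-01-15T10:00:00Z",
        "digestEndTime": "2024-01-15T11:00:00Z",
        "logFiles": [{"s3Bucket": "example-trail-bucket", "s3Object": key,
                      "hashValue": sha256_hex(data), "hashAlgorithm": "SHA-256"}
                     for key, data in originals.items()],
    }
    # The bucket after an attacker cleaned up: the second object was rewritten
    # without the StopLogging/DeleteTrail records, the third was deleted.
    keys = list(originals)
    tampered = dict(originals)
    tampered[keys[1]] = make_log_object([{"eventName": "ListBuckets", "eventID": "e5"}])
    tampered[keys[2]] = None
    return check_digest(digest, tampered)


if __name__ == "__main__":
    for result in demo():
        print(f"{result['status']:8} {result['s3Object']}")
```

An attacker who can write to the log bucket can of course also rewrite the digest, which is why the digest is signed with a CloudTrail-held private key and chained to the previous digest: the CLI verifies those signatures against the keys from `aws cloudtrail list-public-keys`, and a deleted digest breaks the chain. The practical control is to keep the S3 bucket and KMS key for the trail in a separate, tightly restricted account so the principal being audited cannot touch either.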


Validate Your Knowledge

Question 1

Which of the following statements is true for AWS CloudTrail?

  1. CloudTrail is disabled by default for newly created AWS accounts
  2. When you create a trail in the AWS Management Console, the trail applies to all AWS Regions by default
  3. CloudTrail is able to capture application error logs from your EC2 instances
  4. CloudTrail charges you for every management event trail created

Correct Answer: 2

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

With AWS CloudTrail, simplify your compliance audits by automatically recording and storing event logs for actions made within your AWS account. Integration with Amazon CloudWatch Logs provides a convenient way to search through log data, identify out-of-compliance events, accelerate incident investigations, and expedite responses to auditor requests.

Hence, the correct answer to the question is: When you create a trail in the AWS Management Console, the trail applies to all AWS Regions by default. Alternatively, you can restrict the trail to a single Region if you wish.

The option that says: CloudTrail is disabled by default for newly created AWS accounts is incorrect because AWS CloudTrail is enabled by default for all accounts. Event History gives you visibility into the past 90 days of management-event activity without your having to configure a trail first.

The option that says: CloudTrail is able to capture application error logs from your EC2 is incorrect because CloudTrail actually does not capture error logs in your EC2 instances. You may instead use CloudWatch Logs for this purpose.

The option that says: CloudTrail charges you for every management event trail created is incorrect because the first copy of management events in each Region is delivered free of charge; only the additional management-event trails you create after the first one are charged.

References:
https://aws.amazon.com/cloudtrail/
https://aws.amazon.com/cloudtrail/pricing/
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html

Question 2

As part of your company’s security compliance assessment, an external IT Auditor will need to have access to the logs of all of your AWS resources such as EC2, RDS, Lambda and many others. You have to ensure that you provide ample access to enable him to conduct the audit process without the ability to trigger certain actions in your cloud architecture.

Which of the following is the most suitable way to provide access to the auditor?

  1. Create an IAM User with an auto-generated password for AWS console access and then provide the details to the auditor. To allow access to the CloudTrail logs, you have to grant him the exact same IAM policies that a SysOps Administrator has.
  2. Enable API logging of your AWS resources with CloudTrail then create an IAM user that has read-only access to the logs stored in the S3 bucket.
  3. Create an IAM User with access keys then provide the details to the auditor.
  4. Enable API logging of your AWS resources with CloudWatch then create an IAM user that has read-only access to the logs stored in the S3 bucket.

Correct Answer: 2

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs. Hence, the correct answer is to enable API logging of your AWS resources with CloudTrail then creating an IAM user that has read-only access to the logs stored in the S3 bucket.

The option that says, “Create an IAM User with an auto-generated password for AWS console access and then provide the details to the auditor. To allow access to the CloudTrail logs, you have to grant him the exact same IAM policies that a SysOps Administrator has.” is incorrect because granting the exact same IAM policies that a SysOps Administrator has is a critical security flaw. This means that the auditor can also perform the actions that the SysOps Administrator can.

The option that says, “Create an IAM User with access keys then provide the details to the auditor.” is incorrect because access keys only authenticate API requests; on their own they neither give the auditor the logs nor limit what he can do. What the auditor is allowed to do comes from the IAM policy attached to the user, so the point is a read-only policy scoped to the CloudTrail log bucket, not the type of credential handed out.

The option that says, “Enable API logging of your AWS resources with CloudWatch then create an IAM user that has read-only access to the logs stored in the S3 bucket.” is incorrect because you should set up CloudTrail and not CloudWatch.

Reference:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html


Sources:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/
https://aws.amazon.com/cloudtrail/features/
https://aws.amazon.com/cloudtrail/pricing/
https://aws.amazon.com/cloudtrail/faqs/
