AWS CloudTrail


Last updated on February 17, 2024

AWS CloudTrail Cheat Sheet

  • Actions taken by a user, role, or an AWS service in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are recorded as events.
  • CloudTrail is enabled on your AWS account when you create it.
  • CloudTrail focuses on auditing API activity.
  • View events in Event History, where you can view, search, and download the past 90 days of activity in your AWS account.
  • CloudTrail Lake lets you aggregate, immutably store, and query your activity logs. You can enable this feature using AWS SDKs and CLI.
  • CloudTrail Insights helps you identify unusual activity in your account such as spikes in resource provisioning or bursts of AWS IAM actions.

Trails

    • Create a CloudTrail trail to archive, analyze, and respond to changes in your AWS resources.
    • Types

      • A trail that applies to all regions – CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that you specify. This is the default option when you create a trail in the CloudTrail console.
      • A trail that applies to one region – CloudTrail records the events in the region that you specify only. This is the default option when you create a trail using the AWS CLI or the CloudTrail API.
    • You can create an organization trail that will log all events for all AWS accounts in an organization created by AWS Organizations. Organization trails must be created in the management account.
    • By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption. You can also choose to encrypt your log files with an AWS Key Management Service key.
    • You can store your log files in your S3 bucket for as long as you want, and also define S3 lifecycle rules to archive or delete log files automatically.
    • If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications.
    • CloudTrail publishes log files about every five minutes.
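The settings listed above (all-region coverage, global service events, KMS encryption, SNS delivery notifications, integrity validation) are exactly what an auditor checks first. The following is an added Python example, not code from this cheat sheet or from AWS: it turns `describe-trails` and `get-trail-status` output into findings. The audit functions run offline on a constructed sample; only `fetch_and_audit` calls AWS and assumes boto3 with working credentials. The response field names are the ones the CloudTrail API returns; the trail names, bucket, topic and KMS key ARN in the sample are invented.

```python
"""Audit CloudTrail trail configuration against common hardening expectations."""
from typing import Dict, List


def audit_trail(trail: Dict, status: Dict) -> List[str]:
    """Return findings for one trail.

    `trail` is one item of describe_trails()["trailList"]; `status` is the
    get_trail_status() response for the same trail (only IsLogging is used).
    """
    findings: List[str] = []
    name = trail.get("Name", "<unnamed>")
    if not status.get("IsLogging", False):
        findings.append(f"{name}: logging is stopped, nothing is being recorded")
    if not trail.get("IsMultiRegionTrail", False):
        findings.append(f"{name}: single-region trail, activity in other regions is not recorded")
    if not trail.get("IncludeGlobalServiceEvents", False):
        findings.append(f"{name}: global service events (IAM, STS, CloudFront, Route 53) are excluded")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append(f"{name}: log file integrity validation is off, tampering would go unnoticed")
    if not trail.get("KmsKeyId"):
        findings.append(f"{name}: log files use default S3 encryption rather than a KMS key")
    if not trail.get("SnsTopicName") and not trail.get("SnsTopicARN"):
        findings.append(f"{name}: no SNS topic, log delivery failures will not be noticed")
    return findings


def audit_account(trails: List[Dict], statuses: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Audit every trail and flag an account that has no all-region trail at all."""
    report = {t["Name"]: audit_trail(t, statuses.get(t["Name"], {})) for t in trails}
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        report["_account"] = ["no trail applies to all regions"]
    return report


def fetch_and_audit(region: str = "us-east-1") -> Dict[str, List[str]]:
    """Live variant: requires boto3 and credentials; not exercised offline."""
    import boto3  # imported here so the offline functions above need no boto3

    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    statuses = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return audit_account(trails, statuses)


# Constructed sample: one hardened organization trail and one weak legacy trail.
SAMPLE_TRAILS = [
    {"Name": "org-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
     "S3BucketName": "example-trail-bucket", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": True, "IsOrganizationTrail": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "SnsTopicName": "trail-delivery"},
    {"Name": "legacy-trail",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail",
     "S3BucketName": "legacy-logs", "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": False, "IsOrganizationTrail": False},
]
SAMPLE_STATUS = {"org-trail": {"IsLogging": True}, "legacy-trail": {"IsLogging": True}}

if __name__ == "__main__":
    for trail_name, findings in audit_account(SAMPLE_TRAILS, SAMPLE_STATUS).items():
        print(trail_name, findings or ["OK"])
```

Run against a real account, `fetch_and_audit` reports the same findings for every trail visible from the chosen region; a multi-region trail created elsewhere shows up as a shadow trail, which is why `includeShadowTrails=False` is passed to avoid double counting.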

Events

    • An event is the record of an activity in an AWS account: an action taken by a user, role, or service that CloudTrail can monitor.
    • Types

      • Management events
        • Logged by default
        • Management events provide insight into management operations performed on resources in your AWS account, also known as control plane operations.
      • Data events
        • Not logged by default
        • Data events provide insight into the resource operations performed on or in a resource, also known as data plane operations.
        • Data events are often high-volume activities.
      • Insights events
        • Not logged by default
        • Insights events capture unusual activity in your AWS account. If you have Insights events enabled, CloudTrail detects unusual activity and logs this to S3.
        • Insights events provide relevant information, such as the associated API, incident time, and statistics, that help you understand and act on unusual activity. 
        • Insights events are logged only when CloudTrail detects changes in your account’s API usage that differ significantly from the account’s typical usage patterns.
  • For global services such as IAM, STS, CloudFront, and Route 53, events are delivered to any trail that includes global services, and are logged as occurring in US East (N. Virginia) Region.
  • Event History can be filtered by time range and by one of the following attributes: event name, user name, resource name, event source, event ID, or resource type.

AWS CloudTrail Monitoring

    • Use CloudWatch Logs to monitor log data. CloudTrail events that are sent to CloudWatch Logs can trigger alarms according to the metric filters you define.
    • To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.
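To make the lookup attributes from the Events section and the metric-filter alarms above concrete, here is an added Python example (not code from this cheat sheet or from AWS). It loads a constructed CloudTrail log in the delivered `Records` format, filters it by time range plus one `LookupEvents` attribute, and evaluates two filter patterns written in the CloudWatch Logs metric filter syntax: the CIS-benchmark patterns for CloudTrail configuration changes and for root account usage. The pattern evaluator is deliberately small and supports only a single level of `||` or `&&` with `=`, `!=` and `NOT EXISTS`; the account ID, user names, event IDs and bucket in the sample are invented.

```python
"""Event History style lookups and metric-filter evaluation over CloudTrail records."""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed CloudTrail log (shape of a delivered log file; values are made up).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-02-17T10:05:00Z", "eventType": "AwsApiCall",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-east-1",
     "eventID": "00000000-0000-0000-0000-000000000001",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "main-trail"}},
    {"eventVersion": "1.08", "eventTime": "2024-02-17T10:20:00Z", "eventType": "AwsConsoleSignIn",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "eventID": "00000000-0000-0000-0000-000000000002",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventVersion": "1.08", "eventTime": "2024-02-17T11:00:00Z", "eventType": "AwsApiCall",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "eu-west-1",
     "eventID": "00000000-0000-0000-0000-000000000003",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"},
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/report.csv"},
                   {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-bucket"}]},
    {"eventVersion": "1.08", "eventTime": "2024-02-17T12:30:00Z", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "eventID": "00000000-0000-0000-0000-000000000004",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# CIS-benchmark style metric filters in CloudWatch Logs syntax.
CLOUDTRAIL_CHANGES = ('{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || '
                      '($.eventName = DeleteTrail) || ($.eventName = StartLogging) || '
                      '($.eventName = StopLogging) }')
ROOT_USAGE = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && '
              '$.eventType != "AwsServiceEvent" }')

# Attribute keys as accepted by the LookupEvents API, mapped onto record fields.
LOOKUP_ATTRIBUTES = {
    "EventName": lambda r: r.get("eventName"),
    "EventSource": lambda r: r.get("eventSource"),
    "EventId": lambda r: r.get("eventID"),
    "Username": lambda r: r.get("userIdentity", {}).get("userName"),
    "ResourceName": lambda r: [x.get("ARN") for x in r.get("resources", [])],
    "ResourceType": lambda r: [x.get("type") for x in r.get("resources", [])],
}

TERM_RE = re.compile(r'\$\.([\w.]+)\s*(!=|=|NOT EXISTS)\s*"?([^"\s)]*)"?')


def load_records(text: str) -> List[Dict]:
    return json.loads(text)["Records"]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lookup_events(records: List[Dict], start: str, end: str,
                  attribute: Optional[str] = None, value: Optional[str] = None) -> List[Dict]:
    """Time range plus at most one attribute, mirroring Event History / LookupEvents."""
    lo, hi = _ts(start), _ts(end)
    out = []
    for r in records:
        if not (lo <= _ts(r["eventTime"]) <= hi):
            continue
        if attribute:
            got = LOOKUP_ATTRIBUTES[attribute](r)
            if not (got == value or (isinstance(got, list) and value in got)):
                continue
        out.append(r)
    return out


def _field(record: Dict, path: str):
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def match_filter(record: Dict, pattern: str) -> bool:
    """Evaluate a flat CloudWatch Logs metric filter ('||' or '&&', not mixed)."""
    body = pattern.strip().strip("{}")
    parts, combine = (body.split("||"), any) if "||" in body else (body.split("&&"), all)
    results = []
    for part in parts:
        m = TERM_RE.search(part)
        if not m:
            raise ValueError(f"unsupported term: {part.strip()!r}")
        path, op, value = m.groups()
        actual = _field(record, path)
        if op == "NOT EXISTS":
            results.append(actual is None)
        else:  # a missing field compares as the string "None", which never equals a real value
            results.append((str(actual) == value) if op == "=" else (str(actual) != value))
    return combine(results)


def count_matches(records: List[Dict], pattern: str) -> int:
    """What a metric filter would add to its metric for this batch of records."""
    return sum(1 for r in records if match_filter(r, pattern))


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("CloudTrail config changes:", count_matches(recs, CLOUDTRAIL_CHANGES))
    print("Root usage:", count_matches(recs, ROOT_USAGE))
    print("alice:", [r["eventName"] for r in lookup_events(
        recs, "2024-02-17T00:00:00Z", "2024-02-18T00:00:00Z", "Username", "alice")])
```

In a real deployment the same patterns go into `put-metric-filter` on the trail's CloudWatch Logs log group and an alarm with a threshold of 1 fires on the resulting metric; running the evaluator over a sample of your own log files is a quick way to confirm a pattern matches the records you expect before wiring the alarm.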

AWS CloudTrail Price

    • The first copy of management events within each region is delivered free of charge. Additional copies of management events are charged.
    • Data events are recorded and charged only for the Lambda functions, DynamoDB tables, and S3 buckets you specify.
    • Once a CloudTrail trail is set up, S3 charges apply based on your usage, since CloudTrail delivers logs to an S3 bucket.

AWS CloudTrail Limits

    • Trails per region – 5. A trail that applies to all regions counts as one trail in every region. This limit cannot be increased.
    • Get, describe, and list APIs – 10 transactions per second (TPS). The maximum number of operation requests you can make per second without being throttled. This limit cannot be increased.
    • LookupEvents API – 2 transactions per second (TPS). The maximum number of operation requests you can make per second without being throttled. This limit cannot be increased.
    • All other APIs – 1 transaction per second (TPS). The maximum number of operation requests you can make per second without being throttled. This limit cannot be increased.
    • Event data stores in CloudTrail Lake – 5 per region. This limit cannot be increased.
    • Event selectors – 5 per trail. This limit cannot be increased.
    • Advanced event selectors – 500 conditions across all advanced event selectors. This limit cannot be increased.
    • Data resources in event selectors – 250 across all event selectors in a trail. An individual event selector can be configured with up to 250 data resources, but only as long as the total across all event selectors in the trail does not exceed 250. This limit cannot be increased.


Validate Your Knowledge

Question 1

Which of the following statements is true for AWS CloudTrail?

  1. CloudTrail is disabled by default for newly created AWS accounts
  2. When you create a trail in the AWS Management Console, the trail applies to all AWS Regions by default
  3. CloudTrail is able to capture application error logs from your EC2 instances
  4. CloudTrail charges you for every management event trail created

Correct Answer: 2

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides the event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

With AWS CloudTrail, simplify your compliance audits by automatically recording and storing event logs for actions made within your AWS account. Integration with Amazon CloudWatch Logs provides a convenient way to search through log data, identify out-of-compliance events, accelerate incident investigations, and expedite responses to auditor requests. After creating a trail, by default, it is applied to all AWS Regions. Alternatively, you can also specify the trail to only a specific Region if you wish to.

Hence, the correct answer is: When you create a trail in the AWS Management Console, the trail applies to all AWS Regions by default.

The option that says: CloudTrail is disabled by default for newly created AWS accounts is incorrect because AWS CloudTrail is now enabled by default for ALL CUSTOMERS and will provide visibility into the past seven days of account activity without the need for you to configure a trail in the service to get started.

The option that says: CloudTrail is able to capture application error logs from your EC2 instances is incorrect because CloudTrail does not capture error logs from your EC2 instances. You may instead use CloudWatch Logs for this purpose.

The option that says: CloudTrail charges you for every management event trail created is incorrect because CloudTrail does not charge you for your first management event trail, only for the additional management trails you create after the first one.

References:
https://aws.amazon.com/cloudtrail/
https://aws.amazon.com/cloudtrail/pricing/
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html

Note: This question was extracted from our AWS Certified Cloud Practitioner Practice Exams.

Question 2

A leading digital payments company is using AWS to host its suite of web applications, which use external APIs for credit and debit transactions. The current architecture uses CloudTrail with several trails to log all API actions. Each trail is protected with an IAM policy to restrict access from unauthorized users. In order to maintain the system’s PCI DSS compliance, a solution must be implemented that allows them to trace the integrity of each file and prevent the files from being tampered with.

Which of the following is the MOST suitable solution with the LEAST amount of effort to implement?

  1. Use AWS Systems Manager State Manager to directly enable the log file integrity feature in CloudTrail. This will automatically generate a digest file for every log file that CloudTrail delivers. Verify the integrity of the delivered CloudTrail files using the generated digest files.
  2. In the Amazon S3 bucket of the trail, enable the log file integrity feature that will automatically generate a digest file for every log file that CloudTrail delivers. Grant the IT Security team full access to download the file integrity logs stored in the S3 bucket via an IAM policy.
  3. In AWS CloudTrail, enable the log file integrity feature on the trail that will automatically generate a digest file for every log file that CloudTrail delivers. Verify the integrity of the delivered CloudTrail files using the generated digest files.
  4. Use AWS Config to directly enable the log file integrity feature in CloudTrail. This will automatically generate a digest file for every log file that CloudTrail delivers. Verify the integrity of the delivered CloudTrail files using the generated digest files.


Correct Answer: 3

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.

Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity. The CloudTrail log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.

When you enable log file integrity validation, CloudTrail creates a hash for every log file that it delivers. Every hour, CloudTrail also creates and delivers a file that references the log files for the last hour and contains a hash of each. This file is called a digest file. CloudTrail signs each digest file using the private key of a public and private key pair. After delivery, you can use the public key to validate the digest file. CloudTrail uses different key pairs for each AWS region.

The digest files are delivered to the same Amazon S3 bucket associated with your trail as your CloudTrail log files. If your log files are delivered from all regions or from multiple accounts into a single Amazon S3 bucket, CloudTrail will deliver the digest files from those regions and accounts into the same bucket.

The digest files are put into a folder separate from the log files. This separation of digest files and log files enables you to enforce granular security policies and permits existing log processing solutions to continue to operate without modification. Each digest file also contains the digital signature of the previous digest file if one exists. The signature for the current digest file is in the metadata properties of the digest file Amazon S3 object.
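The three paragraphs above (and the Monitoring section earlier on this page) describe what `aws cloudtrail validate-logs` does. The following is an added Python example, not code from this page or from AWS's validator, that re-implements the checks over an in-memory stand-in for the S3 bucket: recompute the SHA-256 of every log file a digest references, walk the chain of digests backwards through `previousDigestS3Object` / `previousDigestHashValue`, and report each file as valid, modified or missing. The digest field names follow CloudTrail's documented digest format; the account ID, bucket, object keys and log contents are constructed, the log files are plain JSON rather than the delivered `.json.gz`, and verification of the SHA256withRSA signature against the region's public key (`aws cloudtrail list-public-keys`) is not performed here, only the string it covers is built, and that layout is an assumption to confirm against the CloudTrail documentation.

```python
"""CloudTrail log file integrity validation over an in-memory S3 stand-in."""
import hashlib
import json
from typing import Dict, List, Optional

ACCOUNT = "111122223333"              # constructed account id
BUCKET = "example-trail-bucket"       # constructed bucket name
LOG_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/02/17/"
DIGEST_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/02/17/"
LOG_KEYS = [LOG_PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240217T1{h}00Z_example{h}.json"
            for h in (0, 1)]
DIGEST_KEYS = [DIGEST_PREFIX + f"{ACCOUNT}_CloudTrail-Digest_us-east-1_2024-02-17T1{h}0000Z.json"
               for h in (1, 2)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_digest(store: Dict[str, bytes], key: str, end_time: str,
                log_keys: List[str], previous_key: Optional[str] = None) -> bytes:
    """Constructed digest in the documented shape; in reality CloudTrail writes these hourly."""
    prev_raw = store[previous_key] if previous_key else None
    digest = {
        "awsAccountId": ACCOUNT,
        "digestEndTime": end_time,
        "digestS3Bucket": BUCKET,
        "digestS3Object": key,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestS3Bucket": BUCKET if prev_raw else None,
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256" if prev_raw else None,
        "previousDigestHashValue": sha256_hex(prev_raw) if prev_raw else None,
        "previousDigestSignature": None,   # CloudTrail records the prior signature here; not signed in this example
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(store[k])} for k in log_keys],
    }
    return json.dumps(digest, sort_keys=True).encode()


def build_store() -> Dict[str, bytes]:
    """Two delivered log files and the two hourly digests that reference them (all constructed)."""
    store = {
        LOG_KEYS[0]: json.dumps({"Records": [{"eventName": "StopLogging",
                                              "eventTime": "2024-02-17T10:05:00Z"}]}).encode(),
        LOG_KEYS[1]: json.dumps({"Records": [{"eventName": "ConsoleLogin",
                                              "eventTime": "2024-02-17T11:20:00Z"}]}).encode(),
    }
    store[DIGEST_KEYS[0]] = make_digest(store, DIGEST_KEYS[0], "2024-02-17T11:00:00Z", [LOG_KEYS[0]])
    store[DIGEST_KEYS[1]] = make_digest(store, DIGEST_KEYS[1], "2024-02-17T12:00:00Z",
                                        [LOG_KEYS[1]], DIGEST_KEYS[0])
    return store


def validate_chain(store: Dict[str, bytes], latest_digest_key: str) -> List[str]:
    """Walk from the newest digest back through previousDigestS3Object.

    Every referenced log file is re-hashed and compared with the recorded
    hashValue; every earlier digest is compared with the previousDigestHashValue
    its successor recorded for it, so a rewritten digest breaks the chain.
    """
    findings: List[str] = []
    key: Optional[str] = latest_digest_key
    while key:
        raw = store.get(key)
        if raw is None:
            findings.append(f"digest {key}: MISSING")
            break
        digest = json.loads(raw)
        for entry in digest["logFiles"]:
            data = store.get(entry["s3Object"])
            if data is None:
                findings.append(f"{entry['s3Object']}: MISSING (deleted after delivery)")
            elif sha256_hex(data) != entry["hashValue"]:
                findings.append(f"{entry['s3Object']}: INVALID hash (modified after delivery)")
            else:
                findings.append(f"{entry['s3Object']}: valid")
        prev = digest.get("previousDigestS3Object")
        if prev and prev in store and sha256_hex(store[prev]) != digest["previousDigestHashValue"]:
            findings.append(f"digest {prev}: INVALID (chain link broken)")
        key = prev
    return findings


def string_to_sign(digest_raw: bytes) -> str:
    """Data covered by the signature kept in the digest object's metadata.

    Assumed layout (end time, bucket/key, hex SHA-256 of the digest bytes,
    previous signature) per the custom-validation docs; confirm before relying on it.
    """
    d = json.loads(digest_raw)
    return "\n".join([d["digestEndTime"], f'{d["digestS3Bucket"]}/{d["digestS3Object"]}',
                      sha256_hex(digest_raw), d.get("previousDigestSignature") or ""])


if __name__ == "__main__":
    bucket = build_store()
    for line in validate_chain(bucket, DIGEST_KEYS[1]):
        print(line)
```

The output mirrors the `valid`, `INVALID` and `MISSING` states that `validate-logs` reports. The chain walk is what lets validation assert that no digest was removed: a deleted or rewritten earlier digest no longer hashes to the value its successor recorded, which is why keeping the digest folder under a tighter bucket policy than the log folder, as the text above suggests, matters.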

Hence, the correct answer is: In AWS CloudTrail, enable the log file integrity feature on the trail that will automatically generate a digest file for every log file that CloudTrail delivers. Verify the integrity of the delivered CloudTrail files using the generated digest files. 

The option that says: Use AWS Systems Manager State Manager to directly enable the log file integrity feature in CloudTrail. This will automatically generate a digest file for every log file that CloudTrail delivers. Verify the integrity of the delivered CloudTrail files using the generated digest files is incorrect because there is no direct way that you can enable the log file integrity feature in CloudTrail using AWS Systems Manager State Manager. This must be manually enabled using the Console or the AWS CLI.

The option that says: In the Amazon S3 bucket of the trail, enable the log file integrity feature that will automatically generate a digest file for every log file that CloudTrail delivers. Grant the IT Security team full access to download the file integrity logs stored in the S3 bucket via an IAM policy is incorrect because the log file integrity feature must be configured in the trail itself and not on the S3 bucket. 

The option that says: Use AWS Config to directly enable the log file integrity feature in CloudTrail. This will automatically generate a digest file for every log file that CloudTrail delivers. Verify the integrity of the delivered CloudTrail files using the generated digest files is incorrect because there is no direct way that you can enable the log file integrity feature in CloudTrail using AWS Config. You have to manually enable it.

References:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
https://aws.amazon.com/blogs/aws/aws-cloudtrail-update-sse-kms-encryption-log-file-integrity-verification/

Note: This question was extracted from our AWS Certified DevOps Engineer Professional Practice Exams.


AWS CloudTrail Cheat Sheet References:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/
https://aws.amazon.com/cloudtrail/features/
https://aws.amazon.com/cloudtrail/pricing/
https://aws.amazon.com/cloudtrail/faqs/


Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
