Mastering AWS CloudTrail for API Tracking and Auditing
Use AWS CloudTrail to track API calls
AWS CloudTrail is a fundamental service for security, compliance, and operational troubleshooting. It provides a detailed record of actions taken by users, roles, or AWS services across your AWS infrastructure.
Learning Objectives
After studying this guide, you should be able to:
- Explain the primary function of AWS CloudTrail in a data infrastructure.
- Differentiate between Management Events and Data Events.
- Describe the limitations of the default Event History versus a custom Trail.
- Identify methods for analyzing CloudTrail logs using Athena, CloudTrail Lake, and CloudWatch.
- Configure a multi-region trail for long-term auditing and compliance.
Key Terms & Glossary
- API Action: Any request made to an AWS service (e.g., creating an S3 bucket or starting an EC2 instance).
- Management Events: Operations performed on resources (control plane), such as attaching an IAM policy or creating a Glue job.
- Data Events: High-volume resource operations (data plane), specifically S3 object-level activity and Lambda function executions.
- Trail: A configuration that enables delivery of CloudTrail events to an S3 bucket, CloudWatch Logs, and CloudWatch Events.
- Event History: A searchable record of the last 90 days of management events, enabled by default.
- CloudTrail Insights: An optional feature that analyzes management events to identify unusual API call volume or error rates.
The "Big Idea"
[!IMPORTANT] If CloudWatch tells you what is happening to your resources (performance/metrics), CloudTrail tells you who did it and how it was done. It is the "security camera" of your AWS account, providing an immutable audit trail necessary for governance and forensic investigation.
Formula / Concept Box
| Component | Description |
|---|---|
| Who | userIdentity (IAM User, Role, or Federated User) |
| What | eventName (API call) and eventSource (Service) |
| When | eventTime (Timestamp in UTC) |
| Where | sourceIPAddress and awsRegion |
| Result | responseElements (Outcome of the API call) |
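The table above maps the five questions onto record fields. The following script, an added example that is not part of the original guide, reads a CloudTrail log file in the shape delivered to S3 (a JSON object whose `Records` list holds one event per entry) and reduces each record to Who / What / When / Where / Result. The two records are constructed sample data: the field names are the real CloudTrail record fields, but the account ID, ARNs, IP addresses and bucket name are made up. It also surfaces the `readOnly` flag, which is how a record distinguishes the read-only and write-only events defined later on this page.

```python
"""Map CloudTrail log records onto the Who / What / When / Where / Result fields.

Added example, not part of the original guide. SAMPLE_LOG_FILE is constructed
sample data in the layout CloudTrail delivers to S3 (a top-level "Records"
list); field names are real CloudTrail record fields, the identities,
ARNs, IPs and bucket are invented.
"""
import json
from datetime import datetime, timezone

# Constructed sample log file: one denied write call, one successful read call.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE0000000001",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "accountId": "123456789012", "userName": "alice"},
        "eventTime": "2024-05-01T12:34:56Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket",
        "awsRegion": "eu-west-1",
        "sourceIPAddress": "203.0.113.10",
        "readOnly": False,
        "errorCode": "AccessDenied",
        "errorMessage": "Access Denied",
        "requestParameters": {"bucketName": "example-audit-logs"},
        "responseElements": None,
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE0000000002:deploy",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/deploy",
                         "accountId": "123456789012",
                         "sessionContext": {"sessionIssuer": {
                             "type": "Role", "userName": "DeployRole",
                             "arn": "arn:aws:iam::123456789012:role/DeployRole"}}},
        "eventTime": "2024-05-01T12:35:10Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "readOnly": True,
        "requestParameters": {"instancesSet": {}},
        "responseElements": None,
    },
]})


def load_records(log_file_text: str) -> list:
    """Parse one CloudTrail log file; every event sits under "Records"."""
    return json.loads(log_file_text)["Records"]


def who(identity: dict) -> str:
    """Resolve the acting principal. Assumed-role sessions name the role in
    sessionContext.sessionIssuer; IAM users carry userName directly."""
    if identity.get("type") == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("userName") or identity.get("arn", "unknown")
    return identity.get("userName") or identity.get("arn", "unknown")


def summarize(record: dict) -> dict:
    """Reduce a record to the guide's five questions plus the read/write flag.

    "Result" comes from errorCode when present: failed calls (and many read
    calls) carry responseElements = null, so the error fields, not
    responseElements, are what tell you whether the call succeeded."""
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "who": who(record["userIdentity"]),
        "who_type": record["userIdentity"].get("type"),
        "what": f'{record["eventName"]} ({record["eventSource"]})',
        "when": when.replace(tzinfo=timezone.utc),  # eventTime is always UTC
        "where": f'{record.get("sourceIPAddress")} in {record.get("awsRegion")}',
        "result": record.get("errorCode", "Success"),
        "read_only": bool(record.get("readOnly", False)),
    }


def failed_writes(records: list) -> list:
    """Write (non-readOnly) calls that failed or were denied: the records an
    investigator usually wants to review first."""
    return [summarize(r) for r in records
            if not r.get("readOnly", False) and "errorCode" in r]


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG_FILE)
    for row in (summarize(r) for r in records):
        print(row)
    print("failed writes:", failed_writes(records))
```

The `who()` helper matters in practice: for role sessions the `arn` field names the temporary session, while `sessionContext.sessionIssuer` names the role that was assumed, and it is usually the role you want to pivot on.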
Hierarchical Outline
- CloudTrail Fundamentals
- Regional Service: CloudTrail operates per region, but can be configured globally.
- Automation: Records actions from Console, CLI, SDKs, and internal AWS services.
- Event Categories
- Management Events: Control plane actions (Default logging: Yes).
- Data Events: Data plane actions (Default logging: No; High volume).
- Insights Events: Anomaly detection based on historical baselines.
- Storage and Analysis
- Event History: 90-day window, free, management events only.
- S3 Buckets: Permanent storage for JSON log files; required for custom trails.
- CloudTrail Lake: Managed SQL-based data lake for querying activity across accounts.
- Amazon Athena: Used to run ad-hoc SQL queries directly on logs stored in S3.
Visual Anchors
[Figures not reproduced in this text: "CloudTrail Architecture Flow" and "Logic of Event Selection"]
Definition-Example Pairs
- Write-Only Event: An API operation that modifies a resource.
- Example: RunInstances (EC2) or CreateJob (Glue).
- Read-Only Event: An API operation that retrieves information without changing it.
- Example: DescribeInstances (EC2) or GetJobStatus (Glue).
- Immutable Logging: Logs that cannot be changed once written to ensure audit integrity.
- Example: Storing CloudTrail logs in an S3 bucket with Object Lock enabled.
Worked Examples
Setting up a Compliant Multi-Region Trail
- Objective: Ensure all API calls across all regions are recorded in a central S3 bucket.
- Action: In the CloudTrail Console, select Create Trail.
- Configuration: Enable Apply trail to all regions. This ensures new regions are automatically included as AWS launches them.
- Storage: Select Create new S3 bucket and enable Log file validation. This generates a digital signature for every log file delivered, allowing you to prove the logs haven't been tampered with.
- Monitoring: Enable CloudWatch Logs integration to trigger an SNS alert if an unauthorized DeleteBucket call is detected.
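The same procedure expressed as API calls, as an added example that is not part of the original guide. The request shapes use boto3's parameter names for `cloudtrail.create_trail` / `start_logging`, `logs.put_metric_filter` and `cloudwatch.put_metric_alarm`; the account ID, bucket, log group, delivery role and SNS topic are placeholders, and the bucket (with a bucket policy that lets `cloudtrail.amazonaws.com` write to it), the log group and the role are assumed to exist already. The `audit_trail()` function is the check a practitioner wants afterwards: it takes an existing trail's `describe_trails` entry and reports which of the compliance settings from the steps above are missing.

```python
"""Create a compliant multi-region trail and alert on DeleteBucket calls.

Added example, not from the original guide. Request shapes follow boto3's
parameter names. ACCOUNT_ID, BUCKET, LOG_GROUP, LOGS_ROLE_ARN and
SNS_TOPIC_ARN are placeholders (assumptions); the bucket, log group and
delivery role must already exist before apply_plan() is run.
"""
from typing import Optional

try:
    import boto3  # needed only by apply_plan()
except ImportError:  # the builders and the audit stay usable without it
    boto3 = None

# Placeholders (assumptions): replace with your own names and ARNs.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
TRAIL_NAME = "org-audit-trail"
BUCKET = f"example-cloudtrail-logs-{ACCOUNT_ID}"
LOG_GROUP = "CloudTrail/audit"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:{LOG_GROUP}:*"
LOGS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/CloudTrail_CloudWatchLogs_Role"
SNS_TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT_ID}:security-alerts"

# CloudWatch Logs JSON filter syntax: match the DeleteBucket API call.
DELETE_BUCKET_PATTERN = '{ ($.eventName = "DeleteBucket") }'


def build_plan() -> dict:
    """The three API requests that implement the worked example's steps."""
    return {
        "create_trail": {
            "Name": TRAIL_NAME,
            "S3BucketName": BUCKET,
            "IsMultiRegionTrail": True,          # "Apply trail to all regions"
            "IncludeGlobalServiceEvents": True,  # IAM, CloudFront, Route 53 events
            "EnableLogFileValidation": True,     # signed digest for each delivered file
            "CloudWatchLogsLogGroupArn": LOG_GROUP_ARN,
            "CloudWatchLogsRoleArn": LOGS_ROLE_ARN,
        },
        "put_metric_filter": {
            "logGroupName": LOG_GROUP,
            "filterName": "DeleteBucketCalls",
            "filterPattern": DELETE_BUCKET_PATTERN,
            "metricTransformations": [{
                "metricName": "DeleteBucketCount",
                "metricNamespace": "CloudTrailMetrics",
                "metricValue": "1",
            }],
        },
        "put_metric_alarm": {
            "AlarmName": "CloudTrail-DeleteBucket",
            "Namespace": "CloudTrailMetrics",
            "MetricName": "DeleteBucketCount",
            "Statistic": "Sum",
            "Period": 300,
            "EvaluationPeriods": 1,
            "Threshold": 1,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "AlarmActions": [SNS_TOPIC_ARN],  # SNS delivers the alert
        },
    }


# Fields of a describe_trails()["trailList"] entry that a compliant trail must set.
REQUIRED_TRAIL_FLAGS = {
    "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True,
}


def audit_trail(trail: dict, status: Optional[dict] = None) -> list:
    """Return the compliance gaps of an existing trail.

    `trail` is one entry of describe_trails()["trailList"]; `status`, if
    given, is get_trail_status() output. Its IsLogging flag matters: a
    trail that exists but is stopped records nothing."""
    gaps = [f"{flag} is not {want}" for flag, want in REQUIRED_TRAIL_FLAGS.items()
            if trail.get(flag) is not want]
    if not trail.get("CloudWatchLogsLogGroupArn"):
        gaps.append("no CloudWatch Logs delivery configured")
    if status is not None and not status.get("IsLogging"):
        gaps.append("trail is not logging")
    return gaps


def apply_plan(plan: dict, region: str = REGION) -> list:
    """Execute the plan with boto3 and return the audit of the resulting trail."""
    if boto3 is None:
        raise RuntimeError("boto3 is required to apply the plan")
    ct = boto3.client("cloudtrail", region_name=region)
    ct.create_trail(**plan["create_trail"])
    ct.start_logging(Name=plan["create_trail"]["Name"])  # a new trail does not log until started
    boto3.client("logs", region_name=region).put_metric_filter(**plan["put_metric_filter"])
    boto3.client("cloudwatch", region_name=region).put_metric_alarm(**plan["put_metric_alarm"])
    trail = ct.describe_trails(trailNameList=[TRAIL_NAME])["trailList"][0]
    return audit_trail(trail, ct.get_trail_status(Name=TRAIL_NAME))


if __name__ == "__main__":
    import json
    print(json.dumps(build_plan(), indent=2))
```

Keeping the requests in `build_plan()` separate from `apply_plan()` lets the settings be reviewed (or diffed in a pull request) before anything is created, and `audit_trail()` can be run on every trail returned by `describe_trails()` to catch trails that were later edited by hand.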
Checkpoint Questions
- What is the maximum duration for which CloudTrail Event History stores management events by default?
- Which service would you use to query CloudTrail logs stored in S3 using standard SQL?
- True or False: CloudTrail logs the actual data content of an S3 object during a PutObject call.
- Does CloudTrail log unsuccessful console login attempts for the Root user?
Comparison Tables
| Feature | Event History | Custom Trail |
|---|---|---|
| Retention | 90 Days | Indefinite (S3) |
| Cost | Free | Paid (S3 storage + Data events) |
| Event Types | Management Only | Management + Data |
| Reach | Single Region (at a time) | Multi-Region/Global |
| Analysis | Search/Filter in Console | Athena, QuickSight, OpenSearch |
Muddy Points & Cross-Refs
- CloudTrail vs. CloudWatch: A common point of confusion. Remember: CloudTrail is for auditing (Who?), while CloudWatch is for monitoring performance (What is the CPU usage?).
- Data Event Costs: Enabling data events for S3 can be extremely expensive for high-traffic buckets. Use prefix filtering in your trail configuration to only log specific, sensitive paths.
- Regional Viewing: Event History is regional. If you don't see an event, check if you are in the correct AWS region in the console.
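The prefix-filtering advice above, shown as an added example that is not part of the original guide: the expensive account-wide S3 data-event selector beside a version scoped to two sensitive prefixes, plus a small linter that refuses to apply selectors broader than a prefix. Selector shapes follow boto3's `cloudtrail.put_event_selectors` with basic event selectors; the trail name, bucket and prefixes are placeholders.

```python
"""Scope S3 data-event logging to sensitive prefixes rather than every object.

Added example, not from the original guide. Selector shapes follow boto3's
cloudtrail.put_event_selectors (basic event selectors). TRAIL_NAME, the
bucket "example-data" and its prefixes are placeholders (assumptions).
"""
try:
    import boto3  # needed only by apply_selectors()
except ImportError:
    boto3 = None

S3_ARN_PREFIX = "arn:aws:s3:::"
TRAIL_NAME = "org-audit-trail"  # placeholder

# Weak (expensive) setting: "arn:aws:s3:::" alone means every object in every
# bucket in the account, and ReadWriteType "All" adds every GetObject as well.
EXPENSIVE_SELECTORS = [{
    "ReadWriteType": "All",
    "IncludeManagementEvents": True,
    "DataResources": [{"Type": "AWS::S3::Object", "Values": [S3_ARN_PREFIX]}],
}]

# Scoped setting: write events under the sensitive prefixes only. Management
# events stay on; they are the control-plane record and are logged by default.
SCOPED_SELECTORS = [{
    "ReadWriteType": "WriteOnly",
    "IncludeManagementEvents": True,
    "DataResources": [{"Type": "AWS::S3::Object", "Values": [
        "arn:aws:s3:::example-data/pii/",
        "arn:aws:s3:::example-data/finance/exports/",
    ]}],
}]


def classify_scope(value: str) -> str:
    """Classify an S3 object data-resource value as "account" (all buckets),
    "bucket" (every object in one bucket) or "prefix"."""
    rest = value[len(S3_ARN_PREFIX):] if value.startswith(S3_ARN_PREFIX) else value
    if rest == "":
        return "account"
    if "/" not in rest or (rest.endswith("/") and rest.count("/") == 1):
        return "bucket"
    return "prefix"


def lint_data_resources(selectors: list) -> list:
    """Flag selectors whose S3 data resources are broader than a prefix."""
    findings = []
    for i, selector in enumerate(selectors):
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            for value in resource.get("Values", []):
                scope = classify_scope(value)
                if scope == "account":
                    findings.append(f"selector {i}: {value!r} logs every object in every bucket")
                elif scope == "bucket":
                    findings.append(f"selector {i}: {value!r} logs every object in the bucket")
                if scope != "prefix" and selector.get("ReadWriteType") == "All":
                    findings.append(f"selector {i}: ReadWriteType=All also logs every read")
    return findings


def selectors_request(trail_name: str, selectors: list) -> dict:
    """The put_event_selectors request body for a trail."""
    return {"TrailName": trail_name, "EventSelectors": selectors}


def apply_selectors(trail_name: str, selectors: list, region: str = "us-east-1") -> None:
    """Lint first, then apply with boto3; broad selectors are rejected."""
    findings = lint_data_resources(selectors)
    if findings:
        raise ValueError("refusing to apply broad data-event selectors: " + "; ".join(findings))
    if boto3 is None:
        raise RuntimeError("boto3 is required to apply selectors")
    boto3.client("cloudtrail", region_name=region).put_event_selectors(
        **selectors_request(trail_name, selectors))


if __name__ == "__main__":
    print("expensive:", lint_data_resources(EXPENSIVE_SELECTORS))
    print("scoped:", lint_data_resources(SCOPED_SELECTORS) or "no findings")
```

`WriteOnly` is chosen for the scoped selector because the question the guide's write/read distinction answers ("who changed or removed data?") is answered by the write events; enable reads only for prefixes where access itself is the sensitive fact.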
[!TIP] For the exam, remember that IAM, CloudFront, and Route 53 are global services. Their events are delivered to the us-east-1 region logs regardless of where the request originated.