AWS CloudTrail

AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

CloudTrail is active in your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event.

CloudTrail provides three ways to record events:

  • Event history – The Event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of management events in an AWS Region. You can search events by filtering on a single attribute. You automatically have access to the Event history when you create your account.
  • CloudTrail Lake – AWS CloudTrail Lake is a managed data lake for capturing, storing, accessing, and analyzing user and API activity on AWS for audit and security purposes. CloudTrail Lake converts existing events in row-based JSON format to Apache ORC format. ORC is a columnar storage format that is optimized for fast retrieval of data. Events are aggregated into event data stores, which are immutable collections of events based on criteria that you select by applying advanced event selectors.
  • Trails – Trails capture a record of AWS activities, delivering and storing these events in an Amazon S3 bucket, with optional delivery to CloudWatch Logs and Amazon EventBridge. You can input these events into your security monitoring solutions. You can also use your own third-party solutions or solutions such as Amazon Athena to search and analyze your CloudTrail logs. You can create trails for a single AWS account or for multiple AWS accounts by using AWS Organizations. You can log Insights events to analyze your management events for anomalous behavior in API call rates and error rates.

You can deliver one copy of your ongoing management events to your S3 bucket at no charge from CloudTrail by creating a trail; Amazon S3 storage charges still apply.

Visibility into your AWS account activity is a key aspect of security and operational best practices. You can use CloudTrail to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure. You can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help you analyze and respond to activity in your AWS account.

You can integrate CloudTrail into applications using the API, automate trail or event data store creation for your organization, check the status of event data stores and trails you create, and control how users view CloudTrail events.

AWS CloudTrail Architecture

In the architecture diagram, an AWS account is created in the AWS environment, and CloudTrail is activated as soon as the account exists. Whenever an operation is carried out with that account, such as signing in, creating or deleting EC2 instances, creating S3 buckets, or uploading data into them, an API call is made on the backend.

These activities can be carried out in several ways: through the AWS CLI (Command-Line Interface), an SDK (Software Development Kit), or the AWS Management Console. Whichever method is used, every activity performed from the account calls the backend API. When the backend API is called, an event is generated and its log entry is stored in CloudTrail. An event is created in CloudTrail only when an activity is actually carried out with the AWS account.

Benefits of using AWS CloudTrail in AWS

  • Log file integrity validation: CloudTrail log file integrity validation is a feature you can use to support IT security and auditing procedures, by letting you confirm that delivered log files have not been modified or deleted.
  • Security and Compliance: Meeting security and compliance standards is made easier with CloudTrail. It supports security incident investigation and compliance audits by assisting enterprises in identifying illegal or suspicious activity through the monitoring of AWS actions.
  • Resource Change Tracking: AWS resource changes over time can be tracked with CloudTrail. This helps with resource management and troubleshooting by helping to spot configuration changes, authorization changes, and resource removals.
  • Alerting and Notifications: Businesses can configure alerts and notifications for a variety of events that are logged in CloudTrail logs. The prompt response to urgent situations is made possible by this proactive monitoring.
  • Cross-Account and Multi-Region Support: CloudTrail supports multi-account logging, enabling businesses to centralize logging for numerous AWS accounts. It also offers multi-region logging, which consolidates logs from various AWS regions in one place for centralized analysis. This enables governance, compliance, and auditing of your accounts, supports continuous monitoring and security analysis, and keeps the logs simple to manage and access.
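The "who or what took which action, on what, and when" questions from the overview, and the alerting use case in the last bullet, applied to an actual log file: an added example in Python, not code from the article or from AWS, that parses a constructed CloudTrail log file (the `Records` array CloudTrail delivers to S3) and flags root activity, console logins without MFA, calls that disable the trail, and denied API calls. The record field names are CloudTrail's standard ones; the sample values and the rule set are this example's own.

```python
import json

# Constructed sample log file in the shape CloudTrail delivers to S3: one JSON
# object with a "Records" array. Field names are CloudTrail's; values are made up.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T10:17:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T10:20:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root"}, "requestParameters": {"name": "org-trail"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T10:21:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.22"},
]})

# CloudTrail management calls that disable or weaken the trail itself
# (rule set chosen for this example).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(record: dict) -> str:
    """Answer 'who': the IAM user name, or the identity type (e.g. Root)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def findings(log_file: str) -> list:
    """Scan one CloudTrail log file; return (rule, who, eventName) per alert."""
    out = []
    for r in json.loads(log_file)["Records"]:
        who, name = actor(r), r.get("eventName", "")
        if r.get("userIdentity", {}).get("type") == "Root":
            out.append(("root-activity", who, name))
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            out.append(("console-login-without-mfa", who, name))
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            out.append(("trail-tampering", who, name))
        if "errorCode" in r:  # denied or failed call: who tried what, and when
            out.append(("failed-call:" + r["errorCode"], who, name))
    return out
```

On the sample file this yields five findings, including the root-initiated `StopLogging` that a trail-tampering alert should escalate; the same function runs unchanged over a real log file read from the S3 bucket.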

More articles by Rohit Singh
