Moving complex resources and workloads to the cloud can make it hard for your organization to analyze and understand everything in your AWS environment. AWS CloudTrail is a management service provided by AWS that enables governance, compliance, operational auditing, and risk auditing of your AWS account. CloudTrail records the API calls made in your account as events, so you can see who made a change, where it was made from (source IP address and user agent), and when it was made. These audit logs are the primary record of activity in an AWS environment and the starting point for most incident investigations.

With AWS CloudTrail, you can search and track account activity to monitor user changes, compliance, API error rates, and risks.

These capabilities simplify troubleshooting in your AWS environment and help you identify areas that need improvement.

In this tutorial, we’ll explore using AWS CloudTrail to monitor activity and track user changes in our AWS account.

Features of CloudTrail

  • Multi-Regional: A multi-region trail records events from every AWS Region in the partition, including Regions you have not used yet and Regions added later, and delivers them all to one S3 bucket. Trails created in the console are multi-region by default; a single-region trail only records its home Region and misses anything an attacker does elsewhere.
  • Event History: The Event history tab shows the management events recorded for your account over the last 90 days, from every service that reports to CloudTrail (S3, Lambda, DynamoDB, and the rest), whether or not you have created a trail. It does not show data events.
  • File Encryption: Log files delivered to S3 are encrypted with S3-managed keys (SSE-S3) by default; you can instead choose an AWS KMS key (SSE-KMS), which lets you control through the key policy who is able to decrypt the logs.
  • File Integrity: Log file validation makes CloudTrail deliver hourly digest files that list the SHA-256 hash of every log file delivered in that hour. Each digest is signed with CloudTrail’s private key (SHA256withRSA) and chained to the previous digest, so running `aws cloudtrail validate-logs` recomputes the hashes, checks the signatures, and reports any log file that was modified, deleted, or forged after delivery.
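
The hash side of that integrity check, as an added example that is not part of the original page: it rebuilds the digest chain CloudTrail delivers (each digest lists the SHA-256 of the hour’s log files and the key and hash of the previous digest), then walks the chain backwards and recomputes every hash, the way `aws cloudtrail validate-logs` does. The RSA signature check on each digest (against the public key from `aws cloudtrail get-public-key`) is not reproduced here. The account ID, object keys, and bucket contents are constructed sample data, and only the digest fields this check needs are populated.

```python
import gzip
import hashlib
import json

ACCOUNT = "111122223333"   # assumed account id for the sample keys
LOG_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/01/15/"
DIGEST_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/01/15/"
LATEST_DIGEST = DIGEST_PREFIX + "digest_T1200Z.json.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def log_object(records):
    """A log file as CloudTrail delivers it: gzipped JSON {"Records": [...]}."""
    return gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)


def digest_object(key, log_keys, bucket, prev_key):
    """A digest in the shape CloudTrail delivers (signature fields omitted): the
    SHA-256 of every log file for the hour, plus the key and hash of the previous
    digest, which chains the digests together."""
    digest = {
        "digestS3Object": key,
        "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(bucket[k])}
                     for k in log_keys],
        "previousDigestS3Object": prev_key,
        "previousDigestHashAlgorithm": "SHA-256" if prev_key else None,
        "previousDigestHashValue": sha256_hex(bucket[prev_key]) if prev_key else None,
    }
    return gzip.compress(json.dumps(digest).encode(), mtime=0)


def build_bucket():
    """Constructed bucket contents: two hourly log files, each covered by a digest."""
    bucket = {}
    bucket[LOG_PREFIX + "log_T1000Z.json.gz"] = log_object([{"eventName": "CreateBucket"}])
    bucket[LOG_PREFIX + "log_T1100Z.json.gz"] = log_object([{"eventName": "StopLogging"}])
    first = DIGEST_PREFIX + "digest_T1100Z.json.gz"
    bucket[first] = digest_object(first, [LOG_PREFIX + "log_T1000Z.json.gz"], bucket, None)
    bucket[LATEST_DIGEST] = digest_object(LATEST_DIGEST, [LOG_PREFIX + "log_T1100Z.json.gz"], bucket, first)
    return bucket


def validate_chain(bucket, latest_digest_key):
    """Walk the digest chain backwards from the newest digest and recompute every
    hash. Returns findings; an empty list means nothing covered was altered."""
    findings = []
    key = latest_digest_key
    while key is not None:
        raw = bucket.get(key)
        if raw is None:
            findings.append(f"digest missing: {key}")
            break
        digest = json.loads(gzip.decompress(raw))
        for entry in digest["logFiles"]:
            data = bucket.get(entry["s3Object"])
            if data is None:
                findings.append(f"log file missing: {entry['s3Object']}")
            elif sha256_hex(data) != entry["hashValue"]:
                findings.append(f"log file modified: {entry['s3Object']}")
        prev = digest["previousDigestS3Object"]
        if prev in bucket and sha256_hex(bucket[prev]) != digest["previousDigestHashValue"]:
            findings.append(f"digest chain broken at: {prev}")
        key = prev
    return findings


if __name__ == "__main__":
    print(validate_chain(build_bucket(), LATEST_DIGEST))   # clean chain: []
    tampered = build_bucket()
    # An intruder who can write to the bucket rewrites the 11:00 file to hide StopLogging.
    tampered[LOG_PREFIX + "log_T1100Z.json.gz"] = log_object([])
    print(validate_chain(tampered, LATEST_DIGEST))
```

The check only covers what the digests cover: a log file removed along with the digest that lists it leaves no trace here, which is why the digests are signed and chained, and why the bucket should deny deletes to everyone except a break-glass role.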

Getting Started

  • In the AWS Management Console, search for CloudTrail and open it.
  • Create a new trail by clicking Create trail.

  • Choose your trail attributes. Enter a trail name and a storage location (select an existing S3 bucket or create a new one). Enable log file SSE-KMS encryption and log file validation. Note that these settings encrypt and validate the CloudTrail log files themselves; they do not encrypt other AWS resources.

  • When you’re done configuring your Trail attributes, click on Next.
  • Next, choose the log events. CloudTrail records three types of events: management events, data events, and Insights events.

Management events record control-plane operations on resources (creating a bucket, changing an IAM policy, launching an instance). The first copy of management events delivered by a trail is free, and they can be viewed in Event history for 90 days. Data events record high-volume data-plane operations (S3 object-level calls such as PutObject and GetObject, Lambda function invocations, DynamoDB item-level operations); they are charged per event and never appear in Event history. Insights events flag unusual API call rates or error rates in your account relative to its normal baseline, which is how you spot credential abuse or a runaway script.

Only management events are free; data events and Insights events incur charges. In this tutorial, we’ll be using management events.

  • When you’re done configuring log events, click Next. Review the summary of your configuration, then click Create trail.

  • In your Trails dashboard, you’ll see the Trail you just created.
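
The settings chosen in the steps above are exactly the ones an attacker weakens first, so it is worth checking them in code rather than by eye. The following is an added example, not code from the original page: it audits a trail using the dictionaries boto3 returns from `describe_trails`, `get_trail_status`, and `get_event_selectors`, and checks the trail’s S3 bucket policy for the `aws:SourceArn` condition that stops a trail in another AWS account from writing into your log bucket. The trail ARN, the two trail definitions, and the two bucket policies are constructed sample data, not real API output.

```python
import copy

TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/management-events"  # assumed


def audit_trail(trail, status, selectors):
    """Findings for one trail, given its `describe_trails` entry, its
    `get_trail_status` response and its `get_event_selectors` response.
    An empty list means the trail matches the settings chosen above."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: activity in other Regions is not recorded")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events excluded: IAM, STS and CloudFront calls are missed")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation off: modified or deleted log files cannot be detected")
    if not trail.get("KmsKeyId"):
        findings.append("no KMS key: anyone who can read the bucket can read the logs")
    if not status.get("IsLogging"):
        findings.append("trail is stopped: nothing is being delivered")
    # Management events must be recorded and the selector must include writes;
    # a ReadOnly selector silently drops every change made to the account.
    writes_recorded = any(
        s.get("IncludeManagementEvents") and s.get("ReadWriteType", "All") in ("All", "WriteOnly")
        for s in selectors.get("EventSelectors", [])
    )
    if not writes_recorded:
        findings.append("management write events are not recorded by any event selector")
    return findings


def audit_bucket_policy(policy, trail_arn):
    """Check the statement that lets CloudTrail write to the bucket. Without an
    aws:SourceArn condition naming this trail, a trail in any other AWS account
    can be pointed at the bucket and write into it (confused deputy)."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        service = principal.get("Service", "") if isinstance(principal, dict) else ""
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or service != "cloudtrail.amazonaws.com" or "s3:PutObject" not in actions:
            continue
        # Condition keys are case-insensitive; the AWS docs spell this one AWS:SourceArn.
        conds = {k.lower(): v for block in stmt.get("Condition", {}).values() for k, v in block.items()}
        if conds.get("aws:sourcearn") != trail_arn:
            findings.append(f"statement {stmt.get('Sid')}: PutObject grant not pinned to {trail_arn} via aws:SourceArn")
    return findings


# Constructed sample data in the shape of the API responses (not real output).
WEAK_TRAIL = {
    "Name": "management-events", "TrailARN": TRAIL_ARN, "HomeRegion": "us-east-1",
    "S3BucketName": "example-trail-logs", "IsMultiRegionTrail": False,
    "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": False,
}
GOOD_TRAIL = dict(WEAK_TRAIL, IsMultiRegionTrail=True, LogFileValidationEnabled=True,
                  KmsKeyId="arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")
STATUS_LOGGING = {"IsLogging": True}
WEAK_SELECTORS = {"EventSelectors": [{"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True, "DataResources": []}]}
GOOD_SELECTORS = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]}

WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSCloudTrailWrite", "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-trail-logs/AWSLogs/111122223333/*",
}]}
HARDENED_POLICY = copy.deepcopy(WEAK_POLICY)
HARDENED_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {"AWS:SourceArn": TRAIL_ARN, "s3:x-amz-acl": "bucket-owner-full-control"}}

if __name__ == "__main__":
    for label, trail, sel, pol in (("weak", WEAK_TRAIL, WEAK_SELECTORS, WEAK_POLICY),
                                   ("hardened", GOOD_TRAIL, GOOD_SELECTORS, HARDENED_POLICY)):
        print(label, audit_trail(trail, STATUS_LOGGING, sel) + audit_bucket_policy(pol, TRAIL_ARN))
```

To run this against a real account, fetch the inputs with boto3: `describe_trails(trailNameList=[name])["trailList"][0]`, `get_trail_status(Name=arn)`, `get_event_selectors(TrailName=arn)`, and `json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])`. Trails configured with advanced event selectors return `AdvancedEventSelectors` instead of `EventSelectors`, which this function does not read.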

  • CloudTrail records activity in other services automatically; nothing has to be integrated with the trail. To generate some events, perform a management operation on an S3 bucket, for example create a bucket or change its bucket policy. Be aware that uploading an object is an S3 data event (PutObject): a management-events-only trail does not record it, and Event history never shows it. To capture object-level activity, add S3 data events to the trail (at additional cost) and read them from the delivered log files. The new management events appear in CloudTrail Event history, usually within 15 minutes of the API call.

  • In CloudTrail Event history, you’ll see the S3 management events you just generated alongside every other management event in the account.

  • Click an event to see its full record (the CloudTrail event JSON) and the resources it referenced.

  • You can filter Event history by AWS access key, Event ID, Event name, Event source, Read-only, Resource name, Resource type, and User name.

  • Filter by Event name for the bucket-level operation you performed earlier (for example PutBucketPolicy or CreateBucket); the record shows the bucket it was applied to.

  • In your S3 bucket, the trail delivers its log files as gzipped JSON under the prefix AWSLogs/<account-id>/CloudTrail/<region>/<year>/<month>/<day>/. If log file validation is enabled, the digest files are delivered under AWSLogs/<account-id>/CloudTrail-Digest/.

  • Under the CloudTrail prefix there is one folder per AWS Region, so a multi-region trail gives you the logs from every Region in a single bucket.
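
Reading those delivered files is how you investigate anything older than the 90 days Event history keeps, and how you reach data events at all. The following is an added example, not code from the original page: it decompresses one log object (gzipped JSON with a `Records` array), applies the same attribute filters Event history offers, separates management events from data events, and runs a few detections an investigator wants first (trail tampering, root usage, console logins without MFA, denied calls). The account ID, access keys, users, and all five records are constructed and abbreviated; real records carry more fields.

```python
import gzip
import itertools
import json

ACCOUNT = "111122223333"   # assumed account id for the sample
_ids = itertools.count(1)

ALICE = {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice",
         "accountId": ACCOUNT, "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "alice"}
BOB = {"type": "IAMUser", "principalId": "AIDAEXAMPLEBOB", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob",
       "accountId": ACCOUNT, "accessKeyId": "AKIAI44QH8DHBEXAMPLE", "userName": "bob"}
ROOT = {"type": "Root", "principalId": ACCOUNT, "arn": f"arn:aws:iam::{ACCOUNT}:root",
        "accountId": ACCOUNT, "accessKeyId": ""}


def _event(name, source, identity, **extra):
    """One CloudTrail record with the fields investigators filter on (abbreviated)."""
    record = {"eventVersion": "1.08", "eventID": f"00000000-0000-4000-8000-{next(_ids):012d}",
              "eventTime": "2024-01-15T10:00:00Z", "eventSource": source, "eventName": name,
              "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
              "userIdentity": identity, "eventType": "AwsApiCall", "readOnly": False,
              "managementEvent": True, "eventCategory": "Management", "recipientAccountId": ACCOUNT}
    record.update(extra)
    return record


# Constructed log file: what one delivered object looks like for a trail that also
# has S3 data events enabled, so the PutObject data event can be contrasted with the rest.
SAMPLE_LOG_FILE = gzip.compress(json.dumps({"Records": [
    _event("CreateBucket", "s3.amazonaws.com", ALICE,
           requestParameters={"bucketName": "example-trail-logs"}),
    _event("PutObject", "s3.amazonaws.com", ALICE, managementEvent=False, eventCategory="Data",
           requestParameters={"bucketName": "example-trail-logs", "key": "report.csv"}),
    _event("StopLogging", "cloudtrail.amazonaws.com", ALICE,
           requestParameters={"name": "management-events"}),
    _event("ConsoleLogin", "signin.amazonaws.com", ROOT, eventType="AwsConsoleSignIn",
           additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    _event("DescribeInstances", "ec2.amazonaws.com", BOB, readOnly=True,
           errorCode="Client.UnauthorizedOperation"),
]}).encode())


def load_log_file(data):
    """Decompress one delivered log object and return its Records array."""
    return json.loads(gzip.decompress(data))["Records"]


_LOOKUP = {   # the attributes Event history lets you filter on, mapped to record fields
    "EventId": lambda e: e.get("eventID"),
    "EventName": lambda e: e.get("eventName"),
    "EventSource": lambda e: e.get("eventSource"),
    "ReadOnly": lambda e: e.get("readOnly"),
    "AccessKeyId": lambda e: e.get("userIdentity", {}).get("accessKeyId"),
    "Username": lambda e: e.get("userIdentity", {}).get("userName"),
}


def lookup(events, **attrs):
    """Filter records the way Event history does, e.g. lookup(events, Username="alice")."""
    return [e for e in events if all(_LOOKUP[k](e) == v for k, v in attrs.items())]


def management_only(events):
    """What Event history would show: management events only (data events are never listed)."""
    return [e for e in events if e.get("managementEvent")]


def detect(events):
    """Records an investigator wants first: trail tampering, root use, MFA-less
    console logins, and denied calls (a common sign of credential probing)."""
    alerts = []
    for e in events:
        ident, name, src = e.get("userIdentity", {}), e.get("eventName"), e.get("eventSource")
        if src == "cloudtrail.amazonaws.com" and name in ("StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"):
            alerts.append(("trail tampering", name, ident.get("arn")))
        if ident.get("type") == "Root":
            alerts.append(("root account activity", name, e.get("sourceIPAddress")))
        if name == "ConsoleLogin" and e.get("additionalEventData", {}).get("MFAUsed") == "No":
            alerts.append(("console login without MFA", ident.get("arn"), e.get("sourceIPAddress")))
        if e.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation"):
            alerts.append(("access denied", name, ident.get("arn")))
    return alerts


if __name__ == "__main__":
    events = load_log_file(SAMPLE_LOG_FILE)
    print([e["eventName"] for e in lookup(events, Username="alice")])
    print([e["eventName"] for e in management_only(events)])
    for alert in detect(events):
        print(alert)
```

Against a real bucket, list the objects under the CloudTrail prefix for the day in question, download each one, and concatenate the `Records` arrays before filtering; the detections run unchanged. The `StopLogging` call in the sample is the event to page on: once it succeeds, nothing after it is recorded.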


Conclusion

You can see how quickly AWS CloudTrail can be enabled and configured, and how easily log events can be viewed in the Event history dashboard. CloudTrail’s primary function is to record the API calls made in your AWS account, whether a request came from an SDK, from the AWS CLI, or from the AWS Management Console. With our open-source workflows, you can send an API request with our ops CLI to automatically enable logging and events for your AWS resources. Sign up to get started for free.