AWS CloudTrail features

Overview

AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting. CloudTrail records user activity and API calls across AWS services as events. CloudTrail events help you answer the question of "Who did what, where, and when?"

CloudTrail records four categories of events:

  • Management events that capture control plane actions on resources, such as creating or deleting Amazon Simple Storage Service (S3) buckets.
  • Data events that capture data plane actions within a resource, such as reading or writing an Amazon S3 object.
  • Network activity events that capture actions made using VPC endpoints from a private VPC to the AWS service, including AWS API calls that were denied access (in preview).
  • Insights events that help AWS users identify and respond to unusual activity associated with API calls and API error rates by continuously analyzing CloudTrail management events. 

AWS CloudTrail Event History

Event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of management events in an AWS Region. There are no CloudTrail charges for viewing Event history.

CloudTrail Event history is enabled on all AWS accounts and records management events across AWS services without the need for any manual setup. With AWS Free Tier, you can view, search, and download the most recent 90-day history of your account’s management events at no charge using the CloudTrail console or by using the CloudTrail lookup-events API. To learn more, see Viewing events with CloudTrail Event history.

AWS CloudTrail trails

Trails capture a record of AWS account activities, delivering, and storing these events in Amazon S3, with optional delivery to Amazon CloudWatch Logs and Amazon EventBridge. These events can be fed into your security monitoring solutions. You can use your own third-party solutions or solutions such as Amazon Athena for searching and analyzing logs captured by CloudTrail. You can create trails for a single AWS account or for multiple AWS accounts by using AWS Organizations.

You can deliver your CloudTrail events to S3 and optionally to CloudWatch Logs by creating trails. By doing this, you get the complete event details, and you can export and store events as you like. To learn more, see Creating a trail for your AWS account.

You can validate the integrity of CloudTrail log files stored in your S3 bucket and detect whether the log files were unchanged, modified, or deleted since CloudTrail delivered them to your S3 bucket. You can use log file integrity validation in your IT security and auditing processes. By default, CloudTrail encrypts all log files delivered to your specified S3 bucket by using S3 server-side encryption (SSE). If necessary, you can also add a layer of security to your CloudTrail log files by encrypting the log files with your AWS Key Management Service (KMS) key. If you have decrypt permissions, S3 automatically decrypts your log files. For more information, see Encrypting CloudTrail log files with AWS KMS–managed keys (SSE-KMS).

You can configure CloudTrail to capture and store events from multiple AWS Regions in a single location. This configuration certifies that all settings apply consistently across existing and newly launched Regions. To learn more, see Receiving CloudTrail log files from multiple Regions.

You can configure CloudTrail to capture and store events from multiple AWS accounts in a single location. This configuration verifies that all settings apply consistently across all existing and newly created accounts. To learn more, see Creating a trail for an organization.

AWS CloudTrail Lake

CloudTrail Lake is a managed data lake for capturing, storing, accessing, and analyzing user and API activity on AWS for audit and security purposes. You can aggregate, visualize, query, and immutably store your activity logs from both AWS and non-AWS sources. IT auditors can use CloudTrail Lake as an immutable record of all activities to meet audit requirements. Security administrators can verify that user activity is in accordance with internal policies. DevOps engineers can troubleshoot operational issues such as an unresponsive Amazon Elastic Compute Cloud (EC2) instance or a resource being denied access. 

Because CloudTrail Lake is a managed audit and security lake, your events are stored within the lake. CloudTrail Lake grants read-only access to prevent changes to log files. Read-only access means that events are immutable.

With CloudTrail Lake, you can run SQL-based queries on activity logs for auditing within the lake or you can run SQL queries on your CloudTrail events to dive deeper on data from CloudTrail Lake dashboards. You can also use the natural language query generation in CloudTrail Lake (in preview) to more simply analyze your AWS activity events in CloudTrail Lake without having to write complex SQL queries. Additionally, you can use Amazon Athena to interactively query your CloudTrail Lake auditable logs alongside data from other sources without the operational complexity of moving or replicating data. For example, security engineers can use Athena to correlate activity logs in CloudTrail Lake with application and traffic logs in Amazon S3 for security incident investigations. Compliance and operation engineers can now visualize activity logs in CloudTrail Lake with Amazon QuickSight and Amazon Managed Grafana for compliance, cost, and usage reporting.

With AWS CloudTrail Lake, you can consolidate activity events from AWS and sources outside AWS — including data from other cloud providers, in-house applications, and SaaS applications running in the cloud or on premises  — without having to maintain multiple log aggregators and reporting tools. You can also ingest data from other AWS services, like configuration items from AWS Config or audit evidence from AWS Audit Manager. You can use CloudTrail Lake APIs to set up your data integrations and push events to CloudTrail Lake. To integrate with third-party tools, you can start receiving activity events from these applications in a few steps through partner integrations in the CloudTrail console.

CloudTrail Lake helps you capture and store events from multiple Regions.

By using CloudTrail Lake, you can capture and store events for accounts across your AWS Organizations. Additionally, you can designate up to three delegated administrator accounts to create, update, query, or delete organization trails or CloudTrail Lake event data stores at the organization level.

AWS CloudTrail Insights

AWS CloudTrail Insights events help AWS users identify and respond to unusual activity associated with API calls and API error rates by continuously analyzing CloudTrail management events. CloudTrail Insights analyzes your normal patterns of API call volume and API error rates, also called the baseline, and generates Insights events when the call volume or error rates are outside normal patterns. You can enable CloudTrail Insights in your trails or event data stores to detect anomalous behavior and unusual activity.