<p>2025-05-15 · DevOpsN</p>
<h1>What is AWS CloudTrail? A Comprehensive Beginner's Guide</h1>
<p>Tags: AWS, CloudTrail, Security, Auditing, Compliance</p>
<div class="toc">
<h3>Table of Contents</h3>
<ul>
<li><a href="#what-is-cloudtrail">What is CloudTrail?</a></li>
<li><a href="#how-it-works">How It Works</a></li>
<li><a href="#event-types">Event Types</a></li>
<li><a href="#event-history-vs-trails">Event History vs. Trails</a></li>
<li><a href="#practical-example">Practical Example: Analyzing an Event</a></li>
<li><a href="#pricing">Pricing</a></li>
<li><a href="#faq">Frequently Asked Questions (FAQ)</a></li>
</ul>
</div>
<h2 id="what-is-cloudtrail">What is CloudTrail?</h2>
<p>AWS CloudTrail acts like a surveillance camera (CCTV) for your AWS account. It runs quietly in the background, recording all API calls and user activities. It allows you to see exactly who accessed what resource, when, and from where.</p>
<h2 id="how-it-works">How It Works</h2>
<p>The logic behind CloudTrail is simple:</p>
<ol>
<li><strong>Record:</strong> It captures every API call made in your account (via console, CLI, or SDK).</li>
<li><strong>Store:</strong> It sends these records (logs) to an S3 bucket you specify or to CloudWatch Logs.</li>
<li><strong>Integrate:</strong> It integrates with Amazon EventBridge (formerly CloudWatch Events) so that specific events, such as a root user login, can trigger an automated response.</li>
</ol>
<h2 id="event-types">Event Types</h2>
<p>CloudTrail events are categorized into three main types:</p>
<h3 id="management-events">1. Management Events</h3>
<p>These are control plane operations. For example:</p>
<ul>
<li>Launching an EC2 instance (<code>RunInstances</code>)</li>
<li>Creating an S3 bucket (<code>CreateBucket</code>)</li>
<li>Creating an IAM user</li>
</ul>
<p>These events are recorded by default, and the first trail is free.</p>
<h3 id="data-events">2. Data Events</h3>
<p>These are data plane operations. They cover access to data within resources. For example:</p>
<ul>
<li>Reading a file in an S3 bucket (<code>GetObject</code>)</li>
<li>Invoking a Lambda function (<code>Invoke</code>)</li>
</ul>
<p>These events can be very high volume, are disabled by default, and incur additional charges.</p>
<h3 id="insights-events">3. Insights Events</h3>
<p>These are for detecting anomalies. For instance, if an API call normally made 5 times a minute is suddenly made 500 times, CloudTrail Insights records this as an anomaly.</p>
<h2 id="event-history-vs-trails">Event History vs. Trails</h2>
<p>Two concepts often confused by beginners:</p>
<ul>
<li><strong>Event History:</strong> A console view of the last 90 days of management events, available for free. It is enabled by default, but it supports only viewing and simple filtering.</li>
<li><strong>Trail:</strong> If you want to store events longer than 90 days, archive them to S3, analyze them with CloudWatch, or capture Data Events, you must create a "Trail".</li>
</ul>
<h2 id="practical-example">Practical Example: Analyzing an Event</h2>
<p>Below is a typical CloudTrail Management Event example generated when a user logs into the AWS console:</p>
<pre><code class="language-json">
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAEXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/example-user",
    "accountId": "123456789012",
    "userName": "example-user"
  },
  "eventTime": "2024-05-15T10:00:00Z",
  "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.0",
  "userAgent": "Mozilla/5.0",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Success"
  }
}
</code></pre>
<p>With this log, you can see who (<code>userName</code>), when (<code>eventTime</code>), and from which IP address (<code>sourceIPAddress</code>) the login occurred.</p>
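<p>As an added example (not code from the original post), the following Python reads a constructed log file in the <code>{"Records": [...]}</code> shape that a trail delivers to S3, extracts the who/when/where for each record, and flags the root and failed console logins that the Integrate step above would route to an alert. The root identity, the failed login, the <code>RunInstances</code> record and the second IP address are constructed for the example; only the <code>example-user</code> login is taken from the page.</p>

```python
import json

def _rec(identity, name, source, ip, time, resp=None):
    """One constructed CloudTrail record carrying the fields the page walks through."""
    return {"eventVersion": "1.08", "userIdentity": identity, "eventTime": time,
            "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
            "sourceIPAddress": ip, "userAgent": "Mozilla/5.0", "responseElements": resp}

# Constructed data: the page's IAM user, the account root user, and a log file in the
# shape a trail delivers to S3 ({"Records": [...]}).
USER = {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "accountId": "123456789012",
        "arn": "arn:aws:iam::123456789012:user/example-user", "userName": "example-user"}
ROOT = {"type": "Root", "principalId": "123456789012", "accountId": "123456789012",
        "arn": "arn:aws:iam::123456789012:root"}
SAMPLE_LOG = json.dumps({"Records": [
    _rec(USER, "ConsoleLogin", "signin.amazonaws.com", "203.0.113.0",
         "2024-05-15T10:00:00Z", {"ConsoleLogin": "Success"}),
    _rec(USER, "ConsoleLogin", "signin.amazonaws.com", "198.51.100.7",
         "2024-05-15T10:03:00Z", {"ConsoleLogin": "Failure"}),
    _rec(ROOT, "ConsoleLogin", "signin.amazonaws.com", "198.51.100.7",
         "2024-05-15T10:05:00Z", {"ConsoleLogin": "Success"}),
    _rec(USER, "RunInstances", "ec2.amazonaws.com", "203.0.113.0", "2024-05-15T10:07:00Z"),
]})

def who(identity):
    """Answer 'who': a root login carries no userName, so do not rely on that key alone."""
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName") or identity.get("arn", "unknown")

def login_outcome(record):
    """ConsoleLogin reports Success/Failure in responseElements; other events do not."""
    return (record.get("responseElements") or {}).get("ConsoleLogin", "n/a")

def summarize(log_text):
    """Who / when / where / what / outcome for every record in a delivered log file."""
    return [(who(r["userIdentity"]), r["eventTime"], r["sourceIPAddress"],
             r["eventName"], login_outcome(r)) for r in json.loads(log_text)["Records"]]

def findings(log_text):
    """Flag root console logins and failed console logins, the cases worth an alert."""
    out = []
    for r in json.loads(log_text)["Records"]:
        if r["eventName"] != "ConsoleLogin":
            continue
        if r["userIdentity"].get("type") == "Root" and login_outcome(r) == "Success":
            out.append(("root-console-login", r["sourceIPAddress"], r["eventTime"]))
        elif login_outcome(r) == "Failure":
            out.append(("failed-console-login", r["sourceIPAddress"], r["eventTime"]))
    return out
```

<p>Calling <code>summarize(SAMPLE_LOG)</code> gives one (who, when, where, event, outcome) row per record, and <code>findings(SAMPLE_LOG)</code> returns only the failed login and the root login.</p>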
<h2 id="pricing">Pricing</h2>
<p>CloudTrail pricing is as follows:</p>
<ul>
<li><strong>Management Events:</strong> The first copy of management events delivered by a trail is free. Additional copies are charged.</li>
<li><strong>Data Events:</strong> Charged per 100,000 events processed.</li>
<li><strong>Insights Events:</strong> Charged based on the number of events analyzed.</li>
</ul>
<h2 id="faq">Frequently Asked Questions (FAQ)</h2>
<div class="faq-section">
<h3>How long can I store CloudTrail logs?</h3>
<p>In Event History, 90 days. However, if you create a Trail and send logs to S3, you can store them for years according to S3 lifecycle rules (e.g., by moving them to Glacier).</p>
<h3>Does CloudTrail affect performance?</h3>
<p>No, CloudTrail operates asynchronously and does not affect the performance (latency) of your applications.</p>
<h3>Which events are not recorded?</h3>
<p>Some high-volume or sensitive service details (e.g., certain CloudWatch metrics or STS calls) may not be fully recorded. Check the <a href="https://docs.aws.amazon.com/cloudtrail/">AWS documentation</a> for details.</p>
</div>
<p>For more information, you can check our <a href="/en/tech/aws-consultancy">AWS Consultancy</a> services or <a href="/en/tech/kubernetes-consultancy">Kubernetes Consultancy</a> solutions. You can also follow all developments about <a href="/en">DevOpsN</a> on our homepage.</p>
<p><em>Source: https://awsfundamentals.com/blog/aws-cloudtrail-introduction</em></p>