1. What is AWS CloudTrail?
AWS CloudTrail is a service that enables you to track and monitor activity in your AWS account. It provides a record of API calls made to AWS services, as well as changes made to resources in your account. CloudTrail can be used to help you audit your account activity, troubleshoot issues, and ensure compliance with policies and regulatory requirements. It is an important tool for anyone using AWS, as it provides valuable insights into the activity within your account and helps you to maintain control and visibility over your resources
2. What are the benefits of CloudTrail?
CloudTrail helps you prove compliance, improve security posture, and consolidate activity records across Regions and accounts. CloudTrail provides visibility into user activity by recording actions taken on your account. CloudTrail records important information about each action, including who made the request, the services used, the actions performed, parameters for the actions, and the response elements returned by the AWS service.
This information helps you track changes made to your AWS resources and troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
3. Who should use CloudTrail?
AWS CloudTrail is a service that is useful for a wide range of users, including:
- Developers and IT professionals who use AWS services in their applications or infrastructure
- Security and compliance professionals who need to monitor and track activity in their AWS account
- System administrators who want to troubleshoot issues or identify security threats in their AWS environment
- Business leaders who need to ensure compliance with regulatory requirements or company policies
In general, anyone who uses AWS services and wants to monitor and log activity in their account would benefit from using CloudTrail. It is an important tool for maintaining control and visibility over your AWS resources and ensuring that your account is being used in an appropriate and secure manner.
4. Can you explain how to create a Trail in AWS CloudTrail?
Amazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS accounts. With CloudTrail, we can log, continuously monitor, and retain account activity related to actions across our AWS infrastructure.
To create a Trail in AWS CloudTrail, follow these steps:
- Sign in to the AWS Management Console, and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
- In the CloudTrail console, choose Create Trail.
- On the Create Trail page, enter a name for your Trail.
- Under “Create a new S3 bucket or specify an existing bucket”, choose “Create a new S3 bucket”. Enter a name for your S3 bucket and choose Next.
- Under “Storage location”, choose the region where you want to store your log files.
- Under “Log file delivery”, choose whether you want to enable real-time delivery of log files to an Amazon SNS topic. This will allow you to receive notifications when new log files are delivered to your S3 bucket.
- Under “Management events”, choose the types of events that you want to record. You can record all management events, or you can select specific event types.
- Under “Data events”, choose whether you want to record data events. If you choose to record data events, you can also select specific S3 buckets and/or specific event types to record.
- Choose Create Trail.
The Trail is be created and CloudTrail will begin recording the specified events in the specified S3 bucket.
5. When would you use multiple Trails in CloudTrail?
Multiple Trails can be useful in a few different situations. One common use case is to have one Trail enabled for all regions, and then have additional Trails enabled for specific regions of interest. This can be helpful if you want to track activity in all regions, but want to be able to more easily drill down into activity in specific regions.
Another common use case is to have one Trail enabled for all AWS accounts in an organization, and then have additional Trails enabled for specific AWS accounts of interest. This can be helpful in tracking activity across an organization, while still being able to easily drill down into activity in specific AWS accounts.
6. How can we enable logging for S3 buckets using CloudTrail?
In order to enable logging for S3 buckets using CloudTrail, you will need to create a new trail and specify the buckets that you would like to log. CloudTrail will then automatically create log files for all activity in those buckets, which you can use to track what is happening in your S3 storage.
7. Is it possible to turn off logging for certain events with CloudTrail? If yes, then how?
Yes, it is possible to turn off logging for certain events with CloudTrail. You can do this by creating a trail with a filter that excludes the events that you don’t want to log.
8. Can you give me some examples of real-world usage of CloudTrail?
Here are some examples of real-world usage of Amazon CloudTrail:
- Auditing: CloudTrail can be used to audit the actions taken by users, roles, and AWS services in your AWS account. You can use CloudTrail logs to identify when and by whom specific actions were taken, such as when an Amazon EC2 instance was launched or when an IAM user’s permissions were modified.
- Compliance: Many regulatory frameworks, such as PCI DSS and HIPAA, require organizations to maintain an audit trail of their actions in the cloud. CloudTrail can be used to meet these compliance requirements by providing a record of all actions taken in your AWS account.
- Security: CloudTrail can be used to monitor for suspicious activity in your AWS account. For example, you can set up CloudTrail to send an alert to an Amazon SNS topic if a root user logs in to your account, or if an IAM user’s permissions are changed in a way that could compromise security.
- Troubleshooting: If you experience an issue with a service in your AWS account, you can use CloudTrail logs to identify the cause of the problem. For example, if an Amazon EC2 instance is not launching, you can use CloudTrail logs to see if there were any errors or issues during the launch process.
9. Can you explain what multi-region and global services are in context with CloudTrail?
Multi-region and global services are services that are available in multiple AWS regions. CloudTrail logs events for these services, regardless of the region in which they were performed. This allows you to track activity for these services across all regions from a single location.
10. Do all API calls made by an IAM user show up on CloudTrail logs? If not, which ones don’t?
No, not all API calls made by an IAM user show up on CloudTrail logs. By default, all API calls made by an IAM user, including calls made using the AWS Management Console, the AWS CLI, and other tools, are recorded in CloudTrail logs. This includes calls made using the AWS API, the AWS Management Console, the AWS CLI, the AWS SDKs, and other tools.
However, there are some exceptions to this. Some API calls are not recorded in CloudTrail logs, including:
- Calls made using AWS CloudFormation StackSets
- Calls made to the CloudTrail API to create or delete trails
- Calls made to the CloudTrail API to get a list of trails
- Calls made to the CloudTrail API to start and stop logging
- Calls made to the CloudTrail API to update a trail
In addition, CloudTrail does not record data events for certain services by default. Data events are events that are related to the storage and retrieval of data, such as when an object is added to or deleted from an Amazon S3 bucket. You can enable data event logging for these services if you want to record data events in CloudTrail logs.
11. How do you get the list of all trails created in your AWS account?
You can get the list of all trails created in your AWS account by using the AWS CloudTrail console, the AWS CloudTrail API, or the AWS Command Line Interface (CLI).
To get the list of all trails created in your AWS account, you can use the
ListTrails API action or the
describe-trails by AWS CLI command.
Here’s an example of how to use the
ListTrails API action to get the list of trails in your AWS account:
aws cloudtrail list-trails
This will return a list of all trails in your AWS account, including the name of the trail and the Amazon S3 bucket where the log files are stored.
Here’s an example of how to use the
describe-trails AWS CLI command to get the list of trails in your AWS account:
aws cloudtrail describe-trails
This will also return a list of all trails in your AWS account, including the name of the trail and the Amazon S3 bucket where the log files are stored.
Alternatively, you can also use the CloudTrail console to view a list of trails in your AWS account. To do this, sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/. The console will display a list of all trails in your AWS account.
12. Can you give me more details about the data provided by CloudTrail event history?
CloudTrail event history provides a record of all API activity in your AWS account, including information on who made the request, when it was made, what resources were accessed, and what actions were taken. This data can be extremely helpful in troubleshooting and auditing your AWS account activity.
13. If I am a new AWS customer or an existing AWS customer and don’t have CloudTrail set up, do I need to enable or set up anything to view my account activity?
No, nothing is required to begin viewing your account activity. You can visit the AWS CloudTrail console or AWS CLI and begin viewing up to the past 90 days of account activity.
14. Does the CloudTrail Event History show all account activity within my account?
AWS CloudTrail will only show the results of the CloudTrail Event history for the current Region you are viewing for the last 90 days and supports a range of AWS services. These events are limited to management events that create, modify, and delete API calls and account activity. For a complete record of account activity, including all management events, data events, and read-only activity, you must configure a CloudTrail trail.
15. What search filters can I use to view my account activity?
You can specify the Time range and one of the following attributes: event name, user name, resource name, event source, event ID, and resource type.
16. Can I use the lookup-events CLI command even if I don’t have a trail configured?
Yes, you can visit the CloudTrail console or use the CloudTrail API/CLI and begin viewing the past 90 days of account activity.
17. Is it possible to configure CloudWatch metrics for CloudTrail logs? If so, where can you find these metrics?
Yes, it is possible to configure CloudWatch metrics for CloudTrail logs. You can find these metrics by going to the CloudWatch console and selecting the “Metrics” tab. From there, you should see a list of all the available CloudTrail metrics.
18. What happens to existing log files when you update a trail?
When you update an existing trail, any new log files that are created will be automatically included in the trail. However, any existing log files will not be affected.
19. What additional CloudTrail features are available after creating a trial?
Set up a CloudTrail trail to deliver your CloudTrail events to Amazon Simple Storage Service (S3), Amazon CloudWatch Logs, and Amazon CloudWatch Events. This helps you use features to archive, analyze, and respond to changes in your AWS resources.
20. Can I restrict user access from viewing the CloudTrail Event History?
Yes, CloudTrail integrates with AWS Identity and Access Management (IAM), which helps you control access to CloudTrail and to other AWS resources that CloudTrail requires. This includes the ability to restrict permissions to view and search account activity. Remove the “cloudtrail:LookupEvents” from the User IAM policy to prevent that IAM user from viewing account activity.
21. Is there any cost associated with CloudTrail Event History being enabled on my account upon creation?
There is no additional cost for enabling CloudTrail Event History on your AWS account. However, there are costs associated with storing the log data that CloudTrail generates. The cost of storing CloudTrail log data depends on the volume of log data that you generate and the duration for which you store the log data
22. Can you tell me if there’s any way to access or download my CloudTrail log files from Amazon S3?
Yes, you can access and download your CloudTrail log files from Amazon S3. You can either use the AWS Management Console or the AWS Command Line Interface (CLI).
23. Can I turn off CloudTrail Event History for my account?
Yes, you can turn off CloudTrail Event History for your AWS account by deleting the CloudTrail trails that are capturing events. When you delete a CloudTrail trail, CloudTrail will stop capturing events for that trail and delete the log data that has been stored in Amazon S3
24. Can you explain what log file integrity validation is?
Log file integrity validation is a process that helps to ensure that the log files generated by AWS CloudTrail have not been tampered with. This is accomplished by calculating a cryptographic hash for each log file and then comparing that hash to a known hash value. If the two values match, then the log file has not been modified and can be considered valid.
25. What steps should be taken to ensure that unauthorized users cannot modify or delete CloudTrail log files from Amazon S3?
The first step is to ensure that the Amazon S3 bucket that CloudTrail log files are being stored in is not publicly accessible. The second step is to create an IAM role that has read-only access to the bucket and assign that role to the CloudTrail service. Finally, you should configure CloudTrail to encrypt log files at rest using AWS KMS.
26. Can you explain what trail tags are?
Trail tags are key-value pairs that you can use to organize and categorize your AWS CloudTrail trails. You can add tags to a trail when you create it or edit tags for an existing trail.
27. What does continuous monitoring mean in the context of CloudTrail?
Continuous monitoring in CloudTrail means that the service is constantly monitoring for changes to your AWS account and will immediately notify you of any changes that occur. This allows you to quickly identify and respond to any potential security threats.
28. What is the difference between management events and data events in CloudTrail?
Management events are actions that are performed on your AWS account, such as creating or deleting an Amazon S3 bucket. Data events are actions that are performed on the resources in your AWS account, such as reading or writing data to an Amazon S3 bucket.
29. What is the maximum size allowed for each CloudTrail log file?
The maximum size of a CloudTrail log file is 250 MB. When CloudTrail generates log data, it stores the log data in log files that are delivered to the Amazon S3 bucket that you specify. Each log file has a maximum size of 250 MB, and when a log file reaches this size, CloudTrail creates a new log file and begins storing new log data in the new file.
Keep in mind that the maximum size of a log file applies to the uncompressed size of the file. If you enable data event logging for CloudTrail, the log data for data events may be compressed before it is stored in the log file. In this case, the actual size of the log file may be smaller than the maximum size.
30. What is the default retention period for log files stored in the s3 bucket used by CloudTrail?
The default retention period for log files stored in the s3 bucket used by CloudTrail is 90 days.
Services and Region support
31. What services are supported by CloudTrail?
CloudTrail records account activity and service events from most AWS services.
32. Are API calls made from the AWS Management Console recorded?
Yes. CloudTrail records API calls made from any client. The AWS Management Console, AWS Software Development Kits (SDKs), command line tools, and higher-level AWS services call AWS API operations, so these calls are recorded.
33. Where are my log files stored and processed before they are delivered to my S3 bucket?
Activity information for services with Regional endpoints (such as Amazon Elastic Compute Cloud [EC2] or Amazon Relational Database Service [RDS]) is captured and processed in the same Region as the action is made. It is then delivered to the Region associated with your S3 bucket. Activity information for services with single endpoints such as IAM and AWS Security Token Service (STS) is captured in the Region where the endpoint is located. It is then processed in the Region where the CloudTrail trail is configured and delivered to the Region associated with your S3 bucket.
Applying a trial to all Regions
34. What does it mean to apply a trail to all AWS Regions?
Applying a trail to all AWS Regions refers to creating a trail that will record AWS account activity across all Regions in which your data is stored. This setting also applies to any new Regions added.
35. What are the benefits of applying a trail to all Regions?
You can create and manage a trail across all Regions in the partition in one API call or a few selections. You will receive a record of account activity made in your AWS account across all Regions to one S3 bucket or CloudWatch Logs group. When AWS launches a new Region, you will receive the log files containing the event history for the new Region without taking any action.
36. How do I apply a trail to all Regions?
In the CloudTrail console, you select yes to apply to all Regions in the trail configuration page. If you are using the SDKs or AWS CLI, you set the IsMultiRegionTrail to true.
37. What happens when I apply a trail to all Regions?
Once you apply a trail in all Regions, CloudTrail will create a new trail by replicating the trail configuration. CloudTrail will record and process the log files in each Region and deliver log files containing account activity across all Regions to a single S3 bucket and a single CloudWatch Logs log group. If you specified an optional Amazon Simple Notification Service (SNS) topic, CloudTrail will deliver Amazon SNS notifications for all log files delivered to a single SNS topic.
38. Can I apply an existing trail to all Regions?
Yes. You can apply an existing trail to all Regions. When you apply an existing trail to all Regions, CloudTrail will create a new trail for you in all Regions. If you previously created trails in other Regions, you can view, edit, and delete those trails from the CloudTrail console.
39. How long will it take for CloudTrail to replicate the trail configuration to all Regions?
Typically, it will take less than 30 seconds to replicate the trail configuration to all Regions.
40. How many trails can I create in a Region?
You can create up to five trails in a Region. A trail that applies to all Regions exists in each Region and is counted as one trail in each Region.
41. What is the benefit of creating multiple trails in a Region?
With multiple trails, different stakeholders such as security administrators, software developers, and IT auditors can create and manage their own trails. For example, a security administrator can create a trail that applies to all Regions and configure encryption using one Amazon Key Management Service (KMS) key. A developer can create a trail that applies to one Region for troubleshooting operational issues.
42. Does CloudTrail support resource-level permissions?
Yes. Using resource-level permissions, you can write granular access control policies to allow or deny access to specific users for a particular trail.
Security and expiration
43. How can I secure my CloudTrail log files?
By default, CloudTrail log files are encrypted using S3 server-side encryption (SSE) and placed into your S3 bucket. You can control access to log files by applying IAM or S3 bucket policies. You can add an additional layer of security by enabling S3 multi-factor authentication (MFA) Delete on your S3 bucket.
44. Where can I download a sample S3 bucket policy and an SNS topic policy?
You can download a sample S3 bucket policy and an SNS topic policy from the CloudTrail S3 bucket. You must update the sample policies with your information before you apply them to your S3 bucket or SNS topic.
45. How long can I store my activity log files?
You control the retention policies for your CloudTrail log files. By default, log files are stored indefinitely. You can use S3 Object lifecycle management rules to define your own retention policy. For example, you might want to delete old log files or archive them to Amazon Simple Storage Service Glacier (S3 Glacier).
Event message, timeliness, and delivery frequency
46. What information is available at an event?
An event contains information about the associated activity: who made the request, the services used, the actions performed, the parameters for the action, and the response elements returned by the AWS service.
47. How long does it take CloudTrail to deliver an event for an API call?
CloudTrail typically delivers events for API calls within 15 minutes of the API call being made. The actual delivery time may vary depending on a number of factors, such as the volume of API calls being made and the number of trails that are configured to capture events
48. How often will CloudTrail deliver log files to my S3 bucket?
CloudTrail delivers log files to your S3 bucket approximately every five minutes. CloudTrail does not deliver log files if no API calls are made to your account.
49. Can I be notified when new log files are delivered to my S3 bucket?
Yes. You can turn on Amazon SNS notifications to take immediate action on the delivery of new log files.
50. What happens if CloudTrail is turned on for my account but my S3 bucket is not configured with the correct policy?
CloudTrail log files are delivered in accordance with the S3 bucket policies that you have in place. If the bucket policies are misconfigured, CloudTrail will not be able to deliver log files.
51. What are data events?
Data events provide insights into the resource (data plane) operations performed on or within the resource itself. Data events are often high-volume activities and include operations such as S3 object-level API operations and AWS Lambda function invoke API. Data events are deactivated by default when you configure a trail. To record CloudTrail data events, you must explicitly add the supported resources or resource types you want to collect activity on. Unlike management events, data events incur additional costs.
52. How can I consume data events?
Data events that are recorded by CloudTrail are delivered to S3, similar to management events. Once enabled, these events are also available in Amazon CloudWatch Events.
53. What are S3 data events? How do I record them?
S3 data events represent API activity on S3 Objects. To get CloudTrail to record these actions, you specify an S3 bucket in the data events section when creating a new trail or modifying an existing one. Any API actions on the Objects within the specified S3 bucket are recorded by CloudTrail.
54. What are Lambda data events? How do I record them?
Lambda data events record the runtime activity of your Lambda functions. With Lambda data events, you can get details on Lambda function runtime. Examples of Lambda function runtime include which IAM user or service made the Invoke API call, when the call was made, and which function was applied. All Lambda data events are delivered to an S3 bucket and CloudWatch Events. You can turn on logging for Lambda data events using the CLI or CloudTrail console and select which Lambda functions get logged by creating a new trail or editing an existing trail.
55. Can I add a delegated administrator to my organization?
Yes, you can add a delegated administrator to your organization in AWS Organizations. A delegated administrator is an IAM user or role that is granted permission to perform certain management tasks within your organization.
CloudTrail now supports adding up to three delegated administrators per organization.
56. Who is the owner of an organization trail or event data store at the organizational level created by a delegated admin?
The management account will remain the owner of any organization trails or event data stores created at the organization level, regardless of whether it was created by a delegated admin account or by a management account.
57. In which Regions is delegated administrator support available?
Currently, delegated administrator support for CloudTrail is available in all Regions where AWS CloudTrail is available, except for China (Beijing, operated by Sinnet) and China (Ningxia, operated by NWCD).
58. What are CloudTrail Insights events?
CloudTrail Insights events help you identify unusual activity in your AWS accounts such as spikes in resource provisioning, bursts of AWS Identity and Access Management (IAM) actions, or gaps in periodic maintenance activity. CloudTrail Insights uses machine learning (ML) models that continually monitor CloudTrail write management events for abnormal activity.
When abnormal activity is detected, CloudTrail Insights events are shown in the console, and delivered to CloudWatch Events, your S3 bucket, and optionally to the CloudWatch Logs group. This makes it easier to create alerts and integrate them with existing event management and workflow systems.
59. What type of activity does CloudTrail Insights help identify?
CloudTrail Insights detects unusual activity by analyzing CloudTrail write management events within an AWS account and a Region. An unusual or abnormal event is defined as the volume of AWS API calls that deviates from what is expected from a previously established operating pattern or baseline. CloudTrail Insights adapts to changes in your normal operating patterns by considering time-based trends in your API calls and applying adaptive baselines as workloads change.
CloudTrail Insights can help you detect misbehaving scripts or applications. Sometimes a developer changes a script or application that begins a repeating loop or makes a large number of calls to unintended resources such as databases, data stores, or other functions. Often this behavior isn’t noticed until the month-end billing cycle when costs have increased unexpectedly or an actual outage or disruption occurs. CloudTrail Insights events can make you aware of these changes in your AWS account so that you can take corrective action quickly.
60. How does CloudTrail Insights work with other AWS services that use anomaly detection?
CloudTrail Insights identifies unusual operational activity in your AWS accounts that help you address operational issues, minimizing operational and business impact. Amazon GuardDuty focuses on improving security in your account, providing threat detection by monitoring account activity. Amazon Macie is designed to improve data protection in your account by discovering, classifying, and protecting sensitive data. These services provide complementary protections against different types of problems that could arise in your account.
61. Do I need to have CloudTrail set up in order for CloudTrail Insights to work?
Yes. CloudTrail Insights events are configured on individual trails, so you must have at least one trail set up. When you turn on CloudTrail Insights events for a trail, CloudTrail starts monitoring the write management events captured by that trail for unusual patterns. If CloudTrail Insights detects unusual activity, a CloudTrail Insights event is logged to the delivery destination specified in the trail definition.
62. What kinds of events do CloudTrail Insights monitor?
Amazon CloudTrail Insights is a feature of Amazon CloudTrail that monitors and analyzes events in your AWS account. CloudTrail Insights monitors events related to the following services:
- IAM (Identity and Access Management)
- EC2 (Elastic Compute Cloud)
- S3 (Simple Storage Service)
- VPC (Virtual Private Cloud)
- RDS (Relational Database Service)
CloudTrail Insights also monitors events related to the management of your AWS account, such as the creation or deletion of users, groups, and roles. It can also monitor API calls made to the AWS Management Console, AWS SDKs, and command line interfaces (CLIs).
63. How do I get started?
You can enable CloudTrail Insights events on individual trails in your account by using the console, the CLI, or the SDK. You can also enable CloudTrail Insights events across your organization by using an Organizational trail configured in your AWS Organizations management account. You can turn on CloudTrail Insights events by choosing the radio button in your trail definition.
64. Why should I use CloudTrail Lake?
CloudTrail Lake helps you examine incidents by querying all actions logged by CloudTrail and configuration items recorded by AWS Config. It simplifies incident logging by helping remove operational dependencies and provides tools that can help reduce your reliance on complex data process pipelines that span across teams. CloudTrail Lake does not require you to move and ingest CloudTrail logs elsewhere, which helps maintain data fidelity and decreases dealing with low-rate limits that throttle your logs. It also provides near real-time latencies as it is fine-tuned to process high-volume structured logs, making them available for incident investigation. Also, CloudTrail Lake provides a familiar, multi-attribute query experience with SQL and is capable of scheduling and handling multiple concurrent queries.
65. How does this feature relate to and work with other AWS services?
CloudTrail is the canonical source of logs for user activity and API usage across AWS services. You can use CloudTrail Lake to examine activity across AWS services once the logs are available in CloudTrail. You can query and analyze user activity and impacted resources, and use that data to address issues such as identifying bad actors and baselining permissions.
66. When do you recommend using AWS Config advanced query instead of CloudTrail Lake for querying configuration items from AWS Config?
AWS Config advanced query is recommended for customers who want to aggregate and query on current state AWS Config configuration items (CI). This helps customers with inventory management, security and operational intelligence, cost optimization, and compliance data. AWS Config advanced query is free if you are an AWS Config customer.
CloudTrail Lake supports query coverage for AWS Config configuration items, including resource configuration and compliance history. Analyzing configuration and compliance history for resources with related CloudTrail events helps infer who, when, and what changed on those resources. This helps with root-cause analysis of incidents related to security exposure or non-compliance. CloudTrail Lake is recommended if you must aggregate and query data across CloudTrail events and historical configuration items.
67. If I enable ingestion of configuration items from AWS Config today into CloudTrail Lake, will Lake ingest my historical configuration items (generated before the creation of Lake) or collect only the newly recorded configuration items?
CloudTrail Lake will not ingest AWS Config configuration items that were generated before CloudTrail Lake was configured. Newly recorded configuration items from AWS Config, at an account level or organization level, will be delivered to the specified CloudTrail Lake event data store. These configuration items will be available in the Lake for a query for the specified retention period and can be used for historical data analysis.
68. Can I always know which user made a particular configuration change by querying CloudTrail Lake?
If multiple configuration changes are attempted on a single resource by multiple users in quick succession, only one configuration item may be created that would map to the end state configuration of the resource. In this and similar scenarios, it may not be possible to provide a 100% correlation on which user made what configuration changes by querying CloudTrail and configuration items for a specific time range and resource id.
69. If I’ve used trails before, can I bring existing CloudTrail logs into my existing or new CloudTrail Lake event data store?
Yes. The CloudTrail Lake import capability supports copying CloudTrail logs from an S3 bucket that stores logs from across multiple accounts (from an organization trail) and multiple AWS Regions. You can also import logs from individual accounts and single-region trails. The import capability also lets you specify an import date range, so that you import only the subset of logs that are needed for long-term storage and analysis in CloudTrail Lake. After you’ve consolidated your logs, you can run queries on your logs, from the most recent events collected after you enabled CloudTrail Lake, to historic events brought over from your trails.
70. Does this import capability impact the original trail in S3?
The import capability copies the log information from S3 to CloudTrail Lake and keeps the original copy in S3 as is.
71. What CloudTrail events can I query after enabling the CloudTrail Lake feature?
You can enable CloudTrail Lake for any of the event categories collected by CloudTrail, depending on your internal troubleshooting needs. Event categories include management events that capture control plane activities such as CreateBucket and TerminateInstances and data events that capture data plane activities such as GetObject and PutObject. You do not need a separate trail subscription for any of these events. You can choose your event retention duration for up to seven years, and you can query that data anytime.
72. After I enable the CloudTrail Lake feature, how long do I need to wait to begin writing queries?
You can begin querying the activities that occur after enabling the feature almost immediately.
73. What are some of the common security and operational use cases that I can solve using CloudTrail Lake?
Common use cases include investigating security incidents, like unauthorized access or compromised user credentials, and enhancing your security posture by performing audits to regularly baseline user permissions. You can perform necessary audits to make sure the right set of users are making changes to your resources (such as security groups), and track any changes not adhering to your organization’s best practices. Additionally, you can track actions taken on your resources and assess modifications or deletions, and get deeper insights on your AWS services bills including the IAM users subscribing to services.
74. How do I get started?
If you are a current or new CloudTrail customer, you can immediately begin using the CloudTrail Lake capability to run queries by enabling the feature through the API or the CloudTrail console. Select the CloudTrail Lake tab on the left panel of the CloudTrail console, and select the Create Event Data Store button to choose the event retention duration (up to seven years). Then, make event selections from all event categories logged by CloudTrail (Management and Data events) to get started.
Additionally, you can use sample queries to start writing queries for common scenarios, such as identifying records of authorization failures for AssumeRole or creating your own queries to begin your search.
Log file Aggregation
75. I have multiple AWS accounts. I would like log files for all the accounts to be delivered to a single S3 bucket. Can I do that?
Yes. You can configure one S3 bucket as the destination for multiple accounts.
Integration with CloudWatch Logs
76. What is CloudTrail integration with CloudWatch Logs?
CloudTrail integration with CloudWatch Logs delivers management and data events captured by CloudTrail to a CloudWatch Logs log stream in the CloudWatch Logs log group you specify.
77. What are the benefits of CloudTrail integration with CloudWatch Logs?
This integration helps you receive SNS notifications of account activity captured by CloudTrail. For example, you can create CloudWatch alarms to monitor API calls that create, modify, and delete Security Groups and Network access control lists (ACLs).
78. How do I turn on CloudTrail integration with CloudWatch Logs?
You can turn on CloudTrail integration with CloudWatch Logs from the CloudTrail console by specifying a CloudWatch Logs log group and an IAM role. You can also use the AWS SDKs or the AWS CLI to turn on this integration.
79. What happens when I turn on CloudTrail integration with CloudWatch Logs?
After you turn on the integration, CloudTrail continually delivers account activity to a CloudWatch Logs log stream in the CloudWatch Logs log group you specified. CloudTrail also continues to deliver logs to your S3 bucket as before.
80. In which AWS Regions is CloudTrail integration with CloudWatch Logs supported?
CloudTrail integration with CloudWatch Logs is supported in all AWS Regions where CloudTrail and CloudWatch Logs are available. CloudTrail is available in all regions, while CloudWatch Logs is available in most regions.
81. How does CloudTrail deliver events containing account activity to my CloudWatch Logs?
CloudTrail assumes the IAM role you specify to deliver account activity to CloudWatch Logs. You limit the IAM role to only the permissions it requires to deliver events to your CloudWatch Logs log stream.
82. What charges do I incur once I turn on CloudTrail integration with CloudWatch Logs?
we enable CloudTrail integration with CloudWatch Logs, you will incur charges for the following:
- CloudWatch Logs: You will be charged for storing and transferring your CloudTrail logs to CloudWatch Logs.
- CloudTrail: You will be charged for the data events recorded by CloudTrail.
- Data Transfer: If you choose to transfer your CloudTrail logs to a different AWS Region, you will be charged for the data transfer.
- For details, go to the CloudWatch pricing page.
CloudTrail Log File Encryption using AWS Key Management Service (KMS)
83. What is the benefit of CloudTrail log file encryption using server-side Encryption with AWS KMS?
CloudTrail log file encryption using SSE-KMS helps you add an additional layer of security to CloudTrail log files delivered to an S3 bucket by encrypting the log files with a KMS key. By default, CloudTrail will encrypt log files delivered to your S3 bucket using S3 server-side encryption.
84. I have an application that ingests and processes CloudTrail log files. Do I need to make any changes to my application?
With SSE-KMS, S3 will automatically decrypt the log files so that you do not need to make any changes to your application. As always, you must make sure that your application has appropriate permissions such as S3 GetObject and AWS KMS Decrypt permissions.
85. How do I configure CloudTrail log file encryption?
You can use the AWS Management Console, or AWS CLI, or AWS SDKs to configure log file encryption.
86. What charges do I incur once I configure encryption using SSE-KMS?
If you configure CloudTrail log file encryption using SSE-KMS , you will incur charges for the following:
- CloudTrail: You will be charged for the data events recorded by CloudTrail.
- Key Management Service (KMS): You will be charged for the use of the KMS key that you use to encrypt your CloudTrail logs. This includes charges for key usage and key management.
CloudTrail log file Integrity Validation
87. What is CloudTrail log file integrity validation?
The CloudTrail log file integrity validation feature helps you determine whether a CloudTrail log file was unchanged, deleted, or modified since CloudTrail delivered it to the specified S3 bucket.
88. What is the benefit of the CloudTrail log file integrity validation?
The CloudTrail log file integrity validation feature allows you to verify the authenticity and integrity of your CloudTrail logs. This is beneficial because it helps you ensure that your CloudTrail logs have not been tampered with or modified in any way. With log file integrity validation, you can confidently use your CloudTrail logs for auditing and compliance purposes, knowing that the logs are reliable and trustworthy.
89. How do I enable CloudTrail log file integrity validation?
To enable CloudTrail log file integrity validation, you can follow these steps:
- Sign in to the AWS Management Console and navigate to the CloudTrail service.
- Select the trail that you want to enable log file integrity validation for.
- Under “Advanced Settings,” click the “Edit” button next to “Log file integrity validation.”
- Select the “Enable log file integrity validation” option and click “Save” to save your changes.
You can also use the CloudTrail API or the AWS CLI to enable log file integrity validation for your CloudTrail trails. For more information, see the Amazon CloudTrail documentation.
90. What happens once I turn on the log file integrity validation feature?
Once you turn on the log file integrity validation feature, CloudTrail will deliver digest files on an hourly basis. The digest files contain information about the log files that were delivered to your S3 bucket and hash values for those log files. They also contain digital signatures for the previous digest file and the digital signature for the current digest file in the S3 metadata section.
91. Where are the digest files delivered to?
The digest files are delivered to the same S3 bucket where your log files are delivered. However, they are delivered to a different folder so that you can enforce granular access control policies.
92. How can I validate the integrity of a log file or digest file delivered by CloudTrail?
You can use the AWS CLI to validate the integrity of a log file or digest file. You can also build your own tools to do the validation.
93. I aggregate all my log files across all Regions and multiple accounts into one single S3 bucket. Will the digest files be delivered to the same S3 bucket?
Yes. CloudTrail will deliver the digest files across all Regions and multiple accounts into the same S3 bucket.
AWS CloudTrail Processing Library
94. What is the AWS CloudTrail Processing Library?
The AWS CloudTrail Processing Library is a Java library that makes it easier to build an application that reads and processes CloudTrail log files. You can download the CloudTrail Processing Library from GitHub.
95. What functionality does CloudTrail Processing Library provide?
CloudTrail Processing Library provides functionality to handle tasks such as continually polling an SQS queue and reading and parsing Amazon Simple Queue Service (SQS) messages It can also download log files stored in S3, and parse and serialize log file events in a fault-tolerant manner.
96. What software do I need to start using the CloudTrail Processing Library?
You need aws-java-sdk version 1.9.3 and Java 1.7 or higher.
97. How do I get charged for CloudTrail?
CloudTrail helps you view, search, and download the last 90 days of your account’s management events for free. You can deliver one copy of your ongoing management events to S3 for free by creating a trail. Once a CloudTrail trail is set up, S3 charges apply based on your usage.
You can deliver additional copies of events, including data events, using trails. You will be charged for data events or additional copies of management events.
98. If I have only one trail with management events and apply it to all Regions, will I incur charges?
No. The first copy of management events is delivered free of charge in each Region.
99. If I enable data events on an existing trail with free management events, will I get charged?
Yes. You will be charged for only the data events. The first copy of management events is delivered free of charge.
100. How do the AWS Partner Solutions help me analyze the events recorded by CloudTrail?
Multiple partners offer integrated solutions to analyze CloudTrail log files. These solutions include features like change tracking, troubleshooting, and security analysis.
101. Will turning on CloudTrail impact the performance of my AWS resources or increase API call latency?
No. Turning on CloudTrail has no impact on the performance of your AWS resources or API call latency.