CloudTrail is AWS's auditing, compliance-monitoring and governance service. It records the API calls made in your account, whether from the console, the CLI, an SDK or another AWS service, as events that capture who made each call, from where, when, and what the result was. You can use this event history to simplify security analysis and to detect unusual activity in your account.
Using CloudTrail
CloudTrail's Event History shows the last 90 days of management events (control-plane API calls) free of charge. Keeping logs longer means creating a trail that delivers them to S3. One copy of your management events is delivered free, but you pay for the S3 storage the log files consume, and data events (as well as any additional copies of management events) are billed per 100,000 events. Still, it's relatively cheap, and it doesn't hurt to get started with it.
Event History is on by default, so you can head over to the CloudTrail console and view the latest management events in your account without setting anything up. On the home screen, you'll see the most recent events:
Under "Event History" in the sidebar, you'll be able to view the full list of events, newest first.
This is a lot of data, so you'll probably want to filter for just whatever you're looking for. If you're auditing specific employees, you can filter by user name or AWS access key, or by event name, event source, resource type or resource name, and you can narrow the search to a time range. Source IP address is not one of the lookup filters: it is present in every event's JSON, but to hunt by IP you have to read it from the event details or query the trail's log files yourself.
If you click on an event, you can view all the data collected for that event. Some are simple, like "ConsoleLogin", which records who signed in to the console, when, from which IP address, and whether the attempt succeeded. Others correspond to specific API actions and show the request parameters and response of the underlying call.
You can view the full JSON data for the event with the “View Event” button.
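The filters above are easy to reproduce offline against the log files a trail delivers, and doing so also gives you the source-IP filter the console lacks. The following is an added example, not code from the original article or from AWS: it parses a constructed CloudTrail log file (the account ID, user names, access keys, IP addresses and timestamps are all invented), applies user-name, access-key, event-name and source-IP filters, and then pulls out two simple signals of unusual activity, repeated failed console sign-ins and AccessDenied API calls.

```python
import json
from collections import Counter

ACCOUNT = "111122223333"  # constructed account ID


def _login(user, ip, outcome, when):
    """Build a constructed ConsoleLogin record in the shape CloudTrail emits."""
    rec = {"eventTime": when, "eventSource": "signin.amazonaws.com",
           "eventName": "ConsoleLogin", "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": user,
                            "arn": f"arn:aws:iam::{ACCOUNT}:user/{user}"},
           "responseElements": {"ConsoleLogin": outcome}}
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec


# Constructed sample log file: one JSON object with a "Records" list, as CloudTrail
# delivers to S3. Users, keys, IPs and timestamps are all invented.
SAMPLE_LOG = json.dumps({"Records": [
    _login("alice", "203.0.113.10", "Success", "2023-05-01T08:00:12Z"),
    _login("bob", "198.51.100.7", "Failure", "2023-05-01T08:05:44Z"),
    _login("bob", "198.51.100.7", "Failure", "2023-05-01T08:06:02Z"),
    _login("bob", "198.51.100.7", "Failure", "2023-05-01T08:06:31Z"),
    {"eventTime": "2023-05-01T09:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAEXAMPLEKEY000001",
                      "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}},
    {"eventTime": "2023-05-01T09:30:15Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000002",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/deploy-role/ci-session"}},
]})


def load_records(text):
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(text)["Records"]


def principal_name(rec):
    """Approximate the console's 'User name' column: the IAM user name, the role
    session name for an assumed role, or the identity type when neither exists."""
    ident = rec.get("userIdentity", {})
    if ident.get("userName"):
        return ident["userName"]
    if ident.get("type") == "AssumedRole":
        return ident.get("arn", "").rsplit("/", 1)[-1]
    return ident.get("type", "unknown")


def filter_events(records, username=None, access_key=None, event_name=None, source_ip=None):
    """The filters Event History offers (user name, access key, event name), plus
    source IP, which the console lookup does not offer but the JSON always carries."""
    matches = []
    for rec in records:
        if username and principal_name(rec) != username:
            continue
        if access_key and rec.get("userIdentity", {}).get("accessKeyId") != access_key:
            continue
        if event_name and rec.get("eventName") != event_name:
            continue
        if source_ip and rec.get("sourceIPAddress") != source_ip:
            continue
        matches.append(rec)
    return matches


def failed_console_logins(records):
    """Count failed console sign-ins per (user, source IP): repeated failures from
    one address against one user are a password-guessing signal."""
    return Counter(
        (principal_name(r), r.get("sourceIPAddress"))
        for r in records
        if r.get("eventName") == "ConsoleLogin"
        and r.get("responseElements", {}).get("ConsoleLogin") == "Failure")


def access_denied(records):
    """(user, API) pairs that were refused: a sign of probing or of a broken policy."""
    return [(principal_name(r), r["eventName"])
            for r in records if r.get("errorCode") == "AccessDenied"]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("bob's events:", len(filter_events(recs, username="bob")))
    print("failed logins:", dict(failed_console_logins(recs)))
    print("access denied:", access_denied(recs))
```

Note that assumed-role events carry no userName; the console shows the role session name taken from the ARN, which is what principal_name reproduces, so "filter by user" on a role-based workforce means filtering on session names.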
Creating a Trail
If you want to keep records for longer than 90 days, or to capture S3 and Lambda data events, create a trail. Keep in mind that you will pay for the S3 storage the log files consume, and that data events (and any copy of management events beyond the first free one) are charged per 100,000 events.
From "Trails" in the sidebar, create a new trail. You have the option of applying the trail to every region, which is the safe default since activity in a region you never use would otherwise go unrecorded, and, if you are in the management account of an AWS Organization, of applying it to every account in the organization. You can also select which kinds of events to log (management events, optionally limited to read-only or write-only calls), as well as enabling CloudTrail Insights for this trail.
The next section is "Data Events", which can be used to keep extended logs on S3 buckets or Lambda functions. For S3, CloudTrail will log object-level operations such as GetObject, PutObject and DeleteObject; bucket-level operations like CreateBucket or PutBucketPolicy are management events and are logged by every trail already. For Lambda, CloudTrail will log each Invoke of the selected function. You can enable this for all current and future buckets or functions, or specify individual ones by ARN. Data events are high-volume and billed per event, so it's common to scope them to the buckets that hold sensitive data.
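To make the management/data distinction concrete, and to show why object-level logging on a sensitive bucket is worth paying for, here is an added example (not code from the article or from AWS) over a constructed S3 log file. The bucket name, users, keys and IP addresses are invented. It separates the bucket-level PutBucketPolicy, which any trail records, from the object-level events that only appear with S3 data events enabled, and then flags a principal that pulled an unusual number of distinct objects in one batch, a simple bulk-download signal.

```python
import json

BUCKET = "example-customer-exports"  # constructed bucket name


def _s3(event, user, key, ip, when, category="Data"):
    """Constructed S3 record. Object-level calls carry a key and an AWS::S3::Object
    resource; bucket-level calls carry only the bucket."""
    rec = {"eventTime": when, "eventSource": "s3.amazonaws.com", "eventName": event,
           "eventCategory": category, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": user},
           "requestParameters": {"bucketName": BUCKET},
           "resources": [{"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{BUCKET}"}]}
    if key is not None:
        rec["requestParameters"]["key"] = key
        rec["resources"].insert(0, {"type": "AWS::S3::Object",
                                    "ARN": f"arn:aws:s3:::{BUCKET}/{key}"})
    return rec


# Constructed sample: one bucket-level change, one ETL write, a contractor pulling
# twelve daily exports in quick succession, and one ordinary read. All invented.
SAMPLE_LOG = json.dumps({"Records": [
    _s3("PutBucketPolicy", "alice", None, "203.0.113.10",
        "2023-05-01T09:58:00Z", category="Management"),
    _s3("PutObject", "etl-writer", "2023/05/01/part-0001.csv", "10.0.4.12",
        "2023-05-01T10:00:05Z"),
    *[_s3("GetObject", "contractor-x", f"2023/04/{day:02d}/export.csv", "198.51.100.7",
          f"2023-05-01T10:{day:02d}:00Z") for day in range(1, 13)],
    _s3("GetObject", "alice", "2023/05/01/part-0001.csv", "203.0.113.10",
        "2023-05-01T10:20:00Z"),
]})


def sample_records():
    """Parse the constructed sample file into its event records."""
    return json.loads(SAMPLE_LOG)["Records"]


def split_by_category(records):
    """Bucket-level calls such as PutBucketPolicy are management events and are logged
    by every trail; object-level calls (GetObject, PutObject, DeleteObject) are data
    events and only appear when S3 data events are enabled for that bucket."""
    management = [r["eventName"] for r in records if r.get("eventCategory") == "Management"]
    data = [r["eventName"] for r in records if r.get("eventCategory") == "Data"]
    return management, data


def bulk_readers(records, threshold):
    """Principals that read more than `threshold` distinct objects from one bucket
    in the file: a crude bulk-download signal to refine against your own baseline."""
    objects_read = {}
    for r in records:
        if r.get("eventName") != "GetObject":
            continue
        params = r.get("requestParameters", {})
        who = (r.get("userIdentity", {}).get("userName"), params.get("bucketName"))
        objects_read.setdefault(who, set()).add(params.get("key"))
    return {who: len(keys) for who, keys in objects_read.items() if len(keys) > threshold}


if __name__ == "__main__":
    recs = sample_records()
    management, data = split_by_category(recs)
    print(f"{len(management)} management event(s), {len(data)} data event(s)")
    print("bulk readers:", bulk_readers(recs, threshold=10))
```

Without data events enabled on this bucket, the only line a trail would have captured is the PutBucketPolicy; the twelve GetObject calls that make the contractor stand out would be invisible.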
Finally, you'll need a new or existing S3 bucket to receive the log files. If you let the console create the bucket, it also attaches the bucket policy that allows the cloudtrail.amazonaws.com service principal to write into it; if you bring your own bucket, you have to add that policy yourself. Turning on log file validation for the trail gives you signed digest files you can later use to show that delivered logs were not modified or deleted. The bucket's size is also the easiest way to keep track of how much data your trail is producing.
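If you supply your own bucket, the policy it needs is documented by AWS: cloudtrail.amazonaws.com must be allowed s3:GetBucketAcl on the bucket and s3:PutObject under the AWSLogs/<account-id>/ prefix, and both grants should be pinned to your trail's ARN with an aws:SourceArn condition so that another AWS account cannot point its own trail at your bucket. The following added example (not code from the article or from AWS) generates that policy for constructed bucket, account and trail names and lints an existing policy for the two conditions that are most often left out.

```python
def trail_bucket_policy(bucket, account_id, region, trail_name, prefix=""):
    """Bucket policy CloudTrail needs to deliver logs: GetBucketAcl on the bucket and
    PutObject under AWSLogs/<account>/, both pinned to this one trail's ARN."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account_id}/*",
             "Condition": {"StringEquals": {
                 "s3:x-amz-acl": "bucket-owner-full-control",
                 "aws:SourceArn": trail_arn}}},
        ],
    }


def policy_findings(policy):
    """Lint an existing trail bucket policy. Every Allow to cloudtrail.amazonaws.com
    should be pinned with aws:SourceArn (or aws:SourceAccount); without it any AWS
    account can deliver its own trail into your bucket. The PutObject grant should
    also carry the AWS-documented bucket-owner-full-control ACL condition."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal", {}).get("Service") != "cloudtrail.amazonaws.com":
            continue
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        equals = st.get("Condition", {}).get("StringEquals", {})
        sid = st.get("Sid", "<no Sid>")
        if not ({"aws:SourceArn", "aws:SourceAccount"} & set(equals)):
            findings.append(f"{sid}: not pinned to a trail or account (confused deputy)")
        if "s3:PutObject" in actions and equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append(f"{sid}: PutObject does not require bucket-owner-full-control")
    return findings


if __name__ == "__main__":
    import json
    # Constructed names: the bucket, account ID and trail do not exist.
    policy = trail_bucket_policy("example-trail-logs", "111122223333", "us-east-1", "org-trail")
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy))
```

Run policy_findings over the output of `aws s3api get-bucket-policy` for any bucket already receiving trail logs; a policy that predates the SourceArn guidance will typically produce the "confused deputy" finding.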
Log files delivered by the trail stay in your bucket until you delete them or an S3 lifecycle rule expires them; the console's Event History, by contrast, still only shows the last 90 days. With a trail, you can activate CloudTrail Insights from the "Insights" tab in the sidebar:
Insights compares the volume of write API calls (and error rates) against your account's normal baseline and raises an event when it sees an unusual spike. It can take up to 36 hours after you enable it for the first Insights events to appear, and it is billed separately per 100,000 management events analyzed. Once it has run, you'll be able to browse through the findings here.
If you want, you can also send the trail to a CloudWatch Logs log group, where metric filters and alarms can alert you in near real time on specific events such as failed console sign-ins, root account use or IAM policy changes, or ship the log files to Elasticsearch for more detailed searching.