AWS CloudTrail
Audit AWS account activity with CloudTrail.
Create Trail
Create organization trail
aws cloudtrail create-trail
--name org-audit-trail
--s3-bucket-name audit-logs-bucket
--is-organization-trail
--is-multi-region-trail
--enable-log-file-validation
--kms-key-id arn:aws:kms:...
Start logging
aws cloudtrail start-logging --name org-audit-trail
Event Selectors
Log all management and data events
aws cloudtrail put-event-selectors
--trail-name org-audit-trail
--event-selectors '[{
"ReadWriteType": "All",
"IncludeManagementEvents": true,
"DataResources": [{
"Type": "AWS::S3::Object",
"Values": ["arn:aws:s3:::sensitive-bucket/"]
}]
}]'
CloudTrail Lake
-- Query events SELECT eventTime, userIdentity.userName, eventName, sourceIPAddress FROM cloudtrail_logs WHERE eventTime > '2024-01-01' AND eventName LIKE '%Delete%' ORDER BY eventTime DESC LIMIT 100
Best Practices
-
Organization-wide trails
-
Enable log file validation
-
Encrypt with KMS
-
CloudWatch Logs integration
-
Event alerting