CloudTrail
💡 Definition
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. It records API calls and related events made by an IAM user, role, or an AWS service in your account.
🔑 Key Concepts
- API Call Logging: Records virtually all actions taken by a user, role, or AWS service (console, CLI, SDK).
- Event History: Provides a 90-day history of events in the CloudTrail console.
- Trails: A configuration that enables CloudTrail to deliver log files of events to an S3 bucket for long-term storage, analysis, and processing.
- Management Events: Actions performed on resources (e.g., creating an EC2 instance).
- Data Events: High-volume events, like S3 object-level API activity or Lambda function invocations.
⚙️ How it Works
- Automatic Activation: CloudTrail is enabled on your AWS account when you create it.
- Log Events: Records events and delivers them to the CloudTrail console (Event history) or to an S3 bucket (via a Trail).
- Audit: Use the logs to answer "who did what, when, where, and how."
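As an added example (not code from the original page or from AWS), the script below answers the "who did what, when, where, and how" questions over a small CloudTrail log file. The record layout follows CloudTrail's real JSON format (a top-level "Records" array with eventTime, eventSource, eventName, userIdentity, sourceIPAddress, userAgent, managementEvent, readOnly), but the events, account names and IP addresses are constructed sample data; the helper names (load_records, who, how, summarize, audit_findings) and the TRAIL_TAMPERING set are this example's own choices. It also separates management events from data events and flags two things an auditor looks at first: calls that stop or alter the trail itself, and console logins made without MFA.

```python
import json

# Constructed sample log file in CloudTrail's {"Records": [...]} layout.
# Field names are CloudTrail's; the values are made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:12:45Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "managementEvent": True, "readOnly": False},
    {"eventTime": "2024-05-01T09:20:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "eventType": "AwsApiCall",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "managementEvent": True, "readOnly": False},
    {"eventTime": "2024-05-01T10:05:31Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventType": "AwsApiCall",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-sdk-java/1.12.0",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "ReportRole"}}},
     "managementEvent": False, "readOnly": True},
    {"eventTime": "2024-05-01T23:41:09Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "eventType": "AwsApiCall",
     "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.44",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "managementEvent": True, "readOnly": False},
]})

# CloudTrail API actions that disable or reconfigure logging. A defender
# alerts on these because they blind the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def load_records(text):
    """Parse one CloudTrail log file (JSON object with a Records array)."""
    return json.loads(text)["Records"]


def who(record):
    """Resolve the principal; the shape of userIdentity depends on its type."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "IAMUser":
        return ident.get("userName", "?")
    if kind == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return f"{issuer.get('userName', '?')} (assumed role)"
    if kind == "Root":
        return "root"
    return kind or "unknown"


def how(record):
    """Classify the access path (console, CLI, SDK) from user agent / event type."""
    if record.get("eventType") == "AwsConsoleSignIn":
        return "console"
    ua = record.get("userAgent", "")
    if ua.startswith("aws-cli"):
        return "cli"
    if ua.startswith("aws-sdk") or ua.startswith("Boto3"):
        return "sdk"
    if "console.amazonaws.com" in ua:
        return "console"
    return "other"


def summarize(record):
    """The audit questions for one event, plus its management/data category."""
    return {
        "who": who(record),
        "what": f"{record['eventSource']}:{record['eventName']}",
        "when": record["eventTime"],
        "where": f"{record.get('awsRegion')} from {record.get('sourceIPAddress')}",
        "how": how(record),
        "category": "management" if record.get("managementEvent") else "data",
    }


def audit_findings(records):
    """Events a reviewer should look at first: trail tampering, logins without MFA."""
    findings = []
    for r in records:
        s = summarize(r)
        if r["eventName"] in TRAIL_TAMPERING:
            findings.append(f"trail tampering: {s['who']} called {r['eventName']} at {s['when']}")
        if r["eventName"] == "ConsoleLogin" and \
                r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(f"console login without MFA: {s['who']} at {s['when']}")
    return findings


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for r in recs:
        print(summarize(r))
    for f in audit_findings(recs):
        print("FINDING:", f)
```

In a real account the same functions would run over the gzipped JSON files a Trail delivers to S3; the point of the example is that every record already carries the who (userIdentity), what (eventSource/eventName), when (eventTime), where (awsRegion/sourceIPAddress) and how (userAgent) that the audit question asks for.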
🎯 Use Cases
- Security Analysis: Investigating unauthorized access or changes.
- Compliance: Demonstrating adherence to regulatory requirements (e.g., by providing audit trails).
- Operational Troubleshooting: Identifying the source of an issue or misconfiguration.
- Resource Tracking: Keeping a detailed record of resource creation, modification, and deletion.
💰 Pricing Model
- Management Events: Logging for management events is usually free for a single trail per Region.
- Data Events: Logging for data events (e.g., S3 object access) incurs charges.
- S3 Storage: You pay for the S3 storage of log files.
📝 Exam Tips (CLF-C02)
- CloudTrail is for auditing and governance ("who did what").
- Logs API calls.
- Enabled by default, but creating a "Trail" is needed for long-term storage and delivery to S3.
- Often used in conjunction with CloudWatch (CloudWatch can create alarms based on CloudTrail logs).
See Also:
- CloudWatch
- IAM
- S3