Sunday, September 28, 2025

CloudTrail Events | Overview.

AWS CloudTrail Events - Overview.

Scope:

  • Intro,
  • Event Types,
  • Key Features,
  • The concept of CloudTrail Event (deep dive),
  • Event Categories,
  • CloudTrail Event Structure (sample JSON record Key fields),
  • Key fields of CloudTrail Event Structure,
  • Event Delivery & Retention,
  • Advanced Event Types,
  • Best Practices for Event Management,
  • Sample Scenarios,
  • Architecture,
  • Comparison table of CloudTrail Event Types,
  • Quick takeaway.

Intro:

    • AWS CloudTrail records activity in the twtech AWS account.
    • AWS CloudTrail captures actions taken by users, roles, or services as events.
    • These CloudTrail events provide a history of both API and non-API activities performed through the AWS Management Console, SDKs, and command-line tools.

Event Types

    • Management events: Provide information about control plane operations, such as creating an Amazon S3 bucket or an IAM user.
    • Data events: Provide information about resource operations (data plane), such as Amazon S3 object-level activity (e.g., GetObject, PutObject) or AWS Lambda function executions.
    • Insights events: Captured when CloudTrail detects unusual API activity patterns in the twtech account; they help twtech identify and respond to potential security or operational issues.
    • Network activity events: Recorded for actions that involve network-level resources, though these are not logged by default.
Key Features

    • Event history: The CloudTrail console offers a searchable history of management events for the last 90 days at no cost.
    • Trails: For a permanent record and to capture data events, twtech must create a "trail," which delivers event logs to an Amazon S3 bucket or Amazon CloudWatch Logs.
    • Advanced event selectors: Allow twtech to filter which events are logged to help manage costs and focus on high-value data, such as specific S3 buckets or read-only/write-only actions.
    • Multi-region and organization trails: twtech can configure trails to collect events from all regions and all accounts within an AWS Organization.
    • CloudTrail Lake: A managed data lake that lets twtech store and query activity events for up to 10 years, including events from non-AWS sources.

1. The concept of CloudTrail Event (deep dive)

  • A CloudTrail Event is a record of an API call made in the twtech AWS account.
  • CloudTrail Event contains:

    • Who made the call (identity, role, user, service).
    • When it happened (timestamp).
    • Where it came from (region, IP, AWS service).
    • What was requested (API name, parameters).
    • Result of the action (success/failure, error codes).

NB:

  •  Every API call (from Console, CLI, SDK, or AWS Service) can be captured.

2. Event Categories

CloudTrail splits events into three categories:

1. Management Events (a.k.a. Control Plane)

    • Default type collected.
    • Capture configuration or management operations.
    • Examples:
      • CreateBucket (S3)
      • RunInstances (EC2)
      • CreateUser (IAM)
    • Excludes data-plane activity (e.g., uploading a file).

2. Data Events (a.k.a. Data Plane)

    • Capture resource-level operations, usually high-volume.
    • Examples:
      • S3 GetObject, PutObject, DeleteObject.
      • Lambda InvokeFunction.
      • DynamoDB PutItem, GetItem.
    • Disabled by default (to avoid excessive logging cost).

3. Insight Events

    • Capture anomalous patterns in management events.
    • Use machine learning to detect:
      • API call volume anomalies (spikes/drops).
      • Error rate anomalies (sudden surge in AccessDenied or throttling errors).
    • Examples:
      • A sudden spike in ConsoleLogin attempts.
      • Unusual number of TerminateInstances calls.

3. CloudTrail Event Structure (sample JSON record, key fields):

# json

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "userName": "twtechuser-pat"
  },
  "eventTime": "2025-09-27T21:22:48Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "twtechStartInstances",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "203.0.113.25",
  "userAgent": "aws-cli/2.11.0",
  "requestParameters": {
    "instancesSet": {
      "items": ["i-1234567890abcdef0"]
    }
  },
  "responseElements": {
    "instancesSet": { "items": [...] }
  },
  "requestID": "twtech-requestid-1234",
  "eventID": "twtech-eventid-9876",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "accountID"
}

Key fields of CloudTrail Event Structure:

    • userIdentity – who made the call.
    • eventSource – AWS service (e.g., s3.amazonaws.com).
    • eventName – API action.
    • requestParameters / responseElements – input/output.
    • readOnly – whether it modified a resource.
    • eventType – e.g., AwsApiCall, AwsServiceEvent.
    • errorCode / errorMessage – failure details.

4. Event Delivery & Retention

    • Event History (Management Events only) – 90 days in the console.
    • Trails – Store events in:
      • S3 (long-term archive).
      • CloudWatch Logs (real-time monitoring).
      • EventBridge (trigger automation).
    • CloudTrail Lake – Queryable storage (up to 7 years).

5. Advanced Event Types

    • Service Events – AWS services generate internal events (e.g., AWSHealth, CloudFormation StackUpdate).
    • Global Events – For global services (IAM, STS, CloudFront). Recorded in all regions.
    • Console Login Events – Capture ConsoleLogin success/failure with MFA context.
    • Delegated Access Events – Capture activity from STS-assumed roles or federated users.

6. Best Practices for Event Management

    1. Enable both Management & Data Events for critical resources (S3, Lambda, DynamoDB).
    2. Filter Data Events to specific buckets/functions (avoid cost explosions).
    3. Enable Insight Events to detect anomalies.
    4. Send events to CloudWatch Logs for real-time alarms (e.g., failed root login).
    5. Use EventBridge rules for auto-remediation (e.g., disable a compromised IAM key).
    6. Query in Athena / CloudTrail Lake for investigations.
    7. Validate integrity with log file validation (SHA-256 + digest files).

7. Sample Scenarios

    • Security Incident: Who deleted an IAM user? (Check Management Event DeleteUser).
    • Data Breach: Who downloaded objects from an S3 bucket? (Check Data Event GetObject).
    • Anomaly: Why so many AccessDenied errors in a short window? (Insight Event).
    • Compliance Audit: Prove MFA was used for logins (Console Login Event + MFA context).
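As an added example (not part of the original post), the Python below walks the key fields listed earlier (userIdentity, eventSource, eventName, requestParameters, errorCode) over a few constructed CloudTrail-style records and answers the sample scenarios: who deleted an IAM user, who downloaded an S3 object, which root console logins failed without MFA, and whether any caller produced an AccessDenied burst. The record builder, the identities, bucket names, account id and the burst threshold are assumptions; responseElements.ConsoleLogin and additionalEventData.MFAUsed are the fields CloudTrail writes on ConsoleLogin events, which the post mentions but does not show.

```python
from datetime import datetime, timedelta

def rec(event_time, source, name, identity, **extra):
    """Build a minimal CloudTrail-style record (constructed sample, not real account data)."""
    return {"eventTime": event_time, "eventSource": source, "eventName": name, "userIdentity": identity, **extra}

# Constructed sample: one management event, one data event, one root console login, one AccessDenied burst.
SAMPLE = [
    rec("2025-09-27T21:20:00Z", "iam.amazonaws.com", "DeleteUser",
        {"type": "IAMUser", "userName": "twtechuser-pat"}, requestParameters={"userName": "contractor-1"}),
    rec("2025-09-27T21:21:00Z", "s3.amazonaws.com", "GetObject",
        {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Analyst/kim"},
        requestParameters={"bucketName": "twtech-payroll", "key": "2025/q3.csv"}),
    rec("2025-09-27T21:22:00Z", "signin.amazonaws.com", "ConsoleLogin", {"type": "Root"},
        responseElements={"ConsoleLogin": "Failure"}, additionalEventData={"MFAUsed": "No"}),
] + [
    rec(f"2025-09-27T21:23:{sec:02d}Z", "ec2.amazonaws.com", "DescribeInstances",
        {"type": "IAMUser", "userName": "svc-scanner"}, errorCode="AccessDenied")
    for sec in range(0, 60, 5)  # 12 denials inside one minute
]

def actor(record):
    """The userIdentity key field: user name for IAM users, the session ARN for assumed roles, else the type."""
    ident = record["userIdentity"]
    return ident.get("userName") or ident.get("arn") or ident.get("type")

def who_did(records, source, name):
    """Attribute an API action (eventSource + eventName) to its callers, e.g. DeleteUser or GetObject."""
    return [(actor(r), r.get("requestParameters", {}))
            for r in records if r["eventSource"] == source and r["eventName"] == name]

def root_console_failures_without_mfa(records):
    """ConsoleLogin events by the root user that failed and carried no MFA context."""
    return [r["eventTime"] for r in records
            if r["eventName"] == "ConsoleLogin" and r["userIdentity"].get("type") == "Root"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]

def access_denied_burst(records, window=timedelta(minutes=1), threshold=10):
    """Callers with more than `threshold` AccessDenied errors inside any `window` (a crude stand-in for Insights)."""
    per_actor = {}
    for r in records:
        if r.get("errorCode") == "AccessDenied":
            per_actor.setdefault(actor(r), []).append(datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for who, stamps in per_actor.items():
        stamps.sort()
        peak = max(sum(1 for t in stamps[i:] if t - start <= window) for i, start in enumerate(stamps))
        if peak > threshold:
            flagged[who] = peak
    return flagged
```

On a real trail, replace SAMPLE with the "Records" array of a CloudTrail log file read from S3; the functions only rely on the fields named above.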
Architecture

Comparison table of CloudTrail Event Types.

| Feature | Management Events | Data Events | Insight Events |
| --- | --- | --- | --- |
| Purpose | Capture control plane actions (resource creation, deletion, modification). | Capture data plane actions (accessing/using resource contents). | Detect anomalous API activity (spikes, errors). |
| Examples | CreateBucket, RunInstances, AttachRolePolicy, DeleteUser | GetObject (S3), PutObject (S3), InvokeFunction (Lambda), GetItem (DynamoDB) | Sudden spike in ConsoleLogin failures, unusual surge in TerminateInstances calls |
| Default Enabled? | ✅ Yes (always recorded in Event History – 90 days) | ❌ No (must explicitly enable, can be high-volume/costly) | ❌ No (must explicitly enable) |
| Volume | Low to medium | Very high (can generate millions of events in busy workloads) | Low (only when anomalies detected) |
| Use Cases | Security audits, compliance, forensics, operational troubleshooting | Data access auditing, sensitive data monitoring, insider threat detection | Detect abnormal API usage, brute-force attempts, error spikes |
| Retention | 90 days in Event History (longer if delivered to S3/CloudTrail Lake) | Only if explicitly configured (S3/CloudTrail Lake) | Stored in CloudTrail Lake (if enabled) |
| Cost Impact | Low (included by default) | Higher (charged per 100,000 events logged) | Low (charged per event recorded) |

twtech Quick takeaway:

    • Management = “What happened to resources”
    • Data = “Who accessed/used the data”
    • Insight = “Was the activity normal or suspicious?”


