AWS CloudTrail Insights - Deep Dive.
Scope:
- Intro,
- Core Capabilities,
- Key Features,
- Getting Started,
- Links to official documentation,
- The Concept of CloudTrail Insights (deep dive),
- What Insights Monitors,
- Types of Insight Events,
- Event Lifecycle,
- Architecture,
- Sample Insight Event (JSON),
- Key fields of Insight Event (JSON),
- Enabling Insights,
- Pricing,
- Use Cases,
- Best Practices,
- Quick takeaway.
Intro:
- AWS CloudTrail Insights helps twtech identify and respond to unusual operational activity in its AWS accounts.
- AWS CloudTrail Insights helps twtech detect anomalies in API call rates and error rates.
- AWS CloudTrail Insights establishes a baseline of normal behavior and generates an Insights event when it detects significant deviations.
- Anomalous Activity Detection: Automatically identifies spikes in resource provisioning, bursts of IAM activity, or gaps in periodic maintenance.
- Event Coverage: Analyzes both management events (e.g., control plane actions) and data events (e.g., S3 object-level activity or Lambda invocations).
- Insight Types:
- ApiCallRateInsight: Detects unusual surges in the volume of API calls.
- ApiErrorRateInsight: Identifies increased rates of failed API calls resulting in error codes.
- Automated Baselines: Continuously analyzes historical event data to define what "normal" looks like for twtech's specific account usage.
- Dashboard Visualization: View insights directly in the CloudTrail console dashboard to quickly spot trends and anomalies.
- Integration: Delivers events to S3 buckets, Amazon CloudWatch Events, and optionally CloudWatch Logs for automated alerting.
- Multi-Region Support: Insights are generated in the same region where the underlying anomalous management or data event occurred.
- Enable Insights: twtech must explicitly enable Insights on its trail or event data store via the AWS Management Console or AWS CLI.
- Learning Period: It can take up to 36 hours for the first insights to appear as CloudTrail establishes a baseline.
- Pricing: twtech is charged based on the volume of management and data events analyzed.
- Review the AWS CloudTrail Pricing page for specific costs.
Links to official documentation:
- https://aws.amazon.com/cloudtrail/pricing/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/insights-events-CLI-enable.html
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/insights-events-enable.html
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-insights-events-console.html
1. The Concept of CloudTrail Insights (deep dive)
- CloudTrail Insights is an add-on feature of CloudTrail that automatically detects unusual API activity in twtech's AWS environment.
- CloudTrail Insights uses statistical baselining + anomaly detection to highlight operational or security anomalies without twtech needing to write custom rules.
👉NB:
- Think of it as “CloudTrail with anomaly detection for Management Events”.
2. What Insights Monitors
CloudTrail Insights focuses on Management Events only (not Data Events).
It looks for “rate anomalies” such as:
- Write API Calls
- Sudden spikes/drops in the frequency of operations like RunInstances, CreateUser, PutBucketPolicy.
- Error API Calls
- Abnormal increase in error rates (e.g., many AccessDenied errors, throttling, or failed login attempts).
3. Types of Insight Events
CloudTrail generates Insight Events when it detects anomalies:
- Rate-based anomalies
- Example: A sudden spike in ConsoleLogin attempts from multiple IPs.
- Error-based anomalies
- Example: A burst of AccessDenied or ThrottlingException errors.
4. Event Lifecycle
Here’s how an Insight Event flows:
- Baseline Creation
- CloudTrail monitors normal API usage patterns (per region, per account).
- Anomaly Detection
- If activity deviates significantly from the baseline → anomaly flagged.
- Insight Event Generation
- CloudTrail creates a JSON Insight Event.
- Example: An event showing unusually high StartInstances calls.
- Delivery
- Stored in the same trail as other events.
- Delivered to S3, CloudWatch Logs, EventBridge for action.
5. Sample Insight Event (JSON)
# json
{
  "eventVersion": "1.08",
  "eventTime": "2025-09-27T18:45:12Z",
  "eventType": "AwsCloudTrailInsight",
  "insightDetails": {
    "state": "Start",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "twtechStartInstances",
    "insightType": "ApiCallRateInsight",
    "baseline": { "average": 2.0 },
    "insightContext": {
      "statistics": { "baseline": 2.0, "insight": 15.0 }
    }
  },
  "recipientAccountId": "accountID",
  "region": "us-east-2"
}
# Key fields of Insight Event (JSON):
- insightType – ApiCallRateInsight or ApiErrorRateInsight.
- baseline – historical average.
- insightContext – actual observed deviation.
- state – Start (anomaly begins) or End (anomaly resolved).
6. Enabling Insights
- Must be explicitly enabled per trail.
- Can be turned on for:
- All management events, or
- Write-only management events.
- Events are recorded per region.
7. Pricing
- Charged per 100,000 Insight Events analyzed.
- Low-volume compared to Data Events, so cost is usually small.
8. Use Cases
- Security Detection
- Spike in ConsoleLogin failures → brute-force attempt.
- Surge in IAM CreateUser → suspicious activity.
- Operational Monitoring
- Sudden spike in EC2 TerminateInstances → automation error.
- Surge in PutBucketPolicy → possible misconfigured IaC pipeline.
- Compliance & Governance
- Track unusual API activity that may violate policies.
9. Best Practices
- Enable Insights in all org accounts (via Organization Trails).
- Send to EventBridge → trigger automation (e.g., disable an IAM user, send Slack alert).
- Integrate with CloudWatch Alarms → real-time alerts for anomaly detection.
- Correlate with GuardDuty & Security Hub → combine anomaly + threat detection.
- Review baselines periodically → normal behavior evolves over time.
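Putting sections 5 and 9 together, here is an added example (not from this post or from AWS) of an EventBridge-triggered handler that reads the key fields of an Insight Event in the simplified shape shown above, grades the deviation from baseline, and opens or closes an alert depending on the Start/End state. The severity thresholds, the PLAYBOOKS table and the sample event are constructed for illustration; the detail-type string is the one CloudTrail uses for Insights events on EventBridge (assumed here).

```python
# Constructed sample in the simplified Insight event shape from section 5
# (field names from the post; account ID and timestamp are placeholders).
SAMPLE_INSIGHT = {
    "eventVersion": "1.08",
    "eventTime": "2025-09-27T18:45:12Z",
    "eventType": "AwsCloudTrailInsight",
    "insightDetails": {
        "state": "Start",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "insightType": "ApiCallRateInsight",
        "baseline": {"average": 2.0},
        "insightContext": {"statistics": {"baseline": 2.0, "insight": 15.0}},
    },
    "recipientAccountId": "111122223333",
    "region": "us-east-2",
}

# Hypothetical playbook table: maps the APIs the post calls out to a response owner.
PLAYBOOKS = {
    ("iam.amazonaws.com", "CreateUser"): "security: review newly created principals",
    ("signin.amazonaws.com", "ConsoleLogin"): "security: check for brute-force attempt",
    ("ec2.amazonaws.com", "TerminateInstances"): "ops: check automation for errors",
    ("s3.amazonaws.com", "PutBucketPolicy"): "ops: check IaC pipeline configuration",
}

def triage(insight_event):
    """Extract the key fields and grade how far the observed rate is from baseline."""
    d = insight_event["insightDetails"]
    stats = d["insightContext"]["statistics"]
    baseline, observed = float(stats["baseline"]), float(stats["insight"])
    # A zero baseline means no history for this API: treat as unbounded deviation.
    ratio = observed / baseline if baseline > 0 else float("inf")
    severity = "high" if ratio >= 5 else "medium" if ratio >= 2 else "low"  # assumed thresholds
    if d["insightType"] == "ApiErrorRateInsight":
        severity = "high"  # error bursts (AccessDenied, throttling) get immediate attention
    return {
        "account": insight_event["recipientAccountId"],
        "region": insight_event["region"],
        "api": f'{d["eventSource"]}:{d["eventName"]}',
        "type": d["insightType"], "state": d["state"],
        "ratio": round(ratio, 2), "severity": severity,
        "playbook": PLAYBOOKS.get((d["eventSource"], d["eventName"]), "review manually"),
    }

def handler(event, context=None):
    """EventBridge entry point: the Insight event arrives under the 'detail' key."""
    if event.get("detail-type") != "AWS Insight via CloudTrail":
        return {"action": "ignore"}
    result = triage(event["detail"])
    # Start opens an alert; the matching End closes it so on-call is not paged twice.
    result["action"] = "open_alert" if result["state"] == "Start" else "close_alert"
    return result
```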
twtech-Quick takeaway:
- Management Events tell you what happened.
- Data Events tell you who accessed the data.
- Insight Events tell you whether the activity was normal.