Sunday, September 28, 2025

AWS CloudTrail | Overview & Hands-On.

Scope:

  • The Concept of AWS CloudTrail,
  • Core Concepts (Terminology),
  • CloudTrail Lifecycle & Flow,
  • CloudTrail Architecture,
  • Key Integrations,
  • Best Practices,
  • Sample Use Cases,
  • Project: Hands-On.

1. The Concept of AWS CloudTrail.

    • AWS CloudTrail is a logging and auditing service.
    • AWS CloudTrail records API calls and account activity across AWS.
    • AWS CloudTrail helps twtech with security, compliance, operational troubleshooting, and governance by answering the following questions about any activity:

      • Who made the request?
      • When was it made?
      • From where (IP, region)?
      • What resources were affected?
      • What was the outcome (success/failure)?

 NB:

Think of AWS CloudTrail as the “black box recorder” for twtech AWS environment.

 2. Core Concepts (Terminology)

    • Events – Log entries of AWS API activity. Two types:
      • Management Events – Operations on resources (e.g., CreateBucket, RunInstances).
      • Data Events – Access to resource data (e.g., GetObject in S3, InvokeFunction in Lambda).
    • Trails – Configurations that define what events to capture, where to deliver them (S3, CloudWatch Logs, EventBridge).
    • Event History – Default 90-day history of management events, available without setting up a trail.
    • Insight Events – Detect unusual API usage patterns (e.g., anomalous logins, spikes in resource creation).

 3. CloudTrail Lifecycle & Flow

Here’s how CloudTrail works step by step:

  1. User/Service Action
    • Any AWS API call (via console, CLI, SDK, or service-to-service).
  2. Event Capture
    • CloudTrail automatically records this event.
  3. Event Processing
    • Events are categorized (Management / Data / Insight).
    • Enriched with metadata (region, identity, source IP, request parameters).
  4. Event Delivery
    • Event History – 90-day default retention.
    • S3 Buckets – Long-term storage & archiving.
    • CloudWatch Logs – Real-time monitoring & alerting.
    • EventBridge – Event-driven automation & remediation.
  5. Event Analysis
    • Search in CloudTrail Console / Lake.
    • Query with Athena (SQL on S3).
    • Feed into SIEM/SOAR tools for compliance/security.

 4. CloudTrail Architecture

  • Sources: AWS Services, IAM Users, Roles, Federated Identities.
  • CloudTrail Core: Event recording, enrichment, log file integrity validation.
  • Destinations:
    • S3 (long-term log storage, auditing, replay).
    • CloudWatch Logs (real-time monitoring, alarms).
    • EventBridge (automation workflows).
  • Analytics:
    • CloudTrail Lake – Managed data lake for event querying (7 years retention).
    • Athena – SQL queries on S3 logs.
    • OpenSearch / Splunk / ELK – external SIEM analysis.

5. Key Integrations

    • CloudWatch Alarms – Alert on suspicious activity (e.g., root login).
    • EventBridge Rules – Auto-remediation (e.g., disable a public S3 bucket).
    • AWS Config – Track compliance drift.
    • Security Hub & GuardDuty – Threat detection & compliance checks.
    • Macie – Data security on S3 logs.
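The EventBridge integration above works by matching each CloudTrail event against rule event patterns. The following added example (not code from the original post) implements the literal-value subset of EventBridge pattern matching in plain Python and runs two defender-style rules over constructed events: an alert on any root console login, and a remediation trigger on calls that change who can read a bucket. The event shapes follow what EventBridge delivers for CloudTrail (record under `detail`); account IDs, IPs and bucket names are placeholders, and prefix/anything-but/numeric matchers are deliberately not implemented.

```python
from __future__ import annotations

# Constructed events in the shape EventBridge receives from CloudTrail: the
# CloudTrail record sits under "detail"; "source" and "detail-type" identify it.
# Account IDs, IP addresses and bucket names are placeholders.
ROOT_CONSOLE_LOGIN = {
    "source": "aws.signin",
    "detail-type": "AWS Console Sign In via CloudTrail",
    "region": "us-east-1",
    "detail": {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "accountId": "111122223333"},
        "sourceIPAddress": "203.0.113.10",
        "responseElements": {"ConsoleLogin": "Success"},
    },
}
USER_PUT_BUCKET_ACL = {
    "source": "aws.s3",
    "detail-type": "AWS API Call via CloudTrail",
    "region": "us-east-2",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketAcl",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333"},
        "requestParameters": {"bucketName": "example-app-data"},
    },
}
USER_GET_OBJECT = {
    "source": "aws.s3",
    "detail-type": "AWS API Call via CloudTrail",
    "region": "us-east-2",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333"},
        "requestParameters": {"bucketName": "example-app-data", "key": "report.csv"},
    },
}

# Hypothetical rules, written in EventBridge pattern syntax: every key must be
# present in the event, a list holds the allowed literal values, a nested
# object recurses into the corresponding nested field.
RULES = {
    # CloudWatch-alarm-style alert: any console sign-in by the root user.
    "alert-root-console-login": {
        "source": ["aws.signin"],
        "detail-type": ["AWS Console Sign In via CloudTrail"],
        "detail": {"userIdentity": {"type": ["Root"]}},
    },
    # Auto-remediation trigger: calls that can expose a bucket's contents.
    "remediate-bucket-access-change": {
        "source": ["aws.s3"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventName": ["PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy"]},
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """Literal-value subset of EventBridge matching (no prefix/anything-but/numeric)."""
    for key, expected in pattern.items():
        if key not in event:
            return False  # a pattern field missing from the event never matches
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:
            # If the event value is itself an array, any element may match.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
    return True


def route(event: dict, rules: dict | None = None) -> list[str]:
    """Names of all rules whose pattern matches the event (EventBridge fans out to each)."""
    return [name for name, pattern in (rules or RULES).items() if matches(pattern, event)]


if __name__ == "__main__":
    for name, ev in [("root login", ROOT_CONSOLE_LOGIN), ("PutBucketAcl", USER_PUT_BUCKET_ACL),
                     ("GetObject", USER_GET_OBJECT)]:
        print(f"{name:>13}: matched rules -> {route(ev)}")
```

The same patterns, pasted into an EventBridge rule, would route the root sign-in to an SNS alert and the bucket ACL change to a remediation Lambda; the point of the local matcher is to unit-test a rule against captured events before deploying it.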

 6. Best Practices

    1. Enable CloudTrail in All Regions – Avoid missing global API calls.
    2. Use Organization Trails – Centralize logs in multi-account setups.
    3. Enable Log File Validation – Detect tampering.
    4. Encrypt with SSE-KMS – Protect logs at rest.
    5. Send to Central S3 Bucket (logging account) – Isolate and secure.
    6. Integrate with CloudWatch + EventBridge – For real-time detection.
    7. Use CloudTrail Lake – Simplify querying and compliance retention.
    8. Limit Access – Apply least privilege IAM policies.
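Most of the checklist above can be verified from a trail's configuration. The following added example (not code from the original post) audits `describe_trails()` and `get_trail_status()` output against best practices 1 to 4 and 6, plus whether the trail is actually logging and whether global service events (IAM, STS, CloudFront) are captured. The field names are the CloudTrail API's; the two trails, ARNs and key IDs are constructed placeholders, and `fetch_live` is a hypothetical helper that takes a boto3 CloudTrail client supplied by the caller.

```python
from __future__ import annotations
from typing import Callable

# Constructed describe_trails()/get_trail_status() responses for two
# hypothetical trails. Field names follow the CloudTrail API; the account ID,
# ARNs and KMS key ID are placeholders.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "S3BucketName": "central-cloudtrail-logs",
        "IncludeGlobalServiceEvents": True,
        "IsMultiRegionTrail": True,
        "HomeRegion": "us-east-1",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
        "LogFileValidationEnabled": True,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*",
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
        "IsOrganizationTrail": True,
    },
    {
        "Name": "quick-trail",
        "S3BucketName": "dev-bucket",
        "IncludeGlobalServiceEvents": False,
        "IsMultiRegionTrail": False,
        "HomeRegion": "us-east-2",
        "TrailARN": "arn:aws:cloudtrail:us-east-2:111122223333:trail/quick-trail",
        "LogFileValidationEnabled": False,
        "IsOrganizationTrail": False,
    },
]
SAMPLE_STATUS = {"org-trail": {"IsLogging": True}, "quick-trail": {"IsLogging": False}}

# (check id, predicate over (trail, status), best practice it enforces)
CHECKS: list[tuple[str, Callable[[dict, dict], bool], str]] = [
    ("logging", lambda t, s: bool(s.get("IsLogging", False)), "Trail is actively logging"),
    ("multi-region", lambda t, s: bool(t.get("IsMultiRegionTrail", False)), "Enable CloudTrail in all regions"),
    ("global-events", lambda t, s: bool(t.get("IncludeGlobalServiceEvents", False)), "Capture global service events (IAM, STS, CloudFront)"),
    ("org-trail", lambda t, s: bool(t.get("IsOrganizationTrail", False)), "Use an organization trail"),
    ("log-validation", lambda t, s: bool(t.get("LogFileValidationEnabled", False)), "Enable log file validation"),
    ("kms", lambda t, s: bool(t.get("KmsKeyId")), "Encrypt with SSE-KMS"),
    ("cloudwatch", lambda t, s: bool(t.get("CloudWatchLogsLogGroupArn")), "Integrate with CloudWatch Logs"),
]
DESCRIPTIONS = {cid: desc for cid, _, desc in CHECKS}


def audit_trail(trail: dict, status: dict) -> list[str]:
    """IDs of the checks this trail fails, in checklist order."""
    return [cid for cid, ok, _ in CHECKS if not ok(trail, status)]


def audit_account(trails: list[dict], statuses: dict[str, dict]) -> dict[str, list[str]]:
    """Map trail name -> failed check IDs; a trail with no status entry counts as not logging."""
    return {t["Name"]: audit_trail(t, statuses.get(t["Name"], {})) for t in trails}


def fetch_live(client) -> tuple[list[dict], dict[str, dict]]:
    """Hypothetical helper: pull real inputs from a boto3 CloudTrail client passed in by the caller."""
    trails = client.describe_trails()["trailList"]
    statuses = {t["Name"]: client.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return trails, statuses


def report(results: dict[str, list[str]]) -> str:
    lines = []
    for name, failed in results.items():
        lines.append(f"{name}: {'OK' if not failed else 'FAIL'}")
        lines.extend(f"  - {cid}: {DESCRIPTIONS[cid]}" for cid in failed)
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline run over the constructed data; for a real account replace the
    # arguments with fetch_live(boto3.client("cloudtrail")).
    print(report(audit_account(SAMPLE_TRAILS, SAMPLE_STATUS)))
```

Practices 5 and 8 (central logging-account bucket, least-privilege access) are properties of the bucket policy and IAM policies rather than of the trail, so they need a separate check against those resources.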

 7. Sample Use Cases

    • Security Forensics – Who deleted a production database?
    • Compliance – PCI-DSS, HIPAA, GDPR auditing.
    • Operational Troubleshooting – Why did an EC2 instance terminate?
    • Anomaly Detection – Detect unusual activity with Insight Events.
    • Automation – Automatically quarantine an IAM user after suspicious behavior.

Project: Hands-On

  • How twtech uses CloudTrail to record API calls and account activity (all API calls made on the accounts) across AWS.

Search for the AWS service: CloudTrail

  • Check Event History from the menu panel.

  • Go to the EC2 console in another window (to start an instance), then monitor the events in CloudTrail.

From: stopped state

  • Start the instance to: running state.

  • Wait a couple of minutes (about 5 mins), then verify that the new event appears in CloudTrail.

Yes,

The event is recorded in CloudTrail as: StartInstances.

How twtech gets the full details of an event in CloudTrail.

  • Select the event in CloudTrail and open it: StartInstances

Details:

Resources referenced (1)

  • Resources referenced describes the name or ID of the resources that were read or changed by an event.

# twtech-sample-event-record: JSON view

{
    "eventVersion": "1.10",
    "userIdentity": {
        "type": "Root",
        "principalId": "98xxxxxxxxxx",
        "arn": "arn:aws:iam::98xxxxxxxxx:root",
        "accountId": "98xxxxxxxxxx",
        "accessKeyId": "SIA6IY35xxxxxxxxxx",
        "userName": "twtechpat",
        "sessionContext": {
            "attributes": {
                "creationDate": "2025-09-28T11:39:02Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2025-09-28T17:35:30Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StartInstances",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "75.xx.xxx.xxx",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36",
    "requestParameters": {
        "instancesSet": {
            "items": [
                {
                    "instanceId": "i-02609axxxxxxxxx"
                }
            ]
        }
    },
    "responseElements": {
        "requestId": "c5564ad-xxxxxxxxxxx-xxxxxxxx-xxxx",
        "instancesSet": {
            "items": [
                {
                    "instanceId": "i-02609axxxxxxxxxxx",
                    "currentState": {
                        "code": 0,
                        "name": "pending"
                    },
                    "previousState": {
                        "code": 80,
                        "name": "stopped"
                    }
                }
            ]
        }
    },
    "requestID": "2c5564adxxxxx-xxxxxxx-xxx",
    "eventID": "39efbb33-d87b-4a68-xxxxxx-xxxxxxxx",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "98xxxxxxxxxx",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_xxxx_xxxxx_xxx",
        "clientProvidedHostHeader": "ec2.us-east-2.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}
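The record above answers the five questions from section 1 (who, when, from where, what, with what outcome), and it also shows something a reviewer should notice: the `userIdentity.type` is `Root` and `mfaAuthenticated` is `false`. The following added example (not code from the original post) reads a CloudTrail log file in the shape the service delivers to S3 (a gzipped JSON document with a top-level `Records` array), reduces each record to those five answers, and flags root activity without MFA and denied mutating calls. The two records, account ID, instance ID, user name, bucket name and IP addresses are constructed placeholders; the first mirrors the StartInstances event shown above.

```python
from __future__ import annotations
import gzip
import io
import json
from dataclasses import dataclass
from typing import Iterator

# Constructed log file content in the S3-delivery shape. The first record mirrors
# the StartInstances event in the post; the second is a denied DeleteBucket call.
# Account ID, instance ID, user, bucket and IP addresses are placeholders.
SAMPLE_RECORDS = {"Records": [
    {
        "eventVersion": "1.10",
        "userIdentity": {"type": "Root", "principalId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "eventTime": "2025-09-28T17:35:30Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "StartInstances", "awsRegion": "us-east-2", "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0example1234567"}]}},
        "readOnly": False, "managementEvent": True, "eventCategory": "Management",
    },
    {
        "eventVersion": "1.10",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "accountId": "111122223333", "userName": "alice"},
        "eventTime": "2025-09-28T17:40:02Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket", "awsRegion": "us-east-2", "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"bucketName": "example-app-data"},
        "errorCode": "AccessDenied", "errorMessage": "Access Denied",
        "readOnly": False, "managementEvent": True, "eventCategory": "Management",
    },
]}

# Keys under requestParameters that name the resource an event touched.
RESOURCE_KEYS = ("instanceId", "bucketName", "key", "functionName", "roleName", "userName")


@dataclass
class EventSummary:
    who: str       # principal ARN, or the identity type if the ARN is absent
    when: str      # eventTime (UTC, ISO 8601)
    where: str     # sourceIPAddress @ awsRegion
    what: str      # eventSource:eventName plus referenced resource identifiers
    outcome: str   # "success" or "failure:<errorCode>"
    mfa: bool      # session was MFA-authenticated
    root: bool     # identity is the account root user


def _resource_ids(params) -> list[str]:
    """Walk requestParameters recursively and collect resource identifiers."""
    found: list[str] = []
    if isinstance(params, dict):
        for k, v in params.items():
            found.extend([str(v)] if k in RESOURCE_KEYS else _resource_ids(v))
    elif isinstance(params, list):
        for item in params:
            found.extend(_resource_ids(item))
    return found


def summarize(record: dict) -> EventSummary:
    """Reduce one CloudTrail record to the who/when/where/what/outcome answers."""
    ident = record.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    outcome = "success" if "errorCode" not in record else f"failure:{record['errorCode']}"
    return EventSummary(
        who=ident.get("arn") or ident.get("type", "unknown"),
        when=record.get("eventTime", ""),
        where=f"{record.get('sourceIPAddress', '?')} @ {record.get('awsRegion', '?')}",
        what=f"{record.get('eventSource', '?')}:{record.get('eventName', '?')} "
             f"{_resource_ids(record.get('requestParameters'))}",
        outcome=outcome,
        mfa=attrs.get("mfaAuthenticated") == "true",
        root=ident.get("type") == "Root",
    )


def load_log_file(blob: bytes) -> Iterator[dict]:
    """Yield records from a gzipped CloudTrail log file as delivered to S3."""
    with gzip.open(io.BytesIO(blob), "rt", encoding="utf-8") as fh:
        yield from json.load(fh)["Records"]


def findings(records) -> list[str]:
    """Defender's checks: root without MFA, and denied calls that tried to change something."""
    out = []
    for rec in records:
        s = summarize(rec)
        if s.root and not s.mfa:
            out.append(f"root activity without MFA: {s.what} from {s.where} at {s.when}")
        if s.outcome != "success" and not rec.get("readOnly", True):
            out.append(f"denied mutating call by {s.who}: {s.what} ({s.outcome})")
    return out


def build_sample_blob() -> bytes:
    """Gzip the constructed records exactly as CloudTrail would store them in S3."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode("utf-8"))


if __name__ == "__main__":
    records = list(load_log_file(build_sample_blob()))
    for rec in records:
        print(summarize(rec))
    for f in findings(records):
        print("FINDING:", f)
```

To run this over real data, pass the bytes of a downloaded `*.json.gz` object from the trail's S3 bucket to `load_log_file` instead of `build_sample_blob()`; the record fields used here are the same ones visible in the console's JSON view above.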
