CloudTrail
Definition
AWS service that records all API calls made in your account for security and compliance. Like a detailed security log that tracks who did what and when.
Use Cases
- Netflix: Security investigations and compliance auditing across a large AWS footprint by tracking changes to IAM, networking, and compute resources. — Enabled AWS CloudTrail organization trails to centrally capture management events across multiple AWS accounts, delivered logs to a dedicated S3 bucket with restricted access and retention policies, and used automated analysis/alerting on suspicious API activity. (Improved incident response by providing a reliable, centralized history of account activity and configuration changes, supporting audit requirements and faster root-cause analysis.)
- Capital One: Auditability and detection of unauthorized or risky changes (for example, IAM policy updates, security group modifications, and key management actions). — Configured CloudTrail to log management events across accounts, stored logs in S3 with strong access controls and retention, and integrated log analysis to support security monitoring and investigations. (Stronger governance and traceability of administrative actions, enabling quicker investigation of security events and improved compliance reporting.)
Provider Equivalents
- AWS: AWS CloudTrail
- Azure: Azure Activity Log
- GCP: Cloud Audit Logs
- OCI: OCI Audit
Frequently Asked Questions
- What's the difference between AWS CloudTrail and Amazon CloudWatch?
- CloudTrail records AWS API activity (who called which API, when, from what IP, and whether it succeeded). CloudWatch is primarily for metrics, alarms, and operational logs from applications and AWS resources. In practice, you often send CloudTrail events to CloudWatch Logs to create alerts on specific API actions.
- When should I use CloudTrail?
- Use CloudTrail whenever you need an audit trail of activity in AWS: security investigations, compliance evidence, tracking configuration changes, and detecting suspicious behavior (like unexpected IAM changes or disabling security controls). Most organizations enable it by default for all accounts and regions, then add alerting for high-risk actions.
- How much does CloudTrail cost?
- Pricing depends on what you enable and where you send logs. CloudTrail typically includes a free tier for basic event history, while delivering events to S3/CloudWatch Logs, enabling data events (like S3 object-level or Lambda invoke events), Insights, and long-term storage/analysis can add cost. Main cost drivers are the volume of logged events (especially data events), CloudWatch Logs ingestion/retention if used, and S3 storage plus any query/analytics tools you run on the logs.
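The FAQ answers above describe the usual pattern of feeding CloudTrail events into detection and alerting on high-risk actions such as IAM changes or disabling of logging. The script below is an added example (not part of this page, and not an AWS-provided tool) that shows what that detection step looks like in practice: it parses a CloudTrail log file in the JSON shape delivered to S3 (a top-level `Records` array) and flags events worth an alert. The detection rule table, the severity labels, the `Finding` class and the sample records are all constructed for illustration; the event names and services listed are real CloudTrail event names.

```python
"""Flag high-risk API activity in a CloudTrail log file (S3-delivered JSON format)."""
import json
from dataclasses import dataclass

# Hypothetical rule table keyed by (eventSource, eventName). The event names are
# real CloudTrail management-event names; the choice of which ones to alert on
# and the wording of the reasons are this example's own assumptions.
HIGH_RISK_EVENTS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "audit logging disabled",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "audit trail deleted",
    ("iam.amazonaws.com", "AttachUserPolicy"): "managed policy attached to a user",
    ("iam.amazonaws.com", "PutUserPolicy"): "inline policy written to a user",
    ("iam.amazonaws.com", "CreateAccessKey"): "new long-lived credential created",
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): "security group ingress opened",
    ("kms.amazonaws.com", "ScheduleKeyDeletion"): "KMS key scheduled for deletion",
}

# Error codes that indicate a caller tried something they were not allowed to do.
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation"}


@dataclass
class Finding:
    severity: str
    event_name: str
    actor: str
    source_ip: str
    reason: str


def actor_of(record: dict) -> str:
    """Best-effort human-readable principal from the userIdentity block."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per record that matches a rule, root usage, or a denied call."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        key = (rec.get("eventSource"), rec.get("eventName"))
        actor = actor_of(rec)
        ip = rec.get("sourceIPAddress", "?")
        # Any activity by the root user is notable regardless of the API called.
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append(Finding("high", rec["eventName"], actor, ip, "root account used"))
        if key in HIGH_RISK_EVENTS:
            findings.append(Finding("high", rec["eventName"], actor, ip, HIGH_RISK_EVENTS[key]))
        elif rec.get("errorCode") in DENIED_CODES:
            # Denied calls are low severity on their own but useful for spotting probing.
            findings.append(Finding("low", rec["eventName"], actor, ip, f"denied call: {rec['errorCode']}"))
    return findings


# Constructed sample log (not a real capture); account ID and IPs are documentation values.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-15T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-15T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-15T10:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-15T10:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "userName": "dave"}, "errorCode": "AccessDenied"},
]})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.event_name} by {f.actor} from {f.source_ip}: {f.reason}")
```

Run against the constructed sample this reports four findings: the policy attachment, the `StopLogging` call, the root console login, and the denied `DeleteBucket` attempt, while the routine `DescribeInstances` call is ignored. In a real deployment the same rule table maps directly onto CloudWatch Logs metric filters or an EventBridge rule, which is the delivery path the FAQ mentions; the value of the script is in making the rule set explicit and testable before it is encoded there.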
Category: security
Difficulty: intermediate