AWS CloudTrail is an AWS service that records and tracks the history of API calls and related events in an AWS account. CloudTrail gives users a comprehensive view of account activity and resource changes, and supports security, compliance and auditing functions.


1. The core functions of AWS CloudTrail

Record API call history
  • CloudTrail records API calls made by users, roles, or AWS services to AWS services and resources, including calls made through the AWS Management Console, AWS CLI, SDKs, and other AWS services.
  • Each call's event record contains details such as the operation performed, the request parameters, the resource changes, the source IP address of the call, and the identity that initiated it.
Manage event logs
  • Supports continuous collection of account activity, delivered to Amazon S3 storage as JSON log files.
  • The scope of a CloudTrail trail can be customized, for example to record activity in all Regions or only in specific Regions.
  • The retention period of event logs can be set flexibly, including long-term retention, which is convenient for meeting compliance requirements.
Event classification
  • Management events: record management operations performed on resources in the account (such as creation, deletion, update, etc.).
  • Data events: record direct interactions with specific resources (such as access to S3 objects, invocations of Lambda functions, etc.).
  • Insights events: monitor and analyze abnormal account activity, such as sudden surges in API calls, to help detect potential security risks.
CloudTrail Insights
  • Analyzes the normal patterns of account activity using machine learning to detect abnormal API calls or behavior. For instance, if the frequency of an API call suddenly increases, an alert can be triggered and further investigation conducted.
  • Helps identify abnormal activity patterns, such as brute-force attacks, abuse of permissions, or misconfiguration.
Event viewing and querying
  • Provides the Event History interface, which lets users query CloudTrail events from the past 90 days, with search and filtering.
  • Specific event records can also be queried programmatically through the AWS CLI or AWS SDKs.
Integrate with CloudWatch for real-time monitoring
  • CloudTrail events can be streamed to CloudWatch Logs for real-time monitoring.
  • Combined with CloudWatch alarms, you can receive immediate notifications or trigger automated responses when critical events such as resource deletion or permission changes occur.
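The record fields listed above (operation, request parameters, source IP, calling identity) and the "critical events" that CloudWatch alarms are usually built around can be seen together in a small detector over a CloudTrail log file. The following is an added example, not AWS's own code or anything from this page: it loads a constructed sample log file in the CloudTrail log-file format (a JSON object with a "Records" list; all account IDs, ARNs, IP addresses and timestamps are made-up placeholders), pulls out the fields an investigator reads first, and flags permission changes, resource deletions and attempts to tamper with the trail itself. The rule table (`CRITICAL_RULES`) and the category names are this example's own choices.

```python
"""Parse CloudTrail log-file records and flag critical events.

Added example, not AWS's own code. The log file below is a constructed sample
in the CloudTrail log-file format (a JSON object holding a "Records" list);
every account ID, ARN, IP address and timestamp in it is a made-up placeholder.
"""
import json
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-bucket", "key": "report.pdf"}},
    {"eventTime": "2024-05-01T10:16:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T10:17:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": "main-trail"},
     "errorCode": "AccessDenied"},  # the call was attempted but denied
    {"eventTime": "2024-05-01T10:18:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-run-42",
                      "sessionContext": {"sessionIssuer": {"userName": "DeployRole"}}},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
]})

# Hypothetical rule table: (category, required eventSource or None for any,
# eventName prefixes). Checked in order, so trail tampering is classified
# before the generic Delete*/Terminate* rule catches "DeleteTrail".
CRITICAL_RULES = [
    ("permission-change", "iam.amazonaws.com",
     ("AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
      "CreateAccessKey", "AddUserToGroup")),
    ("trail-tampering", "cloudtrail.amazonaws.com",
     ("StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors")),
    ("resource-deletion", None, ("Delete", "Terminate")),
]


@dataclass
class CriticalEvent:
    category: str
    event_time: str
    event_name: str
    actor: str
    source_ip: str
    region: str
    error_code: Optional[str]  # set when the call was attempted but failed or was denied


def load_records(log_text: str) -> list:
    """Return the list of event records from one CloudTrail log file."""
    return json.loads(log_text)["Records"]


def actor_of(record: dict) -> str:
    """IAM user name if present, else the role that issued the session, else the ARN."""
    ident = record.get("userIdentity", {})
    if "userName" in ident:
        return ident["userName"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or ident.get("arn", "unknown")


def classify(record: dict) -> Optional[str]:
    """Return the category of the first matching rule, or None if the record is not critical."""
    name, source = record.get("eventName", ""), record.get("eventSource", "")
    for category, rule_source, prefixes in CRITICAL_RULES:
        if rule_source is not None and rule_source != source:
            continue
        if name.startswith(prefixes):
            return category
    return None


def find_critical_events(records: list) -> list:
    """Run every record through the rules; denied attempts are kept, with their errorCode."""
    found = []
    for rec in records:
        category = classify(rec)
        if category is None:
            continue
        found.append(CriticalEvent(category, rec["eventTime"], rec["eventName"],
                                   actor_of(rec), rec.get("sourceIPAddress", ""),
                                   rec.get("awsRegion", ""), rec.get("errorCode")))
    return found


if __name__ == "__main__":
    for ev in find_critical_events(load_records(SAMPLE_LOG_FILE)):
        status = f"DENIED ({ev.error_code})" if ev.error_code else "ok"
        print(f"{ev.event_time} {ev.category:<18} {ev.event_name:<20} "
              f"by {ev.actor} from {ev.source_ip} in {ev.region} [{status}]")
```

Two points the sample is built to show: a denied call (the `StopLogging` attempt with `errorCode` `AccessDenied`) is still recorded, and a failed attempt to switch the trail off is exactly the kind of event worth alerting on; and for an assumed role the meaningful actor is the session issuer's role name, not the last segment of the session ARN. When the same events are streamed to CloudWatch Logs, the `trail-tampering` rule can be expressed as a metric filter pattern such as `{ ($.eventSource = "cloudtrail.amazonaws.com") && ($.eventName = "StopLogging") }` and tied to an alarm.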

2. Usage scenarios of AWS CloudTrail

  • Compliance audit: store and analyze account activity to help enterprises meet legal and industry compliance requirements (such as GDPR, PCI-DSS).
  • Security incident investigation: track and analyze abnormal account activity to quickly locate the source and impact scope of a security incident.
  • Operation and change tracking: records all changes to resources, helping administrators understand the operation history of resources in their accounts.
  • Real-time detection and response: use CloudTrail Insights and CloudWatch for real-time monitoring to promptly identify and respond to abnormal activity.

3. Advantages of AWS CloudTrail

  • Fine-grained tracking: Supports precise recording and tracking of each API call and operation, providing detailed activity records.
  • Automation and ease of use: Easy to configure and supports automatic collection and storage of event logs.
  • Integration with other AWS services: it can be integrated with CloudWatch and S3 to meet more advanced monitoring, alarm and storage requirements.
  • Long-term data storage: Use S3 to store activity logs, supporting long-term archiving, providing guarantees for security audits and compliance.

4. Summary

AWS CloudTrail is a core security auditing tool on the AWS platform, giving users comprehensive activity tracking and event logging for accounts and resources. Whether for security monitoring, compliance auditing, or troubleshooting, CloudTrail provides AWS users with powerful and flexible support.