AWS CloudTrail
Last updated
AWS CloudTrail is an AWS service that records the activity performed in an AWS account, whether through the CLI, the Management Console or the SDKs. This logging and auditing service can also be integrated with a SIEM solution, which helps not only with visibility, incident response and debugging but also with meeting compliance requirements.
Event Logging in AWS:
There are two main types of events: management events (control-plane operations) and data events (data-plane operations). Both types log the AWS account, the user ID or role, the source IP address, the time and the resource details.
The last 90 days of events can be viewed in Event History.
Some things to consider when setting up CloudTrail:
Not all services are supported
Only 5 trails per region are allowed
The logs collected by CloudTrail can be used with S3, Lambda, Athena and even CloudWatch for analysis, storage and so on.
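As an added example (not part of the original page or of any AWS tooling), the script below parses a CloudTrail log file in its delivered layout (a JSON object with a "Records" array), flattens each record to the fields listed above (account, principal, source IP, time, service, action and resources), separates management from data events, and runs two SIEM-style checks a responder would want: root-account activity and changes to CloudTrail itself. The account ID, ARNs and IP addresses in the sample are constructed placeholders.

```python
import json

# Constructed sample in the CloudTrail log-file layout; all IDs are placeholders.
SAMPLE_LOG = """{"Records": [
 {"eventVersion": "1.08", "eventTime": "2024-05-01T10:15:00Z",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:user/alice"},
  "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.10", "managementEvent": true, "eventCategory": "Management",
  "readOnly": false, "resources": [{"type": "AWS::EC2::Instance",
  "ARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0example"}]},
 {"eventVersion": "1.08", "eventTime": "2024-05-01T10:16:30Z",
  "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                   "arn": "arn:aws:sts::123456789012:assumed-role/app-role/session1"},
  "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
  "sourceIPAddress": "10.0.0.5", "managementEvent": false, "eventCategory": "Data",
  "readOnly": true, "resources": [{"type": "AWS::S3::Object",
  "ARN": "arn:aws:s3:::example-bucket/report.csv"}]},
 {"eventVersion": "1.08", "eventTime": "2024-05-01T10:20:00Z",
  "userIdentity": {"type": "Root", "accountId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:root"},
  "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.7", "managementEvent": true, "eventCategory": "Management",
  "readOnly": false, "resources": [{"type": "AWS::CloudTrail::Trail",
  "ARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}]}
]}"""

# Actions that alter CloudTrail's own logging; a change here reduces visibility.
TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def parse_records(text):
    """Flatten each record to the fields CloudTrail logs for every event."""
    out = []
    for r in json.loads(text)["Records"]:
        ident = r.get("userIdentity", {})
        # eventCategory is present in newer records; fall back to the managementEvent flag
        cat = r.get("eventCategory") or ("Management" if r.get("managementEvent") else "Data")
        out.append({"time": r["eventTime"], "account": ident.get("accountId"),
                    "principal": ident.get("arn"), "ip": r.get("sourceIPAddress"),
                    "service": r["eventSource"], "action": r["eventName"], "category": cat,
                    "read_only": r.get("readOnly"),
                    "resources": [x.get("ARN") for x in r.get("resources", [])]})
    return out

def find_alerts(events):
    """Return (reason, action, source IP) tuples for events worth a responder's look."""
    alerts = []
    for e in events:
        if (e["principal"] or "").endswith(":root"):
            alerts.append(("root-account-activity", e["action"], e["ip"]))
        if e["service"] == "cloudtrail.amazonaws.com" and e["action"] in TRAIL_CHANGES:
            alerts.append(("cloudtrail-modified", e["action"], e["ip"]))
    return alerts
```

Real log files arrive gzipped in the trail's S3 bucket, so in practice the text passed to parse_records comes from decompressing each delivered object.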
To create a trail in the console, the steps are as follows:
Quick Trail Console:
More Detailed Console:
Finally create the trail:
Event History would look something like this: