In this post, we are going to take a high-level view of the AWS CloudTrail service without going into much detail. Read on...
CloudTrail is a product which logs the API calls and activities that affect AWS accounts as CloudTrail events.
It is a record of an activity in an AWS account.
It could be any action taken by a user, role or service like starting an EC2 instance, deleting an S3 bucket and so on.
By default it stores the events of the last 90 days in the CloudTrail event history at no cost.
To retain CloudTrail events for more than 90 days, a trail needs to be created.
There are three types of events: management events, data events and insight events.
Management events provide information about management operations performed on resources in your AWS account, also known as control plane operations, e.g. creating or terminating an EC2 instance, or creating a VPC.
Data events provide information about operations performed on or in a resource, e.g. uploading an object to S3, reading an object from S3, or invoking a Lambda function.
By default only management events are logged, because data events take up a high volume of storage very quickly (for example, logging every access to an S3 object).
A CloudTrail trail is a unit of configuration within the CloudTrail product. It is the way of telling CloudTrail how to operate.
By default a trail logs events only for the AWS region it is created in; an all-region (global) trail needs to be enabled explicitly.
CT is a region-based service.
There are two ways to configure a trail: a single-region trail or an all-region trail.
A single-region trail logs only the events of the region it is created in.
An all-region trail functions as one logical trail; when a new region is added, the trail configuration is updated automatically.
Most services log events in the region where the event occurred.
A small number of services (IAM, STS and CloudFront) log their events to a single region. These are known as global service events, and logging them needs to be enabled on the trail.
When a trail is created, management events are captured; data events are also captured if enabled manually.
We need to manually enable data event capturing. It is not enabled by default.
After the trail is created, the events are stored in S3 as compressed JSON log files.
These logs can be passed to any tool capable of reading and interpreting them.
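As an added example (not from the original post), the following Python builds a constructed CloudTrail log object in the gzipped JSON shape described above, reads it back, and tallies management vs. data events, regions and global service events. The account id, ARNs and timestamps are made up.

```python
import gzip
import json
from collections import Counter

# Constructed sample in the shape CloudTrail writes to S3: one gzipped JSON object
# whose "Records" list holds the events. Account id, ARNs and times are made up.
SAMPLE_LOG = {"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "eventCategory": "Management",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "eventCategory": "Management",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1",
     "eventCategory": "Data",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
]}

# Services the post names as logging global service events to a single region.
GLOBAL_SERVICES = {"iam.amazonaws.com", "sts.amazonaws.com", "cloudfront.amazonaws.com"}


def write_log_file(log: dict) -> bytes:
    """Serialise and gzip a Records object the way a CloudTrail S3 object is stored."""
    return gzip.compress(json.dumps(log).encode("utf-8"))


def read_log_file(blob: bytes) -> list:
    """Decompress a CloudTrail log object and return its list of event records."""
    return json.loads(gzip.decompress(blob))["Records"]


def summarise(records: list) -> dict:
    """Count events by category (management vs data), by region, and how many
    came from global services, mirroring the distinctions made in the text."""
    counts = Counter()
    for r in records:
        counts[r.get("eventCategory", "Management").lower()] += 1
        counts["region:" + r["awsRegion"]] += 1
        if r["eventSource"] in GLOBAL_SERVICES:
            counts["global_service_events"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarise(read_log_file(write_log_file(SAMPLE_LOG))))
```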
CloudTrail can be integrated with CloudWatch Logs, which stores the events; they can then be searched, or assigned a metric and interpreted.
A more recent addition to CloudTrail is the organization trail: if a trail is created from the management account of an AWS Organization, the events of all member accounts in the organization are stored in that trail.