Ref: https://learn.cantrill.io/courses/1820301/lectures/41301376

DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301377

• Summary
• Contents:

AWS CloudTrail (CT) - Overview

• 🔧 Logs API actions and events in an AWS account
  • e.g. creating EC2 instance, deleting S3 bucket, changing SG…
  • Actions registered as CloudTrail Events (activities taken by an identity or service)
  • 💡 Often used to trace actions/API calls in account, or diagnose security/performance
• 3 types of CT Events:
  1. Management Events
     • Control plane operations = management actions performed on account resources
       • e.g. creating EC2 instance, deleting S3 bucket, creating a VPC…
     • Logged by default
       • First copy of management events free and logged by default → additional copies cost more
  2. Data Events
     • Resource operations = actions performed on or in a resource
       • e.g. object upload to S3, Lambda function invoked…
     • NOT logged by default, because can be very high in volume
       • e.g. every time one accesses an S3 bucket (can happen a lot of times…)
  3. Insight Events (not important for SAA-C03)
• CT Events logged by default inside CT event history (limited to 90 days)
  • To store in other destinations (S3 or CW), must configure a trail
• ‼️ NO real-time logging!! (limitation of CT)
  • Up to 15-min delay, registers CT events in batches (multiple times per hour)

AWS CloudTrail - Trail

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/0600-IAM_ACCOUNTS_ORGS/00_LEARNINGAIDS/Cloudtrail-1.png

• 🔧 Trail = Unit of configuration within CT
• Types
  1. Single-region trail: logs events in its region → CT is a regional service
  2. All-region trail: logs events in ALL regions
     • Actually a collection of trails (one trail per region), but managed as one logical trail
     • Automatically updated when AWS updates its regions
  3. Organizational trail: logs events of ALL accounts in ALL regions of an AWS organization
     • Also collection of trails, managed as one logical trail
• Global services (IAM, STS, CloudFront…) log their events globally
  • ❗ Global service events logged to us-east-1 region (N. Virginia)
  • CT trail must enable tracking global service events, otherwise won't register them!
    • Normally enabled if creating CT trail in the UI
• Apart from storing inside CT event history, CT trails can additionally store output in:
  • S3 (output formatted in JSON, very convenient)
  • CWLogs → can set metrics (more features than S3)
  • 💡 CT event history → limited to 90 days; S3 & CW Logs → stored indefinitely

AWS CloudTrail - Pricing

• ‼️ Basic service enabled by default
  • Stores 90 days of (management) event history, inside CT
  • No cost (FREE)
  • No need to configure a trail
  • For additional, custom functionality, must create 1+ Trails (incurs costs)