1h 9m

Any information that helps to secure your Cloud infrastructure is of significant use to security engineers and architects. With AWS CloudTrail, you have the ability to capture all AWS API calls made by users and/or services.

Whenever an API request is made within your environment, AWS CloudTrail can track that request with a host of metadata and record it in a Log, which is then sent to AWS S3 for storage, allowing you to view historical data of your API calls.

Having this information has a number of uses from both a security and a day-to-day operational perspective, but it also allows for additional compliance. Having an audited trail of requests which can be tracked back to a user or service, and even the IP address used, helps to maintain your required compliance levels.

This course provides a full explanation of the CloudTrail service, looking at what it does, how it does it, and what components and services it uses. It breaks down each of the configurable components allowing you to see exactly how it works and to what degree it can be configured.

It dives into permissions required to run and implement CloudTrail, covering roles and policies, along with an overview of S3 Bucket permissions required for log storage. There are also a number of demonstrations within the course showing first hand how to configure Trails and set up various controls and permissions giving you clear guidance on what to do.

CloudTrail Logs are examined to show you exactly how APIs are recorded and how this sensitive information can be encrypted using KMS and also shared between AWS Accounts.

If you have any feedback on this course, please let us know at

Learning Objectives

  • Understand what AWS CloudTrail is and how it works
  • Understand permissions, trails, and logs in CloudTrail and how they are used
  • Learn how to perform monitoring activities with the service

Intended Audience

  • IT professionals responsible for cloud security: security consultants, security architects, security auditors, etc.
  • Those studying for an AWS certification that requires knowledge of AWS CloudTrail
  • Anyone with a general interest in AWS security


To get the most out of this course, you should have a basic understanding of the following AWS services: Simple Storage Service (S3), Identity and Access Management (IAM), AWS CloudWatch, Simple Notification Service (SNS), and the Key Management Service (KMS).


Hello, and welcome to this short lecture to close the course on AWS CloudTrail.

At this point, you should now have a greater understanding of what CloudTrail is and what it can do and some of the use cases for this service. It's a very powerful tool in a never-ending attempt to enhance your security solution. Being able to capture every API call made within your environment allows for exceptional auditing which, in turn, makes way for compliance against certain governance controls.

Having the ability to create multiple Trails allows for different teams and departments to use CloudTrail for different use cases. For example, you may find that your security team want to use CloudTrail linked with CloudWatch and SNS to quickly identify unusual or restricted API calls that are not expected. Whereas another team might want a Trail to help with day-to-day operational issues when they occur. Being able to look at the last few API calls leading up to an outage or service interruption could be invaluable in identifying the root cause quickly and effectively.

Although the CloudTrail dashboard, via the management console, allows you to view events from the past seven days that relate to any modify, create, or delete API call, in a simple query, there are many third-party partners out there that are endorsed by AWS that can provide enhanced analysis of your Logs and Events, providing an even greater insight into what's happening within your environment. Many of them offer different unique selling points. So, be sure to look at the wide range of partners available. It's possible you may already be using one of them within your organization for another service. The list of available partners can be found here.

So, to quickly recap on a few things that we have covered.

  • We have learned that CloudTrail captures all API calls in your environment and in all regions that it is configured to do so.
  • For every API call captured, a related Event is recorded with associated metadata within a Log file.
  • How to set up a Trail and understand the different configurable components.
  • CloudTrail Logs are delivered to a specified bucket in S3.
  • CloudTrail Logs from different accounts can be sent to the same S3 bucket in one AWS account through specific permissions and trusted associations between AWS accounts.
  • CloudTrail Logs are encrypted using SSE-S3 by default, but they can be encrypted with SSE-KMS for increased security.
  • There are a number of different permissions required for creating and reading CloudTrail Trails and Logs.
  • CloudTrail Logs can also be sent to CloudWatch Logs to be monitored against specific metrics using metric filters and filter patterns allowing for greater analysis.
  • Further, CloudWatch can work with SNS to send notifications when configured thresholds are reached.

If you have any feedback on this course, positive or negative, please leave a comment on the course landing page. We do look at the comments in earnest and your feedback is greatly appreciated.

So, that now brings us to the end of this lecture and the end of the course. I hope you have found it useful, and it has answered some questions you may have had surrounding AWS CloudTrail. Thank you for your time and good luck with your continued learning of Cloud computing. Thank you.
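The recap mentions matching CloudTrail logs against filter patterns to surface unusual or restricted API calls. The following is an added example, not part of the course material: it applies that kind of matching offline to a constructed log file in the CloudTrail `Records` layout. The rule names, account ID, user names and IP addresses are made up for illustration.

```python
import json
from collections import Counter

ACCT = "arn:aws:iam::111122223333"  # constructed account ID

def rec(time, source, name, ip, id_type, who, error=None):
    """Build one constructed record using real CloudTrail field names."""
    r = {"eventTime": time, "eventSource": source + ".amazonaws.com",
         "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"type": id_type, "arn": f"{ACCT}:{who}"}}
    if error:
        r["errorCode"] = error
    return r

# Constructed sample log file: CloudTrail delivers a JSON "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    rec("2024-01-01T10:00:00Z", "s3", "ListBuckets", "198.51.100.7", "IAMUser", "user/alice"),
    rec("2024-01-01T10:02:00Z", "ec2", "RunInstances", "198.51.100.9", "IAMUser", "user/bob",
        error="Client.UnauthorizedOperation"),
    rec("2024-01-01T10:03:00Z", "cloudtrail", "StopLogging", "198.51.100.9", "IAMUser", "user/bob"),
    rec("2024-01-01T10:05:00Z", "signin", "ConsoleLogin", "203.0.113.20", "Root", "root"),
    rec("2024-01-01T10:06:00Z", "cloudtrail", "DeleteTrail", "203.0.113.44", "IAMUser", "user/carol",
        error="AccessDenied"),
]})

TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def classify(record):
    """Return the names of the (hypothetical) rules one record matches."""
    hits = []
    error = record.get("errorCode", "")
    if error.startswith("AccessDenied") or error.endswith("UnauthorizedOperation"):
        hits.append("denied-call")      # request rejected by permissions
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_CHANGES):
        hits.append("trail-change")     # the audit trail itself was touched
    if record.get("userIdentity", {}).get("type") == "Root":
        hits.append("root-activity")    # root account in use
    return hits

def scan(log_text):
    """Parse one log file; return (findings, per-rule counts)."""
    findings = []
    for r in json.loads(log_text).get("Records", []):
        for rule in classify(r):        # one record can match several rules
            findings.append({"rule": rule, "time": r.get("eventTime"),
                             "event": r.get("eventName"), "ip": r.get("sourceIPAddress"),
                             "who": r.get("userIdentity", {}).get("arn", "unknown")})
    return findings, Counter(f["rule"] for f in findings)

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG)[0]:
        print(finding)
```

The per-rule counts are the offline analogue of a metric that an alarm threshold would be set against.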

About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.