AWS CloudTrail
AWS CloudTrail

The services within the AWS Management Fundamentals course focus on maintaining and monitoring AWS applications and systems, to ensure they are compliant, properly configured, operating at required utilization thresholds, and protected from any potential external threats.

This course covers a range of different services, including:

Learning Objectives

  • Describe the basic functions that each service in this course performs within a cloud solution
  • Recognize basic components and features of each AWS management service in this course
  • Understand the role each service plays to maintain a properly operating application on AWS

Intended Audience

This course is designed for:

  • Anyone preparing for the AWS Certified Cloud Practitioner exam
  • Managers, sales professionals, and other non-technical roles


Before taking this course, you should have a general understanding of basic cloud computing concepts. If you are familiar with common compliance requirements for IT systems, this will also help.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Hello, and welcome to this lecture. In this lecture I will explain the basic fundamentals of AWS CloudTrail to give you an overview of the service before we look deeper at the inner workings, revealing how the different elements work together. So what is CloudTrail and what does it do? CloudTrail is a service that has a primary function to record and track all AWS API requests made. These API calls can be programmatic requests initiated from a user using an SDK, the AWS Command Line Interface, from within the AWS management console, or even from a request made by another AWS service.

For example, when auto scaling automatically sends and API request to launch or terminate an instance. These API requests are all recorded by CloudTrail. When an API request is initiated, AWS CloudTrail captures the request as an event and records this event within a log file, which is then stored on S3. Each API call represents a new event within the log file. CloudTrail also records and associates other identifying metadata with all the events.

For example, the identity of the caller, the timestamp of when the request was initiated, and the source IP address. In a later lecture entitled Insight Into CloudTrail Logs, I will look at these log files deeper, while I'll provide an example of a log file showing the different attributes recorded. For greater management, new log files are typically created every five minutes. Which are then delivered and stored within an S3 bucket that is defined by you during your CloudTrail configuration.

This allows you to easily go back and review the history of all API requests made. There's also an option to have these logs delivered to a CloudWatch Logs log file as well. Having this association with CloudWatch enables custom metrics to be converted to monitor specific API requests. Thresholds can be set against these metrics and when crossed, the simple notification service, SNS, can be triggered to notify your security teams to investigate. That, at a very high level, is the overall function of the AWS CloudTrail service.

Now let's take a look at the CloudTrail architecture to understand where it can be implemented from an AWS region standpoint, and which services can be supported. AWS CloudTrail is a global service with support for all regions. Support for the latest region, EU London was added in mid December, 2016. In addition to this worldwide coverage, CloudTrail also provides support for over 60 AWS services and features across a wide-range of service categories.

As you can imagine, with this extensive coverage, CloudTrail can capture a vast amount of data if you have a multi-region, multi-service infrastructure environment deployed. So armed with this information, what can you do with it? How can you use this data to help you manage and support your AWS infrastructure? Well there are a number of ways you can use the data captured by CloudTrail to help you enhance your AWS environment. Firstly, and as mentioned earlier, it can be used very effectively as a security analysis tool. CloudTrail events provide very specific information about where an API call originated from and who, or what initiated the request.

As a result, if malicious activity was detected via irregular trends or restricted API call thresholds, with the use of CloudWatch, then a number of security controls can be quickly implemented to prevent the user from causing additional damage. Another common use for CloudTrail is to help resolve and manage day to day operational issues and problems. Using built-in filtering mechanisms, it's possible to quickly find who, what and when a particular API was used, which could have potentially caused an outage or service interruption. This enables quicker root cause identification, resulting in a speedy resolution.

Appropriate actions can then be taken to ensure the incident does not reoccur in your environment. As API calls to add, modify or delete results are captured CloudTrail can be an effective method of tracking changes to resources within your environment. There is another AWS service that is specifically designed to order and track changes to resources, which is called AWS Config, which CloudTrail interacts with, however, CloudTrail can be used to capture the actual API request, and all associated data which made the change. And if you're not using AWS Config then this at least provides some base level of monitoring and tracking.

From a governance and security legislation perspective, many certifications require the ability to recall and provide evidence of log files relating to specific changes to resources. CloudTrail provides all of this by default, through the use of capturing events and writing them to a log file, which is then stored on S3. AWS has a great whitepaper on achieving compliance, using CloudTrail entitled Logging in AWS, How AWS CloudTrail Can Help You Achieve Compliance by logging API calls and Changes to Resources.

The following URL will take you to that whitepaper. If you need to be able to capture and track API requests within your AWS account, for any of these reasons mentioned, or perhaps for other reasons you may have of your own, then CloudTrail can do this for you and deliver the output as a log file into an S3 bucket of your choice.



About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.