What is AWS CloudTrail?


Introduction to Amazon CloudWatch
Amazon CloudWatch Operations
Anomaly Detection
PREVIEW14m 35s
Amazon EventBridge
Deeper Dive
AWS CloudTrail
AWS Cost Management Tools
6m 51s
What is AWS CloudTrail?
3h 30m

This section of the SysOps Administrator - Associate learning path introduces you to the different monitoring and reporting services and tools that are relevant to the SOA-C02 exam. We look at both the monitoring of your infrastructure, in addition to the reporting of your bills.

Learning Objectives

  • Understand how Amazon CloudWatch is used to monitoring the performance of your infrastructure
  • Learn how to identify anomalies in your infrastructure using Amazon CloudWatch
  • Learn how Amazon EventBridge makes it easier to build event-driven applications at scale
  • Learn about the different methods of logging that are available
  • Understand how to review your costs and optimize them going forward

Hello, and welcome to this lecture. In this lecture, I will explain the basic fundamentals of AWS CloudTrail to give you an overview of the service, before we look deeper at the inner workings revealing how the different elements work together.

So what is CloudTrail and what does it do? CloudTrail is a service that has a primary function to record and track all AWS API requests made. These API calls can be programmatic requests initiated from a user using an SDK, the AWS Command Line Interface, from within the AWS Management Console, or even from a request made by another AWS service.

For example, when Auto Scaling automatically sends an API request to launch or terminate an instance, these API requests are all recorded by CloudTrail. When an API request is initiated, AWS CloudTrail captures the request as an event and records this event within a log file, which is then stored on S3. Each API call represents a new event within the log file.

CloudTrail also records and associates other identifying metadata with all the events. For example, the identity of the caller, the timestamp of when the request was initiated, and the source IP address. For greater management, new log files are typically created every five minutes, which are then delivered and stored within an S3 bucket that is defined by you during your CloudTrail configuration. This allows you to easily go back and review the history of all API requests made.

There's also an option to have these logs delivered to a CloudWatch Logs log file as well. Having this association with CloudWatch enables custom metrics to be converted, to monitor specific API requests. Thresholds can be set against these metrics and when crossed the Simple Notification Service, SNS, can be triggered to notify your security teams to investigate. That, at a very high level, is the overall function of the AWS CloudTrail service.

Now let's take a look at the CloudTrail architecture to understand where it can be implemented from an AWS region standpoint and which services can be supported. AWS CloudTrail is a global service with support for all regions.

In addition to this worldwide coverage CloudTrail also provides support for over 60 AWS services and features across a wide range of service categories. As you can imagine with this extensive coverage, CloudTrail can capture a vast amount of data if you have a multi-region, multi-service infrastructure environment deployed.

So armed with this information, what can you do with it? How can you use this data to help you manage and support your AWS infrastructure? Well there are a number of ways you can use the data captured by CloudTrail to help you enhance your AWS environment.

Firstly, it can be used very effectively as a security analysis tool. CloudTrail events provide very specific information about where an API call originated from and who or what initiated the request. As a result, if malicious activity was detected via irregular trends or restricted API call thresholds with the use of CloudWatch, then a number of security controls can be quickly implemented to prevent the user from causing additional damage.

Another common use for CloudTrail is to help resolve and manage day-to-day operational issues and problems. Using built-in filtering mechanisms it's possible to quickly find who, what, and when a particular API was used, which could have potentially caused an outage or service interruption. This enables quicker root cause identification resulting in a speedy resolution. Appropriate actions could then be taken to ensure the incident does not reoccur in your environment. As API calls to add, modify, or delete resources are captured, CloudTrail can be an effective method of tracking changes to resources within your environment.

There is another AWS service that is specifically designed to audit and track changes to resources, which is called AWS Config, which CloudTrail interacts with. However, CloudTrail can be used to capture the actual API request and all associated data, which made the change. And if you're not using AWS Config, then this at least provides some base level of monitoring and tracking.

From a governance and security legislation perspective, many certifications require the ability to recall and provide evidence of log files relating to specific changes to resources. CloudTrail provides all of this by default through the use of capturing events and writing them to a log file, which is then stored on S3. AWS has a great white paper on achieving compliance using CloudTrail entitled "Logging in AWS How AWS CloudTrail can help you achieve compliance by logging API calls and changes to resources." The following URL will take you to that white paper.

If you need to be able to capture and track API requests within your AWS account, for any of these reasons mentioned, or perhaps for other reasons you may have of your own, then CloudTrail can do this for you and deliver the output as a log file into an S3 bucket of your choice.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.