CLF-C02 Recap
AWS CloudTrail

AWS CloudTrail records API calls for your account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, and more. You can think of CloudTrail as a “trail” of breadcrumbs (or a log of actions) that someone has left behind them.

Recall that you can use API calls to provision, manage, and configure your AWS resources. With CloudTrail, you can view a complete history of user activity and API calls for your applications and resources.

Events are typically updated in CloudTrail within 15 minutes after an API call. You can filter events by specifying the time and date that an API call occurred, the user who requested the action, the type of resource that was involved in the API call, and more.

Example: AWS CloudTrail Event

Suppose that the coffee shop owner is browsing through the AWS Identity and Access Management (IAM) section of the AWS Management Console. They discover that a new IAM user named Mary was created, but they do not know who created the user, when it happened, or by what method.

To answer these questions, the owner navigates to AWS CloudTrail.


In the CloudTrail Event History section, the owner applies a filter to display only the events for the CreateUser API action in IAM. The owner locates the event for the API call that created an IAM user for Mary. This event record provides complete details about what occurred:

On January 1, 2020 at 9:00 AM, IAM user John created a new IAM user (Mary) through the AWS Management Console.
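The same investigation can be done against the raw log records that CloudTrail delivers to Amazon S3. The example below is added here as an illustration and is not code from the recap or from AWS; the three records are constructed for this example (the field names eventTime, eventName, eventSource, userIdentity, sourceIPAddress, userAgent and requestParameters follow the CloudTrail record layout, the values are invented). It filters for IAM CreateUser events the way the console filter in the walkthrough does, then pulls out the who, when, source IP and how for the creation of the user Mary.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}).
# Field names follow the CloudTrail record format; every value is made up.
SAMPLE_TRAIL = json.dumps({
    "Records": [
        {
            "eventVersion": "1.08",
            "eventTime": "2020-01-01T09:00:00Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateUser",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userAgent": "console.amazonaws.com",
            "userIdentity": {"type": "IAMUser", "userName": "John"},
            "requestParameters": {"userName": "Mary"},
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2020-01-01T09:05:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userAgent": "aws-cli/2.0",
            "userIdentity": {"type": "IAMUser", "userName": "John"},
            "requestParameters": {"instanceType": "t3.micro"},
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2020-01-02T14:30:00Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateUser",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userAgent": "aws-cli/2.0",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::123456789012:assumed-role/Admin/session1"},
            "requestParameters": {"userName": "Bob"},
        },
    ]
})


def load_records(trail_json):
    """Parse a CloudTrail log-file body and return its list of event records."""
    return json.loads(trail_json).get("Records", [])


def caller_name(identity):
    """Best-effort human-readable caller taken from the userIdentity block."""
    if "userName" in identity:
        return identity["userName"]
    return identity.get("arn", identity.get("type", "unknown"))


def how_called(user_agent):
    """Classify the channel of the call (console, CLI, other) from userAgent."""
    if user_agent == "console.amazonaws.com":
        return "AWS Management Console"
    if user_agent.startswith("aws-cli"):
        return "AWS CLI"
    return "SDK/other (%s)" % user_agent


def find_events(records, event_name, event_source=None):
    """Filter records by event name (and optionally service), like the console filter."""
    return [
        r for r in records
        if r.get("eventName") == event_name
        and (event_source is None or r.get("eventSource") == event_source)
    ]


def describe_create_user(record):
    """Answer who / when / from where / how / which user for one CreateUser event."""
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    when = when.replace(tzinfo=timezone.utc)
    return {
        "who": caller_name(record["userIdentity"]),
        "when": when.isoformat(),
        "from_ip": record["sourceIPAddress"],
        "how": how_called(record.get("userAgent", "")),
        "created_user": record["requestParameters"]["userName"],
    }


def audit_user_creation(trail_json, created_user):
    """Return a description of every IAM CreateUser event for the given user name."""
    hits = find_events(load_records(trail_json), "CreateUser", "iam.amazonaws.com")
    return [describe_create_user(r) for r in hits
            if r.get("requestParameters", {}).get("userName") == created_user]


if __name__ == "__main__":
    for summary in audit_user_creation(SAMPLE_TRAIL, "Mary"):
        print(summary)
```

Against the constructed records this reports that John created Mary at 2020-01-01T09:00:00+00:00 from 203.0.113.10 through the AWS Management Console, which is the same answer the console walkthrough arrives at. For a live account the equivalent of the console filter is the LookupEvents API (for example `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser`), which covers the last 90 days of management events without needing the S3 log files.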

CloudTrail Insights

Within CloudTrail, you can also enable CloudTrail Insights. This optional feature allows CloudTrail to automatically detect unusual API activities in your AWS account.

For example, CloudTrail Insights might detect that a higher number of Amazon EC2 instances than usual have recently launched in your account. You can then review the full event details to determine which actions you need to take next.
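To make the "higher than usual" idea concrete, here is an added example (not code from the recap and not how CloudTrail Insights is implemented internally, which the recap does not describe) of the simplest baseline check a defender can run over their own trail: count calls to one API per hour and flag an hour whose count is far above the rolling mean of the preceding hours. The hourly counts are constructed for this illustration; the window size, the multiplier k and the minimum history are assumptions chosen for the example.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed hourly counts of RunInstances calls: (hour, number_of_calls).
# Eleven quiet hours, then a burst in the last hour that should be surfaced.
SAMPLE_HOURLY_COUNTS = [
    ("2020-01-01T00", 3), ("2020-01-01T01", 2), ("2020-01-01T02", 4),
    ("2020-01-01T03", 3), ("2020-01-01T04", 2), ("2020-01-01T05", 3),
    ("2020-01-01T06", 4), ("2020-01-01T07", 3), ("2020-01-01T08", 2),
    ("2020-01-01T09", 3), ("2020-01-01T10", 4), ("2020-01-01T11", 40),
]


def hourly_counts(event_times):
    """Bucket CloudTrail eventTime strings (e.g. 2020-01-01T09:05:00Z) by hour.

    Returns a list of (hour, count) pairs sorted by hour, which is the
    shape unusual_hours() expects.
    """
    buckets = Counter(t[:13] for t in event_times)
    return sorted(buckets.items())


def unusual_hours(counts, k=3.0, min_history=6, stdev_floor=1.0):
    """Flag hours whose count exceeds mean + k * stdev of all earlier hours.

    counts       : list of (hour, count), in time order
    k            : how many standard deviations above the baseline to tolerate
    min_history  : do not judge an hour until at least this many earlier hours exist
    stdev_floor  : lower bound on stdev so a perfectly flat history does not
                   make every +1 look anomalous
    Returns a list of (hour, count, threshold) for the flagged hours.
    """
    flagged = []
    history = []
    for hour, count in counts:
        if len(history) >= min_history:
            base = mean(history)
            spread = max(pstdev(history), stdev_floor)
            threshold = base + k * spread
            if count > threshold:
                flagged.append((hour, count, round(threshold, 2)))
        history.append(count)
    return flagged


if __name__ == "__main__":
    for hour, count, threshold in unusual_hours(SAMPLE_HOURLY_COUNTS):
        print("unusual volume at %s: %d calls (baseline threshold %.2f)"
              % (hour, count, threshold))
```

On the constructed input only the 11:00 hour is flagged (40 calls against a threshold of 6.0); the small wobble between 2 and 4 calls in the quiet hours stays under the threshold. Whatever the detector, the follow-up is the one the recap describes: go back to the full event records for that window to see which identity made the calls and from where before deciding what to do.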