CloudTrail is an auditing, monitoring and governance service that records the API activity in your AWS account and keeps detailed logs of every event. You can use this event history to simplify security analysis and to detect unusual activity in your account.
CloudTrail lets you view the last 90 days of events free of charge. If you want to keep logs for longer, you pay for the associated S3 storage plus a small fee per 100,000 logged events. It is still relatively inexpensive, and it does not hurt to get started with it.
CloudTrail automatically records the last 90 days of events, so you can open the CloudTrail console and see the latest activity in your account. The home screen shows the most recent events.
Under “Event History” in the sidebar, you can see the full list of events in chronological order.
This is a lot of data, so you will probably want to filter for exactly what you are looking for. If you are reviewing a specific employee’s activity, you can filter by username or AWS access key, or by other attributes such as source IP address and resource type. You can also narrow the view to a specific time interval.
If you click on an event, you can view all the data collected for it. Some events are simple, like “ConsoleLogin”, which records when different users sign in. Others are more specific and show more information about the underlying API call.
You can view the full JSON record for the event with the “View Event” button.
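The filters described above (user, access key, source IP, event name, time window) and a first-pass review of “ConsoleLogin” records can be reproduced offline against the same JSON that “View Event” shows. This is an added example, not code from the original article or from AWS; the log records are constructed to match the shape of a CloudTrail log file, and the user names, IPs and access key are placeholders.

```python
import json
# Constructed sample shaped like a CloudTrail log file: a "Records" array of event records. Not real account data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T08:02:11Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-03-01T08:05:40Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-01T09:15:02Z", "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}},
    {"eventTime": "2024-03-01T10:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
]})

def load_records(log_text):
    return json.loads(log_text)["Records"]

def filter_events(records, username=None, access_key=None, source_ip=None,
                  event_name=None, start=None, end=None):
    """Same filters Event History offers. start/end are ISO-8601 UTC strings, which compare correctly as text."""
    def keep(r):
        ident = r.get("userIdentity", {})
        return ((username is None or ident.get("userName") == username)
                and (access_key is None or ident.get("accessKeyId") == access_key)
                and (source_ip is None or r.get("sourceIPAddress") == source_ip)
                and (event_name is None or r.get("eventName") == event_name)
                and (start is None or r["eventTime"] >= start)
                and (end is None or r["eventTime"] <= end))
    return [r for r in records if keep(r)]

def triage_logins(records):
    """Return (who, source IP, reason) for ConsoleLogin events a reviewer should look at."""
    findings = []
    for r in filter_events(records, event_name="ConsoleLogin"):
        ident = r.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")  # root logins carry no userName
        if r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            findings.append((who, r.get("sourceIPAddress"), "failed console login"))
        elif r.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append((who, r.get("sourceIPAddress"), "successful login without MFA"))
        if ident.get("type") == "Root":
            findings.append((who, r.get("sourceIPAddress"), "root account console login"))
    return findings

if __name__ == "__main__":
    for finding in triage_logins(load_records(SAMPLE_LOG)):
        print(finding)
```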
Create a trail
If you want to keep records for longer than 90 days, or want extended logs for S3 and Lambda data events, you can create a trail. Keep in mind that you will incur costs for S3 storage as well as a fee per 100,000 logged events.
Create a new trail from “Trails” in the sidebar. You can apply the trail to every region, and to all accounts in an AWS Organization. You can also select the types of events to log and enable CloudTrail Insights for the trail.
The next section is “Data Events”, which lets you keep extended logs for S3 buckets or Lambda functions. For S3, CloudTrail logs the operations performed on a bucket’s objects, such as PutObject. For Lambda, it logs all invocations of the given function. You can enable this for all buckets, or enter the ARN of a specific one.
Finally, you need a new or existing S3 bucket to hold the events. You can also use this bucket to keep track of how much data your trail generates.
Events logged by the trail are retained indefinitely in that bucket. With a trail in place, you can enable CloudTrail Insights from the “Insights” tab in the sidebar.
Insights takes up to 36 hours to analyze your trail; once that is done, you can browse the results.
If you wish, you can also configure CloudTrail to send events to CloudWatch Logs, or feed them into Elasticsearch for more detailed monitoring.