AWS CloudTrail: How to Use?

A Quick Guide to Using AWS CloudTrail

1. CloudTrail “Event history” – Management Events Only

AWS comes with a default “Event history” where you can search the management event records of the past 90 days.

  • It’s “immutable”: you can only view the records.
  • It’s Regional: it only logs management events for a single AWS Region.
  • It contains “Management events” only. (For further information, such as “Data Events” or “Insights Events”, you need to create a “Trail” or a “Lake”; details are in the sections below.)
  • It’s FREE.

There are filters to narrow down the records, options to download them as CSV/JSON files, and even an option to create a new Athena table for querying.
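As an added example (not from the original post), a small Python script that triages a downloaded JSON export offline: it counts event names, separates management from data events, lists failed or denied calls, and maps each principal to the source IPs it was seen from. The sample records are constructed in the `Records` array shape CloudTrail uses for its JSON log files; it is an assumption that the Event history export uses the same shape.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in CloudTrail's {"Records": [...]} JSON shape.
# These are not real events; account id and IPs are documentation values.
SAMPLE_EXPORT = json.dumps({"Records": [
    {"eventTime": "2024-03-01T08:00:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-03-01T08:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "eventCategory": "Management",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-03-01T09:12:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9", "eventCategory": "Data",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
    {"eventTime": "2024-03-01T09:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9", "eventCategory": "Management",
     "errorMessage": "Failed authentication",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})


def summarize(export_json: str) -> dict:
    """Triage a CloudTrail JSON export: event-name counts, management vs data
    split, failed/denied calls, and the source IPs seen per principal."""
    records = json.loads(export_json)["Records"]
    by_name = Counter(r["eventName"] for r in records)
    # Records without eventCategory are treated as management events.
    by_category = Counter(r.get("eventCategory", "Management") for r in records)
    # A call counts as failed if CloudTrail recorded an errorCode or errorMessage.
    failures = [(r["eventTime"], r["eventName"], r.get("errorCode") or r.get("errorMessage"))
                for r in records if r.get("errorCode") or r.get("errorMessage")]
    ips_by_principal = defaultdict(set)
    for r in records:
        ips_by_principal[r["userIdentity"]["arn"]].add(r["sourceIPAddress"])
    return {"by_name": dict(by_name), "by_category": dict(by_category),
            "failures": failures,
            "ips_by_principal": {k: sorted(v) for k, v in ips_by_principal.items()}}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EXPORT), indent=2))
```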

In most cases, Event History is good enough for auditing purposes and tracking activity.

But what if:

  • You want to query data older than 90 days, or even months or years back…
  • You want to write the logs to S3 for compliance, security, integration…, or export them to CloudWatch Log Groups for Logs Insights queries?
  • You want data events or Insights events

It’s time to create a new “Trail”

2. AWS “Trails” – Data Events

You can choose to create a single Trail for everything, or separate Trails like this:

It’s better to have multiple trails, as below, since they are easier to manage and query:

  • a Trail for Management Events
  • a Trail for Data Events: S3
  • a Trail for Data Events: Lambda
  • and so on…

Now we have events either on:

3. AWS CloudTrail “Lake” – run SQL-based queries on your events

“Lake” is like a database where you can query events with SQL. It supports source data from AWS and from the third parties that AWS supports.

Once you create a “Lake”, you can query data as in the screen below. Usually, if we already have events in S3 or CloudWatch Logs, we can use CloudWatch Logs Insights or Athena without enabling this feature.

4. “Insights”

You can enable “Insights events” to identify unusual activity, errors, etc. on either a “Trail” or a “Lake”.

Below is an example of enabling Insights events on a Trail.

Once you enable it, you can see the Insights report from the dashboard (it might take up to 36 hours for CloudTrail to deliver Insights events to the dashboard).
