1. CloudTrail “Event history” – Management Events Only
AWS comes with a default “Event history” where you can search the management event records of the past 90 days.
- It’s “immutable”: you can only view the records.
- It’s Regional: it logs management events for one AWS Region only.
- It contains “Management events” only. (For other event types such as “Data events” or “Insights events” you need to create a “Trail” or a “Lake”; see the sections below.)
- It’s FREE.
![](https://awstasks.com/wp-content/uploads/2024/06/image-3-1024x374.png)
There are filters to narrow down the records, options to download them as CSV/JSON files, and even an option to create a new Athena table for querying.
![](https://awstasks.com/wp-content/uploads/2024/06/image-6-1024x327.png)
In most cases the Event history is good enough for auditing purposes and tracking all activities.
But what if:
- You want to query data older than 90 days, or even months or years back…
- You want to write the logs to S3 for compliance, security or integration, or export them to CloudWatch Log Groups for Logs Insights queries?
- You want data events or Insights events
It’s time to create a new “Trail”.
NOTICE: all of the services below incur costs, so please check AWS pricing for details before creating anything.
2. AWS “Trails” – Data Events
You can choose to create a single Trail for everything or separate Trails like this:
![](https://awstasks.com/wp-content/uploads/2024/06/image-7-1024x414.png)
It’s better to have multiple trails as below, since they are easier to manage and query:
- a Trail for Management Events
- a Trail for Data Events: S3
- a Trail for Data Events: Lambda
- and so on…
Now the events are delivered to either:
- an S3 bucket: you can download and inspect the files, or query them with Athena (Ref: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html)
- a CloudWatch Log Group: use Logs Insights or metric filters to query your information
3. AWS CloudTrail “Lake” – run SQL-based queries on your events
“Lake” is like a database where you can query events using SQL. It supports source data from AWS or from 3rd parties that AWS supports.
Once you create a “Lake” you can query data as in the screen below. If we already have events in S3 or CloudWatch Logs, we can usually use CloudWatch Logs Insights or Athena without enabling this feature.
![](https://awstasks.com/wp-content/uploads/2024/06/image-8-1024x544.png)
4. “Insights”
You can enable “Insights events” to identify unusual activity, error rates, etc. on either a “Trail” or a “Lake”.
Below is an example of enabling Insights events on a Trail:
![](https://awstasks.com/wp-content/uploads/2024/06/image-9.png)
Once you enable it, you can see the Insights report on the dashboard (it might take up to 36 hours for CloudTrail to deliver Insights events to the dashboard):
![](https://awstasks.com/wp-content/uploads/2024/06/trail-1-1024x166.png)
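As an added example (not part of the original post or any AWS tooling), the Python script below reads a CloudTrail log file in the shape a Trail delivers to S3 (`{"Records": [...]}`), splits the records into management and data events the way the separate Trails in section 2 would, and then flags per-API hourly call-rate spikes and error rates in the spirit of what the Insights report shows. The sample records are constructed, and the spike threshold (3× the baseline of the other hours, at least 10 calls) is my own assumption, not CloudTrail’s algorithm.

```python
"""Split CloudTrail records into management/data events and flag hourly call-rate spikes."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample in the format of one CloudTrail log file from S3 ({"Records": [...]}).
# One IAM management event, one quiet S3 data event, then a burst of 40 GetObject calls
# in the next hour, half of them failing with AccessDenied. Values are made up.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-06-10T10:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "eventCategory": "Management", "managementEvent": True},
    {"eventTime": "2024-06-10T10:01:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data", "managementEvent": False},
] + [
    {"eventTime": f"2024-06-10T11:00:{i:02d}Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data", "managementEvent": False,
     **({"errorCode": "AccessDenied"} if i % 2 else {})}
    for i in range(40)
]})

def load_records(log_file_text):
    """Parse one CloudTrail log file: a JSON object with a top-level "Records" list."""
    return json.loads(log_file_text)["Records"]

def split_by_category(records):
    """Return (management_events, data_events), as separate Trails would deliver them."""
    mgmt = [r for r in records if r.get("managementEvent") or r.get("eventCategory") == "Management"]
    data = [r for r in records if r.get("eventCategory") == "Data"]
    return mgmt, data

def hourly_call_counts(records):
    """Count calls per (eventSource, eventName), bucketed by UTC hour of eventTime."""
    counts = defaultdict(Counter)
    for r in records:
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        hour = ts.replace(tzinfo=timezone.utc, minute=0, second=0)
        counts[(r["eventSource"], r["eventName"])][hour] += 1
    return counts

def spikes(records, factor=3.0, min_calls=10):
    """Flag (eventName, hour, count) where an API's hourly volume exceeds `factor` times the
    average of its other hours (assumed threshold; a simplified Insights-style call-rate check)."""
    flagged = []
    for (_, name), per_hour in hourly_call_counts(records).items():
        for hour, n in per_hour.items():
            others = [v for h, v in per_hour.items() if h != hour]
            baseline = sum(others) / len(others) if others else 0
            if n >= min_calls and n > factor * max(baseline, 1):
                flagged.append((name, hour.isoformat(), n))
    return flagged

def error_rate(records):
    """Fraction of records carrying an errorCode (Insights also reports unusual error rates)."""
    return sum(1 for r in records if "errorCode" in r) / len(records) if records else 0.0
```

Run against a real Trail, you would feed each gunzipped object from the Trail’s S3 prefix to `load_records` instead of the constructed sample.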