How to Use AWS CloudTrail to Monitor Account Activity


CloudTrail is an auditing, compliance monitoring, and governance tool designed to watch over your AWS account history and to keep detailed logs of all events. You can use this event history to simplify security analysis and to detect unusual activity in your account.

Using CloudTrail

You can use CloudTrail to monitor the last 90 days free of charge. However, if you want to keep extended logs, you need to pay for the associated S3 storage as well as a small fee per 100,000 events logged. Still, it’s relatively cheap, and it doesn’t hurt to get started with it.

CloudTrail automatically logs the last 90 days, so you’ll be able to head over to the CloudTrail Console and view the latest logs in your account. On the home screen, you’ll see the most recent events:

cloudtrail dashboard

Under “Event History” in the sidebar, you’ll be able to view the full list of events, in chronological order.

cloudtrail event log

This is a lot of data, so you’ll usually want to filter it down to the events you’re actually looking for. If you’re auditing specific employee accounts, you can filter by username or AWS access key, or by other attributes such as source IP address and resource type. You can also narrow the results to a specific time range.

Filter by username, AWS access key, or another factor

If you click on an event, you can view all the data collected for that event. Some are simple, like “ConsoleLogin,” which tracks login times for different users. Others are more specific, and will show more details about the underlying API action.

Click on an event, you can view all the data collected for it

You can view the full JSON data for the event with the “View Event” button.
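The filters described above operate on fields of the same JSON document the “View Event” button shows. The following added example (not code from the original article or from AWS) applies those filters offline to a handful of constructed CloudTrail records, so you can see which fields each filter reads: `userIdentity.userName`, `userIdentity.accessKeyId`, `sourceIPAddress`, `eventName` and `eventTime`. It also tallies ConsoleLogin successes and failures per user, which is the check most people want first when auditing a user. The sample records, usernames, access key IDs and IP addresses are all made up for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample records in CloudTrail's JSON schema. Users, keys and
# addresses are placeholders, not data from any real account.
SAMPLE_RECORDS = [
    {"eventTime": "2021-03-01T08:10:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2021-03-01T08:15:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-03-01T09:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "accessKeyId": "AKIAEXAMPLE000000002"},
     "responseElements": None},
    {"eventTime": "2021-03-01T09:05:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "accessKeyId": "AKIAEXAMPLE000000002"},
     "responseElements": None},
    {"eventTime": "2021-03-02T01:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLE000000003"},
     "responseElements": None},
]


def parse_event_time(ts: str) -> datetime:
    """CloudTrail timestamps are UTC in the form 2021-03-01T08:15:02Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def filter_events(records, *, username=None, access_key=None, source_ip=None,
                  event_name=None, start=None, end=None):
    """Keep records matching every filter given; each filter maps to one JSON field."""
    matched = []
    for rec in records:
        ident = rec.get("userIdentity") or {}
        if username and ident.get("userName") != username:
            continue
        if access_key and ident.get("accessKeyId") != access_key:
            continue
        if source_ip and rec.get("sourceIPAddress") != source_ip:
            continue
        if event_name and rec.get("eventName") != event_name:
            continue
        when = parse_event_time(rec["eventTime"])
        if start and when < start:
            continue
        if end and when > end:
            continue
        matched.append(rec)
    return matched


def console_login_summary(records):
    """Count Success/Failure ConsoleLogin outcomes per user name."""
    summary = {}
    for rec in filter_events(records, event_name="ConsoleLogin"):
        user = (rec.get("userIdentity") or {}).get("userName", "<unknown>")
        outcome = (rec.get("responseElements") or {}).get("ConsoleLogin", "Unknown")
        counts = summary.setdefault(user, {"Success": 0, "Failure": 0})
        counts[outcome] = counts.get(outcome, 0) + 1
    return summary


def dump_event(record) -> str:
    """Render one record the way the console's "View Event" button does."""
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(console_login_summary(SAMPLE_RECORDS))
    for rec in filter_events(SAMPLE_RECORDS, access_key="AKIAEXAMPLE000000002"):
        print(rec["eventTime"], rec["eventName"])
    print(dump_event(SAMPLE_RECORDS[0]))
```

Real records have more fields than the sample (request parameters, the account ID, the user agent), but the filter logic above does not depend on them; point it at the `Records` array of a downloaded log file and it works unchanged.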

Creating a Trail

If you want to keep records for longer than 90 days, or keep extended logs for S3 and Lambda data events, you can create a Trail. Keep in mind that you will incur data charges for S3 log storage, as well as charges per 100,000 logged events.

From “Trails” in the sidebar, create a new trail. You have the option of using this trail for every region, as well as applying it to every account in an AWS Organization. You can also select which kinds of events to log, as well as enabling CloudTrail Insights for this trail.

Create a new trail to keep records

The next section is “Data Events,” which can be used to keep extended logs on S3 buckets or Lambda functions. For S3, CloudTrail will log bucket-level operations, such as PutObject. For Lambda, CloudTrail will log any invocation of the given Lambda function. You can enable this for all buckets, or specify one by ARN.

data logs

Finally, you’ll need a new or existing S3 bucket in which to keep the events. The size of this bucket also tells you how much log data your trail is generating.

give the bucket a name
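Once the trail is running, the bucket you chose fills up with gzipped JSON files, each holding a `Records` array. The following added example (not code from the original article or from AWS) builds one such file from constructed records, reads it back, and separates the data events enabled in the “Data Events” section (S3 object operations and Lambda invocations) from ordinary management events. It then tallies reads and writes per bucket or function ARN, which is a quick way to see whether enabling data events on a given resource is worth its logging cost. The bucket name, function name and account ID in the sample are placeholders; records that carry an `eventCategory` field are classified from it, and the fallback for records without it is an assumption of this example.

```python
import gzip
import json
from collections import Counter

# Constructed records in CloudTrail's JSON schema; ARNs and the account ID are placeholders.
_SAMPLE_RECORDS = [
    {"eventTime": "2021-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "eventCategory": "Management", "readOnly": False,
     "resources": []},
    {"eventTime": "2021-03-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "eventCategory": "Data", "readOnly": False,
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-audit-bucket/report.csv"},
                   {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-audit-bucket"}]},
    {"eventTime": "2021-03-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data", "readOnly": True,
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-audit-bucket/report.csv"},
                   {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-audit-bucket"}]},
    {"eventTime": "2021-03-01T10:07:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "eventCategory": "Data", "readOnly": False,
     "resources": [{"type": "AWS::Lambda::Function",
                    "ARN": "arn:aws:lambda:us-east-1:123456789012:function:example-fn"}]},
    # Older-style record without eventCategory, to exercise the fallback.
    {"eventTime": "2021-03-01T10:08:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True,
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-audit-bucket/other.csv"},
                   {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-audit-bucket"}]},
]

# Build the gzipped JSON blob exactly as it would sit in the trail's S3 bucket.
SAMPLE_LOG_FILE = gzip.compress(json.dumps({"Records": _SAMPLE_RECORDS}).encode("utf-8"))

# Resource types whose ARN identifies the thing a data event acted on.
_DATA_RESOURCE_TYPES = {"AWS::S3::Bucket", "AWS::Lambda::Function"}


def load_trail_file(blob: bytes) -> list:
    """Decompress one CloudTrail log file and return its Records array."""
    return json.loads(gzip.decompress(blob).decode("utf-8"))["Records"]


def classify(record) -> str:
    """Return the record's category: "Management", "Data" or "Insight".

    Newer records state it in eventCategory. For records without that field this
    example assumes S3 object APIs and Lambda Invoke are the data events (that is
    what the trail's Data Events section enables) and everything else is management.
    """
    if record.get("eventCategory"):
        return record["eventCategory"]
    source, name = record.get("eventSource"), record.get("eventName", "")
    if source == "s3.amazonaws.com" and name in {"GetObject", "PutObject", "DeleteObject"}:
        return "Data"
    if source == "lambda.amazonaws.com" and name.startswith("Invoke"):
        return "Data"
    return "Management"


def count_by_category(records) -> Counter:
    return Counter(classify(r) for r in records)


def summarize_data_events(records) -> dict:
    """Map each bucket/function ARN to a Counter of read vs write data events."""
    per_resource = {}
    for rec in records:
        if classify(rec) != "Data":
            continue
        kind = "read" if rec.get("readOnly") else "write"
        for res in rec.get("resources", []):
            if res.get("type") in _DATA_RESOURCE_TYPES:
                per_resource.setdefault(res["ARN"], Counter())[kind] += 1
    return per_resource


if __name__ == "__main__":
    recs = load_trail_file(SAMPLE_LOG_FILE)
    print(count_by_category(recs))
    for arn, counts in summarize_data_events(recs).items():
        print(arn, dict(counts))
```

Only the bucket and function ARNs are counted, not the `AWS::S3::Object` entries, so one S3 data event counts once even though CloudTrail lists both the object and its bucket under `resources`.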

Events logged by the trail will remain in the event history indefinitely. With a trail, you can activate CloudTrail Insights from the “Insights” tab in the sidebar:

CloudTrail Insights tab in the sidebar

This will take up to 36 hours to analyze your trail, and once it’s done, you’ll be able to browse through the findings.

If you want, you can also set up CloudTrail to send events to CloudWatch Logs, or use it with Elasticsearch for more detailed monitoring.