Mastering AWS Security Specialty - Post 2: CloudTrail – Your First Line of Forensics


Introduction
In today's cloud-first world, visibility into your infrastructure is non-negotiable.
In AWS, CloudTrail is the service that provides this visibility: it records the API calls made in your account, whether they come from the console, the CLI, the SDKs, or another AWS service acting on your behalf.
Yet many AWS users enable CloudTrail without truly understanding how powerful — and dangerous when misconfigured — it is.
This guide will walk you step-by-step through what CloudTrail is, how it works, how to implement it securely, and how to use it for real-world auditing, compliance, monitoring, and security incident detection.
By the end, you'll be able to:
Design a CloudTrail architecture for an enterprise.
Implement it securely across multiple AWS accounts.
Understand how to monitor, detect anomalies, and investigate incidents.
🚨 This article is Part 2 of the blog series “Mastering AWS Security Specialty”
If you missed Part 1 on IAM, I recommend reading it first to understand identity foundations:
👉 Read Part 1: Deep Dive into IAM – Core of AWS Security
1. What is AWS CloudTrail
At its core, CloudTrail is an AWS service that records the API calls made in your AWS account: management (control-plane) calls by default, and data-plane calls such as S3 GetObject or Lambda Invoke once you enable data events.
Every action you, an IAM principal, or an AWS service takes through the API is logged as an event.
Each event answers these important questions:
Who made the call (user, role, or service, and whether MFA was used)?
What action was taken?
When was it taken?
From where was it called (source IP address, user agent, or the AWS service that made the call)?
On what resource was the action taken?
Key Point: CloudTrail is a recording system, not a blocking system. It logs the action after it happens.
2. Why is CloudTrail Important
CloudTrail underpins three major areas:
| Area | Why It Matters |
| --- | --- |
| Governance | Prove compliance with standards such as PCI DSS, HIPAA, and ISO 27001 |
| Auditing | Track changes; perform forensic analysis after incidents |
| Operational Monitoring | Detect and alert on suspicious or unexpected changes |
Without CloudTrail:
You have no evidence of who did what.
You cannot investigate breaches effectively.
You cannot comply with regulations demanding audit logs.
3. How AWS CloudTrail Works
Here's the basic flow:
You or an AWS service calls an AWS API.
CloudTrail captures the call details (event).
The event is recorded in a log file.
Logs are delivered to:
An S3 bucket (every trail; files arrive as gzipped JSON, typically within minutes of the call)
Optionally a CloudWatch Logs log group, for metric filters and alarms
Optionally EventBridge, where management events are also published on the default event bus
Separately, a CloudTrail Lake event data store can ingest events for SQL querying, with or without a trail
You can have:
Single-account trails
Organization trails (across all accounts in an AWS Organization)
Important: Even without creating a trail, CloudTrail Event history keeps the last 90 days of management events, viewable and searchable from the CloudTrail console. It does not include data events, and it is not a substitute for a trail if you need retention, integrity validation, or delivery to a SIEM.
4. Core Concepts of CloudTrail
Let's define some core concepts:
| Concept | Definition |
| --- | --- |
| Trail | A configuration that delivers captured events to storage (an S3 bucket, optionally CloudWatch Logs) |
| Event | A record of one API call made against AWS resources |
| Management Event | A control-plane operation on a resource (e.g., EC2 RunInstances, IAM CreateRole), including read-only calls such as Describe* and List* |
| Data Event | A data-plane operation on a resource (e.g., S3 GetObject, Lambda Invoke, DynamoDB GetItem) |
| CloudTrail Insights | Detects unusual API call rates and error rates against the account's own baseline |
| Organization Trail | A single trail that logs every account in an AWS Organization |
5. Understanding Event Types
There are three types of events:
| Type | Examples | Default Status |
| --- | --- | --- |
| Management Events | EC2 start/stop, IAM CreateUser | Enabled by default on every trail |
| Data Events | S3 object-level operations, Lambda Invoke | Must be enabled explicitly, per resource type |
| Insight Events | Spikes or anomalies in API call or error rates | Must be enabled explicitly |
Note: Data Events are high volume, and both Data Events and Insights incur additional charges; select only the resources you need.
Example: A Management Event (JSON snippet, abbreviated; real records also carry eventID, requestID, and userAgent)
{
  "eventVersion": "1.08",
  "eventTime": "2024-04-01T12:00:00Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "us-east-1",
  "userIdentity": {
    "type": "IAMUser",
    "accountId": "123456789012",
    "arn": "arn:aws:iam::123456789012:user/adminUser",
    "userName": "adminUser"
  },
  "sourceIPAddress": "12.34.56.78",
  "requestParameters": {
    "userName": "newUser123"
  },
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "eventCategory": "Management"
}
6. CloudTrail Insights: Anomaly Detection
CloudTrail Insights helps detect when something unusual happens, such as a sudden burst of API activity (e.g., 100 TerminateInstances calls in a minute) or a sudden burst of errors.
It analyses write management events and creates Insight events when the per-minute call rate or error rate deviates significantly from a baseline built from roughly the previous seven days of activity.
Two Insight types exist:
ApiCallRateInsight: an unusual volume of write management API calls.
ApiErrorRateInsight: an unusual rate of failed write management API calls (e.g., a flood of AccessDenied errors from one principal probing what it can reach).
Insight events are delivered to the trail's S3 bucket under a separate CloudTrail-Insight prefix, to CloudWatch Logs if configured, and to the default EventBridge event bus, where you can match them by the detail-type "AWS Insight via CloudTrail". They are not real-time: an Insight event typically arrives within about 30 minutes of the unusual activity, so treat Insights as a detection layer, not a blocking control.
Use CloudTrail Insights to:
Detect possible credential compromise or insider misuse.
Identify operational issues (e.g., a runaway script hammering an API, or a deployment whose every call suddenly fails). Data events such as Lambda Invoke are not analysed by Insights.
7. Typical Secure Architectures for CloudTrail
Setup:
One multi-region trail per account or organization, so activity in every Region (and in global services such as IAM) is captured.
Deliver logs to a centralized S3 bucket in a dedicated log-archive or security account that workload accounts cannot write to or delete from.
Encrypt log files with SSE-KMS using a customer-managed key.
Enable log file integrity validation so tampering or deletion can be detected.
Use an Organization Trail so every AWS account is covered from one place.
Also deliver to CloudWatch Logs and build metric filters and alarms for critical events (root sign-in, IAM policy changes, changes to the trail itself).
8. Best Practices for Secure CloudTrail Implementation
Always enable multi-region trails.
Encrypt logs with customer-managed KMS keys (not AWS-managed), so you control who can decrypt them.
Restrict S3 bucket access to the CloudTrail service principal and your auditors; block public access and grant no one delete permissions.
Enable log file validation to detect modifications.
Monitor delivery failures: alarm on the trail's LatestDeliveryError status and on StopLogging, DeleteTrail, and UpdateTrail calls.
Protect the trail itself with a Service Control Policy that denies StopLogging, DeleteTrail, UpdateTrail, and PutEventSelectors outside the security account.
Integrate CloudTrail with AWS Config, Security Hub, and GuardDuty (GuardDuty consumes CloudTrail events as one of its data sources).
Enable Insights for key accounts or production environments.
9. Real-World Enterprise Use Cases for CloudTrail
A quick summary table of different use cases we are going to discuss in detail.
| Scenario | Key Feature | Real-World Use |
| --- | --- | --- |
| Compliance | Multi-region trail, S3 encryption, Object Lock | Proving audit-log retention to auditors |
| Anomaly Detection | CloudTrail Insights | Detecting credential misuse or API spikes |
| S3/Lambda Audit | Data Events | Tracking access to sensitive data and critical functions |
| Fast Incident Investigation | CloudTrail Lake | SQL analysis of historical events |
| Centralized Logging | Organization Trail | Single pane of glass for multi-account setups |
Let's dive deeper.
1. CloudTrail for Compliance and Auditing
Problem Statement:
An enterprise must prove to auditors and regulators, under standards such as PCI DSS, SOX, and GDPR, that all AWS actions are audited and that the records are retained securely for 7+ years.
Requirements:
Record every AWS API call.
Ensure logs are immutable and encrypted.
Retain logs for 7 years.
Provide audit-ready access to compliance teams.
How CloudTrail Solves It:
The trail captures all management events and the data events you select.
S3 stores the logs encrypted with a customer-managed KMS key.
Object Lock (COMPLIANCE mode with a 7-year default retention) ensures logs cannot be modified or deleted before the retention period expires, even by the bucket owner.
Log file validation lets auditors prove the delivered files are exactly what CloudTrail wrote.
A multi-region trail ensures full global capture.
Solution Approach:
Create a multi-region CloudTrail trail.
Send logs to an encrypted S3 bucket.
Enable Object Lock on S3.
Enable log file validation for tamper-proof detection.
Example AWS CLI Code:
# 0. Assumes us-east-1; in any other Region add --create-bucket-configuration LocationConstraint=<region>
# 1. Create the S3 bucket with Object Lock (this also turns on versioning, which Object Lock requires)
aws s3api create-bucket --bucket my-compliance-cloudtrail-bucket --object-lock-enabled-for-bucket
# 2. Default retention of 7 years. COMPLIANCE mode cannot be shortened or removed by anyone,
#    including the root user, until it expires; rehearse with GOVERNANCE mode first.
aws s3api put-object-lock-configuration --bucket my-compliance-cloudtrail-bucket \
  --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Years":7}}}'
# 3. Block public access and attach the bucket policy CloudTrail needs
#    (s3:GetBucketAcl plus s3:PutObject for cloudtrail.amazonaws.com, conditioned on the trail ARN)
aws s3api put-public-access-block --bucket my-compliance-cloudtrail-bucket \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
aws s3api put-bucket-policy --bucket my-compliance-cloudtrail-bucket --policy file://cloudtrail-bucket-policy.json
# 4. Create the trail. The KMS key policy must allow cloudtrail.amazonaws.com kms:GenerateDataKey*
aws cloudtrail create-trail --name compliance-trail \
  --s3-bucket-name my-compliance-cloudtrail-bucket \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --kms-key-id arn:aws:kms:region:account-id:key/key-id
# 5. Start logging and confirm delivery (IsLogging true, no LatestDeliveryError)
aws cloudtrail start-logging --name compliance-trail
aws cloudtrail get-trail-status --name compliance-trail
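Here is what "log file validation" actually buys you, as an added example that is not part of the original post: a stand-alone Python script that rebuilds the two hash checks CloudTrail's digest files support (the SHA-256 of each delivered log file, and each digest's hash of the previous digest). The account, bucket, object keys, and log contents are constructed in memory. The RSA signature on each digest (SHA256withRSA, verifiable with the keys from `aws cloudtrail list-public-keys`) is not re-implemented here, so use `aws cloudtrail validate-logs` for a full check against real data.

```python
from __future__ import annotations

import gzip
import hashlib
import json

# Constructed account, bucket and key names for the demo.
ACCOUNT = "123456789012"
BUCKET = "my-compliance-cloudtrail-bucket"
LOG_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/04/01/"
DIGEST_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/04/01/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_log_file(records: list[dict]) -> bytes:
    """Gzip a log file in CloudTrail's {"Records": [...]} layout."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def build_digest(log_objects: dict[str, bytes], previous: tuple[str, bytes] | None) -> bytes:
    """Build a gzipped digest for log_objects (S3 key -> gzipped body).

    previous is (S3 key, gzipped body) of the prior hour's digest, or None for
    the first digest of a chain. Hashes cover the uncompressed content, as the
    digest format specifies."""
    digest = {
        "awsAccountId": ACCOUNT,
        "digestS3Bucket": BUCKET,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": key, "hashAlgorithm": "SHA-256",
             "hashValue": sha256_hex(gzip.decompress(body))}
            for key, body in sorted(log_objects.items())
        ],
        "previousDigestS3Bucket": BUCKET if previous else None,
        "previousDigestS3Object": previous[0] if previous else None,
        "previousDigestHashValue": sha256_hex(gzip.decompress(previous[1])) if previous else None,
    }
    return gzip.compress(json.dumps(digest).encode())


def validate_chain(digests: list[bytes], objects: dict[str, bytes]) -> list[str]:
    """Walk digests oldest to newest and return findings; an empty list means
    every listed log file is present and unmodified and the chain is unbroken."""
    findings: list[str] = []
    prev_hash = None
    for i, digest_gz in enumerate(digests):
        raw = gzip.decompress(digest_gz)
        digest = json.loads(raw)
        if i > 0 and digest.get("previousDigestHashValue") != prev_hash:
            findings.append(f"digest {i}: chain break, previous digest hash does not match")
        for entry in digest["logFiles"]:
            body = objects.get(entry["s3Object"])
            if body is None:
                findings.append(f"digest {i}: log file missing: {entry['s3Object']}")
            elif sha256_hex(gzip.decompress(body)) != entry["hashValue"]:
                findings.append(f"digest {i}: hash mismatch, log file modified: {entry['s3Object']}")
        prev_hash = sha256_hex(raw)
    return findings


def build_sample() -> tuple[list[bytes], dict[str, bytes]]:
    """Two hours of constructed log files plus their digest chain."""
    def record(time: str, name: str, user: str) -> dict:
        return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
                "userIdentity": {"type": "IAMUser", "userName": user}}

    key_12 = LOG_PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240401T1200Z_aaaa.json.gz"
    key_13 = LOG_PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240401T1300Z_bbbb.json.gz"
    objects = {
        key_12: build_log_file([record("2024-04-01T12:00:00Z", "CreateUser", "adminUser")]),
        key_13: build_log_file([record("2024-04-01T13:05:00Z", "AttachUserPolicy", "adminUser")]),
    }
    digest_key_12 = DIGEST_PREFIX + f"{ACCOUNT}_CloudTrail-Digest_us-east-1_20240401T120000Z.json.gz"
    digest_12 = build_digest({key_12: objects[key_12]}, None)
    digest_13 = build_digest({key_13: objects[key_13]}, (digest_key_12, digest_12))
    return [digest_12, digest_13], objects


if __name__ == "__main__":
    digests, objects = build_sample()
    print("intact:", validate_chain(digests, objects))
    # An attacker strips the CreateUser record and re-uploads the file: caught.
    tampered = dict(objects)
    tampered[sorted(objects)[0]] = build_log_file([])
    print("after tampering:", validate_chain(digests, tampered))
```

The chain is what makes deletion visible as well as modification: removing a whole hour's log file leaves a digest entry with nothing to hash, and replacing a digest to hide that changes the hash the next digest expects. Note that an attacker with write access to the bucket and no Object Lock could also delete the digests themselves, which is why validation is paired with Object Lock and a bucket policy that grants no deletes.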
2. CloudTrail Insights for Anomaly Detection
Problem Statement:
An e-commerce platform suddenly experiences unusual API activity (such as 10x the normal rate of RunInstances calls), possibly signalling a compromised credential or a malicious insider.
They need:
Automated detection of the anomaly, without hand-tuned thresholds per API.
Alerting via Slack/email/PagerDuty.
Possibly triggering an auto-remediation Lambda.
Requirements:
Detect abnormal API behavior automatically.
Alert security teams immediately.
Analyze and act on anomalies.
How CloudTrail Solves It:
CloudTrail Insights detects rate anomalies (such as a spike in RunInstances calls) and error-rate anomalies against the account's own baseline. Findings are delivered to EventBridge as Insight events.
EventBridge rules can route findings to:
Alerts (SNS to email, Slack, or PagerDuty)
Lambda for auto-remediation (for example, attaching a deny-all policy to the offending principal while a human reviews)
A SIEM for correlation with the underlying management events
Solution Approach:
Enable Insights events on your Trail.
Route anomalies to EventBridge for automated response.
Send SNS notification.
Example AWS CLI Code:
# 1. Enable Insights on an existing trail (both Insight types; each is billed per event analysed)
aws cloudtrail put-insight-selectors --trail-name my-existing-trail \
  --insight-selectors '[{"InsightType": "ApiCallRateInsight"}, {"InsightType": "ApiErrorRateInsight"}]'
# 2. SNS topic for alerts. Its access policy must allow Principal events.amazonaws.com to sns:Publish.
aws sns create-topic --name AnomalyNotificationTopic
# 3. EventBridge rule on the default bus matching Insight events
aws events put-rule --name "cloudtrail-insight-detection" \
  --event-pattern '{
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS Insight via CloudTrail"]
  }' \
  --state ENABLED
# 4. Route matches to the topic (add a Lambda ARN as a second target for auto-remediation)
aws events put-targets --rule "cloudtrail-insight-detection" --targets '[
  {"Id": "SendAnomalyToSNS", "Arn": "arn:aws:sns:region:account-id:AnomalyNotificationTopic"}
]'
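To make the Insights behaviour from section 6 and this use case concrete, here is an added example (my code, not the original post's and not AWS's algorithm) that runs the same two checks over constructed events: per-minute call volume and error rate for each write API, compared with the preceding minutes. The window, spike factor, minimum call count, and error-rate threshold are assumptions; the real service builds its baseline over about seven days, so this is for understanding the signal, not for replacing the service.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime, timedelta

READ_ONLY_PREFIXES = ("Describe", "List", "Get")   # Insights only analyses write management calls


def _minute(event_time: str) -> datetime:
    return datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(second=0)


def detect_insights(events: list[dict], window_minutes: int = 60, spike_factor: float = 5.0,
                    min_calls: int = 10, error_rate: float = 0.5) -> list[dict]:
    """Flag minutes whose call count or error rate for one API stands out from
    the preceding minutes. Thresholds are assumptions, not AWS's."""
    calls: dict[str, Counter] = defaultdict(Counter)        # eventName -> minute -> calls
    errors: dict[str, Counter] = defaultdict(Counter)       # eventName -> minute -> failed calls
    callers: dict[tuple, Counter] = defaultdict(Counter)    # (eventName, minute) -> principal -> calls
    for e in events:
        name = e["eventName"]
        if name.startswith(READ_ONLY_PREFIXES):
            continue
        m = _minute(e["eventTime"])
        calls[name][m] += 1
        if e.get("errorCode"):
            errors[name][m] += 1
        callers[(name, m)][e["userIdentity"]["arn"]] += 1

    findings = []
    for name, per_minute in calls.items():
        minutes = sorted(per_minute)
        first = minutes[0]
        for m in minutes:
            start = max(first, m - timedelta(minutes=window_minutes))
            span = int((m - start).total_seconds() // 60)      # minutes of history available
            if span == 0:
                continue
            prior = [x for x in minutes if start <= x < m]
            prior_calls = sum(per_minute[x] for x in prior)
            base_rate = prior_calls / span                      # idle minutes count as zero
            base_err = sum(errors[name][x] for x in prior) / max(1, prior_calls)
            n, failed = per_minute[m], errors[name][m]
            top_principal = callers[(name, m)].most_common(1)[0][0]
            common = {"eventName": name, "minute": m.isoformat(), "observed": n,
                      "baselinePerMinute": round(base_rate, 2), "topPrincipal": top_principal}
            if n >= min_calls and n > spike_factor * base_rate:
                findings.append({"insightType": "ApiCallRateInsight", **common})
            if n >= min_calls and failed / n >= error_rate and base_err < error_rate / 2:
                findings.append({"insightType": "ApiErrorRateInsight", "errorRate": round(failed / n, 2), **common})
    return findings


def _event(t: datetime, name: str, arn: str, source: str, error: str | None = None) -> dict:
    e = {"eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventSource": source, "eventName": name,
         "userIdentity": {"arn": arn}, "sourceIPAddress": "203.0.113.10"}
    if error:
        e["errorCode"] = error
    return e


def sample_events() -> list[dict]:
    """Seven quiet minutes, then one minute in which a single IAM user launches 40 instances
    and is refused 20 StartInstances calls. All constructed."""
    base = datetime(2024, 4, 1, 12, 0)
    ci = "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"
    ops = "arn:aws:iam::123456789012:user/ops-user"
    suspect = "arn:aws:iam::123456789012:user/contractor"
    events = []
    for minute in range(7):
        t = base + timedelta(minutes=minute)
        events += [_event(t + timedelta(seconds=i), "RunInstances", ci, "ec2.amazonaws.com") for i in range(2)]
        events += [_event(t + timedelta(seconds=10 + i), "StartInstances", ops, "ec2.amazonaws.com") for i in range(5)]
        events += [_event(t + timedelta(seconds=20 + i), "DescribeInstances", ops, "ec2.amazonaws.com") for i in range(3)]
    t = base + timedelta(minutes=7)
    events += [_event(t + timedelta(seconds=i), "RunInstances", suspect, "ec2.amazonaws.com") for i in range(40)]
    events += [_event(t + timedelta(seconds=i), "StartInstances", suspect, "ec2.amazonaws.com",
                      error="Client.UnauthorizedOperation") for i in range(20)]
    return events


if __name__ == "__main__":
    for finding in detect_insights(sample_events()):
        print(finding)
```

Two things the output shows that the service's own events also carry: the burst of denied StartInstances calls is flagged by error rate even though its volume stays inside the call-rate threshold (the two Insight types are independent), and the top principal in the anomalous minute is the identity you revoke first while you investigate.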
3. Data Event Logging for S3 and Lambda
Problem Statement:
An insurance company needs to know who is accessing sensitive policy documents stored in S3 and who is invoking critical Lambda functions.
Requirements:
Track read/write events on sensitive S3 buckets.
Audit invocations of specific Lambda functions.
Maintain least privilege and forensic visibility.
How CloudTrail Solves It:
Data Events capture detailed read/write/invoke activity.
You can filter events by resource type (S3/Lambda).
Solution Approach:
Enable Data Events specifically for S3 and Lambda.
Select only specific buckets/functions to minimize noise and cost, and never select the bucket that receives the trail's own logs, or every delivery generates another event.
Example AWS CLI Code:
# 1. Add Data Events for one S3 bucket (all objects: note the trailing "/" on the ARN) and one Lambda
#    function, keeping management events on the same trail. ReadWriteType can be ReadOnly, WriteOnly or All.
aws cloudtrail put-event-selectors --trail-name my-sensitive-trail --event-selectors '[
  {
    "ReadWriteType": "All",
    "IncludeManagementEvents": true,
    "DataResources": [
      {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::sensitive-bucket/"]},
      {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda:region:account-id:function:sensitiveLambdaFunction"]}
    ]
  }
]'
# 2. Confirm what the trail now records
aws cloudtrail get-event-selectors --trail-name my-sensitive-trail
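An added example, not from the original post, of what you do with the data events once they land: decode one delivered log file, build a per-principal access report for the sensitive bucket and function, and raise alerts for reads from outside trusted networks or for one identity pulling many distinct objects (the exfiltration pattern section 11 mentions). The log file, identities, object keys, trusted CIDRs, and bulk-read threshold are all constructed or assumed; the record fields are the ones real S3 and Lambda data events carry.

```python
from __future__ import annotations

import gzip
import ipaddress
import json
from collections import defaultdict

# Assumptions for the demo: the networks your staff and workloads use, and
# how many distinct objects one principal may read before we call it bulk.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
BULK_READ_THRESHOLD = 3


def load_records(log_file_gz: bytes) -> list[dict]:
    """Decode one delivered log file: gzipped JSON with a top-level Records array."""
    return json.loads(gzip.decompress(log_file_gz))["Records"]


def _is_trusted(source: str) -> bool:
    """sourceIPAddress is a service name (e.g. lambda.amazonaws.com) when an AWS
    service made the call on a principal's behalf; treat those as internal."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in TRUSTED_NETWORKS)


def access_report(records: list[dict]) -> dict[str, dict]:
    """Per principal: S3 objects read and written, Lambda functions invoked,
    and alerts for untrusted source addresses or bulk reads."""
    report = defaultdict(lambda: {"reads": set(), "writes": set(), "invokes": set(), "alerts": []})
    for r in records:
        if r.get("eventCategory") != "Data":      # management events are out of scope here
            continue
        entry = report[r["userIdentity"]["arn"]]
        arns = [res["ARN"] for res in r.get("resources", [])]
        if r["eventSource"] == "s3.amazonaws.com":
            # resources lists both the bucket and the object; keep object ARNs (they contain a "/")
            objects = {a for a in arns if a.startswith("arn:aws:s3:::") and "/" in a[len("arn:aws:s3:::"):]}
            (entry["reads"] if r.get("readOnly") else entry["writes"]).update(objects)
        elif r["eventSource"] == "lambda.amazonaws.com" and r["eventName"] == "Invoke":
            entry["invokes"].update(arns)
        if not _is_trusted(r["sourceIPAddress"]):
            entry["alerts"].append(f'{r["eventName"]} from untrusted address {r["sourceIPAddress"]} at {r["eventTime"]}')
    for entry in report.values():
        if len(entry["reads"]) >= BULK_READ_THRESHOLD:
            entry["alerts"].append(f"bulk read: {len(entry['reads'])} distinct objects")
    return {who: {"reads": sorted(e["reads"]), "writes": sorted(e["writes"]),
                  "invokes": sorted(e["invokes"]), "alerts": e["alerts"]} for who, e in report.items()}


def _s3_event(time: str, arn: str, key: str, ip: str, read_only: bool = True) -> dict:
    bucket = "sensitive-bucket"
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": "GetObject" if read_only else "PutObject",
            "eventCategory": "Data", "readOnly": read_only, "sourceIPAddress": ip, "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket, "key": key},
            "resources": [{"type": "AWS::S3::Object", "ARN": f"arn:aws:s3:::{bucket}/{key}"},
                          {"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{bucket}", "accountId": "123456789012"}]}


def sample_log_file() -> bytes:
    """Constructed log file: an adjuster's normal reads, a contractor role pulling
    many policies from an unknown network, the claims app invoking the sensitive
    function and writing one object, plus one management event that is skipped."""
    adjuster = "arn:aws:iam::123456789012:user/claims-adjuster"
    contractor = "arn:aws:sts::123456789012:assumed-role/contractor/laptop"
    app = "arn:aws:sts::123456789012:assumed-role/claims-app/i-0abc"
    fn = "arn:aws:lambda:us-east-1:123456789012:function:sensitiveLambdaFunction"
    records = [
        _s3_event("2024-04-01T09:01:00Z", adjuster, "policies/1001.pdf", "203.0.113.20"),
        _s3_event("2024-04-01T09:02:00Z", adjuster, "policies/1002.pdf", "203.0.113.20"),
        *[_s3_event(f"2024-04-01T23:1{i}:00Z", contractor, f"policies/100{i}.pdf", "198.51.100.7") for i in range(1, 5)],
        {"eventTime": "2024-04-01T09:03:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
         "eventCategory": "Data", "readOnly": False, "sourceIPAddress": "10.0.1.5", "userIdentity": {"arn": app},
         "resources": [{"type": "AWS::Lambda::Function", "ARN": fn, "accountId": "123456789012"}]},
        _s3_event("2024-04-01T09:04:00Z", app, "policies/2001.pdf", "10.0.1.5", read_only=False),
        {"eventTime": "2024-04-01T09:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
         "eventCategory": "Management", "readOnly": False, "sourceIPAddress": "203.0.113.20",
         "userIdentity": {"arn": "arn:aws:iam::123456789012:user/adminUser"}},
    ]
    return gzip.compress(json.dumps({"Records": records}).encode())


if __name__ == "__main__":
    for principal, summary in access_report(load_records(sample_log_file())).items():
        print(principal, json.dumps(summary, indent=2))
```

In production the same function runs over every object under the trail's prefix for the day in question (or as an Athena or CloudTrail Lake query expressing the same grouping); the point of the offline version is that the object ARN, the principal ARN, readOnly, and sourceIPAddress are all in the record, so "who read which policy document from where" needs no other data source.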
4. CloudTrail Lake for Advanced Query and Analysis
Problem Statement:
A tech SaaS company needs to investigate security incidents quickly and correlate historical API activity across services, but querying the raw log files in S3 means setting up Athena tables and partitions first.
Requirements:
Fast, SQL-like queries on historical CloudTrail events.
Correlate across time ranges and services.
Avoid complicated Athena setups.
How CloudTrail Solves It:
CloudTrail Lake provides built-in event storage + SQL querying.
Analyze user activities during incidents easily.
Solution Approach:
Create a CloudTrail Lake event data store.
Start ingesting events automatically.
Query using SQL-like interface.
Example AWS CLI Code:
# 1. Create an event data store for EC2 and IAM management events, retained for 365 days.
#    eventCategory is required in every advanced event selector.
aws cloudtrail create-event-data-store --name my-security-investigations-store \
  --advanced-event-selectors '[{
    "Name": "ec2-and-iam-management",
    "FieldSelectors": [
      {"Field": "eventCategory", "Equals": ["Management"]},
      {"Field": "eventSource", "Equals": ["ec2.amazonaws.com", "iam.amazonaws.com"]}
    ]
  }]' \
  --retention-period 365
# Ingestion starts as soon as the store is created; stop-ingestion / start-ingestion only pause and resume it.
# 2. Query it. FROM takes the event data store ID (from the create output), not its name.
aws cloudtrail start-query --query-statement "SELECT eventTime, userIdentity.arn, eventName, sourceIPAddress \
  FROM <event-data-store-id> WHERE eventSource = 'iam.amazonaws.com' AND eventTime > '2024-04-01 00:00:00' \
  ORDER BY eventTime DESC LIMIT 100"
# 3. Fetch the results with the QueryId returned above
aws cloudtrail get-query-results --query-id <query-id>
5. Delegated Administration for Centralized Logging
Problem Statement:
A large enterprise has 50 AWS accounts (separated by dev, test, prod, finance, etc.) and wants one security account to collect all CloudTrail logs centrally, without giving that job to the Organizations management account.
Requirements:
Centralize logging across Organization.
Avoid manual setup per account.
Enforce organization-wide security controls.
How CloudTrail Solves It:
Use an Organization Trail, created from a delegated administrator account rather than the management account.
Accounts that join the organization later are logged automatically, and member accounts can see but not modify the trail.
Solution Approach:
Enable trusted access for CloudTrail in AWS Organizations (the organization must have all features enabled).
Delegate CloudTrail administration to the security account.
Create the Organization Trail from the delegated security account.
Example AWS CLI Code:
# 1. In the management account: enable trusted access for CloudTrail in Organizations
aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com
# 2. In the management account: register the security account as delegated administrator
aws organizations register-delegated-administrator \
  --account-id 111122223333 \
  --service-principal cloudtrail.amazonaws.com
# 3. In the security account (111122223333): create the S3 bucket and KMS key first. The bucket policy
#    must allow cloudtrail.amazonaws.com to write to both AWSLogs/111122223333/* and AWSLogs/<org-id>/*;
#    the key policy must allow cloudtrail.amazonaws.com kms:GenerateDataKey*.
# 4. In the security account: create the organization trail
aws cloudtrail create-trail \
  --name OrgTrail \
  --s3-bucket-name org-cloudtrail-logs-111122223333 \
  --is-organization-trail \
  --kms-key-id arn:aws:kms:us-east-1:111122223333:key/xxxxxxx-xxxx-xxxx-xxxx \
  --include-global-service-events \
  --is-multi-region-trail \
  --enable-log-file-validation
# 5. Start logging (trail names are case-sensitive; this must match step 4)
aws cloudtrail start-logging --name OrgTrail
# 6. Member accounts can read but not change the organization trail; new accounts are logged automatically
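Both the compliance trail in use case 1 and this organization trail depend on two resource policies the CLI steps only reference: the bucket policy that lets cloudtrail.amazonaws.com write, and the KMS key policy that lets it encrypt while only your auditors decrypt. As an added example (my code, not the post's; the statement shapes follow the policies in the CloudTrail documentation), this Python script generates both for a single-account or organization trail and lints a bucket policy for the mistakes that matter. Account IDs, the organization ID, and the trail and role names are placeholders. Write the output to a file and apply it with `aws s3api put-bucket-policy --policy file://...` and `aws kms put-key-policy --policy-name default --policy file://...`.

```python
from __future__ import annotations

import json

CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}


def trail_arn(region: str, account: str, trail: str) -> str:
    return f"arn:aws:cloudtrail:{region}:{account}:trail/{trail}"


def cloudtrail_bucket_policy(bucket: str, account: str, region: str, trail: str, org_id: str | None = None) -> dict:
    """Bucket policy for a CloudTrail log bucket.

    aws:SourceArn pins delivery to one trail so a trail in some other account
    cannot write into your archive (confused deputy); bucket-owner-full-control
    keeps the bucket owner in control of every object; org_id adds the
    AWSLogs/<org-id>/ prefix an organization trail writes to."""
    arn = trail_arn(region, account, trail)
    write_targets = [f"arn:aws:s3:::{bucket}/AWSLogs/{account}/*"]
    if org_id:
        write_targets.append(f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringEquals": {"aws:SourceArn": arn}}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "s3:PutObject", "Resource": write_targets,
         "Condition": {"StringEquals": {"aws:SourceArn": arn, "s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def cloudtrail_key_policy(account: str, region: str, trail: str, auditor_role_arn: str) -> dict:
    """Key policy for the customer-managed KMS key: CloudTrail may generate data
    keys only for this trail's encryption context; only the auditor role decrypts."""
    context = {"kms:EncryptionContext:aws:cloudtrail:arn": f"arn:aws:cloudtrail:*:{account}:trail/*"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "KeyAdministration", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowCloudTrailEncrypt", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn(region, account, trail)}, "StringLike": context}},
        {"Sid": "AllowCloudTrailDescribe", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "kms:DescribeKey", "Resource": "*"},
        {"Sid": "AllowAuditorsDecrypt", "Effect": "Allow", "Principal": {"AWS": auditor_role_arn},
         "Action": ["kms:Decrypt", "kms:ReEncryptFrom"], "Resource": "*",
         "Condition": {"StringLike": context}},
    ]}


def lint_bucket_policy(policy: dict) -> list[str]:
    """The checks I would run before trusting a log bucket: no Allow to everyone,
    CloudTrail writes pinned to a trail and forced to bucket-owner-full-control,
    and no Allow that lets anyone delete log objects."""
    findings = []
    for s in policy["Statement"]:
        if s["Effect"] != "Allow":
            continue
        sid = s.get("Sid", "<no Sid>")
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        equals = s.get("Condition", {}).get("StringEquals", {})
        if s["Principal"] in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: Allow to any principal")
        if s["Principal"] == CLOUDTRAIL and "s3:PutObject" in actions:
            if "aws:SourceArn" not in equals and "aws:SourceAccount" not in equals:
                findings.append(f"{sid}: CloudTrail write not pinned to a trail (no aws:SourceArn/aws:SourceAccount)")
            if equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: write allowed without bucket-owner-full-control ACL")
        if any(a in ("s3:*", "s3:DeleteObject", "s3:DeleteObjectVersion") for a in actions):
            findings.append(f"{sid}: Allow grants delete on audit logs")
    return findings


if __name__ == "__main__":
    # Placeholders: security account 111122223333, organization o-exampleorgid, role CloudTrailAuditor.
    policy = cloudtrail_bucket_policy("org-cloudtrail-logs-111122223333", "111122223333", "us-east-1", "OrgTrail",
                                      org_id="o-exampleorgid")
    print(json.dumps(policy, indent=2))
    print("lint:", lint_bucket_policy(policy))
```

The linter is deliberately narrow: it does not replace IAM Access Analyzer, but it catches the three things that turn a log archive into a liability (a write statement without aws:SourceArn, which any trail in any account can satisfy; a missing bucket-owner-full-control condition; and any Allow that includes delete).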
10. Implementation: Setting Up CloudTrail
How to Set Up a Basic Trail:
Go to AWS Management Console → CloudTrail.
Click Create trail.
Keep the trail applied to all Regions (the default for new trails), so it is multi-region.
Select an existing or new S3 bucket and enable SSE-KMS encryption with a customer-managed key.
Enable Log file validation.
(Optional) Send logs to CloudWatch Logs for near-real-time alerting.
(Optional) Enable CloudTrail Insights for anomaly detection.
Your trail is ready. Before moving on, confirm on the trail's detail page that logging is on and that the last delivery to S3 succeeded; a trail that exists but cannot write (missing bucket policy, wrong KMS key policy) gives you a false sense of coverage.
11. Advanced Tips: Querying and Automation
Use Athena to run SQL queries directly against CloudTrail logs in S3.
Use CloudTrail Lake to natively query and analyze events inside CloudTrail.
Automate responses to suspicious activities using EventBridge rules + Lambda.
Monitor S3 object-level Data Events to detect potential data exfiltration, such as one principal reading an unusual number of distinct objects or reading from an unfamiliar network.
12. Summary and Next Steps
You now understand AWS CloudTrail:
How it records API activity.
How to set it up securely.
How to use it for security, compliance, and operations.
How to detect anomalies.
CloudTrail is the foundation of AWS auditing. Without it, you cannot truly monitor or secure your cloud environments.
Thank you for taking the time to read my post. If you found it helpful, a like or share would go a long way in helping others discover and benefit from it too. Your support is genuinely appreciated. 🙏
Written by

Suman Thallapelly