Day 86 of 90 Days of DevOps Challenge: Master AWS Auditing with CloudTrail

Vaishnavi D
3 min read

Yesterday, I explored Amazon CloudWatch, the service that helps monitor applications, services, and infrastructure in real time through metrics, logs, and alarms. It was eye-opening to see how observability makes systems more reliable and keeps operations in check.

Today, I’m diving into AWS CloudTrail, not a monitoring tool, but a governance, compliance, and auditing service. If CloudWatch tells you what’s happening with your AWS resources, CloudTrail tells you who did what, when, and from where.

What is AWS CloudTrail?

CloudTrail is an audit and governance service that records all actions (API calls) made in your AWS account, whether through the AWS Management Console, CLI, SDKs, or other services.

Think of CloudTrail as a security camera system for your AWS environment. Every action is logged, from creating an EC2 instance to deleting an S3 bucket or even modifying IAM permissions. These logs provide visibility and accountability, making it easier to investigate issues and ensure compliance.

Why do we need AWS CloudTrail?

  • Security & Compliance → Meets standards like HIPAA, PCI-DSS, and GDPR.

  • Accountability → Identifies which user or role performed specific actions.

  • Troubleshooting → Helps pinpoint “who changed what” during incidents.

  • Forensics → Acts as a source of evidence in investigations.

  • Governance → Ensures infrastructure changes follow best practices.

Key Features of CloudTrail

  • Event Logging → Captures management events (e.g., launching EC2), data events (e.g., S3 object access), and anomalies via CloudTrail Insights.

  • Integration → Works with CloudWatch & EventBridge for monitoring and automation.

  • Multi-Region Logging → Consolidates logs across AWS regions.

  • Event History → Provides a default 90-day history of management events.

  • Insights → Detects unusual activities like spikes in IAM changes.

  • Encryption & Security → Supports KMS encryption for secure log storage.

  • Centralized Storage → Delivers logs to S3 for long-term retention and analysis.

Common Use Cases

  • Performing security audits and compliance checks.

  • Tracking resource modifications across accounts.

  • Investigating unexpected deletions or changes.

  • Triggering alerts on suspicious activity using CloudWatch alarms.

Pricing of AWS CloudTrail

  • Free Tier → Management event history for the last 90 days (no cost).

  • Paid Features:

    • S3 & Lambda Data Events: $0.10 per 100,000 events.

    • CloudTrail Insights: $0.35 per 100,000 write events analyzed.

    • Additional Trails (delivering to S3/CloudWatch): Charged based on logs and storage.

So, costs mainly depend on the volume of API activity in your account.

Limitations of AWS CloudTrail

  • 90-Day Retention Limit → Free event history is only available for 90 days unless logs are stored in S3.

  • No Real-Time Alerts by Default → CloudTrail only records events; to get alerts, you must integrate it with CloudWatch or EventBridge.

  • Data Event Costs → Tracking high-volume S3/Lambda data events can get expensive.

  • Regional Configuration → By default, logs are created per region. You need to enable multi-region trails for full coverage.

  • Not a Monitoring Tool → It tells you who did what, but not how your resources are performing. For that, CloudWatch is still required.

Real-Life Example

Imagine you’re part of a DevOps team managing multiple AWS accounts:

  • One day, you notice that an EC2 instance was terminated unexpectedly.

  • With CloudWatch, you can see the metric dip as the instance goes offline.

  • With CloudTrail, you dig deeper and find that a developer with the IAM role “DevOps-Admin” terminated the instance at 3:45 PM from a specific IP address.

  • This level of visibility is critical for security, accountability, and troubleshooting.
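
To make the investigation above concrete, here is an added Python example (not code from the original post) that walks a CloudTrail log file in the JSON shape CloudTrail delivers to S3 (a top-level "Records" array) and pulls out who terminated a given instance, when, and from which IP address. The sample records, account id, role session name, instance id and IP addresses are constructed for the example.

```python
import json
from typing import Dict, List

# Constructed sample in the shape CloudTrail delivers to S3 (a JSON object with a
# "Records" array). Account id, session name, instance id, time and IPs are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DevOps-Admin/alice",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "DevOps-Admin"}}},
     "eventTime": "2024-05-01T15:45:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.25", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456789a"}]}}},
    {"eventVersion": "1.08",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"},
     "eventTime": "2024-05-01T15:40:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "console.ec2.amazonaws.com",
     "requestParameters": None},
]})

def who(identity: Dict) -> str:
    """Human-readable principal: role plus session name for AssumedRole, otherwise the ARN."""
    if identity.get("type") == "AssumedRole":
        role = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "?")
        session = identity.get("arn", "").rsplit("/", 1)[-1]  # last ARN segment is the session name
        return f"role {role} (session {session})"
    return identity.get("arn", identity.get("type", "unknown"))

def find_terminations(log_text: str, instance_id: str) -> List[Dict]:
    """Return who/when/where summaries of TerminateInstances calls that named instance_id."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "TerminateInstances":
            continue
        # requestParameters can be null in real records, so guard before descending into it
        params = rec.get("requestParameters") or {}
        items = params.get("instancesSet", {}).get("items", [])
        if instance_id in {i.get("instanceId") for i in items}:
            hits.append({"who": who(rec["userIdentity"]), "when": rec["eventTime"],
                         "from": rec.get("sourceIPAddress"), "agent": rec.get("userAgent"),
                         "region": rec.get("awsRegion")})
    return hits

if __name__ == "__main__":
    for hit in find_terminations(SAMPLE_LOG, "i-0abc123def456789a"):
        print(hit)
```

The same filter applies to any other mutating EC2 call (for example StopInstances) by changing the eventName check, and to a real trail by reading each gzipped log object from the S3 bucket before passing its text in.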

Final Thoughts

AWS CloudTrail is like having CCTV for your AWS account; it doesn’t just watch, it records everything for later review. Whether for compliance, governance, or troubleshooting, it’s an essential service for ensuring accountability and traceability in cloud environments.

Mastering CloudTrail isn’t just about keeping logs; it’s about building a culture of security, compliance, and peace of mind in DevOps.
