Chapter 68: AWS CloudTrail

Many people treat CloudTrail like an optional checkbox they enable “if they have time”. That is a very expensive mistake.

CloudTrail is not just logging. It is the audit trail, the forensic evidence chain, the “who did what, when, from where” record that answers almost every post-incident question:

  • Who deleted the production S3 bucket?
  • Who launched 200 expensive GPU instances at 3 AM?
  • When did someone start using a leaked access key?
  • Did the intern accidentally change the security group on the database?
  • Was this API call made by our code or by an attacker?

Without CloudTrail, these questions usually have only one answer: “We don’t know” — and that answer can cost lakhs in fines, lost trust, or surprise bills.

Let me explain CloudTrail the way I wish someone had explained it to me on day one — like a real teacher who wants you to never be the person saying “we have no logs” in a crisis meeting.

1. What CloudTrail Actually Is (Very Simple First)

AWS CloudTrail is a fully managed service that records the API calls made in your AWS account (all management-plane calls for supported services by default, data-plane calls if you opt in): who called, when, from which IP, which parameters were used, and whether the call succeeded or failed.

It logs management events (control-plane actions: CreateBucket, RunInstances, DeleteTable, AttachRolePolicy…) and data events (actual data-plane actions: S3 GetObject, Lambda Invoke, DynamoDB PutItem… — these are optional and cost extra).

Every log entry is a JSON object that contains:

  • eventTime (UTC)
  • eventSource (s3.amazonaws.com, dynamodb.amazonaws.com…)
  • eventName (GetObject, PutItem…)
  • awsRegion
  • userIdentity (who — IAM user, role session, root, or an AWS service)
  • sourceIPAddress and userAgent (console, CLI, SDK, or an attacker's tooling)
  • requestParameters
  • responseElements (for example the instance IDs a RunInstances call actually created)
  • errorCode / errorMessage (if failed; a burst of AccessDenied is itself a signal)
  • eventID (unique per record, useful when de-duplicating)
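To make those fields concrete, here is an added example (not code from the original page) that parses records in the shape CloudTrail delivers to S3 (a JSON object with a top-level "Records" array, gzip-compressed on disk) and turns each one into a "who, what, when, from where" line. The three records, account ID, names and IP addresses are constructed for the demo; the point to notice is that userIdentity has a different shape for an IAM user, an assumed role and the root user, so "who" needs a little logic.

```python
"""Parse CloudTrail log-file records and answer "who, what, when, from where".

Added example, not code from the original page. The records below are
constructed to mimic real CloudTrail JSON: an IAM-user call, an assumed-role
call, and a failed root call. Account ID, names and IPs are made up.
"""
import json
from datetime import datetime, timezone

# Constructed sample in the on-disk format a trail delivers to S3
# (a {"Records": [...]} object; the real file is gzip-compressed).
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {
        "eventVersion": "1.08", "eventTime": "2026-02-21T18:17:12Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "awsRegion": "ap-south-1", "sourceIPAddress": "203.0.113.45",
        "userIdentity": {
            "type": "IAMUser", "userName": "dev-temp-key",
            "accessKeyId": "AKIAEXAMPLE000000001",
            "arn": "arn:aws:iam::111122223333:user/dev-temp-key",
        },
        "requestParameters": {"instanceType": "g5.12xlarge"},
    },
    {
        "eventVersion": "1.08", "eventTime": "2026-02-21T18:20:01Z",
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
        "awsRegion": "ap-south-1", "sourceIPAddress": "10.0.4.17",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-runner-42",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "DeployRole"}},
        },
        "requestParameters": {"bucketName": "telugubites-prod-assets"},
    },
    {
        "eventVersion": "1.08", "eventTime": "2026-02-21T18:25:40Z",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "errorCode": "AccessDenied", "errorMessage": "User is not authorized",
    },
]})


def principal(user_identity: dict) -> str:
    """Turn the userIdentity block into a readable 'who'.

    IAM users carry userName; assumed roles carry the role name under
    sessionContext.sessionIssuer and the session name at the end of the ARN;
    the root user has no userName at all.
    """
    kind = user_identity.get("type")
    if kind == "IAMUser":
        return f"IAM user {user_identity['userName']}"
    if kind == "AssumedRole":
        role = user_identity["sessionContext"]["sessionIssuer"]["userName"]
        session = user_identity["arn"].rsplit("/", 1)[-1]
        return f"role {role} (session {session})"
    if kind == "Root":
        return "ROOT user"
    return f"{kind} {user_identity.get('arn', '?')}"


def summarise(record: dict) -> dict:
    """Extract the fields an investigator looks at first."""
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "when": when.replace(tzinfo=timezone.utc),
        "who": principal(record["userIdentity"]),
        "what": f"{record['eventSource'].split('.')[0]}:{record['eventName']}",
        "where_from": record.get("sourceIPAddress"),
        "region": record.get("awsRegion"),
        "ok": "errorCode" not in record,
        "error": record.get("errorCode"),
    }


def parse_log_file(text: str) -> list:
    """Parse one delivered log file (already decompressed) into summaries."""
    return [summarise(r) for r in json.loads(text)["Records"]]


if __name__ == "__main__":
    for s in parse_log_file(SAMPLE_LOG_FILE):
        status = "OK" if s["ok"] else f"FAILED ({s['error']})"
        print(f"{s['when']:%Y-%m-%d %H:%M:%S} UTC  {s['who']:<40} {s['what']:<18} "
              f"from {s['where_from']} [{s['region']}] {status}")
```

In a real investigation you would gunzip each object under the trail's S3 prefix and feed it to parse_log_file; the failed root CreateUser in the sample is there deliberately, because denied calls are often the first sign that someone is probing with a stolen credential.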

Official short line (still perfect): “CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.”

In plain Hyderabad language: CloudTrail is the CCTV camera system of your AWS account — but instead of blurry video, it records every single action with timestamp, user, IP, exact parameters, and outcome.

You don’t have to install anything. Every account gets the last 90 days of management events in Event history with no setup; to keep anything longer, or to capture data events, you create a trail and decide where to store the logs and how long to keep them.

2. Two Types of Events (Very Important Distinction – 2026)

Management events
  • What it logs: control-plane actions (create/delete/modify resources)
  • Enabled by default? Yes (90 days in Event history; a trail is needed for longer retention)
  • Cost? Free for the first copy delivered in each region
  • Typical volume in a Hyderabad startup: 1,000–50,000/day
  • Example events: CreateBucket, RunInstances, DeleteRole, AttachRolePolicy

Data events
  • What it logs: data-plane actions (reading/writing actual data)
  • Enabled by default? No, must be enabled per resource type
  • Cost? Paid per event
  • Typical volume: can be millions/day
  • Example events: S3 GetObject/PutObject, DynamoDB PutItem, Lambda Invoke, RDS Data API calls

2026 reality in India:

  • Every account has 90 days of management events in Event history with no setup (free); most teams also have a trail writing them to S3
  • Serious teams enable data events on critical buckets/tables/functions → costs ₹500–5,000/month but gives forensic gold

3. Where CloudTrail Logs Are Stored & How Long They Last

A trail delivers its log files to an S3 bucket you choose (the console can create one for you). Optionally it can also stream to CloudWatch Logs, and CloudTrail Lake keeps a separately queryable copy.

Key options (2026):

  • Retention — you decide (1 day → forever) via S3 lifecycle rules
    • Most teams keep 90–365 days (compliance requirement)
    • Some keep forever in S3 Glacier Deep Archive (~₹0.09/GB/month)
  • Multi-region trail — one trail that collects events from all regions, including global services like IAM and STS (recommended; a single-region trail misses whatever region the attacker picked)
  • Organization trail — one trail for all accounts in an AWS Organization (enterprise standard); deliver it to a dedicated log-archive account whose bucket only CloudTrail can write to, so a compromised workload account cannot delete its own evidence

Encryption and integrity — log files are encrypted at rest (SSE-S3 by default, SSE-KMS if you choose a key). Also turn on log file validation: CloudTrail then delivers signed digest files, so you can later prove the logs were not altered after delivery.

4. Real Hyderabad Example — CloudTrail Saves the Day

Your startup “TeluguBites” (restaurant discovery & food ordering):

Incident (very common 2026 scenario):

  • Friday night 11 PM — someone using a leaked developer access key starts launching expensive GPU instances (crypto-mining)
  • Saturday morning — finance sees unusual cost spike in Cost Explorer

How CloudTrail helps (what actually happened):

  1. Finance opens CloudTrail Event history (last 90 days of management events, free, shown per region, so check the regions the bill points at) → Filters for “RunInstances” API calls → Sees:
    • eventTime: 2026-02-21 23:47:12 IST
    • userIdentity: IAM user “dev-temp-key”
    • sourceIPAddress: 185.220.101.xxx (known Tor exit node)
    • requestParameters: instanceType = g5.12xlarge (very expensive)
  2. Finance → security team
  3. Security opens CloudTrail Lake, or queries the trail’s S3 logs in place with Amazon Athena, and runs a query over every RunInstances call made with that access key, grouped by region
    → Confirms the attacker launched 8 instances across 2 regions

  4. Security revokes the leaked key, terminates instances
  5. Finance sees bill spike stopped within ~6 hours
  6. Total loss: ~₹12,000 (instead of ₹2 lakh if discovered Monday)
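What step 3 does with a query can be done just as well over the raw records, which is handy when Athena is not set up yet. The following is an added example, not code from the original page: it keeps only RunInstances events, pivots on the access key that made them, counts the instances EC2 actually created per region (a failed launch has an errorCode and no responseElements, so it must not be counted), and flags keys used from outside the office network or for expensive instance families. Every record, IP address, key ID, user name, the “office” CIDR and the list of expensive families are constructed for the demo.

```python
"""Triage a leaked-key crypto-mining incident from CloudTrail events.

Added example, not code from the original page. It does in Python what the
text describes doing with Athena: filter RunInstances, pivot on the access
key, count instances per region, flag unknown source networks and expensive
instance families. All records, IPs, key IDs, names and CIDRs are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumptions for this demo: networks the team normally works from, and
# instance families that never appear without a change ticket.
KNOWN_SOURCE_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
EXPENSIVE_FAMILIES = {"g5", "p4d", "p5"}
LEAKED_KEY, LEGIT_KEY = "AKIAEXAMPLE000000001", "AKIAEXAMPLE000000002"


def ec2_event(when, region, ip, user, key, itype, instance_ids=None, error=None):
    """Constructed record trimmed to the fields a real RunInstances event
    carries and this triage uses. responseElements.instancesSet.items lists
    what EC2 actually created, which is the reliable count; a failed call
    has errorCode and no responseElements at all."""
    rec = {
        "eventTime": when, "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": region, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
        "requestParameters": {"instanceType": itype},
    }
    if error:
        rec["errorCode"] = error
    else:
        rec["responseElements"] = {
            "instancesSet": {"items": [{"instanceId": i} for i in instance_ids]}}
    return rec


SAMPLE_RECORDS = [
    ec2_event("2026-02-21T18:17:12Z", "ap-south-1", "198.51.100.23", "dev-temp-key",
              LEAKED_KEY, "g5.12xlarge", [f"i-0a{n:02d}" for n in range(5)]),
    ec2_event("2026-02-21T18:31:40Z", "us-east-1", "198.51.100.23", "dev-temp-key",
              LEAKED_KEY, "g5.12xlarge", ["i-0b01", "i-0b02", "i-0b03"]),
    ec2_event("2026-02-21T18:35:02Z", "eu-west-1", "198.51.100.23", "dev-temp-key",
              LEAKED_KEY, "g5.12xlarge", error="Client.InstanceLimitExceeded"),
    ec2_event("2026-02-22T04:10:00Z", "ap-south-1", "203.0.113.45", "ci-deployer",
              LEGIT_KEY, "t3.medium", ["i-0c01"]),
    # Unrelated data event that the filter must ignore.
    {"eventTime": "2026-02-22T04:11:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "ap-south-1", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer", "accessKeyId": LEGIT_KEY}},
]


def known_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_SOURCE_CIDRS)


def triage_run_instances(records):
    """Group RunInstances events by access key. Returns {accessKeyId: summary}."""
    report = {}
    for r in records:
        if r["eventName"] != "RunInstances" or r["eventSource"] != "ec2.amazonaws.com":
            continue
        key = r["userIdentity"].get("accessKeyId", "<no-key>")
        s = report.setdefault(key, {
            "user": r["userIdentity"].get("userName"), "launched": defaultdict(int),
            "failed": 0, "unknown_ips": set(), "expensive_types": set(),
            "first_seen": r["eventTime"], "last_seen": r["eventTime"]})
        s["first_seen"] = min(s["first_seen"], r["eventTime"])  # ISO-8601 sorts as text
        s["last_seen"] = max(s["last_seen"], r["eventTime"])
        if not known_source(r["sourceIPAddress"]):
            s["unknown_ips"].add(r["sourceIPAddress"])
        itype = r["requestParameters"]["instanceType"]
        if itype.split(".")[0] in EXPENSIVE_FAMILIES:
            s["expensive_types"].add(itype)
        if "errorCode" in r:
            s["failed"] += 1  # an attempt worth knowing about, but nothing was created
            continue
        s["launched"][r["awsRegion"]] += len(r["responseElements"]["instancesSet"]["items"])
    for s in report.values():
        s["total"] = sum(s["launched"].values())
        s["launched"] = dict(s["launched"])
    return report


def suspicious_keys(report):
    """Keys to revoke now: used from an unknown network or for expensive families."""
    return sorted(k for k, s in report.items() if s["unknown_ips"] or s["expensive_types"])


if __name__ == "__main__":
    report = triage_run_instances(SAMPLE_RECORDS)
    for key in suspicious_keys(report):
        s = report[key]
        print(f"{key} ({s['user']}): {s['total']} instances in {len(s['launched'])} regions "
              f"{s['launched']}, {s['failed']} failed, from {sorted(s['unknown_ips'])}, "
              f"types {sorted(s['expensive_types'])}, {s['first_seen']} .. {s['last_seen']}")
        # Containment order: deactivate the key first, then terminate per region.
        print(f"  aws iam update-access-key --user-name {s['user']} "
              f"--access-key-id {key} --status Inactive")
```

Pivoting on accessKeyId rather than userName matters when a user has two keys and only one leaked; the failed eu-west-1 launch in the sample shows up in the report as an attempt without inflating the instance count, which is the same distinction the Athena query has to make between requestParameters and responseElements.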

Without CloudTrail:

  • No way to know who launched instances
  • No IP to block
  • No timeline → weeks of investigation

5. Quick Hands-On – See CloudTrail in Action

  1. AWS Console → CloudTrail → Event history → Filter by Event name = CreateBucket or RunInstances → See the last 90 days of management events (free, no setup needed). Event history is per region, so switch regions to see activity elsewhere.
  2. Enable a trail (if not already):
    • CloudTrail → Create trail
    • Name: “all-management-and-data-events”
    • Multi-region trail: Yes
    • Log file validation: Enabled (so you can later prove the files were not tampered with)
    • Storage: new or existing S3 bucket, encrypted with a KMS key and with a bucket policy that only lets CloudTrail write
    • Data events: S3 object-level reads and writes on your critical buckets, plus the DynamoDB tables that hold customer or order data
  3. Wait 5–15 min → check the trail shows Logging: On → new log files appear in S3 → use CloudTrail Lake or Athena to query

Cost? Management events free (first copy per region). Data events are charged per 100,000 events (US$0.10 per 100,000 at the time of writing, plus S3 storage; check the current CloudTrail pricing page).

Summary Table — AWS CloudTrail Cheat Sheet (2026 – India Focus)

  • What is CloudTrail? Service that logs AWS API calls: who, what, when, from where
  • Management events vs data events? Management = free & default (create/delete resources); Data = paid & optional (GetObject, PutItem…)
  • How long are logs kept by default? 90 days in Event history (free); in your own S3 bucket, as long as your lifecycle rules keep them
  • Where are logs stored? S3 bucket you choose (encrypted), optionally also CloudWatch Logs or CloudTrail Lake
  • Best practice for a Hyderabad startup? Multi-region trail + log file validation + data events on critical buckets/tables + KMS-encrypted, write-protected log bucket
  • First thing to do today? Open Event history → filter for your own username → see your actions

Teacher’s final note (real talk – Hyderabad 2026):

CloudTrail is the black box flight recorder of your AWS account.

When something goes wrong (bill shock, deleted resource, suspected breach), CloudTrail is usually the only way to answer “what happened and who did it?”.

Most serious incidents in India right now are discovered because CloudTrail was enabled — not despite it.

Do this today:

  1. Confirm a multi-region trail with management events is enabled and shows Logging: On
  2. Enable data events on at least your most important S3 buckets & DynamoDB tables
  3. Store logs in an encrypted S3 bucket that only CloudTrail can write to, with a lifecycle rule to Glacier after 90 days
  4. Turn on log file validation, and deny StopLogging / DeleteTrail / PutEventSelectors to everyone except a break-glass role (IAM policy or SCP), so an attacker cannot switch the camera off
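The checklist above can be turned into a repeatable check. Here is an added example (not code from the original page or from AWS) that takes the three structures the CloudTrail API returns for a trail (one trailList entry from describe_trails, the get_trail_status response, and the get_event_selectors response) and reports what is missing: logging stopped, single-region, no log file validation, no KMS key, no data events for S3 objects or DynamoDB tables. The two sample trails, bucket names, account ID and key ARN are constructed; fetch_live is the only part that talks to AWS and needs boto3 and credentials.

```python
"""Audit a CloudTrail trail's configuration against the 'Do this today' list.

Added example, not code from the original page or AWS. audit_trail() takes
the dicts the CloudTrail API returns (describe_trails -> one trailList entry,
get_trail_status, get_event_selectors) and returns findings. Both sample
trails below are constructed; names, ARNs and IDs are made up.
"""


def data_event_resource_types(selectors: dict) -> set:
    """Resource types (e.g. AWS::S3::Object) that have data events enabled.
    Handles advanced selectors; classic EventSelectors list DataResources."""
    types = set()
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f.get("Equals", []) for f in sel.get("FieldSelectors", [])}
        if "Data" in fields.get("eventCategory", []):
            types.update(fields.get("resources.type", []))
    for sel in selectors.get("EventSelectors", []):
        for dr in sel.get("DataResources", []):
            types.add(dr["Type"])
    return types


def audit_trail(trail: dict, status: dict, selectors: dict) -> list:
    """Return human-readable findings; an empty list means the trail passes."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("trail is not logging (someone ran StopLogging?)")
    if status.get("LatestDeliveryError"):
        findings.append(f"last S3 delivery failed: {status['LatestDeliveryError']}")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: activity in other regions is not captured")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (IAM, STS) excluded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation off: tampering with delivered files is undetectable")
    if not trail.get("KmsKeyId"):
        findings.append("logs use SSE-S3 only; consider SSE-KMS with a restricted key policy")
    types = data_event_resource_types(selectors)
    for wanted in ("AWS::S3::Object", "AWS::DynamoDB::Table"):
        if wanted not in types:
            findings.append(f"no data events for {wanted}")
    return findings


# Constructed sample 1: the "clicked Create trail once and moved on" setup.
WEAK_TRAIL = {"Name": "default-trail", "S3BucketName": "my-trail-bucket",
              "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
              "LogFileValidationEnabled": False, "HomeRegion": "ap-south-1"}
WEAK_STATUS = {"IsLogging": False}
WEAK_SELECTORS = {"AdvancedEventSelectors": [
    {"Name": "Management events only",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]}]}

# Constructed sample 2: what the checklist asks for.
GOOD_TRAIL = {"Name": "all-management-and-data-events",
              "S3BucketName": "telugubites-cloudtrail", "IsMultiRegionTrail": True,
              "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": True,
              "KmsKeyId": "arn:aws:kms:ap-south-1:111122223333:key/00000000-0000-0000-0000-000000000000",
              "HomeRegion": "ap-south-1"}
GOOD_STATUS = {"IsLogging": True, "LatestDeliveryTime": "2026-02-22T04:15:00Z"}
GOOD_SELECTORS = {"AdvancedEventSelectors": [
    {"Name": "Management",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
    {"Name": "Critical S3 bucket",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                        {"Field": "resources.ARN",
                         "StartsWith": ["arn:aws:s3:::telugubites-prod-assets/"]}]},
    {"Name": "Orders table",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                        {"Field": "resources.type", "Equals": ["AWS::DynamoDB::Table"]}]},
]}


def fetch_live(trail_name: str):
    """Pull the same three structures for a real trail (needs boto3 and credentials)."""
    import boto3
    ct = boto3.client("cloudtrail")
    trail = ct.describe_trails(trailNameList=[trail_name])["trailList"][0]
    return trail, ct.get_trail_status(Name=trail_name), ct.get_event_selectors(TrailName=trail_name)


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_TRAIL, WEAK_STATUS, WEAK_SELECTORS)),
                        ("good", (GOOD_TRAIL, GOOD_STATUS, GOOD_SELECTORS))):
        findings = audit_trail(*args)
        print(f"{label}: {'PASS' if not findings else str(len(findings)) + ' findings'}")
        for f in findings:
            print("  -", f)
```

Run it as a scheduled job against fetch_live(name) for each trail and alert on any non-empty result; a sudden "trail is not logging" finding is exactly the StopLogging move an intruder makes before doing anything noisy.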

Got it? This is the “when bad things happen, we can actually find out what happened” lesson.

Next?

  • Step-by-step: Enable multi-region trail + data events + Athena query?
  • Deep dive: CloudTrail vs GuardDuty vs CloudWatch Logs?
  • Or how to investigate a real incident using CloudTrail Lake?

Tell me — next whiteboard ready! 🚀📜🕵️‍♂️
