Chapter 70: AWS Auditing
When people say “AWS Auditing”, they usually mean one (or a combination) of these three things:
- The ability to audit who did what inside your AWS account (the forensic / accountability part)
- The ability to prove to auditors that your AWS usage is secure & compliant (the evidence / reporting part)
- The tools AWS provides so you can continuously monitor configuration drift and compliance posture
In real life (especially in India 2026), all three are usually needed — particularly if you are:
- handling personal data (DPDP Act 2023)
- processing payments (RBI guidelines, PCI-DSS)
- selling to enterprises / banks / government (SOC 2, ISO 27001, IRAP, MeitY empanelment)
- or just want to know “who deleted the production bucket at 2 a.m.?”
Let’s do this like a real classroom session — slow, clear, with everyday Hyderabad analogies, actual startup/fintech/edtech examples from Telangana in 2026, and the exact tools & patterns most Indian teams actually use.
1. The Two Main Meanings of “AWS Auditing”
| Meaning | What it really focuses on | Primary AWS services used | Typical Hyderabad company asking this question |
|---|---|---|---|
| 1. Audit trail / forensic logging | “Who did what, when, from which IP?” | CloudTrail, CloudTrail Lake, Athena, CloudWatch Logs | “Someone deleted prod data — how do we find out who?” |
| 2. Compliance posture & continuous auditing | “Are we still compliant right now?” (no drift) | AWS Config, Security Hub, Audit Manager, Config Rules | “We need to pass RBI / SOC 2 / DPDP audit next month” |
Both are needed — but most startups start with #1 (CloudTrail) and only add #2 when customers or regulators start asking hard questions.
2. Part 1 — Audit Trail / Forensic Logging (CloudTrail — The Black Box)
CloudTrail is the single most important auditing tool in AWS — it records the API calls made in your account: management (control-plane) events by default, and data-plane events once you enable them.
What it records (every entry is a JSON object):
- eventTime — exact timestamp
- eventSource — which service (s3.amazonaws.com, iam.amazonaws.com…)
- eventName — exact action (PutObject, DeleteBucket, RunInstances…)
- userIdentity — who (IAM user, role assumed by federated user, root…)
- sourceIPAddress — where the call came from
- requestParameters & responseElements — what was asked & what happened
- errorCode — if it failed
Two types of events (critical distinction):
| Type | What it logs | Enabled by default? | Cost? | Typical volume in Hyderabad startup | Example events |
|---|---|---|---|---|---|
| Management events | Create/delete/modify resources | Yes | Free (first copy) | 1,000–50,000/day | CreateBucket, DeleteRole, AttachPolicy |
| Data events | Read/write actual data | No — must enable | Pay per event | Millions/day if enabled | S3 GetObject, DynamoDB PutItem, Lambda Invoke |
Most common 2026 setup in Hyderabad:
- Multi-region trail (captures events from all regions)
- Logs go to encrypted S3 bucket
- Lifecycle rule → move to Glacier after 90 days (cheap long-term storage)
- Data events enabled on critical buckets/tables/functions (extra cost but forensic gold)
Real incident example (very common 2026):
- Friday night — leaked developer access key used to launch expensive GPU instances (crypto-mining)
- Saturday morning — finance sees cost spike in Cost Explorer
- Security opens CloudTrail Event history (last 90 days, free) → filters for “RunInstances”
- Sees:
  - eventTime: 2026-02-21 23:47 IST
  - userIdentity: IAM user “dev-temp-key”
  - sourceIPAddress: 185.220.101.xxx (known Tor exit)
  - requestParameters: InstanceType = g5.12xlarge
- → Key revoked, instances terminated, total loss ~₹12,000 instead of ₹2 lakh
Without CloudTrail: “We don’t know who or when” → weeks of investigation
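The triage above, as an added example (not code from the chapter): it runs over a few constructed CloudTrail records carrying the fields listed earlier and flags RunInstances calls that fit the leaked-key pattern (source IP outside the team's known ranges, out of business hours IST, accelerated instance family). The known network range, the business-hour window and all record values are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
# Assumption: egress ranges the team recognises (constructed TEST-NET-3 value, not real)
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
GPU_FAMILIES = ("p", "g", "inf", "trn")  # accelerated EC2 families favoured by crypto-miners

# Constructed CloudTrail records with the fields the chapter lists (not real log data)
SAMPLE_RECORDS = [
    {"eventTime": "2026-02-21T18:17:00Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "dev-temp-key"},
     "requestParameters": {"instanceType": "g5.12xlarge"}},
    {"eventTime": "2026-02-21T09:05:00Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"},
     "requestParameters": {"instanceType": "t3.medium"}},
]

def to_ist(event_time):
    # CloudTrail eventTime is UTC ISO-8601; convert so it reads like the console in India
    utc = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(IST)

def known_ip(source):
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:  # sourceIPAddress may be a service principal such as "ec2.amazonaws.com"
        return True
    return any(ip in net for net in KNOWN_NETWORKS)

def suspicious_launches(records, start_hour=9, end_hour=20):
    """One finding per RunInstances call that matches the leaked-key pattern."""
    findings = []
    for r in records:
        if r.get("eventName") != "RunInstances":
            continue
        when = to_ist(r["eventTime"])
        itype = r.get("requestParameters", {}).get("instanceType", "")
        reasons = []
        if not known_ip(r["sourceIPAddress"]):
            reasons.append("source IP outside known ranges")
        if not start_hour <= when.hour < end_hour:
            reasons.append("outside business hours (IST)")
        if itype.split(".")[0].startswith(GPU_FAMILIES):
            reasons.append("accelerated instance family")
        if reasons:
            ident = r["userIdentity"]
            findings.append({"user": ident.get("userName", ident["type"]), "ip": r["sourceIPAddress"],
                             "instanceType": itype, "time_ist": when.strftime("%Y-%m-%d %H:%M IST"),
                             "reasons": reasons})
    return findings
```

On a real trail you would feed it the `Records` array of the gzipped JSON files CloudTrail writes to S3, or the rows returned by an Athena query on the same files.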
3. Part 2 — Compliance Posture & Continuous Auditing (The “Are We Still Compliant?” Layer)
This is where AWS Config, Security Hub, Audit Manager, and Organizations SCPs come in.
| Service | What it really does | Typical use-case in Hyderabad (2026) |
|---|---|---|
| AWS Config | Continuous monitoring of resource configuration | Rule: “S3 bucket must have encryption” → alert on violation |
| AWS Security Hub | Central dashboard that collects GuardDuty + Config + Inspector + Macie findings | One place to see all security & compliance issues |
| AWS Audit Manager | Automates evidence collection for SOC 2, PCI, RBI, ISO… | Generate audit report for RBI auditor in 2 days instead of 2 months |
| AWS Organizations SCPs | Prevent dangerous actions across all accounts | SCP: deny anyone from disabling CloudTrail or making S3 public |
Real compliance example — fintech startup in Financial District
Goal: Pass RBI audit + SOC 2 Type II for enterprise banking client
What they did (very typical 2026):
- AWS Organizations → SCPs:
  - Deny disabling CloudTrail
  - Deny making S3 buckets public
  - Deny launching instances in non-approved regions
- AWS Config rules:
  - “S3 bucket should have server-side encryption”
  - “RDS instance should be Multi-AZ”
  - “No security group allows 0.0.0.0/0 on port 22/3389”
- Security Hub enabled → pulls Config, GuardDuty, Macie, Inspector → Compliance score 94/100 → shows remaining gaps
- Audit Manager assessment:
  - Choose “RBI Cloud Security Guidelines” framework
  - Choose “SOC 2 Type II” framework
  - Auto-collects evidence (CloudTrail logs, Config compliance, KMS key usage…)
  - Generates report → shared with RBI auditor
Result:
- Audit passed in 3 weeks instead of 3 months
- Monthly compliance tooling cost: ~₹5,000–15,000
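The three Config rules the fintech chose, as an added example (not the chapter's or AWS's code): each check evaluates a resource snapshot the way a custom Config rule would, and the results roll up into a Security-Hub-style compliance percentage plus the list of remaining gaps. The snapshots and their field names are simplified constructed assumptions, not AWS Config's configuration-item schema.

```python
# Constructed resource snapshots; field names are a simplified assumption, not AWS Config's schema
RESOURCES = [
    {"type": "AWS::S3::Bucket", "id": "prod-data", "sse": "aws:kms"},
    {"type": "AWS::S3::Bucket", "id": "static-assets", "sse": None},
    {"type": "AWS::RDS::DBInstance", "id": "core-ledger", "multiAZ": True},
    {"type": "AWS::RDS::DBInstance", "id": "reporting-replica", "multiAZ": False},
    {"type": "AWS::EC2::SecurityGroup", "id": "sg-web",
     "ingress": [{"from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "AWS::EC2::SecurityGroup", "id": "sg-bastion",
     "ingress": [{"from": 0, "to": 65535, "cidr": "0.0.0.0/0"}]},  # "all ports" still covers 22
]
ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}

def s3_encrypted(r):
    # Default bucket encryption must be SSE-S3 (AES256) or SSE-KMS
    return r.get("sse") in ("AES256", "aws:kms")

def rds_multi_az(r):
    return r.get("multiAZ") is True

def no_world_admin_ports(r):
    # Fails if any world-open ingress rule's port range covers 22 or 3389
    for rule in r.get("ingress", []):
        if rule["cidr"] in WORLD and any(rule["from"] <= p <= rule["to"] for p in ADMIN_PORTS):
            return False
    return True

RULES = {  # rule name (as worded in the chapter) -> (resource type it scopes to, check)
    "S3 bucket should have server-side encryption": ("AWS::S3::Bucket", s3_encrypted),
    "RDS instance should be Multi-AZ": ("AWS::RDS::DBInstance", rds_multi_az),
    "No security group allows 0.0.0.0/0 on port 22/3389": ("AWS::EC2::SecurityGroup", no_world_admin_ports),
}

def evaluate(resources, rules=RULES):
    """Map (rule, resource id) -> COMPLIANT / NON_COMPLIANT, the two results Config reports."""
    results = {}
    for name, (rtype, check) in rules.items():
        for r in resources:
            if r["type"] == rtype:
                results[(name, r["id"])] = "COMPLIANT" if check(r) else "NON_COMPLIANT"
    return results

def compliance_score(results):
    """Passing evaluations as a whole-number percentage, the way a dashboard score reads."""
    if not results:
        return 100
    return round(100 * sum(v == "COMPLIANT" for v in results.values()) / len(results))

def gaps(results):
    """Sorted 'rule: resource' strings for each failing evaluation (the remaining gaps)."""
    return sorted(f"{rule}: {rid}" for (rule, rid), v in results.items() if v == "NON_COMPLIANT")
```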
4. Quick Hands-On – Feel Basic Auditing Setup
- CloudTrail console → Event history → filter for your username → see your own actions (free, no setup needed)
- Enable a trail (if not already):
  - Multi-region trail
  - Enable data events on S3 & DynamoDB
  - Logs to encrypted S3 bucket
- Enable AWS Config → add rule “S3 bucket should have encryption”
- Enable Security Hub → see aggregated compliance score
- Open AWS Artifact → download latest SOC 2 Type II report (free)
Summary Table — AWS Auditing Cheat Sheet (2026 – India Focus)
| Goal / Question | Primary Service(s) | Golden Rule / Best Practice |
|---|---|---|
| “Who did what, when, from where?” | CloudTrail (management + data events) | Enable multi-region trail + data events on critical resources |
| “Are we still compliant right now?” | AWS Config + Security Hub | Add rules like “no public S3”, “encryption on EBS/RDS” |
| “How do we prove compliance to auditors?” | AWS Audit Manager + AWS Artifact | Run assessments for RBI / SOC 2 / ISO — download reports |
| Prevent dangerous actions across accounts | AWS Organizations SCPs | Deny disabling CloudTrail, deny public S3 buckets |
Teacher’s final note (real talk – Hyderabad 2026):
Auditing is the black box flight recorder + compliance evidence locker of your AWS account.
The biggest pain points in India right now are not AWS being hacked — they are:
- No CloudTrail → “who deleted prod?” mystery
- No Config / Security Hub → compliance drift (public bucket, unencrypted RDS)
- No Audit Manager → 3-month manual evidence collection for RBI audit
Do these four things today and you’ll be safer & more audit-ready than most:
- Enable multi-region CloudTrail + data events on critical resources
- Enable AWS Config + add 5–10 basic rules (encryption, no public access)
- Enable Security Hub → one dashboard for everything
- Bookmark AWS Artifact — download SOC/PCI/ISO reports when needed
Got it? This is the “prove what happened & prove we’re doing things right” lesson.
Next?
- Step-by-step: Enable multi-region CloudTrail + data events + Athena query?
- Deep dive: AWS Audit Manager for RBI / DPDP / SOC 2 assessments?
- Or how to investigate a real incident using CloudTrail Lake?
Tell me — next whiteboard ready! 🚀📜🕵️♂️
