CloudTrail workflow - AWS CloudTrail

CloudTrail workflow

This section provides information about CloudTrail features and the tasks you can perform for these features.

Event history

View event history for your AWS account

You can view and search the last 90 days of events recorded by CloudTrail in the CloudTrail console or by using the AWS CLI. For more information, see Working with CloudTrail Event history.

Download events

You can download a CSV or JSON file containing up to the past 90 days of CloudTrail events for your AWS account. For more information, see Downloading events.

CloudTrail Lake

Enable CloudTrail Lake

CloudTrail Lake lets you run fine-grained SQL-based queries on events from both AWS sources and sources outside of AWS. Events are aggregated into event data stores, which are immutable collections of events based on criteria that you select by applying advanced event selectors. You can keep the event data in an event data store for up to 3,653 days (about 10 years) if you choose the One-year extendable retention pricing option, or up to 2,557 days (about 7 years) if you choose the Seven-year retention pricing option. CloudTrail Lake is part of an auditing solution that helps you perform security investigations and troubleshooting. For more information, see Working with AWS CloudTrail Lake.

Create an event data store

When you create an event data store in CloudTrail Lake, you choose the type of events to include in your event data store. For more information, see Create an event data store.

View Lake dashboards

You can use CloudTrail Lake dashboards to visualize the events in an event data store. You can select from several different dashboard types. For more information, see View Lake dashboards.

Log management and data events

Configure your event data stores to log read-only, write-only, or all management and data events. By default, event data stores log management events. For more information, see Create an event data store for CloudTrail events, Logging management events, and Logging data events.

Log Insights events

Configure your event data stores to log Insights events to help you identify and respond to unusual activity associated with management API calls. For more information, see Create an event data store for CloudTrail Insights events and Logging Insights events.

Additional charges apply for Insights events. You will be charged separately if you enable Insights for both trails and event data stores. For more information, see AWS CloudTrail Pricing.

Copy trail events to CloudTrail Lake

You can copy existing trail events to a CloudTrail Lake event data store to create a point-in-time snapshot of events logged to the trail. For more information, see Copy trail events to an event data store.

Enable federation on an event data store

You can federate an event data store to see the metadata associated with the event data store in the AWS Glue Data Catalog and run SQL queries on the event data using Amazon Athena. The table metadata stored in the AWS Glue Data Catalog lets the Athena query engine know how to find, read, and process the data that you want to query. For more information, see Federate an event data store.

Stop or start event ingestion on an event data store

You can stop and start event ingestion on event data stores that collect CloudTrail management and data events, or AWS Config configuration items. For more information about how to stop event ingestion in the CloudTrail console, see Stop and start event ingestion. For more information about how to stop event ingestion by using the AWS CLI, see Stop ingestion on an event data store with the AWS CLI.

Create an integration with an event source outside of AWS

You can use CloudTrail Lake integrations to log and store user activity data from outside of AWS, from any source in your hybrid environments, such as in-house or SaaS applications hosted on-premises or in the cloud, virtual machines, or containers. For information about creating an integration in the CloudTrail console, see Create an integration with an event source outside of AWS. For information about creating an integration by using the AWS CLI, see Create an integration to log events from outside AWS with the AWS CLI.

View Lake sample queries in the CloudTrail console

The CloudTrail console provides a number of sample queries that can help you get started writing your own queries. For more information, see Viewing sample queries in the CloudTrail console.

Create or edit a query

Queries in CloudTrail are authored in SQL. You can build a query on the CloudTrail Lake Editor tab by writing the query in SQL from scratch, or by opening a saved or sample query and editing it. For more information, see Create or edit a query and CloudTrail Lake SQL constraints.

Save CloudTrail Lake query results to an Amazon S3 bucket

When you run a query, you can save the query results to an S3 bucket. For more information, see Run a query and save query results.

Download saved query results

You can download a CSV file containing your saved CloudTrail Lake query results. For more information, see Download your CloudTrail Lake saved query results.

Validate saved query results

You can use CloudTrail query results integrity validation to determine whether the query results were modified, deleted, or unchanged after CloudTrail delivered the query results to the S3 bucket. For more information, see Validate saved query results.

Manage user permissions

Use AWS Identity and Access Management (IAM) to manage which users have permissions to create, configure, or delete event data stores and channels; start and stop event ingestion; and copy trail events to an event data store. For more information, see Granting permissions for CloudTrail administration.

Register a delegated administrator to manage your organization's CloudTrail resources

You can register a delegated administrator to manage your organization's CloudTrail event data stores. For more information, see Organization delegated administrator.

Work with partner solutions

Analyze your CloudTrail output with a partner solution that integrates with CloudTrail. Partner solutions offer a broad set of capabilities, such as change tracking, troubleshooting, and security analysis. For more information, see the AWS CloudTrail partner page.

Trails

Create a trail

A trail enables CloudTrail to deliver log files to your Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the S3 bucket that you specify. For more information, see Creating a trail for your AWS account.

Log management and data events

Configure your trails to log read-only, write-only, or all management and data events. By default, trails log management events. For more information, see Logging management events and Logging data events.

Log Insights events

Configure your trails to log Insights events to help you identify and respond to unusual activity associated with management API calls. For more information, see Logging Insights events.

Additional charges apply for Insights events. You will be charged separately if you enable Insights for both trails and event data stores. For more information, see AWS CloudTrail Pricing.

View Insights events

After you enable CloudTrail Insights on a trail, you can view up to 90 days of Insights events by using the CloudTrail console or the AWS CLI. For more information, see Viewing CloudTrail Insights events for trails.

Download Insights events

After you enable CloudTrail Insights on a trail, you can download a CSV or JSON file containing up to the past 90 days of Insights events for your trail. For more information, see Downloading Insights events.

Copy trail events to CloudTrail Lake

You can copy existing trail events to a CloudTrail Lake event data store to create a point-in-time snapshot of events logged to the trail. For more information, see Copying trail events to CloudTrail Lake.

Create and subscribe to an Amazon SNS topic

Subscribe to a topic to receive notifications about log file delivery to your bucket. Amazon SNS can notify you in multiple ways, including programmatically with Amazon Simple Queue Service. For information, see Configuring Amazon SNS notifications for CloudTrail.

Note

If you want to receive SNS notifications about log file deliveries from all Regions, specify only one SNS topic for your trail. If you want to programmatically process all events, see Using the CloudTrail Processing Library.

View your log files

Use Amazon S3 to retrieve log files. For information, see Getting and viewing your CloudTrail log files.

Monitor events with CloudWatch Logs

You can configure your trail to send events to CloudWatch Logs. You can then use CloudWatch Logs to monitor your account for specific API calls and events. For more information, see Monitoring CloudTrail Log Files with Amazon CloudWatch Logs.

Note

If you configure a trail that applies to all Regions to send events to a CloudWatch Logs log group, CloudTrail sends events from all Regions to a single log group.

Enable log encryption

Log file encryption provides an extra layer of security for your log files. For more information, see Encrypting CloudTrail log files with AWS KMS keys (SSE-KMS).

Enable log file integrity

Log file integrity validation helps you verify that log files have remained unchanged since CloudTrail delivered them. For more information, see Validating CloudTrail log file integrity.

Share log files with other AWS accounts

You can share log files between accounts. For more information, see Sharing CloudTrail log files between AWS accounts.

Aggregate logs from multiple accounts

You can aggregate log files from multiple accounts to a single bucket. For more information, see Receiving CloudTrail log files from multiple accounts.

Manage user permissions

Use AWS Identity and Access Management (IAM) to manage which users have permissions to create, configure, or delete trails; start and stop logging; and access buckets that have log files. For more information, see Granting permissions for CloudTrail administration.

Register a delegated administrator to manage your organization's CloudTrail resources

You can register a delegated administrator to manage your organization's CloudTrail trails. For more information, see Organization delegated administrator.

Work with partner solutions

Analyze your CloudTrail output with a partner solution that integrates with CloudTrail. Partner solutions offer a broad set of capabilities, such as change tracking, troubleshooting, and security analysis. For more information, see the AWS CloudTrail partner page.