AWS CloudTrail Questions & Answers

CloudTrail is a service provided by Amazon Web Services (AWS) that records and stores API call activities and events within the AWS account. It captures information such as the identity of the caller, the time of the API call, the actions performed, and the response received. This data is stored in a log file, which can be viewed and analyzed for security, compliance, and troubleshooting purposes.

CloudTrail is helpful for security as it logs all API requests and actions performed in the cloud environment which enables responding to security threats faster.

CloudTrail transfers a log file into the Amazon S3 bucket and KMS responds to this request by generating a special data key which is sent to Amazon S3 in two copies, one as plaintext and the other as encrypted along with the specific KMS key.

CloudTrail logs API calls. It captures all API requests made by or on behalf of the Amazon cloud account.

Any change in the resources can be recorded using CloudTrail. With this tool, the client can keep track of who made the change, when the change was made, and who did the change.

Logs for the last 90 days, can be viewed in the console of the CloudTrail. They can also be downloaded based on a filter or a time range. They may contain all the information or a subset depending on the client’s needs.

In the pre-defined settings, CloudTrail stores the logs indefinitely. However, the user can use the S3 Object Lifecycle to define their own policy for the retention of logs for as long as they require.

By logging API activity, the two use cases solved by AWS CloudTrail are Operational and Security.

AWS CloudTrail can be integrated with Amazon Athena, which queries the logs, and AWS CloudWatch, which monitors the logs, to store activities performed in the environment.

The AWS CloudTrail logs only management events in the JSON log format by default. Insight events or data events are not logged by default, but they are logged after the client configures CloudTrail to do so.