Operations Management

API Audit Logging with AWS CloudTrail - Trail Design and Security Analysis

Record all API activity and run advanced analysis with SQL queries in CloudTrail Lake. This article covers automatic anomaly detection with Insights and real-time detection through EventBridge integration.

約 3 分で読めます

Overview of CloudTrail

CloudTrail is a service that records API activity in your AWS account. Every API call is recorded, including EC2 instance launches, S3 bucket creation, and IAM policy changes. By default, management events from the past 90 days can be viewed for free, and creating a trail stores them indefinitely in an S3 bucket.

Trail Design and CloudTrail Lake

An organization trail applied to all regions is recommended. Events are stored in JSON format in an S3 bucket and encrypted with SSE-KMS. CloudTrail Lake retains events in an event data store for up to 7 years and allows searching and analysis with SQL queries. You can instantly run queries such as "events where an IAM user was created in the past 30 days" or "API calls from a specific IP address." Insights uses ML to learn the baseline of API calls and detects anomalous patterns, such as a 10x spike in API call volume.

Data Events and Insights

Data events record S3 object-level operations (GetObject, PutObject), Lambda function invocations, and DynamoDB table operations. Since the volume of data events is significantly higher than management events, you should narrow down the target resources before enabling them. CloudTrail Insights automatically detects anomalous patterns in management events, such as sudden spikes in API call counts or rising error rates, highlighting activity that deviates from normal behavior. For example, if RunInstances, which is normally called about 10 times a day, is suddenly called 1,000 times, an Insights event is generated. Integration with EventBridge enables real-time detection of specific API calls (such as DeleteBucket or StopLogging), triggering alerts via Lambda. For a comprehensive guide from basics to advanced usage of CloudTrail, check out books on Amazon.

CloudTrail Cost Optimization

The first trail for management events is free, and additional trails cost approximately $2 per 100,000 events. Data events cost approximately $0.10 per 100,000 events, and costs can surge rapidly in environments with heavy S3 read operations. CloudTrail Lake queries are billed based on the amount of data scanned, at approximately $0.005 per GB. To manage costs, limit data event targets to sensitive buckets and critical Lambda functions, and avoid blanket application across all resources. Use S3 lifecycle rules to manage the retention period of stored logs and migrate older logs to Glacier to reduce storage costs.

Summary

CloudTrail is an audit logging service that records all API activity in your AWS account. Use CloudTrail Lake for advanced analysis with SQL queries, and Insights for automatic detection of anomalous API call patterns. Centrally manage logs across all accounts with organization trails, and achieve real-time detection of security events through EventBridge integration.

Related Services

AWS CloudTrailA service that records and monitors API activity in your AWS accountAmazon S3A scalable object storage serviceAmazon GuardDutyA machine learning-powered threat detection service

Related Articles

Continuous Compliance Monitoring with AWS Config - Rule Evaluation and Auto-RemediationLearn how to record resource configurations with AWS Config, evaluate compliance using Config rules, and set up auto-remediation actions.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.

More on This Topic

How AWS Keeps Time Internally - Amazon Time Sync Service and Leap Second Smearing DesignLearn how Amazon Time Sync Service works, how GPS and atomic clocks provide high-precision time sources, the design decision to absorb leap seconds through smearing, and why time synchronization matters in distributed systems.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.Implementing Feature Flags with AWS AppConfig - Safe Configuration Deployment and RollbackRoll out configuration changes independently from code deployments using Linear and Exponential strategies. Ensure safety with automatic rollback triggered by CloudWatch alarms.Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Lessons from AWS Incident Reports (COE) - How Past Major Outages Shaped Design PrinciplesAnalyze the root causes of past major incidents including the S3 outage, us-east-1 DNS failure, and Kinesis outage from AWS's published Correction of Errors (COE) and incident reports, and explain how they changed AWS's design principles.Tag Design Determines Operations - Trivia and Practical Naming Conventions for AWS Resource Tagging StrategyWe explain why AWS resource tags are not just labels but the foundation for cost allocation, access control, and automation, covering tag key naming conventions, how to use the 50-tag limit, and governance through tag policies.Why AWS Service Quotas Exist - Multi-Tenant Design That Protects Shared InfrastructureExplain how AWS service quotas (formerly service limits) are not mere restrictions but a design to protect other customers in a multi-tenant environment, covering the noisy neighbor problem, soft vs hard limits, and what happens behind quota increase requests.

Similar Articles and Services

CloudTrail Sees Everything - How API Calls Are Recorded and Practical Forensic InvestigationThis article explains how CloudTrail records AWS API calls, the differences between management events and data events, SQL analysis with CloudTrail Lake, and forensic investigation techniques when a security incident occurs.AWS CloudTrailAutomatically records all API calls in your AWS account, enabling you to track who did what and when for auditing and securityAudit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Building a Security Data Lake with Amazon Security Lake - Unified Analysis in OCSF FormatLearn about Security Lake's automatic aggregation of CloudTrail, VPC Flow Logs, and Route 53 logs, OCSF normalization, and integration with subscribers.