Q: What is AWS CloudTrail?
AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket.
Q: What are the benefits of CloudTrail?
CloudTrail provides visibility into user activity by recording API calls made on your account. CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards. For more details, refer to the AWS compliance white paper “Security at scale: Logging in AWS”.
Q: Who should turn on CloudTrail?
Customers who need to track changes to resources, answer simple questions about user activity, demonstrate compliance, troubleshoot, or perform security analysis should turn on CloudTrail.
Q: How do I get started with CloudTrail?
The quickest way to get started with CloudTrail is to use the AWS Management Console. You can turn on CloudTrail in two clicks.
Q:How does CloudTrail deliver API call information?
CloudTrail delivers API call information by depositing log files in an Amazon S3 bucket that you choose and configure. Each log file can contain multiple events, and each event represents an API call.
Q:Do I turn on CloudTrail globally or regionally?
You turn on CloudTrail on a per-region basis. If you use multiple AWS regions, you can choose where log files are delivered for each region. For example, you can have a separate Amazon S3 bucket for each region, or you can aggregate log files from all regions in a single S3 bucket.
Q:What services are supported by CloudTrail?
Currently, API calls are recorded and delivered for the following services:
- Amazon Elastic Compute Cloud (Amazon EC2)
- Amazon Elastic Block Store (Amazon EBS)
- Amazon Elastic MapReduce (EMR)
- Amazon Redshift
- Amazon Relational Database Service (Amazon RDS)
- Amazon Virtual Private Cloud (Amazon VPC)
- Amazon CloudWatch
- Amazon CloudFront
- Amaon Kinesis
- Elastic Load Balancing (ELB)
- Amazon Simple Workflow
- AWS CloudTrail
- AWS CloudFormation
- AWS OpsWorks
- AWS DirectConnect
- AWS Elastic Beanstalk
- AWS Identity and Access Management (AWS IAM)
- AWS Security Token Service (AWS STS)
- AWS Simple Queue Service (AWS SQS)
- Amazon ElastiCache
CloudTrail will support other AWS services in the future. Your feedback on AWS forums will help us prioritize this on our roadmap.
Q:How are global AWS services supported?
API calls for global AWS services such as AWS IAM and AWS STS are recorded and delivered by CloudTrail along with regional events. By default, CloudTrail delivers API calls for global services in every region.
Q:What regions are supported?
Currently, CloudTrail is available in US East (Northern Virginia), US West (Oregon and Northern California), EU West (Ireland), AP Northeast (Tokyo), AP Southeast (Singapore), AP Southeast (Sydney) and SA East (Sao Paulo) regions. CloudTrail will be supported in other AWS regions in the future.
Q:Are API calls made from the AWS Management Console recorded?
Yes. CloudTrail records API calls made from any client. The AWS Management Console, AWS SDKs, command line tools, and higher level AWS services call AWS APIs, so these calls are recorded.
Q:Where are my log files stored and processed before they are delivered to my Amazon S3 bucket?
API call information for services with regional end points (EC2, RDS etc.) is captured and processed in the same region as to which the API call is made and delivered to the region associated with your Amazon S3 bucket. API call information for services with single end points (IAM, STS etc.) is captured in the region where the end point is located, processed in the region where the CloudTrail trail is configured and delivered to the region associated with your Amazon S3 bucket.
Q:How much does CloudTrail cost?
There is no additional charge for CloudTrail, but standard rates for Amazon S3 and Amazon Simple Notification Service (SNS) usage apply.
Q:How do the AWS partner solutions help me analyze the events recorded by CloudTrail?
Multiple partners offer integrated solutions to analyze CloudTrail log files. These solutions include features like change tracking, troubleshooting, and security analysis. For more information, see the CloudTrail partners section.
Q:How can I secure my CloudTrail log files?
By default, CloudTrail log files are encrypted using S3 Server Side Encryption (SSE) and placed into your S3 bucket. You can control access to log files by applying IAM or S3 bucket policies. You can add an additional layer of security by enabling S3 Multi Factor Authentication (MFA) Delete on your S3 bucket. For more details on creating and updating a trail, see the CloudTrail documentation.
Q:Where can I download a sample S3 bucket policy and an SNS topic policy?
You can download a sample S3 bucket policy and an SNS topic policy from CloudTrail S3 bucket. You need to update the sample policies with your information before you apply them to your S3 bucket or SNS topic.
Q:How long can I store my activity log files?
You control the retention policies for your CloudTrail log files. By default, log files are stored indefinitely. You can use Amazon S3 object lifecycle management rules to define your own retention policy. For example, you may want to delete old log files or archive them to Amazon Glaicer.
Q:What information is available in an event?
An event contains information about the associated API call: the identity of the caller, the time of the call, the source IP address, the request parameters, and the response elements returned by the AWS service. For more details, see the CloudTrail Event Reference section of the user guide.
Q:How long does it take CloudTrail to deliver an event for an API call?
Typically, CloudTrail delivers an event within 15 minutes of the API call.
Q:How often will CloudTrail deliver log files to my Amazon S3 bucket?
CloudTrail delivers log files to your S3 bucket approximately every 5 minutes. CloudTrail does not deliver log files if no API calls are made on your account.
Q:Can I be notified when new log files are delivered to my Amazon S3 bucket?
Yes. You can turn on Amazon SNS notifications so that you can take immediate action on delivery of new log files.
Q: What happens if CloudTrail is turned on for my account but my Amazon S3 bucket is not configured with the correct policy?
CloudTrail log files are delivered in accordance with the S3 bucket policies that you have in place. If the bucket policies are misconfigured, CloudTrail may not be able to deliver log files.
Q:I have multiple AWS accounts. I would like log files for all the accounts to be delivered to a single S3 bucket. Can I do that?
Yes. You can configure one S3 bucket as the destination for multiple accounts. For detailed instructions, refer to aggregating log files to a single Amazon S3 bucket section of the AWS CloudTrail User Guide
Q:What other logging support is available for AWS?
Amazon S3 provides server access logging, which enables logging for requests made against Amazon S3 buckets. Amazon CloudFront provides similar access logging support for CloudFront distributions.
Q:Will turning on CloudTrail impact the performance of my AWS resources, or increase API call latency?
No. Turning on CloudTrail has no impact on performance of your AWS resources or API call latency.