AWS CloudTrail now provides relevant user statistics to act on anomalies detected by CloudTrail Insights

Posted on: Aug 25, 2020

CloudTrail Insights now helps you correlate user identities, user agents, and error codes associated with unusual levels of API activity. You can now identify the IAM users and roles with the highest levels of API activity during periods of both anomalous and normal activity. This capability helps you analyze and act on anomalies without manually searching through a large number of CloudTrail events.

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. CloudTrail Insights, a feature of CloudTrail, helps you identify anomalous operational activity in your AWS accounts such as spikes in resource provisioning, bursts of AWS Identity and Access Management (IAM) actions, or gaps in periodic maintenance activity.  

To get started, you'll need to have CloudTrail Insights enabled on at least one trail. After you log Insights events, choose an Insights event in your AWS CloudTrail console to view the event's details, and open the Attributions tab. You'll see statistics about up to the top five user identities, user agents, and error codes associated with the Insights event.  
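The same comparison the Attributions tab presents can be made on a logged Insights event record. The following is an added example, not AWS code: it assumes the `insightDetails.insightContext.attributions` layout of Insights event records (not shown in this announcement), and the sample record, the function name `rank_attributions` and the `surge_factor` threshold are constructed for illustration.

```python
import json

# Constructed sample: one Insights event record trimmed to the fields used here.
# The account ID, role and user names, and averages are made up.
SAMPLE_EVENT = json.loads("""
{"eventCategory": "Insight",
 "insightDetails": {
  "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "insightType": "ApiCallRateInsight",
  "insightContext": {"attributions": [
   {"attribute": "userIdentityArn",
    "insight": [
     {"value": "arn:aws:sts::111122223333:assumed-role/ExampleDeployRole", "average": 42.0},
     {"value": "arn:aws:iam::111122223333:user/example-admin", "average": 1.5}],
    "baseline": [
     {"value": "arn:aws:iam::111122223333:user/example-admin", "average": 1.2}]},
   {"attribute": "errorCode",
    "insight": [{"value": "AccessDenied", "average": 30.0},
                {"value": "null", "average": 13.5}],
    "baseline": [{"value": "null", "average": 1.2}]}]}}}
""")

def rank_attributions(event, attribute, surge_factor=5.0):
    """Return (value, insight_avg, baseline_avg, flag) rows, highest insight average first."""
    context = event.get("insightDetails", {}).get("insightContext", {})
    for attr in context.get("attributions", []):
        if attr.get("attribute") != attribute:
            continue
        baseline = {b["value"]: b["average"] for b in attr.get("baseline", [])}
        rows = []
        for entry in attr.get("insight", []):
            base = baseline.get(entry["value"])
            if base is None:
                flag = "new"      # not among the baseline's top values (only the top few are listed)
            elif entry["average"] >= surge_factor * base:
                flag = "surge"    # assumed threshold: insight average is surge_factor x baseline
            else:
                flag = "steady"
            rows.append((entry["value"], entry["average"], base, flag))
        return sorted(rows, key=lambda r: r[1], reverse=True)
    return []  # attribute not present, or a record without attributions

if __name__ == "__main__":
    for row in rank_attributions(SAMPLE_EVENT, "userIdentityArn"):
        print(row)
```

An identity flagged `new` is one that does not appear in the baseline's listed top values, so it is a lead for review rather than proof that the identity was never active before.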

This update is now available in all AWS Regions where AWS CloudTrail is offered, excluding China (Beijing) and China (Ningxia). To learn more about AWS CloudTrail Insights, see the AWS CloudTrail page and CloudTrail Insights documentation.