AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
- Amazon S3 Bucket level API calls are now available in AWS CloudTrail
- Introducing support for looking up API activity in AWS CloudTrail
- CloudFormation template to create CloudWatch alarms and receive email notifications for critical network and security API calls made in your AWS account
- AWS CloudTrail integration with Amazon CloudWatch Logs now available in Sydney, Singapore, Frankfurt and Tokyo regions
- AWS CloudTrail is now available in the US GovCloud region
CloudTrail provides increased visibility into your user activity by recording AWS API calls. You can answer questions such as, what actions did a given user take over a given time period? For a given resource, which user has taken actions on it over a given time period? What is the source IP address of a given activity? Which activities failed due to inadequate permissions?
CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably and inexpensively. You can use Amazon S3 lifecycle configuration rules to further reduce storage costs. For example, you can define rules to automatically delete old log files or archive them to Amazon Glacier for additional savings.
CloudTrail is a fully managed service; you simply turn on CloudTrail for your account using the AWS Management Console, the Command Line Interface, or the CloudTrail SDK and start receiving CloudTrail log files in the Amazon Simple Storage Service (Amazon S3) bucket that you specify.
CloudTrail can be configured to publish a notification for each log file delivered, thus enabling you to automatically take action upon log file delivery. CloudTrail uses the Amazon Simple Notification Service (SNS) for notifications.
Multiple partners including AlertLogic, Boundary, Loggly, Splunk and Sumologic offer integrated solutions to analyze CloudTrail log files. These solutions include features like change tracking, troubleshooting, and security analysis. For more information, see the CloudTrail partners section.
CloudTrail can be configured to aggregate log files across multiple accounts and regions so that log files are delivered to a single bucket. For detailed instructions, refer to the Aggregating CloudTrail Log Files to a Single Amazon S3 Bucket section of the user guide.
CloudTrail continuously transports events from AWS services using a highly available and fault tolerant processing pipeline. CloudTrail typically delivers events within 15 minutes of the API call.
You can troubleshoot operational issues or perform security analysis by looking up API activity that was captured for your AWS account. Using the AWS CloudTrail console, AWS CLI, or AWS SDKs, you can quickly and easily answer questions related to API activity for the last 7 days and take immediate action. For more details, refer to this section of CloudTrail documentation for looking up API activity.
By default, CloudTrail encrypts all log files delivered to the specified Amazon S3 bucket using Amazon S3 server-side encryption (SSE). Optionally, you can add an additional layer of security to your CloudTrail log files by encrypting the log files with your AWS Key Management Service (KMS) key. Amazon S3 will automatically decrypt your log files if you have decrypt permissions. For more details, refer to encrypting log files using your KMS key.
You can validate the integrity of CloudTrail log files stored in your Amazon S3 bucket and detect whether the log files were unchanged, modified, or deleted since CloudTrail delivered them to your Amazon S3 bucket. You can use the log file integrity validation as an aid in your IT security and auditing processes.
Currently, CloudTrail supports the following services:
- Amazon Elastic Compute Cloud (Amazon EC2)
- Elastic Load Balancing (ELB)
- Amazon EC2 Container Service
- AWS Lambda
- Amazon Simple Storage Service (Amazon S3)
- Amazon Elastic Block Store (Amazon EBS)
- AWS Storage Gateway
- Amazon Glacier
- Amazon CloudFront
- Amazon Relational Database Service (Amazon RDS)
- Amazon Redshift
- Amazon Elasticache
- Amazon DynamoDB
- AWS Direct Connect
- Amazon Virtual Private Cloud (Amazon VPC)
- Amazon Route 53
- AWS Simple Queue Service (AWS SQS)
- Amazon Simple Notification Service (AWS SNS)
- Amazon Simple WorkFlow
- Amazon Cloudsearch
- Amazon Elastic Transcoder
- Amazon Simple Email Service
- AWS CloudFormation
- AWS OpsWorks
- AWS CodeDeploy
- AWS Elastic Beanstalk
- AWS Identity and Access Management (AWS IAM)
- AWS Security Token Service (AWS STS)
- AWS CloudTrail
- AWS Key Management Service
- Amazon CloudWatch
- AWS Config
- AWS Directory Service
- Amazon Kinesis
- Amazon Elastic Map Reduce (EMR)
- AWS Data Pipeline
- Amazon WorkDocs
- Amazon WorkSpaces
Currently, CloudTrail supports the following regions:
- US East (Northern Virginia)
- US West (Oregon)
- US West (Northern California)
- EU (Ireland)
- EU (Frankfurt)
- AP Northeast (Tokyo)
- AP Southeast (Sydney)
- AP Southeast (Singapore)
- SA East (Sao Paulo)
- GovCloud (US)
- Beijing (China)
You can use the AWS API call history produced by CloudTrail as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
You can use the AWS API call history produced by CloudTrail to track changes to AWS resources, including creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
You can use the AWS API call history produced by CloudTrail to troubleshoot operational issues. For example, you can quickly identify the most recent changes made to resources in your environment.