AWS Management & Governance Blog

AWS CloudTrail best practices

Thanks to the following AWS CloudTrail experts for their work on this post:

  • Avneesh Singh, Senior Product Manager, AWS CloudTrail
  • Jeff McRae, Software Development Manager, AWS CloudTrail
  • Keith Robertson, Software Development Manager, AWS CloudTrail
  • Susan Ferrell, Senior Technical Writer, AWS

Are you taking advantage of all the features and functionality that AWS CloudTrail offers? Here are some best practices, tips, and tricks for working with CloudTrail to help you get the most out of using it.

This service is enabled for you when you create your AWS account, and it’s easy to set up a trail for continuous logging and history. This post answers some frequently asked questions that people ask about CloudTrail.

What is CloudTrail?

CloudTrail is an AWS service that enables governance, compliance, and operational and risk auditing of your AWS account. Use the information recorded in CloudTrail logs and in the CloudTrail console to review information about actions taken by a user, role, or AWS service. Each action is recorded as an event in CloudTrail, including actions taken in the AWS Management Console and with the AWS CLI, AWS SDKs, and APIs.

How does CloudTrail work across Regions?

Keep AWS Regions in mind when working with CloudTrail. CloudTrail always logs events in the AWS Region where they occur, unless they are global service events.

If you sign in to the console to perform an action, the sign-in event is a global service event, and it is logged to any multi-region trail in the US East (N. Virginia) Region, or to a single-region trail in any Region that contains global service events. But if you create a trail that only logs events in US East (Ohio), without global service events, a sign-in event would not be logged.

How do I start using CloudTrail?

Create a trail! Although CloudTrail is enabled for you by default in the CloudTrail console, the Event history only covers the most recent 90 days of management event activity. Anything that happened before then is no longer available—unless you create a trail to keep an ongoing record of events.

When creating your first trail, we recommend creating one that logs management events for all Regions. Here’s why:

  • Simplicity. A single trail that logs management events in all Regions is easier to maintain over time. For example, if you create a trail named LogsAllManagementEventsInAllRegions, it’s obvious what events that trail logs, isn’t it? No matter how your usage changes or how AWS changes, the scope remains the same. Over time, as new AWS Regions are added, and you work in more than one AWS Region, that trail still does what it says: logs all management events in every AWS Region. You have a complete record of all management events that CloudTrail logs.
  • No surprises. Global service events are included in your logs, along with all other management events. If you create a trail in a single AWS Region, you only log events in that Region—and global service events may not necessarily be logged in that Region.
  • You know what you’re paying. If this is your first trail, and you log all management events in all AWS Regions, it’s free. Then, create additional trails to meet your business needs. For example, you can add a second trail for management events that copies all management events to a separate S3 bucket for your security team to analyze, and you are charged for the second trail. If you add a trail to log data events for Amazon S3 buckets or AWS Lambda functions, even if it’s the first trail capturing data events, you are charged for it, because a trail that captures data events always incurs charges. For more information about CloudTrail costs, see AWS CloudTrail Pricing.

How do I manage costs for CloudTrail?

That’s a common request. Here are some ways to get started:

I created a trail. What should I do next?

Consider two important things: who has access to your log files, and how to get the most out of those log files. Then do the following:

Understanding log files and what’s in them helps you become familiar with your AWS account activity and spot unusual patterns.

Over time, you’ll find there are many log files with a lot of data. CloudTrail makes a significant amount of data available to you. To get the most out of the data collected by CloudTrail, and to make that data actionable, you might want to use the query power of Amazon Athena, an interactive, serverless query service that makes it easy for anyone with SQL skills to quickly analyze large-scale datasets. You could also set up Amazon CloudWatch to monitor your logs and notify you when specific activities occur. For more information, see AWS Service Integrations with CloudTrail Logs.
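The point above is that the log file data only becomes useful once you know its shape. As an added example, not part of the original post, the following Python reads a CloudTrail log file in the gzipped JSON layout that CloudTrail delivers to S3 (a top-level object with a `Records` array) and flags three patterns a reviewer typically looks for: console logins without MFA, activity by the root user, and repeated AccessDenied errors from one principal. The records, IP addresses and the account ID 123456789012 are constructed sample data, not events from a real account; the finding names are this example's own labels.

```python
"""Parse a CloudTrail log file and flag activity worth a closer look.

Added example, not from the original post. The gzipped {"Records": [...]}
layout matches what CloudTrail writes to S3; the sample records below are
constructed, not taken from a real account.
"""
import gzip
import io
import json
from collections import Counter


def _rec(event_source, event_name, identity, ip, **extra):
    """Build one constructed record in the shape of a CloudTrail log entry."""
    record = {
        "eventVersion": "1.08",
        "eventTime": "2023-01-10T08:00:00Z",
        "eventSource": event_source,
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
        "userIdentity": identity,
    }
    record.update(extra)
    return record


# Constructed sample: one login without MFA, one with MFA, one root action,
# and three AccessDenied errors from the same IAM user.
SAMPLE_RECORDS = [
    _rec("signin.amazonaws.com", "ConsoleLogin",
         {"type": "IAMUser", "userName": "alice"}, "198.51.100.7",
         responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "No"}),
    _rec("signin.amazonaws.com", "ConsoleLogin",
         {"type": "IAMUser", "userName": "bob"}, "198.51.100.8",
         responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "Yes"}),
    _rec("iam.amazonaws.com", "CreateUser",
         {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
         "198.51.100.9"),
] + [
    _rec("ec2.amazonaws.com", "DescribeInstances",
         {"type": "IAMUser", "userName": "carol"}, "203.0.113.5",
         errorCode="AccessDenied")
    for _ in range(3)
]


def build_log_file(records):
    """Serialize records into the gzipped JSON file layout CloudTrail delivers."""
    payload = json.dumps({"Records": records}).encode()
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(payload)
    return buf.getvalue()


def load_records(gz_bytes):
    """Decompress a CloudTrail log file and return its Records list."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as gz:
        return json.load(gz)["Records"]


def actor(record):
    """Name the principal behind a record: 'root', an IAM user name, or an ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def review(records, denied_threshold=3):
    """Return (finding, subject, detail) tuples for the patterns described above."""
    findings = []
    denied = Counter()
    for r in records:
        who = actor(r)
        # Console sign-in events carry MFAUsed under additionalEventData.
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("console-login-without-mfa", who, r["sourceIPAddress"]))
        if who == "root":
            findings.append(("root-activity", r["eventName"], r["awsRegion"]))
        if r.get("errorCode") == "AccessDenied":
            denied[who] += 1
    for who, n in denied.items():
        if n >= denied_threshold:
            findings.append(("repeated-access-denied", who, n))
    return findings


if __name__ == "__main__":
    for finding in review(load_records(build_log_file(SAMPLE_RECORDS))):
        print(*finding)
```

To run it over a real file, replace `build_log_file(SAMPLE_RECORDS)` with the bytes of an object downloaded from your trail's S3 bucket; the same `review` function applies because it only relies on the `eventName`, `errorCode`, `userIdentity` and `additionalEventData` fields of each record.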

Is there a better way to log events for several AWS accounts instead of creating a trail for each one?

Yes, there is! To manage multiple AWS accounts, you can create an organization in AWS Organizations. Then create an organization trail, which is a single trail configuration that is replicated to all member accounts automatically. It logs events for all accounts in an organization, so you can log and analyze activity for all organization accounts.

Only the master account for an organization can create or modify an organization trail. This makes sure that the organization trail captures all log information as configured for that organization. An organization trail’s configuration cannot be modified, enabled, or disabled by member accounts. For more information, see Creating a Trail for an Organization.

Why can’t I find a specific event that I’m looking for?

While the log files from multi-region trails contain events from all Regions, the events in Event history are specific to the AWS Region where they’re logged.

If you don’t see events that you expect to find, double-check which AWS Region you’re logged into in the selector. If necessary, change the setting to the AWS Region where the event occurred.

Also, keep in mind that the console only shows you events that occurred up to 90 days ago in your AWS account. If you’re looking for an older event, you won’t see it. That’s one reason it’s so important to have a trail that logs events to an S3 bucket; that data stays there until you decide not to keep it.

What are some best practices for working with CloudTrail?

Be familiar with your CloudTrail logs. Having a general familiarity with and understanding of your CloudTrail log file data and structure helps you spot and troubleshoot any issues that might arise.

Here are some things to avoid doing under most circumstances:

Avoid creating trails that log events for a single AWS Region

Although CloudTrail supports this, we recommend against creating this kind of trail for several reasons.

Some AWS services appear to be “global” (you can call the action from any Region, but it runs in another AWS Region), yet they do not log global service events to CloudTrail. A trail that logs events in all AWS Regions shows data about all events logged for your AWS account, regardless of the AWS Region in which they occur.

For example, Organizations is a global service, but it only logs events in the US East (N. Virginia) Region. If you create a trail that only logs events in US East (Ohio), you do not see events for this service in the log files delivered to your S3 bucket.

Also, a trail that logs events in a single AWS Region can be confusing when it comes to cost management. Only the first copy of a logged management event is free. If you already have a trail that logs events in a single AWS Region and then create a multi-region trail, the second and any subsequent trails incur costs. For more information, see AWS CloudTrail Pricing.

Avoid using the create-subscription and update-subscription commands to create and manage your trails

We recommend that you do not use the create-subscription or update-subscription commands, because these commands are on a deprecation path, and might be removed in a future release of the CLI. Instead, use the create-trail and update-trail commands. If you’re programmatically creating trails, use an AWS CloudFormation template.
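The recommendations above (make your first trail a multi-Region trail that includes global service events, avoid single-Region trails, and create trails with create-trail rather than the deprecated subscription commands) can be checked and applied programmatically. The following Python is an added example, not code from the original post or from the CloudTrail team: `audit_trails` takes trail descriptions in the shape returned by boto3's `describe_trails()` (`Name`, `HomeRegion`, `IsMultiRegionTrail`, `IncludeGlobalServiceEvents`, `IsOrganizationTrail`, `S3BucketName`) and reports which recommendations are not met, and `create_recommended_trail` creates and starts a trail through the `create_trail` and `start_logging` API calls that the create-trail CLI command wraps. The two sample trails and bucket names are constructed; the finding labels are this example's own; the client is passed in so the function can be exercised without AWS credentials.

```python
"""Audit existing trails against this post's recommendations and create a
recommended trail. Added example, not from the original post; the sample
trails below are constructed, and the dictionaries mirror the fields that
boto3's describe_trails() returns."""

# Constructed sample: one single-Region trail in Ohio and one multi-Region trail.
SAMPLE_TRAILS = [
    {"Name": "ohio-only", "HomeRegion": "us-east-2",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False,
     "IsOrganizationTrail": False, "S3BucketName": "example-logs-ohio"},
    {"Name": "LogsAllManagementEventsInAllRegions", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "IsOrganizationTrail": False, "S3BucketName": "example-logs-all"},
]


def audit_trails(trails):
    """Return (finding, detail) tuples; an empty list means every check passed."""
    findings = []
    # At least one multi-Region trail gives a complete record of management events.
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append(("no-multi-region-trail", None))
    # Without global service events, sign-ins and other global actions are missed.
    if not any(t.get("IncludeGlobalServiceEvents") for t in trails):
        findings.append(("global-service-events-not-captured", None))
    for t in trails:
        if not t.get("IsMultiRegionTrail"):
            findings.append(("single-region-trail", t["Name"]))
    # Only the first copy of a management event is free; more trails cost more.
    if len(trails) > 1:
        findings.append(("multiple-trails-may-incur-charges", len(trails)))
    return findings


def create_recommended_trail(client, name, bucket, organization=False):
    """Create and start a multi-Region trail with global service events.

    `client` is a boto3 CloudTrail client (or a stand-in exposing the same
    create_trail / start_logging methods). IsOrganizationTrail=True only
    works from the organization's management account.
    """
    created = client.create_trail(
        Name=name,
        S3BucketName=bucket,
        IsMultiRegionTrail=True,
        IncludeGlobalServiceEvents=True,
        IsOrganizationTrail=organization,
    )
    # A trail records nothing until logging is started.
    client.start_logging(Name=name)
    return created


def main():
    """Audit the account's trails if boto3 and credentials are available,
    otherwise fall back to the constructed sample."""
    try:
        import boto3  # not required for the sample run
        trails = boto3.client("cloudtrail").describe_trails()["trailList"]
    except Exception:
        trails = SAMPLE_TRAILS
    for finding in audit_trails(trails) or [("all-checks-passed", None)]:
        print(*finding)


if __name__ == "__main__":
    main()
```

The S3 bucket named in `create_recommended_trail` must already carry a bucket policy that lets CloudTrail write to it, which is the same requirement the console enforces when you create a trail interactively.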

What else should I know?

Talk to us! We always want to hear from you! Tell us what you think about CloudTrail, and let us know features that you want to see or content that you’d like to have. You can reach us through the following resources: