By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
(Zero-Fluff, Hands-On Guide for AWS Solutions Architect – Associate)
CloudTrail is AWS’s audit log service. It records who did what, when, and from where across your AWS accounts. Think of it like a security camera for your cloud infrastructure—if someone deletes an S3 bucket, modifies an IAM policy, or spins up an EC2 instance, CloudTrail logs it.
p4d.24xlarge
You’re a cloud engineer at a fintech startup. Your CISO just asked: - "How do we track every time someone modifies an IAM policy in our production account?" - "Can we log every S3 object deletion across all our accounts in one place?" - "If a developer accidentally exposes an S3 bucket to the public, how do we detect it within 5 minutes?"
CloudTrail is the answer. But if you don’t configure it correctly, you’ll miss critical events—or drown in useless logs.
CreateBucket
DeleteUser
RunInstances
CreateVPC
AttachRolePolicy
DeleteTable
PutObject
Invoke
PutItem
us-west-1
us-east-1
DeleteBucket
GetObject
✅ AWS account with AdministratorAccess (or cloudtrail:* permissions).✅ AWS CLI installed (aws --version).✅ (Optional) AWS Organizations set up (for Organization Trail).
cloudtrail:*
aws --version
(Best practice: Store logs in a separate account for security.)
aws s3api create-bucket \ --bucket my-company-cloudtrail-logs \ --region us-east-1 \ --create-bucket-configuration LocationConstraint=us-east-1
Enable Bucket Versioning & Encryption:
aws s3api put-bucket-versioning \ --bucket my-company-cloudtrail-logs \ --versioning-configuration Status=Enabled aws s3api put-bucket-encryption \ --bucket my-company-cloudtrail-logs \ --server-side-encryption-configuration '{ "Rules": [{ "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" } }] }'
Block Public Access:
aws s3api put-public-access-block \ --bucket my-company-cloudtrail-logs \ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
(Replace my-company-cloudtrail with your trail name.)
my-company-cloudtrail
aws cloudtrail create-trail \ --name my-company-cloudtrail \ --s3-bucket-name my-company-cloudtrail-logs \ --is-multi-region-trail \ --enable-log-file-validation \ --is-organization-trail # Only if using AWS Organizations
Enable S3 Data Events (Log All S3 Object-Level Actions):
aws cloudtrail put-event-selectors \ --trail-name my-company-cloudtrail \ --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"] }] }]'
Enable Lambda Data Events (Log All Lambda Invocations):
aws cloudtrail put-event-selectors \ --trail-name my-company-cloudtrail \ --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{ "Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"] }] }]'
Verify the Trail:
aws cloudtrail get-trail --name my-company-cloudtrail
Expected Output:
{ "Trail": { "Name": "my-company-cloudtrail", "S3BucketName": "my-company-cloudtrail-logs", "IsMultiRegionTrail": true, "LogFileValidationEnabled": true, "IsOrganizationTrail": false } }
(Example: Alert on DeleteBucket or CreateAccessKey.)
CreateAccessKey
Create a CloudWatch Logs Group:
aws logs create-log-group --log-group-name CloudTrail/Logs
Create a Metric Filter (Alert on DeleteBucket):
aws logs put-metric-filter \ --log-group-name CloudTrail/Logs \ --filter-name "DeleteBucket-Alert" \ --filter-pattern '{ $.eventName = "DeleteBucket" }' \ --metric-transformations metricName=DeleteBucketCount,metricNamespace=CloudTrail,metricValue=1
Create a CloudWatch Alarm:
aws cloudwatch put-metric-alarm \ --alarm-name "CloudTrail-DeleteBucket-Alarm" \ --metric-name DeleteBucketCount \ --namespace CloudTrail \ --statistic Sum \ --period 300 \ --threshold 1 \ --comparison-operator GreaterThanOrEqualToThreshold \ --evaluation-periods 1 \ --alarm-actions arn:aws:sns:us-east-1:123456789012:SecurityAlerts
Trigger a Test Event (Delete an S3 Object):
aws s3api put-object --bucket my-test-bucket --key test.txt --body test.txt aws s3api delete-object --bucket my-test-bucket --key test.txt
Check CloudTrail Logs in S3:
aws s3 ls s3://my-company-cloudtrail-logs/AWSLogs/123456789012/CloudTrail/us-east-1/$(date +%Y/%m/%d)/ --recursive
Download and Inspect a Log File:
aws s3 cp s3://my-company-cloudtrail-logs/AWSLogs/123456789012/CloudTrail/us-east-1/$(date +%Y/%m/%d)/123456789012_CloudTrail_us-east-1_$(date +%Y%m%dT%H%MZ).json.gz .gunzip 123456789012_CloudTrail_us-east-1_*.json.gz cat 123456789012_CloudTrail_us-east-1_*.json | jq '.Records[] | select(.eventName == "DeleteObject")'
{ "eventVersion": "1.08", "eventTime": "2023-10-01T12:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.42", "userAgent": "[aws-cli/2.13.0]", "requestParameters": { "bucketName": "my-test-bucket", "key": "test.txt" }, "responseElements": { "x-amz-request-id": "EXAMPLE123456789", "x-amz-id-2": "EXAMPLEabcdef123456789" }, "resources": [ { "type": "AWS::S3::Object", "ARN": "arn:aws:s3:::my-test-bucket/test.txt" } ], "eventType": "AwsApiCall", "managementEvent": false, "readOnly": false, "recipientAccountId": "123456789012" }
cloudtrail:PutEventSelector
Environment=Production
Team=Security
TrailNotLogging
ap-southeast-1
DeleteObject
❌ "CloudTrail Insights" (detects anomalies, doesn’t log events).
"How do you centralize logs for 50 AWS accounts?"
❌ "Create a trail in each account" (manual and error-prone).
"What’s the difference between a single-region and all-regions trail?"
All-regions: Logs all regions (recommended for security).
"How do you detect who deleted an S3 bucket?"
You’re a security engineer. Your CISO asks: "We just had an incident where someone deleted a critical S3 bucket. How do we ensure we log every bucket deletion across all accounts in real time?"
Your Task:1. Create an Organization Trail in the management account.2. Enable Management Events for DeleteBucket.3. Set up a CloudWatch Alarm to notify the security team when a bucket is deleted.
Create an Organization Trail: bash aws cloudtrail create-trail \ --name org-wide-security-trail \ --s3-bucket-name my-org-cloudtrail-logs \ --is-multi-region-trail \ --is-organization-trail \ --enable-log-file-validation
bash aws cloudtrail create-trail \ --name org-wide-security-trail \ --s3-bucket-name my-org-cloudtrail-logs \ --is-multi-region-trail \ --is-organization-trail \ --enable-log-file-validation
Enable CloudWatch Logs Integration: bash aws cloudtrail update-trail \ --name org-wide-security-trail \ --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/Logs:* \ --cloud-watch-logs-role-arn arn:aws:iam::123456789012:role/CloudTrail-CloudWatchLogs-Role
bash aws cloudtrail update-trail \ --name org-wide-security-trail \ --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/Logs:* \ --cloud-watch-logs-role-arn arn:aws:iam::123456789012:role/CloudTrail-CloudWatchLogs-Role
Create a CloudWatch Alarm for DeleteBucket: ```bash aws logs put-metric-filter \ --log-group-name CloudTrail/Logs \ --filter-name "DeleteBucket-Alert" \ --filter-pattern '{ $.eventName = "DeleteBucket" }' \ --metric-transformations metricName=DeleteBucketCount,metricNamespace=CloudTrail,metricValue=1
aws cloudwatch put-metric-alarm \ --alarm-name "CloudTrail-DeleteBucket-Alarm" \ --metric-name DeleteBucketCount \ --namespace CloudTrail \ --statistic Sum \ --period 300 \ --threshold 1 \ --comparison-operator GreaterThanOrEqualToThreshold \ --evaluation-periods 1 \ --alarm-actions arn:aws:sns:us-east-1:123456789012:SecurityAlerts ```
Why This Works:- Organization Trail ensures logs from all accounts are centralized.- CloudWatch Alarm triggers immediately when DeleteBucket occurs.- Log File Validation ensures logs can’t be tampered with.
aws cloudtrail create-trail
--is-multi-region-trail
aws cloudtrail put-event-selectors
--data-resources
aws cloudtrail get-trail
IsMultiRegionTrail
LogFileValidationEnabled
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.