
🔧 Learning AWS Day by Day — Day 64 — AWS CloudTrail


🔗 Source: dev.to

Exploring AWS !!

Day 64

AWS CloudTrail


  • Helps enable operational and risk auditing, governance, and compliance for your AWS account.
  • Any action taken by a user, a role, or an AWS service is recorded as an event by CloudTrail.
  • CloudTrail is active in your AWS account from the moment you create the account, and each and every action is recorded.

3 ways to record events:

  1. Event history — provides a 90-day history of management events.
  2. CloudTrail Lake — a data lake for storing and accessing user and API activity for auditing and security purposes. CloudTrail Lake converts events from JSON format to Apache ORC format. ORC is a columnar data format that allows fast retrieval of data. The event data store can store data for approximately 10 years. Any existing event logs in S3 can be stored in a new or existing event data store.
  3. Trails — capture a record of activities, delivering and storing these events in S3 and, optionally, in CloudWatch or EventBridge. Athena can be used to search and analyze your logs.

How does it work?

You have direct access to Event history, which keeps track of events from the moment your account is created. You can view, search, or download these logs as required. Event history is accessible and viewable for 90 days, and it is not connected to any trail or event data store, so any configuration or changes you make do not affect trails and event data stores.
An event data store can be created to log CloudTrail events, CloudTrail Insights events, AWS Audit Manager evidence, AWS Config configuration items, or events from outside of AWS. An event data store used for integration event logs from outside AWS must be single-Region only, not multi-Region.

Tasks that can be performed on event data stores:

  • View Lake dashboards
  • Log management events
  • Log data events
  • Log Insights events
  • Copy trail events
  • Enable federation on an event data store
  • Stop or start event ingestion on an event data store
  • Create an integration with an event source outside of AWS
  • View Lake sample queries in the CloudTrail console
  • Create or edit a query
  • Save query results to an S3 bucket
  • Download saved query results
  • Validate saved query results

CloudTrail channels:
Channels for CloudTrail Lake integrations with event sources outside of AWS:
CloudTrail Lake uses channels to bring events from outside of AWS into CloudTrail Lake from external partners that work with CloudTrail, or from your own sources.
Service-linked channels:
AWS services can create a service-linked channel to receive CloudTrail events on your behalf.

CloudTrail logs 3 types of events:
Management events, Data events, Insights events
Management events: operations such as configuring security, registering devices, configuring rules, and setting up logging.
Data events: provide information about the resource operations performed on or in a resource, also known as data plane operations.
Insights events: capture unusual API call rate or error rate activity.
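
The three event types above, as an added example that is not part of the original post: the code reads a CloudTrail log file body (the `Records` array that trails deliver to S3), counts events per `eventCategory`, and flags management events that change audit logging itself. The sample records, the account ID and the `LOGGING_CHANGES` watch list are constructed for illustration.

```python
import json
from collections import Counter

# Constructed, simplified sample in the layout of a CloudTrail log file in S3:
# one JSON object with a "Records" array. ARNs and account ID are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "eventCategory": "Management",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "eventCategory": "Management",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "eventCategory": "Management",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-05-01T10:10:00Z", "eventType": "AwsCloudTrailInsight",
     "eventCategory": "Insight",
     "insightDetails": {"state": "Start", "eventSource": "ec2.amazonaws.com",
                        "eventName": "RunInstances"}},
]})

# CloudTrail API calls that can stop or narrow audit logging (this example's watch list).
LOGGING_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                   "StopEventDataStoreIngestion", "DeleteEventDataStore"}

def load_records(log_text):
    """Return the list of event records from one CloudTrail log file body."""
    return json.loads(log_text).get("Records", [])

def count_by_category(records):
    """Count events per eventCategory (Management, Data, Insight)."""
    return Counter(r.get("eventCategory", "Unknown") for r in records)

def logging_tamper_events(records):
    """Return (time, principal ARN, eventName) for events that alter logging."""
    hits = []
    for r in records:
        if (r.get("eventCategory") == "Management"
                and r.get("eventSource") == "cloudtrail.amazonaws.com"
                and r.get("eventName") in LOGGING_CHANGES):
            arn = r.get("userIdentity", {}).get("arn", "unknown")
            hits.append((r["eventTime"], arn, r["eventName"]))
    return hits

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(dict(count_by_category(recs)), logging_tamper_events(recs))
```

Read-only calls such as `DescribeTrails` are counted as management events but are not flagged, because they do not change the logging configuration.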

...
