In this post, I make available my notes about CloudTrail, made from Adrian Cantrill’s course AWS Certified Solutions Architect – Associate (SAA-C02). The Q&A session below can be used to validate your knowledge or to create flashcards for study. Since this is a piece of knowledge under construction, there may be mistakes; drop a comment with any suggestions.
CloudTrail is a product that records API calls and activities that affect your AWS account, and it can be customized through the configuration of a Trail. By default, the Event History keeps up to 90 days of data without additional cost. To keep events beyond that limit, you configure the Trail to deliver them to an S3 bucket, where they are stored as plain JSON and you are charged only for the storage. Additionally, you can deliver the logs to CloudWatch Logs, where you can perform searches and filters.
CloudTrail Events are the events generated by Trails, and there are three types: Management Events, Data Events, and Insight Events. Management Events record management operations, such as creating or deleting resources, logging in, etc., and they are the only type enabled by default. Insight Events record unusual activity, and Data Events record resource-level operations, such as interacting with objects in an S3 bucket. Data Events are not recorded by default because of their high volume; you must enable them, at an extra cost.
A Trail can be applied to a Single Region, where it records only events for that region, or to All Regions, where it also records Global Service Events. To record events of global services such as IAM, CloudFront and STS, you must have a Trail created on All Regions. It’s also possible to create an Organization Trail that records changes across all member accounts in your organization.
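As an added example (not code from the post or from Adrian Cantrill’s course), the following Python reads a CloudTrail log file in the plain JSON format a Trail delivers to S3 and classifies each record by event type (Management, Data, Insight) and by whether it came from a global service, which is the case an All-Regions Trail exists to cover. The three records are constructed sample data; the field names (`Records`, `eventCategory`, `managementEvent`, `eventSource`, `awsRegion`, `readOnly`) are CloudTrail’s standard record fields.

```python
"""Parse a CloudTrail log file (the plain JSON a Trail delivers to S3) and
classify each record. Added example; the records below are constructed."""
import json

# Global services whose events are recorded only by an All-Regions Trail.
GLOBAL_SERVICE_SOURCES = {
    "iam.amazonaws.com",
    "sts.amazonaws.com",
    "cloudfront.amazonaws.com",
}

# Constructed sample log file: an IAM management write, an S3 data event,
# and a read-only EC2 management call.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2023-01-01T10:00:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "eventCategory": "Management",
     "managementEvent": True, "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "bob"}},
    {"eventVersion": "1.08", "eventTime": "2023-01-01T10:05:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "eu-west-1", "eventCategory": "Data",
     "managementEvent": False, "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}},
    {"eventVersion": "1.08", "eventTime": "2023-01-01T10:06:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "eventCategory": "Management",
     "managementEvent": True, "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": None},
]})


def load_records(log_file_text):
    """A delivered log file is one JSON object with a top-level "Records" list."""
    return json.loads(log_file_text)["Records"]


def classify(record):
    """Return (category, from_global_service, is_write) for one record."""
    category = record.get("eventCategory")
    if category is None:
        # Records without eventCategory still carry the managementEvent flag.
        category = "Management" if record.get("managementEvent") else "Data"
    from_global_service = record["eventSource"] in GLOBAL_SERVICE_SOURCES
    is_write = not record.get("readOnly", False)
    return category, from_global_service, is_write


def summarize(log_file_text):
    """Count records per category and list the management write calls, the
    ones a reviewer of the account's change history cares about most."""
    counts = {"Management": 0, "Data": 0, "Insight": 0}
    writes = []
    for rec in load_records(log_file_text):
        category, from_global_service, is_write = classify(rec)
        counts[category] = counts.get(category, 0) + 1
        if category == "Management" and is_write:
            writes.append({
                "time": rec["eventTime"],
                "source": rec["eventSource"],
                "name": rec["eventName"],
                "region": rec["awsRegion"],
                "global_service": from_global_service,
                "actor": rec["userIdentity"].get("userName"),
            })
    return counts, writes


if __name__ == "__main__":
    counts, writes = summarize(SAMPLE_LOG_FILE)
    print(counts)          # {'Management': 2, 'Data': 1, 'Insight': 0}
    for w in writes:
        print(w)           # the CreateUser call from the global IAM service
```

The `global_service` flag is the practical check behind the regional notes: an IAM, STS or CloudFront record like the first one only appears in a Trail that covers All Regions, so a Single Region Trail reviewing this file would never see it.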
It’s good to know that CloudTrail is not real-time logging; a delay between the action and the log can occur.
What is CloudTrail?
A product that records API calls and activities that affect your AWS account.
What is a Trail?
A configuration that allows you to customize CloudTrail.
What is CloudTrail event history?
It is where a Trail records event data and allows you to view and search it.
How long is data recorded in the CloudTrail event history by default, without additional charge?
Up to 90 days.
How can you extend the storage limit of the CloudTrail event history?
By configuring the data to be sent to an S3 bucket, or to CloudWatch Logs, where you can perform searches and filters.
What are CloudTrail events?
Events generated by Trails.
What are the 3 types of CloudTrail events?
Management Events, Data Events, and Insight Events.
What are Management Events?
Events that record management operations like creating or deleting resources, logging in, etc.
What are Data Events?
Events that record resource operations, like interacting with an S3 bucket.
What are Insight Events?
Events that record unusual activities in your account.
What type of CloudTrail event is enabled by default when you create a Trail?
Management Events.
Where can you apply a Trail?
On a Single Region or on All Regions.
How does CloudTrail behave regionally?
A Single Region Trail records only events for that region.
How does CloudTrail behave globally?
An All-Regions Trail also records Global Service Events, such as those from IAM, CloudFront and STS.
What are Organization Trails?
A Trail that records changes across all member accounts in your organization.