AWS CloudTrail
AWS CloudTrail records API calls for customer’s account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, and more. CloudTrail can be thought of as a “trail” of breadcrumbs (or a log of actions) that someone has left behind them.
Recall that customer can use API calls to provision, manage, and configure your AWS resources. With CloudTrail, customer can view a complete history of user activity and API calls for customer’s applications and resources.
Events are typically updated in CloudTrail within 15 minutes after an API call. You can filter events by specifying the time and date that an API call occurred, the user who requested the action, the type of resource that was involved in the API call, and more.
Example : AWS CloudTrail event
Suppose that the coffee shop owner is browsing through the AWS Identity and Access Management (IAM) section of the AWS Management Console. They discover that a new IAM user named Mary was created, but they do not know who, when, or which method created the user.
To answer these questions, the owner navigates to AWS CloudTrail.
In the CloudTrail Event History section, the owner applies a filter to display only the events for the “CreateUser” API action in IAM. The owner locates the event for the API call that created an IAM user for Mary. This event record provides complete details about what occurred:
On January 1, 2020 at 9:00 AM, IAM user John created a new IAM user (Mary) through the AWS Management Console.
CLoudTrail Insights
Within CloudTrail, you can also enable CloudTrail Insights. This optional feature allows CloudTrail to automatically detect unusual API activities in your AWS account.
For example, CloudTrail Insights might detect that a higher number of Amazon EC2 instances than usual have recently launched in your account. You can then review the full event details to determine which actions you need to take next.
