A Deep Dive into AWS CloudTrail

Andreas Wittig – 18 Mar 2021

Who made changes to sensitive parts of your cloud infrastructure? Capture audit logs with AWS CloudTrail. Learn how to analyze the audit logs with the help of CloudWatch Logs Insights or Athena. On top of that, we discuss how to roll out CloudTrail to all AWS accounts belonging to your organization. Last but not least, you will learn about the blind spots and how to avoid excessive costs.

What to expect from the video?

  • Demo: Querying audit logs with CloudWatch
  • Demo: Querying audit logs with Athena
  • Best practices for configuring CloudTrail (multi-account)
  • About blind spots: S3, DynamoDB, SQS, SNS, …
  • About excessive costs: data events are expensive
  • Demo: Real-time alerts (CIS AWS Foundations)

Enjoy the video!

Capturing and storing audit logs is only half of the job. You also need to be able to analyze the logs. Here are some examples of queries for CloudWatch Logs Insights.

Which regions are used within the account?

fields @timestamp, @message
| stats count() by awsRegion
| sort awsRegion asc

Did anyone make use of leaked AWS credentials?

fields @timestamp, @message
| filter userIdentity.accessKeyId = 'AKIA36A2NNHBPCARNKJG'

Besides that, Athena also offers a powerful way to search through the audit logs captured by CloudTrail.
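As an added example (not code from the original post or from cloudonaut), the two Logs Insights queries above and the CIS "root account usage" alert from the video agenda, reimplemented in Python over a handful of constructed CloudTrail records so the matching logic can be checked offline. The user names, access key IDs and account ID are made up; the CIS check mirrors the metric filter pattern published in the CIS AWS Foundations Benchmark.

```python
import json
from collections import Counter

# Constructed sample: CloudTrail records as they arrive in a CloudWatch Logs
# log group, one JSON object per log event. Key IDs and account ID are made up.
def _record(time, region, source, name, identity, etype="AwsApiCall"):
    return json.dumps({"eventTime": time, "awsRegion": region, "eventSource": source,
                       "eventName": name, "eventType": etype, "userIdentity": identity})

ALICE = {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEKEY000001"}
BOB = {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIAEXAMPLEKEY000002"}
SAMPLE_LOG_LINES = [
    _record("2021-03-18T08:00:01Z", "eu-west-1", "s3.amazonaws.com", "ListBuckets", ALICE),
    _record("2021-03-18T08:05:42Z", "us-east-1", "iam.amazonaws.com", "CreateUser", ALICE),
    _record("2021-03-18T09:12:07Z", "us-east-1", "signin.amazonaws.com", "ConsoleLogin",
            {"type": "Root", "accountId": "111111111111"}, etype="AwsConsoleSignIn"),
    _record("2021-03-18T10:30:00Z", "eu-west-1", "ec2.amazonaws.com", "DescribeInstances", BOB),
    "{not valid json",  # a truncated line, which the parser must tolerate
]

def parse_events(lines):
    """One CloudTrail record per log line; lines that are not JSON are skipped."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def regions_in_use(events):
    """Same result as: stats count() by awsRegion | sort awsRegion asc"""
    return sorted(Counter(e.get("awsRegion", "unknown") for e in events).items())

def events_for_access_key(events, access_key_id):
    """Same result as: filter userIdentity.accessKeyId = '<key>'.
    Returns (eventTime, awsRegion, eventName) tuples, i.e. the key's timeline."""
    return [(e["eventTime"], e["awsRegion"], e["eventName"]) for e in events
            if e.get("userIdentity", {}).get("accessKeyId") == access_key_id]

def root_account_usage(events):
    """CIS AWS Foundations 'root account usage' check. Mirrors the metric filter
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
      && $.eventType != "AwsServiceEvent" } used for the real-time alert."""
    return [e for e in events
            if e.get("userIdentity", {}).get("type") == "Root"
            and "invokedBy" not in e["userIdentity"]
            and e.get("eventType") != "AwsServiceEvent"]
```

Calling `events_for_access_key(parse_events(SAMPLE_LOG_LINES), "AKIAEXAMPLEKEY000001")` yields the two calls made with that key, in order, which is exactly what you want to see first when a key is suspected to have leaked.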

Andreas Wittig

I'm an independent consultant, technical writer, and programming founder. All these activities have to do with AWS. I'm writing this blog and all other projects together with my brother Michael.

In 2009, we joined the same company as software developers. Three years later, we were looking for a way to deploy our software—an online banking platform—in an agile way. We got excited about the possibilities in the cloud and the DevOps movement. It’s no wonder we ended up migrating the whole infrastructure of Tullius Walden Bank to AWS. This was a first in the finance industry, at least in Germany! Since 2015, we have accelerated the cloud journeys of startups, mid-sized companies, and enterprises. We have penned books like Amazon Web Services in Action and Rapid Docker on AWS, we regularly update our blog, and we are contributing to the Open Source community. Besides running a 2-headed consultancy, we are entrepreneurs building Software-as-a-Service products.

We are available for projects.

You can contact me via Email, Twitter, and LinkedIn.
