AWS CloudTrail Cookbook

Hemalatha Chockalingam
3 min readJan 30, 2022


Image Creation Credit:

One liner definition: Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.

AWS Tool Category: Management and Governance

Use cases: Audit Activity, Identify Security Incidents, Troubleshoot Operational Issues

Image source: AWS

AWS CloudTrail Track user activity and API usage. It enables auditing, security monitoring, and operational troubleshooting by tracking your user activity and API usage. It is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. You can easily view events in the CloudTrail console by going to Event history. Event history allows you to view, search, and download the past 90 days of activity in your AWS account.

A trail is a configuration that enables delivery of events to an Amazon S3 bucket that you specify. All event types use a CloudTrail JSON log format. You can create two types of trails for an AWS account:

A trail that applies to all regions

A trail that applies to one region

For both types of trails, you can specify an Amazon S3 bucket from any region. By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE). You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key. You can store your log files in your bucket for as long as you want.

There are three types of events that can be logged in CloudTrail:

Management events — Management events provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations.

Data events — Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations.

CloudTrail Insights events — CloudTrail Insights events capture unusual API call rate or error rate activity in your AWS account.

By default, trails log management events, but not data or Insights events.

AWS CloudTrail Lake is designed to be a fully managed solution for capturing, storing, accessing, and analyzing user and API activity on AWS. It is a managed data lake for audit and security information, enabling you to aggregate, immutably store your activity logs (control plane and data plane) for up to 7 years, and query logs within seconds for search and analysis.

With CloudTrail Lake, you are charged for the volume of data that you ingest, the volume of data you scan for analysis, and data storage, if you choose to store it for longer than 7 years.

How do you run complex queries on events logged by CloudTrail?

CloudTrail Lake lets you run fine-grained SQL-based queries on your events. You do not need to have a trail configured in your account to use CloudTrail Lake.