Amazon Web Services (AWS) has considerably increased the number of services supported by AWS CloudTrail to cover the majority of the extensive AWS service portfolio. This now includes most compute and networking and all deployment and management services, thereby providing comprehensive end to end auditing of almost any changes to customer’s infrastructure.
AWS has also expanded CloudTrail coverage to the US West (Northern California), EU (Ireland) and Asia Pacific (Sydney) regions after initially offering the service in US East (Northern Virginia) and US West (Oregon). CloudTrail is "scheduled to soon support" the remaining globally accessible regions.
AWS CloudTrail records all API calls made in an AWS account no matter of their origin, be it the AWS Management Console, the AWS Command Line Interface or third party applications using any of the various AWS SDKs. It stores the resulting log files in an Amazon S3 bucket in JSON format and provides optional notification to an Amazon SNS topic each time a file is published so that third party and custom log analytics solutions can avoid polling and ingest new log files on arrival instead.
The various logging and auditing use cases include security analysis, change tracking, compliance aid and operational troubleshooting. For example, several third party monitoring and analytics providers offer correlation of CloudTrail events with application performance monitoring charts, possibly identifying changes to AWS resources that might have caused or impacted an observed performance regression.
The comprehensive JSON log records provide information such as:
- Who made the API call? – AWS identity type (root account, IAM user or role, federated user), friendly user name, access key ID, account number etc.
- When was the API call made? – event time and date in ISO 8601 format
- What was the API call? – API call and service, e.g. 'RunInstances' on EC2
- What were the resources that were acted up on in the API call? – request parameters and partial response elements (results from read-only call results like Describe*, Get*, List* are excluded to prevent event size inflation)
- Where was the API call made from? – apparent caller IP address and target region
A post by analyst René Büst stresses CloudTrail’s significant (and as of today fairly unique) value proposition for respectively sensitive users and use cases:
AWS CloudTrail is one of the most important services for enterprise customers that Amazon has released in recent times. The collected logs support the compliance with government regulations by allowing recording of all accesses to AWS services. One can operate more successful security audits […], identifying the precise origin of vulnerabilities and unauthorized or erroneous hits on data.
CloudTrail "delivers an event within 15 minutes of the API call" and the resulting "log files to your S3 bucket approximately every 5 minutes". This renders it unsuitable for tight real-time operational and security monitoring, however, near real-time change tracking, security analysis and operational troubleshooting are still guaranteed.
Log files can be aggregated across AWS regions and even multiple AWS accounts for operational and security reasons. For example, one might want to consolidate audit logging from development and production accounts to a dedicated auditing account with an even higher security profile and limited staff access, similar to how a consolidated billing account is used to isolate billing and cost management to dedicated stakeholders.
The CloudTrail documentation offers the usual user guide and API reference. The CloudTrail API is already supported by the cross platform AWS Command Line Interface, the AWS Tools for Windows PowerShell and most AWS SDKs. Customer support is available via the AWS CloudTrail forum. CloudTrail itself is free of charge, the Amazon S3 storage and optionally Amazon SNS notifications incur the standard cost for these services.