Q: What is AWS CloudTrail?
AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket.

Q: What are the benefits of CloudTrail?
CloudTrail provides visibility into user activity by recording API calls made on your account. CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards. For more details, refer to the AWS compliance white paper “Security at scale: Logging in AWS”.

Q: Who should turn on CloudTrail?
Customers who need to track changes to resources, answer simple questions about user activity, demonstrate compliance, troubleshoot, or perform security analysis should turn on CloudTrail.



Q: How do I get started with CloudTrail?
The quickest way to get started with CloudTrail is to use the AWS Management Console. You can turn on CloudTrail in a few clicks.

Q: How does CloudTrail deliver API call information?
CloudTrail delivers API call information by depositing log files in an Amazon S3 bucket that you choose and configure. Each log file can contain multiple events, and each event represents an API call.


Q: What services are supported by CloudTrail?

For a list of services supported by CloudTrail, refer to the CloudTrail documentation.

Q: How are global AWS services supported?

API calls for global AWS services such as AWS IAM and AWS STS are recorded and delivered by CloudTrail along with regional events. By default, CloudTrail delivers API calls for global services in every region.

Q: What regions are supported?
Please refer to Regional Products and Services for details of CloudTrail availability by region.

Q: Are API calls made from the AWS Management Console recorded?
Yes. CloudTrail records API calls made from any client. The AWS Management Console, AWS SDKs, command line tools, and higher level AWS services call AWS APIs, so these calls are recorded.

Q: Where are my log files stored and processed before they are delivered to my Amazon S3 bucket?

API call information for services with regional endpoints (EC2, RDS, etc.) is captured and processed in the same region to which the API call is made, and is delivered to the region associated with your Amazon S3 bucket. API call information for services with single endpoints (IAM, STS, etc.) is captured in the region where the endpoint is located, processed in the region where the CloudTrail trail is configured, and delivered to the region associated with your Amazon S3 bucket.


Q: What is applying a trail to all regions?
Applying a trail to all regions refers to creating the same trail in all regions in a partition. Currently, you can apply a trail to all regions in the aws partition that contains the following regions: US East (Northern Virginia), US West (Northern California), US West (Oregon), Europe (Ireland), Europe (Frankfurt), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo). For more details on regions and partitions, refer to the Amazon Resource Names and AWS Service Namespaces page.

Q: What are the benefits of applying a trail to all regions?
You can create and manage a trail across all regions in the partition in one API call or a few clicks. You will receive a record of API activity made in your AWS account across all regions in one S3 bucket or CloudWatch Logs log group. When AWS launches a new region, you will receive the log files containing API activity for the new region without taking any action.

Q: How do I apply a trail to all regions?
In the CloudTrail console, you select Yes to apply to all regions on the trail configuration page. If you are using the SDKs or AWS CLI, you set IsMultiRegionTrail to true.

Q: What happens when I apply a trail to all regions?
Once you apply a trail in all regions, CloudTrail will create a new trail in all regions by replicating the trail configuration. CloudTrail will record and process the log files in each region and will deliver log files containing API activity across all AWS regions to a single S3 bucket and a single CloudWatch Logs log group. If you specified an optional SNS topic, CloudTrail will deliver SNS notifications for all log files delivered to a single SNS topic.

Q: Can I apply an existing trail to all regions?

Yes. You can apply an existing trail to all regions. When you apply an existing trail to all regions, CloudTrail will create a new trail for you in all regions. If you previously created trails in other regions, you can view, edit and delete those trails from the CloudTrail console.

Q: How long will it take for CloudTrail to replicate the trail configuration to all regions?
Typically, it will take less than 30 seconds to replicate the trail configuration to all regions.


Q: How many trails can I create in an AWS region?
You can create up to five trails in an AWS region. A trail that applies to all regions exists in each region and is counted as one trail in each region.

Q: What is the benefit of creating multiple trails in an AWS region?
With multiple trails, different stakeholders such as security administrators, software developers and IT auditors can create and manage their own trails. For example, a security administrator can create a trail that applies to all regions and configure encryption using one KMS key. A developer can create a trail that applies to one region for troubleshooting operational issues.

Q: Does CloudTrail support resource level permissions?
Yes. Using resource-level permissions, you can write granular access control policies to allow or deny access to specific users for a particular trail. For more details, go to the CloudTrail documentation.


Q: How can I secure my CloudTrail log files?
By default, CloudTrail log files are encrypted using S3 Server Side Encryption (SSE) and placed into your S3 bucket. You can control access to log files by applying IAM or S3 bucket policies. You can add an additional layer of security by enabling S3 Multi Factor Authentication (MFA) Delete on your S3 bucket. For more details on creating and updating a trail, see the CloudTrail documentation.

Q: Where can I download a sample S3 bucket policy and an SNS topic policy?
You can download a sample S3 bucket policy and an SNS topic policy from the CloudTrail S3 bucket. You need to update the sample policies with your information before you apply them to your S3 bucket or SNS topic.

Q: How long can I store my activity log files?
You control the retention policies for your CloudTrail log files. By default, log files are stored indefinitely. You can use Amazon S3 object lifecycle management rules to define your own retention policy. For example, you may want to delete old log files or archive them to Amazon Glacier.


Q: What information is available in an event?
An event contains information about the associated API call: the identity of the caller, the time of the call, the source IP address, the request parameters, and the response elements returned by the AWS service. For more details, see the CloudTrail Event Reference section of the user guide.

Q: How long does it take CloudTrail to deliver an event for an API call?
Typically, CloudTrail delivers an event within 15 minutes of the API call.

Q: How often will CloudTrail deliver log files to my Amazon S3 bucket?
CloudTrail delivers log files to your S3 bucket approximately every 5 minutes. CloudTrail does not deliver log files if no API calls are made on your account.

Q: Can I be notified when new log files are delivered to my Amazon S3 bucket?
Yes. You can turn on Amazon SNS notifications so that you can take immediate action on delivery of new log files.

Q: What happens if CloudTrail is turned on for my account but my Amazon S3 bucket is not configured with the correct policy?
CloudTrail log files are delivered in accordance with the S3 bucket policies that you have in place. If the bucket policies are misconfigured, CloudTrail may not be able to deliver log files.


Q: What are Data Events? 

Data Events represent API activity for data resources that you specify. If you enable Data Events for S3 Objects, you will capture all API activity, including calls such as Get Object and Get Object ACL, in CloudTrail. You can use these events to meet IT auditing or compliance requirements, perform security analysis, monitor for and alarm on specific patterns of user behavior in your AWS account or take immediate action on any object level API activity using CloudWatch Events.

Q: How can I consume Data Events?

Data Events that are recorded by CloudTrail are delivered to S3, similar to management events. Once enabled, these events are also available in CloudWatch Events.

Q: What are S3 Data Events? How do I record them?

S3 Data Events represent API activity on S3 Objects. To get CloudTrail to record these actions, you specify an S3 Bucket in the Event Selector. Any API actions on the objects within the specified S3 Bucket are recorded by CloudTrail.


Q: I have multiple AWS accounts. I would like log files for all the accounts to be delivered to a single S3 bucket. Can I do that?
Yes. You can configure one S3 bucket as the destination for multiple accounts. For detailed instructions, refer to the "Aggregating log files to a single Amazon S3 bucket" section of the AWS CloudTrail User Guide.


Q: What use cases can I solve by looking up API activity?

You can look up API activity captured by CloudTrail to troubleshoot operational and security incidents in your AWS account.

Q: Which API activity can I look up for my AWS account?

You can look up API activity related to creation, modification, and deletion of AWS resources in your AWS account for 28 AWS services, including Amazon EC2, Amazon VPC, Amazon RDS and AWS IAM. For a list of services, go to the CloudTrail documentation.

Q: How do I look up API activity captured by CloudTrail?

You can look up API activity captured by CloudTrail using the CloudTrail console, AWS SDKs, and AWS CLI.

Q: How do I look up API activity captured for my account?

If you have already turned on CloudTrail for your account, you do not need to do anything. Simply log on to the CloudTrail console to review the history of API activity for your AWS account. If you haven’t turned on CloudTrail for your account, you simply turn it on and, from that point onward, you can look up captured events.

Q: How far back in time can I look up API activity for my AWS account?

You can look up API activity captured for your AWS account for the last 7 days.

Q: What happens if I stop logging or delete a trail?

If you stop logging or delete a trail, CloudTrail will stop delivering events to your S3 bucket. You will not be able to look up events that occurred after you stopped logging or deleted a trail. You will still be able to look up events that occurred before you stopped logging or deleted a trail for 7 days. If you start logging again, CloudTrail will start delivering events to your S3 bucket, and you will be able to look up events that were captured after you resumed logging.

Q: What filters can I use to look up API activity?

You can specify one of the following attributes: Time range, Event name, User name, Resource name, and Resource type.

Q: In which regions can I look up API activity for my AWS account?

You can look up API activity for your AWS account in these AWS regions: US East (N. Virginia), US West (Oregon), US West (N. California), EU (Ireland), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo).


Q: What is CloudTrail integration with CloudWatch Logs?

CloudTrail integration with CloudWatch Logs delivers API activity captured by CloudTrail to a CloudWatch Logs log stream in the CloudWatch Logs log group you specify.

Q: What are the benefits of CloudTrail integration with CloudWatch Logs?

This integration enables you to receive SNS notifications of API activity captured by CloudTrail. For example, you can create CloudWatch alarms to monitor API calls that create, modify, and delete Security Groups and Network ACLs. For examples, go to the examples section of the user guide.
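The same Security Group and Network ACL monitoring can be run offline over a delivered log file. The following is an added example, not code from AWS or from the CloudTrail documentation; the sample log, user names, and IP addresses are constructed, and the field names are those of the CloudTrail event record format.

```python
import gzip
import json

# API calls that create, modify or delete Security Groups and Network ACLs.
WATCHED = {
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAcl", "DeleteNetworkAcl", "CreateNetworkAclEntry",
    "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry",
}

def load_records(blob: bytes) -> list:
    """Return the events in one log file (gzip-compressed or plain JSON)."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        blob = gzip.decompress(blob)
    return json.loads(blob).get("Records", [])

def caller(identity: dict) -> str:
    """Best available name for the identity that made the call."""
    return identity.get("arn") or identity.get("userName") or identity.get("type", "unknown")

def network_changes(records: list) -> list:
    """Pick out watched EC2 network-control calls, oldest first."""
    findings = []
    for ev in records:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") not in WATCHED:
            continue
        findings.append({
            "time": ev.get("eventTime", ""),
            "action": ev["eventName"],
            "caller": caller(ev.get("userIdentity", {})),
            "source_ip": ev.get("sourceIPAddress"),
            "region": ev.get("awsRegion"),
            "denied_or_failed": "errorCode" in ev,  # call was rejected or errored
        })
    return sorted(findings, key=lambda f: f["time"])

def _ev(time, source, name, user, ip, **extra):
    """Build one constructed event with the fields the FAQ lists."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user,
                             "arn": f"arn:aws:iam::111122223333:user/{user}"},
            **extra}

# Constructed sample log file: not real account data.
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    _ev("2016-01-05T10:00:01Z", "ec2.amazonaws.com", "DescribeInstances", "alice", "192.0.2.10"),
    _ev("2016-01-05T10:07:45Z", "ec2.amazonaws.com", "DeleteNetworkAclEntry", "bob", "198.51.100.7",
        errorCode="Client.UnauthorizedOperation"),
    _ev("2016-01-05T10:03:12Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "alice",
        "192.0.2.10", requestParameters={"groupId": "sg-0example"}),
    _ev("2016-01-05T10:09:00Z", "iam.amazonaws.com", "CreateUser", "bob", "198.51.100.7"),
]}).encode())

if __name__ == "__main__":
    for finding in network_changes(load_records(SAMPLE_LOG)):
        print(finding)
```

Failed attempts are kept and flagged rather than dropped, because a denied change to a Network ACL is often as interesting to an investigator as a successful one.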

Q: How do I turn on CloudTrail integration with CloudWatch Logs?

You can turn on CloudTrail integration with CloudWatch Logs from the CloudTrail console by specifying a CloudWatch Logs log group and an IAM role. You can also use the AWS SDKs or the AWS CLI to turn on this integration.

Q: What happens when I turn on CloudTrail integration with CloudWatch Logs?

After you turn on the integration, CloudTrail continuously delivers API activity to a CloudWatch Logs log stream in the CloudWatch Logs log group you specified. CloudTrail also continues to deliver logs to your Amazon S3 bucket as before.

Q: In which AWS regions is CloudTrail integration with CloudWatch Logs supported?

This integration is supported in the regions where CloudWatch Logs is supported, i.e., the us-east-1 (N. Virginia), us-west-1 (N. California), us-west-2 (Oregon), eu-west-1 (Ireland), ap-northeast-1 (Tokyo), ap-southeast-1 (Singapore), ap-southeast-2 (Sydney), and eu-central-1 (Frankfurt) regions. In the future, this integration will be available in other regions.

Q: How does CloudTrail deliver events containing API activity to my CloudWatch Logs?

CloudTrail assumes the IAM role you specify to deliver API activity to CloudWatch Logs. You limit the IAM role to only the permissions it requires to deliver events to your CloudWatch Logs log stream. To review the IAM role policy, go to the user guide of the CloudTrail documentation.

Q: What charges do I incur once I turn on CloudTrail integration with CloudWatch Logs?

After you turn on CloudTrail integration with CloudWatch Logs, you incur standard CloudWatch Logs and CloudWatch charges. For details, go to the CloudWatch pricing page.


Q: What is the benefit of CloudTrail log file encryption using Server-side Encryption with KMS?  

CloudTrail log file encryption using SSE-KMS allows you to add an additional layer of security to CloudTrail log files delivered to an Amazon S3 bucket by encrypting the log files with a KMS key. By default, CloudTrail will encrypt log files delivered to your Amazon S3 bucket using Amazon S3 server-side encryption.

Q: I have an application that ingests and processes CloudTrail log files. Do I need to make any changes to my application?

With SSE-KMS, Amazon S3 will automatically decrypt the log files so that you do not need to make any changes to your application. As always, you need to make sure that your application has appropriate permissions, i.e., Amazon S3 GetObject and KMS Decrypt permissions.

Q: How do I configure CloudTrail log file encryption?

You can use the AWS Management Console, the AWS CLI, or the AWS SDKs to configure log file encryption. For detailed instructions, refer to the documentation.

Q: What charges do I incur once I configure encryption using SSE-KMS?

Once you configure encryption using SSE-KMS, you will incur standard AWS KMS charges. For details, go to the AWS KMS pricing page.


Q: What is CloudTrail log file integrity validation?

The CloudTrail log file integrity validation feature allows you to detect whether a CloudTrail log file was unchanged, deleted, or modified since CloudTrail delivered it to the specified Amazon S3 bucket.

Q: What is the benefit of CloudTrail log file integrity validation?
You can use the log file integrity validation as an aid in your IT security and auditing processes.

Q: How do I enable CloudTrail log file integrity validation?
You can enable the CloudTrail log file integrity validation feature from the AWS Management Console, AWS CLI or AWS SDKs.

Q: What happens once I turn on the log file integrity validation feature?

Once you turn on the log file integrity validation feature, CloudTrail will deliver digest files on an hourly basis. The digest files contain information about the log files that were delivered to your Amazon S3 bucket, hash values for those log files, digital signatures for the previous digest file, and the digital signature for the current digest file in the Amazon S3 metadata section. For more information about digest files, digital signatures, and hash values, go to the CloudTrail documentation.

Q: Where are the digest files delivered to?
The digest files are delivered to the same Amazon S3 bucket where your log files are delivered. However, they are delivered to a different folder so that you can enforce granular access control policies. For details, refer to the digest file structure section of the CloudTrail documentation.

Q: How can I validate the integrity of a log file or digest file delivered by CloudTrail?
You can use the AWS CLI to validate the integrity of a log file or digest file. You can also build your own tools to do the validation. For more details on using the AWS CLI for validating the integrity of a log file, refer to the CloudTrail documentation.
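As an added example of the hash-checking part of such a tool (not AWS code), the sketch below classifies each log file listed in a digest as unchanged, modified, or deleted, and checks the link to the previous digest. It assumes the digest field names `logFiles`, `s3Bucket`, `s3Object`, `hashValue`, `hashAlgorithm`, and `previousDigestHashValue`, and that hashes are hex SHA-256 over uncompressed content; confirm both against the CloudTrail documentation. It does not verify the digest file's digital signature, which a complete validator must also do, and all sample data is constructed.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_log_files(digest: dict, fetch) -> dict:
    """Classify every log file listed in one digest file.

    fetch(bucket, key) is a caller-supplied function (an assumption of this
    example) returning the uncompressed log bytes, or None if the object is gone.
    """
    status = {}
    for entry in digest.get("logFiles", []):
        key = entry["s3Object"]
        if entry.get("hashAlgorithm") != "SHA-256":
            status[key] = "unsupported-hash"  # refuse to guess at other algorithms
            continue
        content = fetch(entry["s3Bucket"], key)
        if content is None:
            status[key] = "deleted"
        elif sha256_hex(content) == entry["hashValue"].lower():
            status[key] = "unchanged"
        else:
            status[key] = "modified"
    return status

def previous_digest_intact(digest: dict, previous_bytes) -> bool:
    """Check the hash link from this digest back to the previous digest file."""
    expected = digest.get("previousDigestHashValue")
    if expected is None:              # first digest in the chain
        return previous_bytes is None
    if previous_bytes is None:        # previous digest file is missing
        return False
    return sha256_hex(previous_bytes) == expected.lower()

# Constructed sample data: bucket name, keys and contents are illustrative.
BUCKET = "example-trail-bucket"
LOG_A = b'{"Records":[{"eventName":"CreateTrail"}]}'
LOG_B = b'{"Records":[{"eventName":"StopLogging"}]}'
LOG_C = b'{"Records":[{"eventName":"DeleteTrail"}]}'
PREVIOUS_DIGEST = b'{"logFiles":[]}'
DIGEST = {
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST),
    "logFiles": [
        {"s3Bucket": BUCKET, "s3Object": key, "hashAlgorithm": "SHA-256",
         "hashValue": sha256_hex(body)}
        for key, body in (("logs/a.json", LOG_A), ("logs/b.json", LOG_B),
                          ("logs/c.json", LOG_C))
    ],
}
# State of the bucket at validation time: b was edited, c was removed.
STORE = {"logs/a.json": LOG_A, "logs/b.json": LOG_B.replace(b"Stop", b"Star")}

def fetch_from_store(bucket: str, key: str):
    return STORE.get(key) if bucket == BUCKET else None

def run_sample() -> dict:
    return check_log_files(DIGEST, fetch_from_store)
```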

Q: I aggregate all my log files across all regions and multiple accounts into one single Amazon S3 bucket. Will the digest files be delivered to the same Amazon S3 bucket?
Yes. CloudTrail will deliver the digest files across all regions and multiple accounts into the same Amazon S3 bucket.

 


Q: What is AWS CloudTrail Processing Library?

AWS CloudTrail Processing Library is a Java library that makes it easy to build an application that reads and processes CloudTrail log files. You can download CloudTrail Processing Library from GitHub.

Q: What functionality does CloudTrail Processing Library provide?
CloudTrail Processing Library provides functionality to handle tasks such as continuously polling an SQS queue, reading and parsing SQS messages, downloading log files stored in S3, and parsing and serializing events in the log file in a fault-tolerant manner. For more information, go to the user guide section of the CloudTrail documentation.

Q: What software do I need to start using the CloudTrail Processing Library?

You need aws-java-sdk version 1.9.3 and Java 1.7 or higher.


Q: Does CloudTrail provide a free tier?
Yes. The first copy of management events is delivered to your trail free of charge. You will be charged for any data events or additional copies of management events recorded in that region, per the published pricing plan.

Q: If I have only one trail with management events, and apply it to all regions, will I incur charges?
No. The first copy of management events is delivered free of charge in each region.

Q: If I enable Data Events on an existing trail with free management events, will I get charged?
Yes. You will only be charged for the data events. The first copy of management events is delivered free of charge.


Q: How do the AWS partner solutions help me analyze the events recorded by CloudTrail?
Multiple partners offer integrated solutions to analyze CloudTrail log files. These solutions include features like change tracking, troubleshooting, and security analysis. For more information, see the CloudTrail partners section.


Q: What other logging support is available for AWS?
Amazon S3 provides server access logging, which enables logging for requests made against Amazon S3 buckets. Amazon CloudFront provides similar access logging support for CloudFront distributions.

Q: Will turning on CloudTrail impact the performance of my AWS resources, or increase API call latency?
No. Turning on CloudTrail has no impact on performance of your AWS resources or API call latency.