AWS CloudTrail Flashcards
What types of logs am I capturing in CloudTrail?
You are capturing account activity and management events, such as API calls made by users from the CLI, the SDKs, or the AWS Management Console.
What are some benefits of using CloudTrail to capture logs across my organization?
- Governance
- Compliance
- Operational and risk auditing of your AWS accounts
I need to collect AWS resource-level API event information for S3 and Lambda; what options do I have?
Enable data events when creating the trail (or add them to an existing trail). You can select individual S3 buckets or Lambda functions, or turn data events on for all buckets or all functions. Data events are billed separately from management events.
Is the use of AWS CloudTrail free?
Partly. Event history (the last 90 days of management events) can be viewed and downloaded free of charge, and the first copy of management events delivered to S3 in each region is free. Beyond that you pay for S3 storage, data events, CloudTrail Insights, additional copies of management events, and any storage, search and visualization service you send the logs to.
Where can I store CloudTrail logs?
- An S3 bucket (a trail delivers compressed log files there)
- CloudWatch Logs (an optional delivery target of a trail)
- A CloudTrail Lake event data store (queryable inside CloudTrail)
If I have issues understanding who would delete certain resources, what service could I use to understand this?
CloudTrail is ideal for this, as it captures all management API calls (such as Delete* operations) across your accounts; the userIdentity field of the event tells you who made the call.
for compliance reasons, I have to have my management data encrypted at rest. Is this something that AWS CloudTrail does out of the box
Yes. Log files delivered to S3 are encrypted at rest by default with Amazon S3-managed keys (SSE-S3); you can optionally use a KMS key (SSE-KMS).
As part of regulatory, I need to capture all changes in AWS and also ensure the data can not be seen if the log data file was taken by hackers, I also need to ensure the log data files not tampered with, what are my best options?
- Use CloudTrail to capture all changes in AWS
- Use the advanced option of the trail to encrypt the log files with SSE-KMS, so the files are unreadable without access to the KMS key
- Enable log file integrity validation, so CloudTrail also delivers signed digest files that let you prove the log files were not modified or deleted after delivery
I have created a CloudTrail and I need to be able to know when files are delivered to the S3 bucket, what options do I have?
You can use the CloudTrail advanced option for SNS notification and select an SNS topic; CloudTrail publishes a message for every log file it delivers to the bucket.
How long will cloud trail retain logs?
Event history lets you search back 90 days. If you have a trail delivering logs to S3, the log files are retained until you delete them; use S3 lifecycle rules to expire the log files as needed.
In AWS, what is the limit of the number of trails I can create in any single account?
5: In AWS CloudTrail, you can create up to five trails per AWS Region within a single account. This limit applies to both single-region and multi-region trails; a multi-region trail counts as one trail in each Region it applies to.
When CloudTrail pushes logs to the S3 bucket, are they encrypted by default?
- Yes. By default CloudTrail encrypts the log files with SSE-S3 before placing them in the S3 bucket.
How do I get charged for CloudTrail?
AWS CloudTrail allows you to view and download the last 90 days of your account activity for create, modify, and delete operations of supported services free of charge. There is no charge from AWS CloudTrail for creating a CloudTrail trail and the first copy of management events within each region is delivered to the S3 bucket specified in your trail free of charge.
If I have only one trail with management Events, and apply it to all regions, will I incur charges?
No CloudTrail charges. The first copy of management events is delivered free of charge in each region; standard S3 storage charges for the log files still apply.
I need to process CloudTrail logs using a Java application I am creating; what are my options?
The AWS CloudTrail Processing Library is a Java library that polls an SQS queue subscribed to the trail's SNS topic, fetches each newly delivered log file from S3, parses it, and hands the individual events to your handler code.
What is CloudTrail log file integrity validation?
CloudTrail log file integrity validation feature allows you to determine whether a CloudTrail log file was unchanged, deleted, or modified since CloudTrail delivered it to the specified Amazon S3 bucket.
What is the benefit of CloudTrail log file integrity validation?
It ensures the logs delivered to S3 have not been tampered with (modified or deleted) after delivery, which is what an auditor or a forensic investigation needs to rely on them.
If I choose to use SSE-KMS with CloudTrail, will I be charged?
Yes. Standard AWS KMS charges apply for the key and for the encryption API requests CloudTrail makes.
How often will CloudTrail deliver log files to my Amazon S3 bucket?
CloudTrail delivers log files to your S3 bucket approximately every 5 minutes.
How long does it take CloudTrail to deliver an event for an API call?
Typically, CloudTrail delivers an event within 15 minutes of the API call.
What will CloudTrail log for you?
By default, all management (control plane) API calls to your accounts, but not data plane operations inside a service or resource. You can enable capture of those as data events, for example for S3 object operations and Lambda function invocations.
I need to keep my audit logs from AWS for two years; how can I do this?
Set up a CloudTrail trail that delivers the logs to an S3 bucket. The files stay there until you delete them, so a lifecycle rule that expires them after two years (or later) meets the requirement.
I need to have my CloudTrail logs sent to Lambda; is this possible, and if so, how?
A trail does not invoke Lambda directly. Have the trail deliver log files to S3 and trigger a Lambda function from the bucket's object-created notification (or from the trail's SNS topic), or route the events through EventBridge or a CloudWatch Logs subscription filter to a function.
If I have CloudTrail apply to all regions and AWS adds a new region, what will happen by default?
Nothing needs to change: a multi-region trail automatically starts logging in the new region.
I want to collect all CloudTrail logs into a single bucket; how can I do this?
Create a multi-region trail that delivers to one S3 bucket; for multiple accounts, use an organization trail. Each account's logs land in the bucket under an AWSLogs/<account-id>/ prefix.
I am setting up an account structure in AWS with AWS Organizations, and I want to have CloudTrail automatically added to any new account added to my organization; how can I do this?
Create an organization trail from the management account. CloudTrail applies it to all current member accounts and automatically to any account that later joins the organization.
What are management events in CloudTrail?
They are control plane events, such as a console login, creating an IAM user, or attaching a policy. A trail records management events by default; read-only and write-only events can be selected separately.
My org has the policy to encrypt all data at rest, how can I deal with this in CloudTrail or do I need to implement a third-party tool or service?
No third-party tool is needed. Log files in S3 are already encrypted with SSE-S3 by default; when creating a trail you can instead select SSE-KMS to encrypt the data in the S3 bucket with a KMS key you control.
I am implementing a government AWS solution, and one of the requirements is to ensure that the logs from CloudTrail have not been tampered with; what is my best method to architect for this?
Enable log file validation when creating the trail. CloudTrail then delivers an hourly digest file that contains the SHA-256 hash of every log file delivered in that hour and the hash of the previous digest file, forming a chain; each digest file is signed with CloudTrail's private key. You can check the chain with the aws cloudtrail validate-logs CLI command.
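The checks behind log file integrity validation (this flashcard and the earlier one on what validation is), as an added example that is not part of the original flashcards and not AWS's own validate-logs code. It runs offline on constructed data: it builds a digest file in the real digest layout, verifies every listed log file's SHA-256, checks the chain link to the previous digest, and assembles the string the RSA signature covers. The RSA verification itself is omitted because it needs CloudTrail's public key (aws cloudtrail list-public-keys); bucket names, keys and timestamps are made up.

```python
# Added example: CloudTrail digest verification on constructed data.
import gzip
import hashlib
import json

BUCKET = "example-trail-bucket"  # assumed bucket name


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_gz_json(obj):
    """Bytes of an object as CloudTrail stores it in S3: gzip-compressed JSON."""
    return gzip.compress(json.dumps(obj, sort_keys=True).encode("utf-8"))


def build_digest(account, log_objects, previous_digest_bytes, previous_digest_key):
    """Construct a digest file covering log_objects ({s3 key: bytes}).
    Field names follow the real digest file format; values are sample data."""
    digest = {
        "awsAccountId": account,
        "digestStartTime": "2024-05-01T13:00:00Z",
        "digestEndTime": "2024-05-01T14:00:00Z",
        "digestS3Bucket": BUCKET,
        "digestS3Object": f"AWSLogs/{account}/CloudTrail-Digest/us-east-1/2024/05/01/"
                          f"{account}_CloudTrail-Digest_us-east-1_trail_us-east-1_20240501T140000Z.json.gz",
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestS3Bucket": BUCKET if previous_digest_key else None,
        "previousDigestS3Object": previous_digest_key,
        "previousDigestHashValue": sha256_hex(previous_digest_bytes) if previous_digest_bytes else None,
        "previousDigestHashAlgorithm": "SHA-256",
        # Hash is taken over the log object exactly as stored (the gzipped bytes).
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": key, "hashValue": sha256_hex(blob), "hashAlgorithm": "SHA-256"}
            for key, blob in sorted(log_objects.items())
        ],
    }
    return make_gz_json(digest)


def verify_digest(digest_bytes, objects, previous_digest_bytes=None):
    """Check each log file listed in the digest against `objects` ({s3 key: bytes}
    fetched from the bucket) and the chain link to the previous digest.
    Returns {s3 key: "ok" | "missing" | "modified"} plus a "previous_digest"
    entry of "ok" | "broken" | "unchecked"."""
    digest = json.loads(gzip.decompress(digest_bytes))
    result = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        blob = objects.get(key)
        if blob is None:
            result[key] = "missing"      # deleted from the bucket after delivery
        elif sha256_hex(blob) != entry["hashValue"]:
            result[key] = "modified"     # bytes differ from what CloudTrail delivered
        else:
            result[key] = "ok"
    expected_prev = digest.get("previousDigestHashValue")
    if previous_digest_bytes is None or expected_prev is None:
        result["previous_digest"] = "unchecked"
    elif sha256_hex(previous_digest_bytes) == expected_prev:
        result["previous_digest"] = "ok"
    else:
        result["previous_digest"] = "broken"
    return result


def string_to_sign(digest_bytes, previous_signature_hex):
    """Data the digest signature covers (layout as assumed from the published
    validation procedure): digestEndTime, bucket/key of this digest, SHA-256 of
    this digest file, and the previous digest's signature, newline-separated.
    Verifying it requires CloudTrail's RSA public key, which is not done here."""
    d = json.loads(gzip.decompress(digest_bytes))
    return "\n".join([d["digestEndTime"], f'{d["digestS3Bucket"]}/{d["digestS3Object"]}',
                      sha256_hex(digest_bytes), previous_signature_hex])


def demo():
    """Happy path, a tampered file, a deleted file and a broken chain."""
    acct = "111122223333"
    log_key = f"AWSLogs/{acct}/CloudTrail/us-east-1/2024/05/01/{acct}_CloudTrail_us-east-1_20240501T1305Z_abc123.json.gz"
    logs = {log_key: make_gz_json({"Records": [{"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket"}]})}
    prev_key = f"AWSLogs/{acct}/CloudTrail-Digest/us-east-1/2024/05/01/{acct}_CloudTrail-Digest_us-east-1_trail_us-east-1_20240501T130000Z.json.gz"
    prev_digest = build_digest(acct, {}, None, None)      # first digest in the chain
    digest = build_digest(acct, logs, prev_digest, prev_key)
    return {
        "clean": verify_digest(digest, logs, prev_digest)[log_key],
        "tampered": verify_digest(digest, {log_key: make_gz_json({"Records": []})}, prev_digest)[log_key],
        "deleted": verify_digest(digest, {}, prev_digest)[log_key],
        "chain_ok": verify_digest(digest, logs, prev_digest)["previous_digest"],
        "chain_broken": verify_digest(digest, logs, b"not the previous digest")["previous_digest"],
        "sign_input_lines": len(string_to_sign(digest, "00").split("\n")),
    }


if __name__ == "__main__":
    print(demo())
```

The verification must run from a copy of the bucket you trust, and the first digest of a chain (no previousDigestHashValue) cannot be linked backwards; a gap or a "broken" link there is exactly what an attacker who deleted digest files would leave behind.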
I am setting up a CloudTrail trail and I want to be notified when a log file is delivered to S3; is this possible?
Yes. When creating a trail, there is an option to publish a notification to an SNS topic for each log file delivery.
Is CloudTrail free?
Partly. The first copy of management events in each region is free, and event history is free. Data events, Insights events, additional copies of management events, CloudTrail Lake, and S3 storage of the log files are charged.
I want to count the number of CloudTrail log events arriving; how can I architect this?
Have the trail deliver events to CloudWatch Logs (an option when setting up the trail) and define a metric filter on the log group; the resulting metric gives you the count and can drive an alarm.
What is the function of AWS CloudTrail?
AWS CloudTrail records the AWS API calls made in one region or all regions of an account; with AWS Organizations, an organization trail records all regions in all accounts belonging to the organization.
At 1 PM today we saw an S3 bucket get deleted; we want to know who deleted the S3 bucket. How can we find this out?
Using AWS CloudTrail, search for the DeleteBucket event around that time (in event history, or in the S3 log files with Athena). CloudTrail records all management API calls, and the event's userIdentity, sourceIPAddress and requestParameters.bucketName tell you who, from where, and which bucket.
What are the two delivery destinations of a CloudTrail trail?
- S3 (compressed log files)
- CloudWatch Logs (optional, for near-real-time monitoring)
Events are also published to EventBridge, where rules can target Lambda and other services.
Describe the Cloudtrail event you need to look for when a user logs in to AWS account?
An event with eventSource = 'signin.amazonaws.com' and eventName = 'ConsoleLogin'. The userIdentity.userName field names the user (for example 'Roger'), responseElements.ConsoleLogin shows 'Success' or 'Failure', and additionalEventData.MFAUsed shows whether MFA was used.
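The two lookups above (who deleted a bucket, and which console logins happened), as an added example that is not part of the original flashcards. It parses log files in the format a trail delivers to S3 (gzip-compressed JSON with a top-level "Records" array) and resolves the actor from userIdentity, including assumed-role sessions. All records, names, account IDs and IP addresses are constructed sample data.

```python
# Added example: answering "who did this?" from CloudTrail log files.
import gzip
import json

# Constructed sample records; field names match real CloudTrail records.
SAMPLE_RECORDS = [
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Roger",
                         "accountId": "111122223333", "userName": "Roger"},
        "eventTime": "2024-05-01T12:58:10Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"},
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                         "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/alice",
                         "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "AdminRole"}}},
        "eventTime": "2024-05-01T13:02:41Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"bucketName": "finance-reports"},
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Bob",
                         "accountId": "111122223333", "userName": "Bob"},
        "eventTime": "2024-05-01T13:05:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.99",
        "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"},
    },
]


def make_log_file(records):
    """Bytes of a CloudTrail log object as a trail stores it in S3 (gzipped JSON)."""
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


def read_log_file(blob):
    """Decompress a log object and return its list of records."""
    return json.loads(gzip.decompress(blob).decode("utf-8"))["Records"]


def actor(record):
    """Human-readable identity: IAM user, role plus session name, or root."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "IAMUser":
        return ident.get("userName")
    if kind == "AssumedRole":
        role = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
        session = ident.get("arn", "").rsplit("/", 1)[-1]   # last ARN segment is the session name
        return f"{role} (session {session})"
    if kind == "Root":
        return "root"
    return ident.get("arn") or kind or "unknown"


def who_deleted_bucket(records, bucket_name):
    """(eventTime, actor, sourceIPAddress) for every DeleteBucket call on bucket_name."""
    return [
        (r["eventTime"], actor(r), r.get("sourceIPAddress"))
        for r in records
        if r.get("eventSource") == "s3.amazonaws.com"
        and r.get("eventName") == "DeleteBucket"
        and r.get("requestParameters", {}).get("bucketName") == bucket_name
    ]


def console_logins(records):
    """One dict per ConsoleLogin event: who, from where, whether it succeeded, MFA used."""
    out = []
    for r in records:
        if r.get("eventSource") != "signin.amazonaws.com" or r.get("eventName") != "ConsoleLogin":
            continue
        out.append({
            "user": actor(r),
            "ip": r.get("sourceIPAddress"),
            "success": r.get("responseElements", {}).get("ConsoleLogin") == "Success",
            "mfa": r.get("additionalEventData", {}).get("MFAUsed") == "Yes",
        })
    return out


if __name__ == "__main__":
    records = read_log_file(make_log_file(SAMPLE_RECORDS))
    print(who_deleted_bucket(records, "finance-reports"))
    print(console_logins(records))
```

For a role session the role name alone is not the answer: the session name (and, for federated sign-ins, the identity provider details in sessionContext) is what points back at a person, so keep both in the output.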
I need to capture management logs for all AWS accounts across all regions and in all my AWS accounts. What is the best way to do this?
Recommended approach: use an AWS CloudTrail organization trail.
1. Set up AWS Organizations (if not already)
Ensure all your AWS accounts are part of an AWS Organization. Use AWS Organizations to centrally manage accounts and apply policies.
2. Create a CloudTrail organization trail
- Sign in to the management account (root of the organization).
- Go to the CloudTrail console and create a new trail.
- Choose the option to apply the trail to all accounts in the organization.
- Enable management events (control plane operations like CreateUser, DeleteBucket, etc.), all regions (so every AWS Region, including ones added later, is captured automatically), and log file validation for integrity.
- Choose an S3 bucket in a secure central logging account to store the logs.
- Optionally configure CloudWatch Logs for real-time alerting and monitoring, and an SNS topic for delivery notifications.
3. Verify and enforce logging across accounts
- CloudTrail automatically creates the organization trail in each member account.
- All events are stored in the centralized S3 bucket.
- Use Service Control Policies (SCPs) that deny cloudtrail:StopLogging, cloudtrail:DeleteTrail and cloudtrail:UpdateTrail in member accounts so logging cannot be disabled or modified.
4. Monitor and audit
- Use Amazon Athena to query the logs stored in S3.
- Use AWS Config or Security Hub for compliance checks.
- Set up CloudWatch alarms to monitor unusual activity.
🔐 Security Best Practices
- Enable encryption (SSE-KMS) on the S3 bucket.
- Use a bucket policy that allows writes only from the CloudTrail service principal and restricts reads to security personnel.
- Enable versioning with MFA delete (or S3 Object Lock) to prevent tampering.
✅ Summary of Benefits:
- Organization Trail: centralized logging across all accounts
- All Regions: automatically includes new AWS Regions
- Central S3 Bucket: single location for all logs
- SCPs: prevent accidental or malicious tampering
- Real-time Monitoring: enables alerts with CloudWatch or Security Hub
List the destinations where you can send CloudTrail logs.
Native AWS destinations:
- Amazon S3
- Amazon CloudWatch Logs
- Amazon EventBridge (formerly CloudWatch Events)
- AWS Lake Formation / Amazon Athena (via S3)
- Amazon OpenSearch Service (via Lambda or Firehose)
- AWS Glue
Third-party SIEMs and monitoring tools (fed from S3, CloudWatch Logs or EventBridge), for example:
- Splunk
- Datadog
- Sumo Logic
- SentinelOne
- QRadar
Does AWS CloudTrail capture data events?
Not by default. Data events are high-volume and billed separately, so a trail records only management events unless you enable data events for the resources you care about (for example S3 object operations or Lambda invocations).
I want to detect anomalies within my AWS accounts. How can I capture these types of anomalies?
You can enable AWS CloudTrail Insights on the trail. It establishes a baseline of your normal API call rates and error rates and raises Insights events when activity deviates from it. Such anomalies could be inaccurate resource provisioning, hitting service limits, bursts of AWS IAM actions, or gaps in periodic maintenance activities.
When using AWS CloudTrail Insights, where are the events sent?
Insights events are viewable in the CloudTrail console, delivered to the trail's S3 bucket (under a CloudTrail-Insight prefix) and to CloudWatch Logs if configured, and published to EventBridge, where you can route them to alerts.
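The baseline-then-deviation idea behind Insights, as an added example that is not part of the original flashcards and is not CloudTrail Insights' own algorithm (which AWS does not publish). It counts write API calls per minute, learns a baseline from a learning window, and flags minutes that exceed mean plus three standard deviations and a minimum floor; the timestamps, the window length and the thresholds are this example's assumptions.

```python
# Added example: a simple rate-baseline anomaly detector on constructed timestamps.
from collections import Counter
from datetime import datetime, timedelta, timezone
import statistics

MINUTE = timedelta(minutes=1)


def per_minute_counts(event_times):
    """Map each minute (as a datetime) to the number of events in it."""
    return Counter(t.replace(second=0, microsecond=0) for t in event_times)


def detect_bursts(event_times, learning_minutes=120, sigma=3.0, floor=10):
    """Return [(minute, count, threshold)] for minutes after the learning window
    whose call count exceeds the baseline. The baseline is mean + sigma * stdev of
    the per-minute counts in the learning window (empty minutes count as zero),
    with a floor so a very quiet baseline does not flag ordinary activity."""
    if not event_times:
        return []
    counts = per_minute_counts(event_times)
    start = min(counts)
    learn_end = start + learning_minutes * MINUTE
    learning = [counts.get(start + i * MINUTE, 0) for i in range(learning_minutes)]
    mean = statistics.mean(learning)
    stdev = statistics.pstdev(learning)
    threshold = max(floor, mean + sigma * stdev)
    return [
        (minute, count, threshold)
        for minute, count in sorted(counts.items())
        if minute >= learn_end and count > threshold
    ]


def constructed_events():
    """Two hours of 1-3 write calls per minute, then a burst of 60 calls in one
    minute (e.g. an IAM enumeration or a runaway script), then normal again."""
    base = datetime(2024, 5, 1, 0, 0, tzinfo=timezone.utc)
    times = []
    for i in range(120):
        for _ in range(1 + i % 3):
            times.append(base + i * MINUTE + timedelta(seconds=5))
    times += [base + 120 * MINUTE + timedelta(seconds=s) for s in range(60)]
    times += [base + 121 * MINUTE + timedelta(seconds=s) for s in (1, 2, 3)]
    return times


if __name__ == "__main__":
    for minute, count, threshold in detect_bursts(constructed_events()):
        print(f"{minute.isoformat()} {count} calls (threshold {threshold:.1f})")
```

Insights works on the trail's management events without you writing any of this; the example is useful when you need the same idea on a log source Insights does not cover, or to understand why a one-off spike during the learning window would inflate the baseline.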
When using AWS CloudTrail, I want to keep the data after 90 days and have it so that I can query it. How can I do this? Can I do it in CloudTrail itself?
Event history only keeps 90 days. For longer retention you can either use a CloudTrail Lake event data store, which keeps and queries events inside CloudTrail for the retention period you choose, or have a trail deliver the logs to S3 and query them with Amazon Athena.
If I set up an AWS organizational trail, what am I doing?
You are setting up an organization-wide capture of all events from all accounts belonging to that organization. The trail is managed from the management account, and the events from every member account are delivered to the S3 bucket configured on the organization trail.