
【Guidelines】Considerations for Introducing AWS CloudTrail to Corporate Organizations/Systems


Created date: 2025/05/05, Update date: 2025/05/05


AWS CloudTrail is the service that records the API activity in your AWS account.
When you implement security measures for a corporate organization or system, collecting audit logs with AWS CloudTrail is a prerequisite for almost everything else (incident investigation, compliance evidence, and detection).
This article describes the key points to consider when introducing AWS CloudTrail in your organization.

Table of Contents

  1. What is AWS CloudTrail?
  2. Considerations for Implementation
  3. Design Considerations
     ① Which events should be collected? (Management Events / Data Events / Insight Events)
     ② Which AWS accounts/regions should collect events?
  4. Related Documents

What is AWS CloudTrail?

  • AWS CloudTrail (hereafter referred to as CloudTrail) is a service that records the API calls made in your AWS account, regardless of whether they come from the AWS Management Console, the AWS CLI, an SDK, or another AWS service acting on your behalf.

  • It records three types of events: management events, data events, and insight events.

    • Management events (control-plane operations) record API calls that create, modify, or describe AWS resources, for example CreateBucket, PutRolePolicy, or DescribeInstances. Both write and read-only calls are included.
    • Data events (data-plane operations) record access to the contents of a resource, for example GetObject/PutObject on objects in an S3 bucket or Invoke on a Lambda function.
    • Insight events record unusual activity that CloudTrail detects by analyzing your management events, such as an abnormal API call rate or error rate.

Considerations for Implementation

  • By default, CloudTrail is enabled when you create an AWS account: the “event history” of management events is available in the console and via the LookupEvents API without any configuration.
    • Reference: What is AWS CloudTrail? - AWS CloudTrail
  • However, a “trail” is not created by default. Event history keeps only the last 90 days of management events, and since no log files are written, you cannot analyze them with Athena or CloudWatch Logs Insights. To retain events longer, you need a trail that delivers log files to an S3 bucket (and optionally to a CloudWatch Logs log group).
    • Reference: How CloudTrail Works - AWS CloudTrail
  • You need to create a CloudTrail trail if any of the following requirements apply:
    1. You need to record management events for more than 90 days
    2. You want to analyze events with Athena or CloudWatch Logs Insights
    3. You need to record data events or insight events (neither appears in event history)
  • Since audit logs are commonly retained for more than one year, it is strongly recommended to create a trail that records management events, enable log file validation, and protect the log bucket from deletion and modification.

Design Considerations

① Which events should be collected?

  • As mentioned above, CloudTrail can record three types of events: management events, data events, and insight events.
  • CloudTrail pricing varies depending on the type of event. If you configure it to collect all events, costs may increase, so you need to carefully consider which events to collect.
    • Reference: AWS CloudTrail pricing

Event type              Price (per 100,000 events)
Management events *1    2.00 USD
Data events             0.10 USD
Insight events *2       0.35 USD

*1: The first copy of management events delivered to an S3 bucket in each account is free. Additional copies (for example a second trail that records the same management events) are charged at this rate.
*2: Management and data events are charged per event delivered to an S3 bucket, while insight events are charged per 100,000 write management events analyzed.

Management Events

  • Collecting management events is recommended: they are the user operation history that serves as the audit log.
  • Although CloudTrail event history is active when you create an AWS account, delivery to an S3 bucket or a log group is not configured by default, so you need to create a trail and start logging.
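The steps above (bucket policy, trail, start logging) as an added, runnable example; this is not code from the original article. The bucket name, trail name, account ID, and Region are placeholders you would replace. The bucket policy is the one CloudTrail requires before it will deliver log files, with the `aws:SourceArn` condition so that only this trail can write to the bucket. boto3 is imported lazily so the policy builder can be checked without AWS credentials.

```python
"""Create a multi-Region trail that delivers management events to S3 (added example)."""
import json

REGION = "ap-northeast-1"           # assumption: home Region of the trail
ACCOUNT_ID = "111122223333"         # assumption: account that owns the trail
BUCKET = "example-cloudtrail-logs"  # assumption: log archive bucket name
TRAIL_NAME = "org-management-events"  # assumption: trail name


def trail_arn(region: str, account_id: str, trail_name: str) -> str:
    return f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"


def cloudtrail_bucket_policy(bucket: str, account_id: str, trail: str, org_id: str = "") -> dict:
    """Bucket policy CloudTrail needs in order to deliver log files.

    Both statements are restricted with aws:SourceArn so that only this trail,
    not any trail in any account, can use the bucket (confused-deputy protection).
    """
    write_resources = [f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*"]
    if org_id:
        # An organization trail writes member-account logs under AWSLogs/<org-id>/
        write_resources.append(f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": write_resources,
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail,
                    }
                },
            },
        ],
    }


def create_management_trail(org_id: str = "") -> dict:
    """Apply the bucket policy, create the trail, and start delivery (needs AWS credentials)."""
    import boto3  # imported here so the pure helpers above run without boto3 installed

    s3 = boto3.client("s3", region_name=REGION)
    ct = boto3.client("cloudtrail", region_name=REGION)
    arn = trail_arn(REGION, ACCOUNT_ID, TRAIL_NAME)
    s3.put_bucket_policy(
        Bucket=BUCKET,
        Policy=json.dumps(cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID, arn, org_id)),
    )
    params = dict(
        Name=TRAIL_NAME,
        S3BucketName=BUCKET,
        IsMultiRegionTrail=True,          # one trail covers every Region, including ones enabled later
        IncludeGlobalServiceEvents=True,  # IAM, STS, CloudFront and other global services
        EnableLogFileValidation=True,     # signed digest files let you prove logs were not altered
    )
    if org_id:
        # Only valid from the management account or a delegated administrator account
        params["IsOrganizationTrail"] = True
    trail = ct.create_trail(**params)
    ct.start_logging(Name=TRAIL_NAME)  # create_trail alone does not start delivery
    return trail


if __name__ == "__main__":
    arn = trail_arn(REGION, ACCOUNT_ID, TRAIL_NAME)
    print(json.dumps(cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID, arn), indent=2))
```

Run it as-is to print the bucket policy; call `create_management_trail()` (or `create_management_trail("o-xxxxxxxxxx")` for an organization trail) with credentials that can manage S3 and CloudTrail. If the bucket should also be encrypted with a customer managed KMS key, pass `KmsKeyId` to `create_trail` and grant `cloudtrail.amazonaws.com` the corresponding key policy permissions.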

Data Events

  • Data events record access to the contents of resources, such as reads and writes of objects in S3 buckets and invocations of Lambda functions.
  • Management events record bucket-level operations (CreateBucket, PutBucketPolicy, and so on) but not object-level operations such as GetObject or PutObject, so without data events you cannot see who read or wrote an object. This includes access by principals in other AWS accounts: when data events are enabled on the bucket owner's trail, object access from outside the account is recorded there as well.
  • You can select which resources’ data events to record from the following:
    • Reference: Logging Data Events with CloudTrail
- AWS::CloudTrail::Channel
- AWS::CodeWhisperer::Customization
- AWS::CodeWhisperer::Profile
- AWS::Cognito::IdentityPool
- AWS::DynamoDB::Stream
- AWS::DynamoDB::Table
- AWS::EC2::Snapshot
- AWS::EMRWAL::Workspace
- AWS::FinSpace::Environment
- AWS::Glue::Table
- AWS::GuardDuty::Detector
- AWS::KendraRanking::ExecutionPlan
- AWS::KinesisVideo::Stream
- AWS::Lambda::Function
- AWS::ManagedBlockchain::Network
- AWS::ManagedBlockchain::Node
- AWS::MedicalImaging::Datastore
- AWS::PCAConnectorAD::Connector
- AWS::S3::AccessPoint
- AWS::S3::Object
- AWS::S3ObjectLambda::AccessPoint
- AWS::S3Outposts::Object
- AWS::SageMaker::Endpoint
- AWS::SageMaker::ExperimentTrialComponent
- AWS::SageMaker::FeatureGroup
- AWS::SNS::PlatformEndpoint
- AWS::SNS::Topic
- AWS::SSMMessages::ControlChannel
- AWS::Timestream::Database
- AWS::Timestream::Table
- AWS::VerifiedPermissions::PolicyStore

  • The purpose of recording varies by resource type, so select only the resources you actually need rather than enabling data events for everything.
    • For example, by recording data events for an S3 bucket, you obtain a per-object change history (who created, overwrote, or deleted which object, and when).
  • Note that data events are delivered reliably, whereas S3 server access logs are delivered on a best-effort basis and may have gaps.
    • Reference: How to deal with missing access logs in S3 server access logs | DevelopersIO
  • On the other hand, server access logs are commonly used for the buckets that receive Config or CloudTrail logs created by Control Tower, and the AWS Foundational Security Best Practices standard recommends enabling server access logging.
    • Reference: AWS Foundational Security Best Practices v1.0.0 (FSBP) standard - AWS Security Hub
  • The lack of guaranteed completeness may be a concern, but since data events are charged per event and high-traffic buckets generate a lot of them, accepting that gap and relying on server access logs for such buckets is a legitimate option. Enabling data events only for the buckets that hold sensitive data is a common compromise.
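Scoping data events to a few buckets, as discussed above, is done with advanced event selectors. The following is an added example (not from the original article): it keeps all management events, enables S3 object-level events only for the named buckets, and skips the bucket that receives the trail's own log files, which would otherwise log one PutObject per delivered file. The trail and bucket names are assumptions.

```python
"""Enable S3 data events only for selected buckets via advanced event selectors (added example)."""

TRAIL_NAME = "org-management-events"  # assumption: existing trail name
LOG_BUCKET = "example-cloudtrail-logs"  # assumption: bucket that receives the trail's log files


def s3_data_event_selectors(buckets, read_only=None):
    """Build the AdvancedEventSelectors list for PutEventSelectors.

    The first selector records every management event. The second records
    data events for objects in `buckets` only. `read_only=True` limits this to
    reads (GetObject etc.), `read_only=False` to writes, None records both.
    Within one selector, all field selectors must match (AND); the values of a
    single field are alternatives (OR).
    """
    selectors = [
        {
            "Name": "All management events",
            "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}],
        }
    ]
    # Never turn on data events for the log archive bucket itself
    wanted = [b for b in buckets if b != LOG_BUCKET]
    if wanted:
        fields = [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            # Prefix match on the object ARN covers every object in each bucket
            {"Field": "resources.ARN", "StartsWith": [f"arn:aws:s3:::{b}/" for b in wanted]},
        ]
        if read_only is not None:
            fields.append({"Field": "readOnly", "Equals": ["true" if read_only else "false"]})
        selectors.append({"Name": "S3 object events for selected buckets", "FieldSelectors": fields})
    return selectors


def apply_selectors(buckets, read_only=None):
    """Replace the trail's event selectors (needs AWS credentials)."""
    import boto3  # lazy import so the builder above runs without boto3 installed

    ct = boto3.client("cloudtrail")
    return ct.put_event_selectors(
        TrailName=TRAIL_NAME,
        AdvancedEventSelectors=s3_data_event_selectors(buckets, read_only),
    )


if __name__ == "__main__":
    import json

    # Write-only data events for two sensitive buckets; the log bucket is dropped
    print(json.dumps(s3_data_event_selectors(["customer-data", "finance-reports", LOG_BUCKET], read_only=False), indent=2))
```

PutEventSelectors replaces the whole selector set, so always include the management-event selector; omitting it would silently stop recording management events on that trail.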

Insight Events

  • Insight events are generated when CloudTrail's analysis of your management events detects behavior that deviates from the account's normal baseline.
    • API call rate insights flag an unusually high volume of write management events.
    • API error rate insights flag an unusually high proportion of failed management events (read or write).
  • Typical causes of such anomalies include:
    • Malicious API access, for example an attacker enumerating permissions or mass-creating resources with stolen credentials
    • Application bugs, such as a retry loop hammering an API
    • Access denied errors caused by a permission misconfiguration in IAM policies or SCPs
  • Since insight events are charged per write management event analyzed, the cost scales with how busy the account is, so consider carefully whether to enable them.
  • Because the baseline is learned from the account's own history, a production environment with bursty, infrequent changes (for example a large deployment after a quiet period) can trigger insight events that are not security incidents; enable them where the signal is worth triaging.

② Which AWS accounts/regions should collect events?

  • Since CloudTrail is usually required as an audit log, it is generally recommended to record events for every AWS account in the organization. The simplest way to achieve this is an organization trail created in the management account (or a delegated administrator account), which automatically covers all member accounts, including ones created later; a multi-Region trail also covers Regions that are enabled later.
  • However, you may choose not to create additional per-account trails for accounts whose usable Regions are restricted by SCPs, or for accounts where changes are infrequent. Keep in mind that the management account is the highest-value target in an organization, so its activity should always be recorded even when it is rarely used.

Related Documents

  • What Is AWS CloudTrail? - AWS CloudTrail


©2025 ContAID