AWS CloudTrail¶
Definition¶
AWS CloudTrail is the AWS service that records API activity across the AWS account — every control-plane call (creating an EC2 instance, modifying an IAM policy, deleting an S3 bucket) is logged with caller identity, timestamp, source IP, and request/response details. CloudTrail is the canonical audit-log substrate for AWS.
In cyber-resilience designs, CloudTrail plays two roles:
- Investigation timeline source — the primary substrate for reconstructing what happened during a cyber event.
- MPA approval audit trail — Multi-party approval actions are recorded as CloudTrail management events.
Role 1: Investigation timeline source¶
Stage 1 of the canonicalising source's recovery workflow:
"Query AWS CloudTrail, Amazon VPC Flow Logs, Amazon GuardDuty findings, AWS Security Hub, and workload logs to identify the earliest indicator of the event. That timestamp becomes the event boundary, and only recovery points created before it are candidates for restore."
CloudTrail is the first source listed because it captures control-plane activity — the most useful signal for understanding adversary actions:
- Identity changes — IAM policy modifications, role creations, trust policy changes.
- Resource creations / deletions — what the adversary stood up or tore down.
- Configuration changes — security group modifications, VPC changes, S3 bucket policy changes.
- Data exfiltration patterns — repeated S3 GetObject calls, Athena queries, RDS snapshot exports.
Composes with compromise-boundary RP selection — CloudTrail is what pushes the event boundary back as far as evidence supports.
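The Stage 1 workflow quoted above, reduced to code: scan CloudTrail records for the indicator categories listed (identity, resource, configuration, exfiltration), take the earliest as the event boundary, and keep only recovery points created before it. This is an added example, not code from the source document or from AWS; the records, the recovery points, the indicator watchlist and the GetObject burst threshold are all constructed for illustration.

```python
"""Derive an event boundary from CloudTrail records and filter recovery
points against it. Added example; the records and recovery points below
are constructed, not exported from a real account."""
from datetime import datetime, timezone

# Management events standing in for the categories listed above. The
# grouping is an illustrative assumption; a real watchlist is workload-specific.
INDICATOR_EVENTS = {
    "identity": {"CreateRole", "UpdateAssumeRolePolicy", "PutRolePolicy",
                 "AttachUserPolicy", "CreateAccessKey"},
    "resource": {"RunInstances", "TerminateInstances", "DeleteBucket",
                 "DeleteDBInstance", "DeleteBackupVault"},
    "config": {"AuthorizeSecurityGroupIngress", "PutBucketPolicy",
               "StopLogging", "DeleteTrail"},
}
# Data-plane reads are only present when S3 data events are enabled on the
# trail; their volume, not a single call, is the exfiltration signal.
EXFIL_READ_EVENTS = {"GetObject"}
EXFIL_THRESHOLD = 3  # constructed threshold for the sample data


def parse_time(stamp: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(record: dict):
    """Map a record to an indicator category, or None if it is not one."""
    name = record["eventName"]
    for category, names in INDICATOR_EVENTS.items():
        if name in names:
            return category
    return None


def find_event_boundary(records):
    """Return (boundary, indicators): the earliest indicator timestamp and the
    time-sorted list of (time, category, detail, principal) supporting it."""
    indicators = []
    reads_by_principal = {}
    for rec in records:
        when = parse_time(rec["eventTime"])
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        category = classify(rec)
        if category:
            indicators.append((when, category, rec["eventName"], who))
        elif rec["eventName"] in EXFIL_READ_EVENTS:
            reads_by_principal.setdefault(who, []).append(when)
    for who, times in reads_by_principal.items():
        if len(times) >= EXFIL_THRESHOLD:
            # The boundary moves back to the first read of the burst.
            indicators.append((min(times), "exfiltration",
                               f"{len(times)}x GetObject", who))
    indicators.sort()
    boundary = indicators[0][0] if indicators else None
    return boundary, indicators


def candidate_recovery_points(recovery_points, boundary):
    """Only recovery points created before the boundary are restore candidates.
    Padding the boundary by a safety margin is a design choice not shown here."""
    if boundary is None:
        return list(recovery_points)
    return [rp for rp in recovery_points if parse_time(rp["creationTime"]) < boundary]


def _rec(time, name, arn, source):
    """Build a minimal constructed CloudTrail record."""
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "userIdentity": {"arn": arn}}


# Constructed sample: a CI role reads three objects, then mints a key,
# rewrites a bucket policy and finally deletes a backup vault.
ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"
USER = "arn:aws:iam::111122223333:user/alice"
SAMPLE_RECORDS = [
    _rec("2026-05-01T08:00:00Z", "ConsoleLogin", USER, "signin.amazonaws.com"),
    _rec("2026-05-01T08:40:00Z", "GetObject", ROLE, "s3.amazonaws.com"),
    _rec("2026-05-01T08:41:00Z", "GetObject", ROLE, "s3.amazonaws.com"),
    _rec("2026-05-01T08:42:00Z", "GetObject", ROLE, "s3.amazonaws.com"),
    _rec("2026-05-01T09:15:00Z", "CreateAccessKey", ROLE, "iam.amazonaws.com"),
    _rec("2026-05-01T10:30:00Z", "PutBucketPolicy", ROLE, "s3.amazonaws.com"),
    _rec("2026-05-02T02:00:00Z", "DeleteBackupVault", ROLE, "backup.amazonaws.com"),
]
SAMPLE_RECOVERY_POINTS = [
    {"id": "rp-1", "creationTime": "2026-04-30T23:00:00Z"},
    {"id": "rp-2", "creationTime": "2026-05-01T08:30:00Z"},
    {"id": "rp-3", "creationTime": "2026-05-01T23:00:00Z"},
    {"id": "rp-4", "creationTime": "2026-05-02T23:00:00Z"},
]

if __name__ == "__main__":
    boundary, indicators = find_event_boundary(SAMPLE_RECORDS)
    print("event boundary:", boundary.isoformat())
    for when, category, detail, who in indicators:
        print(f"  {when.isoformat()} {category:13} {detail} by {who}")
    candidates = candidate_recovery_points(SAMPLE_RECOVERY_POINTS, boundary)
    print("candidate recovery points:", [rp["id"] for rp in candidates])
```

On the sample data the boundary lands at 08:40, the first read of the GetObject burst, so rp-1 and rp-2 remain candidates and rp-3 and rp-4 are excluded. Drop the GetObject records (the situation when S3 data events are not logged) and the boundary moves forward to the 09:15 CreateAccessKey call, which is the concrete sense in which data events push the boundary back.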
Role 2: MPA approval audit trail¶
Verbatim from the canonicalising source:
"If the vault is configured with Multi-party approval, the predefined approvers authorize the restore, and the approval action is automatically recorded as an AWS CloudTrail management event."
The MPA approval is captured as a CloudTrail management event with:
- Approver identity (Identity Center user).
- Action authorised (specific restore).
- Timestamp.
- Source IP / user agent.
This provides:
- Tamper-evident audit trail — with log file integrity validation enabled and the log bucket protected (see Storage and retention), the principal whose actions are recorded cannot alter the record without the change being detectable.
- Compliance evidence — for regulators / auditors.
- Post-incident review — reconstruct who approved what and when.
Event types¶
CloudTrail records several event types relevant to cyber-resilience:
| Event type | What it covers | Example |
|---|---|---|
| Management events | Control-plane API calls | IAM:CreateRole, S3:PutBucketPolicy |
| Data events | Data-plane API calls (opt-in for cost reasons) | S3:GetObject, Lambda:Invoke |
| Insights events | Anomalous management-event patterns | Sudden spike in IAM role creations |
For cyber-event investigation:
- Management events are essential — every cyber-resilience design should have all-region multi-account management-event logging enabled.
- Data events for sensitive resources (e.g. S3 buckets with customer data) help reconstruct exfiltration patterns; cost consideration applies.
- Insights events are valuable for detection (anomaly signal) but less critical for the recovery workflow.
Storage and retention¶
CloudTrail log files are typically delivered to S3. For cyber-resilience:
- Multi-account, organization-wide trail — captures activity across the whole AWS Organization in one trail.
- Log file integrity validation — CloudTrail can sign log files for tamper-evidence.
- Long retention — retention should extend beyond plausible detection latency (consistent with vault retention sizing).
- Object Lock on the CloudTrail S3 bucket — to protect the audit trail itself from deletion (recursive cyber-resilience: the audit trail of the audit trail).
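Log file integrity validation works by CloudTrail delivering hourly digest files: each digest lists the SHA-256 hash of every log file delivered in that hour and the hash of the previous digest, forming a chain, and each digest is signed. The following added example (not AWS code, and not from the source document) rebuilds such a chain on constructed in-memory objects and verifies the hash links, which is enough to show how a deleted or edited log file surfaces. It assumes hashes are taken over the uncompressed object content and omits the RSA signature check; the `aws cloudtrail validate-logs` command performs the full validation including signatures.

```python
"""Walk a CloudTrail digest chain and verify its hash links. Added example,
not AWS code: digests here are built locally in the documented digest layout
(logFiles[].hashValue, previousDigestHashValue) so it runs offline. Hashes
are taken over uncompressed object content, an assumption of this example;
confirm the encoding against the digest-file documentation before pointing
it at real objects. Digest signatures are not checked here."""
import hashlib
import json
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_digest(log_objects: dict, previous_digest: Optional[bytes]) -> dict:
    """Local stand-in for the digest CloudTrail would deliver for these
    objects. Signature and timing fields are omitted."""
    return {
        "logFiles": [
            {"s3Object": key, "hashValue": sha256_hex(body), "hashAlgorithm": "SHA-256"}
            for key, body in sorted(log_objects.items())
        ],
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
        "previousDigestHashAlgorithm": "SHA-256" if previous_digest else None,
    }


def verify_digest(digest: dict, objects: dict, previous_digest: Optional[bytes]) -> list:
    """Return the list of broken links; empty means every log file the digest
    covers is present and unchanged and the link to the previous digest holds.
    `objects` maps S3 key -> object bytes as fetched from the trail bucket."""
    problems = []
    for entry in digest["logFiles"]:
        body = objects.get(entry["s3Object"])
        if body is None:
            problems.append(f"missing log file {entry['s3Object']}")
        elif sha256_hex(body) != entry["hashValue"]:
            problems.append(f"hash mismatch for {entry['s3Object']}")
    expected_prev = digest.get("previousDigestHashValue")
    if expected_prev is not None:
        if previous_digest is None:
            problems.append("previous digest missing: chain broken")
        elif sha256_hex(previous_digest) != expected_prev:
            problems.append("previous digest hash mismatch")
    return problems


# Constructed sample: two hourly log objects under the standard key prefix
# and the two digests that cover them, digest 2 chained to digest 1.
PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2026/05/01/"
KEY_A = PREFIX + "111122223333_CloudTrail_us-east-1_20260501T0900Z_example1.json"
KEY_B = PREFIX + "111122223333_CloudTrail_us-east-1_20260501T1000Z_example2.json"
LOG_A = json.dumps({"Records": [
    {"eventTime": "2026-05-01T09:15:00Z", "eventName": "CreateAccessKey"}]}).encode()
LOG_B = json.dumps({"Records": [
    {"eventTime": "2026-05-01T10:05:00Z", "eventName": "DeleteTrail"},
    {"eventTime": "2026-05-01T10:07:00Z", "eventName": "ListBuckets"}]}).encode()
OBJECTS = {KEY_A: LOG_A, KEY_B: LOG_B}

DIGEST_1 = make_digest({KEY_A: LOG_A}, None)
DIGEST_1_BYTES = json.dumps(DIGEST_1).encode()
DIGEST_2 = make_digest({KEY_B: LOG_B}, DIGEST_1_BYTES)


def verify_chain() -> list:
    """Verify both digests against the untouched objects."""
    return (verify_digest(DIGEST_1, OBJECTS, None)
            + verify_digest(DIGEST_2, OBJECTS, DIGEST_1_BYTES))


def verify_after_record_removed() -> list:
    """Verify against a copy of log B from which the DeleteTrail record has
    been stripped: the digest still carries the original hash, so the
    edit is visible even though the file is still well-formed JSON."""
    edited = json.loads(LOG_B)
    edited["Records"] = [r for r in edited["Records"] if r["eventName"] != "DeleteTrail"]
    tampered = {**OBJECTS, KEY_B: json.dumps(edited).encode()}
    return verify_digest(DIGEST_2, tampered, DIGEST_1_BYTES)


if __name__ == "__main__":
    print("intact chain:", verify_chain() or "OK")
    print("after record removed:", verify_after_record_removed())
```

The chain check is what makes the Object Lock bullet matter: if the digest files themselves can be deleted, a missing previous digest is the only trace, so the bucket holding both log and digest objects has to be write-once for the retention period.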
Composition with other investigation sources¶
| Source | What it adds |
|---|---|
| CloudTrail | Control-plane API activity (identity changes, resource modifications) |
| VPC Flow Logs | Data-plane network activity (lateral movement, unusual egress) |
| GuardDuty findings | Threat-detection signals (the detected indicators) |
| Security Hub | Aggregated finding view across services |
| Workload logs | Application-altitude indicators |
CloudTrail is the broadest of these — every other source layers on top of CloudTrail's foundation by either correlating against API activity or providing a different altitude (network / threat-detection / application).
Operational considerations¶
Trail configuration¶
For cyber-resilience designs:
- Multi-region trail — captures all regions.
- Multi-account trail at the AWS Organization level.
- Management events: read + write (default is just write; reads matter for exfiltration analysis).
- Log file integrity validation enabled.
- Encryption with KMS customer-managed key.
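A posture check for the five requirements above, as an added example (not AWS tooling and not from the source document). The trail dictionaries are constructed in the shape that boto3's `describe_trails()["trailList"]` and `get_event_selectors()["EventSelectors"]` return, so the check runs offline; in practice those API responses would be passed in.

```python
"""Check a CloudTrail trail against the five trail-configuration
requirements above. Added example; the trail descriptions are constructed
in the shape of boto3 describe_trails / get_event_selectors responses."""


def check_trail(trail: dict, event_selectors: list) -> list:
    """Return a list of unmet requirements; empty means all five are met."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: activity in other regions is not captured")
    if not trail.get("IsOrganizationTrail"):
        findings.append("not an organization trail: member-account activity is not captured")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file integrity validation is disabled")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with a KMS customer-managed key")
    # Classic event selectors carry ReadWriteType. Trails that use advanced
    # event selectors report AdvancedEventSelectors instead and need their
    # own check, which this example does not implement.
    management = [s for s in event_selectors if s.get("IncludeManagementEvents")]
    if not management:
        findings.append("management events are not logged")
    elif any(s.get("ReadWriteType") != "All" for s in management):
        findings.append("management events exclude read calls (ReadWriteType is not All)")
    return findings


# Constructed: a single-account trail created by hand with write-only
# management events and no validation or CMK encryption.
WEAK_TRAIL = {
    "Name": "default-trail", "HomeRegion": "us-east-1",
    "S3BucketName": "example-trail-logs",
    "IsMultiRegionTrail": False, "IsOrganizationTrail": False,
    "LogFileValidationEnabled": False,
}
WEAK_SELECTORS = [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]

# Constructed: the same trail with the five requirements applied. The key
# ARN is a placeholder, not a real key.
HARDENED_TRAIL = {
    "Name": "org-trail", "HomeRegion": "us-east-1",
    "S3BucketName": "example-org-trail-logs",
    "IsMultiRegionTrail": True, "IsOrganizationTrail": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
}
HARDENED_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True}]

if __name__ == "__main__":
    for label, trail, selectors in (("weak", WEAK_TRAIL, WEAK_SELECTORS),
                                    ("hardened", HARDENED_TRAIL, HARDENED_SELECTORS)):
        problems = check_trail(trail, selectors)
        print(f"{label}: {'OK' if not problems else str(len(problems)) + ' finding(s)'}")
        for problem in problems:
            print("  -", problem)
```

This checks configuration only; whether the trail is actually delivering is a separate question answered by `get_trail_status` (its `IsLogging` flag and latest delivery error), which belongs in the same routine when run against a live account.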
Querying¶
For investigation, queries against CloudTrail typically use:
- CloudTrail Lake — managed query interface with SQL.
- Amazon Athena — query CloudTrail S3 logs directly with SQL.
- Splunk / Datadog / SIEM — log aggregation with their own query layer.
The canonicalising source notes that AWS Security Incident Response (SIR) "can provide coordinated triage and response support for this stage" — SIR provides expert assistance for CloudTrail analysis during incidents.
Generalisation beyond AWS¶
Equivalent audit-log services:
- GCP Cloud Audit Logs — Admin Activity, Data Access, System Event, Policy Denied logs.
- Azure Activity Log + Azure AD Sign-in Logs — control-plane + identity activity.
- On-prem — SIEM ingest of OS audit logs / network device logs / application logs.
The structural property: immutable record of every administrative action with caller identity and timestamp as the foundation for post-incident investigation.
Seen in¶
- sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events — canonical wiki reference; first source listed for investigation timeline construction; explicit substrate for MPA approval audit trail; Stage 1 substrate; recovery-point retention sizing has to match CloudTrail retention.
- sources/2026-03-31-aws-streamlining-access-to-dr-capabilities — referenced as an investigation primitive in the broader DR context.
Related¶
- systems/amazon-vpc-flow-logs — sibling investigation source (data-plane network activity).
- systems/aws-security-hub — sibling investigation source (aggregated findings).
- systems/amazon-guardduty — sibling investigation source (threat-detection findings).
- systems/aws-multi-party-approval — uses CloudTrail as audit substrate.
- systems/aws-config — sibling configuration-change tracking service.
- systems/aws-iam — the identity surface CloudTrail records.
- concepts/compromise-boundary-recovery-point-selection — the algorithm CloudTrail evidence drives.
- concepts/cyber-resilience — the parent posture.
- patterns/event-boundary-driven-recovery-point-selection — the pattern CloudTrail enables.