Service	What It Answers	Focus
CloudTrail	Who did what, when, from where?	API activity audit trail
CloudWatch	How is the resource performing?	Metrics, logs, alarms, dashboards
AWS Config	What is the resource's configuration (and has it changed)?	Configuration history & compliance rules

Every CloudTrail event (API call record) contains:

Feature	Event History (Default)	Trail (You Create)
Cost	Free	Free for first management trail; data/insights events charged
Retention	90 days	Unlimited (stored in S3)
Event types	Management events only	Management + Data + Insights (configurable)
Regions	Current region only	Single-region or multi-region
Delivery	Console/API only	S3 bucket + optional CloudWatch Logs + SNS
Log integrity	N/A	Digest files for tamper detection
Organisation	Per account	Organisation trail (all accounts)

Global services (IAM, STS, CloudFront, WAF, Route 53) operate outside any specific region. CloudTrail handles them specially:

The LookupEvents API lets you search CloudTrail events programmatically — no S3, Athena, or Lake setup needed.

Feature	Details
Window	Last 90 days (Event History only)
Event types	Management events only (no Data events)
Cost	Free (no additional charges)
Results	Max 50 per page (paginated)
Filters	eventName, eventSource, resourceName, resourceType, username, time range

Use cases: Security automation scripts, CI/CD validation, quick incident investigation, compliance spot-checks. Limitation: Not suitable for high-volume queries or complex aggregation — use Athena or Lake for those.

Destination	Purpose	Latency
S3 Bucket	Primary storage — long-term archival, Athena queries	~5–15 min after API call
CloudWatch Logs	Real-time metric filters → alarms (detect root login, IAM changes)	~5 min
SNS Topic	Notification when new log file delivered to S3	~5–15 min
CloudTrail Lake	Managed SQL query engine (no S3/Athena setup needed)	Near real-time

CloudTrail Lake is a managed, immutable data lake that lets you run SQL queries on CloudTrail events without setting up S3 + Athena. Events are stored in a purpose-built event data store.

Factor	S3 + Athena	CloudTrail Lake
Setup time	15–30 min (create table, partition)	2 minutes (choose retention)
Partition management	Manual or partition projection	Automatic
Query performance	Depends on partitioning strategy	Optimised for time-range queries
Pricing	S3 ($0.023/GB) + Athena ($5/TB scanned)	Ingestion ($2.50/GB) + queries ($0.005/GB)
Cross-account	Requires Lake Formation setup	Built-in event data store sharing
Non-AWS events	Not supported	Yes — custom integrations (SaaS)
Long-term archival	S3 lifecycle → Glacier ($0.004/GB)	Same rate regardless of age ($0.023/GB)

How it works:

1. CloudTrail computes SHA-256 hash for each log file delivered to S3
2. Every hour, a digest file is created containing all log file hashes + the hash of the previous digest (chain)
3. Each digest is signed with an AWS RSA private key
4. Run aws cloudtrail validate-logs to verify the entire chain — detects modifications, deletions, or insertions

Sending CloudTrail events to CloudWatch Logs enables real-time security alerting via metric filters:

Alert On	Metric Filter Pattern	Why
Root account login	{"$.userIdentity.type" = "Root"}	Root should never be used for daily operations
Console login without MFA	{"$.eventName" = "ConsoleLogin" && $.additionalEventData.MFAUsed != "Yes"}	MFA bypass attempt
IAM policy changes	{"$.eventName" = "Put*Policy" || $.eventName = "Attach*Policy"}	Privilege escalation
Security group changes	{"$.eventName" = "AuthorizeSecurityGroup*" || $.eventName = "RevokeSecurityGroup*"}	Network exposure
Trail stopped	{"$.eventName" = "StopLogging" || $.eventName = "DeleteTrail"}	Evidence destruction
Failed sign-in attempts	{"$.eventName" = "ConsoleLogin" && $.errorMessage = "Failed*"}	Brute force detection

✅ CIS AWS Benchmark

The CIS AWS Foundations Benchmark requires CloudTrail metric filters for: root login, IAM changes, CloudTrail config changes, console auth failures, CMK deletion, S3 bucket policy changes, VPC changes, and more. This is a common compliance framework tested in AWS exams.

Compliance Frameworks Supported Introductory

📋

SOC 2

CloudTrail provides audit evidence for access control and change management requirements

🏥

HIPAA

PHI access logging — who accessed health data resources and when

💳

PCI DSS

Requirement 10: track all access to cardholder data environments

🇪🇺

GDPR

Demonstrate who accessed personal data and when for data subject requests

🏛️

FedRAMP / GovCloud

Federal audit requirements — immutable logging with integrity validation

🔒

ISO 27001

Control A.12.4 — logging and monitoring of information processing activities

🎯 Exam Insight

• "Prove logs haven't been tampered with" → Enable log file integrity validation + validate-logs CLI command
• "Prevent anyone from disabling CloudTrail" → SCP denying cloudtrail:StopLogging and cloudtrail:DeleteTrail
• "Alert when root account is used" → CloudTrail → CloudWatch Logs → metric filter on Root identity → alarm
• "Immutable log storage for compliance" → S3 Object Lock in Compliance mode (even root can't delete within retention)
• "CIS Benchmark foundational control" → Multi-region trail + log integrity + CW metric filters for critical events

Chapter 04 — Key Takeaway

CloudTrail integrity validation uses a chain of SHA-256 digests signed by AWS — like a blockchain for audit logs. Protect trails with: separate security account, S3 Object Lock, MFA Delete, KMS encryption, and SCPs preventing StopLogging. Send events to CloudWatch Logs for real-time alerting on security-critical actions (root login, IAM changes, trail modification). This pattern satisfies CIS, SOC 2, HIPAA, PCI DSS, and other compliance frameworks.

05

Chapter Five · Management

Integration Patterns & Cost Optimisation

CloudTrail integrates deeply with the AWS ecosystem — from EventBridge for real-time reactions to Athena for investigation to Organizations for enterprise governance. Understanding integration patterns and cost levers is essential for production deployments.

EventBridge Integration Core

Every management event delivered to CloudTrail is also emitted to Amazon EventBridge (default event bus) in near real-time. This enables instant automated responses:

CloudTrail + EventBridge — Real-Time Automation

Common EventBridge rules triggered by CloudTrail events:

• Auto-remediation: S3 bucket made public → Lambda removes public access immediately
• Compliance enforcement: Security group opened to 0.0.0.0/0 → Lambda revokes the rule
• Notification: IAM user created → SNS alert to security team
• Workflow: EC2 instance launched without tags → Step Functions workflow adds mandatory tags

⚡ EventBridge vs CloudWatch Logs for Alerting

EventBridge is faster (seconds) and pattern-matches JSON natively — ideal for automated responses. CloudWatch Logs metric filters are better for aggregate counting and threshold-based alarms (e.g., "more than 5 failed logins in 10 minutes"). Use both together for defence in depth.

Querying CloudTrail with Athena Core

For ad-hoc investigation of historical events in S3, use Amazon Athena (serverless SQL engine):

🔍

Setup

• CloudTrail console → "Create Athena table" (auto-generates DDL)
• Partition by region/year/month/day for performance
• Use partition projection to avoid MSCK REPAIR TABLE
• Pay only for data scanned ($5/TB)

📝

Common Queries

• "Who deleted S3 bucket X?" → filter on eventName + requestParameters
• "All API calls from IP Y" → filter on sourceIPAddress
• "Failed access attempts in last 7 days" → filter on errorCode
• "All IAM changes this month" → filter on eventSource = iam

CloudTrail + AWS Organizations In-Depth

Feature	Details
Organisation Trail	Created in management account — applies to all member accounts automatically
Delegated Admin	Designate a security account to manage trails (doesn't need management account access)
SCPs for Protection	Deny StopLogging, DeleteTrail, UpdateTrail for all accounts except security team
CloudTrail Lake (Org)	Aggregate events from all accounts into one event data store
Central S3 Bucket	All accounts deliver to one bucket in security account — bucket policy lists all account IDs

CloudTrail Insights — Anomaly Detection In-Depth

CloudTrail Insights analyses management event patterns and alerts when API call volumes deviate significantly from your baseline:

🧠

How Insights Works

• Establishes a baseline of normal API call rates (7-day learning)
• Detects spikes: e.g., 100× normal TerminateInstances calls
• Generates Insights event with: baseline rate, anomaly rate, period
• Delivered to S3 (separate prefix) and optionally EventBridge

🚨

Detection Examples

• Credential compromise — sudden burst of DescribeInstances across regions
• Misconfigured automation — RunInstances looping due to bug
• Denial of wallet — massive resource creation driving up costs
• Data exfiltration attempt — unusual GetObject volume

CloudTrail Pricing Core

Component	Cost	Notes
Event History (90 days)	Free	Management events only, per-region view
First trail (management events)	Free delivery to S3	First copy free; S3 storage costs apply
Additional trail copies	$2.00 per 100K events	Second+ trails delivering same events
Data events	$0.10 per 100K events	S3 object / Lambda invoke events
Insights events	$0.35 per 100K events analysed	Only charged when anomalies found
CloudTrail Lake ingestion	$2.50 per GB	Higher than S3 but zero-ops
CloudTrail Lake queries	$0.005 per GB scanned	Same as Athena pricing

Cost Optimisation In-Depth

💰

Save on Storage

• S3 Lifecycle rules — move logs to Glacier after 90 days, Deep Archive after 1 year
• S3 Intelligent Tiering — auto-tier based on access patterns
• Avoid duplicate trails — one multi-region trail per account (or org trail)
• Compress — logs are gzipped by default (already optimised)

📉

Save on Events

• Filter data events — log only specific S3 buckets, not all
• Exclude read events — if compliance only requires write events
• Use advanced event selectors — fine-grained resource-level filtering
• Evaluate Insights cost — disable if baseline is stable enough

Advanced Event Selectors — Cost-Saving Patterns In-Depth

Advanced event selectors replace the older "basic" selectors and provide fine-grained control over which events a trail records. They support: Equals, NotEquals, StartsWith, EndsWith.

Selector Field	Operators	Example
eventCategory	Equals	Data or Management
resources.type	Equals	AWS::S3::Object, AWS::Lambda::Function
resources.ARN	StartsWith, Equals	arn:aws:s3:::my-sensitive-bucket/
readOnly	Equals	true (reads) or false (writes)
eventName	Equals, NotEquals	PutObject, DeleteObject
eventSource	Equals, NotEquals	s3.amazonaws.com

💰

Pattern 1 — Sensitive Buckets Only

• eventCategory = Data
• resources.type = AWS::S3::Object
• resources.ARN StartsWith arn:aws:s3:::customer-pii/
• readOnly = false (writes only)
• Result: 95% cost reduction vs logging all S3

📉

Pattern 2 — Exclude Noisy Services

• eventCategory = Management
• eventSource NotEquals:
  • monitoring.amazonaws.com
  • trustedadvisor.amazonaws.com
• Result: Cleaner logs, lower noise

💡 Cost Example

An application makes 10M S3 GetObject calls/month. Logging all S3 data events = $10/month. Using advanced selectors to log only PutObject and DeleteObject on 2 sensitive buckets might reduce events by 95% → $0.50/month. Always scope data events to what compliance requires.

EventBridge Pattern Matching — Examples In-Depth

CloudTrail events appear in EventBridge with source = "aws.cloudtrail". The detail field contains the full event. Here are production-ready patterns:

🚨

Root Login Detection

• source: aws.cloudtrail
• detail.userIdentity.type: Root
• detail.eventName: ConsoleLogin
• Action: SNS → page security team

🗑️

S3 Bucket Deletion

• source: aws.cloudtrail
• detail.eventSource: s3.amazonaws.com
• detail.eventName: DeleteBucket
• Action: Lambda → verify if intentional

🔑

IAM Privilege Escalation

• source: aws.cloudtrail
• detail.eventSource: iam.amazonaws.com
• detail.eventName: CreateRole, AttachRolePolicy, PutRolePolicy
• Action: Step Functions → investigation workflow

🛡️

Trail Modification

• source: aws.cloudtrail
• detail.eventSource: cloudtrail.amazonaws.com
• detail.eventName: StopLogging, DeleteTrail, UpdateTrail
• Action: Lambda → re-enable + alert

EventBridge Field Reference Core

Field Path	What It Contains	Pattern Matching
detail.eventSource	Service called (e.g., s3.amazonaws.com)	Equals
detail.eventName	API action (e.g., DeleteBucket)	Equals, anything-but
detail.userIdentity.type	Root, IAMUser, AssumedRole, AWSService	Equals
detail.userIdentity.arn	Full ARN of caller	Prefix
detail.sourceIPAddress	Originating IP or AWS service name	Equals, prefix
detail.errorCode	AccessDenied, null (success)	Exists, equals
detail.readOnly	true (read) / false (write)	Equals
detail.awsRegion	Region of call (us-east-1 for global)	Equals

⚡ Speed Comparison

EventBridge: receives CloudTrail events in seconds (near real-time). CloudWatch Logs metric filters: ~5 minutes delay. For automated security responses (auto-remediation, instant alerts), always prefer EventBridge rules.

Query Method Decision Matrix Core

Use Case	Best Tool	Why
"Did user X do action Y in last 3 days?"	LookupEvents API	Free, simple, programmatic
"Who deleted S3 bucket Z last month?"	Athena on S3	Cost-effective for historical data
"Count failed logins by user per day"	Athena (aggregation)	GROUP BY, stats, complex queries
"Investigate compromised user across accounts"	CloudTrail Lake	Cross-account, JOINs, zero-ops
"Trace attacker path through services"	Amazon Detective	Visualises relationships from CloudTrail
"Real-time alert when bucket deleted"	EventBridge rule	Sub-second automated response
"Search 10 accounts for specific API"	CloudTrail Lake (Org)	Built-in cross-account queries
"Cheapest 7-year audit compliance"	S3 → Glacier Deep Archive	$0.004/GB — 50× cheaper than Lake

CloudTrail vs GuardDuty vs Detective Core

Service	Purpose	How It Relates to CloudTrail
CloudTrail	Record all API calls (the raw data)	—
GuardDuty	ML-powered threat detection	Analyses CloudTrail events + VPC Flow Logs + DNS to find threats
Detective	Investigation and root cause analysis	Visualises CloudTrail data to trace attacker activity
Security Hub	Centralised security findings	Aggregates findings from GuardDuty, Config, etc.

🎯 Exam Insight

• "Automated response to API event" → CloudTrail → EventBridge rule → Lambda/SNS/Step Functions
• "Query who did what last month" → Athena on CloudTrail S3 logs (or CloudTrail Lake SQL)
• "Detect compromised credentials" → CloudTrail Insights (unusual API volume) or GuardDuty
• "Cost of logging all S3 access" → Data events at $0.10/100K events — use advanced selectors to filter
• "Organisation-wide audit" → Organisation trail + delegated admin + SCP protection
• "Real-time response (seconds)" → EventBridge (not CloudWatch Logs which is minutes)
• "Long-term retention cheaply" → S3 + lifecycle to Glacier (not CloudTrail Lake which is $2.50/GB)
• "Non-AWS events in CloudTrail" → CloudTrail Lake custom integrations (SaaS audit logs)
• "Quick programmatic check (90 days)" → LookupEvents API (free, management events only)
• "Log only PutObject to specific bucket" → Advanced selector: eventCategory=Data, resources.type=S3::Object, ARN StartsWith, eventName=PutObject
• "Global services missing from trail" → Trail is single-region not in us-east-1. Fix: multi-region trail

Chapter 05 — Key Takeaway

CloudTrail integrates with EventBridge for real-time automated responses (faster than CloudWatch Logs). Use Athena for SQL investigation on S3 logs; CloudTrail Lake for zero-ops querying. Organisation trails centralise audit across all accounts — protect with SCPs. Insights detects anomalous API patterns. Control costs with advanced event selectors (scope data events to specific buckets/functions) and S3 lifecycle rules (Glacier after 90 days). GuardDuty and Detective consume CloudTrail data for threat detection and investigation.

CloudTrail — Complete Domain Summary

• Purpose — records WHO did WHAT, WHEN, FROM WHERE for every API call. The audit backbone of AWS governance.
• Event Types — Management (free/default), Data (opt-in, high volume), Insights (ML anomaly detection)
• Global Services — IAM, STS, CloudFront only logged to multi-region trails or us-east-1 single-region trails
• Delivery — S3 (primary, ~15 min), CloudWatch Logs (alerting), SNS (notification), CloudTrail Lake (SQL, zero-ops)
• Security — integrity validation (digest chain + RSA signature), S3 Object Lock, KMS encryption, SCPs, separate security account
• Integration — EventBridge (real-time automation, seconds), Athena (SQL queries), LookupEvents API (free, 90 days), GuardDuty, Detective, Organizations
• Cost Control — advanced event selectors (scope by ARN, readOnly, eventName), S3 lifecycle to Glacier for long-term, Lake for zero-ops under 1 TB