AWScloud~30 mins

CloudTrail for API auditing in AWS - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

CloudTrail for API auditing

📖 Scenario: You are a cloud administrator for a company that wants to track all API calls made in their AWS account. This helps them audit who did what and when, improving security and compliance.

🎯 Goal: Create an AWS CloudTrail trail that records all API activity in the account and stores the logs in an S3 bucket for auditing purposes.

📋 What You'll Learn

Create an S3 bucket named exactly audit-logs-bucket-12345 to store CloudTrail logs.

Create a CloudTrail trail named exactly APIAuditTrail that logs all management events.

Enable logging for the trail and configure it to deliver logs to the S3 bucket.

Ensure the trail applies to all regions.

💡 Why This Matters

🌍 Real World

CloudTrail is used by companies to track and audit all API calls in their AWS accounts, helping detect unauthorized access and meet compliance requirements.

💼 Career

Cloud administrators and security engineers use CloudTrail to monitor AWS activity and investigate security incidents.

Progress0 / 4 steps

Create the S3 bucket for CloudTrail logs

Create an S3 bucket named audit-logs-bucket-12345 to store CloudTrail logs.

AWS

# Create an S3 bucket named audit-logs-bucket-12345
# Your code here

Need a hint?

Use the aws_s3_bucket resource with the exact bucket name and set the ACL to private.

Create the CloudTrail trail resource

Create a CloudTrail trail resource named APIAuditTrail with is_multi_region_trail set to true and include_global_service_events set to true.

AWS

resource "aws_s3_bucket" "audit_logs_bucket" {
  bucket = "audit-logs-bucket-12345"
  acl    = "private"
}

# Create a CloudTrail trail named APIAuditTrail
# Your code here

Need a hint?

Use the aws_cloudtrail resource with the exact name and link the S3 bucket from step 1.

Enable logging for the CloudTrail trail

Add the enable_logging argument to the APIAuditTrail resource to start logging.

AWS

resource "aws_s3_bucket" "audit_logs_bucket" {
  bucket = "audit-logs-bucket-12345"
  acl    = "private"
}

resource "aws_cloudtrail" "APIAuditTrail" {
  name                          = "APIAuditTrail"
  s3_bucket_name                = aws_s3_bucket.audit_logs_bucket.bucket
  is_multi_region_trail         = true
  include_global_service_events = true

  # Enable logging here
  # Your code here
}

Need a hint?

Set enable_logging to true inside the CloudTrail resource.

Add event selector to log management events

Add an event_selector block inside the APIAuditTrail resource to log all management events with read_write_type set to All.

AWS

resource "aws_s3_bucket" "audit_logs_bucket" {
  bucket = "audit-logs-bucket-12345"
  acl    = "private"
}

resource "aws_cloudtrail" "APIAuditTrail" {
  name                          = "APIAuditTrail"
  s3_bucket_name                = aws_s3_bucket.audit_logs_bucket.bucket
  is_multi_region_trail         = true
  include_global_service_events = true

  enable_logging = true

  # Add event_selector block here
  # Your code here
}

Need a hint?

Use the event_selector block with read_write_type = "All" and include_management_events = true.