
CloudTrail for API auditing in AWS - Step-by-Step Execution

Process Flow - CloudTrail for API auditing
1. User/API Call Made
2. CloudTrail Records Event
3. Event Stored in S3 Bucket
4. Optional: Event Sent to CloudWatch Logs
5. User Queries Logs for Auditing
CloudTrail watches API calls, records them, stores logs, and lets users audit actions.
Execution Sample
AWS
aws cloudtrail create-trail --name MyTrail --s3-bucket-name my-trail-bucket
aws cloudtrail start-logging --name MyTrail
aws s3 ls s3://my-trail-bucket/AWSLogs/
Creates a trail, starts logging API calls, and lists stored logs in S3.
Process Table
| Step | Action | CloudTrail Behavior | Result |
|------|--------|---------------------|--------|
| 1 | User makes API call (e.g., CreateBucket) | CloudTrail detects API call | Event recorded with details (user, time, action) |
| 2 | CloudTrail writes event to S3 bucket | Event stored as JSON log file | Log file available in S3 under AWSLogs/ |
| 3 | User queries logs in S3 or CloudWatch | Logs retrieved for auditing | User sees who did what and when |
| 4 | No API calls made | No new events recorded | No new logs generated |
💡 Execution stops when no new API calls occur, so no new events are recorded.
Status Tracker
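| Variable | Start | After Step 1 | After Step 2 | After Step 3 | Final |
|----------|-------|--------------|--------------|--------------|-------|
| API Call | None | CreateBucket | CreateBucket | CreateBucket | CreateBucket |
| CloudTrail Event | None | Recorded | Stored in S3 | Available for query | Available for query |
| S3 Log Files | Empty | Contains event log | Contains event log | Contains event log | Contains event log |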
Key Moments - 2 Insights
Why does CloudTrail store logs in S3 instead of just showing events directly?
CloudTrail stores logs in S3 to keep a durable, searchable history of all API calls. This is shown in step 2 of the Process Table, where events are saved as files for later auditing.
What happens if no API calls are made after enabling CloudTrail?
No new events are recorded, so no new logs appear. This is shown in step 4 of the Process Table, where the process stops due to no activity.
Visual Quiz - 3 Questions
Test your understanding
1. Look at the Process Table. What does CloudTrail do at step 1?
A. Deletes old log files
B. Sends notification to user
C. Detects and records the API call event
D. Starts the S3 bucket
💡 Hint
Refer to row 1 of the Process Table under 'CloudTrail Behavior'.
2. At which step are the API call events stored in S3?
A. Step 1
B. Step 2
C. Step 3
D. Step 4
💡 Hint
Check row 2 of the Process Table under 'Result'.
3. If no API calls happen, what is the state of S3 log files according to the Status Tracker?
A. Empty
B. Contains event log
C. Corrupted
D. Deleted
💡 Hint
Look at the Status Tracker row for 'S3 Log Files' at 'Start'.
Concept Snapshot
CloudTrail watches and records all API calls.
It saves logs as JSON files in an S3 bucket.
Logs can be queried for auditing user actions.
No API calls means no new logs.
Enabling CloudTrail helps track who did what and when.
Full Transcript
CloudTrail is a service that records all API calls made in your AWS account. When a user or service makes an API call, CloudTrail detects it and records details like who made the call, when, and what action was taken. These events are saved as log files in an S3 bucket you specify. You can then review these logs to audit activity and ensure security. If no API calls happen, CloudTrail simply does not create new logs. This process helps keep a clear history of all actions in your cloud environment.
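
The review step described above (reading the stored log files to see who did what and when), as an added example that is not part of the original page. The sample log, account ID, user names and IP addresses are constructed, and the watch list of trail-modifying calls is an assumption chosen for illustration.

```python
import gzip
import json

# Constructed sample: CloudTrail delivers gzip-compressed JSON files whose
# top-level "Records" array holds one object per recorded API call.
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-15T10:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"}},
    {"eventTime": "2024-01-15T10:06:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"}},
]}).encode())

# Assumption: an example watch list of calls that change the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def audit_rows(log_bytes):
    """Return (when, who, what, source_ip, outcome) per record, oldest first."""
    records = json.loads(gzip.decompress(log_bytes)).get("Records", [])
    rows = []
    for rec in records:
        identity = rec.get("userIdentity", {})
        # Some identities carry no ARN; fall back to the identity type.
        who = identity.get("arn") or identity.get("type", "unknown")
        what = f'{rec.get("eventSource", "?")}:{rec.get("eventName", "?")}'
        outcome = rec.get("errorCode", "ok")  # errorCode appears only on failure
        rows.append((rec.get("eventTime", ""), who, what,
                     rec.get("sourceIPAddress", ""), outcome))
    return sorted(rows)  # ISO 8601 UTC timestamps sort chronologically


def flag_trail_tampering(rows):
    """Pick out rows whose API call is on the watch list."""
    return [r for r in rows if r[2].split(":", 1)[1] in TRAIL_TAMPERING]


if __name__ == "__main__":
    for row in audit_rows(SAMPLE_LOG):
        print(" | ".join(row))
```

To run it against a real log, download one `.json.gz` object from the trail bucket and pass its bytes to `audit_rows`.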