AWS CloudTrail

Question 1

What types of logs am I capturing in CloudTrail?

Answer 1

You’re captioning Activity and Management lags, like API calls that are performed by the user from the CLI or the web interface.

Question 2

What are the some benefits of using CloudTrail to capture logs across my organization?

Answer 2

Governance
compliance
Audit for your AWS account.

Question 3

I need to collect AWS resource API event information for S3 and lambs; what options do I have?

Answer 3

You can enable data collection when creating a cloud trail, you can select individual objects or turn option on for every object.

Question 4

Is the use of AWS CloudTrail free?

Answer 4

Generally, AWS CloudTrail is free for data that is there for 90 days;

after the 90 days,

you would have to implement sending the logs to another storage and visualization search function, and for these, you’d have to pay.

Question 5

Where can I store cloud trails logs to?

Answer 5

• You can push logs s3 Bucket
  -CloudTrail Data Lake

Question 6

If I have issues understanding who would delete certain resources, what service could I use to understand this?

Answer 6

CloudTrail is ideal for this as it captures all of the e-management API calls across accounts

Question 7

for compliance reasons, I have to have my management data encrypted at rest. Is this something that AWS CloudTrail does out of the box

Answer 7

CloudTrail data is encrypted out list

Question 8

As part of regulatory, I need to capture all changes in AWS and also ensure the data can not be seen if the log data file was taken by hackers, I also need to ensure the log data files not tampered with, what are my best options?

Answer 8

• Use CloudTrail to capture all changes in AWS
• Use the advanced option of a CloudTrail to encrypt the files with a KMS SSK
• Use the advanced option to also sign the files

Question 9

I have created a CloudTrail and I need to be able to know when files are delivered to the S3 bucket, what options do I have?

Answer 9

You can use the CloudTrail advance option of notification and select an SNS topic.

Question 10

How long will cloud trail retain logs?

Answer 10

You can search back 90 days of hoistory, but if you have a CloudTrail pushing logs to s3, data is retained indefently, you can use life cycle policies to delete the logs files form s3 as needed.

Question 11

In AWS, what is the limit of the number of trails I can create in any single account?

Answer 11

5: In AWS CloudTrail, you can create up to five trails per AWS Region within a single account. This limit applies to both single-region and multi-region trails. Multi-region region trail counts as one trail in each Region it applies to. citeturn0search0

Question 12

When CloudTrail pushes logs to the S3 bucket, are they encrypted by default?

Answer 12

• By default CloudTrail encrypts the log files before placing in a S3 buckket.

Question 13

How do I get charged for CloudTrail?

Answer 13

AWS CloudTrail allows you to view and download the last 90 days of your account activity for create, modify, and delete operations of supported services free of charge. There is no charge from AWS CloudTrail for creating a CloudTrail trail and the first copy of management events within each region is delivered to the S3 bucket specified in your trail free of charge.

Question 14

If I have only one trail with management Events, and apply it to all regions, will I incur charges?

Answer 14

No. The first copy of management events is delivered free of charge in each region.

Question 15

I need to process CloudTrail logs using a Java application I am creating; what are my options?

Answer 15

AWS CloudTrail Processing Library is a Java librar

Question 16

What is CloudTrail log file integrity validation?

Answer 16

CloudTrail log file integrity validation feature allows you to determine whether a CloudTrail log file was unchanged, deleted, or modified since CloudTrail delivered it to the specified Amazon S3 bucket.

Question 17

What is the benefit of CloudTrail log file integrity validation?

Answer 17

ensure the logs delivered to S3 are not tampered after delivery.

Question 18

I shose to use KMS SSE with cloudtrail will I be charged?

Answer 18

Yes you will pay for KMS

Question 19

How often will CloudTrail deliver log files to my Amazon S3 bucket?

Answer 19

CloudTrail delivers log files to your S3 bucket approximately every 5 minutes.

Question 20

How long does it take CloudTrail to deliver an event for an API call?

Answer 20

Typically, CloudTrail delivers an event within 15 minutes of the API call.

Question 21

What will CloudTrail log for you?

Answer 21

All api calls to your accounts. but not calls inside each sevice or resource, you can enable this capture for S3 and Lambds.

Question 22

I need to keep my audit logs from AWS for two years, how cna |I do this?

Answer 22

You need to set up a CloudTrail-trail export and have cloud trail logs send to s3.

Question 23

I need to have my cloud trail logs send to lambda, is this possible and if so how?

Answer 23

You can set up a CloudTrail-trail and have the log stream call a lambda function.

Question 24

If I have CloudTrail apply to all regions and AWS adds a new region, what will happen by default?

Answer 24

CloudWatch will be added to the new region.

Question 25

I wnat to collect all CloudTrail logs into a single bucket, how cna I do this?

Answer 25

ClouTrail has an option to collect all logs into a single bucket.

Question 26

I am setting up an account structure in AWS with AWS Organizations, I wnat to have CloudTrail automatically added to any new account added to my organization, how can I do this?

Answer 26

There is an option in CloudTrail to have CloudTrail added to any new accounts added to an organization.

Question 27

What are management events in CloudTrail?

Answer 27

They are a set of control plain events like someone logged in to your account, you can opt to have these added to your CloudTrail stream.

Question 28

My org has the policy to encrypt all data at rest, how can I deal with this in CloudTrail or do I need to implement a third-party tool or service?

Answer 28

In CloudTrail you have the option when creating a trail to select to encrypt the sat in the s3 bucket. You cna select to encrypt using SSE-KMS

Question 29

I am implementing a government sAWS solution and one of the requirements is to ensure that the logs have not been tampered with form CloudTrail, what is my best method to architect for this?

Answer 29

CloudTrail has an option when creating a TRAIL to have log validation, this is where AWS also delivers a hash.

Question 30

I am setting up a CloudTrail trail and I wnat to be notified with log is delivered into S3, is this possible?

Answer 30

Yes, when creating a trail, it is an option to have an SNS invoked.

Question 31

Is CloudTrail free?

Answer 31

Yes for the first TRAIL.

Question 32

I wnat t could the number of CloudTrail logs arriving, how can I architect this?

Answer 32

You can have CloudTrail logs delivered to CloudWatch, this is an option when setting up a CloudTrail-trail.

Question 33

What is the function of AWS CloudTrail?

Answer 33

AWS Cloudtrail records all of the AWS API calls to a region or all regions or when using orgnization you can have it record all regions in all accounts belong to the orgnization?

Question 34

At 1 PM today we saw an s3 bucket get deleted, we want to know who delete the s3 bucket, how can we find this out?

Answer 34

Using AWS Cloudtrail we can search for this event/API call as Cloudtrail records all events/API calls.

Question 35

What are the two endpoints thet Cloudtrail can deliver events to?

Answer 35

- S3 | - Lambda

Question 36

Describe the Cloudtrail event you need to look for when a user logs in to AWS account?

Answer 36

The 'eventName = ConsoleLogin' event and in this event is the username= 'Roger'

Question 37

I need to capture management logs for all AWS accounts across all regions and in all my AWS accounts. What is the best way to do this?

Answer 37

Recommended Approach: Use AWS CloudTrail Organization Trail 1. Set up AWS Organizations (if not already) Ensure all your AWS accounts are part of an AWS Organization. Use AWS Organizations to centrally manage accounts and apply policies. 2. Create a CloudTrail Organization Trail Sign in to the management account (root of the organization). Go to the CloudTrail console and create a new trail. Choose the option to apply to all accounts in the organization. Enable: Management events (control plane operations like CreateUser, DeleteBucket, etc.) All regions (this ensures you capture logs from every AWS region automatically) Log file validation for integrity Choose an S3 bucket in a secure central logging account to store logs. Optionally, configure: CloudWatch Logs for real-time alerting/monitoring SNS for notifications 3. Verify and Enforce Logging Across Accounts CloudTrail will automatically create organization trails in each member account. All events are stored in the centralized S3 bucket. Use Service Control Policies (SCPs) to prevent member accounts from disabling or modifying the trail. 4. Monitor and Audit Use Amazon Athena to query logs stored in S3. Use AWS Config or Security Hub for compliance checks. Set up CloudWatch Alarms to monitor unusual activity. 🔐 Security Best Practices Enable encryption (SSE-KMS) on the S3 bucket. Use bucket policies to restrict access only to CloudTrail and security personnel. Enable MFA delete to prevent tampering. ✅ Summary of Benefits: Feature Benefit Organization Trail Centralized logging across all accounts All Regions Automatically includes new AWS regions Central S3 Bucket Single location for all logs SCPs Prevent accidental tampering Real-time Monitoring Enables alerts with CloudWatch or Security Hub

Question 38

list the destinations where you can send clever trail logs?

Answer 38

-Amazon S3 -Amazon CloudWatch Logs -Amazon EventBridge (formerly CloudWatch Events) - AWS Lake Formation / Amazon Athena (via S3 - Amazon OpenSearch Service (via Lambda/Firehose) -AWS Glue -Third-party SIEMs and Monitoring Tools -Splunk - Datadog -Sumo Logic -SentinelOne -QRadar

Question 39

Does AWS CloudTrail capture data events?

Answer 39

No, they are high-volume and not captured.

Question 40

I want to detect anomalies within my AWS accounts. How can I capture these types of anomalies?

Answer 40

You can use AWS CloudTrail Insights to set your baseline; from that baseline, it will detect alerts on anomalies. These anomalies could be inaccurate resource provisioning, hitting service limits, bursts in AWS IAM actions, or gaps in periodic maintenance activities.

Question 41

When using AWS CloudTrail Insights, where are the events sent?

Answer 41

They are sent to the CloudTrail console, S3 bucket, or EventBridge.

Question 42

When using AWS CloudTrail, I want to keep the data after 90 days and have it so that I can query it. How can I do this? Can I do it in CloudTrail itself?

Answer 42

No, you must do it by migrating the data to something like S3 and using the 18 at the query or something like that, as the data is only kept in CloudTrail for 90 days.

Question 43

If I set up an AWS organizational trail, what am I doing?

Answer 43

You are setting up an organizational-wide capture of all of the events from all of the accounts belonging to that organization. these events will be delivered to the management account, organizational cloud trail.