Articles

Analyze AWS CloudTrail Logs for Security Events (2026)

April 16, 2026 3 min read

AWS CloudTrail logs are the audit trail of your AWS account. They record API calls made to your AWS services, providing a history of who did what, when, and from where.

Let’s see CloudTrail logs in action with a simulated event. Imagine a user, jane.doe@example.com, accidentally deletes an S3 bucket named my-sensitive-data-bucket.

Here’s a snippet of what that event would look like in CloudTrail logs, often viewed via Amazon Athena or by downloading the log files:

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJ35Y4Z4Z7A3Z7A3Z",
    "arn": "arn:aws:iam::123456789012:user/jane.doe",
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "jane.doe"
  },
  "eventTime": "2023-10-27T10:30:00Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucket",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.25",
  "userAgent": "console.aws.amazon.com",
  "requestParameters": {
    "bucketName": "my-sensitive-data-bucket"
  },
  "responseElements": null,
  "requestID": "EXAMPLE1234567890ABC",
  "readOnly": false,
  "executionId": "EXAMPLE-EXECUTION-ID",
  "retentionType": "நாள்",
  "resources": [
    {
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::my-sensitive-data-bucket"
    }
  ],
  "eventType": "AwsApiCall",
  "apiVersion": "2006-03-01",
  "managementEvent": true,
  "recipientAccountId": "123456789012"
}

This log entry tells us:

  • Who: jane.doe (an IAM User)
  • What: Called DeleteBucket
  • When: 2023-10-27T10:30:00Z
  • Where (from): 203.0.113.25 (an IP address)
  • On what: The S3 bucket my-sensitive-data-bucket in us-east-1.
  • Was it read-only? false (meaning it changed something).

CloudTrail addresses the fundamental problem of accountability and visibility in a dynamic cloud environment. Without it, you’d have no way to reconstruct who made what changes, which is critical for security investigations, compliance audits, and operational troubleshooting. It’s not just about what happened, but who initiated it and how it was done.

The core of CloudTrail’s utility lies in its ability to capture management events (API calls that modify resources) and data events (object-level API activity for S3 buckets and Lambda functions). You configure trails to log these events. A trail can be applied to all regions or a single region. For comprehensive security analysis, you’ll want to enable "All regions" for your trails.

Internally, CloudTrail works by having AWS services publish event data to CloudTrail. These events are then batched and delivered to an Amazon S3 bucket that you specify. You can also integrate CloudTrail with CloudWatch Logs for real-time monitoring and alerting.

The exact levers you control are:

  • Trails: The primary configuration for CloudTrail. You can create multiple trails for different purposes (e.g., one for security events, one for operational logs).
  • Event Types: Management events (default and recommended for security) and Data events (S3 object-level operations, Lambda function execution). Data events can generate a very large volume of logs, so they should be enabled judiciously.
  • Log File Delivery: The S3 bucket where logs are stored. You can encrypt these logs using SSE-S3 or SSE-KMS.
  • Regions: Whether the trail applies to a single region or all regions.
  • CloudWatch Logs Integration: Sending events to CloudWatch Logs for real-time analysis and alarms.
  • Event Selectors: Fine-grained control over which events (read-only, write-only, all) and which resources are logged.

When analyzing CloudTrail logs for security, you’re looking for suspicious API calls. This could include unauthorized access attempts, creation or deletion of critical resources, changes to IAM policies, or unusual network configuration changes. Tools like Amazon Athena, Splunk, or Elasticsearch can query these logs efficiently.

A common mistake is to only enable CloudTrail in a single region. However, AWS resources are global, and malicious actors can operate from any region. If a trail is configured for a single region, you will miss security events occurring in other regions, creating blind spots in your security posture. Always configure your primary security trail to "All regions."

The next step after analyzing these logs is often setting up automated responses to detected security events.

Want structured learning?

Take the full Aws course →