AWS CloudTrail

Amazon Web Services

AWS audit log of every API call — the primary forensic source on AWS.

Tags: Identity, Cloud & Access · Commercial · Platform / Suite · Learning · SaaS


Description

AWS CloudTrail is the audit log of the AWS control plane. Every API call — console click, SDK call, AWS CLI command, or service-to-service action — produces an event with the identity, source IP, request parameters, and response.

CySA+ candidates should know:

  • Management events (default; control-plane).
  • Data events (S3 object-level, Lambda invocations — charged separately).
  • Insight events (anomalous activity detection).
  • Storage targets: S3 for long-term, CloudWatch Logs for querying, and EventBridge for real-time response.
  • Organisation trails for multi-account environments.

Use cases

  • Incident timeline after an AWS account compromise
  • Detecting unauthorised IAM role creation or iam:PassRole abuse
  • Audit evidence for compliance (PCI, SOC 2)

Example

-- Query CloudTrail via Athena: console logins from outside known IPs.
-- Assumes a table created from the AWS-documented CloudTrail Athena schema,
-- where userIdentity is a struct column (hence userIdentity.arn).
SELECT eventTime, userIdentity.arn, sourceIPAddress, awsRegion
FROM cloudtrail_logs
WHERE eventName = 'ConsoleLogin'
  AND sourceIPAddress NOT IN ('203.0.113.10', '203.0.113.11')
ORDER BY eventTime DESC
LIMIT 100;
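As an added example (not part of this page and not AWS tooling), the same kind of triage done offline in Python over a CloudTrail log file in the {"Records": [...]} shape that trails deliver to S3. It builds the incident timeline the use cases list mentions and runs three detections: console logins from outside the allow-list (mirroring the Athena query), a freshly created role that is immediately given AdministratorAccess, and a role ARN being passed to a non-IAM service (the point at which iam:PassRole is exercised). The account ID, user names, IPs, timestamps and the allow-list are constructed; the role-ARN heuristic and the pairing of CreateRole with AttachRolePolicy are this example's own logic, not an AWS-defined rule.

```python
import json
from datetime import datetime, timezone

# Constructed sample log in CloudTrail's {"Records": [...]} delivery layout.
# Account id, principals, IPs and times are made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:05:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "backup-admin"}},
    {"eventTime": "2024-05-01T10:06:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "backup-admin",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # Deliberately out of order: S3 delivery does not guarantee chronology.
    {"eventTime": "2024-05-01T09:58:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"functionName": "nightly-etl",
                           "role": "arn:aws:iam::111122223333:role/etl-runner"}},
]})

# Constructed allow-list; same addresses as the Athena example above.
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}


def load_records(text):
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(text)["Records"]


def parse_time(stamp):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(records):
    """Chronological (time, source, action, actor ARN, source IP) rows."""
    rows = []
    for r in sorted(records, key=lambda r: parse_time(r["eventTime"])):
        rows.append((r["eventTime"], r["eventSource"], r["eventName"],
                     r.get("userIdentity", {}).get("arn", "?"),
                     r.get("sourceIPAddress", "?")))
    return rows


def role_arns_in(value):
    """Recursively collect IAM role ARNs anywhere inside requestParameters.
    Heuristic of this example: any string 'arn:aws:iam::...:role/...' counts."""
    found = []
    if isinstance(value, str):
        if value.startswith("arn:aws:iam::") and ":role/" in value:
            found.append(value)
    elif isinstance(value, dict):
        for v in value.values():
            found.extend(role_arns_in(v))
    elif isinstance(value, list):
        for v in value:
            found.extend(role_arns_in(v))
    return found


def detect(records, known_ips):
    """Return (rule, eventTime, actor, detail) findings in time order."""
    findings = []
    created = {}  # roleName -> the CreateRole record, for pairing with policy attaches
    for r in sorted(records, key=lambda r: parse_time(r["eventTime"])):
        name, src = r["eventName"], r["eventSource"]
        actor = r.get("userIdentity", {}).get("arn", "?")
        params = r.get("requestParameters") or {}
        if name == "ConsoleLogin" and r.get("sourceIPAddress") not in known_ips:
            findings.append(("console_login_unknown_ip", r["eventTime"], actor,
                             r.get("sourceIPAddress", "?")))
        if name == "CreateRole":
            created[params.get("roleName")] = r
        if (name == "AttachRolePolicy" and params.get("roleName") in created
                and params.get("policyArn", "").endswith("/AdministratorAccess")):
            findings.append(("new_role_given_admin", r["eventTime"], actor,
                             params["roleName"]))
        if src != "iam.amazonaws.com":  # a role ARN handed to another service = PassRole in use
            for arn in role_arns_in(params):
                findings.append(("role_passed_to_service", r["eventTime"], actor,
                                 f"{arn} -> {src}"))
    return findings


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for row in build_timeline(recs):
        print(*row, sep="  ")
    for f in detect(recs, KNOWN_IPS):
        print("FINDING", *f, sep="  ")
```

In production the records would come from every object under the trail's S3 prefix (or from CloudWatch Logs Insights), and the allow-list and the "new role made admin" pairing would be tuned to the account; the structure of the checks, sort by eventTime first and then correlate across events by roleName, is the part worth keeping.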