AWS CloudTrail records API calls and account activities and publishes the log files to Amazon S3. Account activity is tracked as an event in the CloudTrail log file. Each event carries information such as who performed the action, when the action was done, which resources were impacted, and many more details. Multiple events are stitched together and structured in a JSON format within the CloudTrail log files.

CloudTrail logs can reveal deep insights into critical points of operation within your AWS environment. Below is a sampling of popular use cases that come natively with this Block:

  • General Operations - a holistic view of event activity over time, across users, resources, and regions. Use this dashboard to elicit high-level trends, then drill down into individual resources to identify opportunities for improvement and cost savings.

  • Error Overview - identifying errors is a crucial component of maintaining an operational AWS environment. This dashboard offers an overview of the most common errors for users and AWS resources, as well as additional detail to help users rectify issues.

  • Console Login Overview - provides a high-level overview of console login activity, including location, top users, and IP address analysis. This dashboard can be used for several popular use cases, including identifying suspicious IP logins, finding over-burdensome users, and troubleshooting login issues.

  • EC2 Security Group Modifications - when reviewing an operational issue or security incident for an EC2 instance, the ability to see any associated security group change is a vital part of the analysis.

  • Operational Account Activity - a key component of running workloads in AWS is understanding recurring errors, how administrators and employees are interacting with your workloads, and who or what is using root privileges in your account.
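The signals behind the error, console login, security group and root-activity dashboards can be pulled straight from a log file's `Records` array. The sketch below is an added example, not part of the Block: the events, users, IP addresses and group ID are constructed, and `summarize` and `_ev` are hypothetical helper names.

```python
import json
from collections import Counter

def _ev(time, source, name, identity, ip, **extra):
    """Build one constructed event using real CloudTrail field names."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "sourceIPAddress": ip, **extra}

ALICE = {"type": "IAMUser", "userName": "alice"}
BOB = {"type": "IAMUser", "userName": "bob"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
SIGNIN, EC2 = "signin.amazonaws.com", "ec2.amazonaws.com"

# Constructed sample log file: CloudTrail wraps its events in a "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    _ev("2024-01-01T10:00:00Z", SIGNIN, "ConsoleLogin", ALICE, "203.0.113.10",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("2024-01-01T10:01:00Z", SIGNIN, "ConsoleLogin", ALICE, "203.0.113.10",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("2024-01-01T10:05:00Z", SIGNIN, "ConsoleLogin", ROOT, "198.51.100.7",
        responseElements={"ConsoleLogin": "Success"}),
    _ev("2024-01-01T10:10:00Z", EC2, "AuthorizeSecurityGroupIngress", BOB,
        "198.51.100.8", requestParameters={"groupId": "sg-0123456789abcdef0"}),
    _ev("2024-01-01T10:12:00Z", EC2, "RunInstances", BOB, "198.51.100.8",
        errorCode="Client.UnauthorizedOperation"),
]})

SG_EVENTS = {"CreateSecurityGroup", "DeleteSecurityGroup",
             "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}

def summarize(log_text):
    """Group events into errors, failed logins, root activity and SG changes."""
    out = {"errors": Counter(), "failed_logins": Counter(),
           "root_events": [], "sg_changes": []}
    for ev in json.loads(log_text).get("Records", []):
        ident = ev.get("userIdentity") or {}
        # Root events carry no userName, so fall back to the ARN, then the type.
        who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        name, when = ev.get("eventName", ""), ev.get("eventTime")
        if ev.get("errorCode"):
            out["errors"][(who, ev["errorCode"])] += 1
        login = (ev.get("responseElements") or {}).get("ConsoleLogin")
        if name == "ConsoleLogin" and login == "Failure":
            out["failed_logins"][ev.get("sourceIPAddress", "unknown")] += 1
        if ident.get("type") == "Root":
            out["root_events"].append((when, name))
        if ev.get("eventSource") == EC2 and name in SG_EVENTS:
            group = (ev.get("requestParameters") or {}).get("groupId")
            out["sg_changes"].append((when, who, name, group))
    return out
```
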

Set up Amazon Athena to access and query your CloudTrail data from S3 in seconds, or use Amazon Redshift’s Spectrum feature to easily query files stored in S3 from your Amazon Redshift database.