Module 15 · CloudTrail Forensics — Reading the Audit Log

Manish Garg · Associate of (ISC)² · RingSafe
Apr 27, 2026
4 min read

Last updated: April 29, 2026

Why this module exists. If you can’t read CloudTrail, you can’t do cloud incident response. CloudTrail is to AWS what Windows Event Logs are to AD: every action by every principal is recorded. Most defenders skim the volume; experienced cloud-IR practitioners write surgical Athena queries that crack open incidents in 20 minutes.

What CloudTrail records

Every API call to AWS — console, CLI, SDK, automated. Three types of events:

  • Management events — IAM changes, EC2 RunInstances, S3 bucket policy changes. Default: enabled, 90 days.
  • Data events — S3 object reads/writes, Lambda invocations. Not enabled by default — you must opt in. Charged per million events.
  • Insights events — anomaly detection on management events. Useful but not exhaustive.

For incident response, you need both management and data events. The “we forgot to enable data events” finding is in nearly every cloud-IR retrospective.
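To make the event-type distinction above concrete, and to show the kind of surgical query the module is talking about, here is an added example (not code from the module or from RingSafe) that parses one CloudTrail log file, checks whether Data events are present at all, and builds a time-ordered write timeline for one principal. The sample records, account id, ARNs and IPs are constructed placeholders.

```python
import json
from collections import Counter

def _rec(t, src, name, cat, read_only, ip, arn):
    # Constructed record with the CloudTrail fields this example relies on.
    return {"eventTime": t, "eventSource": src, "eventName": name, "eventCategory": cat,
            "managementEvent": cat == "Management", "readOnly": read_only,
            "sourceIPAddress": ip, "userIdentity": {"arn": arn}}

# Constructed sample log file: CloudTrail delivers a JSON object holding a "Records" list.
ALICE = "arn:aws:iam::111122223333:user/alice"            # placeholder principal
CI = "arn:aws:sts::111122223333:assumed-role/Deploy/ci"   # placeholder principal
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2026-04-27T10:00:01Z", "iam.amazonaws.com", "CreateAccessKey", "Management", False, "203.0.113.5", ALICE),
    _rec("2026-04-27T10:02:30Z", "s3.amazonaws.com", "PutBucketPolicy", "Management", False, "203.0.113.5", ALICE),
    _rec("2026-04-27T10:03:12Z", "s3.amazonaws.com", "GetObject", "Data", True, "203.0.113.5", ALICE),
    _rec("2026-04-27T09:58:00Z", "ec2.amazonaws.com", "DescribeInstances", "Management", True, "198.51.100.7", CI),
]})

def load_records(text):
    """Parse one CloudTrail log file (the JSON object with a "Records" list)."""
    return json.loads(text)["Records"]

def category(rec):
    """Management / Data / Insight: prefer eventCategory, fall back to the managementEvent flag."""
    cat = rec.get("eventCategory")
    if cat:
        return cat
    return "Management" if rec.get("managementEvent") else "Data"

def coverage(records):
    """Count events per category and flag the classic gap: no Data events logged at all."""
    counts = Counter(category(r) for r in records)
    return {"counts": dict(counts), "data_events_present": counts["Data"] > 0}

def principal_timeline(records, arn, writes_only=False):
    """Time-ordered (eventTime, eventSource, eventName) for one principal ARN.
    writes_only drops readOnly calls so the mutating actions stand out."""
    rows = [(r["eventTime"], r["eventSource"], r["eventName"]) for r in records
            if r.get("userIdentity", {}).get("arn") == arn
            and not (writes_only and r.get("readOnly"))]
    return sorted(rows)  # ISO-8601 timestamps sort correctly as strings

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(coverage(recs))
    for row in principal_timeline(recs, ALICE, writes_only=True):
        print(*row)
```

If the coverage check on a real trail reports no Data events while S3 or Lambda is in scope, the object-level activity was never recorded and the retrospective finding from the paragraph above applies.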
