AWS CloudTrail Log Monitoring & Threat Detection
Monitoring AWS Identity and Access Management (IAM) activity is critical for detecting unauthorized access and IAM abuse. This guide focuses on securing AWS by analyzing CloudTrail JSON event logs to identify privilege escalation attempts, unauthorized data exfiltration from S3, and automated API abuse.
Understanding the CloudTrail JSON Structure
Unlike traditional web server logs, AWS CloudTrail delivers highly structured JSON records representing individual API calls across your infrastructure.
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "userName": "developer-temp"
  },
  "eventTime": "2026-03-30T10:00:00Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject",
  "sourceIPAddress": "203.0.113.50",
  "errorCode": "AccessDenied"
}
CloudTrail vs VPC Flow Logs
CloudTrail answers "Who made this API call, when, and from where?" (e.g., Who deleted that database?). VPC Flow Logs capture raw IP network traffic traversing your network interfaces, which is crucial for identifying port scanning or network-layer DDoS, but lacks IAM context.
CloudTrail vs CloudWatch Logs
CloudTrail specifically records AWS API activity and account management events (e.g., creating an EC2 instance). CloudWatch Logs captures the actual application and operating system logs generated *inside* those resources (e.g., the Nginx access logs from inside that EC2 instance). You need both for comprehensive security.
Common Attack Signatures in AWS
Cloud attackers often execute automated scripts to discover what permissions they have. Look for rapid bursts of AccessDenied errors from a single identity, which indicate an attacker probing your IAM boundaries, or unusual spikes in read activity from one identity and source IP, which point to data exfiltration.
AWS Access Denied
Identify IAM abuse and credential harvesting by analyzing Client.UnauthorizedOperation errors.
Data Exfiltration
Detect compromised credentials dumping sensitive S3 buckets or RDS snapshots to external IPs.
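Both signatures above (a burst of denied calls from one identity, and an unusual volume of successful S3 reads from one identity and source IP) can be checked directly against the record fields shown earlier. The following Python is an added example, not code from this page or from Helix Vanguard; the events, user names, IP addresses and sliding-window thresholds are constructed, and the thresholds are assumptions a team would tune to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Authorization failures as CloudTrail records them: AccessDenied (S3, IAM, most services), Client.UnauthorizedOperation (EC2)
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}
def _identity(event):  # IAM userName when present, else the ARN or identity type
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
def _peak_in_window(events, window):
    """Largest number of events whose eventTime values fall inside any span of `window`."""
    times = sorted(datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ") for e in events)
    start = peak = 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the window's left edge forward
            start += 1
        peak = max(peak, end - start + 1)
    return peak
def detect_permission_probing(events, threshold=5, window=timedelta(minutes=5)):
    """Identities whose denied API calls reach `threshold` inside `window` (IAM probing)."""
    denied = defaultdict(list)
    for ev in events:
        if ev.get("errorCode") in DENIED_CODES:
            denied[_identity(ev)].append(ev)
    peaks = {who: _peak_in_window(evs, window) for who, evs in denied.items()}
    return {who: n for who, n in peaks.items() if n >= threshold}
def detect_s3_read_spike(events, threshold=3, window=timedelta(minutes=10)):
    """(identity, sourceIP) pairs with `threshold`+ successful GetObject calls inside `window`;
    a denied GetObject moved no data, so records carrying errorCode are skipped."""
    reads = defaultdict(list)
    for ev in events:
        if (ev.get("eventSource") == "s3.amazonaws.com" and ev.get("eventName") == "GetObject"
                and "errorCode" not in ev):
            reads[(_identity(ev), ev.get("sourceIPAddress"))].append(ev)
    peaks = {key: _peak_in_window(evs, window) for key, evs in reads.items()}
    return {key: n for key, n in peaks.items() if n >= threshold}
def _ev(minute, user, source, action, ip, error=None):
    """Constructed CloudTrail-shaped record (sample data, not from a real account)."""
    rec = {"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "userName": user},
           "eventTime": f"2026-03-30T10:{minute:02d}:00Z", "eventSource": source,
           "eventName": action, "sourceIPAddress": ip}
    return {**rec, "errorCode": error} if error else rec
SAMPLE_EVENTS = (  # constructed scenario: one prober, one bulk reader, one benign user
    [_ev(m, "developer-temp", "iam.amazonaws.com", a, "203.0.113.50", "AccessDenied")
     for m, a in enumerate(["ListRoles", "ListUsers", "GetAccountSummary", "ListPolicies"])]
    + [_ev(4, "developer-temp", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.50",
           "Client.UnauthorizedOperation")]
    + [_ev(20 + m, "ci-bot", "s3.amazonaws.com", "GetObject", "198.51.100.7") for m in range(4)]
    + [_ev(30, "alice", "s3.amazonaws.com", "GetObject", "192.0.2.10"),
       _ev(31, "alice", "iam.amazonaws.com", "GetUser", "192.0.2.10", "AccessDenied")]
)
```

Running `detect_permission_probing(SAMPLE_EVENTS)` flags only developer-temp (five denials across IAM and EC2 in four minutes), and `detect_s3_read_spike(SAMPLE_EVENTS)` flags only the ci-bot/198.51.100.7 pair; alice's single denial and single read stay below both thresholds.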
Stop manually parsing JSON.
Paste your raw CloudTrail JSON event into the Helix Vanguard neural engine. We automatically extract the IAM entity, evaluate the action, and classify the security risk in milliseconds.