{"id":37,"date":"2021-10-24T12:48:37","date_gmt":"2021-10-24T12:48:37","guid":{"rendered":"http:\/\/18.141.20.153\/?p=37"},"modified":"2025-08-22T08:14:45","modified_gmt":"2025-08-22T08:14:45","slug":"how-to-track-aws-account-activities-using-aws-cloudtrail","status":"publish","type":"post","link":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/","title":{"rendered":"How to track AWS account activities using AWS CloudTrail?"},"content":{"rendered":"<span class=\"rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\">10<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>\n<p><img src=\"https:\/\/lh3.googleusercontent.com\/r4OPpGOYuGafoY5op30c7wgkpmuHirUSIIvT9Y3sgHUdhfgkAzS-hPGU6pxBEfndwmxXCT9ynceRYh0jHdc60OsKfYSgv8xz-jrY285JZZPRsydR0a5DbWPpY1zjKwlDPAzV2F-LuoM87d-awebuTQ\" style=\"width: 1600px;\"><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p class=\"has-text-align-justify\">There are chances where the employees\/users either intentionally or unintentionally make changes or delete the AWS resources. These scenarios cannot be traced or brought to our notice unless we have a proper monitoring and alerting mechanism to take action immediately to avoid any business interruptions. Proactive monitoring is one of the key items in maintaining a Secure infrastructure. 
To catch such activities, we can use AWS services such as CloudTrail, CloudWatch, and an <a href=\"https:\/\/www.workfall.com\/learning\/blog\/how-to-trigger-lambda-function-using-amazon-cloudwatch-events-and-configure-cloudwatch-alarm-to-get-email-notifications-using-amazon-sns-part-1\/\">SNS<\/a> topic with subscribers to actively monitor the activities happening in the AWS account, log them and notify the subscribers when such an anomaly occurs.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/hdzjR2aZxJqOhFLGLu3NtR-Qculf4SIYOYmsbw2NqW6QeuLdEXCwGQ2rTkQSqjFsiusK0JAJSxBkdLfF4LV_OQMtniZbsAcSKst06sc90QA6DxLXtAAUej4QNhj_-3b6XPnxOPNo=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<p class=\"has-text-align-justify\">In this blog, we will demonstrate how to track AWS account activities using AWS CloudTrail with step-by-step instructions.<\/p>\n\n\n\n<h2>Hands-on<\/h2>\n\n\n\n<p class=\"has-text-align-justify\">As part of this implementation, we will do the following:<\/p>\n\n\n\n<ul><li>Create CloudTrail using AWS Console<\/li><li>Create CloudWatch Log group<\/li><li>Set Up an IAM Role<\/li><li>Configure CloudTrail Logging to CloudWatch Log group<\/li><li>Disable CloudTrail event logging to CloudWatch Log group<\/li><li>Create SNS Topic<\/li><li>Add Subscribers to SNS Topic<\/li><li>Publish Messages to Subscribers<\/li><li>Find CloudTrail event Patterns<\/li><li>Create CloudWatch Metric Filters<\/li><li>Create CloudWatch alarm<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/sn1o-Ce9Zi4aGRk0ssiMF5dgj9fxExZaX8z_EQkXzapuZjUDjJ_NEmt2eO8Zd7YpsQ6endL_pThid4R1haul1XudGfQ2jvYjL2jTX_PH0NJ4qgtCW6hfGPAb4LorZIPihLlpixXP=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<p><strong>List of AWS Services used in this 
implementation<\/strong><\/p>\n\n\n\n<ul><li>CloudTrail<\/li><li>CloudWatch<\/li><li>SNS<\/li><li>S3<\/li><li>IAM&nbsp;<\/li><\/ul>\n\n\n\n<h2><strong>Create CloudTrail using AWS Console<\/strong><\/h2>\n\n\n\n<p>Let&#8217;s go ahead and create a trail for the AWS account.<\/p>\n\n\n\n<p>Login to CloudTrail console, you can see the events recorded by CloudTrail by default.<\/p>\n\n\n\n<p>Here are some of the events such as ConsoleLogin, CreateRole, Change Password etc recorded by CloudTrail.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/cMoMHG1-xpIa2DggDhJriSijneIUgss3UTLZzI0Xm4qoOJYm709krXy7340oEVWqR5dxy5bVgyjffKDM069fHteVle5SyEuWOeR_bXxUT83LGFXc-PvdFOtsVxUqDx4ZH29FnyE9=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<p>Check the event and then choose view event record for more details about the event.<\/p>\n\n\n\n<p>In the left navigation pane, choose trails and you can see that the account doesn&#8217;t have any trails created yet.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/aCFXytrDUH58EAtT8VmmPgS2AAJoyAEGyTFdfRJyHFmrwaGAy3mbHCqFItKBoB59Jo7Mr_Ja6mESeSNtCpZgOW8d9-vXUX9mlAnXB4Eo5hmLTwTfd3r3K115orM_iZ6fWYuBOFZN=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>To create a trail, click create trail, provide a name for the trail.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/dd67gDVOJ33PohH-Zz4en05bLx8tfK6pM2T9khAMDq2zBqiBcGM8aiUsQ_iRlx0CRu1jhPCEqqs_q-I2hOH91EJgGfLUhtaGRvptlSyGx5Q_KRpQkwJmg695EMHCeFH9pfAIh13M=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<p>For storage location, we are going to send all the CloudTrail events to S3 bucket.<\/p>\n\n\n\n<p>We can either create a new S3 bucket for this log delivery to S3 bucket or we can use the existing bucket.<\/p>\n\n\n\n<p>Choose to create a new S3 bucket, CloudTrail will automatically set up 
a unique name for the S3 bucket.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/fcuccxy7fLlf5kkGQ2QIAA3o-H0YcLD7atlGeQSVfjWQrf-jpP3Ra3kMgIrA2PWu9lJPN0vWg6VDfs6d__zcaNz_lEhJpg_VZglRaJ06my-UFdKptOqxm2D9T2AKt1JbPNu243Cq=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<p>Encrypt log files with SSE-KMS \u2013 you can encrypt files using SSE-KMS instead of SSE-S3.<\/p>\n\n\n\n<p>For which we need to either create a new KMS key or use the existing Customer Managed AWS KMS key.<\/p>\n\n\n\n<p>Optionally, send out a notification for every log file delivery to S3 bucket.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/02WUO8MWyjDmj6y72V356PaFYaRq3sU_U5KfHMrbchKHFw8YvoPZuN38TzE9SGbnCMJscQMaR292iPCUmiam8IphPym6MYEMeizhS3IYv5GvjSHLFPhNk9rluUHPgMoUTpMylYxS=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>Add a tag for the CloudTrail, which is again optional.<\/p>\n\n\n\n<p>And then click Next.<\/p>\n\n\n\n<p>Under events, choose the event type such as<\/p>\n\n\n\n<p>Management events &#8211; records management operations performed on aws resources.<\/p>\n\n\n\n<p>Data events &#8211; record operations that are performed within a resource.<\/p>\n\n\n\n<p>Insights events &#8211; identifies unusual activities, errors and user activities in AWS accounts.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/3BE3nKnS9-l5YO-pHxlmwMJjrIUI1i5zcJ0R7mk_Cw24SMf5Lw-JbjfirRVBRM77NPS7iGZEPHC8Xlej3S5H9qX0wr-SjfS0whHgqTQSwRCM1KfWFe8nJZRY_wNL18L8wzb7lSzv=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>For Management events,&nbsp;<\/p>\n\n\n\n<p>Choose the type of activities you want the CloudTrail to record and log it.<\/p>\n\n\n\n<p>Read &#8211; read API operations such as Describe.<\/p>\n\n\n\n<p>Write &#8211; create, update, delete API operations.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
src=\"https:\/\/lh4.googleusercontent.com\/IbI3kD17nIKI01Q0e7PzM7FZ_1ECWQrDFnQ0Zwcbu3nLHTsPCMdZW8L9sK2AvQzav1-19V0Bl0MEutm0pg9inax6oKeXbN1fi-lRPqQ2zMW7S6m1Eglos0TK5UflKXmt2qaxtCMf=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>Click Next, review the settings and then click create trail.<\/p>\n\n\n\n<p>CloudTrail is successfully created.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/pT4w1edfidyPnR16Fkz2_vn1FMqXMzgxWFf41nTDi7rCOf1HxkRDQlEbwUrpiPwR13UDlLdD2kpBD_oOjyi6f8s8rS2xB9FzBeennyJQZOfhQ6PBSW0V1R8DYRECZZUy-wb-vx-v=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<p>To enable or disable the CloudTrail logging, click the trail name.<\/p>\n\n\n\n<p>Click Stop logging.<\/p>\n\n\n\n<p>We can also delete the CloudTrail itself using the delete option.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/Do28ECFoJ5WQmAEFxEJaONqGsQKcLqMRuVFGXuH3HtxHq2H6-sqj42LmBh7PzoeApe4zO2RHSvr8vxvA0gZ2pjn52D2Jfsk3rcZtgbwHWXFRX1UxSpIWzi7V76ifBPDY2kJCWyqC=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>To check the logs stored in the S3 bucket, go to the S3 bucket console.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/Jza66zJwTdsrrBFQj4kTZ5MXadueMf0-PIU_YMxr30I2emUyfqemxHDxc8_D1FjiF1dD4EOEuo9SRLW_LJ1mmB8Wo-bf3fCNdcS9KcbjO0exn7WkwxrB9PRdJrHTlU4vYicwhe6O=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>It has a directory structure that follows AWSLogs, Account, CloudTrail, Region, Year, Month and Day.<\/p>\n\n\n\n<p>There you can find a file of type gz.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/NGpxK4nLlVsp2QOtWWLaqhqpWJzSNbUWd2687gDkUnLj-VMXaiP3P8PLGjKFOYSVcisWL-9-6_GyJJTDSMIZPizVaBzvCoSNMjOmmKopPYc31JlhKGoD1sWi9AQMrPNKf0Lr3IAe=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<h3>&nbsp;<\/h3>\n\n\n\n<h3><strong>Create a <\/strong>CloudWatch Log Group<\/h3>\n\n\n\n<p>For the CloudTrail to store all 
the events in the CloudWatch log group.<\/p>\n\n\n\n<p>First we need to create a CloudWatch log group.<\/p>\n\n\n\n<p>To create a CloudWatch log group, log in to the CloudWatch console.<\/p>\n\n\n\n<p>In the Navigation pane, under Logs, choose Log Groups.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/co_wUwCkfVytnp6q_GzTUJk9-_GCMNPx9qh9PBNXOFFWOyigXCNViM6C0_tKxCXnvY29_B7gKQof-XLk2Ap285bx4DhV8xvS6reEFNh5OomkeTyqv70aXTFFcajmRw2t8REIU8oh=s1600\" alt=\"cloudtrail logs to cloudwatch\" title=\"cloudtrail logs to cloudwatch\"\/><\/figure>\n\n\n\n<p>Click Create Log group, enter a name for the Log group, and click Create.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/2zBSI1-s_GOPC1v17jm3gImVdrMBXW4mBCaJJRgZ2aRLutF0ieuzWUFiMcZ9JQSkHui-pV0yyQ9ow4N_8X5ASQ4WT-TxDuZNQ3r6wJ_rjB9QRQd_gPAzCBZnEuR_-LZ-sgjPS0lH=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<p>The Log group will be used to store all the events captured by CloudTrail.<\/p>\n\n\n\n<h3><strong>Set up an IAM Role<\/strong><\/h3>\n\n\n\n<p class=\"has-text-align-justify\">For CloudTrail to send events to the CloudWatch log group, the trail needs permission to put log events to the CloudWatch log group.<\/p>\n\n\n\n<p class=\"has-text-align-justify\">So we need to create an IAM Role, and the role will be used for CloudTrail to be able to send the events to the CloudWatch log group.<\/p>\n\n\n\n<p>Basically, the Role will have permission to create LogStream and PutLogEvents.<\/p>\n\n\n\n<p>We are not going to manually configure the IAM policy and IAM Role.<\/p>\n\n\n\n<p>Instead, we will be using the CloudTrail console to configure it while enabling the CloudWatch logging.<\/p>\n\n\n\n<h3><strong>Configure CloudTrail event Logging to CloudWatch Log Group<\/strong><\/h3>\n\n\n\n<p>Go to the CloudTrail console, and choose trails in the navigation pane.<\/p>\n\n\n\n<p>Select the trail 
for which you want to set up CloudWatch logging.<\/p>\n\n\n\n<p>Under CloudWatch Logs, click Edit.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/PROZsUyu4RKKap-raWQMIepImgk8SAXL0Z8f-FZZ_S58VgWcoYk78cRLF-VBZxKLLV7ZJ79_zDWflIZ7S3xB4fo7yG0CSZRScx_la9PePVdk_syLLAPSUb0_VY6iHlaF9dr91Oo0=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<p>Make sure CloudWatch Logs is <strong>Enabled<\/strong>.<\/p>\n\n\n\n<p>For the log group, choose existing and then provide the name of the CloudWatch log group.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/nZ4YaLF1PyW1ynnUEnTjZw8njNqMP_oiy3cQ3cx9FEadZuzoG_ENuHWOwenpwfhF0eIzkuqXum__IJytBLJfvxBz0PKDz4GsaJaEuzhxVFNNI8e18-2f-NgUReNfdo30dhmMTWA3=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>For IAM Role, choose new and provide a name for the Role and click Save changes.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/RF-ZfTE6pVg_7WLCmQ5x636J0mQ0tJRZ1akaFOB9czBb_5_d7ziRPW405NNfkP7M6qx8f1Fa0yGhU4XsKHvMYo3-B9027VvFUUGxdXRKhmTUx-8xrOPSPBNEVAbUrIYSbR-gxcz-=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>CloudTrail event logging to cloudwatch log group is implemented.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/ZT4nxWp9r1ecLL2lzUsljLzFclbVYPVybCLFh_C-XHnn-fMSqK1N9V_GojAMXhEbJZhL9iOiAu0NcPRkRyLCY8UOATM6eSYSBfc1qtmzvyKhagaLWrPdR1fKOV9kbnBQ5MPiionj=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p class=\"has-text-align-justify\">To check the CloudTrail logs, go to CloudWatch console, click the Log group and you can find the lists of log streams holding the events captured by the CloudTrail.<\/p>\n\n\n\n<p>Select it.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
src=\"https:\/\/lh5.googleusercontent.com\/B9sZ14tqOeDNWS2qiFvZvdvwX3n_vh4t9hy-OAxreN5g9-wVyiNc03QLWUP_iTbTrji6oBL7LznI6bGIQQ5lCz8OHU9IanNZLNLOKnL2d715dBnllu-34Rw9KaAFL3W_ni2JzqWk=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/Dbx_3Wm7l-gwPZzXFjH6DAdWiKOeGsX3k2Xcafx7VSkSk90ZiDOiMmnPz9mqUxSeWCqAME7OoOMmwuwZQ6kmWCfeCH9KMtTDylGhmZSlasPLvj012G8HYuNXhV6MelyNaebT2Dqq=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<h3><strong>Disable Sending of CloudTrail events to CloudWatch Log group<\/strong><\/h3>\n\n\n\n<p>To disable event logging to the CloudWatch log group:<\/p>\n\n\n\n<p>Go to the CloudTrail console.<\/p>\n\n\n\n<p>Click the trail for which CloudWatch logging should be disabled.<\/p>\n\n\n\n<p>Under CloudWatch Logs, click Edit.<\/p>\n\n\n\n<p>Then uncheck <strong>Enabled<\/strong> and click Save changes.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/GOdG4MUtzgHUy7qZH3nMSlRS3YSLtMINGR8WxG4Ou0X5Ih243gnslnTkthO37nq-s15uzOKB9dpvoVN46xcOk9a5jH3T43wz5JnNHX41I7hGECL7tnXhYpx-lKzXQt37pZ-vKSFm=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<h2><strong>Create an SNS Topic<\/strong><\/h2>\n\n\n\n<p>Go to the <a href=\"https:\/\/console.aws.amazon.com\/sns\/v3\/home\"><em>SNS Console<\/em><\/a>.<\/p>\n\n\n\n<p>In the navigation pane, choose Topics and then click Create topic.<\/p>\n\n\n\n<p>Choose the topic type to be Standard and enter a name for the topic.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/Cb65SlB_BDvdrv4GiaqhAqK8BPb3hLvjko0m4lWGeKJ6rLOxclgAdLCBQF93Z4MecjzQKElogYAva0ohnWABL4bBr6kXOLvBbxfw54HDbIzMuAdJVbIodQyr0noQshML_aaj0xoL=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>Other optional settings include:<\/p>\n\n\n\n<h4><strong>ENCRYPTION:<\/strong><\/h4>\n\n\n\n<p>By default, delivery of 
messages by SNS is performed in an encrypted way.<\/p>\n\n\n\n<p>To enable server side encryption, i.e Encryption at rest.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/Gm1IeDbI7YTQNnWmLRjJYCWCMjdbs7qftbRYkZy9JVypFcCvFijtZinsD_vGTZBqrEM78hnonu6PvwRcpSndGVFQSyvdvXuhYEuBWNNb9pG1vpupPF2GzdI-wkSyBvw6YY4KbxyJ=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\" title=\"SNS Topic\"\/><\/figure>\n\n\n\n<h4><strong>ACCESS POLICY<\/strong><\/h4>\n\n\n\n<p>Restricts access to the Topic.<\/p>\n\n\n\n<p>By default, the owner \/ Topic creator is allowed.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/8D6zSCSDksaSVBS5_xWgtQEPZvyzn0Ila26BUkYu_fhnwaq29ArdH0HSPhqhCyEqDd7qKLJoTrK_DvW4mVUBC798o1Uiwl6hZrA-s3ArxKtJn9qFHYjFf9E18Vnu39JqiLIP5alP=s1600\" alt=\"SNS Topic\" title=\"SNS Topic\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/NLHwRRWcMkGFN-Z7eNiKKE2Lqer2lMI0Y8KovBu0IpHc_u7DRuTgt96UFUicLoQPNOUbr0Eegt4k5KBBAt6-nh9f59WV9KWrNLXC_nIHEDpRX6EHycG-XxM66tKLmccufgPkbuIZ=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\" title=\"SNS Topic\"\/><\/figure>\n\n\n\n<p>Custom policy can be applied to allow Publish and Subscribe for other IAM users.<\/p>\n\n\n\n<h4>&nbsp;<\/h4>\n\n\n\n<h4><strong>DELIVERY RETRY POLICY<\/strong><\/h4>\n\n\n\n<p>Retry sending messages to the configured endpoints.<\/p>\n\n\n\n<p>By default, SNS tries 3 times to send the message to the subscribers.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/pDCnUhsKHxbsXNCZMl2DsOzC1hRdfTksU3sq319e5K6o_2RuCkqTkO3KCXTZT1cHB9wbp98pbYDuIhiWxjXNNCaOvB-nDH4Nntq0_XXFEGVQhH25YMQotrlqUJUAssj5U9wxY7M1=s1600\" alt=\"SNS Topic\" title=\"SNS Topic\"\/><\/figure>\n\n\n\n<h4>&nbsp;<\/h4>\n\n\n\n<h4><strong>DELIVERY STATUS LOGGING<\/strong><\/h4>\n\n\n\n<p class=\"has-text-align-justify\">Logging the delivery 
status of the SNS topic will help us to analyse and resolve if the SNS topic is not able to deliver the message successfully.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/mOkqfHvfyxeqxstX_4LI-jVKOChjmwVpZSlDKbiypUfRERaDyIDDYMztnEVsNqbJwXyJJ9HcaXfI80Us0vyz_UBB_FHi_mqDUW1oTiWD-bffhDVALm_sQdYwTjOd_Um1JcXNwyFy=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\" title=\"SNS Topic\"\/><\/figure>\n\n\n\n<h4>&nbsp;<\/h4>\n\n\n\n<h4><strong>TAGS<\/strong><\/h4>\n\n\n\n<p>You can add a tag to the SNS topic and then,<\/p>\n\n\n\n<p>Click create topic. SNS topic is created.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/Yv70O1zWfgcnY0FSCJcT4s-KUU2Ezh5p0krTIQCeky2tBe9aLybg911Z76YolDIYsYIYf6rBiunKjexUEcNHOXIQaFCDRg7zS71mokw9T8pm2dB4rGWF9gXMyt-4efwHiVB_A5c2=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\" title=\"SNS Topic\"\/><\/figure>\n\n\n\n<p>Lets go ahead and add subscribers for this topic.<\/p>\n\n\n\n<h2><strong>Adding Subscribers to SNS Topic<\/strong><\/h2>\n\n\n\n<p>Subscribers are the one who receives a notification.<\/p>\n\n\n\n<p>To add subscribers, click Create subscription.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/KWfwi2y2qjh53x25pJbWyDm5USyC1GYVXdJCQw1-QXfpqlHL_fIqkUaJgvwqdQXHl7tyGD6ElLnxYca_r4jd3LCkyJ_weCsJLjLzxQgQuhauQ4zf5WQ4HcLg7DyvHvGW3ms6RayF=s1600\" alt=\"SNS Topic\" title=\"SNS Topic\"\/><\/figure>\n\n\n\n<p>Choose the protocols such as lambda, SMS, Email, Email JSON, SQS, HTTP, HTTPS endpoints.<\/p>\n\n\n\n<p>Let me choose Email.<\/p>\n\n\n\n<p>Enter the email address and click create subscription.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/h29Ebhb86b2Y-RLVfl5E1nckC-Nfgnmjh8wE-CMiL3QA_njwU0SDQPFzVFF1GDwgRZjAIO8GZX4q5qJ0yCdaEc7zrxNxsjzTKAoWyTFicJ2vYehkjvlHWCUfjjlQQFWz8zMIxp9e=s1600\" 
alt=\"\"\/><\/figure>\n\n\n\n<p>When a subscriber is added to the topic, it should be validated \/ confirmed.<\/p>\n\n\n\n<p>Subscribers failed to confirm the subscription will fail to receive notifications from the SNS.<\/p>\n\n\n\n<p>Go to Inbox, Amazon SNS must send a message as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/PtNmRaZkX3FJ5uHub48SkCVieJCADg1wibsbeQ4-saZ8ZS_Th9VwalUHq14KOmVYj_AnfGaW2Kbz8s87ykd9RvvTgeDD55mHXGSvYfcZwvgB3OS0-CS6tPzP4QFloXeuPrT1J4mo=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>Click Confirm subscription.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/74GHTGDjzEH5PAyC78GxrIsCdtB5iX-oKvVncwWkI6ZDWsAO3a1xFFl0FSZjxGIGn78f8CDQuWkBsIMXXxEh42Wb9a2ys6c1tgNQaCWx6auhULkpRFpDmwqJQSjholX1dRERxViU=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>Now go back to the SNS console and choose the topic and Under Subscriptions, you should see the subscription is confirmed.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/YFQFXkaDtiTV56zlFNVNbauZDnkRT8K30PoVCffYNeA_-iY46PBLvuGP_6jzr0zfG2S8QSn2JTOLzlIb64IOnV-gfAWN5z1nrpEdEJZ0YIa1wplS3S1_ywES2Kfe0S99KvoZjIXU=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<p>Now let&#8217;s test the pub\/sub messaging system, by publishing a message to the SNS topic and the subscriber (email) should receive the message.<\/p>\n\n\n\n<h2><strong>Publishing Message to Subscribers<\/strong><\/h2>\n\n\n\n<p>To do this, select the topic and click Publish message,<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/DKVi5_sCLRqAYNphp3kBou_U8jg5ex3cEclvMOcekhpgRF0CP9bTPIckgoZTlin5EHphgSLi99o3bXuLVj0XBE4gsYYIww8iBBBvBCFGvWQXjVwqkOswJY2wSRxzdMTUSeQqKkXK=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>Enter a Subject for the message,<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
src=\"https:\/\/lh6.googleusercontent.com\/O21HRjRqq2buZ5iWy_-GkSKCKFvrzbSC5pSa8KxqUmWr-v2lUQApmG52uTNYhUAlo9i2VYvnDSQJ6coPGgqLW8xu09PeDf608f2u6lK179uFI4HTmcuu6jy_7zXg4JZxCC0q_h5C=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>For the Message body, enter the message to publish to the subscribers.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/c5V9jXzqUh44BeW1dXja506eEA4M-PjaEckue8QJ_BtguvfC4C0OZyMysUoO7o6sAy7eLDmrjn0yCvyPFU3iRIgtasm3n-MyBdHr4tvEpADRH7F25fSC5-HDBPGuUD3W7QPcbYW4=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<p>Then click Publish message.<\/p>\n\n\n\n<p>When I checked my mailbox, I had received a message from the SNS topic.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/pQjPUa6abgBQiuZWxjdBqyS7ZimFpbX1mqQy7ii3OTh3mX_ZMkILwJ7fu5LWR9FemkiQE5AoIrpPJo7be0fcWcZYwRAV-Mhc-ocpgo5uucU1eOPbiQ-VNTv_0KosEf28PAA_njNx=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>We should identify the type of activities to be monitored and notified.<\/p>\n\n\n\n<p>The following filter patterns can be used to monitor IAM authentication and authorization activities.&nbsp;<\/p>\n\n\n\n<p>1: Monitoring Changes to IAM<\/p>\n\n\n\n<p>Monitor changes to an IAM account.<\/p>\n\n\n\n<p><code>{ ( ($.eventSource = \"iam.amazonaws.com\") &amp;&amp; (($.eventName = \"Add*\") || ($.eventName = \"Attach*\") || ($.eventName = \"Change*\") || ($.eventName = \"Create*\") || ($.eventName = \"Deactivate*\") || ($.eventName = \"Delete*\") || ($.eventName = \"Detach*\") || ($.eventName = \"Enable*\") || ($.eventName = \"Put*\") || ($.eventName = \"Remove*\") || ($.eventName = \"Set*\") || ($.eventName = \"Update*\") || ($.eventName = \"Upload*\")) ) }<\/code><\/p>\n\n\n\n<p>It tracks IAM events whose names begin with Add, Attach, Change, Create, Deactivate, Delete, Detach, Enable, Put, Remove, Set, Update and Upload.<\/p>\n\n\n\n<p>2: 
Monitoring All Calls to IAM<\/p>\n\n\n\n<p>Monitor all IAM-related activity.<\/p>\n\n\n\n<p><code>{ ($.eventSource = \"iam.amazonaws.com\") }<\/code><\/p>\n\n\n\n<p>If you\u2019re using IAM for a lot of services, you will get a lot of alerts.<\/p>\n\n\n\n<p>3: Monitoring Changes to Authentication &amp; Authorization Configurations<\/p>\n\n\n\n<p>Using the filter pattern below, you can monitor changes to security credentials and policy configurations.<\/p>\n\n\n\n<p><code>{ ( ($.eventSource = \"iam.amazonaws.com\") &amp;&amp; (($.eventName = \"Put*Policy\") || ($.eventName = \"Attach*\") || ($.eventName = \"Detach*\") || ($.eventName = \"Create*\") || ($.eventName = \"Update*\") || ($.eventName = \"Upload*\") || ($.eventName = \"Delete*\") || ($.eventName = \"Remove*\") || ($.eventName = \"Set*\")) ) }<\/code><\/p>\n\n\n\n<h2><strong>Creating CloudWatch Metric Filter Pattern<\/strong><\/h2>\n\n\n\n<p>First create a CloudWatch metric filter for the IAM changes; a CloudWatch alarm will then be created on that metric.<\/p>\n\n\n\n<p>Go to the CloudWatch console and, under Logs, choose Log groups.<\/p>\n\n\n\n<p>Click the name of the log group you created earlier, and then under Actions, choose Create metric filter.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/T-ek-ZhU-FeiiG_TqloGA2Q_LEVe-Kz6UibGxvz76uNmNeefjq_2V_x9EX-btXcGKPi61vak5gCHAspZ4baCNfcEgoX7LbdRsmHODHCXyCIWbZNkXBguZRyIHTDIjd3ux2JJOvgN=s1600\" alt=\"track iam changes\" title=\"track iam changes\"\/><\/figure>\n\n\n\n<p>On the Define pattern page,<\/p>\n\n\n\n<p>For Create filter pattern, enter the filter pattern.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/4ACYJQY0Dwy57O-GDkuf6av0LtAZKrgU4GNj6KHkvS0eY7TE4TdJ3p_sb02HcFK3P24XlTR6f2os3vZr8rXtoyd7SygDzGG1Kzu_Q1gPhwhbI4snxUGfDWN01sLUfRsxhCKROqKQ=s1600\" alt=\"track iam changes\" title=\"track iam changes\"\/><\/figure>\n\n\n\n<p>For 
Test pattern, choose the log stream and then click Next.<\/p>\n\n\n\n<p>We need to assign a metric and provide a Filter name.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/PL_l12ZDPJiK4MNPQdaPwfoj1s4cSAOUvI5JJIsxFXaImD4iDyF1S_SBTsuD9ewUPp13peOA9inZM1ax7tcdAl-XzOBUz4sLOgZ6GcqG7ok4nEr7xG9sMFh4NygrUyM9LAtG_QnM=s1600\" alt=\"track iam changes\" title=\"track iam changes\"\/><\/figure>\n\n\n\n<p>Enter a Metric namespace.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/YTs_WrdXm3a0gZaRfLIvOOSYWBo8XTeO1l_yahlthKLT9lWZf8uCORSi8JUeZOWlmTQBfbQJo1dTkpj_ybKpn5jzBR3HQyS9qpbu_qKGfN2gbH4ZroO9vCHyKIUXUEHPHVa6AjuP=s1600\" alt=\"track iam changes\" title=\"track iam changes\"\/><\/figure>\n\n\n\n<p>For the <em>Metric name<\/em>, enter IAMAuthnAuthzActivity and enter the metric Value as 1.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/OovF07hxegrlZSIRyfcK38jyqvznKU4nqi0wZ8W35yWbf71ddYx9VARfAq-ZEKiXXMi8I0RRZ_hUP31bbOmB2YKO_k6rgBlalmSutUaiQCQgmQueT15Hz2xiaJ91izYi5NW5WTsW=s1600\" alt=\"track iam changes\" title=\"track iam changes\"\/><\/figure>\n\n\n\n<p>Click Next, review the settings and then click Create metric filter.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/fhJqmKFuWah4wLXQ8Yns2LT0kBc6PuSM1ONapEWDQJaqq47QxV74CIFHPXpl5sdjSD-AjwSzaOLqfv2SMY9SXTOjVo9WKHnH3bwg11A2zat20dgnvlE5Ktj8DRYGZMANa5A6Cd-P=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<p>Next we need to create a CloudWatch alarm.<\/p>\n\n\n\n<h2><strong>Creating a CloudWatch Alarm<\/strong><\/h2>\n\n\n\n<p>Under the CloudWatch Log group, you can find the metric filter created.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
src=\"https:\/\/lh5.googleusercontent.com\/fH1y1Bu2Yirk4LdZtFns6QREYQGY8Seh9GS-B2S23dsB5fYrYLrBYadzw61FA_S7HuZa1dXepKPkuVQ4MZ3ZHLKKlm56YYwFXuDH3VWBGM1rzBpvQqCqhnlV_qQX7rLqvORJEyK_=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<p>Choose it and click create alarm.<\/p>\n\n\n\n<p>For Statistics, choose Sum and the Period 5 mins.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/N4WqfDXPI6E4JltoFNuHuoQb7iLX_Bsqyn75RQNuqmnGc5RoEx2ujERuO_0rOShPKKJCW3SW3dx9kGi3I_jPfSxURFOn2WgReUAyhEKRRnLIbxRdL_AWKti561iwYOuNdHG7y6mq=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>Under Conditions, choose static threshold,<\/p>\n\n\n\n<p>&nbsp;The alarm condition is Greater\/Equal and value to be 1.<\/p>\n\n\n\n<p>The alarm will be triggered when the metric value is &gt;=1 for 1 consecutive period.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/nhyrg-lsgK6UXZqJfoP6cBTNtrDT5aC0Lx2J6ffe8CDzmAo-apEtDm8QFT9AKO9UfZyXa9kEnLL9WIVzaZo06ZdJoCIm8TJpBRVpLnAYZslDwdpfzHyNwkNFiX5bi9SEpHyzHKBg=s1600\" alt=\"track iam changes\" title=\"track iam changes\"\/><\/figure>\n\n\n\n<p>and click Next,<\/p>\n\n\n\n<p>For Notification, SNS topic will be used.<\/p>\n\n\n\n<p>Choose In alarm<\/p>\n\n\n\n<p>For Select an SNS topic, choose Select an existing SNS topic.<\/p>\n\n\n\n<p>Choose the SNS topic which was created before and then click Next.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/2RX4XUkVI1djk1z-l01QjXvFA_b6paBI_uUbVXsYo_MLivYAFWVn9I3uUIo0JIUJidk4ReAw5847WAcnCJP-8pj15btjWnNveKblD9gEzL8GvzCN1bAH1WCGcvF9uNvmaSkkcY7D=s1600\" alt=\"\"\/><\/figure>\n\n\n\n<p>Enter a name for the CloudWatch alarm and then click Next .<\/p>\n\n\n\n<p>Review the settings and click Create alarm.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
src=\"https:\/\/lh3.googleusercontent.com\/2dAhcIDWqHVBuy70MhIJWe7esVH3lUPFL2SpAfrWHsDGTIRO3_tfBwpU9GF6Csl6y06dtNakO9QDAb6DDg31TAYONHjbX3QwwwrUcKN6pXqt3AS4MxC71YLnh_D_bTo11kzkjXew=s1600\" alt=\"track iam changes\" title=\"track iam changes\"\/><\/figure>\n\n\n\n<p>Whenever the metric pattern matches,<\/p>\n\n\n\n<p>CloudWatch Alarm will be triggered and we will be notified by SNS to all the Subscribers as shown below.<\/p>\n\n\n\n<p>The below image shows that there is a change in the IAM service, hence the subscribers are notified by the SNS.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/8N2uyW3nDhqA4Mq41lw9cqo6rKIq10KzUdxvdGMWbZ9L3Ia4C_YUINe979lMtsA89qaIdpAtw6GlfCXLHgJx5cCNPrWqJk2mg0a6FHcSHZKV8qh60-APnXEb5CdtsWWZ1Nw96voE=s1600\" alt=\"How to track AWS account activities using AWS CloudTrail?\"\/><\/figure>\n\n\n\n<h2>Conclusion<\/h2>\n\n\n\n<p class=\"has-text-align-justify\">In this blog, with this implementation using AWS services such as CloudTrail, CloudWatch, and SNS we will be able to monitor IAM changes such as Authentication and Authorization, and also any other activities that occur in the AWS account can be tracked, Monitored, and Notified. Stay tuned to keep getting all updates about our upcoming new blogs on AWS and relevant technologies.<\/p>\n\n\n\n<p>Meanwhile \u2026<\/p>\n\n\n\n<p><strong>Keep Exploring -&gt; Keep Learning -&gt; Keep Mastering<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-justify\">This blog is part of our effort towards building a knowledgeable and kick-ass tech community. At <a href=\"https:\/\/www.workfall.com\/\">Workfall<\/a>, we strive to provide the best tech and pay opportunities to AWS-certified talents. 
If you\u2019re looking to work with global clients, build kick-ass products while making big bucks doing so, give it a shot at<a href=\"https:\/\/www.workfall.com\/partner\/\"> workfall.com\/partner<\/a> today.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\">10<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span> There are chances where the employees\/users either intentionally or unintentionally make changes or delete the AWS resources. These scenarios cannot be traced or brought to our notice unless we have a proper monitoring and alerting mechanism to take action immediately to avoid any business interruptions. Proactive monitoring is one of the key items in maintaining [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":275,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":""},"categories":[2],"tags":[3,17,19,20,18,6],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to track AWS account activities using AWS CloudTrail? - The Workfall Blog<\/title>\n<meta name=\"description\" content=\"In this blog, we will demonstrate how to track AWS account activities using AWS CloudTrail with step-by-step instructions.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to track AWS account activities using AWS CloudTrail? 
- The Workfall Blog\" \/>\n<meta property=\"og:description\" content=\"In this blog, we will demonstrate how to track AWS account activities using AWS CloudTrail with step-by-step instructions.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/\" \/>\n<meta property=\"og:site_name\" content=\"The Workfall Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/facebook.com\/workfall\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-24T12:48:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-22T08:14:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/10\/35.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@workfall\" \/>\n<meta name=\"twitter:site\" content=\"@workfall\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Workfall\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/18.141.20.153\/learning\/blog\/#organization\",\"name\":\"Workfall - Hire #Kickass Coders On Demand\",\"url\":\"https:\/\/18.141.20.153\/learning\/blog\/\",\"sameAs\":[\"https:\/\/www.instagram.com\/workfall\/\",\"https:\/\/www.linkedin.com\/company\/workfall\/\",\"https:\/\/facebook.com\/workfall\",\"https:\/\/twitter.com\/workfall\"],\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/18.141.20.153\/learning\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/i1.wp.com\/18.141.20.153\/learning\/blog\/wp-content\/uploads\/2021\/10\/cropped-WF_logo.png?fit=400%2C400\",\"contentUrl\":\"https:\/\/i1.wp.com\/18.141.20.153\/learning\/blog\/wp-content\/uploads\/2021\/10\/cropped-WF_logo.png?fit=400%2C400\",\"width\":400,\"height\":400,\"caption\":\"Workfall - Hire #Kickass Coders On Demand\"},\"image\":{\"@id\":\"https:\/\/18.141.20.153\/learning\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/18.141.20.153\/learning\/blog\/#website\",\"url\":\"https:\/\/18.141.20.153\/learning\/blog\/\",\"name\":\"The Workfall Blog\",\"description\":\"#Tech #Remote #Jobs\",\"publisher\":{\"@id\":\"https:\/\/18.141.20.153\/learning\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/18.141.20.153\/learning\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#primaryimage\",\"url\":\"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/10\/35.png\",\"contentUrl\":\"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/10\/35.png\",\"width\":1200,\"height\":628,\"caption\":\"Track AWS account activities using AWS CloudTrail\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#webpage\",\"url\":\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/\",\"name\":\"How to track AWS account activities using AWS CloudTrail? - The Workfall Blog\",\"isPartOf\":{\"@id\":\"https:\/\/18.141.20.153\/learning\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#primaryimage\"},\"datePublished\":\"2021-10-24T12:48:37+00:00\",\"dateModified\":\"2025-08-22T08:14:45+00:00\",\"description\":\"In this blog, we will demonstrate how to track AWS account activities using AWS CloudTrail with step-by-step 
instructions.\",\"breadcrumb\":{\"@id\":\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/18.141.20.153\/learning\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to track AWS account activities using AWS CloudTrail?\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#webpage\"},\"author\":{\"@id\":\"https:\/\/18.141.20.153\/learning\/blog\/#\/schema\/person\/cab8236044692bc5b27606b13167794a\"},\"headline\":\"How to track AWS account activities using AWS CloudTrail?\",\"datePublished\":\"2021-10-24T12:48:37+00:00\",\"dateModified\":\"2025-08-22T08:14:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#webpage\"},\"wordCount\":1770,\"publisher\":{\"@id\":\"https:\/\/18.141.20.153\/learning\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/10\/35.png\",\"keywords\":[\"AWS\",\"cloudtrail\",\"data analysis\",\"logging\",\"monitoring\",\"workfall\"],\"articleSection\":[\"AWS Cloud 
Computing\"],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/18.141.20.153\/learning\/blog\/#\/schema\/person\/cab8236044692bc5b27606b13167794a\",\"name\":\"Workfall\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/18.141.20.153\/learning\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2023\/09\/avatar_user_1_1693914404-96x96.png\",\"contentUrl\":\"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2023\/09\/avatar_user_1_1693914404-96x96.png\",\"caption\":\"Workfall\"},\"sameAs\":[\"https:\/\/www.workfall.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to track AWS account activities using AWS CloudTrail? - The Workfall Blog","description":"In this blog, we will demonstrate how to track AWS account activities using AWS CloudTrail with step-by-step instructions.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/","og_locale":"en_US","og_type":"article","og_title":"How to track AWS account activities using AWS CloudTrail? 
- The Workfall Blog","og_description":"In this blog, we will demonstrate how to track AWS account activities using AWS CloudTrail with step-by-step instructions.","og_url":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/","og_site_name":"The Workfall Blog","article_publisher":"https:\/\/facebook.com\/workfall","article_published_time":"2021-10-24T12:48:37+00:00","article_modified_time":"2025-08-22T08:14:45+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/10\/35.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_creator":"@workfall","twitter_site":"@workfall","twitter_misc":{"Written by":"Workfall","Est. reading time":"19 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/18.141.20.153\/learning\/blog\/#organization","name":"Workfall - Hire #Kickass Coders On Demand","url":"https:\/\/18.141.20.153\/learning\/blog\/","sameAs":["https:\/\/www.instagram.com\/workfall\/","https:\/\/www.linkedin.com\/company\/workfall\/","https:\/\/facebook.com\/workfall","https:\/\/twitter.com\/workfall"],"logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/18.141.20.153\/learning\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/i1.wp.com\/18.141.20.153\/learning\/blog\/wp-content\/uploads\/2021\/10\/cropped-WF_logo.png?fit=400%2C400","contentUrl":"https:\/\/i1.wp.com\/18.141.20.153\/learning\/blog\/wp-content\/uploads\/2021\/10\/cropped-WF_logo.png?fit=400%2C400","width":400,"height":400,"caption":"Workfall - Hire #Kickass Coders On Demand"},"image":{"@id":"https:\/\/18.141.20.153\/learning\/blog\/#\/schema\/logo\/image\/"}},{"@type":"WebSite","@id":"https:\/\/18.141.20.153\/learning\/blog\/#website","url":"https:\/\/18.141.20.153\/learning\/blog\/","name":"The Workfall Blog","description":"#Tech #Remote 
#Jobs","publisher":{"@id":"https:\/\/18.141.20.153\/learning\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/18.141.20.153\/learning\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#primaryimage","url":"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/10\/35.png","contentUrl":"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/10\/35.png","width":1200,"height":628,"caption":"Track AWS account activities using AWS CloudTrail"},{"@type":"WebPage","@id":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#webpage","url":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/","name":"How to track AWS account activities using AWS CloudTrail? 
- The Workfall Blog","isPartOf":{"@id":"https:\/\/18.141.20.153\/learning\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#primaryimage"},"datePublished":"2021-10-24T12:48:37+00:00","dateModified":"2025-08-22T08:14:45+00:00","description":"In this blog, we will demonstrate how to track AWS account activities using AWS CloudTrail with step-by-step instructions.","breadcrumb":{"@id":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/18.141.20.153\/learning\/blog\/"},{"@type":"ListItem","position":2,"name":"How to track AWS account activities using AWS CloudTrail?"}]},{"@type":"Article","@id":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#article","isPartOf":{"@id":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#webpage"},"author":{"@id":"https:\/\/18.141.20.153\/learning\/blog\/#\/schema\/person\/cab8236044692bc5b27606b13167794a"},"headline":"How to track AWS account activities using AWS 
CloudTrail?","datePublished":"2021-10-24T12:48:37+00:00","dateModified":"2025-08-22T08:14:45+00:00","mainEntityOfPage":{"@id":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#webpage"},"wordCount":1770,"publisher":{"@id":"https:\/\/18.141.20.153\/learning\/blog\/#organization"},"image":{"@id":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-track-aws-account-activities-using-aws-cloudtrail\/#primaryimage"},"thumbnailUrl":"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/10\/35.png","keywords":["AWS","cloudtrail","data analysis","logging","monitoring","workfall"],"articleSection":["AWS Cloud Computing"],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/18.141.20.153\/learning\/blog\/#\/schema\/person\/cab8236044692bc5b27606b13167794a","name":"Workfall","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/18.141.20.153\/learning\/blog\/#\/schema\/person\/image\/","url":"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2023\/09\/avatar_user_1_1693914404-96x96.png","contentUrl":"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2023\/09\/avatar_user_1_1693914404-96x96.png","caption":"Workfall"},"sameAs":["https:\/\/www.workfall.com"]}]}},"jetpack_featured_media_url":"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/10\/35.png","jetpack-related-posts":[{"id":640,"url":"https:\/\/learning.workfall.com\/learning\/blog\/aws-account-activities-using-aws-cloudtrailpart-1\/","url_meta":{"origin":37,"position":0},"title":"How to track AWS account activities using AWS CloudTrail (Part 1)?","date":"November 11, 2021","format":false,"excerpt":"Someone logged into your AWS Console and forced the shutdown of an EC2 instance, and you need to discover who did it as it was a critical instance for production, but you have no records. Here AWS CloudTrail comes to your rescue! 
In your AWS infrastructure, you can use AWS\u2026","rel":"","context":"In &quot;AWS Cloud Computing&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/11\/Cover-Images_Part2-1.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":236,"url":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-build-a-serverless-event-driven-workflow-with-aws-glue-and-amazon-eventbridge\/","url_meta":{"origin":37,"position":1},"title":"How to build a serverless event-driven workflow with AWS Glue and Amazon EventBridge?","date":"October 28, 2021","format":false,"excerpt":"AWS Glue is basically a data processing pipeline that is composed of a crawler, jobs, and triggers. This workflow converts uploaded data files into Apache Parquet format. In this blog, we will see how we can make use of the AWS Glue event-driven workflows to demonstrate the execution of the\u2026","rel":"","context":"In &quot;AWS Cloud Computing&quot;","img":{"alt_text":"Build a Serverless Workflow with AWS Glue and Amazon EventBridge","src":"https:\/\/i2.wp.com\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/10\/Serverless-EventDriven-Workflow-1200-x-628-px.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":626,"url":"https:\/\/learning.workfall.com\/learning\/blog\/orchestrate-queue-based-microservices-with-aws-step-functions-and-amazon-sqspart1\/","url_meta":{"origin":37,"position":2},"title":"How to orchestrate Queue-based Microservices with AWS Step Functions and Amazon SQS (Part 1)?","date":"November 11, 2021","format":false,"excerpt":"Assume that you are developing a distributed application and looking for a solution to transmit a large volume of data, at any level of throughput, without losing messages or requiring other services to be available, you can think about Amazon SQS! 
Using Amazon SQS you can decouple application components so\u2026","rel":"","context":"In &quot;AWS Cloud Computing&quot;","img":{"alt_text":"Orchestrate Queue based Microservices - Amazon SQS","src":"https:\/\/i2.wp.com\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/11\/CoverImages_1200x628px-3.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":675,"url":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-set-up-a-continuous-deployment-pipeline-to-deploy-versions-of-an-application-on-aws-elastic-beanstalk-using-aws-codepipeline-part-1\/","url_meta":{"origin":37,"position":3},"title":"How to set up a continuous deployment pipeline to deploy versions of an application on AWS Elastic Beanstalk using AWS CodePipeline (Part 1)?","date":"November 24, 2021","format":false,"excerpt":"Do you have concerns about managing and deploying web applications? With AWS Elastic Beanstalk, you can launch your full web application in just a few minutes by simply uploading the code. Starting with capacity provisioning, load balancing, auto-scaling, and application health monitoring, this service will take care of the whole\u2026","rel":"","context":"In &quot;AWS Cloud Computing&quot;","img":{"alt_text":"AWS Elastic Beanstalk - Workfall","src":"https:\/\/i2.wp.com\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/11\/CoverImages_1200x628px-6.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":549,"url":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-connect-smart-devices-to-the-amazon-iot-core-service-and-watch-it-send-mqtt-messages-part-1\/","url_meta":{"origin":37,"position":4},"title":"How to connect smart devices to the AWS IoT Core service and watch it send MQTT messages (Part 1)?","date":"November 10, 2021","format":false,"excerpt":"The Internet of Things, also known as IoT, in recent years, successfully disrupted our daily lives. 
If you are using smartphones, smart watches, smart fire alarms, smart door locks, smart bicycles, medical sensors, fitness trackers, smart security systems, smart refrigerators, or smart cars, you are using IoT devices! IoT devices\u2026","rel":"","context":"In &quot;AWS Cloud Computing&quot;","img":{"alt_text":"AWS IoT Core - Workfall","src":"https:\/\/i1.wp.com\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/11\/IoT-1.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":541,"url":"https:\/\/learning.workfall.com\/learning\/blog\/how-to-build-a-serverless-event-driven-workflow-with-aws-glue-and-amazon-eventbridgepart-1\/","url_meta":{"origin":37,"position":5},"title":"How to build a serverless event-driven workflow with AWS Glue and Amazon EventBridge(Part 1)?","date":"November 10, 2021","format":false,"excerpt":"Have you ever wondered how huge IT companies construct their ETL pipelines for production? Are you curious about how TBs and ZBs of data are effortlessly captured and rapidly processed to a database or other storage for data scientists and analysts to use? 
The answer is the serverless data integration\u2026","rel":"","context":"In &quot;AWS Cloud Computing&quot;","img":{"alt_text":"AWS Glue","src":"https:\/\/i1.wp.com\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/11\/Glue.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/learning.workfall.com\/learning\/blog\/wp-json\/wp\/v2\/posts\/37"}],"collection":[{"href":"https:\/\/learning.workfall.com\/learning\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/learning.workfall.com\/learning\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/learning.workfall.com\/learning\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/learning.workfall.com\/learning\/blog\/wp-json\/wp\/v2\/comments?post=37"}],"version-history":[{"count":17,"href":"https:\/\/learning.workfall.com\/learning\/blog\/wp-json\/wp\/v2\/posts\/37\/revisions"}],"predecessor-version":[{"id":2261,"href":"https:\/\/learning.workfall.com\/learning\/blog\/wp-json\/wp\/v2\/posts\/37\/revisions\/2261"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/learning.workfall.com\/learning\/blog\/wp-json\/wp\/v2\/media\/275"}],"wp:attachment":[{"href":"https:\/\/learning.workfall.com\/learning\/blog\/wp-json\/wp\/v2\/media?parent=37"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/learning.workfall.com\/learning\/blog\/wp-json\/wp\/v2\/categories?post=37"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/learning.workfall.com\/learning\/blog\/wp-json\/wp\/v2\/tags?post=37"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}