CloudTrail is enabled on your AWS account from the moment you create it. Any activity that occurs in your AWS account is recorded as a CloudTrail event. You can easily view and search events in the CloudTrail console by going to Event history.
AWS CloudTrail records user activity and API usage across AWS services as events. CloudTrail events help you answer the question “who did what, where, and when?”
CloudTrail records two types of events: management events, which capture control plane actions on resources, such as creating or deleting Amazon Simple Storage Service (Amazon S3) buckets, and data events, which capture data plane actions within a resource, such as reading or writing an Amazon S3 object.
By default, CloudTrail Event history only records management events, as we can see in the screenshots below.
An Event history search in standard CloudTrail is limited to a single AWS account and a single region, and it cannot filter on multiple attributes at once. By contrast, CloudTrail Lake users can run Structured Query Language (SQL) queries across multiple fields in a CloudTrail event, and across multiple regions.
CloudTrail Lake is an AWS-managed data lake that organizations can use to aggregate, store and query events recorded by CloudTrail for auditing and compliance, security, and operational troubleshooting.
But before you can use SQL to query the lake, you need to set it up, because it is not enabled by default, and it incurs additional charges, as we saw in the earlier screenshots.
The configuration steps are easy: we need to select the event types to capture and the retention period (the minimum retention is 7 days).
After the CloudTrail Lake configuration is complete, we can use SQL to query any AWS events, as we have done here for EC2 events.
We can further filter the events with a query that matches only the StopInstances API event.
The output shows the date and time of each stop instance call along with the details of the user who made it.
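As an added example (not a query from the original post), here is the kind of CloudTrail Lake SQL that produces the StopInstances view described above. The event data store ID and the time window are placeholders you must fill in with your own values; field names follow the CloudTrail Lake event schema. The second statement goes a step beyond the post by counting StopInstances calls per caller across every region in the store, which a single-region Event history search cannot do.

```sql
-- Added example, not from the original post.
-- <EVENT_DATA_STORE_ID> is a placeholder for your CloudTrail Lake event data store ID;
-- the eventTime bound is a constructed sample window.

-- 1. Who stopped EC2 instances, when, and from where (multi-region).
SELECT
    eventTime,
    awsRegion,
    userIdentity.arn   AS caller_arn,
    userIdentity.type  AS caller_type,
    sourceIPAddress,
    requestParameters           -- carries the instance IDs passed to the call
FROM <EVENT_DATA_STORE_ID>
WHERE eventSource = 'ec2.amazonaws.com'
  AND eventName   = 'StopInstances'
  AND eventTime   > '2024-01-01 00:00:00'
ORDER BY eventTime DESC
LIMIT 100;

-- 2. Aggregate view for auditing: StopInstances calls per caller and region.
--    A sudden spike for one principal is a useful review trigger.
SELECT
    userIdentity.arn   AS caller_arn,
    awsRegion,
    count(*)           AS stop_calls
FROM <EVENT_DATA_STORE_ID>
WHERE eventSource = 'ec2.amazonaws.com'
  AND eventName   = 'StopInstances'
  AND eventTime   > '2024-01-01 00:00:00'
GROUP BY userIdentity.arn, awsRegion
ORDER BY stop_calls DESC;
```

Both statements run unchanged in the CloudTrail Lake query editor once the placeholder is replaced; because a Lake query is billed by data scanned, keep the `eventTime` bound as tight as the investigation allows.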