Logs from AWS CloudTrail

Sending CloudTrail logs to S3

What is CloudTrail?

AWS CloudTrail is an auditing tool in AWS. It records actions taken by users, roles or AWS services as events. CloudTrail provides three ways to record events: Event History, CloudTrail Lake and Trails. This guide focuses on Trails.

Why use CloudTrail with Scanner?

Because it audits every API action, CloudTrail Trail logs tend to be voluminous, and querying them with the default AWS tools is slow and costly. Using Scanner to index your CloudTrail logs allows you to:

  • Index terabytes of data per day at an affordable cost with unlimited data retention.

  • Run lightning-fast queries over the large data set for quick investigations.

  • Set up real-time detections that alert on potential vulnerabilities or security breaches as they happen.

How to export CloudTrail Trails to S3?

CloudTrail Trails always deliver their log files to an S3 bucket, so no additional export step is needed.

How to set up CloudTrail Trails?

  1. AWS Console -> CloudTrail -> Trails -> Create trail.

  2. If your organization has multiple AWS accounts, you may track events from all accounts in a single Trail by selecting "Enable for all accounts in my organization" (recommended). More information here.

  3. Select the destination S3 bucket (or create a new one).

  4. Select the types of events (management, data or insights events) you wish to audit. More information here.
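The destination bucket in step 3 must allow the CloudTrail service principal to write into it. The console attaches the required bucket policy when it creates the bucket for you; when you create the trail with the API or CLI you attach it yourself. The following is an added example (not from this page or from Scanner) that builds that bucket policy, the matching boto3 `create_trail` parameters for an organization-wide, multi-region trail, and a check you can run against an existing bucket policy. The bucket name, account id, region, trail name and organization id are constructed placeholders.

```python
"""Bucket policy and create_trail parameters for a CloudTrail Trail delivering to S3.

Added example; all identifiers (bucket, account, region, trail, org id) are
constructed placeholders, not values from any real account.
"""
import json


def cloudtrail_bucket_policy(bucket, account_id, region, trail_name, org_id=None):
    """Return the S3 bucket policy CloudTrail needs to deliver log files."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    # CloudTrail writes under AWSLogs/<account-id>/; an organization trail also
    # writes member-account logs under AWSLogs/<org-id>/.
    write_resources = [f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*"]
    if org_id:
        write_resources.append(f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                # Pin the grant to this trail so a trail in another account
                # cannot use the service principal to write into the bucket.
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": write_resources,
                "Condition": {
                    "StringEquals": {
                        # Delivered objects must be owned by the bucket owner.
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def create_trail_params(bucket, trail_name, organization_trail=True):
    """Keyword arguments for boto3 cloudtrail.create_trail(**params)."""
    return {
        "Name": trail_name,
        "S3BucketName": bucket,
        "IsMultiRegionTrail": True,           # capture events from every region
        "IncludeGlobalServiceEvents": True,   # IAM, STS and other global services
        "EnableLogFileValidation": True,      # digest files reveal altered or deleted log files
        "IsOrganizationTrail": organization_trail,
    }


def policy_allows_cloudtrail_write(policy, bucket, account_id):
    """Check that an existing bucket policy grants CloudTrail PutObject on this account's prefix."""
    needed = f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Service") != "cloudtrail.amazonaws.com":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "s3:PutObject" not in actions:
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if needed in resources:
            return True
    return False


if __name__ == "__main__":
    # Constructed placeholder values.
    policy = cloudtrail_bucket_policy(
        "example-cloudtrail-bucket", "123456789012", "us-east-1", "org-trail", org_id="o-exampleorgid"
    )
    print(json.dumps(policy, indent=2))
    print(create_trail_params("example-cloudtrail-bucket", "org-trail"))
```

Attach the policy with `s3.put_bucket_policy(Bucket=..., Policy=json.dumps(policy))` before calling `create_trail`, otherwise the create call fails with an insufficient-permissions error on the bucket.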

How to start indexing the CloudTrail logs in S3?

Once you have your CloudTrail logs in S3, you can set up Scanner to start indexing those files following the guide here.
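To see what the indexer will be reading, it helps to know the shape of a delivered CloudTrail object: a gzipped JSON document with a top-level `Records` array, stored under a key of the form `AWSLogs/<account-id>/CloudTrail/<region>/YYYY/MM/DD/<file>.json.gz` (with an `o-…` organization id inserted before the account id for organization trails). The following added example (not from this page or from Scanner) parses such a key, decodes the object, and runs one of the detections mentioned earlier over its records: API calls that disable or alter the trail itself. The key, account id, region and records are constructed sample data.

```python
"""Parse a CloudTrail log object as delivered to S3 and flag trail-tampering events.

Added example; the object key and records below are constructed sample data.
"""
import gzip
import json
import re

# Key layout: [prefix/]AWSLogs/[org-id/]<account>/CloudTrail/<region>/YYYY/MM/DD/<file>.json.gz
KEY_RE = re.compile(
    r"^(?:.+/)?AWSLogs/(?:(?P<org>o-[a-z0-9]+)/)?(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"
    r"(?P<file>[^/]+\.json\.gz)$"
)

# CloudTrail API calls that stop, delete or reconfigure logging; a real-time
# detection on these is a common first rule over CloudTrail data.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_key(key):
    """Extract account, region, org id and delivery date from an object key."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError(f"not a CloudTrail log key: {key}")
    d = m.groupdict()
    d["date"] = f"{d.pop('year')}-{d.pop('month')}-{d.pop('day')}"
    return d


def load_records(gz_bytes):
    """Decompress a delivered object and return its Records list."""
    doc = json.loads(gzip.decompress(gz_bytes))
    return doc.get("Records", [])


def summarize(record):
    """Reduce a record to the fields an analyst looks at first."""
    ident = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime"),
        "source": record.get("eventSource"),
        "name": record.get("eventName"),
        "actor": ident.get("arn") or ident.get("type"),
        "ip": record.get("sourceIPAddress"),
        "error": record.get("errorCode"),
    }


def find_tampering(records):
    """Return summaries of records that change CloudTrail's own configuration."""
    return [
        summarize(r)
        for r in records
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and r.get("eventName") in TAMPER_EVENTS
    ]


def analyze_object(key, body):
    meta = parse_key(key)
    records = load_records(body)
    return {"meta": meta, "record_count": len(records), "tampering": find_tampering(records)}


# Constructed sample object: two records, one benign AssumeRole and one StopLogging.
SAMPLE_KEY = (
    "AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/01/"
    "123456789012_CloudTrail_us-east-1_20240501T0005Z_aBcDeFgH1234.json.gz"
)
SAMPLE_RECORDS = {"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T00:01:12Z",
     "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T00:03:40Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "org-trail"}},
]}
SAMPLE_OBJECT = gzip.compress(json.dumps(SAMPLE_RECORDS).encode())

if __name__ == "__main__":
    print(json.dumps(analyze_object(SAMPLE_KEY, SAMPLE_OBJECT), indent=2))
```

The same `parse_key` logic is what lets an indexer partition by account, region and day from the key alone, before it downloads the object.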
