Domain 4 of 4 · Chapter 4 of 5

Audit Logging

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Data Engineer - Associate premium course — no separate purchase.

Included in this chapter:

  • The CloudTrail event model: management, data, and network events
  • Event history versus a trail, and trustworthy delivery
  • CloudTrail Lake and querying audit logs at scale
  • Exam-pattern recognition: reading the audit-logging question

Choosing where audit logs live and how you query them

Audit storeWhat it holdsHow you query itRetentionBest for
Event historyManagement events, last 90 days, one RegionConsole lookup / LookupEvents90 days, fixedQuick recent review, no setup
Trail to S3Management + chosen data events as JSONAthena over a partitioned tableIndefinite (your S3 lifecycle)Durable archive, large history
Trail to CloudWatch LogsTrail events plus application/audit logsLogs Insights, metric filtersPer log group (default never expire)Alerting and in-place queries
CloudTrail LakeImmutable event data store (ORC)SQL (Trino) directly on eventsUp to ~10 years (pricing option)Long compliance hold, SQL audit

Decision tree

Just a quick look at recent activity, one account/Region? yes Event history free, 90 days no, need a trail Retain for years AND query with SQL? yes CloudTrail Lake up to ~10 years no Durable archive in your own S3 bucket? yes Trail to S3 Athena queries need alerts Trail to CloudWatch Logs Logs Insights + metric alarms Always: enable log file integrity validation signed hourly digest chain makes tampering detectable

Cheat sheet

  • CloudTrail records who did what, not whether a job is healthy
  • A trail logs management events by default, but you must enable data events
  • Event history is free but fixed at 90 days, one Region, management events only
  • A trail delivers to S3, optionally to CloudWatch Logs and EventBridge
  • Use a multi-Region trail to capture every enabled Region in one bucket
  • Centralize an organization with one org trail from the management account
  • Enable log file integrity validation to make the trail tamper-evident
  • CloudTrail signs the integrity digest hourly with a chained signature
  • CloudTrail Lake is an immutable audit lake you query with SQL
  • CloudTrail Lake retains events up to about 10 years for compliance
  • Query CloudTrail logs already in S3 with Athena over a partitioned table
  • Query logs in CloudWatch Logs in place with Logs Insights
  • Choose the audit-query tool by where the logs live and how long you keep them
  • Use OpenSearch or EMR when audit log volume is genuinely large
  • Enable S3 data events to build an object-level access trail for the lake
  • Audit logging records access, it does not enforce or monitor it
  • Enable database audit logging through a parameter or option group, then export to CloudWatch
  • Glue continuous logging streams logs as the job runs and needs logs:AssociateKmsKey when encrypted

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. CloudTrail concepts
  2. Logging data events
  3. Working with CloudTrail event history
  4. Validating CloudTrail log file integrity
  5. Working with AWS CloudTrail Lake
  6. Query CloudTrail logs with Amazon Athena
  7. Analyzing log data with CloudWatch Logs Insights