
aws-cloudtrail

npx machina-cli add skill BagelHole/DevOps-Security-Agent-Skills/aws-cloudtrail --openclaw

AWS CloudTrail

Audit AWS account activity with CloudTrail.

Create Trail

# Create organization trail
aws cloudtrail create-trail \
  --name org-audit-trail \
  --s3-bucket-name audit-logs-bucket \
  --is-organization-trail \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --kms-key-id arn:aws:kms:...

# Start logging
aws cloudtrail start-logging --name org-audit-trail

Event Selectors

# Log all management and data events
aws cloudtrail put-event-selectors \
  --trail-name org-audit-trail \
  --event-selectors '[{
    "ReadWriteType": "All",
    "IncludeManagementEvents": true,
    "DataResources": [{
      "Type": "AWS::S3::Object",
      "Values": ["arn:aws:s3:::sensitive-bucket/"]
    }]
  }]'

CloudTrail Lake

-- Query events
SELECT eventTime, userIdentity.userName, eventName, sourceIPAddress
FROM cloudtrail_logs
WHERE eventTime > '2024-01-01'
  AND eventName LIKE '%Delete%'
ORDER BY eventTime DESC
LIMIT 100
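The Lake query above runs server-side against an event data store (in a real Lake query the FROM clause names the event data store ID; `cloudtrail_logs` is a placeholder). As an added example, not part of the original skill, here is the same filter applied locally to raw CloudTrail log files as delivered to S3 (`{"Records": [...]}`), plus a small detector for the CloudTrail API calls that weaken the trail itself. All records, names and IP addresses are constructed; the helper names are mine.

```python
"""Added example (not part of the original skill): apply the Lake query's
filter to raw CloudTrail log files and flag calls that change or stop the
trail. All records below are constructed for illustration."""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a CloudTrail log file ({"Records": [...]}).
SAMPLE_LOG_FILE = json.dumps({
    "Records": [
        {"eventTime": "2024-03-02T10:15:00Z", "eventName": "DeleteBucket",
         "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "alice"}},
        {"eventTime": "2024-03-02T10:20:00Z", "eventName": "StopLogging",
         "eventSource": "cloudtrail.amazonaws.com", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "IAMUser", "userName": "mallory"}},
        {"eventTime": "2023-12-30T08:00:00Z", "eventName": "DeleteObject",
         "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "alice"}},
        {"eventTime": "2024-03-03T09:00:00Z", "eventName": "GetObject",
         "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.11",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::111122223333:assumed-role/ci/build"}},
        {"eventTime": "2024-03-04T09:00:00Z", "eventName": "DeleteTrail",
         "eventSource": "cloudtrail.amazonaws.com", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "IAMUser", "userName": "mallory"}},
    ]
})

# Real CloudTrail eventName values that reduce or remove audit coverage.
# Any of them is worth an alert, whoever made the call.
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_records(log_file_text):
    """Extract the Records array from one CloudTrail log file (already un-gzipped)."""
    return json.loads(log_file_text)["Records"]


def _actor(record):
    """userName for IAM users; fall back to the ARN for assumed roles and other identities."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def query_delete_events(records, since, limit=100):
    """Local equivalent of the Lake query: eventTime > since, eventName LIKE '%Delete%'
    (case-sensitive, like SQL LIKE), newest first, at most `limit` rows of
    (eventTime, actor, eventName, sourceIPAddress)."""
    since_dt = datetime.strptime(since, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    matches = [r for r in records if _event_time(r) > since_dt and "Delete" in r["eventName"]]
    matches.sort(key=_event_time, reverse=True)
    return [(r["eventTime"], _actor(r), r["eventName"], r["sourceIPAddress"]) for r in matches[:limit]]


def find_trail_tampering(records):
    """Return (eventTime, actor, eventName) for calls that change or stop the trail itself."""
    return [(r["eventTime"], _actor(r), r["eventName"]) for r in records
            if r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r["eventName"] in TRAIL_TAMPERING_EVENTS]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_FILE)
    for row in query_delete_events(recs, "2024-01-01"):
        print("delete event:", row)
    for row in find_trail_tampering(recs):
        print("ALERT trail tampering:", row)
```

The second function is the kind of rule worth wiring to the CloudWatch Logs integration listed under Best Practices: a StopLogging or DeleteTrail call is the first thing an investigation wants to know about, and it is only visible in the trail that it is turning off.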

Best Practices

  • Organization-wide trails
  • Enable log file validation
  • Encrypt with KMS
  • CloudWatch Logs integration
  • Event alerting

Source

git clone https://github.com/BagelHole/DevOps-Security-Agent-Skills
Skill file: compliance/auditing/aws-cloudtrail/SKILL.md
(https://github.com/BagelHole/DevOps-Security-Agent-Skills/blob/main/compliance/auditing/aws-cloudtrail/SKILL.md)

Overview

CloudTrail logs AWS account activity to help you audit and investigate events. This skill covers creating organization-wide trails, enabling multi-region logging, log file validation, and KMS encryption, plus reporting via CloudTrail Lake and CloudWatch.

How This Skill Works

Configure CloudTrail via CLI to create an organization-wide trail, enable multi-region logging, and enforce log file validation and KMS encryption. Then define event selectors to capture both management and data events (e.g., S3 object access). Logs can be analyzed with CloudTrail Lake using SQL-like queries or integrated with CloudWatch for alerts.

When to Use It

  • Audit cross-account activity in an AWS Organization
  • Monitor data events for sensitive resources like S3 buckets
  • Ensure log integrity with validation and encryption
  • Centralize logging across multiple regions and accounts
  • Query historical events with CloudTrail Lake for investigations

Quick Start

  1. Create the organization trail: aws cloudtrail create-trail --name org-audit-trail --s3-bucket-name audit-logs-bucket --is-organization-trail --is-multi-region-trail --enable-log-file-validation --kms-key-id arn:aws:kms:...
  2. Start logging: aws cloudtrail start-logging --name org-audit-trail
  3. Define event selectors to log all management and data events (e.g., S3 object access): aws cloudtrail put-event-selectors --trail-name org-audit-trail --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true,"DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3:::sensitive-bucket/"]}]}]'

Best Practices

  • Organization-wide trails for centralized auditing
  • Enable log file validation to ensure integrity
  • Encrypt logs with a KMS key
  • Integrate CloudTrail with CloudWatch Logs for alerts
  • Set up event alerting for suspicious activity
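Log file validation (enabled by --enable-log-file-validation above) makes CloudTrail write hourly digest files that record a SHA-256 hash of every log file delivered in that hour and a hash of the previous digest, forming a chain. As an added example, not code from the original skill, the block below checks a digest against the log files it covers using only hashlib. The digest and log contents are constructed; the field names (logFiles[].hashValue, previousDigestHashValue, hashAlgorithm) follow the documented digest structure. Two assumptions are mine: that hashValue is the SHA-256 of the uncompressed log file bytes, and that a simple in-memory dict can stand in for the S3 bucket. The RSA signature over each digest (SHA256withRSA, public key from `aws cloudtrail list-public-keys`) is deliberately not checked here; `aws cloudtrail validate-logs` remains the authoritative check.

```python
"""Added example (not from the original skill): offline check of a CloudTrail
digest file against the log files it covers, using only hashlib. All keys,
account IDs and log contents are constructed. Assumption: hashValue is the
SHA-256 of the uncompressed log file content; the digest's RSA signature is
not verified here (use `aws cloudtrail validate-logs` for that)."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed object store standing in for the S3 audit bucket ---
BUCKET = "audit-logs-bucket"
LOG_A_KEY = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/03/02/111122223333_CloudTrail_us-east-1_20240302T1015Z_a.json"
LOG_B_KEY = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/03/02/111122223333_CloudTrail_us-east-1_20240302T1020Z_b.json"
PREV_DIGEST_KEY = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/03/02/prev_digest.json"

LOG_A = json.dumps({"Records": [{"eventTime": "2024-03-02T10:15:00Z", "eventName": "DeleteBucket"}]}).encode()
LOG_B = json.dumps({"Records": [{"eventTime": "2024-03-02T10:20:00Z", "eventName": "StopLogging"}]}).encode()
PREV_DIGEST = json.dumps({"awsAccountId": "111122223333", "logFiles": []}).encode()


def build_store(tamper_log_b=False):
    """Return {(bucket, key): bytes}. With tamper_log_b, log B is replaced by an
    empty Records array, as it would look if its record were removed after delivery."""
    log_b = json.dumps({"Records": []}).encode() if tamper_log_b else LOG_B
    return {
        (BUCKET, LOG_A_KEY): LOG_A,
        (BUCKET, LOG_B_KEY): log_b,
        (BUCKET, PREV_DIGEST_KEY): PREV_DIGEST,
    }


# Digest as CloudTrail would have written it, hashes taken over the untampered contents.
DIGEST = {
    "awsAccountId": "111122223333",
    "digestStartTime": "2024-03-02T10:00:00Z",
    "digestEndTime": "2024-03-02T11:00:00Z",
    "digestS3Bucket": BUCKET,
    "digestSignatureAlgorithm": "SHA256withRSA",
    "previousDigestS3Bucket": BUCKET,
    "previousDigestS3Object": PREV_DIGEST_KEY,
    "previousDigestHashValue": sha256_hex(PREV_DIGEST),
    "previousDigestHashAlgorithm": "SHA-256",
    "logFiles": [
        {"s3Bucket": BUCKET, "s3Object": LOG_A_KEY, "hashValue": sha256_hex(LOG_A), "hashAlgorithm": "SHA-256"},
        {"s3Bucket": BUCKET, "s3Object": LOG_B_KEY, "hashValue": sha256_hex(LOG_B), "hashAlgorithm": "SHA-256"},
    ],
}


def verify_digest(digest, store):
    """Return a list of (key, problem) findings. An empty list means every covered log
    file and the previous digest still match the hashes recorded in this digest."""
    findings = []
    for entry in digest["logFiles"]:
        if entry.get("hashAlgorithm") != "SHA-256":
            findings.append((entry["s3Object"], "unsupported hashAlgorithm %s" % entry.get("hashAlgorithm")))
            continue
        data = store.get((entry["s3Bucket"], entry["s3Object"]))
        if data is None:
            findings.append((entry["s3Object"], "log file missing"))
        elif sha256_hex(data) != entry["hashValue"]:
            findings.append((entry["s3Object"], "hash mismatch"))
    prev_key = digest.get("previousDigestS3Object")
    if prev_key:  # chain check: the previous digest must hash to what this one recorded
        prev = store.get((digest["previousDigestS3Bucket"], prev_key))
        if prev is None:
            findings.append((prev_key, "previous digest missing"))
        elif sha256_hex(prev) != digest["previousDigestHashValue"]:
            findings.append((prev_key, "previous digest hash mismatch"))
    return findings


if __name__ == "__main__":
    print("clean store:", verify_digest(DIGEST, build_store()))
    print("tampered store:", verify_digest(DIGEST, build_store(tamper_log_b=True)))
```

The chain check is what gives the feature its value: deleting a log file, rewriting one, or removing a digest from the middle of the chain each produces a finding, and because the digests are signed by AWS rather than by the account owner, an actor with write access to the bucket cannot silently regenerate them. Pair this with the KMS-encrypted bucket and a restrictive bucket policy so the log writer and the log reader are different principals.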

Example Use Cases

  • Set up an organization-wide audit trail named org-audit-trail with multi-region logging and log file validation
  • Enable KMS encryption on the audit log bucket using a customer-managed key
  • Add event selectors to capture all management events and data events for a sensitive S3 bucket
  • Use CloudTrail Lake to query Delete events and user activity within a date range
  • Trigger CloudWatch alarms when critical IAM or S3 events occur
