AWS CloudTrail records API calls made across an AWS account, creating an immutable audit trail of every action taken by users, roles, and services. CloudTrail analysis is the methodology of querying, correlating, and investigating these logs to detect security incidents, verify compliance, and perform forensic investigations.
CloudTrail captures management events by default and can be configured to log data events for S3 objects and Lambda invocations. Logs are delivered to S3 buckets and can be queried using Athena with predefined tables. Analysis workflows focus on key patterns: failed authentication attempts indicating credential stuffing, AssumeRole chains revealing lateral movement, policy changes suggesting privilege escalation, and resource creation in unusual regions indicating resource hijacking. CloudTrail Lake provides a managed query engine with seven-year retention. Organizations centralize trails across all accounts into a dedicated security account with immutable storage using S3 Object Lock and cross-region replication.
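The four patterns listed above (failed authentication bursts, AssumeRole chains, permission-widening IAM calls, and resource creation outside approved regions) can be checked directly against the JSON records CloudTrail delivers. The following is an added example, not code from this page or from any AWS tooling: it runs the four checks over a handful of constructed, CloudTrail-shaped records embedded inline. The approved-region set, the failure threshold, the list of IAM event names and the account ID 111122223333 are all assumptions chosen for illustration.

```python
"""Four CloudTrail threat-pattern checks over constructed sample records.
Added example; not the page's code. Field names follow the CloudTrail record
format (eventName, eventSource, awsRegion, sourceIPAddress, userIdentity, ...)."""
from collections import Counter

# Assumption: the account's approved regions; any other region is "unusual".
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}
# Assumption: this many failures from one source IP counts as a burst.
FAILED_AUTH_THRESHOLD = 3
# IAM write calls that grant or widen permissions (illustrative subset).
POLICY_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreatePolicyVersion", "SetDefaultPolicyVersion", "UpdateAssumeRolePolicy",
}
ACCT = "111122223333"  # constructed account ID


def _rec(name, source, region, ip, identity, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    r = {"eventName": name, "eventSource": source, "awsRegion": region,
         "sourceIPAddress": ip, "userIdentity": identity}
    r.update(extra)
    return r


USER_ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"}
USER_BOB = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"}
DEV_SESSION = {"type": "AssumedRole",
               "arn": f"arn:aws:sts::{ACCT}:assumed-role/DevRole/bob",
               "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCT}:role/DevRole"}}}
ADMIN_SESSION = {"type": "AssumedRole",
                 "arn": f"arn:aws:sts::{ACCT}:assumed-role/AdminRole/bob",
                 "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCT}:role/AdminRole"}}}

# Constructed sample records (TEST-NET addresses, not real traffic).
SAMPLE_RECORDS = [
    # three failed console sign-ins, then a success, from one address
    *[_rec("ConsoleLogin", "signin.amazonaws.com", "us-east-1", "203.0.113.10",
           USER_ALICE, responseElements={"ConsoleLogin": "Failure"}) for _ in range(3)],
    _rec("ConsoleLogin", "signin.amazonaws.com", "us-east-1", "203.0.113.10",
         USER_ALICE, responseElements={"ConsoleLogin": "Success"}),
    # one denied API call from another address: below the burst threshold
    _rec("ListBuckets", "s3.amazonaws.com", "us-east-1", "198.51.100.7",
         USER_ALICE, errorCode="AccessDenied"),
    # first hop: IAM user -> DevRole (a single hop is not a chain)
    _rec("AssumeRole", "sts.amazonaws.com", "us-east-1", "198.51.100.7", USER_BOB,
         requestParameters={"roleArn": f"arn:aws:iam::{ACCT}:role/DevRole"}),
    # second hop: DevRole session -> AdminRole (role chaining)
    _rec("AssumeRole", "sts.amazonaws.com", "us-east-1", "198.51.100.7", DEV_SESSION,
         requestParameters={"roleArn": f"arn:aws:iam::{ACCT}:role/AdminRole"}),
    # successful permission-widening call
    _rec("AttachRolePolicy", "iam.amazonaws.com", "us-east-1", "198.51.100.7", ADMIN_SESSION,
         requestParameters={"roleName": "DevRole",
                            "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    # denied IAM write: counts as a failure, not as a policy change
    _rec("PutRolePolicy", "iam.amazonaws.com", "us-east-1", "198.51.100.7", DEV_SESSION,
         errorCode="AccessDenied"),
    # resource creation outside the approved regions
    _rec("RunInstances", "ec2.amazonaws.com", "ap-southeast-1", "198.51.100.7", ADMIN_SESSION),
    # resource creation in an approved region: not flagged
    _rec("CreateBucket", "s3.amazonaws.com", "us-east-1", "198.51.100.7", ADMIN_SESSION),
]


def is_failure(r):
    """True for a denied API call or a failed console sign-in."""
    if r.get("errorCode"):
        return True
    return (r["eventName"] == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Failure")


def failed_auth_bursts(records, threshold=FAILED_AUTH_THRESHOLD):
    """Source IPs whose failure count reaches the threshold -> {ip: count}."""
    counts = Counter(r["sourceIPAddress"] for r in records if is_failure(r))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def role_chains(records):
    """Successful AssumeRole calls made from an already-assumed role -> [(issuer_role, target_role)]."""
    hops = []
    for r in records:
        ident = r["userIdentity"]
        if r["eventName"] != "AssumeRole" or r.get("errorCode") or ident.get("type") != "AssumedRole":
            continue
        hops.append((ident["sessionContext"]["sessionIssuer"]["arn"],
                     r["requestParameters"]["roleArn"]))
    return hops


def policy_changes(records):
    """Successful IAM calls that grant or widen permissions -> [(actor_arn, event, params)]."""
    return [(r["userIdentity"]["arn"], r["eventName"], r.get("requestParameters", {}))
            for r in records
            if r["eventSource"] == "iam.amazonaws.com"
            and r["eventName"] in POLICY_CHANGE_EVENTS and not r.get("errorCode")]


def unusual_region_creates(records, allowed=ALLOWED_REGIONS):
    """Successful resource-creating calls outside approved regions -> [(region, event, actor_arn)]."""
    return [(r["awsRegion"], r["eventName"], r["userIdentity"]["arn"])
            for r in records
            if (r["eventName"].startswith("Create") or r["eventName"] == "RunInstances")
            and r["awsRegion"] not in allowed and not r.get("errorCode")]


def analyze(records):
    """Run all four checks and return findings keyed by pattern name."""
    return {"failed_auth_bursts": failed_auth_bursts(records),
            "role_chains": role_chains(records),
            "policy_changes": policy_changes(records),
            "unusual_region_creates": unusual_region_creates(records)}


if __name__ == "__main__":
    for pattern, hits in analyze(SAMPLE_RECORDS).items():
        print(f"{pattern}: {hits}")
```

Each check deliberately ignores records carrying an `errorCode` when it is looking for a successful action (a denied `PutRolePolicy` is evidence for the failed-auth check, not a policy change), and the role-chain check keys on `userIdentity.type == "AssumedRole"` so that the ordinary first hop from an IAM user is not reported. The same predicates translate directly into `WHERE` clauses for the Athena table the text describes.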
Without CloudTrail analysis, organizations are blind to what is happening in their cloud environment. Incident response teams depend on these logs to reconstruct attack timelines, determine blast radius, and identify root cause. Compliance frameworks universally require audit logging, and CloudTrail is the primary evidence source for AWS environments during audits and breach investigations.
CDA integrates CloudTrail analysis into the RGA (Risk Governance and Assurance) domain and TID operations. Our missions include deploying organization-wide trails with tamper-proof storage, building Athena query libraries for common threat patterns, and establishing alert pipelines that surface critical events in near real-time.