BagelHole

aws-cloudtrail

Configure AWS CloudTrail for audit logging. Set up organization trails and event analysis. Use when auditing AWS activity.


Install

npx skillscat add bagelhole/devops-security-agent-skills/aws-cloudtrail

Install via the SkillsCat registry.

SKILL.md

AWS CloudTrail

Audit AWS account activity with CloudTrail.

Create Trail

# Create organization trail
aws cloudtrail create-trail \
  --name org-audit-trail \
  --s3-bucket-name audit-logs-bucket \
  --is-organization-trail \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --kms-key-id arn:aws:kms:...

# Start logging
aws cloudtrail start-logging --name org-audit-trail

Event Selectors

# Log all management and data events
aws cloudtrail put-event-selectors \
  --trail-name org-audit-trail \
  --event-selectors '[{
    "ReadWriteType": "All",
    "IncludeManagementEvents": true,
    "DataResources": [{
      "Type": "AWS::S3::Object",
      "Values": ["arn:aws:s3:::sensitive-bucket/"]
    }]
  }]'

CloudTrail Lake

-- Query events (CloudTrail Lake SQL; in Lake the FROM clause names the event data store ID,
-- so cloudtrail_logs below stands in for that ID)
SELECT eventTime, userIdentity.userName, eventName, sourceIPAddress
FROM cloudtrail_logs
WHERE eventTime > '2024-01-01'
  AND eventName LIKE '%Delete%'
ORDER BY eventTime DESC
LIMIT 100
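The same selection as the Lake query above can be run offline over the raw JSON objects a trail delivers to S3, which is useful when Lake is not enabled or when you want to test alerting logic locally. This is an added example, not part of the skill or of CloudTrail itself; the records, principals and IP addresses are constructed, and the trail-tampering alert (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors) is an assumed rule that illustrates the "Event alerting" best practice.

```python
import gzip
import json
from datetime import datetime, timezone

# Constructed sample records (not real account data): two Delete events, one read,
# and one event that disables the trail itself.
SAMPLE_RECORDS = {
    "Records": [
        {"eventTime": "2024-03-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
         "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "alice"}},
        {"eventTime": "2023-12-31T23:59:00Z", "eventSource": "iam.amazonaws.com",
         "eventName": "DeleteUser", "sourceIPAddress": "203.0.113.11",
         "userIdentity": {"type": "IAMUser", "userName": "bob"}},
        {"eventTime": "2024-02-10T08:00:00Z", "eventSource": "s3.amazonaws.com",
         "eventName": "GetObject", "sourceIPAddress": "203.0.113.12",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
        {"eventTime": "2024-02-20T12:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
         "eventName": "StopLogging", "sourceIPAddress": "203.0.113.13",
         "userIdentity": {"type": "IAMUser", "userName": "mallory"}},
    ]
}

# Assumed alert rule: management events that stop, delete or reconfigure a trail.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def sample_log_bytes() -> bytes:
    """Serialise the constructed records the way CloudTrail delivers them to S3 (gzipped JSON)."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode())


def load_records(raw: bytes) -> list:
    """Decode one trail log object (gzip or plain JSON) into its Records list."""
    if raw[:2] == b"\x1f\x8b":          # gzip magic bytes
        raw = gzip.decompress(raw)
    return json.loads(raw).get("Records", [])


def principal(record: dict) -> str:
    """userIdentity.userName is only present for IAM users; roles and services expose an ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def parse_event_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def query_deletes(records: list, since: str = "2024-01-01", limit: int = 100) -> list:
    """Same selection as the Lake query: eventTime > since AND eventName LIKE '%Delete%',
    newest first, capped at `limit`. Returns (eventTime, principal, eventName, sourceIP) rows."""
    since_dt = datetime.fromisoformat(since).replace(tzinfo=timezone.utc)
    rows = [(r["eventTime"], principal(r), r["eventName"], r["sourceIPAddress"])
            for r in records
            if parse_event_time(r["eventTime"]) > since_dt and "Delete" in r["eventName"]]
    rows.sort(key=lambda row: row[0], reverse=True)   # ISO-8601 strings sort chronologically
    return rows[:limit]


def tamper_alerts(records: list) -> list:
    """Return (eventTime, principal, eventName) for events that change the trail's own logging."""
    return [(r["eventTime"], principal(r), r["eventName"]) for r in records
            if r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r["eventName"] in TRAIL_TAMPER_EVENTS]


if __name__ == "__main__":
    recs = load_records(sample_log_bytes())
    for row in query_deletes(recs):
        print("DELETE", *row)
    for row in tamper_alerts(recs):
        print("ALERT ", *row)
```

Note that `userIdentity.userName` is empty for assumed roles and service principals, which is why the helper falls back to the ARN; a query that groups only on userName will silently drop role-based activity.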

Best Practices

  • Organization-wide trails
  • Enable log file validation
  • Encrypt with KMS
  • CloudWatch Logs integration
  • Event alerting
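What "Enable log file validation" buys you is a hash chain: CloudTrail writes hourly digest files that record the SHA-256 of every delivered log file and the hash of the previous digest, so a removed or edited log file, or a missing digest, becomes detectable. The check below is an added example, not the skill's or AWS's code; it walks that chain over constructed digests and log objects (the digest fields used are a subset of the real format) and leaves out the RSA signature verification that the real `aws cloudtrail validate-logs` command performs with the keys from `list-public-keys`.

```python
import hashlib
import json
from typing import Dict, List, Optional

BUCKET = "audit-logs-bucket"   # bucket name from the create-trail command above


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_objects: Dict[str, bytes], previous: Optional[bytes]) -> bytes:
    """Constructed digest carrying the subset of CloudTrail digest fields this check uses."""
    digest = {
        "digestS3Bucket": BUCKET,
        "previousDigestHashValue": sha256_hex(previous) if previous else None,
        "previousDigestHashAlgorithm": "SHA-256" if previous else None,
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": key,
                      "hashValue": sha256_hex(body), "hashAlgorithm": "SHA-256"}
                     for key, body in log_objects.items()],
    }
    return json.dumps(digest, sort_keys=True).encode()


def build_store():
    """Constructed bucket contents: three hourly log objects and the digest chain over them."""
    store: Dict[str, bytes] = {}
    digests: List[bytes] = []
    previous = None
    for hour in (1, 2, 3):
        key = f"AWSLogs/123456789012/CloudTrail/us-east-1/2024/03/01/hour-{hour:02d}.json.gz"
        body = json.dumps({"Records": [{"eventName": "DescribeTrails", "hour": hour}]}).encode()
        store[key] = body
        raw = build_digest({key: body}, previous)
        digests.append(raw)
        previous = raw
    return store, digests


def verify_chain(digests: List[bytes], store: Dict[str, bytes]) -> List[str]:
    """Walk digests oldest to newest. Returns the problems found; an empty list means
    every log file matches its recorded hash and every digest links to its predecessor."""
    problems = []
    previous = None
    for i, raw in enumerate(digests):
        d = json.loads(raw)
        if previous is not None and d.get("previousDigestHashValue") != sha256_hex(previous):
            problems.append(f"digest {i}: previous-digest hash mismatch (digest removed or replaced)")
        for lf in d["logFiles"]:
            body = store.get(lf["s3Object"])
            if body is None:
                problems.append(f"digest {i}: log file missing: {lf['s3Object']}")
            elif sha256_hex(body) != lf["hashValue"]:
                problems.append(f"digest {i}: log file modified: {lf['s3Object']}")
        previous = raw
    return problems


if __name__ == "__main__":
    store, digests = build_store()
    print("intact chain  :", verify_chain(digests, store) or "OK")
    store[next(iter(store))] = b'{"Records": []}'        # simulate an edited log object
    print("edited log    :", verify_chain(digests, store))
    store, digests = build_store()
    print("missing digest:", verify_chain([digests[0], digests[2]], store))
```

The chain only protects what is in the bucket, so pair it with a bucket policy and object lock or versioning that keep the trail's own delivery role from being the one that deletes digests, and alarm on StopLogging and UpdateTrail so a gap in the chain is noticed at the time it is created rather than at the next audit.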