CS0-003 | Chapter 55 of 100 | Objective 1.2

AWS CloudTrail and Azure Audit Log Analysis

This chapter covers AWS CloudTrail and Azure Activity Log (historically called the Azure Audit Log) analysis, two services that underpin security monitoring, incident response, and compliance in cloud environments. For the CS0-003 exam, knowing how to configure, query, and interpret these logs matters because they are the primary record of who did what in a cloud account, and so the foundation of cloud forensics and threat detection. Roughly 10-15% of Security Operations questions involve log analysis from these platforms, typically asking you to spot suspicious activity or confirm that a logging control is in place. You will learn how each service works, where they differ, and how to use them in realistic scenarios.

25 min read
Intermediate
Updated May 31, 2026

AWS CloudTrail as a Bank Vault Surveillance System

AWS CloudTrail is like a bank vault's surveillance system with multiple high-definition cameras and a detailed access log. Every time someone enters the vault room (makes an API call), the system records who they are (IAM user, role, or root), which door they came through (source IP and service endpoint), what they did inside (the action, such as opening a safe deposit box or checking a balance), whether it succeeded, and the exact timestamp. The footage goes to a tape archive (an S3 bucket), and each tape is sealed with a tamper-evident hash (log file integrity validation) so you can prove later that nobody edited the recording; a copy can also be streamed to a central monitoring station (CloudWatch Logs) for alerting. A tamper-evident seal is not a lock, though: the tapes can still be deleted unless you also restrict who can touch the archive (bucket policy, MFA delete, S3 Object Lock). Just as bank security reviews the tapes after a theft to trace who accessed which box and when, analysts query CloudTrail to investigate unauthorized API calls, reconstruct changes to resources, and demonstrate compliance. The 'management events' camera covers the vault door (control plane operations such as creating users or changing security groups) and runs by default; the 'data events' camera, which records every time someone handles an individual deposit box (data plane operations such as S3 GetObject or Lambda Invoke), must be switched on deliberately because it produces far more footage. A 'trail' is a camera configuration: which regions and event types to record, where to store the footage, and whether to encrypt it with the default SSE-S3 or with a KMS key (SSE-KMS). How long to keep the tapes is decided at the archive, with S3 lifecycle rules, not on the trail itself. To catch someone picking the lock, you enable CloudTrail Insights, which learns the normal rate of API calls and errors and flags deviations, like a guard entering the vault at 3 AM when they never do.

How It Actually Works

What is AWS CloudTrail and Why Does It Exist?

AWS CloudTrail is the governance, compliance, operational auditing, and risk auditing service that records API activity in an AWS account: who made a call, from where, when, what was requested, and what the service returned. It exists to give security teams visibility into user and resource activity so they can detect unauthorized access, investigate incidents, and satisfy regulatory requirements such as PCI DSS, HIPAA, and SOC 2. Without CloudTrail, AWS would be a black box; you would not know who created a new S3 bucket, modified a security group, or launched an EC2 instance.

How CloudTrail Works Internally

When an API call reaches an AWS service endpoint (from a user, an application, or another AWS service), the service authenticates and processes the request and emits an event record to CloudTrail describing the request and its outcome. CloudTrail formats each record as JSON, batches records into gzipped log files, and delivers them to the S3 bucket configured on the trail. Optionally, the same events can be forwarded to CloudWatch Logs for metric filters and alarms, and management events that change state are also published to Amazon EventBridge, where rules can drive event-driven automation. Even without a trail, the CloudTrail console's Event history shows the last 90 days of management events for the account.

The log record includes:
- eventVersion: The version of the CloudTrail record format (for example 1.08; newer records carry higher versions, and the field tells a parser which keys to expect).
- userIdentity: Who made the call, including type (Root, IAMUser, AssumedRole, FederatedUser, AWSAccount, AWSService, among others), arn, accountId, accessKeyId, userName, and, for temporary credentials, a sessionContext that names the sessionIssuer (the role) and whether the session was mfaAuthenticated.
- eventTime: The timestamp in UTC (ISO 8601 format).
- eventSource: The service that received the request (e.g., ec2.amazonaws.com).
- eventName: The action performed (e.g., RunInstances, CreateBucket).
- awsRegion: The region the request was sent to. Global services (IAM, STS, CloudFront) report us-east-1.
- sourceIPAddress: The IP address the request came from; for calls an AWS service makes on your behalf this holds the service's DNS name instead.
- userAgent: The client used (e.g., console, SDK, CLI).
- requestParameters: The parameters sent with the request (e.g., instance type, bucket name).
- responseElements: What the service returned for a state-changing call (e.g., instance ID); null for read-only calls and for calls that failed.
- errorCode and errorMessage: Present only when the request failed (e.g., AccessDenied, Client.UnauthorizedOperation).
- readOnly and eventCategory: Whether the call only read state, and whether the record is a Management, Data, or Insight event.

CloudTrail can log two categories of events:
- Management Events: Control plane operations that manage AWS resources (e.g., creating an IAM user, modifying a VPC, changing a security group rule). A trail logs these by default, and you can choose to record read-only events, write-only events, or both.
- Data Events: Data plane operations on resources, such as S3 GetObject and PutObject, Lambda Invoke, and DynamoDB item-level reads and writes. These are not logged by default; you enable them explicitly per resource type (event selectors or advanced event selectors) because they are high volume and billed per event.
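To make those fields concrete, here is an added example (not code from the original chapter, and not an AWS tool) that parses a CloudTrail log file into records, pulls out the analyst-facing fields, counts management versus data events, and applies three detections a SOC would typically run over the records: root user activity, successful calls that weaken logging (DeleteTrail, StopLogging, UpdateTrail, PutEventSelectors), and a burst of unauthorized calls from one access key. The log file is constructed for the demonstration; the account ID, ARNs, key IDs and IP addresses are placeholders.

```python
"""Parse a CloudTrail log file and triage its records.

Added example for this chapter, not code from the original page or from AWS.
SAMPLE_LOG is constructed for the demonstration: the account ID, ARNs, access
key IDs and IP addresses are fictitious placeholders.
"""
from __future__ import annotations

import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample in the shape CloudTrail writes to S3: a JSON object with
# a "Records" array. Real files are gzipped (.json.gz); this one is plain text.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-01-01T03:02:11Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.15.0", "eventCategory": "Management",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012", "accessKeyId": "AKIAROOTEXAMPLE00"},
     "requestParameters": {"name": "my-trail"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T03:04:40Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.20",
     "userAgent": "console.ec2.amazonaws.com", "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "accountId": "123456789012", "accessKeyId": "ASIAALICEEXAMPLE0",
                      "userName": "alice"}},
] + [
    # Three denied RunInstances calls from one temporary key inside one minute
    {"eventVersion": "1.08", "eventTime": t,
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "192.0.2.99",
     "userAgent": "Boto3/1.34.0", "eventCategory": "Management",
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation.",
     "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/ci-runner",
                      "accessKeyId": "ASIACIRUNNEREXAMPLE"}}
    for t in ("2024-01-01T03:10:00Z", "2024-01-01T03:10:30Z", "2024-01-01T03:11:00Z")
] + [
    # One S3 data event; such records only exist if data events are enabled on the trail
    {"eventVersion": "1.08", "eventTime": "2024-01-01T03:12:05Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.21",
     "userAgent": "aws-sdk-java/2.20", "eventCategory": "Data",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob",
                      "accountId": "123456789012", "accessKeyId": "AKIABOBEXAMPLE000",
                      "userName": "bob"},
     "requestParameters": {"bucketName": "payroll-exports", "key": "2024/q1.csv"}},
]})

# Calls that, when they succeed, reduce or stop logging
LOGGING_TAMPER = {"DeleteTrail", "StopLogging", "UpdateTrail", "PutEventSelectors"}


def load_records(raw: str) -> list[dict]:
    """Return the Records array of one CloudTrail log file (already gunzipped)."""
    return json.loads(raw)["Records"]


def summarize(rec: dict) -> dict:
    """Pull the fields an analyst looks at first out of one record."""
    ident = rec.get("userIdentity", {})
    return {
        "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "source": rec["eventSource"], "name": rec["eventName"], "region": rec["awsRegion"],
        "ip": rec.get("sourceIPAddress"), "identity_type": ident.get("type"),
        "arn": ident.get("arn"), "key": ident.get("accessKeyId"),
        "error": rec.get("errorCode"), "category": rec.get("eventCategory", "Management"),
    }


def is_unauthorized(rec: dict) -> bool:
    """Match both error codes CloudTrail records for an unauthorized call (the CIS pattern)."""
    err = rec.get("errorCode") or ""
    return err.startswith("AccessDenied") or err.endswith("UnauthorizedOperation")


def triage(records: list[dict], burst_threshold: int = 3, window_minutes: int = 5) -> list[dict]:
    """Apply three detection rules and return one finding per hit."""
    findings: list[dict] = []
    denied_by_key: dict[str, list[datetime]] = defaultdict(list)
    for rec in records:
        s = summarize(rec)
        if s["identity_type"] == "Root":                          # root must not do day-to-day work
            findings.append({"rule": "root-activity", **s})
        if s["name"] in LOGGING_TAMPER and s["error"] is None:     # successful tampering with logging
            findings.append({"rule": "logging-tampered", **s})
        if is_unauthorized(rec):
            denied_by_key[s["key"]].append(s["time"])
    # Burst rule: burst_threshold or more unauthorized calls from one key inside the window
    for key, times in denied_by_key.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if (times[i + burst_threshold - 1] - times[i]).total_seconds() <= window_minutes * 60:
                findings.append({"rule": "unauthorized-burst", "key": key,
                                 "count": len(times), "first": times[i].isoformat()})
                break
    return findings


def category_counts(records: list[dict]) -> Counter:
    """Management vs Data event counts; Data only appears when data events are enabled."""
    return Counter(r.get("eventCategory", "Management") for r in records)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(dict(category_counts(recs)))
    for f in triage(recs):
        print(f["rule"], {k: v for k, v in f.items() if k != "rule"})
```

The burst rule is the offline equivalent of the CloudWatch metric filter and alarm described later in the chapter: it matches both AccessDenied* and *UnauthorizedOperation, and requires several hits inside a short window before it fires, which keeps a single mistyped permission from paging anyone.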

Key Components, Values, Defaults, and Timers

Trail: A configuration that specifies which events to capture and where to deliver them. A trail is either multi-region (one trail covering every region in the account; the console defaults to this) or single-region (what the CLI and API create unless you pass --is-multi-region-trail). You can have up to 5 trails per region; a multi-region trail counts as one trail in each region.

S3 Bucket: The destination for log files. You must create the bucket and attach a bucket policy that lets the cloudtrail.amazonaws.com service principal call GetBucketAcl on the bucket and PutObject under AWSLogs/<account-id>/, scoped to your trail with an aws:SourceArn condition. Log files are delivered about every 5 minutes on average; delivery is best effort and not guaranteed.

CloudWatch Logs: Optional integration for alerting. You specify a log group and an IAM role that CloudTrail assumes to write to it; events arrive within minutes of the API call, comparable to S3 delivery, so treat it as near real time rather than real time.

Log File Integrity Validation: When enabled, CloudTrail delivers an hourly digest file listing each log file delivered in that hour together with its SHA-256 hash. Each digest is signed with a CloudTrail private key and records the hash and signature of the previous digest, so the digests form a chain. Running aws cloudtrail validate-logs recomputes the hashes and checks the signatures, which lets you prove that a log file was not modified, and that no log file or digest was removed, after delivery. It detects tampering; it does not prevent it.
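The digest chain is easier to reason about with the arithmetic in front of you. The following added example (not AWS code, and not a replacement for aws cloudtrail validate-logs, which also checks each digest's RSA signature with the public key AWS publishes) builds two digest files in CloudTrail's shape for two constructed log files, then shows what a verifier sees when a log file is edited, when a log file is missing, and when a digest in the chain is altered. The bucket, account and object names are placeholders, and the hashes here are taken over the uncompressed JSON; when validating real deliveries, let validate-logs handle the file forms.

```python
"""Verify CloudTrail log files against digest files and walk the digest chain.

Added example for this chapter, not AWS code. `aws cloudtrail validate-logs`
also checks each digest's RSA signature with the public key AWS publishes;
that step is omitted here, so this covers only the hash side of validation.
Log contents and digests are constructed; names and IDs are placeholders.
"""
from __future__ import annotations

import hashlib
import json

LOG_A = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/123456789012_CloudTrail_us-east-1_20240101T0300Z_a1b2c3.json"
LOG_B = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/123456789012_CloudTrail_us-east-1_20240101T0355Z_d4e5f6.json"

# Constructed log file contents (uncompressed JSON), keyed by S3 object name
LOG_STORE: dict[str, bytes] = {
    LOG_A: json.dumps({"Records": [{"eventName": "RunInstances", "eventTime": "2024-01-01T03:04:40Z"}]}).encode(),
    LOG_B: json.dumps({"Records": [{"eventName": "DeleteTrail", "eventTime": "2024-01-01T03:52:11Z"}]}).encode(),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files: dict[str, bytes], previous_digest: bytes | None) -> bytes:
    """Stand-in for the hourly digest CloudTrail writes: one entry per delivered log file
    plus the hash of the previous digest. Signature fields are left empty because only
    CloudTrail's private key can produce them."""
    digest = {
        "awsAccountId": "123456789012",
        "digestS3Bucket": "my-cloudtrail-logs",
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [{"s3Bucket": "my-cloudtrail-logs", "s3Object": name,
                      "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(content)}
                     for name, content in sorted(log_files.items())],
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
        "previousDigestSignature": None,
    }
    return json.dumps(digest, sort_keys=True).encode()


def verify_log_files(digest_bytes: bytes, log_store: dict[str, bytes]) -> list[str]:
    """Recompute each listed log file's SHA-256; report files that changed or vanished."""
    problems = []
    for entry in json.loads(digest_bytes)["logFiles"]:
        content = log_store.get(entry["s3Object"])
        if content is None:
            problems.append(f"missing: {entry['s3Object']}")
        elif sha256_hex(content) != entry["hashValue"]:
            problems.append(f"hash mismatch: {entry['s3Object']}")
    return problems


def verify_digest_chain(digests: list[bytes]) -> list[str]:
    """Each digest carries the hash of its predecessor; a mismatch means a digest was
    altered or one was removed from the sequence."""
    problems = []
    for i in range(1, len(digests)):
        if json.loads(digests[i])["previousDigestHashValue"] != sha256_hex(digests[i - 1]):
            problems.append(f"chain broken at digest {i}")
    return problems


# An honest two-hour chain: the first digest covers LOG_A, the second covers LOG_B
DIGEST_1 = build_digest({LOG_A: LOG_STORE[LOG_A]}, previous_digest=None)
DIGEST_2 = build_digest({LOG_B: LOG_STORE[LOG_B]}, previous_digest=DIGEST_1)


def tampered_store() -> dict[str, bytes]:
    """Simulate an intruder scrubbing the DeleteTrail record out of LOG_B after delivery."""
    store = dict(LOG_STORE)
    store[LOG_B] = json.dumps({"Records": []}).encode()
    return store


if __name__ == "__main__":
    print("clean files:", verify_log_files(DIGEST_1, LOG_STORE) + verify_log_files(DIGEST_2, LOG_STORE))
    print("clean chain:", verify_digest_chain([DIGEST_1, DIGEST_2]))
    print("edited log:", verify_log_files(DIGEST_2, tampered_store()))
    print("deleted log:", verify_log_files(DIGEST_2, {LOG_A: LOG_STORE[LOG_A]}))
    print("altered digest:", verify_digest_chain([DIGEST_1.replace(b"a1b2c3", b"zzzzzz"), DIGEST_2]))
```

The point of the chain is the last case: an attacker who rewrites a log file must also rewrite the digest that names it, which changes that digest's hash, which the next digest no longer matches, and so on forward; without CloudTrail's private key they cannot re-sign any of them.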

Retention: Log files stay in S3 until you remove them. Use S3 lifecycle rules to transition older files to cheaper storage or expire them, and consider S3 Object Lock for a write-once retention period that even administrators cannot shorten.

Insights Events: CloudTrail Insights continuously analyzes management events to learn a baseline and raises an Insights event when it detects a deviation. There are two Insights types: an unusual API call rate (for example a burst of RunInstances) and an unusual API error rate (for example a spike in AccessDenied responses). Insights is enabled per trail and is billed separately from the trail itself.

Configuration and Verification Commands

To create a trail using the AWS CLI:

aws cloudtrail create-trail --name my-trail --s3-bucket-name my-cloudtrail-logs --is-multi-region-trail --enable-log-file-validation

To start logging:

aws cloudtrail start-logging --name my-trail

To view recent events from the CLI:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances --start-time 2024-01-01T00:00:00Z --end-time 2024-01-02T00:00:00Z

To query logs in Athena (after setting up a table):

SELECT eventTime, eventName, userIdentity.arn, sourceIPAddress
FROM cloudtrail_logs
WHERE eventName = 'CreateUser' AND errorCode IS NULL;

How CloudTrail Interacts with Related Technologies

AWS Config: Config records resource configuration changes, while CloudTrail records the API calls that made those changes. Together, they provide a complete picture: who did what, when, and what the state was before and after.

Amazon GuardDuty: GuardDuty uses CloudTrail logs as one of its data sources to detect malicious activity (e.g., unusual API calls from a known bad IP).

AWS Lambda: You can trigger a Lambda function from CloudTrail logs via EventBridge to automate responses (e.g., revoke a compromised key).

Amazon Athena: You can query CloudTrail logs directly in S3 using Athena with a predefined table schema.

What is Azure Audit Log (Azure Monitor Activity Log) and Why Does It Exist?

Azure Monitor Activity Log (formerly Azure Audit Log) is a platform log in Azure that provides insight into subscription-level events. It records all control plane operations (management events) such as creating a virtual machine, modifying a network security group, or deleting a resource. It is automatically enabled for every Azure subscription and retains logs for 90 days by default. It is essential for answering "who, what, when, and where" for Azure resource changes.

How Azure Activity Log Works Internally

When a user, service principal, or managed identity makes a management API call to Azure Resource Manager (ARM), Azure automatically generates an activity log event. The event is stored in the Azure Monitor platform for 90 days. You can then route these events to a Log Analytics workspace, an Event Hub, or an Azure Storage account for longer retention and advanced querying.

The log record includes:
- caller: The identity that initiated the operation (a user principal name for a user, or the object ID for a service principal or managed identity).
- operationName: The operation performed, as a resource provider action (e.g., Microsoft.Compute/virtualMachines/write). In the REST and CLI output this is an object whose value field holds the action name.
- status: The result (Succeeded, Failed, or Started; a long-running operation logs a Started event and a later terminal event that share the same correlationId).
- eventTimestamp: Time of the event in UTC.
- resourceId: The full ARM ID of the resource affected.
- httpRequest.clientIpAddress: The source IP of the caller (CallerIpAddress in the Log Analytics table).
- category: Administrative, Security, ServiceHealth, and so on.
- properties: Additional details such as the request body or a status message.

Key Components and Defaults

Activity Log: Automatically enabled, no configuration needed. Retained for 90 days.

Diagnostic Settings: To send logs to Log Analytics, Event Hub, or Storage, you must create a diagnostic setting. You can also send resource-level logs (e.g., NSG flow logs) via diagnostic settings.

Log Analytics Workspace: A central repository for logs. You can use Kusto Query Language (KQL) to query activity logs.

Retention: 90 days in the platform; longer retention requires export. A Log Analytics workspace keeps data interactively queryable for up to 730 days and can archive it beyond that (total retention up to 12 years); a Storage account keeps it for as long as your lifecycle policy allows.

Configuration and Verification Commands (Azure CLI)

To view activity log events:

az monitor activity-log list --start-time 2024-01-01 --end-time 2024-01-02 --max-events 50

To create a diagnostic setting to send activity logs to Log Analytics:

az monitor diagnostic-settings create --name myDiagnosticSetting --resource /subscriptions/12345-... --workspace /subscriptions/.../workspaces/myWorkspace --logs '[{"category":"Administrative","enabled":true}]'

To query activity logs in Log Analytics:

AzureActivity
| where OperationNameValue =~ "Microsoft.Compute/virtualMachines/write"
| where ActivityStatusValue =~ "Success"
| project TimeGenerated, Caller, CallerIpAddress, ResourceId

How Azure Activity Log Interacts with Related Technologies

Azure Policy: Activity logs can show when a policy is evaluated or modified.

Azure Security Center (now Microsoft Defender for Cloud): Uses activity logs to detect suspicious management operations.

Azure Sentinel (now Microsoft Sentinel): Ingests activity logs for SIEM analysis and correlation.

Azure Event Hub: Enables streaming to third-party SIEMs like Splunk.

Comparing CloudTrail and Azure Activity Log

Both services log management events automatically. Key differences:

CloudTrail can log data events (e.g., S3 object access); Azure Activity Log never logs data plane events. For data plane events in Azure, you enable resource logs on the specific resource through its own diagnostic setting (e.g., the StorageRead, StorageWrite, and StorageDelete log categories on a Blob Storage account, which replace the older Storage Analytics logs).

CloudTrail logs are delivered to S3 in 5-minute intervals; Azure Activity Log is streamed near real-time to Log Analytics (within minutes).

CloudTrail has log file integrity validation; Azure does not have a built-in equivalent (you rely on RBAC and immutable storage).

Both support integration with SIEM and automation tools.

Common Exam Scenarios

Forensic Investigation: Given a CloudTrail log entry, identify the user, action, and source IP. For example, a log shows userIdentity.type: Root and eventName: DeleteTrail — this is a critical alert because the root user should not be used for daily operations.

Compliance: You need to enable CloudTrail for all regions and validate log integrity. The exam may ask which settings to enable (multi-region trail, log file validation).

Troubleshooting: A user reports that an EC2 instance was terminated unexpectedly. You query CloudTrail for TerminateInstances events and find the source IP and user ARN.

Integration: You set up CloudTrail to send logs to CloudWatch Logs and create a metric filter for unauthorized API calls. The pattern used by the CIS AWS Foundations Benchmark matches both error codes CloudTrail records for this, { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }. Then you set an alarm on the metric to notify the security team.

Trap Patterns on the Exam

Confusing CloudTrail with AWS Config: CloudTrail logs API calls; Config records configuration changes. A question asking "which service logs changes to security group rules?" — both could be partially correct, but CloudTrail logs the API call that made the change, while Config logs the state change. The exam often expects CloudTrail for the "who" and Config for the "what changed".

Assuming Data Events are Logged by Default: They are not. You must enable them explicitly. A question might describe a scenario where an S3 object was accessed but no log exists — the answer is that data events were not enabled.

Forgetting CloudTrail Logs are Delayed: Logs are delivered in 5-minute intervals, not real-time. If a question asks about immediate detection, you need CloudWatch Events (now EventBridge) or GuardDuty.

Azure Activity Log Retention: The default retention is 90 days, not indefinite. To keep logs longer, you must export to Storage or Log Analytics.

Mixing up Azure Activity Log with Azure AD Audit Logs: Activity Log is for Azure resource management through ARM. Azure AD (now Microsoft Entra ID) keeps its own logs: audit logs for directory changes (users, groups, roles, app registrations) and sign-in logs for authentication events. A question about who signed in, or who changed a group membership, is pointing at the directory logs, not Activity Log; read the question carefully.

Walk-Through

1

Enable CloudTrail in All Regions

Create a trail that applies to all regions so you capture API calls from every region. A single-region trail logs only the region it was created in, so an attacker operating in a region you do not monitor leaves no trace in your bucket. In the AWS Management Console, navigate to CloudTrail, choose 'Create trail', and confirm the trail is multi-region (the console now defaults to this); the CLI equivalent is `--is-multi-region-trail`, which you must pass explicitly because the CLI and API default to single-region. The exam often tests this distinction, and a multi-region trail also captures global service events such as IAM changes.

2

Configure S3 Bucket with Appropriate Policies

CloudTrail delivers logs to an S3 bucket. You must create a bucket with a policy that grants CloudTrail write access. The policy must name the cloudtrail.amazonaws.com service principal, allow s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/<account-id>/, and scope both with an aws:SourceArn condition naming your trail so another account's trail cannot write into your bucket. Additionally, enable server-side encryption (SSE-S3 or SSE-KMS) and, for compliance, enable log file validation. Apply a bucket policy statement that denies insecure transport (HTTP), keep Block Public Access on, and consider S3 Object Lock so delivered files cannot be deleted during the retention period. A common mistake is forgetting or mis-scoping the bucket policy, which causes delivery to fail silently until someone checks the trail's status.

3

Enable CloudTrail Insights for Anomaly Detection

CloudTrail Insights continuously analyzes management events to establish a baseline of normal API call volume and patterns. When it detects anomalies—such as a sudden spike in failed API calls or unusual API usage—it generates an Insights event. To enable, edit the trail and check 'CloudTrail Insights'. Insights events are charged separately. On the exam, you might be asked how to detect a brute force attack on the AWS API; Insights would flag the spike in AccessDenied errors.

4

Set Up CloudWatch Logs Integration for Real-Time Alerts

To receive near-real-time notifications, send CloudTrail logs to CloudWatch Logs. Create a new log group or use an existing one, and let CloudTrail assume an IAM role that can write to it. Then create a metric filter for the pattern you care about; for unauthorized calls, match both error codes CloudTrail uses, `{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }`, rather than AccessDenied alone. Set a CloudWatch alarm on that metric to publish to an SNS topic. Events reach CloudWatch Logs within minutes of the call, about the same latency as S3 delivery, so this is fast enough to act on but still not instantaneous; for immediate reaction to a specific API call, use an EventBridge rule instead.

5

Query Logs Using Athena for Forensic Analysis

For long-term analysis, you can query CloudTrail logs stored in S3 using Amazon Athena. First, create a table in Athena with the CloudTrail serde and location pointing to your S3 bucket. Then run SQL queries. For example, to find all actions by a specific IAM user: `SELECT eventTime, eventName, sourceIPAddress FROM cloudtrail_logs WHERE useridentity.arn = 'arn:aws:iam::123456789012:user/johndoe'`. Athena queries are charged per TB scanned, so use partitioning (by region, date) to reduce costs.
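Step 2 is where most first deployments stall: the trail reports delivery failures because the bucket policy is missing or mis-scoped. The added example below (not AWS code; the two Allow statements follow the GetBucketAcl and PutObject statements AWS documents for CloudTrail delivery, pinned to the trail with aws:SourceArn, plus the usual Deny for non-TLS access) generates the policy for a bucket and trail, and audits an existing policy for the gaps that break delivery or weaken the log store. Bucket, account and trail names are placeholders.

```python
"""Build the S3 bucket policy a CloudTrail trail needs, and audit an existing one.

Added example for this chapter, not AWS code. The two Allow statements follow
the GetBucketAcl and PutObject statements AWS documents for CloudTrail
delivery, both pinned to the trail with aws:SourceArn; the Deny for non-TLS
access is the usual hardening on top. Names and IDs are placeholders.
"""
from __future__ import annotations

import json

CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"


def build_cloudtrail_bucket_policy(bucket: str, account_id: str, trail_arn: str) -> dict:
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {   # CloudTrail reads the bucket ACL before it starts delivering
            "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
            "Action": "s3:GetBucketAcl", "Resource": bucket_arn,
            "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
        {   # Delivery itself, limited to this trail and this account's prefix
            "Sid": "AWSCloudTrailWrite", "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
            "Action": "s3:PutObject", "Resource": f"{bucket_arn}/AWSLogs/{account_id}/*",
            "Condition": {"StringEquals": {"aws:SourceArn": trail_arn,
                                           "s3:x-amz-acl": "bucket-owner-full-control"}}},
        {   # Refuse plaintext HTTP from anyone
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _is_cloudtrail_allow(stmt: dict) -> bool:
    principal = stmt.get("Principal")
    return (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
            and principal.get("Service") == CLOUDTRAIL_PRINCIPAL)


def audit_cloudtrail_bucket_policy(policy: dict, trail_arn: str) -> list[str]:
    """Return the gaps that usually explain 'delivery failed' or leave the log store exposed."""
    statements = policy.get("Statement", [])
    allows = [s for s in statements if _is_cloudtrail_allow(s)]
    actions = {a for s in allows for a in _as_list(s.get("Action"))}
    issues = []
    for needed in ("s3:GetBucketAcl", "s3:PutObject"):
        if needed not in actions:
            issues.append(f"missing {needed} for {CLOUDTRAIL_PRINCIPAL}")
    for s in allows:
        sid = s.get("Sid", "<no Sid>")
        cond = s.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceArn") != trail_arn:
            issues.append(f"{sid}: not pinned to the trail with aws:SourceArn (any trail could write here)")
        if "s3:PutObject" in _as_list(s.get("Action")) and cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
            issues.append(f"{sid}: PutObject without the s3:x-amz-acl=bucket-owner-full-control condition")
    if not any(s.get("Effect") == "Deny"
               and s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
               for s in statements):
        issues.append("no Deny for aws:SecureTransport=false")
    return issues


# A policy that passes a quick delivery test but trips four of the audit checks
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-cloudtrail-logs/*"}]}


if __name__ == "__main__":
    trail = "arn:aws:cloudtrail:us-east-1:123456789012:trail/my-trail"
    print(json.dumps(build_cloudtrail_bucket_policy("my-cloudtrail-logs", "123456789012", trail), indent=2))
    for issue in audit_cloudtrail_bucket_policy(WEAK_POLICY, trail):
        print("-", issue)
```

The aws:SourceArn condition is the one people drop first and miss most: without it, any CloudTrail trail in any AWS account can write objects into your bucket, which is both a confused-deputy problem and a way to bury real logs under junk.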

What This Looks Like on the Job

Scenario 1: Enterprise Compliance Monitoring (AWS)

A financial services company must comply with PCI DSS, which requires logging all access to cardholder data environments. They enable CloudTrail with a multi-region trail, log file integrity validation, and send logs to a centralized S3 bucket with SSE-KMS encryption. They also enable CloudTrail Insights to detect anomalous API behavior. Logs are retained for 7 years using S3 lifecycle policies (transition to Glacier after 90 days). The security team uses Athena to run quarterly compliance reports, querying for any Root user activity or unauthorized API calls. A common issue: if the S3 bucket policy is misconfigured, logs fail to deliver, creating a compliance gap. They use CloudWatch alarms to alert if no logs are received for 1 hour.

Scenario 2: Incident Response in Azure

A large e-commerce company uses Azure for its infrastructure. When a production VM is deleted, the incident response team queries the Azure Activity Log. They find the event Microsoft.Compute/virtualMachines/delete with a caller of a service principal that was compromised. They then trace the source IP and time. To enable this, they have diagnostic settings sending Activity Log to a Log Analytics workspace with 1-year retention. They also stream logs to Azure Sentinel for SIEM correlation. A performance consideration: sending all Activity Log to Log Analytics can be costly due to ingestion charges. They filter to only send 'Administrative' and 'Security' categories. A common misconfiguration: forgetting to enable diagnostic settings for the subscription, so only 90 days of logs are available.

Scenario 3: Multi-Cloud Log Correlation

A company uses both AWS and Azure. They need a unified view of API activity. They send CloudTrail logs to a central S3 bucket and Azure Activity Log to an Event Hub. A third-party SIEM (Splunk) ingests both streams. They create correlation rules, e.g., if an IAM user creates a resource in AWS and the same user performs an action in Azure within 5 minutes, flag it for review. Challenges include time zone normalization and different log formats. They use AWS Lambda to transform CloudTrail logs to a common schema before sending to Splunk. The key lesson: without proper log aggregation, cross-cloud attacks go undetected.
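The transformation Scenario 3 describes, together with the Azure record layout from earlier in the chapter, is shown in the added example below (not the company's code and not either vendor's). It normalizes a CloudTrail record and an Azure Activity Log event (in the shape `az monitor activity-log list` prints) to one schema with UTC timestamps, then flags the same actor acting in both clouds within five minutes. Both event samples are constructed with placeholder IDs and IPs. The identity join (IAM user name or role session name on the AWS side, the local part of the UPN on the Azure side) is an assumption made for the demonstration; in production you would map both to the identity provider's user ID.

```python
"""Normalize CloudTrail and Azure Activity Log events to one schema and correlate them.

Added example for this chapter, not code from the page, the company it
describes, or either cloud vendor. Both event samples are constructed. The
identity join (IAM user or role session name vs. the local part of the Azure
UPN) is an assumption for the demonstration only.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed CloudTrail records (same shape as a trail's log file)
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-01-01T03:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-01T09:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.21", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"}},
]

# Constructed Azure Activity Log events as `az monitor activity-log list` prints them
AZURE_EVENTS = [
    {"eventTimestamp": "2024-01-01T03:05:12.1234567Z",   # 7 fractional digits, as Azure emits
     "caller": "alice@example.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01",
     "httpRequest": {"clientIpAddress": "198.51.100.20"}},
    {"eventTimestamp": "2024-01-01T22:10:00+00:00",
     "caller": "11111111-2222-3333-4444-555555555555",     # service principal object ID
     "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web02",
     "httpRequest": None},
]

_FRACTION = re.compile(r"(\.\d{6})\d+")   # trim sub-microsecond digits that fromisoformat rejects


def parse_time(value: str) -> datetime:
    """Parse either vendor's timestamp into an aware UTC datetime."""
    value = _FRACTION.sub(r"\1", value.replace("Z", "+00:00"))
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def normalize_cloudtrail(rec: dict) -> dict:
    arn = rec["userIdentity"].get("arn", "")
    actor = arn.rsplit("/", 1)[-1].lower()             # user name or role session name (assumption)
    return {"cloud": "aws", "time": parse_time(rec["eventTime"]), "actor": actor,
            "action": f'{rec["eventSource"]}:{rec["eventName"]}',
            "resource": rec.get("awsRegion"), "source_ip": rec.get("sourceIPAddress"),
            "outcome": "failure" if rec.get("errorCode") else "success"}


def normalize_azure(ev: dict) -> dict:
    caller = ev.get("caller") or "unknown"
    actor = caller.split("@", 1)[0].lower()             # UPN local part; object IDs pass through
    http = ev.get("httpRequest") or {}                  # absent for some system-initiated events
    return {"cloud": "azure", "time": parse_time(ev["eventTimestamp"]), "actor": actor,
            "action": ev["operationName"]["value"], "resource": ev.get("resourceId"),
            "source_ip": http.get("clientIpAddress"),
            "outcome": "success" if ev["status"]["value"] == "Succeeded" else "failure"}


def correlate(events: list[dict], window_seconds: int = 300) -> list[dict]:
    """Pair events by the same actor in different clouds within the window."""
    ordered = sorted(events, key=lambda e: e["time"])
    hits = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            gap = (b["time"] - a["time"]).total_seconds()
            if gap > window_seconds:
                break                                    # sorted, so nothing later can match
            if a["actor"] == b["actor"] and a["cloud"] != b["cloud"]:
                hits.append({"actor": a["actor"], "gap_seconds": gap,
                             "first": a["action"], "second": b["action"],
                             "same_ip": a["source_ip"] == b["source_ip"]})
    return hits


def all_events() -> list[dict]:
    return [normalize_cloudtrail(r) for r in CLOUDTRAIL_RECORDS] + [normalize_azure(e) for e in AZURE_EVENTS]


if __name__ == "__main__":
    for hit in correlate(all_events()):
        print(hit)
```

Two of the scenario's stated challenges are handled in parse_time: both vendors' timestamps land as aware UTC datetimes, and the seven-digit fractional seconds Azure emits are trimmed before parsing. Once the events share a schema the correlation itself is a sorted sweep, which is the same shape a SIEM rule takes.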

How CS0-003 Actually Tests This

CS0-003 Objective Alignment

This topic falls under Domain 1: Security Operations, Objective 1.2: Given a scenario, analyze indicators of potentially malicious activity, and it draws on the cloud infrastructure and logging concepts in Objective 1.1. The exam expects you to interpret logs from AWS CloudTrail and Azure Activity Log to identify security incidents, policy violations, and configuration issues. You must know the default settings, key fields, and how to enable additional logging.

Common Wrong Answers and Why Candidates Choose Them

1.

Choosing AWS Config over CloudTrail: When a question asks "which service logs API calls?", candidates often pick AWS Config because it sounds like it logs changes. But Config logs configuration state, not the API call. CloudTrail logs the actual API request. The exam will have a scenario where you need to know who made a change—that's CloudTrail.

2.

Assuming Data Events are Enabled by Default: Many candidates think CloudTrail logs everything. The exam will present a scenario where an S3 object was accessed but no log exists. The correct answer is that data events must be enabled. The wrong answer is to check if the trail is multi-region.

3.

Azure Activity Log Retention: Candidates often think Azure Activity Log is retained indefinitely. The correct answer is 90 days. To keep longer, you need diagnostic settings to export to Storage or Log Analytics.

4.

Mixing up Azure Activity Log with Azure AD Audit Logs: A question might ask about user sign-in logs. Candidates mistakenly choose Activity Log, but sign-ins are recorded in the Azure AD (Microsoft Entra ID) sign-in logs, alongside the directory audit logs that record changes to users, groups, and roles; Activity Log covers only Azure resource management.

Specific Numbers and Terms on the Exam

CloudTrail log delivery interval: 5 minutes (best effort).

Default retention for Azure Activity Log: 90 days.

CloudTrail Insights: enabled per trail, charges apply.

Log file integrity validation: creates SHA-256 hashes.

Azure Activity Log categories: Administrative, Security, ServiceHealth, Alert, Autoscale, Recommendation, Policy, ResourceHealth.

Edge Cases and Exceptions

Global services: Events from global services (IAM, STS, CloudFront) are recorded with awsRegion set to us-east-1, whatever region the caller used. A multi-region trail captures them once. With a single-region trail, check that 'Include global service events' is enabled on that trail, and enable it on only one trail if you run several, to avoid duplicate records; the reliable answer on the exam is the multi-region trail.

AWS Organizations: If you use AWS Organizations, you can create a trail for the entire organization, and all member accounts' logs are delivered to the management account's S3 bucket.

Azure Activity Log for deleted resources: The log remains even after the resource is deleted, but you cannot navigate to the resource from the log entry.

CloudTrail log file naming convention: <optional-prefix>/AWSLogs/<account-id>/CloudTrail/<region>/<year>/<month>/<day>/<account-id>_CloudTrail_<region>_<YYYYMMDDTHHmmZ>_<unique-string>.json.gz. Digest files use the parallel CloudTrail-Digest path. Knowing the layout lets you partition Athena tables by region and date.

How to Eliminate Wrong Answers

If a question asks about real-time detection, eliminate CloudTrail alone (5-min delay) and look for CloudWatch Events/EventBridge.

If a question asks about tracking S3 object access, eliminate Azure Activity Log (it doesn't log data events).

If a question asks about long-term retention, check if they mention diagnostic settings for Azure or S3 lifecycle for AWS.

If a question asks about the user who made a call, look for userIdentity in CloudTrail or caller in Azure Activity Log.

Key Takeaways

CloudTrail logs API calls (management events by default; data events optional) with a 5-minute delivery interval to S3.

Azure Activity Log automatically logs management events with 90-day retention; export to Log Analytics for longer retention.

Enable multi-region trails in CloudTrail to capture events from all AWS regions, including global services.

Use CloudTrail Insights to detect anomalous API call patterns (e.g., spike in AccessDenied errors).

Azure Activity Log categories include Administrative, Security, ServiceHealth, Alert, Autoscale, Recommendation, Policy, and ResourceHealth.

For forensic analysis, query CloudTrail logs with Athena (SQL) or Azure Activity Log with KQL in Log Analytics.

Data events in CloudTrail (e.g., S3 object access) must be explicitly enabled; they generate high volume and cost.

Azure Activity Log does not log data plane operations; use resource diagnostic settings for those.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS CloudTrail

Logs both management and data events (if enabled).

Delivered to S3 in 5-minute intervals.

Supports log file integrity validation with SHA-256.

Can be integrated with CloudWatch Logs for near-real-time monitoring and alarms.

Uses trails to define configuration; up to 5 trails per region.

Azure Activity Log

Logs only management events; data events require separate diagnostic settings.

Streamed to Log Analytics within minutes (near real-time).

No built-in integrity validation; relies on RBAC and immutable storage.

Can be sent to Log Analytics, Event Hub, or Storage via diagnostic settings.

Automatically enabled for all subscriptions; no setup required for basic logging.

Watch Out for These

Mistake

CloudTrail logs all AWS API calls by default, including S3 object access.

Correct

By default, CloudTrail only logs management events. Data events (e.g., S3 object-level access) must be explicitly enabled. The exam often tests this distinction.

Mistake

Azure Activity Log retains logs indefinitely.

Correct

Azure Activity Log is retained for 90 days by default. To retain logs longer, you must create a diagnostic setting to export to a Storage account or Log Analytics workspace.

Mistake

CloudTrail delivers logs in real-time.

Correct

CloudTrail delivers logs to S3 about every 5 minutes (best effort). CloudWatch Logs integration has similar latency, so it gives near real time for metric filters and alarms, not real time; for immediate reaction to a specific API call, use an EventBridge rule.

Mistake

Azure Activity Log logs all operations, including data plane operations like reading a blob.

Correct

Azure Activity Log only logs management (control plane) operations. Data plane operations (e.g., reading a blob, executing a query) require separate diagnostic settings for the resource.

Mistake

You cannot delete CloudTrail logs from S3 if log file validation is enabled.

Correct

Log file validation helps detect tampering but does not prevent deletion. Protect the files themselves with a bucket policy that denies s3:DeleteObject to all but a break-glass role, S3 Versioning with MFA delete, or S3 Object Lock in compliance mode for the retention period.


Frequently Asked Questions

How do I enable CloudTrail to log S3 object access?

To log S3 object-level operations (e.g., GetObject, PutObject), you must enable data events on your CloudTrail trail. In the console, when creating or editing a trail, under 'Data events', select 'S3' and specify the bucket or prefix. Alternatively, use the CLI: `aws cloudtrail put-event-selectors --trail-name my-trail --event-selectors '[{"ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::my-bucket/"]}]}]'`. Note that data events are not logged by default and incur additional costs.

What is the difference between CloudTrail and AWS Config?

CloudTrail logs API calls (who did what, when, and from where). AWS Config records the configuration state of resources (what the resource looks like at a point in time). For example, if someone changes a security group rule, CloudTrail logs the `AuthorizeSecurityGroupIngress` API call, while Config records the new state of the security group. Both are complementary: CloudTrail provides the 'who' and 'how', Config provides the 'what changed'.

How can I extend Azure Activity Log retention beyond 90 days?

Create a diagnostic setting for the subscription. In the Azure portal, go to 'Monitor' > 'Activity Log' > 'Export Activity Logs'. Configure the diagnostic setting to send logs to a Log Analytics workspace (interactive retention up to 730 days, with archived retention available beyond that up to 12 years in total) or to an Azure Storage account (retention controlled by lifecycle policies). You can also stream to an Event Hub for ingestion into a SIEM.

What are CloudTrail Insights events and how do they help?

CloudTrail Insights continuously analyzes management events to establish a baseline of normal API activity. When it detects anomalies—such as a sudden increase in failed API calls, unusual API usage, or calls from new geographies—it generates an Insights event. This helps security teams identify potential threats like brute force attacks or compromised credentials. Insights must be enabled per trail and incurs additional charges.

Can I use CloudTrail logs to detect a compromised AWS access key?

Yes. Look for API calls from unusual IP addresses, calls to services the user doesn't normally use, or a high volume of failed authentication attempts (AccessDenied errors). You can set up CloudWatch metric filters and alarms on these patterns. Additionally, CloudTrail Insights can automatically flag unusual patterns. For example, if a key that normally only reads from S3 suddenly starts creating EC2 instances, that's suspicious.

How do I view Azure Activity Log for a specific resource?

In the Azure portal, navigate to the resource (e.g., a virtual machine). In the left menu, under 'Monitoring', select 'Activity log'. This shows events related to that specific resource. You can filter by time range, operation, and status. Alternatively, you can query the Activity Log at the subscription level and filter by `resourceId`. For advanced analysis, use Log Analytics with KQL: `AzureActivity | where ResourceId == '/subscriptions/.../resourceGroups/.../providers/...'`.

What is the default CloudTrail log delivery frequency?

CloudTrail delivers log files to the S3 bucket about every 5 minutes on average (best effort). This is not real-time. CloudWatch Logs integration delivers within minutes as well, which is good enough for metric filters and alarms. For immediate alerting on a specific API call, use an Amazon EventBridge rule on the CloudTrail event and trigger the response from there.

