Connect this data source on your own, using the Hunters platform.
Overview
Table name: aws_cloudtrail
AWS CloudTrail is a service that provides visibility into user activity and resource changes across an AWS account. It records AWS API calls and related events made by or on behalf of an AWS account and delivers that information to a designated S3 bucket, CloudWatch Logs group, or a custom third-party application.
By capturing API activity across your AWS infrastructure, CloudTrail helps provide governance, compliance, operational auditing, and risk auditing of your AWS account. It also enables you to simplify operational analysis by helping you identify which users and accounts are making API calls, the source IP addresses from which these calls are made, and the timestamps for these calls.
Send data to Hunters
To connect AWS CloudTrail logs:
Follow this guide to learn how to route CloudTrail logs into an S3 bucket.
Once the export is complete and the logs are being collected in S3, follow the steps in this section.
Expected format
CloudTrail log files use a default JSON format that our ingestion mechanism expects: each file is a single JSON object with a top-level "Records" array, and each element of that array is one CloudTrail event. Two example files follow.
{
  "Records": [
    {
      "eventVersion": "1.0",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
      },
      "eventTime": "2014-03-24T21:11:59Z",
      "eventSource": "iam.amazonaws.com",
      "eventName": "CreateUser",
      "awsRegion": "us-east-2",
      "sourceIPAddress": "127.0.0.1",
      "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7",
      "requestParameters": {"userName": "Bob"},
      "responseElements": {
        "user": {
          "createDate": "Mar 24, 2014 9:11:59 PM",
          "userName": "Bob",
          "arn": "arn:aws:iam::123456789012:user/Bob",
          "path": "/",
          "userId": "EXAMPLEUSERID"
        }
      }
    }
  ]
}

{
  "Records": [
    {
      "eventVersion": "1.0",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "accountId": "123456789012",
        "userName": "Alice"
      },
      "eventTime": "2014-03-06T21:22:54Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "StartInstances",
      "awsRegion": "us-east-2",
      "sourceIPAddress": "205.251.233.176",
      "userAgent": "ec2-api-tools 1.6.12.2",
      "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]}},
      "responseElements": {
        "instancesSet": {
          "items": [
            {
              "instanceId": "i-ebeaf9e2",
              "currentState": {"code": 0, "name": "pending"},
              "previousState": {"code": 80, "name": "stopped"}
            }
          ]
        }
      }
    }
  ]
}
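Before pointing a collector at a bucket, it is worth checking that the files in it really have the shape described above. The following Python script is an added example, not Hunters' ingestion code or anything from AWS: it accepts a CloudTrail log file as bytes (plain JSON, or gzip-compressed as CloudTrail delivers files to S3), rejects anything that is not a top-level "Records" array of complete records, and flattens each record to the fields a detection pipeline keys on (time, event, principal, access key, source IP, user agent). The sample input is constructed inline, modelled on the first example file above; the field names used are standard CloudTrail record fields, with errorCode being present only on failed API calls.

```python
"""Validate and flatten AWS CloudTrail log files in the default
{"Records": [...]} format. Added example; not Hunters' own code."""
import gzip
import json
from typing import Any, Iterable

# Fields every CloudTrail record carries; a record missing any of them
# should be treated as malformed rather than silently ingested.
REQUIRED_FIELDS = ("eventVersion", "eventTime", "eventSource",
                   "eventName", "awsRegion", "userIdentity")

def load_cloudtrail_file(raw: bytes) -> list[dict[str, Any]]:
    """Parse one CloudTrail log file (plain or gzip-compressed JSON) and
    return its Records list. Raises ValueError if the file does not have
    the default {"Records": [...]} shape."""
    if raw[:2] == b"\x1f\x8b":          # gzip magic bytes
        raw = gzip.decompress(raw)
    doc = json.loads(raw)
    if not isinstance(doc, dict) or not isinstance(doc.get("Records"), list):
        raise ValueError("not a CloudTrail log file: missing top-level Records array")
    return doc["Records"]

def flatten_record(rec: dict[str, Any]) -> dict[str, Any]:
    """Reduce one CloudTrail record to the fields detections key on."""
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        raise ValueError(f"record missing required fields: {missing}")
    ident = rec["userIdentity"]
    return {
        "event_time": rec["eventTime"],
        "event_source": rec["eventSource"],
        "event_name": rec["eventName"],
        "region": rec["awsRegion"],
        "account_id": ident.get("accountId"),
        "principal_type": ident.get("type"),
        "principal_arn": ident.get("arn"),
        "access_key_id": ident.get("accessKeyId"),
        "source_ip": rec.get("sourceIPAddress"),
        "user_agent": rec.get("userAgent"),
        "error_code": rec.get("errorCode"),   # only set on failed calls
        "request_parameters": rec.get("requestParameters") or {},
    }

def flatten_files(files: Iterable[bytes]) -> list[dict[str, Any]]:
    """Flatten every record in every file, in delivery order."""
    rows: list[dict[str, Any]] = []
    for raw in files:
        for rec in load_cloudtrail_file(raw):
            rows.append(flatten_record(rec))
    return rows

# Constructed sample file, modelled on the CreateUser example above.
SAMPLE_FILE = json.dumps({"Records": [{
    "eventVersion": "1.0",
    "userIdentity": {"type": "IAMUser", "principalId": "EX_PRINCIPAL_ID",
                     "arn": "arn:aws:iam::123456789012:user/Alice",
                     "accountId": "123456789012",
                     "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice"},
    "eventTime": "2014-03-24T21:11:59Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateUser",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "127.0.0.1",
    "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7",
    "requestParameters": {"userName": "Bob"},
}]}).encode()
# The same file as CloudTrail would deliver it to S3: gzip-compressed.
SAMPLE_FILE_GZ = gzip.compress(SAMPLE_FILE)

if __name__ == "__main__":
    for row in flatten_files([SAMPLE_FILE, SAMPLE_FILE_GZ]):
        print(row["event_time"], row["principal_arn"],
              row["event_name"], row["source_ip"])
```

Running the script over a sample of real files from the bucket (for example with boto3's get_object, not shown here) is a quick way to confirm that every object is a gzip-compressed "Records" file and that no stray digest or other non-log objects are mixed into the prefix being collected.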