Completed · Advanced
CloudTrail Security Monitoring
Capture AWS account activity and alert on sensitive IAM and root account events.
Problem
Security teams need visibility when privileged actions happen in an AWS account.
Solution
Centralize CloudTrail logs, create metric filters, and notify on high-risk events.
Architecture Overview
CloudTrail delivers events to an S3 bucket and to a CloudWatch Logs log group; metric filters on the log group match risky API calls, and CloudWatch alarms on those metrics publish to an SNS topic.
AWS Services Used
CloudTrail, CloudWatch, SNS, IAM, S3
Steps Taken
- Enable an organization-level or account-level trail.
- Store the logs in a protected S3 bucket.
- Create CloudWatch Logs metric filters for IAM changes and root account usage.
- Wire CloudWatch alarms on those metrics to an SNS topic.
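Steps three and four stand or fall on the filter patterns, so the following added example (not code from the project page) runs that detection logic offline. The two patterns follow the CIS AWS Foundations Benchmark recommendations for root account usage and IAM policy changes; the Python predicates mirror them and are exercised against constructed CloudTrail records. The account ID, user name and IP address in the samples are placeholders.

```python
"""Offline check of the metric-filter logic behind the CloudTrail alarms.

Added example, not code from the project page. The Python predicates mirror
the CIS-style CloudWatch Logs patterns so they can be tested without an AWS account.
"""
import json

# CloudWatch Logs filter patterns, usable as-is with `aws logs put-metric-filter`.
METRIC_FILTER_PATTERNS = {
    "RootAccountUsage": (
        '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
        '&& $.eventType != "AwsServiceEvent" }'
    ),
    "IAMPolicyChanges": (
        "{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) "
        "|| ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) "
        "|| ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) "
        "|| ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) "
        "|| ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) "
        "|| ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) "
        "|| ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) "
        "|| ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }"
    ),
}

IAM_POLICY_EVENTS = frozenset({
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
})


def is_root_usage(record: dict) -> bool:
    """Python equivalent of the RootAccountUsage pattern.

    `invokedBy` is present when an AWS service acts on behalf of the root
    principal, and AwsServiceEvent records are service-initiated; both are
    excluded so the alarm only fires when a person or access key uses root.
    """
    identity = record.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and record.get("eventType") != "AwsServiceEvent"
    )


def is_iam_policy_change(record: dict) -> bool:
    """Python equivalent of the IAMPolicyChanges pattern (write calls only)."""
    return record.get("eventName") in IAM_POLICY_EVENTS


PREDICATES = {"RootAccountUsage": is_root_usage, "IAMPolicyChanges": is_iam_policy_change}


def matching_filters(record: dict) -> list[str]:
    """Names of the filters whose metric this record would increment."""
    return [name for name, pred in PREDICATES.items() if pred(record)]


def evaluate_log_lines(lines) -> list[tuple[str, list[str]]]:
    """Run every filter over newline-delimited CloudTrail records.

    CloudTrail delivers one JSON record per CloudWatch Logs event, so each
    line is evaluated on its own, exactly as the metric filters would.
    """
    results = []
    for line in lines:
        if not line.strip():
            continue
        record = json.loads(line)
        results.append((record.get("eventName", "?"), matching_filters(record)))
    return results


# Constructed sample records; the account ID, user and IP are placeholders.
_ROOT = {"type": "Root", "principalId": "111122223333",
         "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"}
_USER = {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "accountId": "111122223333",
         "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"}

SAMPLE_LOG_LINES = [json.dumps(r) for r in [
    # Root console sign-in: must alert.
    {"eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": _ROOT, "sourceIPAddress": "203.0.113.10"},
    # Root principal used by a service on its behalf: suppressed by `invokedBy NOT EXISTS`.
    {"eventType": "AwsApiCall", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "DescribeStacks",
     "userIdentity": {**_ROOT, "invokedBy": "cloudformation.amazonaws.com"}},
    # Service-initiated event: suppressed by the eventType test.
    {"eventType": "AwsServiceEvent", "eventSource": "kms.amazonaws.com",
     "eventName": "RotateKey", "userIdentity": _ROOT},
    # IAM user adding an inline policy: an IAM change.
    {"eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "userIdentity": _USER},
    # Read-only IAM call: not a change, no alert.
    {"eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser", "userIdentity": _USER},
    # Root making an IAM change: both filters fire.
    {"eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": _ROOT},
]]

if __name__ == "__main__":
    for event_name, hits in evaluate_log_lines(SAMPLE_LOG_LINES):
        print(f"{event_name:<18} -> {hits or 'no alert'}")
```

The pattern strings go into the trail's log group with `aws logs put-metric-filter --log-group-name <group> --filter-name RootAccountUsage --filter-pattern "$PATTERN" --metric-transformations metricName=RootAccountUsageCount,metricNamespace=CloudTrailMetrics,metricValue=1`, and the alarm for step four is `aws cloudwatch put-metric-alarm` on that metric with `--statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --alarm-actions <sns-topic-arn>`. The two suppressed root records are the ones worth keeping in mind: without the `invokedBy` and `eventType` clauses the root alarm fires on service activity and gets muted by the people it is meant to page.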
Lessons Learned
- Logging is only useful when alerts are specific enough to act on.
- Protecting the log bucket is part of the security control.