Amazon AWS Cloud Trail Log Activity
The Amazon Cloud Trail logs arrive in UTC, as is common with cloud providers, so any activity needs to factor in the time difference for your timezone. Some parts of the dashboard only show data for the last 4 hours, as cloud logs can generate a massive volume of events. If longer search times are desired, it is best to use the event search feature to search for logs over a longer time period.
Selecting a chart component, such as a pie segment or graph item, links through to the Text Details tabular output, where you can search and perform additional filtering of the selected data and time period.
AWS cloud trail log activity
Each widget details a specific log type to be reported on, such as:
Cloud Trail Log Activity - This provides a summary of the event log rates over time for today.
Event by name - The event name from Cloud Trail relating to the activity in the log type.
SRC ADDR - The source address of the activity, either FQDN or IP, as provided in the event.
User Name - The user that triggered the event.
User type - The user's role and type.
User agent - The application that was related to creating the event.
Lambda Cold Start Events by Username - The request was made by Lambda and by the logged userid.
Customer Allocated IP Address Reports - This shows the logs from the allocated IP address on the requests.
Events using Stolen Lambda Credentials - This shows potential stolen Lambda credentials being reused for another session.
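The following is an added example, not the product's own detection logic or code from this page. It shows one simple heuristic for the kind of reuse the Events using Stolen Lambda Credentials widget reports: it flags assumed-role access keys seen from more than one source address and converts the UTC event times for display. The UTC+10 offset, the sample records and every key ID, ARN and address in them are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=10))  # assumed analyst offset (UTC+10)

# Constructed CloudTrail-style records; keys, ARNs and addresses are placeholders.
SAMPLE_EVENTS = json.loads("""
[
 {"eventTime": "2024-05-01T22:10:00Z", "eventName": "GetObject",
  "sourceIPAddress": "198.51.100.10",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000001",
    "arn": "arn:aws:sts::111122223333:assumed-role/example-role/example-fn"}},
 {"eventTime": "2024-05-01T23:15:02Z", "eventName": "ListBuckets",
  "sourceIPAddress": "203.0.113.77",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000001",
    "arn": "arn:aws:sts::111122223333:assumed-role/example-role/example-fn"}},
 {"eventTime": "2024-05-01T22:30:00Z", "eventName": "PutItem",
  "sourceIPAddress": "198.51.100.10",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000002",
    "arn": "arn:aws:sts::111122223333:assumed-role/example-role/other-fn"}},
 {"eventTime": "2024-05-01T22:45:00Z", "eventName": "ConsoleLogin",
  "sourceIPAddress": "192.0.2.5",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}}
]
""")

def to_local(event_time):
    """CloudTrail eventTime is UTC (ISO 8601, 'Z' suffix); convert for display."""
    utc = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ")
    return utc.replace(tzinfo=timezone.utc).astimezone(LOCAL_TZ)

def reused_role_credentials(events):
    """Map accessKeyId -> sorted [(local_time, source, eventName)] for
    AssumedRole keys that appear from more than one source address."""
    by_key = defaultdict(list)
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") == "AssumedRole" and ident.get("accessKeyId"):
            by_key[ident["accessKeyId"]].append(
                (to_local(ev["eventTime"]), ev["sourceIPAddress"], ev["eventName"]))
    return {key: sorted(hits) for key, hits in by_key.items()
            if len({src for _, src, _ in hits}) > 1}

if __name__ == "__main__":
    for key, hits in reused_role_credentials(SAMPLE_EVENTS).items():
        for when, src, name in hits:
            print(key, when.isoformat(), src, name)
```

A source address can change for legitimate reasons, so the output is a lead for review in the Text Details view rather than a verdict.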
Some examples of the dashboards for this area are shown below.