AWS CloudTrail: Log Analysis and Security Monitoring
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
CloudTrail is the audit log for your entire AWS environment. Every API call, every console login, every assumed role — it all goes through CloudTrail. If you are doing incident response or threat detection in AWS, CloudTrail is where you start.
Getting the Configuration Right
A single-region trail is not enough. Create an organization trail that covers all regions and all accounts. Attackers will spin up resources in regions you are not watching if you only monitor your primary region.
Enable management events for both read and write. Yes, read events generate more volume, but GetSecretValue, GetObject, and DescribeInstances calls are exactly the signals you need to detect reconnaissance.
Enable data events for S3 and Lambda selectively. Turning on data events for every bucket will cost a lot, but you should cover buckets that store sensitive data, CloudFormation templates, and Terraform state.
Send logs to a centralized S3 bucket in a dedicated security account. Enable S3 Object Lock with a retention policy so no one — including a compromised root account — can delete or modify logs. Enable log file validation to detect tampering.
Log Analysis Techniques
CloudTrail events follow a consistent JSON structure. The fields you will use most in investigations: eventName, eventSource, sourceIPAddress, userIdentity, requestParameters, and errorCode.
Filter for errorCode: "AccessDenied" to find privilege escalation attempts. An IAM principal repeatedly hitting access denied errors across different services is either misconfigured or probing for permissions.
Watch for ConsoleLogin events with MFAUsed: "No" from new IP addresses. Track CreateAccessKey, AttachUserPolicy, and PutRolePolicy as indicators of persistence.
Use CloudTrail Lake or Athena for querying historical data. CloudTrail Lake lets you run SQL queries directly against your events without managing an Athena table. For ad-hoc investigations, the query speed is worth the cost.
SIEM Integration
Forward CloudTrail logs to your SIEM through S3 event notifications to SQS, then have your SIEM consume from the queue. Avoid direct CloudWatch Logs subscriptions for high-volume trails — the costs scale faster than the S3 path.
Build detection rules for these high-value events:
- StopLogging or DeleteTrail — someone is trying to blind you
- CreateUser or CreateAccessKey outside of your provisioning pipeline
- AssumeRole from external accounts not in your organization
- AuthorizeSecurityGroupIngress opening 0.0.0.0/0
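The investigation filters above (AccessDenied bursts, ConsoleLogin without MFA, persistence events) and the high-value detection list can be expressed as one rule pass over raw CloudTrail records. The following is an added example, not code from the article or from HADESS; the sample records and the ORG_ACCOUNTS set are constructed, and the "new IP address" baseline for ConsoleLogin is not modeled.

```python
from collections import Counter

# Account IDs belonging to our organization (constructed placeholder values).
ORG_ACCOUNTS = {"111122223333"}
# Events that warrant an alert when seen outside a provisioning pipeline.
HIGH_VALUE = {"StopLogging", "DeleteTrail", "CreateUser", "CreateAccessKey",
              "AttachUserPolicy", "PutRolePolicy"}

def _opens_to_world(e):
    # Walks CloudTrail's EC2 requestParameters shape:
    # ipPermissions.items[].ipRanges.items[].cidrIp (IPv6 ranges not checked here)
    perms = e.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in p.get("ipRanges", {}).get("items", []))

def detect(events, denied_threshold=3):
    """Return (rule, principal ARN) findings for a list of CloudTrail records."""
    findings, denied = [], Counter()
    for e in events:
        name = e.get("eventName")
        who = e.get("userIdentity", {}).get("arn", "unknown")
        if e.get("errorCode") == "AccessDenied":
            denied[who] += 1
        if name == "ConsoleLogin" and e.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console_login_without_mfa", who))
        if name in HIGH_VALUE:
            findings.append(("high_value:" + name, who))
        if name == "AuthorizeSecurityGroupIngress" and _opens_to_world(e):
            findings.append(("security_group_open_to_world", who))
        if name == "AssumeRole" and e.get("userIdentity", {}).get("accountId") not in ORG_ACCOUNTS:
            findings.append(("assume_role_from_external_account", who))
    # Repeated AccessDenied from one principal: misconfiguration or permission probing.
    findings += [("access_denied_burst", w) for w, n in denied.items() if n >= denied_threshold]
    return findings

# Constructed sample records (not real log data) that exercise each rule once.
ALICE = {"arn": "arn:aws:iam::111122223333:user/alice", "accountId": "111122223333"}
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": ALICE,
     "additionalEventData": {"MFAUsed": "No"}},
    *[{"eventName": n, "userIdentity": ALICE, "errorCode": "AccessDenied"}
      for n in ("GetSecretValue", "DescribeInstances", "GetObject")],
    *[{"eventName": n, "userIdentity": ALICE} for n in ("CreateAccessKey", "StopLogging")],
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": ALICE, "requestParameters":
        {"groupId": "sg-0123", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22,
         "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AssumeRole", "userIdentity": {"accountId": "999999999999",
                                                 "arn": "arn:aws:iam::999999999999:user/mallory"}},
]
```

Running `detect(SAMPLE_EVENTS)` yields six findings; in a SIEM the same rules would be fed from the S3-to-SQS path described below rather than from an in-memory list.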
What to Focus On
CloudTrail analysis is a core skill for anyone working in cloud security or a SOC that handles AWS environments. The difference between a junior and senior analyst is often the ability to trace an incident through CloudTrail events from initial access to impact.
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
