Configure CloudTrail in AWS

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.

With CloudTrail, you can get a history of AWS API calls for your account—no matter if you made those calls using the AWS Management Console, AWS Software Development Kits (SDKs), Command Line Interface (CLI) tools, or other AWS services such as AWS CloudFormation.

CloudCheckr can consume CloudTrail logs, which you can leverage for your alerts and reports. However, AWS does not write CloudTrail logs to storage by default; you need to configure it so that CloudCheckr can access and consume it.


This procedure will show you how to configure CloudTrail in AWS:

  1. Log in to the AWS Management Console.

    The AWS services page opens.

  2. Scroll down to the Management & Compliance section and select CloudTrail.
  3. From the CloudTrail dashboard, click the View trails button.
  4. Click Create trail.
  5. On the Create Trail page, provide a name for your cloud trail.
  6. Scroll down to the Storage location section.

    Although CloudCheckr does not require any specific settings for your CloudTrail log, you must record the name of an S3 bucket where you want AWS to write the CloudTrail log.

    CloudCheckr needs the name of this S3 bucket so that you can successfully set up your cross-account role in CloudFormation or

    create a cross-account role manually.
  7. For the purposes of this procedure, let's configure an existing S3 bucket:
    1. Next to Create a new S3 bucket, select the No radio button.
    2. From the S3 bucket drop-down menu, select the name of an existing S3 bucket.
  8. Click Create.

    AWS displays your new CloudTrail in the list:

How did we do?