1. In the AWS Console search bar, enter CloudTrail and open the CloudTrail service
2. The next step is to click Create a trail
3. By default the Quick trail create option is selected, which limits the options you can choose from. The only option is to specify the Trail name and click Create trail.
Once the trail is created, it can be modified by clicking its name
4. Click edit in the general details to start modifying the options
The SNS notification delivery option triggers a notification every time a log file is delivered, which can be quite chatty, so enabling it is not recommended
6. For Log file SSE-KMS encryption click Enabled and choose whether to create a new key or use an existing one. Enter a new KMS key alias; in our case we will use cloudtrail
7. Click Enabled under Log file validation (CloudTrail then delivers digest files that let you detect modified or deleted log files) and then click Save changes
9. Click Enabled
10. Once enabled, choose the CloudWatch Logs log group (either use an existing one or create a new one), do the same for the IAM role, and click Save changes
11. If needed, add tags by clicking Manage tags and entering the required tags
12. The next step is to modify the management events by clicking Edit
Ensure that both Read and Write API activity are selected, that no exclude options are ticked, and click Save changes
13. By default, CloudTrail does not log data events; if needed, they can be enabled by clicking Edit in the Data events section and selecting Add data event type
In this case, S3 is selected
For S3 the available options are as follows:
Once the required options are selected, click Save changes
14. By default, trails do not log Insights events. CloudTrail Insights helps you identify and respond to unusual activity associated with write API calls. If this option is needed, click Edit in the Insights events section
15. Tick Insights events, choose the insight types required, and then click Save changes
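Once a trail has been configured by hand as above, it is worth checking that it still matches these settings. The following is an added example, not part of the original guide: an audit function that takes the trail description, event selectors and insight selectors in the shape returned by the CloudTrail API (`describe_trails`, `get_event_selectors`, `get_insight_selectors`) and reports every deviation from the settings walked through in the steps. The sample account id, bucket and ARNs are constructed placeholders.

```python
"""Audit a CloudTrail trail against the settings from the steps above."""

# Constructed sample shaped like boto3 describe_trails / get_event_selectors /
# get_insight_selectors responses (placeholder account, bucket and ARNs).
TRAIL = {
    "Name": "management-events",
    "S3BucketName": "example-trail-bucket",
    "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:alias/cloudtrail",
    "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:cloudtrail:*",
    "CloudWatchLogsRoleArn": "arn:aws:iam::111111111111:role/CloudTrail_CloudWatchLogs_Role",
}
EVENT_SELECTORS = [{
    "ReadWriteType": "All",            # both Read and Write management events
    "IncludeManagementEvents": True,
    "ExcludeManagementEventSources": [],
    "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
}]
INSIGHT_SELECTORS = [{"InsightType": "ApiCallRateInsight"}]


def audit_trail(trail, event_selectors, insight_selectors, require_s3_data_events=True):
    """Return a list of findings; an empty list means the trail matches the guide."""
    findings = []
    if not trail.get("KmsKeyId"):
        findings.append("log files are not SSE-KMS encrypted")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is disabled")
    if not (trail.get("CloudWatchLogsLogGroupArn") and trail.get("CloudWatchLogsRoleArn")):
        findings.append("CloudWatch Logs delivery is not configured")
    if trail.get("SnsTopicName"):
        findings.append("SNS notification delivery is enabled (noisy, not recommended)")
    # Management events: at least one selector must cover Read and Write with no exclusions.
    mgmt = [s for s in event_selectors if s.get("IncludeManagementEvents")]
    if not any(s.get("ReadWriteType") == "All" for s in mgmt):
        findings.append("management events are not logged for both Read and Write")
    if any(s.get("ExcludeManagementEventSources") for s in mgmt):
        findings.append("some management event sources are excluded")
    s3_logged = any(r.get("Type") == "AWS::S3::Object"
                    for s in event_selectors for r in s.get("DataResources", []))
    if require_s3_data_events and not s3_logged:
        findings.append("S3 data events are not logged")
    if not insight_selectors:
        findings.append("Insights events are not enabled")
    return findings


if __name__ == "__main__":
    print(audit_trail(TRAIL, EVENT_SELECTORS, INSIGHT_SELECTORS) or "trail matches the guide")
```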