# AWS CloudTrail

Version: 1.0.1 · Category: AWS Cloud Security · Plan: Base+

A full CloudTrail integration covering event search, log file analysis, Trail configuration, data event analysis, CloudTrail Insights, and cross-account activity analysis.

## Tools
### get_cloudtrail_events — Event search

Query CloudTrail management events with the following filter combinations:

| Filter | Description |
|---|---|
| event_name | API name (e.g. AssumeRole, DeleteBucket) |
| username | Username (IAM user or role name) |
| resource_name | Resource name (ARN, bucket name, instance ID, etc.) |
| event_source | Service source (e.g. s3.amazonaws.com) |
| read_only | true = read-only events; false = write events |
| Time range | start_time / end_time (ISO 8601 format) |
### search_log_file — S3 log file search

Directly read and parse compressed CloudTrail log files from S3 (.gz format). Useful for deep dives into large volumes of historical event data.

### get_trail_status — Trail status

Get the operational status of a CloudTrail Trail:
- Recording status
- Latest delivery time
- S3 log file delivery location
- CloudWatch Logs delivery status
### list_trails — Trail list

List all Trails in the current account, including multi-region Trails and organization Trails.

### get_event_selectors — Event selector configuration

Get the event selector configuration for a Trail (which event types and resources are being logged):
- Management events (read/write)
- S3 data events
- Lambda data events
### analyze_user_activity — User activity analysis

Comprehensive API activity analysis for a specified IAM user or role:
- API call frequency distribution
- Frequently accessed services
- Unusual time patterns
### detect_anomalies — Anomaly detection

Detect anomalous activity in a time range:

| Alert type | Typical triggers |
|---|---|
| UNUSUAL_API_CALLS | Rarely-used API calls from that identity |
| ROOT_ACCOUNT_USAGE | Any root account activity |
| FAILED_CONSOLE_LOGINS | Multiple failed console login attempts |
| HIGH_VOLUME_DELETE | Bulk deletion operations |
| CROSS_REGION_ACTIVITY | API calls in non-standard regions |
| PRIVILEGE_ESCALATION | Role assumption or policy modification |
| NEW_IP_ACCESS | Access from an IP not seen before |
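As an added illustration (not code from this integration), the snippet below shows what search_log_file and detect_anomalies do underneath: it parses a CloudTrail .gz log file in the `{"Records": [...]}` layout delivered to S3, then evaluates four of the alert types above over the records. The sample records, the thresholds (3 failed logins, 10 deletions) and the list of policy-modification event names are constructed assumptions; the record fields used (`userIdentity.type`, `eventName`, `responseElements.ConsoleLogin`) are standard CloudTrail fields.

```python
import gzip
import io
import json
from collections import Counter

# Constructed sample records (not real events). Real CloudTrail files delivered
# to S3 are gzipped JSON objects of the form {"Records": [...]}.
_LOGIN_FAIL = {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
               "userIdentity": {"type": "IAMUser", "userName": "alice"},
               "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "198.51.100.7"}
_DELETE = {"eventName": "DeleteObject", "eventSource": "s3.amazonaws.com",
           "userIdentity": {"type": "IAMUser", "userName": "ci-bot"}, "sourceIPAddress": "192.0.2.9"}
SAMPLE_RECORDS = [_LOGIN_FAIL] * 3 + [_DELETE] * 12 + [
    {"eventName": "CreateBucket", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.5"},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "ci-bot"}, "sourceIPAddress": "192.0.2.9"},
]

# Event names treated as PRIVILEGE_ESCALATION here (assumed rule, not the integration's list).
PRIV_ESC_EVENTS = {"AssumeRole", "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy"}

def make_gz_log(records):
    """Build an in-memory .gz file in CloudTrail's delivery layout (demo input only)."""
    return gzip.compress(json.dumps({"Records": records}).encode())

def parse_gz_log(data):
    """Decompress one CloudTrail .gz log file and return its record list."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as f:
        return json.load(f)["Records"]

def detect_anomalies(records, failed_login_threshold=3, delete_threshold=10):
    """Evaluate four alert types over parsed records; thresholds are assumed values.
    Returns a sorted list of (alert_type, identity) pairs."""
    alerts, failed_logins, deletes = set(), Counter(), Counter()
    for r in records:
        ident = r.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        name = r.get("eventName", "")
        if ident.get("type") == "Root":  # any root activity is an alert on its own
            alerts.add(("ROOT_ACCOUNT_USAGE", who))
        if name == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failed_logins[who] += 1
        if name.startswith("Delete"):
            deletes[who] += 1
        if name in PRIV_ESC_EVENTS:
            alerts.add(("PRIVILEGE_ESCALATION", who))
    alerts.update(("FAILED_CONSOLE_LOGINS", w) for w, n in failed_logins.items() if n >= failed_login_threshold)
    alerts.update(("HIGH_VOLUME_DELETE", w) for w, n in deletes.items() if n >= delete_threshold)
    return sorted(alerts)
```

Calling `detect_anomalies(parse_gz_log(make_gz_log(SAMPLE_RECORDS)))` yields one alert each for alice's failed logins, ci-bot's bulk deletes and policy change, and the root CreateBucket call.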
### get_cloudtrail_insights — CloudTrail Insights

Retrieve CloudTrail Insights anomaly events: statistical baselines and anomaly duration for API call rates or error rates.

!!! warning "Requires enabling Insights"
    CloudTrail Insights must be enabled in the AWS console first. Insights events are stored in a separate S3 bucket.
### analyze_cross_account_activity — Cross-account activity analysis

Analyze AssumeRole activity across accounts:
- Mapping of cross-account trust relationships
- Historical role assumption records
- Anomalous cross-account access detection
## Configuration

| Item | Description |
|---|---|
| AWS_ACCESS_KEY_ID | Access Key ID |
| AWS_SECRET_ACCESS_KEY | Secret Access Key |
| AWS_DEFAULT_REGION | Default region (e.g. us-east-1) |
| AWS_SESSION_TOKEN | Optional: temporary session token |
## Investigation workflow

1. `detect_anomalies time_range:"last_24h"`
   → Quick scan for anomalies: root access, bulk deletion, privilege escalation
2. `get_cloudtrail_events event_name:"AssumeRole" read_only:false`
   → View all role assumption events (common for privilege escalation and lateral movement)
3. `analyze_user_activity username:"ci-bot" start_time:"2026-02-01" end_time:"2026-02-28"`
   → Check whether a service account's activity is within its normal baseline
4. `get_cloudtrail_events event_name:"DeleteBucket" start_time:"2026-02-15T00:00:00Z" end_time:"2026-02-15T23:59:59Z"`
   → Investigate a specific deletion event
5. `analyze_cross_account_activity`
   → Map which accounts have assumed roles in this account and confirm the trust scope