Skip to main content
In this lesson, you’ll learn how to track and audit S3 access using AWS CloudTrail. When an IAM user performs actions—like deleting an object in an S3 bucket—you need to know who did it, when it happened, and exactly which operation was called. AWS CloudTrail records all API calls to your AWS resources, making this audit process straightforward.
Make sure CloudTrail is enabled across all regions before you begin so that no API activity goes unrecorded.

Why Audit S3 Access?

By analyzing CloudTrail logs, you can:
FeatureDescription
API call loggingCapture every AWS API request, whether from users, services, or resources.
Action auditingReview who performed which operations on your resources.
API call trackingFilter logs by IAM users, resources, or specific event names.
Security event detectionIdentify both successful and failed login attempts.
The image is an infographic about "CloudTrail and User Access Audit," highlighting four key functions: logging API calls, auditing actions, tracking API calls, and detecting login attempts and security threats.

Demo: Use CloudTrail to Audit User Access

Follow these steps to search the event history in the CloudTrail console:
  1. Sign in to the AWS Management Console and open CloudTrail.
  2. In the sidebar, select Event history.
  3. Use the filter bar to narrow down by Event name, Username, or Resource name.
  4. Click an individual event to view details such as the request time, source IP, and whether the request succeeded or failed.
The image is a slide titled "Use CloudTrail to Audit User Access," featuring a simple illustration of a person with a "Demo" sign and a list of steps for using CloudTrail on AWS.

References

Watch Video