
AWS CloudTrail

An AWS service that records all API calls and user activity across an AWS environment, creating a detailed audit trail. It's a foundational data source for cloud forensics, compliance, and threat detection.

What is AWS CloudTrail?

AWS CloudTrail is the native audit logging service for Amazon Web Services environments. It captures every API call made within an AWS account, whether triggered by a user, a role, or an automated service, and stores those events as structured logs. This creates a complete, tamper-evident record of who did what, when, and from where across the entire AWS infrastructure. CloudTrail is foundational for cloud security operations: it feeds detection rules in SIEM platforms, supports forensic reconstruction of security incidents, and provides the evidentiary trail needed for compliance frameworks like SOC 2, PCI-DSS, and ISO 27001. For SOC teams, it is often the first data source consulted when investigating unusual cloud activity, privilege escalation, or unauthorized resource creation.

How does AWS CloudTrail work with Qevlar?

Qevlar ingests CloudTrail logs to investigate cloud-related alerts automatically. When a detection fires on unusual API behavior, a new IAM role creation, or a suspicious cross-account access pattern, Qevlar can trace the full sequence of events through CloudTrail data without requiring an analyst to manually query the AWS console.
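To make the two scenarios above concrete, here is an added example (not Qevlar's code and not from AWS) that parses a CloudTrail log file body and applies two simple detection rules over it: an IAM `CreateRole` event and a cross-account `AssumeRole`. The three records are constructed; field names follow the CloudTrail record schema, and the cross-account check (caller `userIdentity.accountId` differing from `recipientAccountId`) is an assumed heuristic that also fires on legitimate cross-account setups.

```python
import json
from typing import Dict, List

# Constructed CloudTrail-style records (not real log data); field names follow
# the CloudTrail record schema, all values are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "AdminBackup"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole", "accountId": "999988887777",
                      "arn": "arn:aws:sts::999988887777:assumed-role/Deploy/ci"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/AdminBackup"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

def parse_trail(raw: str) -> List[Dict]:
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(raw).get("Records", [])

def flag_events(records: List[Dict]) -> List[Dict]:
    """Apply two simple detection rules and return one finding per hit."""
    findings = []
    for ev in records:
        who = ev.get("userIdentity", {})
        base = {"time": ev.get("eventTime"), "actor": who.get("arn"),
                "ip": ev.get("sourceIPAddress"), "event": ev.get("eventName")}
        # Rule 1: a new IAM role was created (review for privilege escalation / persistence)
        if ev.get("eventSource") == "iam.amazonaws.com" and ev.get("eventName") == "CreateRole":
            findings.append({**base, "rule": "iam_role_created",
                             "role": ev.get("requestParameters", {}).get("roleName")})
        # Rule 2: AssumeRole where the caller's account differs from the account
        # that owns the role (assumed heuristic; legitimate trusts also match)
        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") == "AssumeRole":
            if who.get("accountId") != ev.get("recipientAccountId"):
                findings.append({**base, "rule": "cross_account_assume_role",
                                 "caller_account": who.get("accountId")})
    return findings
```

Running `flag_events(parse_trail(SAMPLE_TRAIL))` yields two findings (the role creation and the cross-account assumption) and leaves the routine `ListBuckets` call unflagged.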
