AWS CloudTrail Cheatsheet
Top commands.
Overview
The CloudTrail CLI cheatsheet captures the patterns operators actually use during AWS API audit investigation. lookup-events covers recent investigation; Athena over S3 logs covers large windows; both belong in the muscle memory.
- Top commands. lookup-events, describe-trails, get-trail-status; the three investigation paths.
- Lookup-events filter. By user, event name, resource; narrows scope before reading; the alternative is parsing every event.
- Time-bounded queries. --start-time and --end-time; matches the investigation window; supports targeted forensics.
- Athena plus EventBridge. SQL-style query for large investigations; real-time event-driven response for detection.
The approach
The practical approach: lookup-events for recent investigation, Athena for large windows, EventBridge for real-time detection, documented queries per incident. The team’s discipline produces fast audit investigation.
- aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteBucket. Recent event by name; first call when investigating a known event type.
- aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=alice. Per-user audit; answers "what did this user do?"
- --start-time / --end-time. Bounded query; matches scope; faster results, fewer false matches.
- Athena over S3 logs. SQL queries for large windows; the right tool when the investigation spans days.
- Document the investigation. Per-incident queries committed to the runbook; supports the next incident’s investigation.
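The narrowing the list above describes (event name, user, time window) is easy to reproduce offline once the lookup-events output is saved to a file, which is what an incident runbook usually wants: the raw JSON is the evidence, and the filtering is repeatable. The following is an added example, not part of the original cheatsheet or any AWS tooling. It mirrors the shape of `aws cloudtrail lookup-events --output json` (an `Events` list whose entries carry `EventName`, `EventTime`, `Username`, `Resources` and a `CloudTrailEvent` JSON string); the records in `SAMPLE_LOOKUP_OUTPUT` are constructed sample data, not real account activity, and the function names are this example's own.

```python
"""Offline filter for saved `aws cloudtrail lookup-events --output json` output.

Added example (not the cheatsheet's own code). Reproduces the narrowing that
--lookup-attributes and --start-time/--end-time do on the CLI, then flattens
each match into the "who did what, when, from where" row an investigator wants.
"""
import json
from datetime import datetime, timezone

# Constructed sample data shaped like lookup-events output; not real activity.
SAMPLE_LOOKUP_OUTPUT = {
    "Events": [
        {
            "EventId": "00000000-0000-0000-0000-000000000001",
            "EventName": "DeleteBucket",
            "EventTime": "2024-05-01T10:15:00+00:00",
            "EventSource": "s3.amazonaws.com",
            "Username": "alice",
            "Resources": [{"ResourceType": "AWS::S3::Bucket", "ResourceName": "example-logs"}],
            "CloudTrailEvent": json.dumps({
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "198.51.100.7",
                "requestParameters": {"bucketName": "example-logs"},
            }),
        },
        {
            "EventId": "00000000-0000-0000-0000-000000000002",
            "EventName": "DeleteBucket",
            "EventTime": "2024-04-28T09:00:00+00:00",
            "EventSource": "s3.amazonaws.com",
            "Username": "bob",
            "Resources": [{"ResourceType": "AWS::S3::Bucket", "ResourceName": "example-staging"}],
            "CloudTrailEvent": json.dumps({
                "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "sourceIPAddress": "203.0.113.42",
            }),
        },
        {
            "EventId": "00000000-0000-0000-0000-000000000003",
            "EventName": "CreateUser",
            "EventTime": "2024-05-01T11:00:00+00:00",
            "EventSource": "iam.amazonaws.com",
            "Username": "alice",
            "Resources": [],
            "CloudTrailEvent": json.dumps({
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "198.51.100.7",
                "errorCode": "AccessDenied",
            }),
        },
    ]
}


def parse_event_time(value):
    """EventTime is ISO-8601 text in --output json; normalise to an aware UTC datetime."""
    when = datetime.fromisoformat(value)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def filter_events(lookup_output, event_name=None, username=None, start=None, end=None):
    """Narrow saved lookup-events output the way the CLI flags do.

    event_name / username match AttributeKey=EventName / AttributeKey=Username;
    start / end are inclusive bounds like --start-time / --end-time.
    Returns flat rows sorted by time, oldest first.
    """
    rows = []
    for ev in lookup_output.get("Events", []):
        if event_name and ev.get("EventName") != event_name:
            continue
        if username and ev.get("Username") != username:
            continue
        when = parse_event_time(ev["EventTime"])
        if start and when < start:
            continue
        if end and when > end:
            continue
        # CloudTrailEvent is the full record serialised as a string; it holds
        # the fields the top-level summary omits (source IP, error code, ...).
        detail = json.loads(ev.get("CloudTrailEvent") or "{}")
        rows.append({
            "when": when.isoformat(),
            "who": ev.get("Username") or detail.get("userIdentity", {}).get("arn", "unknown"),
            "what": ev.get("EventName"),
            "source": ev.get("EventSource"),
            "source_ip": detail.get("sourceIPAddress"),
            "resources": [r.get("ResourceName") for r in ev.get("Resources", [])],
            "error": detail.get("errorCode"),
        })
    rows.sort(key=lambda r: r["when"])
    return rows


def format_rows(rows):
    """One line per match, in the form a runbook entry or ticket comment wants."""
    return [
        f"{r['when']} {r['who']} {r['what']} via {r['source']} from {r['source_ip']}"
        + (f" [{r['error']}]" if r["error"] else "")
        + (f" on {', '.join(r['resources'])}" if r["resources"] else "")
        for r in rows
    ]


if __name__ == "__main__":
    window_start = datetime(2024, 5, 1, tzinfo=timezone.utc)
    for line in format_rows(filter_events(SAMPLE_LOOKUP_OUTPUT, username="alice", start=window_start)):
        print(line)
```

To use it on a real investigation, save the CLI output with `aws cloudtrail lookup-events ... --output json > events.json`, load that file in place of `SAMPLE_LOOKUP_OUTPUT`, and commit the filter arguments alongside the output in the incident runbook. Note that lookup-events reads only the 90-day event history of management events; for anything older or for data events, the Athena path over the S3 trail logs is the one to take.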
Why this compounds
CloudTrail fluency compounds across investigations. Each audit grows the team’s investigation expertise; cost-per-incident falls as the playbook matures.
- Faster audit investigation. Fluent CloudTrail produces fast root cause; "who did this when?" answered in minutes.
- Better security posture. Audit fluency catches anomalies; unexpected event patterns surface during routine review.
- Better compliance. Audit evidence supports certifications; SOC 2 evidence collection drops from weeks to hours.
- Institutional knowledge. Each query teaches AWS APIs; the team’s audit muscle grows.
CloudTrail fluency is an operational discipline that pays off across years. Nova AI Ops integrates with audit telemetry, surfaces patterns, and supports the team’s investigation discipline.