Skip to content

CloudTrail Hands On

We can open up CloudTrail and use filters to see when an instance was terminated.

Here we can see that 2 instances were terminated by root, one by Cloud9 and one by AutoScaling.

We can also check for Read-only events etc.

Trails

You can create a trail to capture more events.

Event source options are S3 and Lambda.

We can see that the CloudTrail is also created in CloudWatch now.

You can also view the events in S3 bucket or create an Athena table from the s3 bucket and query them.