9 best practices for AWS CloudTrail compliance: Avoid the common mistakes

CloudTrail is non-negotiable for regulated environments. Financial services, healthcare, government. Auditors demand it. Build it properly or the audit fails.

Enable multi-region trails

One trail, all regions. Not per-region trails. One costs less, covers everything.

The trail should log management events (API calls), data events (S3 object access) and CloudTrail Insights (anomalous API activity).

Protect the S3 bucket

CloudTrail writes to S3. Bucket must not be public. Enable versioning. Enable MFA delete.

Only CloudTrail can write. Only authorized users can read. Block public access.

Use S3 Object Lock for immutability. Once written, logs cannot be deleted or modified. Compliance gold standard.
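A least-privilege bucket policy for the log bucket, plus an audit function that flags the two mistakes this section warns about (a public principal, or write access for anything other than CloudTrail). This is an added example, not code from the article or from Critical Cloud; the bucket name, account id and trail ARN are constructed placeholders, and the `AWSLogs/<account>/` prefix assumes a single-account trail (an organization trail writes under the organization id instead).

```python
"""CloudTrail log-bucket policy: least-privilege baseline plus an audit.

Added example, not from the article. Bucket, account id and trail ARN are
constructed placeholders."""
import json

BUCKET = "example-cloudtrail-logs"  # constructed
ACCOUNT_ID = "111122223333"         # constructed
TRAIL_ARN = f"arn:aws:cloudtrail:eu-west-2:{ACCOUNT_ID}:trail/org-trail"  # constructed

CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:deleteobjectversion", "s3:*", "*"}


def cloudtrail_bucket_policy(bucket: str, account_id: str, trail_arn: str) -> dict:
    """CloudTrail may read the bucket ACL and write under AWSLogs/<account>/;
    plain-HTTP access is refused; nothing but CloudTrail may write or delete."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                # aws:SourceArn stops a trail in another account using this bucket
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL,
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {"StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": trail_arn,
                }},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyWritesExceptCloudTrail",
                "Effect": "Deny",
                "NotPrincipal": CLOUDTRAIL,
                "Action": ["s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def audit_bucket_policy(policy: dict) -> list:
    """Flag Allow statements that break the rules above: a public principal
    with no Condition, or write/delete rights for anything but CloudTrail."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = st.get("Sid", "<no sid>")
        principal = st.get("Principal")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if principal in ("*", {"AWS": "*"}) and "Condition" not in st:
            findings.append(f"{sid}: Allow for a public principal")
        writes = [a for a in actions if a.lower() in WRITE_ACTIONS]
        if writes and principal != CLOUDTRAIL:
            findings.append(f"{sid}: {writes} granted to a principal other than CloudTrail")
    return findings


# Constructed "what not to do" policy: public read plus a developer role that can write.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "DevsCanWrite", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/developer"},
         "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

if __name__ == "__main__":
    good = cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID, TRAIL_ARN)
    print(json.dumps(good, indent=2))
    print("baseline findings:", audit_bucket_policy(good))
    print("bad policy findings:", audit_bucket_policy(BAD_POLICY))
```

The audit only inspects the bucket policy; block-public-access settings, versioning and Object Lock are bucket properties and still need their own checks.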

Enable log file validation

CloudTrail can sign logs with digest files. Verifies integrity. Makes tampering detectable.

Enable this. Non-negotiable for compliance.
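What a digest actually lets you check, as an added example (not the article's code): each digest file lists the SHA-256 of every log file delivered in the hour, plus the hash of the previous digest, so a modified, replaced or deleted log file, or a gap in the digest chain, shows up. The log files and digest below are constructed in memory. CloudTrail also signs each digest with RSA and stores the signature in the digest object's S3 metadata; `aws cloudtrail validate-logs` checks that signature against the key from `aws cloudtrail list-public-keys`, and that step is not reproduced here.

```python
"""Offline integrity check of a CloudTrail digest against the log files it lists.

Added example, not from the article. All data below is constructed. Only the
SHA-256 hashes are checked; the RSA signature over the digest is not."""
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(digest: dict, objects: dict, previous_digest: bytes) -> list:
    """Return a list of problems; an empty list means every hash matched.

    `objects` maps "bucket/key" to the object's raw bytes as stored in S3
    (CloudTrail hashes the gzipped file, not the decompressed JSON)."""
    problems = []
    # Each digest carries the hash of the previous digest file, so a deleted
    # or replaced digest breaks the chain.
    if digest["previousDigestHashValue"] != sha256_hex(previous_digest):
        problems.append("previous digest hash mismatch: chain broken")
    for entry in digest["logFiles"]:
        key = f'{entry["s3Bucket"]}/{entry["s3Object"]}'
        if entry["hashAlgorithm"] != "SHA-256":
            problems.append(f"{key}: unexpected hash algorithm {entry['hashAlgorithm']}")
            continue
        blob = objects.get(key)
        if blob is None:
            problems.append(f"{key}: log file missing")
        elif sha256_hex(blob) != entry["hashValue"]:
            problems.append(f"{key}: hash mismatch, file modified or replaced")
    return problems


# ---- constructed sample data (not real logs) --------------------------------
BUCKET = "example-cloudtrail-logs"
ACCOUNT = "111122223333"
LOG_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/eu-west-2/2024/05/01/"
DIGEST_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/eu-west-2/2024/05/01/"
KEY_A = f"{BUCKET}/{LOG_PREFIX}{ACCOUNT}_CloudTrail_eu-west-2_20240501T0000Z_a.json.gz"
KEY_B = f"{BUCKET}/{LOG_PREFIX}{ACCOUNT}_CloudTrail_eu-west-2_20240501T0100Z_b.json.gz"


def make_log_file(records: list) -> bytes:
    """CloudTrail delivers gzipped JSON with a top-level "Records" array."""
    return gzip.compress(json.dumps({"Records": records}).encode())


LOG_A = make_log_file([{"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}}])
LOG_B = make_log_file([{"eventName": "PutBucketPolicy", "userIdentity": {"type": "IAMUser"}}])
PREVIOUS_DIGEST = json.dumps({"awsAccountId": ACCOUNT, "logFiles": []}).encode()
OBJECTS = {KEY_A: LOG_A, KEY_B: LOG_B}

DIGEST = {
    "awsAccountId": ACCOUNT,
    "digestStartTime": "2024-05-01T00:00:00Z",
    "digestEndTime": "2024-05-01T01:00:00Z",
    "digestS3Bucket": BUCKET,
    "digestS3Object": f"{DIGEST_PREFIX}{ACCOUNT}_CloudTrail-Digest_eu-west-2_20240501T010000Z.json.gz",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST),
    "previousDigestHashAlgorithm": "SHA-256",
    "logFiles": [
        {"s3Bucket": BUCKET, "s3Object": KEY_A.split("/", 1)[1],
         "hashValue": sha256_hex(LOG_A), "hashAlgorithm": "SHA-256"},
        {"s3Bucket": BUCKET, "s3Object": KEY_B.split("/", 1)[1],
         "hashValue": sha256_hex(LOG_B), "hashAlgorithm": "SHA-256"},
    ],
}

if __name__ == "__main__":
    print("clean:", verify_digest(DIGEST, OBJECTS, PREVIOUS_DIGEST))
    tampered = dict(OBJECTS, **{KEY_A: make_log_file([])})  # root login scrubbed
    print("tampered:", verify_digest(DIGEST, tampered, PREVIOUS_DIGEST))
```

Run it as-is and the clean set returns no problems while the tampered set reports the hash mismatch on the file whose root login was removed. An attacker who can overwrite the log file still cannot fix the digest without CloudTrail's private key, which is why the signature check in `validate-logs` completes the picture.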

Monitor organization-wide

If multi-account, use an organization trail. One trail in the central logging account sees all activity in all accounts.

Solves the visibility problem. Prevents account-specific activity from being hidden.

Set retention appropriately

Compliance requirement, not operational choice. Financial (7 years), GDPR (as long as necessary), HIPAA (6 years).

Move to Glacier after 90 days. Keep S3 queryable for recent logs. Archive old logs.

Query CloudTrail logs

CloudWatch Logs Insights for real-time queries. Athena for historical queries.

"Show me all IAM policy changes." "Show me all root account usage." "Show me API calls from outside the UK."

Make queries actionable. Not just "what happened" but "do we care?"

Alert on critical events

Unauthorized API calls. Root account use. Privilege escalation. Data deletion.

These should trigger immediately. SNS notification, Slack, PagerDuty.

Don't alert on everything. Noise kills alerting.
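The questions from "Query CloudTrail logs" and the triggers from "Alert on critical events" as one piece of detection logic, run over constructed CloudTrail records. This is an added example, not code from the article or from Critical Cloud; the records, the trusted network range (used in place of "outside the UK", since geolocation needs an external database) and the page-versus-ticket severity table are assumptions. In production the same predicates become Athena SQL over the log bucket or CloudWatch Logs metric filters feeding SNS; the point is the logic and the "do we care?" split.

```python
"""Classify CloudTrail records and decide which findings page someone.

Added example, not from the article. Records, TRUSTED_NETWORKS and SEVERITY
are constructed assumptions."""
import ipaddress

# Assumption: the organisation's known egress ranges (TEST-NET address, not real).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

IAM_POLICY_CHANGES = {
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy", "AttachUserPolicy",
    "AttachRolePolicy", "AttachGroupPolicy", "DetachUserPolicy", "DetachRolePolicy",
    "CreatePolicy", "CreatePolicyVersion", "DeletePolicy", "SetDefaultPolicyVersion",
}
DATA_DELETION = {"DeleteBucket", "DeleteObject", "DeleteTable", "DeleteDBInstance", "DeleteSnapshot"}
ACCESS_DENIED = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}

# "Don't alert on everything": only "page" findings go to PagerDuty; the rest
# land in a ticket queue for the daily review.
SEVERITY = {
    "root_usage": "page", "privilege_escalation": "page", "data_deletion": "page",
    "iam_policy_change": "ticket", "unauthorized_call": "ticket", "untrusted_source": "ticket",
}


def caller_name(identity: dict) -> str:
    """IAM user name, or the role name behind an assumed-role session."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return identity.get("userName") or issuer.get("userName", "")


def classify(record: dict) -> list:
    """Findings for one record, in a fixed order so results are comparable."""
    findings = []
    identity = record.get("userIdentity", {})
    params = record.get("requestParameters") or {}
    name = record.get("eventName", "")
    if identity.get("type") == "Root":
        findings.append("root_usage")
    if record.get("eventSource") == "iam.amazonaws.com" and name in IAM_POLICY_CHANGES:
        findings.append("iam_policy_change")
        # A principal changing the policy on itself is the shape worth paging on.
        target = params.get("userName") or params.get("roleName")
        if target and target == caller_name(identity):
            findings.append("privilege_escalation")
    if record.get("errorCode") in ACCESS_DENIED:
        findings.append("unauthorized_call")
    if name in DATA_DELETION:
        findings.append("data_deletion")
    try:
        ip = ipaddress.ip_address(record.get("sourceIPAddress", ""))
        if not any(ip in net for net in TRUSTED_NETWORKS):
            findings.append("untrusted_source")
    except ValueError:
        pass  # AWS services appear as a DNS name, e.g. "config.amazonaws.com"
    return findings


def triage(records: list) -> dict:
    """Split findings into what pages now and what waits for review."""
    out = {"page": [], "ticket": []}
    for r in records:
        for f in classify(r):
            out[SEVERITY[f]].append((r["eventID"], f))
    return out


SAMPLE_RECORDS = [  # constructed, trimmed to the fields used above
    {"eventID": "1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.10"},
    {"eventID": "2", "eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventID": "3", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation", "sourceIPAddress": "203.0.113.20"},
    {"eventID": "4", "eventName": "DeleteBucket", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "deploy"}}},
     "sourceIPAddress": "203.0.113.30"},
    {"eventID": "5", "eventName": "PutEvaluations", "eventSource": "config.amazonaws.com",
     "userIdentity": {"type": "AWSService"}, "sourceIPAddress": "config.amazonaws.com"},
]

if __name__ == "__main__":
    for severity, items in triage(SAMPLE_RECORDS).items():
        print(severity, items)
```

Three records page (root login, self-granted policy, bucket deletion); three findings become tickets; the AWS service call produces nothing. Tune the sets and the severity table to your environment rather than paging on every entry in `IAM_POLICY_CHANGES`.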

Encrypt logs at rest

CloudTrail can encrypt logs with KMS. Default is SSE-S3 (fine). SSE-KMS with a customer-managed key (better for compliance).

Use a customer-managed KMS key if regulation requires it.
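The trail-level settings from "Enable multi-region trails", "Monitor organization-wide" and "Encrypt logs at rest" as a single compliance check, the kind of custom rule an auditor can be shown. This is an added example, not code from the article or from Critical Cloud. The dicts mirror the shape of `aws cloudtrail describe-trails`, `get-trail-status`, `get-event-selectors` and `get-insight-selectors` output, but every value is constructed; wiring the functions to live API responses via boto3 is left to the reader.

```python
"""Audit a trail against the checklist: multi-region, global service events,
log file validation, organization trail, customer-managed KMS key, logging on,
management plus S3 data events, and Insights enabled.

Added example, not from the article. All sample values are constructed."""

REQUIRED_FLAGS = {
    "IsMultiRegionTrail": "one trail must cover every region",
    "IncludeGlobalServiceEvents": "IAM, STS and other global-service calls must be captured",
    "LogFileValidationEnabled": "digest files must be produced",
    "IsOrganizationTrail": "the trail must cover every account in the organization",
}


def check_trail(trail: dict, status: dict, require_cmk: bool = True) -> list:
    """Findings for the trail itself; an empty list means it passes."""
    findings = []
    for key, why in REQUIRED_FLAGS.items():
        if not trail.get(key, False):
            findings.append(f"{key} is off: {why}")
    if require_cmk and not trail.get("KmsKeyId"):
        findings.append("KmsKeyId unset: logs use SSE-S3, not a customer-managed key")
    if not status.get("IsLogging", False):
        findings.append("IsLogging is false: the trail is not recording")
    if status.get("LatestDeliveryError"):
        findings.append(f"delivery to S3 failing: {status['LatestDeliveryError']}")
    return findings


def check_event_coverage(event_selectors: list, insight_selectors: list) -> list:
    """Management events, S3 object-level data events and Insights must all be on."""
    findings = []
    if not any(s.get("IncludeManagementEvents") for s in event_selectors):
        findings.append("management events not logged")
    if not any(s.get("ReadWriteType", "All") == "All" for s in event_selectors):
        findings.append("only read or only write events logged")
    s3_objects = [d for s in event_selectors for d in s.get("DataResources", [])
                  if d.get("Type") == "AWS::S3::Object"]
    if not s3_objects:
        findings.append("no S3 object-level data events")
    if not insight_selectors:
        findings.append("CloudTrail Insights not enabled")
    return findings


# ---- constructed samples ----------------------------------------------------
GOOD_TRAIL = {
    "Name": "org-trail", "HomeRegion": "eu-west-2",
    "TrailARN": "arn:aws:cloudtrail:eu-west-2:111122223333:trail/org-trail",
    "S3BucketName": "example-cloudtrail-logs",
    "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True, "IsOrganizationTrail": True,
    "KmsKeyId": "arn:aws:kms:eu-west-2:111122223333:key/constructed-key-id",
}
GOOD_STATUS = {"IsLogging": True, "LatestDeliveryError": ""}
GOOD_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                   # "arn:aws:s3" as the only value means every bucket, current and future
                   "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]
GOOD_INSIGHTS = [{"InsightType": "ApiCallRateInsight"}]

# The common mistake: a single-region, single-account trail left on defaults.
DEFAULT_TRAIL = dict(GOOD_TRAIL, IsMultiRegionTrail=False, LogFileValidationEnabled=False,
                     IsOrganizationTrail=False, KmsKeyId=None)
DEFAULT_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]

if __name__ == "__main__":
    print("good trail:", check_trail(GOOD_TRAIL, GOOD_STATUS),
          check_event_coverage(GOOD_SELECTORS, GOOD_INSIGHTS))
    print("default trail:", check_trail(DEFAULT_TRAIL, GOOD_STATUS),
          check_event_coverage(DEFAULT_SELECTORS, []))
```

Pass `require_cmk=False` for regimes where SSE-S3 is accepted; the other flags are not optional. The `LatestDeliveryError` check catches the quiet failure mode where the trail exists but a bucket policy change stopped delivery weeks ago.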

Document and audit

Compliance auditors will ask: "How do you monitor CloudTrail?" Document your answer.

Show log retention policy. Show alerting rules. Show query examples. Show response procedures.

Where Critical Cloud comes in

CloudTrail works. But millions of events per month are unmanageable by hand. Most teams struggle with signal-to-noise.

We're Powered by Datadog accredited. We normalize CloudTrail, filter noise, surface security and compliance events.

If CloudTrail feels overwhelming, see how Critical Support works.