CloudTrail is not just an audit log. For an AWS-first company, it is the record you rely on when something goes wrong.
Most Israeli tech companies enable AWS CloudTrail early. It is one of the first controls auditors ask about, and AWS makes the setup look simple.
The problem is that “CloudTrail is enabled” does not mean CloudTrail is secure, complete, or useful during an incident.
For startups and mid-market companies running production on AWS, CloudTrail has to answer uncomfortable questions quickly:
- Who changed this IAM policy?
- Was the root account used?
- Did someone disable logging before touching S3?
- Which access key created that new user?
- Can we prove these logs were not modified after the fact?
This article is a practical guide for securing CloudTrail itself. It is written for Israeli engineering, IT, DevOps, and security teams that need strong cloud audit logging without building a large internal Security Operations Center (SOC).
The short version
If you only have time to fix a few things, start here:
| Control | Why it matters |
|---|---|
| Use an organization trail | Covers every AWS account, including new accounts created later |
| Protect the S3 log bucket | Prevents attackers or admins from deleting the audit record |
| Enable log file validation and encryption | Helps prove integrity and protect sensitive log contents |
| Alert on CloudTrail tampering | Detects StopLogging, DeleteTrail, and risky event selector changes |
| Define retention by purpose | Supports investigations, SOC 2, ISO 27001, and Israeli privacy expectations |
CloudTrail is a security control only if it is complete, protected, monitored, and retained for a clear reason.
Why CloudTrail security matters in Israel
Israeli companies are often AWS-heavy, fast-moving, and globally exposed earlier than their headcount suggests. A 40-person SaaS company in Tel Aviv may be handling US enterprise customers, European personal data, and Israeli employees at the same time.
That creates three CloudTrail pressures.
First, customer security reviews expect evidence. If a customer asks how you detect AWS account takeover, IAM privilege escalation, or public S3 changes, CloudTrail is usually part of the answer.
Second, compliance programs depend on reliable logs. SOC 2, ISO 27001, HIPAA for HealthTech, and privacy reviews all need auditability. You need to show who changed access, when the change happened, and how long you keep that record.
Third, Israeli privacy and cyber expectations are getting stricter. Logs can include personal data such as IP addresses, usernames, email addresses, session context, and resource names that identify customers or employees. That does not mean “do not log.” It means log deliberately, encrypt properly, restrict access, and avoid keeping data forever without a reason.
CloudTrail sits at the intersection of security, compliance, and incident response. Treat it like infrastructure, not like a checkbox.
Start with the right trail architecture
The most common CloudTrail mistake is account-by-account drift.
One team enables a trail in production. Another account uses a different S3 bucket. A sandbox account has no trail. A newly created workload account is missed entirely. Six months later, nobody can say with confidence whether all management events are captured.
For most companies using AWS Organizations, the better default is an organization trail created from the management account or delegated administrator account.
| Trail model | Best for | Main downside |
|---|---|---|
| Single-account trail | Very small AWS environments | Easy to miss future accounts |
| Per-account trails | Teams with strong account-level ownership | Inconsistent settings and more operational work |
| Organization trail | Startups and SMBs with multiple AWS accounts | Requires careful central bucket and IAM design |
An organization trail gives you one control plane for AWS audit logging across accounts. New accounts inherit coverage. Security teams can review one consistent setup.
A practical baseline looks like this:
AWS Organizations
-> Organization CloudTrail
-> Central S3 log bucket in a security/logging account
-> KMS encryption
-> SIEM ingestion
-> Alerting and retention controls
Keep the log archive separate from day-to-day workload accounts. If an application account is compromised, the attacker should not automatically have access to delete or rewrite the audit trail.
Capture the right event types
CloudTrail records different types of events. Do not assume the default trail captures everything you will need.
Management events
Management events are the core audit trail for AWS control plane activity. They include actions such as:
CreateUserAttachRolePolicyAssumeRolePutBucketPolicyAuthorizeSecurityGroupIngressStopLogging
For almost every company, management events should be enabled for both read and write activity across all regions.
Write events are usually higher signal for alerting. Read events are still useful during investigations, especially for IAM, STS, KMS, Secrets Manager, and discovery activity.
Data events
Data events capture resource-level access, such as S3 object reads and writes or Lambda invocation activity. These are higher volume and can increase cost, so enable them deliberately.
For Israeli SaaS, FinTech, HealthTech, and B2B companies, S3 data events are often worth enabling on high-risk buckets:
- Buckets containing customer exports
- Buckets containing backups
- Buckets containing audit logs
- Buckets used for sensitive document upload
- Buckets with regulated or personal data
You do not need data events on every bucket on day one. Start with crown-jewel buckets and expand based on risk.
Insights events
CloudTrail Insights can detect unusual API activity volume, such as a sudden spike in AccessDenied errors or management API calls. It is useful, but it is not a replacement for explicit alert rules.
Use Insights as an additional signal. Keep your own rules for high-risk events that should never wait for statistical anomaly detection.
Protect the S3 log bucket
CloudTrail usually writes logs to S3. That bucket becomes one of your most sensitive security assets.
If an attacker gets enough permission to delete CloudTrail logs, your investigation becomes slower and less reliable. If an internal admin can casually browse or download all logs, you also have a privacy and access-control problem.
Minimum controls for the CloudTrail bucket:
| Control | Recommended setting |
|---|---|
| Public access | Block all public access |
| Encryption | SSE-KMS with a customer managed KMS key |
| Versioning | Enabled |
| Deletion protection | Use MFA Delete or S3 Object Lock where operationally feasible |
| Access | Limited to CloudTrail delivery, SIEM ingestion, and a small security admin group |
| Bucket policy | Deny non-TLS access and deny unencrypted object writes |
| Lifecycle | Move older logs to cheaper storage and expire based on policy |
For stronger integrity, enable CloudTrail log file validation. This creates digest files that help verify whether logs were modified, deleted, or tampered with after delivery.
You can validate logs with the AWS CLI:
aws cloudtrail validate-logs \
--trail-arn arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail \
--start-time 2026-05-01T00:00:00Z \
--end-time 2026-05-02T00:00:00Z
You may not run this command every day, but you want the option during an investigation or audit.
Encrypt logs with KMS, but design the key policy carefully
CloudTrail logs often contain sensitive data:
- IAM principal names
- Source IP addresses
- User agent strings
- Request parameters
- Resource names
- Account IDs
- Error messages
Use AWS Key Management Service (KMS) encryption with a customer managed key. The important part is not only turning encryption on. The important part is controlling who can decrypt.
A reasonable key policy separates three groups:
- CloudTrail can encrypt new log objects.
- The SIEM or log pipeline can decrypt what it needs to ingest.
- A small security admin group can decrypt logs for investigations.
Do not give broad decrypt permission to every admin role by default. In many companies, “admin” grows to include DevOps, platform engineers, temporary consultants, and CI roles. CloudTrail logs may include enough context to expose customer activity patterns or internal security posture.
For Israeli companies handling personal data, this access model also supports privacy expectations: people should only access logs when they have a real operational need.
Monitor CloudTrail tampering first
Before writing dozens of niche detections, monitor attempts to weaken logging.
These events should be treated as high priority:
| Priority | Event | Why it matters |
|---|---|---|
P1 | StopLogging | Direct attempt to stop trail delivery |
P1 | DeleteTrail | Removes the trail configuration |
P1 | UpdateTrail | May redirect logs or weaken trail settings |
P1 | PutEventSelectors | Can reduce which events are collected |
P1 | PutInsightSelectors | Can disable Insights coverage |
P2 | S3 bucket policy changes on the log bucket | May allow deletion, exposure, or denial of delivery |
P2 | KMS key policy changes on the CloudTrail key | May block logging or allow unauthorized decrypt |
A simple rule should ask: did someone change the logging control plane, the log destination, or the encryption key?
Example SQL-style detection logic:
SELECT
event_time,
event_name,
user_identity_arn,
source_ip_address,
aws_region
FROM cloudtrail_events
WHERE event_name IN (
'StopLogging',
'DeleteTrail',
'UpdateTrail',
'PutEventSelectors',
'PutInsightSelectors'
)
AND event_time >= now() - INTERVAL 1 HOUR;
In a small environment, any result is worth reviewing. In a larger environment, tune around known infrastructure-as-code roles and approved change windows, but do not suppress the signal completely.
Build a practical alert set
CloudTrail produces a huge amount of data. Good monitoring starts with high-signal actions, not a rule for every API call.
Start with the actions closest to account takeover, privilege escalation, exposure, and logging evasion.
| Priority | Alert family | Example events |
|---|---|---|
P1 | Root account usage | ConsoleLogin, root API calls |
P1 | IAM privilege escalation | AttachUserPolicy, PutRolePolicy, CreatePolicyVersion |
P1 | CloudTrail tampering | StopLogging, DeleteTrail, PutEventSelectors |
P2 | S3 public exposure | PutBucketPolicy, PutBucketAcl, DeletePublicAccessBlock |
P2 | Network exposure | AuthorizeSecurityGroupIngress to 0.0.0.0/0 |
P2 | Persistence | CreateAccessKey, CreateLoginProfile, trust policy changes |
P3 | Unusual regions | Management events outside expected AWS regions |
The alert should include enough context for fast triage:
- AWS account name and ID
- Event name
- Principal ARN
- Source IP and geolocation
- User agent
- Target resource
- Whether MFA was present
- Whether the principal is known automation
Without context, CloudTrail alerts become Slack noise. With context, they become a useful operational signal.
Keep retention boring and defensible
CloudTrail retention should not be “forever because storage is cheap.” It should be tied to security, compliance, and business needs.
For many Israeli tech companies, a practical retention model looks like this:
| Log tier | Typical retention | Purpose |
|---|---|---|
| Hot SIEM data | 30-90 days | Fast investigation and alert triage |
| Searchable archive | 6-12 months | Customer reviews, audits, incident review |
| Cold archive | 1-7 years where justified | Contractual, regulated, or legal requirements |
The exact answer depends on your customers, industry, data sensitivity, and legal advice. A HealthTech company and a developer tool startup may not need the same retention policy.
What matters is that you document the decision:
- Which CloudTrail events you collect
- Where they are stored
- Who can access them
- How long each tier is retained
- When and how logs are deleted
- Which compliance or security requirement justifies the retention period
This is especially important because CloudTrail can contain personal data. Retention should be long enough to support investigations and audits, but not indefinite by accident.
Do not rely on CloudTrail alone
CloudTrail is necessary, but it is not the whole cloud security program.
It tells you about AWS API activity. It does not fully explain workload behavior, network traffic, endpoint activity, or application-layer abuse.
Use CloudTrail with:
- GuardDuty for threat findings and AWS-managed anomaly detection
- Security Hub for control findings and aggregation
- AWS Config for resource state and configuration history
- VPC Flow Logs for network metadata
- Identity provider logs from Okta, Microsoft Entra ID, or Google Workspace
- Application logs for business-layer activity
CloudTrail is the backbone of AWS control plane visibility. A managed Security Information and Event Management (SIEM) system becomes valuable when it correlates CloudTrail with identity, network, endpoint, and application context.
Common mistakes to fix before an audit
The same CloudTrail gaps show up repeatedly in startup and SMB environments.
| Mistake | Why it hurts |
|---|---|
| Trail only exists in production | Sandbox and staging accounts can still expose data or become attacker footholds |
| No all-region trail | Activity in unused regions may be missed |
| Log bucket is in a workload account | Compromise of that account may expose or delete logs |
No alert on StopLogging | You may miss the first sign of attacker evasion |
| Everyone with admin can read logs | Creates privacy and insider-risk problems |
| No documented retention | Makes audits and customer reviews harder |
| No SIEM ingestion | Logs exist, but nobody sees high-risk activity in time |
These are not exotic cloud security failures. They are normal drift. Fixing them early is cheaper than explaining them after a customer review or incident.
A baseline CloudTrail checklist
Use this as a quick working checklist for your AWS environment:
| Area | Baseline |
|---|---|
| Scope | Organization trail enabled across all AWS accounts |
| Regions | Multi-region logging enabled |
| Management events | Read and write events enabled |
| Data events | Enabled for sensitive S3 buckets and other high-value resources |
| Storage | Central S3 bucket in a logging or security account |
| Encryption | SSE-KMS with restricted decrypt permissions |
| Integrity | Log file validation enabled |
| Protection | Versioning enabled, public access blocked, deletion controls considered |
| Monitoring | Alerts for CloudTrail, S3 log bucket, and KMS key tampering |
| Retention | Documented lifecycle by security and compliance purpose |
| Response | Clear owner for investigating CloudTrail alerts |
If you cannot check most of these boxes, CloudTrail is probably enabled but not yet operationally secure.
Where Xpernix fits
Xpernix helps Israeli startups and SMBs turn CloudTrail from raw audit data into managed security monitoring.
In practice, that means:
- Ingesting CloudTrail events from S3
- Normalizing AWS event fields into a queryable SIEM schema
- Enriching events with source IP, geography, and tenant context
- Running alert rules for root usage, IAM escalation, S3 exposure, logging tampering, and unusual activity
- Reviewing high-priority alerts through a managed SOC workflow
- Helping teams keep retention and evidence aligned with customer and compliance needs
For teams without a dedicated cloud security engineer, this closes the gap between “we have logs” and “we can detect and respond.”
If you are setting up ingestion yourself, start with our guide on setting up AWS CloudTrail S3 ingestion. For alert design, read AWS CloudTrail Monitoring: A Practical Guide.
Final thought
Securing CloudTrail is one of the highest-return AWS security projects for an Israeli tech company. It improves incident response, supports audits, strengthens customer security reviews, and gives your team a reliable source of truth when AWS access changes.
The goal is not to collect every possible event forever. The goal is to collect the right events, protect them from tampering, alert on the changes that matter, and retain the evidence for as long as you can justify.
If you want help reviewing your CloudTrail setup or turning CloudTrail into managed alerts, contact us.