AWS Solutions Architect · Lesson

CloudTrail Insights and Log File Integrity

Enable CloudTrail Insights to detect unusual API activity and use digest files to verify log file integrity for forensic purposes.

What Is CloudTrail Insights?

CloudTrail Insights is an optional feature that uses machine learning to automatically detect unusual API activity in your AWS account. It establishes a baseline of the normal call volume of each write management API, then raises an Insights event when activity deviates significantly from that baseline. Insights events are delivered to the same S3 bucket as the trail's logs and can also match EventBridge rules, so an anomaly can trigger an automated response.

Enabling CloudTrail Insights

CloudTrail Insights is enabled per trail. You can detect API call rate anomalies (an unusual number of write management events per second for a given API), API error rate anomalies (an unusual number of access-denied or throttling errors), or both. Insights requires an active trail that logs management events. AWS charges for Insights events in addition to the regular trail event charges. After it is enabled, Insights takes 24-36 hours to establish an initial baseline before it can start reporting anomalies.

# Enable CloudTrail Insights for API call rate and error rate anomalies
aws cloudtrail put-insight-selectors \
  --trail-name OrgAuditTrail \
  --insight-selectors \
    InsightType=ApiCallRateInsight \
    InsightType=ApiErrorRateInsight

# Verify insights configuration
aws cloudtrail get-insight-selectors \
  --trail-name OrgAuditTrail
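Enabling Insights only produces events; the lesson also notes that those events reach S3 and EventBridge and that digest files back log integrity checks. The script below is an added example, not code from the lesson or from AWS: it creates an EventBridge rule that forwards Insights events to an SNS topic, wraps the digest validation command for a time window, and includes a small triage helper that pulls the API name, anomaly type and state out of an Insights record. The rule name, topic ARN, trail ARN and the sample record are assumptions; the EventBridge source and detail-type values are the ones CloudTrail assigns to Insights events.

```shell
#!/bin/sh
# Added example, not part of the lesson: route CloudTrail Insights events to a
# security SNS topic via EventBridge, plus two response-side helpers
# (triage of an Insights record, digest-file validation for a trail).
# RULE_NAME, TOPIC_ARN, TRAIL_ARN and SAMPLE_INSIGHT are assumptions.

RULE_NAME="cloudtrail-insights-alert"                                      # hypothetical
TOPIC_ARN="arn:aws:sns:us-east-1:000000000000:security-alerts"             # placeholder account id
TRAIL_ARN="arn:aws:cloudtrail:us-east-1:000000000000:trail/OrgAuditTrail"  # placeholder account id

# EventBridge pattern. "aws.cloudtrail" and "AWS Insight via CloudTrail" are
# the source and detail-type EventBridge assigns to Insights events.
insights_event_pattern() {
  cat <<'EOF'
{
  "source": ["aws.cloudtrail"],
  "detail-type": ["AWS Insight via CloudTrail"]
}
EOF
}

# Create the rule and attach the SNS topic as its target. Needs AWS
# credentials, so it only runs when the script is invoked with "apply".
create_insights_rule() {
  aws events put-rule \
    --name "$RULE_NAME" \
    --event-pattern "$(insights_event_pattern)" \
    --state ENABLED
  aws events put-targets \
    --rule "$RULE_NAME" \
    --targets "Id=security-alerts,Arn=$TOPIC_ARN"
}

# Validate the digest chain for the trail between two timestamps ($1, $2),
# i.e. the digest-file integrity check named in the lesson description.
validate_trail_logs() {
  aws cloudtrail validate-logs \
    --trail-arn "$TRAIL_ARN" \
    --start-time "$1" \
    --end-time "$2" \
    --verbose
}

# Extract the string value of key $2 from JSON document $1 with sed only, so
# the triage helper runs where jq is absent (a real pipeline would use jq).
json_field() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Summarise an Insights record as "<eventName> <insightType> <state>": which
# API spiked, which anomaly type fired, and whether it is starting or ending.
summarize_insight() {
  printf '%s %s %s\n' \
    "$(json_field "$1" eventName)" \
    "$(json_field "$1" insightType)" \
    "$(json_field "$1" state)"
}

# Constructed sample record in the shape of a CloudTrail Insights event.
SAMPLE_INSIGHT='{"eventVersion":"1.07","eventTime":"2024-01-01T00:00:00Z",
"awsRegion":"us-east-1","eventType":"AwsCloudTrailInsight",
"insightDetails":{"state":"Start","eventSource":"iam.amazonaws.com",
"eventName":"CreateUser","insightType":"ApiCallRateInsight"},
"eventCategory":"Insight"}'

case "${1:-}" in
  apply)    create_insights_rule ;;
  validate) validate_trail_logs "$2" "$3" ;;
  *)        summarize_insight "$SAMPLE_INSIGHT" ;;
esac
```

Run it with no arguments to see the triage summary of the constructed record, with `apply` (and credentials) to create the rule, or with `validate <start> <end>` to check the digest chain for a window; a "Start" state record for a write API such as CreateUser is the point at which to pull the matching management events from the trail bucket.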
