This lab is currently in Beta; content may be updated as we refine the material.
Lab | Intermediate

CloudTrail Investigation: Who Did What

Configure a CloudTrail trail with management and S3 data events, generate diverse API activity, query the events with CloudTrail Lake SQL, and validate digest signatures to prove logs were not tampered with.

45 minutes
aws/devops

Lab Overview

CloudTrail is the audit log of every AWS account. As a DevOps Engineer Professional, you must be able to deploy a trail correctly, capture both management and data events, and use that audit trail to investigate incidents and prove integrity to auditors.

You will:

  • Create a CloudTrail trail writing to S3 encrypted with KMS
  • Enable management events plus S3 object-level data events on a target bucket
  • Enable log file integrity validation
  • Generate diverse API activity (IAM user create/delete, policy attach, S3 put/get/delete)
  • Create a CloudTrail Lake event data store and query events with SQL
  • Use `aws cloudtrail validate-logs` to confirm digest signatures match log file hashes

This lab uses only confirmed-tier services (CloudTrail, S3, KMS, IAM, STS) and runs reliably under a hardened TeKanAid AWS lab IAM policy.

What You'll Learn

  • Create a CloudTrail trail with KMS-encrypted S3 destination
  • Enable management events and S3 object-level data events on a target bucket
  • Turn on log file integrity validation and understand digest files
  • Generate diverse IAM and S3 API activity to populate the trail
  • Create a CloudTrail Lake event data store and run SQL queries to investigate activity
  • Validate CloudTrail digest signatures using `aws cloudtrail validate-logs`

Prerequisites

  • aws-cli-familiarity
  • aws-iam-fundamentals
  • aws-associate-level-knowledge

Technologies Covered

aws, cloudtrail, cloudtrail-lake, audit, kms, s3, iam, log-integrity, dop-c02, monitoring

Part of a Course

This lab is part of the AWS Certified DevOps Engineer - Professional (DOP-C02) course
