1. How can you detect unauthorized console login attempts using CloudTrail?
Look for events with eventSource signin.amazonaws.com and eventName ConsoleLogin, either in a trail's logs or in the 90-day Event History (aws cloudtrail lookup-events with AttributeKey=EventName,AttributeValue=ConsoleLogin). A failed attempt has responseElements set to {"ConsoleLogin": "Failure"} and errorMessage "Failed authentication"; a success has {"ConsoleLogin": "Success"}, and additionalEventData.MFAUsed tells you whether MFA was involved. Alert on bursts of failures from one sourceIPAddress across several user names, and on a success from an IP that had just been failing. Sign-ins through the global console endpoint are recorded in us-east-1, so the trail must include global service events to capture them.
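A worked example of that check, added here and not part of the original page: it parses a CloudTrail log file in the gzip-compressed {"Records": [...]} form CloudTrail delivers to S3, counts failed ConsoleLogin events per source IP, and flags a successful login from an IP that had just been failing (the password-spraying pattern). The records are constructed samples with made-up account ID, user names and addresses; the threshold of three failures is an arbitrary starting point.

```python
import gzip
import io
import json
from collections import defaultdict


def load_records(blob):
    """Parse one CloudTrail log file as delivered to S3: gzip-compressed JSON with a top-level "Records" list."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
        return json.load(fh)["Records"]


def is_console_login(rec, outcome):
    """True for a ConsoleLogin event with the given outcome ("Success" or "Failure")."""
    return (rec.get("eventSource") == "signin.amazonaws.com"
            and rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == outcome)


def actor_name(rec):
    ui = rec.get("userIdentity", {})
    return ui.get("userName") or ui.get("type", "unknown")   # root sign-ins carry type "Root"


def failed_logins_by_ip(records, threshold=3):
    """Source IP -> user names tried, for IPs with at least `threshold` failures (spraying/stuffing)."""
    tried = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if is_console_login(rec, "Failure"):
            tried[rec["sourceIPAddress"]].append(actor_name(rec))
    return {ip: users for ip, users in tried.items() if len(users) >= threshold}


def failures_then_success(records):
    """(ip, user, time, MFAUsed) for successful logins from an IP that failed earlier in the file."""
    hits, failed_ips = [], set()
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if is_console_login(rec, "Failure"):
            failed_ips.add(rec["sourceIPAddress"])
        elif is_console_login(rec, "Success") and rec["sourceIPAddress"] in failed_ips:
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            hits.append((rec["sourceIPAddress"], actor_name(rec), rec["eventTime"], mfa))
    return hits


# Constructed sample data (account ID, user names and IPs are made up for this example).
def _login(time, user, ip, outcome, mfa):
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": "signin.amazonaws.com",
           "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": ip,
           "userAgent": "Mozilla/5.0",
           "userIdentity": {"type": "IAMUser", "userName": user, "accountId": "111122223333"},
           "responseElements": {"ConsoleLogin": outcome},
           "additionalEventData": {"MFAUsed": mfa, "LoginTo": "https://console.aws.amazon.com/console/home"}}
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec


def sample_log_file():
    """Builds the gzip-compressed file CloudTrail would deliver, containing the constructed records."""
    records = [
        _login("2024-05-01T10:00:00Z", "alice", "198.51.100.7", "Failure", "No"),
        _login("2024-05-01T10:00:30Z", "alice", "198.51.100.7", "Failure", "No"),
        _login("2024-05-01T10:01:00Z", "bob", "198.51.100.7", "Failure", "No"),
        _login("2024-05-01T10:02:00Z", "alice", "203.0.113.10", "Success", "Yes"),  # normal office login
        _login("2024-05-01T10:03:00Z", "bob", "198.51.100.7", "Success", "No"),     # success after spraying
        {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111122223333"}},
    ]
    return gzip.compress(json.dumps({"Records": records}).encode())


if __name__ == "__main__":
    recs = load_records(sample_log_file())
    print("failures by IP:", failed_logins_by_ip(recs))
    print("success after failures:", failures_then_success(recs))
```

To run it against real data, replace sample_log_file() with the object bytes read from the trail bucket; across a whole trail the same two queries are better expressed in CloudTrail Lake or Athena over the bucket.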
2. How can CloudTrail help investigate who deleted an EC2 instance?
Search CloudTrail logs for TerminateInstances events whose requestParameters.instancesSet contains the instance ID. userIdentity tells you who made the call; eventTime, sourceIPAddress and userAgent tell you when, from where and with which tool. If userIdentity.type is AssumedRole, follow sessionContext.sessionIssuer to the role and then to the AssumeRole event that created the session to find the actual person or workload behind it.
3. A resource was created but no one claims to have done it. How do you trace it?
Look for the creation event for that resource type (RunInstances, CreateBucket, CreateFunction, CreateUser and so on) in the relevant time window; the Event History can be filtered by resource name, and the new resource's ID appears in requestParameters or responseElements. Then examine userIdentity, sourceIPAddress and userAgent. If the actor is a role session, follow sessionContext.sessionIssuer and the matching AssumeRole event; if userIdentity.invokedBy names a service such as cloudformation.amazonaws.com, the resource was created by that service on someone's behalf, and the stack or pipeline event tells you who triggered it.
4. How can you secure CloudTrail logs from being deleted or tampered with?
Turn on log file validation when you create the trail: CloudTrail then writes signed hourly digest files containing the SHA-256 of every delivered log file, and aws cloudtrail validate-logs reports any file that was altered, deleted or added. Send the logs to a dedicated bucket in a separate log-archive account, enable versioning and S3 Object Lock in compliance mode (an object under compliance-mode retention cannot be deleted or overwritten by anyone, the root user included, until the retention period expires), and add a bucket policy or organization SCP that denies s3:DeleteObject, s3:DeleteObjectVersion and changes to the bucket policy, allowing only the CloudTrail service principal to write. An IAM policy alone is not enough: IAM policies never restrict the root user, and the root user of the bucket-owning account can always delete a bucket policy, so Object Lock and SCPs (which do apply to the root user of member accounts) are the controls that survive a root compromise.
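As an added example (not from the original page), the following reproduces the hash part of what aws cloudtrail validate-logs does: each digest file lists the SHA-256 of every log file delivered in its hour and the SHA-256 of the previous digest file, forming a chain back to the first digest. It assumes, per the documented digest format, that both hashes are taken over the uncompressed contents; the bucket keys, account and records are constructed. It deliberately does not verify the RSA signature over the digest (stored as S3 object metadata and checked with the CloudTrail public key), which is the part an attacker cannot forge after rewriting a digest.

```python
import gzip
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_digest(digest, objects):
    """Check one digest file against the objects it covers.

    digest:  parsed digest JSON (the *.json.gz CloudTrail writes under CloudTrail-Digest/).
    objects: S3 key -> object bytes as stored (gzip-compressed) for every log file the digest lists
             and for the previous digest file.
    Returns a list of findings; an empty list means every hash matched and the chain link holds.
    Assumption: hashValue and previousDigestHashValue are hex SHA-256 over the uncompressed contents.
    """
    findings = []
    for entry in digest.get("logFiles", []):
        key = entry["s3Object"]
        blob = objects.get(key)
        if blob is None:
            findings.append("MISSING log file " + key)
        elif sha256_hex(gzip.decompress(blob)) != entry["hashValue"]:
            findings.append("HASH MISMATCH " + key)
    prev_key = digest.get("previousDigestS3Object")   # null only for the first digest of a trail
    if prev_key:
        prev = objects.get(prev_key)
        if prev is None:
            findings.append("MISSING previous digest " + prev_key)
        elif sha256_hex(gzip.decompress(prev)) != digest["previousDigestHashValue"]:
            findings.append("CHAIN MISMATCH " + prev_key)
    return findings


def _gz(obj):
    return gzip.compress(json.dumps(obj).encode())


def sample_chain():
    """Constructed log file, previous digest and current digest (account, region and keys are made up)."""
    base = "AWSLogs/111122223333/CloudTrail"
    log_key = base + "/us-east-1/2024/05/01/111122223333_CloudTrail_us-east-1_20240501T1000Z_a1b2c3.json.gz"
    prev_key = base + "-Digest/us-east-1/2024/05/01/111122223333_CloudTrail-Digest_us-east-1_20240501T0900Z.json.gz"
    log_blob = _gz({"Records": [{"eventTime": "2024-05-01T09:58:00Z", "eventSource": "cloudtrail.amazonaws.com",
                                 "eventName": "StopLogging",
                                 "userIdentity": {"type": "IAMUser", "userName": "mallory"}}]})
    prev_blob = _gz({"awsAccountId": "111122223333", "logFiles": [], "previousDigestS3Object": None})
    digest = {
        "awsAccountId": "111122223333",
        "digestEndTime": "2024-05-01T10:00:00Z",
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestS3Object": prev_key,
        "previousDigestHashValue": sha256_hex(gzip.decompress(prev_blob)),
        "logFiles": [{"s3Object": log_key, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(gzip.decompress(log_blob))}],
    }
    return digest, {log_key: log_blob, prev_key: prev_blob}


def tampered_copy(objects, key, new_content):
    """Copy of `objects` with one file rewritten, as an attacker holding s3:PutObject would do."""
    copy = dict(objects)
    copy[key] = _gz(new_content)
    return copy


if __name__ == "__main__":
    digest, objects = sample_chain()
    log_key = digest["logFiles"][0]["s3Object"]
    print("intact:", verify_digest(digest, objects))
    print("record removed:", verify_digest(digest, tampered_copy(objects, log_key, {"Records": []})))
    print("file deleted:", verify_digest(digest, {k: v for k, v in objects.items() if k != log_key}))
```

Without the signature check an attacker with write access could rewrite both the log file and the digest that covers it; that is why validate-logs verifies the signature with the CloudTrail public key, and why the bucket still needs Object Lock or a deny policy on top of validation.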
5. Can CloudTrail track changes to Security Groups?
Yes. Security group changes are EC2 management events: AuthorizeSecurityGroupIngress and RevokeSecurityGroupIngress cover inbound rules, AuthorizeSecurityGroupEgress and RevokeSecurityGroupEgress cover outbound rules, and ModifySecurityGroupRules, CreateSecurityGroup and DeleteSecurityGroup cover the rest. requestParameters carries the exact protocol, port range and CIDR that was added or removed, so a new rule admitting 0.0.0.0/0 on port 22 or 3389 is straightforward to alert on.
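An added example, not from the original page, of that alert: it walks the rules in an AuthorizeSecurityGroupIngress record and returns the ones that admit the whole internet (0.0.0.0/0 or ::/0) on a watched port or on all ports. The record is a constructed sample; its nested requestParameters shape (ipPermissions.items[].ipRanges.items[].cidrIp) follows how CloudTrail renders EC2 parameters, which is an assumption to verify against your own logs.

```python
from ipaddress import ip_network


def open_ingress_rules(rec, watch_ports=(22, 3389)):
    """(group, protocol, fromPort, toPort, cidr) for each rule in an AuthorizeSecurityGroupIngress
    record that opens a watched port, or every port, to the whole internet."""
    if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = rec.get("requestParameters", {})
    hits = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if ip_network(cidr, strict=False).prefixlen != 0:   # only /0 means "everyone"
                continue
            all_traffic = proto == "-1" or lo is None           # protocol -1 has no port range
            if all_traffic or any(lo <= p <= hi for p in watch_ports):
                hits.append((params.get("groupId"), proto, lo, hi, cidr))
    return hits


def _perm(proto, lo, hi, v4=(), v6=()):
    return {"ipProtocol": proto, "fromPort": lo, "toPort": hi,
            "ipRanges": {"items": [{"cidrIp": c} for c in v4]},
            "ipv6Ranges": {"items": [{"cidrIpv6": c} for c in v6]}}


# Constructed sample record (group ID, account and IPs are made up).
SAMPLE_SG_EVENT = {
    "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
    "eventTime": "2024-05-01T11:00:00Z", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
    "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
        _perm("tcp", 22, 22, v4=["0.0.0.0/0", "10.0.0.0/8"]),   # SSH from anywhere: alert
        _perm("tcp", 443, 443, v4=["0.0.0.0/0"]),               # public HTTPS: expected for a web tier
        _perm("tcp", 3389, 3389, v6=["::/0"]),                  # RDP from any IPv6 address: alert
        _perm("tcp", 5432, 5432, v4=["10.0.0.0/8"]),            # internal only
    ]}},
}

if __name__ == "__main__":
    for hit in open_ingress_rules(SAMPLE_SG_EVENT):
        print("open to the internet:", hit)
```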
6. You suspect someone disabled CloudTrail. How would you confirm this?
Search for StopLogging, DeleteTrail, UpdateTrail and PutEventSelectors events from cloudtrail.amazonaws.com. The call that stops or deletes a trail is itself recorded, and the 90-day Event History in the console keeps recording management events even while no trail is running, so the evidence of who did it survives. Confirm the current state with aws cloudtrail get-trail-status (IsLogging) and, if the trail was narrowed rather than stopped, compare its event selectors against what you expect.
7. How do you differentiate between actions done by users vs. automation (like Lambda)?
Check userIdentity.type together with userIdentity.invokedBy. IAMUser, Root, FederatedUser, SAMLUser, WebIdentityUser and IdentityCenterUser are interactive principals; AWSService means an AWS service made the call itself, and invokedBy names a service (for example cloudformation.amazonaws.com) that acted on a principal's behalf. AssumedRole is ambiguous on its own: a Lambda function, an EC2 instance profile and an engineer signed in through IAM Identity Center all appear as AssumedRole, so look at sessionContext.sessionIssuer.arn (the role), the session name at the end of the ARN (Lambda uses the function name), and the userAgent and sourceIPAddress, which for service-originated calls usually show the SDK in use or an AWS-internal address rather than a browser.
8. How can you be alerted when a sensitive action, like deleting a KMS key, is performed?
Create an Amazon EventBridge rule (the successor of CloudWatch Events) with an event pattern for detail-type "AWS API Call via CloudTrail", source aws.kms and detail.eventName ScheduleKeyDeletion (add DisableKey, which has the same effect on workloads), and set an SNS topic or a Lambda function as the target. EventBridge receives CloudTrail management events without requiring a trail, but read-only Describe, Get and List calls are not forwarded. The alert is actionable because the key is not gone yet: ScheduleKeyDeletion starts a waiting period of 7 to 30 days during which CancelKeyDeletion reverses it.
9. Is it possible to track cross-account activity with CloudTrail?
Yes. Every event carries recipientAccountId (the account whose trail received it) alongside userIdentity.accountId (the account of the caller). When they differ, the call came from another account, and the AssumeRole call that started a cross-account session is recorded in both accounts with the same sharedEventID so the two copies can be correlated. Once inside the target account, the session looks local (userIdentity.accountId equals recipientAccountId, with sessionContext.sessionIssuer pointing at the target account's role), so the AssumeRole event is where the cross-account origin is visible. An organization trail collects all of this in one place.
10. How do you find out when a user assumed an IAM role using CloudTrail?
Look for AssumeRole events from sts.amazonaws.com (AssumeRoleWithSAML and AssumeRoleWithWebIdentity for federated sign-in). userIdentity shows who called, requestParameters.roleArn and roleSessionName show which role and session name were requested, and responseElements.assumedRoleUser.arn plus the temporary access key ID (ASIA...) identify the session. Every later call made with that session shows userIdentity.type AssumedRole with the same ARN and sessionContext.sessionIssuer set to the role, so you can follow the whole session from the one AssumeRole event.
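An added example (not part of the original page) serving questions 7, 9 and 10 together: describe_actor turns userIdentity into a short attribution record, classifying the caller as a human principal, an AWS service or a role session, reporting MFA state, and flagging cross-account activity by comparing the caller's account with recipientAccountId or with the roleArn of an AssumeRole call; follow_session then pulls every later event made with the session an AssumeRole returned. The records are constructed samples with made-up account IDs, role and user names.

```python
HUMAN_TYPES = {"IAMUser", "Root", "FederatedUser", "SAMLUser", "WebIdentityUser", "IdentityCenterUser"}


def account_of(arn):
    """Account ID field of an ARN (arn:partition:service:region:account:resource), or "" if absent."""
    parts = arn.split(":") if arn else []
    return parts[4] if len(parts) > 5 else ""


def describe_actor(rec):
    """Who made the call, how, and whether it crossed an account boundary."""
    ui = rec.get("userIdentity", {})
    kind = ui.get("type", "Unknown")
    session = ui.get("sessionContext", {})
    issuer = session.get("sessionIssuer", {})
    arn = ui.get("arn", "")
    invoked_by = ui.get("invokedBy")
    out = {
        "type": kind,
        "principal": arn or invoked_by or ui.get("principalId"),
        "issuer_role": issuer.get("arn"),                      # the IAM role behind an AssumedRole session
        "session_name": arn.rsplit("/", 1)[-1] if kind == "AssumedRole" else None,
        "invoked_by": invoked_by,                              # service acting on the principal's behalf
        "mfa": session.get("attributes", {}).get("mfaAuthenticated") == "true",
        "caller_account": ui.get("accountId"),
        "recipient_account": rec.get("recipientAccountId"),
    }
    if invoked_by or kind == "AWSService":
        out["origin"] = "aws-service"
    elif kind in HUMAN_TYPES:
        out["origin"] = "human"
    elif kind == "AssumedRole":
        out["origin"] = "role-session"   # a person via SSO/AssumeRole or a workload (Lambda, EC2, ECS)
    else:
        out["origin"] = "unknown"
    caller, recipient = out["caller_account"], out["recipient_account"]
    out["cross_account"] = bool(caller and recipient and caller != recipient)
    if rec.get("eventSource") == "sts.amazonaws.com" and rec.get("eventName", "").startswith("AssumeRole"):
        params = rec.get("requestParameters", {})
        out["assumed_role"] = params.get("roleArn", "")
        out["assumed_session"] = params.get("roleSessionName")
        target_account = account_of(out["assumed_role"])
        if caller and target_account and target_account != caller:
            out["cross_account"] = True
    return out


def follow_session(records, assume_rec):
    """Events made with the credentials an AssumeRole call returned (matched on the session ARN)."""
    session_arn = assume_rec.get("responseElements", {}).get("assumedRoleUser", {}).get("arn")
    return [r for r in records if session_arn and r.get("userIdentity", {}).get("arn") == session_arn]


# Constructed sample records; accounts 111122223333 (source) and 444455556666 (target) are made up.
SAMPLE = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice",
                      "accountId": "111122223333", "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/lambda-exec/my-function",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "lambda-exec",
                                                           "arn": "arn:aws:iam::111122223333:role/lambda-exec",
                                                           "accountId": "111122223333"},
                                         "attributes": {"mfaAuthenticated": "false"}}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "recipientAccountId": "111122223333",
     "sharedEventID": "4f1a2b3c-0000-4000-8000-000000000001",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "accountId": "111122223333"},
     "requestParameters": {"roleArn": "arn:aws:iam::444455556666:role/Audit", "roleSessionName": "alice-audit"},
     "responseElements": {"assumedRoleUser": {"arn": "arn:aws:sts::444455556666:assumed-role/Audit/alice-audit"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "recipientAccountId": "444455556666",
     "userIdentity": {"type": "AssumedRole", "accountId": "444455556666",
                      "arn": "arn:aws:sts::444455556666:assumed-role/Audit/alice-audit",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::444455556666:role/Audit",
                                                           "accountId": "444455556666"}}}},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["eventName"], describe_actor(rec))
    print("made with the audit session:", [r["eventName"] for r in follow_session(SAMPLE, SAMPLE[3])])
```

The last sample shows the point from question 9: inside the target account the audit session is a local AssumedRole whose accountId equals recipientAccountId, so only the AssumeRole event reveals where it came from.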
11. Can CloudTrail tell if an S3 bucket policy was modified?
Yes. Look for PutBucketPolicy (and DeleteBucketPolicy) events from s3.amazonaws.com. requestParameters.bucketName identifies the bucket and requestParameters.bucketPolicy carries the complete new policy as submitted. CloudTrail does not record the previous policy, only the new one, so keep your own copy (AWS Config's configuration history is the usual source) if you need to diff the change.
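An added example (not from the original page) of reviewing PutBucketPolicy records: it pulls the submitted policy from requestParameters.bucketPolicy (handled whether CloudTrail logged it as an object or as a JSON string, which is an assumption about the record shape) and flags Allow statements that grant a wildcard principal without any Condition. The records are constructed samples with made-up bucket names, users and organization ID.

```python
import json


def policy_from_event(rec):
    """The new policy in a PutBucketPolicy record, or None for any other event."""
    if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "PutBucketPolicy":
        return None
    pol = rec.get("requestParameters", {}).get("bucketPolicy")
    return json.loads(pol) if isinstance(pol, str) else pol


def has_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def risky_statements(policy):
    """Allow statements for a wildcard principal with no Condition at all.
    A Condition (aws:PrincipalOrgID, aws:SourceVpce, ...) still deserves a human look, but an
    unconditional "*" is public by definition."""
    out = []
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow" and has_wildcard_principal(st.get("Principal")) and not st.get("Condition"):
            out.append({"Sid": st.get("Sid"), "Action": st.get("Action"), "Resource": st.get("Resource")})
    return out


def review(records):
    """(bucket, actor ARN, risky statements) for each PutBucketPolicy that opens a bucket to everyone."""
    hits = []
    for rec in records:
        policy = policy_from_event(rec)
        if policy is None:
            continue
        bad = risky_statements(policy)
        if bad:
            hits.append((rec["requestParameters"]["bucketName"], rec.get("userIdentity", {}).get("arn"), bad))
    return hits


# Constructed sample records (buckets, users and org ID are made up).
def _put_policy(bucket, user, policy):
    return {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
            "eventTime": "2024-05-01T12:00:00Z", "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/" + user},
            "requestParameters": {"bucketName": bucket, "bucketPolicy": policy}}


SAMPLE = [
    _put_policy("audit-logs", "alice", {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::audit-logs/AWSLogs/111122223333/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}),
    _put_policy("shared-data", "bob", {"Version": "2012-10-17", "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::shared-data/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}),
    _put_policy("marketing-site", "mallory", json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::marketing-site", "arn:aws:s3:::marketing-site/*"]}]})),
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPolicy",
     "userIdentity": {"type": "IAMUser"}, "requestParameters": {"bucketName": "shared-data"}},
]

if __name__ == "__main__":
    for bucket, actor, bad in review(SAMPLE):
        print(bucket, "opened by", actor, "->", [s["Sid"] for s in bad])
```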
12. You received a bill spike alert. How can CloudTrail help identify the cause?
Start from Cost Explorer to find which service and region the spike is in, then look in CloudTrail for creation events for that service in the window before it (RunInstances, CreateBucket, CreateDBInstance, CreateCluster, RequestSpotInstances and so on). CloudTrail shows who launched what, when and from which IP, and requestParameters gives the instance type and count. Leaked access keys typically show up as RunInstances of large instance types in regions you never use, which is one reason to keep a multi-region trail and to alert on activity in unused regions.
13. Can CloudTrail track access to RDS or DynamoDB?
By default CloudTrail logs management actions (CreateDBInstance, ModifyDBInstance, DeleteTable, UpdateTable and so on) but not data access. For DynamoDB, item-level calls (GetItem, PutItem, Query, Scan, DeleteItem) can be logged as CloudTrail data events, which must be enabled per trail and are billed separately. SQL statements against RDS never appear in CloudTrail; use the engine's audit or general logs, or RDS Database Activity Streams, for query-level logging.
14. How do you ensure all AWS accounts in an org log to a central trail?
Create an organization trail from the Organizations management account (or a delegated CloudTrail administrator). It logs all current and future member accounts to one S3 bucket under a per-account prefix, and member accounts can see the trail but cannot modify, stop or delete it. Make it a multi-region trail with log file validation enabled so that no region or account is left out, and pair it with an SCP that denies cloudtrail:StopLogging and cloudtrail:DeleteTrail in member accounts for any trails they create themselves.
15. How can you know if someone tried to create a new IAM user or policy?
Check for CreateUser, CreateAccessKey, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, PutUserPolicy and AttachUserPolicy events from iam.amazonaws.com, along with their role and group equivalents (CreateRole, AttachRolePolicy, PutGroupPolicy). Failed attempts are logged too, with errorCode AccessDenied, and are often the more interesting signal. IAM is a global service, so these events are recorded in us-east-1 and the trail must include global service events to capture them.
16. What steps do you take if you find DeleteBucket in your logs unexpectedly?
Identify the actor from userIdentity (following sessionContext.sessionIssuer and the AssumeRole event for a role session), check sourceIPAddress and userAgent, and check whether sessionContext.attributes.mfaAuthenticated was true. Check whether the call succeeded (no errorCode) and what the bucket held; DeleteBucket only succeeds on an empty bucket, so look for the DeleteObject or DeleteObjects activity that preceded it. If it was not authorized, rotate or revoke the credentials involved and review GuardDuty findings for the same principal. Then add preventive controls, since alerts detect but do not prevent: an SCP or bucket policy denying s3:DeleteBucket and s3:DeleteObject on critical buckets, versioning with Object Lock, and an EventBridge rule on DeleteBucket so the next attempt is seen immediately.
17. How would you detect if a Lambda function was updated without approval?
Look for UpdateFunctionCode and UpdateFunctionConfiguration events from lambda.amazonaws.com. Note that Lambda's CloudTrail event names carry an API version suffix (UpdateFunctionCode20150331v2, UpdateFunctionConfiguration20150331v2), so match on the prefix rather than the exact name. Compare userIdentity against your deployment pipeline's role: a change made by a human user, or from any role other than the CI/CD role, is the anomaly. Set up an EventBridge rule on these events that alerts, or in strict environments triggers a rollback to the last approved version.
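An added example, not from the original page, serving questions 8 and 17: the two EventBridge event patterns, one for KMS key deletion (ScheduleKeyDeletion and DisableKey) and one for Lambda changes using prefix matchers to cope with the versioned event names, plus a small re-implementation of EventBridge's matching rules (exact and prefix matchers only; anything-but, numeric and exists matchers are not modelled) so the patterns can be exercised offline against constructed events before being deployed. The envelope shape follows what EventBridge delivers for "AWS API Call via CloudTrail"; the account and region values are made up.

```python
KMS_KEY_DELETION = {
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["kms.amazonaws.com"],
               "eventName": ["ScheduleKeyDeletion", "DisableKey"]},
}

LAMBDA_CHANGE = {
    "source": ["aws.lambda"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["lambda.amazonaws.com"],
               # Lambda event names carry an API version suffix, e.g. UpdateFunctionCode20150331v2
               "eventName": [{"prefix": "UpdateFunctionCode"}, {"prefix": "UpdateFunctionConfiguration"}]},
}

RULES = {"kms-key-deletion": KMS_KEY_DELETION, "lambda-change": LAMBDA_CHANGE}


def _value_matches(matcher, value):
    if isinstance(matcher, dict):
        if "prefix" in matcher:
            return isinstance(value, str) and value.startswith(matcher["prefix"])
        raise ValueError("matcher not modelled here: %r" % matcher)
    return matcher == value


def matches(pattern, event):
    """Simplified EventBridge semantics: every pattern key must exist in the event; a nested dict
    recurses; a list holds alternatives, and an event field that is itself a list matches if any
    of its elements matches any alternative."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(_value_matches(m, v) for m in expected for v in candidates):
                return False
    return True


def fired(event, rules=RULES):
    """Names of the rules whose pattern matches the event."""
    return [name for name, pattern in rules.items() if matches(pattern, event)]


def cloudtrail_event(source, event_source, event_name, **detail):
    """Constructed EventBridge envelope for a CloudTrail management event (account and region made up)."""
    return {"version": "0", "detail-type": "AWS API Call via CloudTrail", "source": source,
            "account": "111122223333", "region": "us-east-1",
            "detail": {"eventSource": event_source, "eventName": event_name, **detail}}


if __name__ == "__main__":
    for ev in (cloudtrail_event("aws.kms", "kms.amazonaws.com", "ScheduleKeyDeletion"),
               cloudtrail_event("aws.kms", "kms.amazonaws.com", "CreateKey"),
               cloudtrail_event("aws.lambda", "lambda.amazonaws.com", "UpdateFunctionCode20150331v2"),
               cloudtrail_event("aws.lambda", "lambda.amazonaws.com", "GetFunction20150331v2")):
        print(ev["detail"]["eventName"], "->", fired(ev))
```

The pattern dicts can be used as the EventPattern of a real rule unchanged; the SNS topic or Lambda function is configured as the rule's target. To exempt the deployment pipeline from the Lambda rule, add an anything-but matcher on detail.userIdentity.sessionContext.sessionIssuer.arn for the CI/CD role.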
18. Can CloudTrail detect CLI/API activity?
Yes. Every call made through the AWS CLI or an SDK is recorded as a management event (or, where enabled, a data event) with requestParameters, userAgent (for example aws-cli/2.x or Boto3/...), sourceIPAddress and the access key ID used. Console actions are logged the same way because the console calls the same APIs; their userAgent typically contains console.amazonaws.com or signin.amazonaws.com, which is what lets you tell a scripted call from a click in the console.
19. How do you track changes to Route 53 DNS records?
Look for ChangeResourceRecordSets events from route53.amazonaws.com. requestParameters.changeBatch lists each change (CREATE, UPSERT or DELETE) with the record name, type, TTL and values as submitted. CloudTrail does not record the prior state of a record: an UPSERT shows only the new values, and a DELETE shows the values only because the API requires the caller to specify the record being removed. Route 53 is a global service, so these events land in us-east-1.
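An added example, not from the original page, that flattens the changeBatch of a ChangeResourceRecordSets record into rows and picks out the changes worth paging on (deletions and anything touching NS, MX, TXT, CAA or SOA records, the usual mail- and delegation-hijack targets). The record is a constructed sample; its key casing (changeBatch, resourceRecordSet, tTL) follows CloudTrail's lower-camel-case rendering of the API parameters, which is an assumption to verify against your own logs.

```python
WATCHED_TYPES = ("NS", "MX", "TXT", "CAA", "SOA")


def summarize_change_batch(rec):
    """Flatten a ChangeResourceRecordSets record into (action, name, type, ttl, values) rows.
    Only what the caller submitted is present: no row carries the previous value of an UPSERT."""
    if rec.get("eventSource") != "route53.amazonaws.com" or rec.get("eventName") != "ChangeResourceRecordSets":
        return []
    rows = []
    for change in rec["requestParameters"]["changeBatch"]["changes"]:
        rrs = change["resourceRecordSet"]
        values = [r["value"] for r in rrs.get("resourceRecords", [])]
        rows.append((change["action"], rrs["name"], rrs["type"], rrs.get("tTL"), values))
    return rows


def high_impact(rows):
    """Rows worth paging on: any DELETE, or a change to delegation, mail or certificate records."""
    return [r for r in rows if r[0] == "DELETE" or r[2] in WATCHED_TYPES]


# Constructed sample record (zone ID, account and values are made up).
SAMPLE_EVENT = {
    "eventSource": "route53.amazonaws.com", "eventName": "ChangeResourceRecordSets",
    "eventTime": "2024-05-01T13:00:00Z", "awsRegion": "us-east-1",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
    "requestParameters": {"hostedZoneId": "Z0123456789EXAMPLE", "changeBatch": {
        "comment": "migrate mail", "changes": [
            {"action": "UPSERT", "resourceRecordSet": {"name": "www.example.com.", "type": "A", "tTL": 300,
                                                       "resourceRecords": [{"value": "203.0.113.10"}]}},
            {"action": "DELETE", "resourceRecordSet": {"name": "example.com.", "type": "MX", "tTL": 3600,
                                                       "resourceRecords": [{"value": "10 mail.example.com."}]}},
            {"action": "CREATE", "resourceRecordSet": {"name": "_dmarc.example.com.", "type": "TXT", "tTL": 3600,
                                                       "resourceRecords": [{"value": "\"v=DMARC1; p=none\""}]}},
        ]}},
}

if __name__ == "__main__":
    rows = summarize_change_batch(SAMPLE_EVENT)
    for row in rows:
        print(row)
    print("high impact:", high_impact(rows))
```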
20. What if you want to log CloudTrail events in multiple regions?
Create a multi-region trail (the console does this by default; with the CLI pass --is-multi-region-trail to create-trail). It records events from every region, including regions enabled after the trail was created, and delivers them to a single S3 bucket with the region in the object key. Keep --include-global-service-events on so that IAM, STS, CloudFront and Route 53 events, which are logged in us-east-1, are captured as well; an organization trail applies the same setting across all accounts.