AWS CloudTrail is an AWS service that enables users to monitor and retain events related to their AWS account activity. These events include API calls made through the AWS Management Console, AWS CLI, and SDKs, as well as changes made to AWS resources. This can be useful for compliance, operational troubleshooting, and security purposes.

In this article, we will go over how to set up and configure AWS CloudTrail using Terraform.

Setting up AWS CloudTrail

To get started with AWS CloudTrail, you first need to create a trail. A trail is a configuration that enables AWS CloudTrail to record and log events. To create a trail with Terraform, you can use the aws_cloudtrail resource, which provides a declarative way to define the trail and its settings.

Here is an example of a simple Terraform configuration that creates a trail called my-cloudtrail:

resource "aws_cloudtrail" "my-cloudtrail" {
  name                       = "my-cloudtrail"
  s3_bucket_name             = "my-cloudtrail-bucket"
  enable_log_file_validation = true
}

In this example, the trail is created with the specified name, and its log files are delivered to an S3 bucket called my-cloudtrail-bucket (the bucket must already exist and have a bucket policy that allows CloudTrail to write to it). You can also specify additional settings, for example a KMS key with which to encrypt the logs, or whether CloudTrail should produce signed digest files so that the log files can be validated (the enable_log_file_validation setting shown above). For more information about the available settings, see the Terraform documentation for aws_cloudtrail.

Configuring CloudTrail settings

That trail is very simple and probably records more than you need. We can configure its settings to tailor it to our specific needs. AWS CloudTrail provides a variety of settings that you can use to customize your trail, including event selectors, data events, and management events.

Event selectors allow you to specify which API calls should be recorded by the trail. For example, you can choose to record only read or only write API calls, or only API calls made by a specific user or role. To configure event selectors with Terraform, you can use the event_selector block in the aws_cloudtrail resource.

resource "aws_cloudtrail" "my-cloudtrail" {
  name           = "my-cloudtrail"
  s3_bucket_name = "my-cloudtrail-bucket"

  event_selector {
    read_write_type = "WriteOnly"

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::my-bucket/*"]
    }
  }
}

In this example, the trail is configured to record only write API calls, and its data events are limited to operations on objects in the specified bucket.
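The two snippets above reference a bucket that Terraform never creates. The following is an added example, not code from the original post: it combines both snippets into a trail that can actually be applied, adding the S3 bucket, the public-access block, and the bucket policy CloudTrail requires in order to deliver logs. All names (example-cloudtrail-logs, example-data-bucket, example-cloudtrail) are placeholders, and the account ID is resolved from the caller's identity.

```hcl
# Added example (not from the original post). Bucket and trail names are placeholders.

data "aws_caller_identity" "current" {}

# Dedicated bucket for the audit log. Keep it separate from any bucket whose
# data events the trail records, otherwise every log delivery is itself logged.
resource "aws_s3_bucket" "trail" {
  bucket        = "example-cloudtrail-logs-${data.aws_caller_identity.current.account_id}"
  force_destroy = false
}

# Block public access so a later ACL or policy change cannot expose the audit log.
resource "aws_s3_bucket_public_access_block" "trail" {
  bucket                  = aws_s3_bucket.trail.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CloudTrail must be allowed to read the bucket ACL and to write log objects
# under AWSLogs/<account-id>/ with the bucket-owner-full-control ACL.
data "aws_iam_policy_document" "trail" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  statement {
    sid       = "AWSCloudTrailWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.trail.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = data.aws_iam_policy_document.trail.json
}

resource "aws_cloudtrail" "main" {
  name                          = "example-cloudtrail"
  s3_bucket_name                = aws_s3_bucket.trail.id
  is_multi_region_trail         = true # record activity in every region, not only the provider's region
  include_global_service_events = true # IAM, STS and other global-service events
  enable_log_file_validation    = true # signed digest files reveal tampered or deleted log files

  event_selector {
    read_write_type           = "WriteOnly"
    include_management_events = true # keep control-plane writes (IAM, EC2, ...) alongside the data events

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::example-data-bucket/*"]
    }
  }

  # CloudTrail checks the bucket policy when the trail is created, so the policy
  # must be in place first.
  depends_on = [aws_s3_bucket_policy.trail]
}
```

Two points to note when adapting this. First, include_management_events defaults to true in the event_selector block, so the WriteOnly selector in the original snippet also records management-plane writes, not only the S3 object events listed under data_resource; set it to false only if you intend to lose IAM and other control-plane changes. Second, log file validation is only useful if the digest files are actually checked: run `aws cloudtrail validate-logs` (with the trail ARN and a start time) as part of your review process, since the setting by itself does not alert on a missing or altered file.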

Viewing CloudTrail logs

Once you have set up and configured your trail, its logs are stored in the S3 bucket you specified. You can also view the events generated by the trail in the AWS Management Console by navigating to the CloudTrail service. From there you can browse the events recorded by your trail, together with their details, such as the source IP address, user identity, and event time.

You can also use the aws cloudtrail command with the lookup-events subcommand to search for the events that were logged by your trail. For example, this command lists all events in your CloudTrail logs with the name "ConsoleLogin", which indicates a user logging in to the AWS Management Console:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin

We can then use this information to generate a compliance report for our AWS account.

Conclusion

In this post, we have shown you how to set up and configure AWS CloudTrail using Terraform. By using CloudTrail, you can gain valuable insights into your AWS environment and improve your security and compliance posture. For example, you can use the logs to track changes made to your resources, or to investigate potential security incidents.