CloudTrail records every API call made in your AWS account. This sounds comprehensive until you discover the defaults: management events only (not data events), single-region logging (not all regions), an S3 bucket without MFA Delete (vulnerable to tampering), and no CloudWatch Logs integration (so logs sit in S3 with no real-time alerting capability). A trail left at the AWS defaults satisfies almost none of what security and compliance actually require.
This guide covers every CloudTrail configuration decision that matters: trail type, event types, delivery settings, bucket security, log integrity, and the integration with CloudWatch Logs and EventBridge that transforms CloudTrail from an audit archive into a real-time detection platform.
Organization Trail vs. Per-Account Trails
For any organization using AWS Organizations, an organization trail is the correct foundation. Created in the management account, an organization trail automatically captures management events from every account in the organization and delivers them to a centralized S3 bucket. New accounts added to the organization are automatically covered without any manual configuration.
Per-account trails remain necessary for two purposes: enabling CloudWatch Logs integration for real-time alerting in specific accounts (organization trails can only deliver to S3 and CloudWatch Logs in the management account's region), and capturing data events (S3 GetObject/PutObject, Lambda invocations, DynamoDB operations) at the account level where the activity occurs. Use an organization trail as your base audit layer and supplement with per-account trails for data events and real-time alerting.
Management Events vs. Data Events
Management events record control plane API calls: creating and deleting resources, modifying IAM policies, changing security group rules. These events are what most security monitoring relies on and are included in the base CloudTrail price. Enable management events in all regions via your organization trail — this is non-negotiable.
Data events record data plane API calls: reading and writing S3 objects (GetObject, PutObject), invoking Lambda functions, reading and writing DynamoDB tables. These events are not enabled by default and carry significant cost at scale — for a high-traffic S3 bucket, data event logging can cost more than the underlying storage. Enable data events selectively: any S3 bucket containing sensitive data, any Lambda function executing privileged operations, any DynamoDB table containing regulated data.
CloudTrail Insights is a separate feature that analyzes management event patterns and alerts on unusual API call volumes. It is particularly valuable for detecting API abuse — a compromised credential making 10x the normal volume of DescribeInstances calls, or a burst of CreateUser calls indicating privilege escalation. Enable CloudTrail Insights for accounts where API abuse detection is a priority.
S3 Bucket Security for Trail Logs
The S3 bucket receiving CloudTrail logs is a critical security control. If an attacker can delete or modify the logs, your audit trail is compromised. Apply these protections to the CloudTrail bucket:
Enable S3 Object Lock with Compliance mode for long-term retention. Compliance mode prevents any principal — including the root account — from deleting or overwriting objects within the retention period. Set the retention period based on your compliance requirements (PCI DSS requires 12 months, many regulations require 7 years for financial records).
Enable S3 Versioning as a backstop if Object Lock is not appropriate. Versioning prevents object deletion from permanently removing data — deleted objects become noncurrent versions that can be recovered. Combined with MFA Delete (which requires MFA authentication to delete versions), this provides strong protection against accidental or malicious log deletion.
Restrict bucket access to CloudTrail service principal and auditor roles only. The bucket policy should explicitly deny all other access, including from the account's own administrators. Keeping the CloudTrail bucket in a dedicated logging account rather than the same account being monitored provides an additional layer of protection — an attacker who compromises the monitored account cannot reach the logging bucket.
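The bucket policy the three paragraphs above describe, as an added example that is not the article's own code: it builds a policy that lets only the CloudTrail service principal write (scoped to one trail via aws:SourceArn) and denies deletion and policy changes to everyone except an auditor role, and it audits an arbitrary policy for the two protections. The bucket name, account id, trail ARN and role ARN in the test are constructed placeholders.

```python
"""Build and audit a CloudTrail log bucket policy (added example; placeholder ARNs)."""


def cloudtrail_bucket_policy(bucket: str, account: str, trail_arn: str,
                             auditor_role_arn: str) -> dict:
    """Allow CloudTrail to write, allow nothing else to tamper."""
    ct = {"Service": "cloudtrail.amazonaws.com"}
    return {"Version": "2012-10-17", "Statement": [
        # CloudTrail may check the ACL and write logs, but only on behalf of this
        # trail: aws:SourceArn stops another account's trail writing into the bucket.
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": ct,
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": ct,
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        "aws:SourceArn": trail_arn}}},
        # Nobody but the auditor role may delete objects or versions, change the
        # policy or lifecycle, or drop the bucket. This covers the monitored
        # account's own administrators, which is the point of the deny.
        {"Sid": "DenyTamperExceptAuditor", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutBucketPolicy",
                    "s3:DeleteBucketPolicy", "s3:PutLifecycleConfiguration",
                    "s3:DeleteBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": auditor_role_arn}}},
    ]}


def audit_bucket_policy(policy: dict) -> list:
    """Flag CloudTrail allows that lack aws:SourceArn and the absence of any
    Deny on s3:DeleteObject. An empty list means both protections are present."""
    findings, has_delete_deny = [], False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow" and st.get("Principal") == {"Service": "cloudtrail.amazonaws.com"}:
            conds = st.get("Condition", {}).get("StringEquals", {})
            if "aws:SourceArn" not in conds:
                findings.append(f"{st.get('Sid', '?')}: CloudTrail allow without aws:SourceArn")
        if st["Effect"] == "Deny" and "s3:DeleteObject" in actions:
            has_delete_deny = True
    if not has_delete_deny:
        findings.append("no Deny statement covering s3:DeleteObject")
    return findings
```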
CloudWatch Logs Integration
Delivering CloudTrail logs to CloudWatch Logs enables real-time metric filters and alarms. Without this integration, you can only detect threats by polling S3 — which introduces significant latency. With CloudWatch Logs, you can create metric filters that increment a counter when specific API calls appear (root login, IAM policy changes, security group modifications), and CloudWatch alarms that trigger SNS notifications when these counters exceed thresholds.
The latency for CloudWatch Logs delivery is typically 5–15 minutes from when the API call occurs. This is not real-time, but it is significantly faster than the batch delivery to S3 (which can take up to 15 minutes). For lower latency, use EventBridge directly from CloudTrail — EventBridge delivers management events with roughly 1–2 second latency and is the preferred mechanism for real-time security alerting.
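An offline model of the three metric filters named above (root login, IAM policy change, security group modification), run over constructed CloudTrail records; this is an added example, not code from the article. The comment above each rule gives the equivalent CloudWatch Logs JSON filter pattern, and the event-name sets are my selection, not an exhaustive list.

```python
"""Metric-filter logic for CloudTrail records (added example, constructed data)."""
import json
from collections import Counter

IAM_POLICY_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                     "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                     "CreatePolicy", "CreatePolicyVersion", "DeletePolicy"}
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}

# Rule name -> predicate. The comment above each is the equivalent CloudWatch
# Logs JSON filter pattern you would attach to the CloudTrail log group.
RULES = {
    # { $.userIdentity.type = "Root" && $.eventName = "ConsoleLogin" }
    "RootConsoleLogin": lambda e: (e.get("userIdentity", {}).get("type") == "Root"
                                   and e.get("eventName") == "ConsoleLogin"),
    # { $.eventSource = "iam.amazonaws.com" && ($.eventName = PutUserPolicy || ...) }
    "IamPolicyChange": lambda e: (e.get("eventSource") == "iam.amazonaws.com"
                                  and e.get("eventName") in IAM_POLICY_EVENTS),
    # { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = ...) }
    "SecurityGroupChange": lambda e: e.get("eventName") in SG_EVENTS,
}


def matching_rules(event: dict) -> list:
    """Names of every rule the CloudTrail record matches (empty for noise)."""
    return [name for name, pred in RULES.items() if pred(event)]


def count_matches(log_lines) -> Counter:
    """Run the rules over newline-delimited CloudTrail JSON records; the
    Counter holds the metric value each filter would emit for the batch."""
    hits = Counter()
    for line in log_lines:
        if line.strip():
            hits.update(matching_rules(json.loads(line)))
    return hits


def breached(hits: Counter, thresholds: dict) -> list:
    """Rules whose count reaches the alarm threshold (default 1 = any hit)."""
    return sorted(n for n, c in hits.items() if c >= thresholds.get(n, 1))


# Constructed sample records, trimmed to the fields the rules inspect.
SAMPLE_LOG = """\
{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "userIdentity": {"type": "Root"}}
{"eventName": "AttachRolePolicy", "eventSource": "iam.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "deploy"}}
{"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "AssumedRole"}}
{"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "AssumedRole"}}
{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "alice"}}
"""

if __name__ == "__main__":
    h = count_matches(SAMPLE_LOG.splitlines())
    print(dict(h), breached(h, {}))
```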
Log File Validation
Enable log file validation on every trail. CloudTrail generates a digest file every hour that contains SHA-256 hashes of the log files delivered in that period and the digest file's own hash chain. AWS signs the digest with an RSA private key. To verify that logs have not been modified or deleted, use the AWS CLI: aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>. This command validates the hash chain and reports any missing or tampered files.
Run log validation as part of your periodic security reviews or automate it with a Lambda function that runs weekly and alerts if validation fails. A validation failure indicates either a technical delivery issue or deliberate log tampering — both warrant investigation.
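The hash-chain part of the validation described above, as an added example that is not the article's or AWS's code, for when you want to check a digest against log files you have already pulled from the bucket. It assumes the digest field names I understand CloudTrail to use (logFiles[].s3Object, hashValue, hashAlgorithm, previousDigestHashValue) and that hashes cover the uncompressed contents; the RSA signature over the digest is not checked here, since that needs the public key from aws cloudtrail list-public-keys. All data is constructed.

```python
"""Offline CloudTrail digest check: per-file SHA-256 and the previous-digest chain."""
import hashlib
import json
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(digest: dict, objects: dict, previous_digest: Optional[bytes]) -> list:
    """Return findings; empty means every covered log file is present with the
    recorded hash and the link to the previous digest holds. `objects` maps an
    S3 key to that object's uncompressed bytes, as fetched from the bucket."""
    findings = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry.get("hashAlgorithm", "SHA-256") != "SHA-256":
            findings.append(f"{key}: unsupported hash algorithm {entry['hashAlgorithm']}")
        elif key not in objects:
            findings.append(f"{key}: missing (deleted?)")  # deletion shows as absence
        elif sha256_hex(objects[key]) != entry["hashValue"]:
            findings.append(f"{key}: hash mismatch (modified?)")
    expected_prev = digest.get("previousDigestHashValue")
    if expected_prev is None:
        pass  # first digest in a chain has no predecessor
    elif previous_digest is None:
        findings.append("previous digest missing: chain broken")
    elif sha256_hex(previous_digest) != expected_prev:
        findings.append("previous digest hash mismatch: chain broken")
    return findings


# Constructed sample data; the account id and keys are placeholders.
PREFIX = "AWSLogs/111111111111/CloudTrail/us-east-1/2024/01/01/"
LOG_A = b'{"Records":[{"eventName":"ConsoleLogin","userIdentity":{"type":"Root"}}]}'
LOG_B = b'{"Records":[{"eventName":"AttachRolePolicy"}]}'
PREV_DIGEST = json.dumps({"logFiles": [], "previousDigestHashValue": None}).encode()
DIGEST = {
    "previousDigestHashValue": sha256_hex(PREV_DIGEST),
    "logFiles": [
        {"s3Object": PREFIX + "a.json.gz", "hashValue": sha256_hex(LOG_A), "hashAlgorithm": "SHA-256"},
        {"s3Object": PREFIX + "b.json.gz", "hashValue": sha256_hex(LOG_B), "hashAlgorithm": "SHA-256"},
    ],
}
INTACT = {PREFIX + "a.json.gz": LOG_A, PREFIX + "b.json.gz": LOG_B}


def demo() -> tuple:
    """Intact bucket vs. one where a.json.gz was edited and b.json.gz deleted."""
    tampered = {PREFIX + "a.json.gz": LOG_A.replace(b"Root", b"IAMUser")}
    return verify_digest(DIGEST, INTACT, PREV_DIGEST), verify_digest(DIGEST, tampered, PREV_DIGEST)
```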
CloudTrail Lake
CloudTrail Lake is a managed analytics service for CloudTrail events. Instead of delivering logs to S3 and querying with Athena, CloudTrail Lake stores events in a managed data store optimized for query performance. SQL queries run directly against the event store with no Athena table configuration required. For organizations that need fast ad-hoc investigation queries and don't want to manage Athena infrastructure, CloudTrail Lake provides a convenient alternative at a cost measured per GB of data scanned.
Related Reading
- CloudTrail alerting patterns — real-time detection of critical API events
- CloudTrail log analysis — Athena queries and forensic investigation
- IAM security monitoring — detecting root logins and policy drift
- Multi-account monitoring — centralized logging architecture
FAQ
Does CloudTrail record every API call, including calls by AWS services on your behalf?
CloudTrail records API calls regardless of whether they originate from the console, CLI, SDK, or AWS service automation. CloudTrail distinguishes between user-initiated events (where the principal is a user or role) and AWS service-initiated events (where the principal is a service). Both types appear in the trail. You can filter CloudTrail logs to show only user-initiated events for security investigations focused on human or application activity.
How long should I retain CloudTrail logs?
Retention requirements vary by compliance framework. PCI DSS requires 12 months with 3 months immediately accessible. HIPAA recommends 6 years. SOC 2 auditors typically want 12 months of evidence. As a practical baseline, retain logs in S3 Standard for 90 days for fast investigation access, then transition to S3 Glacier Instant Retrieval for up to 7 years. CloudTrail Lake has configurable retention from 90 days to 7 years.
Can I exclude specific API calls from CloudTrail to reduce costs?
Yes. CloudTrail allows you to exclude specific management events — particularly high-volume, low-signal read-only calls like DescribeInstances, ListBuckets, and GetObject. Be careful about excluding read calls entirely: GetSecretValue calls on Secrets Manager and Decrypt calls on KMS are security-relevant read operations that you want in your logs.
What is the cost of CloudTrail?
The first copy of management events in each region is free. Additional copies of management events (for organization trails) cost $2.00 per 100,000 events. Data events cost $0.10 per 100,000 events. CloudTrail Insights costs $0.35 per 100,000 events analyzed. CloudTrail Lake costs $0.005 per GB of data ingested and $0.005 per GB scanned in queries.
Written by Vigilare Engineering
Platform Team