Centralized AWS security monitoring lab using CloudTrail, CloudWatch, and Athena to detect root account usage and unauthorized API calls. Includes saved queries, dashboards and threat-hunting examples.

AWS-CSS-Portfolio/logging-monitoring

AWS CSS - Domain 2 - Centralized Security Monitoring with CloudTrail, CloudWatch & Athena.

Built a centralized logging and monitoring architecture in AWS using CloudTrail, CloudWatch and Athena to detect suspicious API activity such as root account usage, API calls without MFA and attempts to disable logging.

Why it matters: Security analytics on CloudTrail logs allow proactive detection of risky behavior across an AWS Organization. By combining logging, alerts and query-based hunting, teams gain real-time visibility and the ability to investigate at scale.

Overview

CloudTrail is the foundation for AWS security monitoring, but raw logs in S3 are not actionable. This lab demonstrates how to:

  • Centralize CloudTrail logs across accounts.
  • Detect high-risk API activity with CloudWatch alarms.
  • Hunt for suspicious events with Athena queries.

Objectives

  • Enable organization-wide CloudTrail logging.
  • Detect sensitive events like ConsoleLogin, DeleteBucket and StopLogging.
  • Query logs in Athena for insights into MFA usage and root account activity.
  • Deliver alerts via SNS for immediate notification.

Diagram

Flow: CloudTrail Logs → S3 → CloudWatch Alarms (real-time detection) → Athena Queries (threat hunting) → QuickSight Dashboard (visualization & reporting) → SNS Notifications

(Figure: Domain 2 Architecture diagram)


Steps Performed

1. CloudTrail Setup & Log Delivery

  • Created org-wide CloudTrail trail OrgSecurityTrail.
  • Configured delivery to S3 bucket org-security-trail-logs-ssc.
  • Validated logs stored in S3 (Screenshots: S3-BucketLogs.png & CloudTrail-LogFile.png).
  • Integrated CloudTrail with CloudWatch Logs (Screenshot: CloudTrail-To-CloudWatch.png).

2. CloudWatch Alarms for Critical Events

  • Created metric filter for ConsoleLogin.
  • Configured CloudWatch Alarm on the ConsoleLoginCount metric.
  • Delivered real-time notifications via SNS.
  • Validated that the alarm triggered on login (Screenshots: MetricFilter-ConsoleLogin.png, CloudWatch-Metric-ConsoleLogin.png, CloudWatch-Alarm-ConsoleLogin.png, CloudWatch-Alarm-Triggered.png, SNS-SubscriptionEmail.png & SNS-EmailAlert.png).

3. Athena Threat-Hunting Queries

  • Created Athena database cloudtraillabdb (Screenshot: Athena-CreateDatabase.png).
  • Defined external table cloudtrail_events pointing to the CloudTrail logs (Screenshot: Athena-CreateTable.png).
  • Ran baseline queries to sample logs (Screenshot: Athena-QuerySample.png).
  • Queried for API calls without MFA and root account usage (Screenshots: Athena-NonMFA.png & Athena-RootUsage.png).
  • Built an advanced query for the top 5 API calls by frequency (Screenshot: Athena-Top5APICalls.png).
  • Saved queries for reuse (Screenshot: Athena-SavedQueries.png).

4. Cleanup

  • Deleted CloudWatch Alarms and the SNS topic to stop notifications.
  • Removed the Athena table and database to avoid unnecessary storage costs.
  • Deleted the S3 bucket used for CloudTrail logs (after verifying no other trails depended on it).
  • Disabled or deleted the CloudTrail trail created for the lab.
  • Removed the QuickSight dataset and analysis to free up SPICE capacity.
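The Athena side of Step 3, written out as an added example (these are not the repository's saved queries, which appear only in the screenshots). The database, table and bucket names are the ones used in this lab; <ORG-ID> and <ACCOUNT-ID> are placeholders to fill in; the table DDL follows the column layout AWS documents for CloudTrail tables, trimmed to the columns these hunts use. The last query covers the "attempts to disable logging" objective: StopLogging and DeleteBucket are the lab's examples, and DeleteTrail, UpdateTrail and PutEventSelectors are added here.

```sql
-- Added example, not the lab's own saved queries. <ORG-ID> and <ACCOUNT-ID>
-- are placeholders; the DeleteTrail/UpdateTrail/PutEventSelectors names below
-- are additions to the lab's StopLogging/DeleteBucket list.
CREATE DATABASE IF NOT EXISTS cloudtraillabdb;

-- CloudTrail record layout. Every scalar is a STRING, including booleans such
-- as readonly and mfaauthenticated, so compare against 'true'/'false' literals.
CREATE EXTERNAL TABLE IF NOT EXISTS cloudtraillabdb.cloudtrail_events (
  eventversion STRING,
  useridentity STRUCT<
    type:STRING,
    principalid:STRING,
    arn:STRING,
    accountid:STRING,
    invokedby:STRING,
    accesskeyid:STRING,
    username:STRING,
    sessioncontext:STRUCT<
      attributes:STRUCT<mfaauthenticated:STRING, creationdate:STRING>,
      sessionissuer:STRUCT<type:STRING, principalid:STRING, arn:STRING,
                           accountid:STRING, username:STRING>>>,
  eventtime STRING,
  eventsource STRING,
  eventname STRING,
  awsregion STRING,
  sourceipaddress STRING,
  useragent STRING,
  errorcode STRING,
  errormessage STRING,
  requestparameters STRING,
  responseelements STRING,
  additionaleventdata STRING,
  requestid STRING,
  eventid STRING,
  resources ARRAY<STRUCT<arn:STRING, accountid:STRING, type:STRING>>,
  eventtype STRING,
  readonly STRING,
  recipientaccountid STRING
)
ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://org-security-trail-logs-ssc/AWSLogs/<ORG-ID>/<ACCOUNT-ID>/CloudTrail/';

-- Baseline sample: confirm the table parses before hunting.
SELECT eventtime, eventsource, eventname, useridentity.type AS identity_type, sourceipaddress
FROM cloudtraillabdb.cloudtrail_events
WHERE from_iso8601_timestamp(eventtime) >= date_add('day', -7, now())
LIMIT 20;

-- Root account usage: console sign-ins (eventtype = 'AwsConsoleSignIn') and
-- API calls both appear; any hit deserves a ticket.
SELECT eventtime, eventtype, eventname, eventsource, awsregion, sourceipaddress, useragent
FROM cloudtraillabdb.cloudtrail_events
WHERE useridentity.type = 'Root'
ORDER BY eventtime DESC;

-- API calls without MFA. sessioncontext exists only for temporary credentials;
-- a call made with a long-term access key carries no mfaauthenticated field at
-- all, and COALESCE reads that absence as "no MFA", which is the correct reading.
-- invokedby IS NULL drops calls a service made on the principal's behalf;
-- readonly = 'false' keeps the list to mutating calls (omit it to see all).
SELECT eventtime, useridentity.arn AS principal_arn, eventsource, eventname, sourceipaddress
FROM cloudtraillabdb.cloudtrail_events
WHERE useridentity.type IN ('IAMUser', 'Root')
  AND COALESCE(useridentity.sessioncontext.attributes.mfaauthenticated, 'false') = 'false'
  AND useridentity.invokedby IS NULL
  AND readonly = 'false'
ORDER BY eventtime DESC;

-- Console sign-ins without MFA: for ConsoleLogin the MFA fact is in
-- additionaleventdata (a JSON string), not in sessioncontext.
SELECT eventtime, useridentity.arn AS principal_arn, sourceipaddress,
       json_extract_scalar(responseelements, '$.ConsoleLogin') AS outcome
FROM cloudtraillabdb.cloudtrail_events
WHERE eventname = 'ConsoleLogin'
  AND json_extract_scalar(additionaleventdata, '$.MFAUsed') = 'No'
ORDER BY eventtime DESC;

-- Top 5 API calls by frequency over the last 7 days.
SELECT eventsource, eventname, count(*) AS calls
FROM cloudtraillabdb.cloudtrail_events
WHERE from_iso8601_timestamp(eventtime) >= date_add('day', -7, now())
GROUP BY eventsource, eventname
ORDER BY calls DESC
LIMIT 5;

-- Attempts to disable or blind logging. errorcode shows whether the call was
-- denied; a denied StopLogging is still a signal worth alerting on.
SELECT eventtime, useridentity.arn AS principal_arn, eventname, requestparameters, errorcode
FROM cloudtraillabdb.cloudtrail_events
WHERE eventname IN ('StopLogging', 'DeleteTrail', 'UpdateTrail',
                    'PutEventSelectors', 'DeleteBucket')
ORDER BY eventtime DESC;
```

Athena executes one statement per query run, so paste these in one at a time. The table is unpartitioned, which is fine for a lab but means every query scans the whole prefix; for a long-lived org trail, add partitions (or partition projection) on region and date so the time-bounded hunts only read the days they ask for.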

Screenshots

All screenshots are included in the screenshots/ folder.

Step | Filename | Description
---- | -------- | -----------
1 | S3-BucketLogs.png | S3 bucket containing CloudTrail logs
1 | CloudTrail-LogFile.png | Raw CloudTrail JSON event in S3
1 | CloudTrail-To-CloudWatch.png | Trail integrated with CloudWatch Logs
2 | MetricFilter-ConsoleLogin.png | Metric filter for detecting ConsoleLogin events
2 | CloudWatch-Metric-ConsoleLogin.png | ConsoleLoginCount metric visible in CloudWatch
2 | CloudWatch-Alarm-ConsoleLogin.png | CloudWatch Alarm created on ConsoleLoginCount
2 | CloudWatch-Alarm-Triggered.png | Alarm triggered after login event
2 | SNS-SubscriptionEmail.png | SNS email subscription confirmation
2 | SNS-EmailAlert.png | Real-time SNS alert delivered via email
3 | Athena-CreateDatabase.png | Athena database created for CloudTrail
3 | Athena-CreateTable.png | External table defined on CloudTrail logs
3 | Athena-QuerySample.png | Sample query results from CloudTrail logs
3 | Athena-NonMFA.png | Query results: API calls without MFA
3 | Athena-RootUsage.png | Query results: Root account usage
3 | Athena-Top5APICalls.png | Query results: Top 5 API calls by frequency
3 | Athena-SavedQueries.png | Saved queries in Athena

Lessons Learned

  • CloudTrail is central: It provides the raw data needed for all AWS security monitoring.
  • CloudWatch detects in real time: Metric filters and alarms ensure immediate visibility into sensitive events.
  • Athena scales threat hunting: SQL queries let you investigate activity patterns without standing up infrastructure.
  • Permissions matter: Missing QuickSight S3 permissions caused initial errors — always check IAM + bucket access.
  • Real-world takeaway: Combining logging, monitoring, analytics and visualization provides a complete security monitoring pipeline.

Contact

Sebastian Silva C. – September 2025 – Berlin, Germany.
