CloudTrail Insights vs CloudTrail Events – A Comparison

In November 2019, Amazon Web Services announced the release of CloudTrail Insights, a new CloudTrail feature that leverages CloudTrail Events to highlight unexpected actions inside an organization’s cloud infrastructure.

What are CloudTrail Events?

AWS CloudTrail Events are a log of all API calls that have taken place inside an AWS environment. They’re a contemporaneous collection that allows organizations to track and audit activity often used to identify causes of any unexpected activity that has occurred inside an AWS environment.

What are CloudTrail Insights?

CloudTrail Insights are the result of Amazon applying Machine Learning to your CloudTrail Events. Historically, the logging and inspection of CloudTrail events have been onerous given their breadth and volume. Even once you’ve undertaken the highly challenging process of accessing and identifying any CloudTrail Events that may have had an effect (adverse or otherwise) on your environment, it can be very tricky to identify the exact patterns and causes that may have led to any undesired outcomes.

Now, CloudTrail Insights will alert organizations to any pattern of events that deviates from a baseline of expected activity, rather than you having to identify the patterns after the fact.

By applying Machine Learning to an environment’s events and surfacing the resulting insights Amazon is able to short circuit the inspection process. CloudTrail Insights provide the answer to your questions rather than just the breadcrumbs to find your own way there.

CloudTrail Insights can be viewed inside the CloudTrail Console or via the AWS CLI. Equally, the Insights are stored inside your S3 bucket alongside your other CloudTrail Events.

The difference between CloudTrail Insights and CloudTrail Events

CloudTrail Events are a log of every event that takes place inside your AWS environment whereas CloudTrail Insights applies Machine Learning to report on “insights” into groups of events that deviate from expected behavior.

Should I activate Insights?

If you’re already using CloudTrail Events (which you should be), there’s no hard in activating Insights as well. Often, CloudTrail Events go unnoticed and unaudited until such time as something has already gone wrong. One way to remedy this is to leverage Insights to surface any patterns of malfeasance before they occur.

Equally, that’s why GorillaStack created its Real Time Events product, to allow organizations to track and react to unexpected singular events in real time. As an alternative to Insights which requires an accumulation of unexpected behavior to surface warnings, GorillaStack will remediate before an accumulation of events gets the opportunity to do any real damage.

You can start a free trial in less than a minute and execute alerts and remediation within seconds of an unexpected events.