Controls1 May 2026 7 min read

CloudTrail for SOC 2: Setting Up Audit Logging on AWS

Configure AWS CloudTrail for SOC 2 compliance. Learn multi-region trails, log file validation, S3 security, and how to use CloudTrail as audit evidence.

Key Takeaways

CloudTrail is the primary audit log for all AWS API activity — mandatory for SOC 2 CC7.2 and CC7.3.
Enable a multi-region trail in all AWS accounts logging management and data events.
Log file validation ensures logs haven't been tampered with — a key integrity requirement.
CloudTrail logs must be stored in a dedicated S3 bucket with access logging, versioning, and MFA delete enabled.
CloudWatch Alarms on CloudTrail provide real-time alerting for high-risk events.

In this guide

Why CloudTrail Is Essential for SOC 2
Setting Up a Multi-Region Trail
Securing CloudTrail Log Storage
Log File Validation
Data Event Logging
CloudWatch Alarms for SOC 2
CloudTrail Evidence for Auditors

Why CloudTrail Is Essential for SOC 2

AWS CloudTrail records every API call made in your AWS account — who did what, from where, and when. It is the foundational audit log for cloud infrastructure and directly satisfies SOC 2 criteria: CC7.2 (anomaly detection), CC7.3 (incident investigation), CC8.1 (change management audit trail), and CC6.1 (access control verification).

Without CloudTrail, you cannot answer the auditor's most basic question: "Show me every change made to your production infrastructure during the audit period." With CloudTrail, that question is answerable with a filtered log query.

Setting Up a Multi-Region Trail

Create a trail that applies to all regions: in CloudTrail console, create a new trail, name it (e.g., "org-management-trail"), select "Apply trail to all regions: Yes," enable for all accounts in your organization (if using AWS Organizations), and specify an S3 bucket for log storage.

Enable CloudTrail in all AWS accounts — not just your management account. Use AWS Organizations CloudTrail to create an organization-level trail from the management account that automatically applies to all member accounts. This is the most efficient approach for multi-account environments.

Via CLI: aws cloudtrail create-trail --name org-management-trail --s3-bucket-name your-cloudtrail-bucket --is-multi-region-trail --include-global-service-events --enable-log-file-validation.

Securing CloudTrail Log Storage

The S3 bucket receiving CloudTrail logs must itself be secured — an attacker who can delete logs can cover their tracks. Required bucket settings: (1) Block all public access — enable all four "Block public access" settings. (2) Enable versioning — prevents overwriting or deleting log objects. (3) Enable MFA delete — requires MFA authentication to delete objects or disable versioning. (4) Enable server-side encryption (SSE-KMS) — encrypt logs at rest with a KMS key. (5) Enable S3 access logging to a separate bucket — logs access to the log bucket itself.

Restrict bucket policy so that only the CloudTrail service principal (cloudtrail.amazonaws.com) can write to the bucket, and only designated log reviewers or automated tools can read from it.

Log File Validation

CloudTrail log file validation creates a digitally signed digest file for each hour of logs. The digest references the log files and their SHA-256 hashes, and is signed with a public/private key pair. You can validate the integrity of any log file using the AWS CLI: aws cloudtrail validate-logs --trail-arn your-trail-arn --start-time start --end-time end.

If a log file was modified or deleted after delivery, validation will fail. This provides the non-repudiation and integrity assurance auditors expect for audit logs. Ensure "Enable log file validation" is checked when creating or updating your trail.

Data Event Logging

By default, CloudTrail only logs management events (API calls that manage AWS resources). For SOC 2, you should also enable data event logging for high-value resources: S3 data events (GetObject, PutObject, DeleteObject) on buckets containing customer data, and Lambda function invocations.

Warning: data events significantly increase log volume and cost. Be selective — enable data events only for S3 buckets containing PII or sensitive customer data, not all buckets. Use S3 bucket-level settings to specify which buckets to log.

DynamoDB and RDS data events are logged through different mechanisms — CloudTrail for DynamoDB data events, and RDS Enhanced Monitoring or database audit logs (pgaudit for PostgreSQL, MariaDB audit plugin) for RDS.

CloudWatch Alarms for SOC 2

CloudTrail integrates with CloudWatch Logs to create metric filters and alarms for high-risk events. The CIS AWS Foundations Benchmark (which maps to SOC 2 CC7.2) recommends alarms for: root account usage, MFA console sign-in failures, IAM policy changes, CloudTrail configuration changes, S3 bucket policy changes, and Security Group rule changes.

Create a CloudWatch Log Group linked to CloudTrail, then create metric filters for each event type, and CloudWatch Alarms that fire when the metric exceeds zero. Route alarms to SNS topics connected to Slack or PagerDuty.

Alternatively, use AWS Security Hub with the CIS AWS Foundations Benchmark standard enabled — it checks many of these conditions automatically and consolidates findings.

CloudTrail Evidence for Auditors

(1) CloudTrail trail configuration screenshot showing multi-region enabled, all management events, log file validation, and S3 bucket. (2) S3 bucket policy screenshot. (3) AWS Config rule "cloud-trail-enabled" showing compliant status. (4) Log file validation output: aws cloudtrail validate-logs run for a representative period. (5) CloudWatch alarm configurations for CIS benchmark events. (6) Sample CloudTrail log query results showing investigation of a specific event — demonstrates you can actually use the logs.

Frequently Asked Questions

How long should CloudTrail logs be retained for SOC 2?

Retain CloudTrail logs for at least 12 months for SOC 2. Best practice is 90 days in S3 Standard (hot), 9 months in S3 Standard-IA, then transition to S3 Glacier for 6+ years. Configure S3 lifecycle policies to automate this tiering. The 7-year retention aligns with common audit and legal hold requirements.

Does CloudTrail log RDS database queries?

No. CloudTrail logs AWS API calls — creating, modifying, and deleting RDS instances. It does not log SQL queries. For database query logging, enable RDS database audit logs: pgaudit for PostgreSQL, general_log for MySQL, or MSSQL audit. These logs are evidence for CC6.1 (access to data) and CC7.2 (anomaly detection).

We use multiple AWS accounts. Do we need a CloudTrail trail in each?

Use an AWS Organizations CloudTrail trail created from the management account. It automatically enables CloudTrail in all current and future member accounts, and logs are centralized to a single S3 bucket in the management account. This is far more efficient than managing per-account trails.

What is the difference between CloudTrail and AWS Config for audit purposes?

CloudTrail logs API call events — who did what and when. AWS Config tracks resource configuration state — what resources exist and how they are configured over time. Both are needed for SOC 2. CloudTrail answers "who changed this?" Config answers "what did this look like before and after the change?" Use both together for complete audit coverage.

How do we query CloudTrail logs for a specific incident investigation?

Use AWS CloudTrail Lake (managed query service), Athena on the CloudTrail S3 bucket, or the CloudTrail console event history (last 90 days). For forensic investigation, export the relevant time range to Athena and query with SQL: SELECT * FROM cloudtrail_logs WHERE sourceIPAddress = 'x.x.x.x' AND eventTime BETWEEN ... .