Skip to main content
Splunk Lantern

Amazon Web Services: CloudTrail and CloudWatch

CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. You can use it to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. In the Common Information Model, CloudTrail log data is typically mapped to the Authentication and Change data models.

CloudWatch is a service that provides data and actionable insights for AWS, hybrid, and on-premises applications and infrastructure resources. CloudWatch enables you to monitor your complete stack and leverage alarms, logs, and events data to take automated actions and reduce Mean Time to Resolution (MTTR). CloudWatch collects, aggregates, and summarizes compute utilization information like CPU, memory, disk, and network data, as well as diagnostic information like container restart failures, to help DevOps engineers isolate issues and resolve them quickly.

Data visibility 

CloudTrail data provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. It increases visibility into your user and resource activity by recording AWS Management Console actions and API calls so you can detect unusual activity. 

CloudWatch gives you actionable insights that help you optimize application performance, manage resource utilization, and understand system-wide operational health. It allows you to perform historical analysis for cost optimization and derive real-time insights into optimizing applications and infrastructure resources.

Data application

When your Splunk deployment is ingesting Amazon CloudTrail data, you can use the data to achieve the following objectives:

When your Splunk deployment is ingesting Amazon CloudWatch data, you can use the data to achieve the following objectives:

You may also be interested in the following:


Additional guidance for onboarding data can be found in the Spunk Documentation, Getting Data In (Splunk Enterprise) or Getting Data In (Splunk Cloud).

  • Was this article helpful?