Certified Security - Specialty


If using CloudTrail combined with CloudWatch Events to alert on unwanted actions

What is technically the longest time between an unwanted event happening and an actual CloudWatch Event trigger? Could this be 15 minutes or 20 minutes? (going on the premise that CloudTrail logs are 15 minutes behind and recorded every 5 minutes)

lecube

CloudTrail docs mention "up to 15 minutes" for API events to get sent to S3. CloudWatch Logs docs mention "a few minutes". Once the CloudTrail events are sent to a CloudWatch Log, the alarms set up can start being evaluated. When the alarm is triggered depends on the alarm settings.

1 Answer

In my own experience the delay is minimal between a CloudTrail event and a CloudWatch event trigger. I recently set up an event rule looking for api-gateway rest-api update events via CloudTrail (there were no ‘native’ api gateway events I could look for) and these events trigger an api-gateway deployment. The delay is only a few seconds, so the CloudTrail event must be sent without delay. Maybe it is different for different services, and I do remember reading about a delay for CloudTrail events, but I suspect the delay is the actual delivery of the event to S3 (or CloudWatch logs), and not a delay for the actual event to be registered.
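The thread asks how long it takes for an unwanted API call to reach a rule target. A practical way to settle that for your own account is to have the rule target record the gap itself. The example below is added here and is not code from the thread or from AWS; it is a hypothetical Lambda-style handler that builds the event pattern for "AWS API Call via CloudTrail" events, checks the delivered event against a constructed watch list of unwanted actions, and computes two delays from the timestamps the event already carries: `detail.eventTime` (when the API call happened) versus the envelope `time` (when the event bus received it), and `detail.eventTime` versus the moment the handler ran. The watch list, account id, ARN and timestamps in `SAMPLE_EVENT` are constructed.

```python
"""Measure CloudTrail -> CloudWatch Events/EventBridge delivery delay for
watched API calls. Hypothetical handler; the sample event is constructed."""
import json
from datetime import datetime, timezone

# Constructed watch list of (eventSource, eventName) pairs to alert on.
UNWANTED = {
    ("apigateway.amazonaws.com", "UpdateRestApi"),
    ("cloudtrail.amazonaws.com", "StopLogging"),
}


def event_pattern(watched):
    """EventBridge event-pattern document for CloudTrail-sourced API calls.
    Note: listing sources and names side by side matches any combination of
    the two; the exact pair check is done in is_unwanted() below."""
    return {
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": sorted({src for src, _ in watched}),
            "eventName": sorted({name for _, name in watched}),
        },
    }


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp format used in CloudTrail records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_unwanted(event, watched=UNWANTED):
    """True when the event is a CloudTrail API call on the watch list."""
    d = event.get("detail", {})
    return (event.get("detail-type") == "AWS API Call via CloudTrail"
            and (d.get("eventSource"), d.get("eventName")) in watched)


def ingest_delay_seconds(event):
    """Seconds between the API call and the event bus receiving the event."""
    return (parse_time(event["time"])
            - parse_time(event["detail"]["eventTime"])).total_seconds()


def delivery_delay_seconds(event, now):
    """Seconds between the API call and `now`, the moment the target ran.
    This is the end-to-end figure the question above is asking about."""
    return (now - parse_time(event["detail"]["eventTime"])).total_seconds()


def handler(event, now=None):
    """Return an alert record for watched calls, None otherwise."""
    now = now or datetime.now(timezone.utc)
    if not is_unwanted(event):
        return None
    d = event["detail"]
    return {
        "action": f"{d['eventSource']}:{d['eventName']}",
        "actor": d.get("userIdentity", {}).get("arn", "unknown"),
        "ingest_delay_seconds": ingest_delay_seconds(event),
        "delivery_delay_seconds": delivery_delay_seconds(event, now),
    }


# Constructed sample in the shape of an "AWS API Call via CloudTrail" event.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.apigateway",
    "account": "123456789012",
    "time": "2020-01-01T12:00:07Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/example"},
        "eventTime": "2020-01-01T12:00:04Z",
        "eventSource": "apigateway.amazonaws.com",
        "eventName": "UpdateRestApi",
        "awsRegion": "us-east-1",
    },
}

if __name__ == "__main__":
    print(json.dumps(event_pattern(UNWANTED), indent=2))
    print(handler(SAMPLE_EVENT, now=parse_time("2020-01-01T12:00:09Z")))
```

Logging `ingest_delay_seconds` and `delivery_delay_seconds` from the real target over a few days gives a measured distribution for the services you care about, which is more useful than the documented upper bound when deciding whether a CloudWatch alarm period or an EventBridge rule is the right detection path.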
