CloudQuery

AWS CloudTrail Log Detections

Monitor AWS CloudTrail logs for signs of compromise, unauthorized access, or abnormal API usage patterns.

About this report

Detect suspicious activity patterns across your AWS accounts by analyzing CloudTrail logs for security anomalies. Security teams can quickly spot potential account compromises, unauthorized access attempts, and risky administrative actions before they result in breaches.

Key questions

  • Is someone attempting to breach my AWS environment?
  • How can I detect unauthorized access to my AWS accounts?
  • Who's making changes to IAM policies in my AWS organization?
  • Is my root account being used inappropriately?

Visualizations in the report

Total AWS API Calls Logged

Shows overall API activity volume for your AWS organization. Establishes a baseline to help identify unusual spikes that might indicate automated attacks or compromised credentials.

API Requests by Region

Visualizes API call distribution across AWS geographic regions. Quickly detect activity in regions you do not normally use, which often indicates compromise.

Failed vs. Successful Login Attempts

Tracks authentication failures across your environment. Helps identify potential brute force attacks and credential stuffing attempts targeting your accounts.

IAM Policy Changes

Monitors modifications to permission policies and access controls. Catch unauthorized privilege escalations or security policy weakening attempts early.

Newly Created IAM Users

Shows when new identities appear in your AWS accounts. Verify these additions were authorized and not created by attackers establishing persistence.

Root Account Usage

Alerts on any use of the highly privileged root account. Since root should rarely be accessed in a secure environment, this visualization quickly highlights concerning behavior.

Top IAM Users by Activity

Lists the most active identities in your environment by API call volume. Spot potentially compromised accounts through unusual activity patterns or volume changes.

Top 5 Most Invoked APIs

Ranks the most frequently used AWS service calls. Helps security teams understand normal operational patterns and spot anomalous API usage.
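The checks behind several of these visualizations can be expressed directly against raw CloudTrail records. The sketch below is an added example, not CloudQuery's own code: it labels root usage, console login outcomes, IAM user creation, IAM policy changes, and out-of-region calls. The sample records are constructed, and `EXPECTED_REGIONS` is an assumed per-organization allowlist.

```python
import json
from collections import Counter

EXPECTED_REGIONS = {"us-east-1"}  # assumption: regions this organization normally uses
POLICY_CHANGE_EVENTS = {
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy", "AttachUserPolicy",
    "AttachRolePolicy", "AttachGroupPolicy", "DetachUserPolicy", "DetachRolePolicy",
    "DetachGroupPolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion", "DeletePolicy",
}

# Constructed sample records using standard CloudTrail field names (not real log data).
SAMPLE = """
{"eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","userIdentity":{"type":"Root"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventSource":"iam.amazonaws.com","eventName":"CreateUser","awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"userName":"svc-backup"}}
{"eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"userName":"svc-backup"}}
{"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"ap-southeast-2","userIdentity":{"type":"IAMUser","userName":"svc-backup"},"errorCode":"Client.UnauthorizedOperation"}
"""

def classify(event):
    """Return the list of detection labels that apply to one CloudTrail record."""
    labels = []
    ident = event.get("userIdentity") or {}
    source, name = event.get("eventSource"), event.get("eventName")
    if ident.get("type") == "Root":
        labels.append("root_usage")
    if name == "ConsoleLogin":
        # responseElements can be null in CloudTrail, so guard before reading it.
        result = (event.get("responseElements") or {}).get("ConsoleLogin")
        if result in ("Success", "Failure"):
            labels.append("login_" + result.lower())
    if source == "iam.amazonaws.com" and name == "CreateUser":
        labels.append("iam_user_created")
    if source == "iam.amazonaws.com" and name in POLICY_CHANGE_EVENTS:
        labels.append("iam_policy_change")
    if event.get("awsRegion") not in EXPECTED_REGIONS:
        labels.append("unexpected_region")
    return labels

def summarize(lines):
    """Count detections across newline-delimited JSON CloudTrail records."""
    counts = Counter()
    for line in lines.strip().splitlines():
        counts.update(classify(json.loads(line)))
    return counts

if __name__ == "__main__":
    print(sorted(summarize(SAMPLE).items()))
```

A record can carry more than one label: the root console login in the sample counts toward both root usage and successful logins.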

© 2025 CloudQuery, Inc. All rights reserved.