Day 3 – Restricting users from disabling CloudTrail or creating IAM users
Welcome to Day 3 of 100 Days of AWS. Today's topic is restricting users from disabling CloudTrail or creating IAM users.
This is a common task in our daily work: we don't want users to be able to disable or stop logging to CloudTrail, or to create IAM users.
What Is AWS CloudTrail?
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

- It's enabled when the account is created (for 7 days)
- When activity occurs in your AWS account, that activity is recorded in a CloudTrail event.
- Entries can be viewed in Event History (for 90 days)
- Event logs can be aggregated across accounts and regions.
NOTE
- Historically, CloudTrail was not enabled by default.
- It logs only API calls; it does not log events such as SSH/RDP sessions.
As you can see, CloudTrail is important from an admin perspective, since it records the activity that occurs in your AWS account. At the same time, we don't want to give any user permission to create IAM users.
This can be achieved using a Service Control Policy (SCP). For more about SCPs, see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "iam:CreateUser"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}
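As an added example (not part of the original post), the following Python models how this Deny SCP combines with the default FullAWSAccess SCP that Organizations attaches to every account, so you can check which API actions it blocks before attaching it. It assumes the default FullAWSAccess SCP stays attached and simplifies evaluation by ignoring Resource and Condition.

```python
import fnmatch

# The SCP from this post (Deny on the three actions), as a Python dict.
DENY_CLOUDTRAIL_AND_IAM_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "iam:CreateUser"],
        "Resource": "*",
        "Effect": "Deny",
    }],
}

# Organizations attaches this "FullAWSAccess" SCP by default; without some Allow
# statement at the SCP layer, a Deny-only SCP would leave nothing permitted.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, statement):
    # IAM action matching is case-insensitive and allows '*' wildcards.
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scp_allows(action, policies):
    """Simplified SCP evaluation (Resource/Condition ignored, as the post's policy uses "*").
    The action passes the SCP layer only if some Allow matches and no Deny does;
    the principal still needs an IAM identity policy that grants it."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(action, stmt):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed

def denied_actions(actions, policies):
    """Subset of actions the SCP set blocks; useful as a check before attaching the policy."""
    return [a for a in actions if not scp_allows(a, policies)]

if __name__ == "__main__":
    scps = [FULL_AWS_ACCESS_SCP, DENY_CLOUDTRAIL_AND_IAM_SCP]
    print(denied_actions(["cloudtrail:StopLogging", "cloudtrail:LookupEvents", "iam:CreateUser"], scps))
```

Running it prints `['cloudtrail:StopLogging', 'iam:CreateUser']`, showing that read-only CloudTrail calls such as LookupEvents still pass the SCP layer while the denied actions are blocked regardless of the user's IAM permissions.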