CloudTrail Log Analyzer

Security audit & threat detection for AWS environments


What is AWS CloudTrail and why should you analyze it?

AWS CloudTrail records every API call made in your AWS account — who did what, when, from where, and whether it succeeded. Analyzing these logs is essential for security auditing, compliance (SOC 2, PCI-DSS, HIPAA), incident response, and detecting insider threats or compromised credentials. This tool parses your CloudTrail JSON logs entirely in your browser — your data never leaves your machine.

What threats does CloudTrail log analysis detect?

Root account logins, failed authentication attempts (brute force), privilege escalation via IAM policy changes, unusual geographic access, S3 bucket policy modifications, security group changes, new API keys, CloudTrail log tampering, and mass resource deletion events.

How do I download my CloudTrail logs from AWS?

Go to AWS Console → CloudTrail → Event History → Download events (JSON). Alternatively, your logs are stored in an S3 bucket (typically named aws-cloudtrail-logs-*). Download individual .json.gz files and decompress them. Each file contains a "Records" array of API events.

Is my CloudTrail data safe to upload here?

Yes — this tool runs entirely in your browser using JavaScript. Your log data is never transmitted to any server. You can verify this by checking your browser's network tab while running the analysis. No account data, IP addresses, or event information ever leaves your device.

What does errorCode in CloudTrail mean?

An errorCode field indicates the API call failed. Common codes: AccessDenied (missing IAM permissions), InvalidClientTokenId (invalid credentials), UnauthorizedOperation (EC2 authorization failure), NoSuchBucket (missing S3 bucket). High rates of AccessDenied from one principal often indicate a misconfiguration or a credential-stuffing attack.

What AWS services generate the most CloudTrail events?

IAM (identity operations), S3 (object access when data events are enabled), EC2 (instance management), STS (AssumeRole calls), Lambda (invocations), CloudFormation (stack operations), and RDS (database management) are typically the highest-volume sources in production accounts.

How do I detect credential compromise in CloudTrail?

Look for: API calls from new geographic regions or IPs, unusual hours of activity, sudden spikes in IAM or STS calls, CreateAccessKey followed by new service usage, ConsoleLogin from unfamiliar user-agents, and any use of the root account (which should almost never appear in normal operations).
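The detections the FAQ above describes (root activity, console brute force, log tampering, new access keys, AccessDenied spikes), as an added browser-style JavaScript example that is not the analyzer's own code; the rule names, thresholds and the sample records are constructed assumptions, and the input format is the "Records" array of a CloudTrail file.

```javascript
const TAMPER_EVENTS = new Set(["StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"]);

// Accepts the {"Records":[...]} layout of a CloudTrail file, or a bare array of events.
function parseCloudTrail(jsonText) {
  const doc = JSON.parse(jsonText);
  return Array.isArray(doc) ? doc : (doc.Records || []);
}

// Name the acting principal; AssumedRole events are attributed to the issuing role ARN.
function principalOf(rec) {
  const id = rec.userIdentity || {};
  if (id.type === "Root") return "root";
  if (id.type === "AssumedRole") return id.sessionContext?.sessionIssuer?.arn || id.arn || "unknown";
  return id.userName || id.arn || "unknown";
}

function analyzeCloudTrail(records, { failedLoginThreshold = 5, accessDeniedThreshold = 10 } = {}) {
  const findings = [], failedLoginsByIp = new Map(), deniedByPrincipal = new Map();
  const bump = (m, k) => m.set(k, (m.get(k) || 0) + 1);
  for (const rec of records) {
    const who = principalOf(rec), base = { eventName: rec.eventName, who, at: rec.eventTime };
    if (rec.userIdentity?.type === "Root")   // root should almost never appear in normal operations
      findings.push({ severity: "high", rule: "root-activity", ...base });
    if (TAMPER_EVENTS.has(rec.eventName))    // logging disabled or the trail altered
      findings.push({ severity: "critical", rule: "cloudtrail-tampering", ...base });
    if (rec.eventName === "CreateAccessKey" && !rec.errorCode)
      findings.push({ severity: "medium", rule: "new-access-key", ...base });
    if (rec.eventName === "ConsoleLogin" && rec.responseElements?.ConsoleLogin === "Failure")
      bump(failedLoginsByIp, rec.sourceIPAddress);
    if (rec.errorCode === "AccessDenied") bump(deniedByPrincipal, who);
  }
  for (const [ip, count] of failedLoginsByIp) if (count >= failedLoginThreshold)
    findings.push({ severity: "high", rule: "console-brute-force", sourceIp: ip, count });
  for (const [who, count] of deniedByPrincipal) if (count >= accessDeniedThreshold)
    findings.push({ severity: "medium", rule: "access-denied-spike", who, count });
  return findings;
}

// Constructed sample log (not real data): six failed console logins from one IP, a root login,
// a StopLogging call, a new access key, and twelve AccessDenied errors for one user.
function sampleRecords() {
  const ev = (eventName, extra) => ({ eventTime: "2024-01-01T00:00:00Z", awsRegion: "us-east-1",
    sourceIPAddress: "203.0.113.10", userIdentity: { type: "IAMUser", userName: "alice" }, eventName, ...extra });
  const recs = Array.from({ length: 6 }, () => ev("ConsoleLogin", { responseElements: { ConsoleLogin: "Failure" } }));
  recs.push(ev("ConsoleLogin", { userIdentity: { type: "Root", arn: "arn:aws:iam::123456789012:root" }, responseElements: { ConsoleLogin: "Success" } }));
  recs.push(ev("StopLogging", {}), ev("CreateAccessKey", {}));
  for (let i = 0; i < 12; i++) recs.push(ev("ListBuckets", { errorCode: "AccessDenied", userIdentity: { type: "IAMUser", userName: "bob" } }));
  return recs;
}
console.log(analyzeCloudTrail(parseCloudTrail(JSON.stringify({ Records: sampleRecords() }))));
```

Real trails need the thresholds tuned per account, and the "unusual region/IP/hour" checks from the FAQ require a baseline of normal activity that a single file does not carry.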
