Skip to main content

Capturing EKS API Calls with CloudTrail

Hands-On Lab


Photo of Mark Richman

Mark Richman

AWS Training Architect II in Content





What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Capturing EKS API Calls with CloudTrail


CloudTrail is one of the primary services for logging in AWS. CloudTrail logs every API call that is made to the account, the console, the command line, and the AWS SDK.

CloudTrail is very important in security because it records every API call executed on our resources. We can also create trails that allow us to store logs longer than 90 days and then use them to trigger automation events. For security purposes, it is considered best practice to make sure CloudTrial logging is always enabled.

In this hands-on AWS lab, we will:

  • Configure CloudTrail to capture key events and deliver log files to a specific S3 bucket
  • Generate AWS EKS API calls in order to verify that CloudTrail is working
  • Use the CloudTrail console to learn more about the events CloudTrail captures

Log in to the AWS Management Console with the credentials provided on the lab instructions page. Make sure you are using the us-east-1 (N. Virginia) region.

Create a CloudTrail Trail

  1. In the AWS Management Console, navigate to the CloudTrail service.
  2. Click Create Trail.
  3. On the Create trail page, configure the following settings:
    • Trail name: EKS (or any name you like)
    • Apply trail to all regions: Yes
    • Read/write events: All
    • Create a new S3 bucket: Yes
    • S3 bucket: (Give the bucket a unique name.)
  4. Click Create.
  5. Click the name of the bucket we just created to open it.
  6. At the top of the page, click Amazon S3.
  7. On the S3 buckets page, click the name of our bucket to open it.
  8. Click the AWSLogs folder to open it.
  9. Click the folder named with your account number to open it.

Create a New EKS Cluster

  1. Navigate to the EKS service.
  2. Under Create EKS cluster, enter a cluster name (e.g., "CloudTrail").
  3. Click Next step.
  4. On the Create cluster page, configure the following settings:
    • Role name: (Select the pre-provisioned role with ServiceRole in the name.)
    • VPC: (Select the pre-provisioned VPC from the dropdown.)
      • Note: The subnets should auto-populate.
    • Security groups: (Select the pre-provisioned security group with ControlPlaneSecurityGroup in the name.)
  5. Click Create.

Find the EKS CreateCluster API Action in the CloudTrail Event History

  1. Navigate to the CloudTrail service.
  2. Click Event history in the left sidebar.
  3. Wait about 15 minutes for CloudTrail to register the EKS CreateCluster API call. (You may need to refresh the page for it to appear.)
  4. Click the arrow on the left side of the CreateCluster row to see the event details.
  5. Click View event.
  6. Explore the JSON content under View Event, then click Close.

Find the CreateCluster API Call in the CloudTrail S3 Bucket

  1. Navigate to the S3 service.
  2. In the CloudTrail bucket, click each folder name until you reach a list of .gz log files.
  3. Open each .gz file and locate the CreateCluster API call in the JSON data.


Congratulations, you've successfully completed this hands-on lab!