
CloudTrail Query Runbooks for ISO 27001 Compliance


ISO 27001 demands control over access, changes, and monitoring. AWS CloudTrail captures every action taken in your account. The link between them is not theory—it’s compliance, proof, and security in real time.

Queries against CloudTrail logs can surface anomalies, detect unauthorized changes, and document evidence for audits. The challenge is speed. Most teams have the data, but no repeatable path to turn it into action. That’s where CloudTrail query runbooks come in.

A runbook is a predefined set of queries and steps you run whenever an ISO 27001 control needs validation. For example:

  • Filter CloudTrail events for changes to IAM policies.
  • Match results against approved changes logged in your change management system.
  • Generate reports that map findings to ISO 27001 clauses.

When structured as runbooks, these queries move from ad-hoc scripts to a permanent compliance asset. Engineers can run them after a suspected incident or before an audit. Managers can trust the outputs because the process is consistent and documented.

The best runbooks include:

  • Tight filters to reduce noise.
  • Clear mappings between CloudTrail fields and ISO 27001 requirements.
  • Steps for storing results in immutable form.
  • Execution checks so you know if the runbook was followed.
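
The example runbook steps listed earlier (filter IAM policy changes, match them to approved changes, map findings to a control) and the tight-filter and immutable-storage points in this list, as an added Python example that is not from the original post or from hoop.dev. The CloudTrail field and event names are real; the approvals format, ticket id, sample events, and the choice of Annex A 8.32 as the mapped control are assumptions.

```python
import hashlib
import json
from datetime import datetime

# Real CloudTrail eventName values for IAM calls that alter policies.
POLICY_EVENTS = {
    "PutRolePolicy", "PutUserPolicy", "PutGroupPolicy", "DeleteRolePolicy",
    "AttachRolePolicy", "AttachUserPolicy", "AttachGroupPolicy",
    "DetachRolePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion",
}
# Assumed mapping; replace with the control from your own Statement of Applicability.
CONTROL = "ISO/IEC 27001:2022 Annex A 8.32 (Change management)"

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def run_runbook(records, approvals):
    """Return (findings, sha256_hex) for successful IAM policy changes."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "iam.amazonaws.com" or "errorCode" in rec
                or rec.get("eventName") not in POLICY_EVENTS):
            continue  # tight filter: other calls and failed attempts changed no policy
        actor, when = rec["userIdentity"]["arn"], _ts(rec["eventTime"])
        ticket = next((a["id"] for a in approvals if a["actor"] == actor
                       and _ts(a["start"]) <= when <= _ts(a["end"])), None)
        findings.append({
            "eventID": rec["eventID"], "eventTime": rec["eventTime"],
            "eventName": rec["eventName"], "actor": actor, "control": CONTROL,
            "ticket": ticket, "status": "approved" if ticket else "UNAPPROVED",
        })
    # Digest of the canonical report: store it with the report in write-once storage.
    report = json.dumps(findings, sort_keys=True).encode()
    return findings, hashlib.sha256(report).hexdigest()

def _event(eid, time, name, user, source="iam.amazonaws.com", **extra):
    arn = f"arn:aws:iam::111122223333:user/{user}"  # placeholder account id
    return {"eventID": eid, "eventTime": time, "eventSource": source,
            "eventName": name, "userIdentity": {"arn": arn}, **extra}

# Constructed sample data, not real logs or tickets.
RECORDS = [
    _event("e-1", "2024-05-02T10:15:00Z", "AttachRolePolicy", "alice"),
    _event("e-2", "2024-05-02T23:40:00Z", "PutUserPolicy", "bob"),
    _event("e-3", "2024-05-03T08:00:00Z", "RunInstances", "alice", source="ec2.amazonaws.com"),
    _event("e-4", "2024-05-03T09:00:00Z", "CreatePolicyVersion", "bob", errorCode="AccessDenied"),
]
APPROVALS = [{"id": "CHG-1042", "actor": "arn:aws:iam::111122223333:user/alice",
              "start": "2024-05-02T09:00:00Z", "end": "2024-05-02T12:00:00Z"}]
```

Recomputing the digest over a stored report and comparing it with the recorded value shows whether the evidence changed after the run.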

CloudTrail query runbooks are not a theoretical exercise. They are hands-on, executable assurance for ISO 27001 readiness. Build them once, refine them over time, and make them part of your operational routine.

See how this works without writing code. Go to hoop.dev, run a CloudTrail query runbook, and watch it produce ISO 27001-ready evidence in minutes.
