
Multi-Cloud Security CloudTrail Query Runbooks


Managing security in a multi-cloud environment is one of the more challenging tasks in modern software operations. With AWS CloudTrail logging trillions of events each day across diverse services, digging through data to uncover risks can feel like finding a needle in a haystack. The problem compounds further when adding other cloud providers into the picture. This is where CloudTrail query runbooks can be a game-changer for securing your multi-cloud architecture.

Let’s break down what makes CloudTrail query runbooks useful, how they simplify cloud audit operations, and how to implement them to improve your security workflows—step by step.


Why CloudTrail Query Runbooks Matter in Multi-Cloud Security

What are they?
A CloudTrail query runbook is a set of predefined queries designed to sift through volumes of CloudTrail logs, pinpointing suspicious or notable activity. Instead of manually inspecting event logs, these reusable queries let you automate investigations, making it easy to pull insights in seconds.

Why do we care about CloudTrail query runbooks?
Cloud logs are noisy. Trying to manually search for malicious activity across services, users, or regions isn't practical. Runbooks provide focused search patterns to detect red flags for unauthorized access, privilege escalation attempts, or unusual API calls. They also remove guesswork by standardizing processes, leading to faster incident response times.


Common Security Scenarios Simplified by Query Runbooks

1. Detect Unauthorized API Calls

Malicious actors often attempt to access APIs they shouldn’t. Using prebuilt runbook queries, you can fetch API calls marked as unauthorized, and then trace the IP addresses or sessions behind them.

  • What to query for:
    Filter on denied operations: pair the eventName of each failed call with the errorCode field (values such as AccessDenied), then group the results by source IP and calling identity.
  • Why it helps:
    Identifying failed login attempts or blocked access quickly can prevent data breaches or further escalation.

2. Flag Configuration Changes

Unexpected changes to configurations—like opening a previously secured S3 bucket to public traffic—signal potential risks, unintentional errors, or active intrusions.

  • Query Tip:
    Look for PutBucketPublicAccessBlock, UpdateRole, or any administrative-level API calls.
  • Why it matters:
    Many data leaks stem from unauthorized configuration changes. Runbooks allow you to catch misconfigurations within minutes of their occurrence.

3. Identify Region-Specific Anomalies

Multi-region setups are common, but bad actors often exploit less-monitored regions to mask their tracks.

  • What to check:
    Query for access events in regions your organization does not normally use (e.g., the awsRegion of each call, paired with a sourceIPAddress whose geolocation is uncommon for that identity).
  • How this increases safety:
    Spotting activity in unfamiliar regions can point to compromised accounts or unauthorized systems in play.
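The three scenarios above share one shape: a filter over CloudTrail records followed by a grouping that tells the responder who, from where, and how often. The following Python is an added example (not code from the post or from Hoop.dev) that runs those three runbook queries over a constructed batch of CloudTrail-style records; the record fields used (eventName, errorCode, awsRegion, sourceIPAddress, userIdentity.arn) are real CloudTrail fields, while the sample events, the APPROVED_REGIONS allowlist and the extra entries in SENSITIVE_EVENTS beyond the two the post names are assumptions for the example.

```python
"""Three CloudTrail runbook queries over a small constructed batch of records.

Added example, not from the post or from Hoop.dev. The records are trimmed
to the CloudTrail fields the checks read; a real log file carries many more.
"""
import json
from collections import Counter, defaultdict

ALICE = "arn:aws:iam::111122223333:user/alice"   # constructed identities
CI_ROLE = "arn:aws:iam::111122223333:role/ci"

# Constructed CloudTrail-style log file body (documentation IP ranges).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "GetObject", "errorCode": "AccessDenied", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": ALICE}},
    {"eventName": "ListBuckets", "errorCode": "AccessDenied", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": ALICE}},
    {"eventName": "GetObject", "awsRegion": "us-east-1",            # normal, successful
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": ALICE}},
    {"eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": CI_ROLE}},
    {"eventName": "PutBucketPublicAccessBlock", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": CI_ROLE}},
    {"eventName": "UpdateRole", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": CI_ROLE}},
    {"eventName": "RunInstances", "awsRegion": "ap-southeast-1",     # unusual region
     "sourceIPAddress": "192.0.2.44", "userIdentity": {"arn": ALICE}},
    {"eventName": "UpdateRole", "errorCode": "AccessDenied", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "192.0.2.44", "userIdentity": {"arn": ALICE}},
]})

# Administrative calls treated as sensitive. The post names the first two;
# the others are an assumption for this example.
SENSITIVE_EVENTS = {
    "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
    "UpdateRole", "PutRolePolicy", "AttachRolePolicy", "StopLogging",
}
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation"}
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}   # assumption: the org's approved regions


def load_records(raw):
    """Parse one CloudTrail log file body into its list of event records."""
    return json.loads(raw).get("Records", [])


def identity_of(event):
    """Caller ARN, tolerating records without a userIdentity block."""
    return event.get("userIdentity", {}).get("arn", "unknown")


def unauthorized_calls(records):
    """Runbook 1: denied calls grouped by (source IP, caller), busiest first."""
    grouped = defaultdict(Counter)
    for ev in records:
        if ev.get("errorCode") in DENIED_CODES:
            grouped[(ev.get("sourceIPAddress"), identity_of(ev))][ev["eventName"]] += 1
    findings = [
        {"sourceIPAddress": ip, "arn": arn, "denied": sum(c.values()), "eventNames": sorted(c)}
        for (ip, arn), c in grouped.items()
    ]
    return sorted(findings, key=lambda f: f["denied"], reverse=True)


def config_changes(records):
    """Runbook 2: successful administrative calls from the sensitive set.

    A denied attempt is excluded here; runbook 1 already reports it.
    """
    return [
        {"arn": identity_of(ev), "eventName": ev["eventName"], "awsRegion": ev.get("awsRegion")}
        for ev in records
        if ev.get("eventName") in SENSITIVE_EVENTS and "errorCode" not in ev
    ]


def region_anomalies(records, approved_regions):
    """Runbook 3: activity outside the regions the organization actually uses,
    grouped by (caller, region) with the source IPs seen there."""
    hits = defaultdict(Counter)
    for ev in records:
        region = ev.get("awsRegion")
        if region and region not in approved_regions:
            hits[(identity_of(ev), region)][ev.get("sourceIPAddress")] += 1
    return [
        {"arn": arn, "awsRegion": region, "events": sum(c.values()), "sourceIPs": sorted(c)}
        for (arn, region), c in hits.items()
    ]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(json.dumps({
        "unauthorized": unauthorized_calls(recs),
        "config_changes": config_changes(recs),
        "region_anomalies": region_anomalies(recs, APPROVED_REGIONS),
    }, indent=2))
```

Each function is the in-memory equivalent of one SQL-like runbook query (a WHERE on errorCode, eventName or awsRegion followed by a GROUP BY on the caller and source IP); the same grouping is what you would express in CloudTrail Lake or Athena once the logic is settled. Note that the denied UpdateRole attempt from the unusual region surfaces in both runbooks 1 and 3, which is the kind of overlap an investigator wants to see.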

Steps to Implement CloudTrail Query Runbooks

  1. Define Key Threat Scenarios: Start from the threats you see most often—API misuse, privilege escalation, or audit requirements you are not yet meeting.
  2. Pre-Build Your Queries: Tailor SQL-like queries that map directly to potential attack surfaces or compliance gaps.
  3. Test Across a Sample Dataset: Measure the accuracy of these queries using real-world data pulled from CloudTrail.
  4. Automate Execution: Integrate queries with alerting systems like Slack, PagerDuty, or webhook-based responses executed in CI/CD pipelines.
  5. Iterate Regularly on Evolving Threats: As your cloud environment grows, so should your runbooks.
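The five steps form one loop: a runbook is defined against a named threat scenario, its query is pre-built, it is measured against a labeled sample before it is trusted, and only then is it wired to alerting. The following Python is an added example (not the post's or Hoop.dev's code) of that loop with a deliberately small detection rule, so the emphasis stays on testing and dispatch. The labeled events are constructed; the `{"text": ...}` alert body mirrors what Slack-style incoming webhooks accept, and `notify` stands in for the HTTP POST a real integration would make (both are assumptions for the example).

```python
"""Runbook lifecycle: define, pre-build, test on a labeled sample, automate.

Added example, not from the post or from Hoop.dev. Events are constructed and
trimmed to the CloudTrail fields the runbooks read.
"""
import json
from dataclasses import dataclass
from typing import Callable

ALICE = "arn:aws:iam::111122223333:user/alice"   # constructed identities
CI_ROLE = "arn:aws:iam::111122223333:role/ci"


@dataclass
class Runbook:
    name: str
    scenario: str                    # step 1: the threat scenario it covers
    match: Callable[[dict], bool]    # step 2: the pre-built query as a predicate
    severity: str = "medium"


# Steps 1 and 2: two runbooks for scenarios the post describes.
RUNBOOKS = [
    Runbook("denied-api-calls", "unauthorized API access",
            lambda ev: ev.get("errorCode") == "AccessDenied", "high"),
    Runbook("public-access-block-change", "configuration change",
            lambda ev: ev.get("eventName") == "PutBucketPublicAccessBlock"
            and "errorCode" not in ev, "high"),
]

# A first draft of the second runbook that forgets to exclude denied attempts;
# kept only to show what step 3 catches.
NAIVE_CONFIG_RUNBOOK = Runbook(
    "public-access-block-change", "configuration change",
    lambda ev: ev.get("eventName") == "PutBucketPublicAccessBlock", "high")

# Step 3: constructed sample records, each labeled with the runbooks an
# analyst considers a true positive for it.
LABELED_SAMPLE = [
    ({"eventName": "GetObject", "errorCode": "AccessDenied",
      "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": ALICE}},
     {"denied-api-calls"}),
    ({"eventName": "PutBucketPublicAccessBlock",
      "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": CI_ROLE}},
     {"public-access-block-change"}),
    ({"eventName": "PutBucketPublicAccessBlock", "errorCode": "AccessDenied",
      "sourceIPAddress": "192.0.2.44", "userIdentity": {"arn": ALICE}},
     {"denied-api-calls"}),
    ({"eventName": "DescribeInstances",
      "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": CI_ROLE}},
     set()),
]


def evaluate(runbook, labeled):
    """Step 3: precision and recall of one runbook against analyst labels."""
    tp = fp = fn = 0
    for ev, labels in labeled:
        hit = bool(runbook.match(ev))
        expected = runbook.name in labels
        tp += int(hit and expected)
        fp += int(hit and not expected)
        fn += int(expected and not hit)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"runbook": runbook.name, "tp": tp, "fp": fp, "fn": fn,
            "precision": precision, "recall": recall}


def format_alert(runbook, ev):
    """Webhook body for one finding ({"text": ...} is the Slack-style shape)."""
    arn = ev.get("userIdentity", {}).get("arn", "unknown")
    return {
        "text": f"[{runbook.severity}] {runbook.name}: {ev.get('eventName')} "
                f"by {arn} from {ev.get('sourceIPAddress')}",
        "runbook": runbook.name, "scenario": runbook.scenario, "event": ev,
    }


def execute(runbooks, events, notify):
    """Step 4: run every runbook over a batch and hand each alert to `notify`
    (an HTTP POST to the webhook in production; injected here for testing)."""
    alerts = []
    for rb in runbooks:
        for ev in events:
            if rb.match(ev):
                alert = format_alert(rb, ev)
                notify(alert)
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for rb in RUNBOOKS + [NAIVE_CONFIG_RUNBOOK]:
        print(json.dumps(evaluate(rb, LABELED_SAMPLE)))
    execute(RUNBOOKS, [ev for ev, _ in LABELED_SAMPLE], lambda a: print(a["text"]))
```

Running the evaluation before wiring the webhook is the point of step 3: the naive draft fires on the denied PutBucketPublicAccessBlock attempt as if it were a completed change, so it scores a false positive that the tightened predicate does not. Step 5 is the same loop run again whenever a new scenario or a new label set arrives.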

Leveraging Tools to Simplify Multi-Cloud Security

Building effective CloudTrail query runbooks doesn’t require building everything from scratch. With tools like Hoop.dev, you can streamline the entire process of crafting, testing, and automating these runbooks across multiple cloud providers.

Here’s why that’s valuable:

  • Preconfigured runbook templates help you skip hours of manual query writing.
  • Real-time querying across AWS, Azure, and GCP eliminates the complexity of multi-cloud correlation.
  • Visual dashboards organize results clearly, so interpreting and acting on security alerts is faster.

See it live in minutes: Hoop.dev removes the technical hurdles, letting you secure your cloud environments without deep manual effort. Learn how to track suspicious activity with ready-to-run multi-cloud query templates and start acting faster today.
