At 2:37 a.m., an engineer found a production credential used in a way that made no sense. The logs were there—thousands of lines—but no clear answer: Who accessed what, and when?
This is the moment every AWS-powered team dreads. Questions come fast. Was this a bug? A malicious actor? An over-permissioned service account? Every second without clarity is another second of risk.
AWS offers the tools to find the truth, but they’re scattered across services. CloudTrail, CloudWatch, IAM Access Analyzer, S3 server access logs—the data lives in many places. To answer “who accessed what and when” with speed, you have to bring these together.
Step 1: Enable CloudTrail Across All Regions
CloudTrail is the first source of truth. Without it running in all regions, you have blind spots. Certain actions—like IAM changes—can happen in any region. Set it to log all management and data events. Store these logs in a central S3 bucket with proper encryption.
Step 2: Use Event History and Athena for Fast Queries
AWS’s Event History is fine for quick triage, but Athena over CloudTrail logs lets you search with precision. You can filter by user, resource, or timeframe to see exactly when an action took place and which credentials were involved.
Step 3: Turn On IAM Access Analyzer
This tool identifies resources with public or cross-account access. It’s not a replay of events—it shows ongoing exposure. When combined with CloudTrail records, you get both the real-time map of risk and the historical evidence of access.
Step 4: Extend to Data Layer Logging
If you store sensitive data in S3, enable S3 server access logs or CloudTrail data events for object-level access details. For databases like RDS or DynamoDB, enable query or table-level logging. The more granular your logs, the faster you can validate or rule out potential breaches.
Step 5: Automate Detection and Alerting
Don’t wait for someone to manually sift logs. Wire CloudWatch Alarms or EventBridge rules to trigger alerts on suspicious patterns, such as IAM role assumptions from unexpected IP ranges or repeated AccessDenied events from the same identity.
The power move is having a single place to view all this: Who accessed what, and when. No jumping between AWS consoles. No waiting for someone to patch together ad-hoc queries.
This visibility is not optional. Without it, you’re guessing in the dark when something breaks or when security is on the line. With it, you can pinpoint activity in minutes and act with confidence.
You can piece this together manually with AWS services—or you can see it live in minutes. With Hoop.dev, all your AWS access history, resource usage, and user actions are in one clear interface, ready to answer your questions the moment they come up. No setup marathon. No stitching tools together.
The difference between guessing and knowing is the difference between chaos and control. See it in action today on Hoop.dev—and never wonder again who accessed what and when.