
Your AWS account is bleeding logs.


Every API call. Every console login. Every action someone or something takes. It’s all there in CloudTrail, an ocean of data waiting to tell you if you’re compliant or one step away from a reportable incident. For ISO 27001, that ocean needs a map — and that’s what CloudTrail query runbooks can give you.

Why ISO 27001 Needs CloudTrail Queries

ISO 27001 isn’t just about locking data away. It’s proof that you can track, detect, and investigate unusual activity. CloudTrail is perfect for this. It records every move in your AWS environment. But logs mean nothing without the ability to query them on demand and store those queries as repeatable runbooks.

A runbook turns compliance from a once-a-year panic into a daily practice. For ISO 27001 controls like A.12.4.1 (Event Logging) and A.16.1.5 (Response to Information Security Incidents), CloudTrail queries make your evidence exact, reproducible, and quick to produce during an audit.

Building Your ISO 27001 CloudTrail Query Runbooks

  1. Identify Scope
    List all critical AWS services in use. Map them against your ISO 27001 controls that require monitoring.
  2. Create Baseline Queries
    Use AWS Athena or CloudWatch Logs Insights to build filters for admin privilege escalations, root account usage, changes to IAM policies, access from unknown IPs, and modifications to security groups.
  3. Parameterize for Reuse
    Store time ranges, usernames, and resource IDs as variables. This makes each query easily adjustable without rewriting SQL or filter syntax.
  4. Document Purpose and Output
    Every runbook should state what it checks, why it exists, and which controls it supports. This makes audits faster and incident investigations sharper.
  5. Schedule and Automate
    Run critical queries daily. Keep results in secure storage with retention aligned to your ISO 27001 evidence policy.
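The five steps above, carried through as one runnable runbook module. This is an added example, not code from the original post or from hoop.dev. It assumes an Athena table named cloudtrail_logs with the column layout AWS documents for CloudTrail tables (eventtime, eventname, eventsource, awsregion, a useridentity struct, and so on); the Runbook fields (purpose, controls, sql_template) are this example's own. Each runbook documents what it checks and which controls it supports, keeps time range and actor as parameters, validates those parameters before they are interpolated into SQL text, and renders one bounded query per day for the scheduled run.

```python
"""Parameterized CloudTrail query runbooks for an Athena table (added example)."""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Runbook parameters are interpolated into SQL text, so every value is checked
# against a strict allowlist before substitution rather than trusted as-is.
_SAFE_PARAM = re.compile(r"^[A-Za-z0-9_./:+=@,\-]{0,128}$")

# Every query is bounded to a window so that the daily run scans one day.
_WINDOW = "eventtime BETWEEN '{start}T00:00:00Z' AND '{end}T23:59:59Z'"


@dataclass(frozen=True)
class Runbook:
    name: str
    purpose: str          # what the query checks and why it exists
    controls: tuple       # ISO 27001 controls the evidence supports
    sql_template: str     # Athena SQL with {placeholders} for parameters
    defaults: dict = field(default_factory=dict)

    def render(self, **params) -> str:
        """Substitute parameters (dates or strings) into the template."""
        clean = {}
        for key, value in {**self.defaults, **params}.items():
            text = value.isoformat() if isinstance(value, date) else str(value)
            if not _SAFE_PARAM.match(text):
                raise ValueError(f"unsafe value for parameter {key!r}: {value!r}")
            clean[key] = text
        return self.sql_template.format(**clean)


ROOT_USAGE = Runbook(
    name="root-account-usage",
    purpose="API activity by the root principal, which should not be used day to day.",
    controls=("A.12.4.1",),
    sql_template=(
        "SELECT eventtime, eventname, sourceipaddress, awsregion\n"
        "FROM cloudtrail_logs\n"
        "WHERE useridentity.type = 'Root'\n"
        "  AND useridentity.invokedby IS NULL\n"      # AWS services acting as root
        "  AND eventtype <> 'AwsServiceEvent'\n"
        f"  AND {_WINDOW}\n"
        "ORDER BY eventtime"
    ),
)

IAM_POLICY_CHANGES = Runbook(
    name="iam-policy-changes",
    purpose="Writes that change what a user, group or role is allowed to do.",
    controls=("A.12.4.1", "A.16.1.5"),
    sql_template=(
        "SELECT eventtime, useridentity.arn AS actor, eventname, requestparameters\n"
        "FROM cloudtrail_logs\n"
        "WHERE eventsource = 'iam.amazonaws.com'\n"
        "  AND eventname IN ('PutUserPolicy', 'PutRolePolicy', 'PutGroupPolicy',\n"
        "                    'AttachUserPolicy', 'AttachRolePolicy', 'AttachGroupPolicy')\n"
        "  AND useridentity.arn LIKE '%{actor_filter}%'\n"
        f"  AND {_WINDOW}\n"
        "ORDER BY eventtime"
    ),
    defaults={"actor_filter": ""},   # narrow to one principal during an investigation
)

RUNBOOKS = (ROOT_USAGE, IAM_POLICY_CHANGES)


def daily_queries(day: date) -> dict:
    """SQL for every runbook over a single day, keyed by runbook name."""
    return {rb.name: rb.render(start=day, end=day) for rb in RUNBOOKS}


def manifest() -> list:
    """Audit-facing record: what each runbook checks and which controls it supports."""
    return [{"name": rb.name, "purpose": rb.purpose, "controls": list(rb.controls)}
            for rb in RUNBOOKS]


if __name__ == "__main__":
    # Yesterday's queries, as a scheduler would submit them to Athena.
    for name, sql in daily_queries(date.today() - timedelta(days=1)).items():
        print(f"-- {name}\n{sql}\n")
```

The rendered SQL is what a scheduler submits to Athena; the manifest is what you hand an auditor. Rejecting any parameter outside the allowlist matters because an investigation-time value (a username pasted from a ticket, say) otherwise lands verbatim in the query text.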

Example Core Queries for Compliance

  • Root Account Usage: Filter events for any action taken by the Root principal.
  • IAM Policy Changes: Search for PutUserPolicy, PutRolePolicy, AttachRolePolicy, and related events.
  • Multi-Factor Authentication Changes: Detect DeactivateMFADevice or DeleteVirtualMFADevice.
  • Access from Anomalous Regions: Compare awsRegion to your approved geography list.
  • Security Group Open to World: Match events where cidrIp equals 0.0.0.0/0.

These are the building blocks. Together, they form the audit trail that ISO 27001 demands.
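The five core checks above, written as predicates over CloudTrail records in their native JSON shape (userIdentity, eventName, awsRegion, requestParameters), so the logic can be exercised offline before it is turned into Athena or Logs Insights filters. This is an added example, not code from the original post or from hoop.dev. APPROVED_REGIONS and the sample records are constructed for this example; the security group check goes slightly beyond the post by also matching the IPv6 catch-all ::/0, and the region check skips IAM events because that service always logs awsRegion as us-east-1 regardless of where the caller sits.

```python
"""Local detection checks mirroring the five core CloudTrail queries (added example)."""
from collections.abc import Iterator

APPROVED_REGIONS = {"us-east-1", "eu-west-1"}   # assumed approved geography

IAM_POLICY_EVENTS = {
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
}
MFA_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}             # IPv6 catch-all added beyond the post
GLOBAL_SOURCES = {"iam.amazonaws.com"}          # global service: awsRegion is always us-east-1


def _walk(node) -> Iterator[tuple]:
    """Yield (key, value) pairs from the nested dicts/lists of requestParameters."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def is_root_usage(ev: dict) -> bool:
    ident = ev.get("userIdentity", {})
    # Root with invokedBy set is an AWS service acting on root's behalf, not a person.
    return ident.get("type") == "Root" and "invokedBy" not in ident


def is_iam_policy_change(ev: dict) -> bool:
    return (ev.get("eventSource") == "iam.amazonaws.com"
            and ev.get("eventName") in IAM_POLICY_EVENTS)


def is_mfa_change(ev: dict) -> bool:
    return ev.get("eventName") in MFA_EVENTS


def is_anomalous_region(ev: dict) -> bool:
    if ev.get("eventSource") in GLOBAL_SOURCES:
        return False
    return ev.get("awsRegion") not in APPROVED_REGIONS


def is_sg_open_to_world(ev: dict) -> bool:
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    # The CIDR may sit at the top level or under ipPermissions.items[].ipRanges.items[].
    return any(key in ("cidrIp", "cidrIpv6") and value in WORLD_CIDRS
               for key, value in _walk(ev.get("requestParameters")))


CHECKS = {
    "root_usage": is_root_usage,
    "iam_policy_change": is_iam_policy_change,
    "mfa_change": is_mfa_change,
    "anomalous_region": is_anomalous_region,
    "sg_open_to_world": is_sg_open_to_world,
}


def findings(records: list) -> list:
    """Return (check name, eventID) for every record that trips a check."""
    return [(name, ev.get("eventID", "?"))
            for ev in records for name, check in CHECKS.items() if check(ev)]


# Constructed sample records, trimmed to the fields the checks read.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "userIdentity": {"type": "Root"}},
    {"eventID": "e2", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e4", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "ap-southeast-1", "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "e5", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "eu-west-1", "userIdentity": {"type": "AssumedRole"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "e6", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "eu-west-1", "userIdentity": {"type": "AssumedRole"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "cidrIp": "10.0.0.0/8",
                           "ipProtocol": "tcp", "fromPort": 443, "toPort": 443}},
]

if __name__ == "__main__":
    for name, event_id in findings(SAMPLE_EVENTS):
        print(f"{name:18s} {event_id}")
```

Each predicate maps one-to-one onto a WHERE clause (or a Logs Insights filter), which is the point of writing them down first: the runbook states the condition precisely, and the query is a translation rather than a fresh interpretation each time an auditor asks.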


The Difference Between Logs and Control

Without runbooks, CloudTrail is just noise. With them, each query becomes a guardrail. You have an exact trigger for when to investigate, and a clear record that your monitoring works. This precision is what makes certification sustainable instead of exhausting.

The faster you turn queries into repeatable workflows, the less you bleed time when auditors start asking questions.

You can spend weeks gluing this together, or you can see it live in minutes. At hoop.dev, you can run, share, and automate your ISO 27001 CloudTrail query runbooks without the usual heavy lifting.
