TrailGuard


TrailGuard provides real-time AWS CloudTrail monitoring within your own AWS account—deployed via CloudFormation for easy setup. Built on AWS Lambda, it leverages FraudGuard’s threat intelligence to detect suspicious activity, including leaked access keys, privilege escalations, and high-risk API calls, as well as any operation from a high-risk IP tracked in the FraudGuard Attack Correlation Engine. TrailGuard automatically queries your FraudGuard account for any geoblocked regions, blacklisted IPs, and more—giving you tailored alerts based on your existing threat policies.



Runs in Your AWS Account

TrailGuard deploys directly into your AWS environment via CloudFormation—keeping your CloudTrail data private and compliant.

Flexible Alerting

TrailGuard uses AWS SNS for notifications, supporting email, Slack, custom webhooks, and more for easy integration into your existing workflows.

Threat Intelligence Integration

TrailGuard connects to your FraudGuard account, querying geoblocks, blacklisted IPs, and real-time threat lists—ensuring alerts are based on your unique risk profile.

Proactive Threat Detection

TrailGuard identifies leaked access keys, suspicious API calls, privilege escalations, and unusual geolocation access—before attackers can cause harm.

FraudGuard Intelligence

Every alert generated by TrailGuard is enhanced with FraudGuard’s global threat intelligence—providing context such as whether an IP is tracked by our Attack Correlation Engine.

Included in Business Plan

TrailGuard source code is available in the FraudGuard Business Plan ($299/month) and above—bringing enterprise-grade AWS security to growing businesses.



What TrailGuard Detects


TrailGuard monitors AWS CloudTrail for a wide range of threats, including:

1. Leaked Access Keys

TrailGuard detects when AWS access keys are being used in suspicious ways—such as from unfamiliar IPs, unexpected locations, or with unusual API patterns—indicating they may have been exposed or compromised through sources like GitHub, Slack, or internal sharing.

2. Privilege Escalations

Flags attempts to gain elevated permissions by modifying roles, policies, or permissions—one of the most common tactics used after an initial breach.

3. Suspicious API Calls

Highlights rare, deprecated, or high-risk API actions that deviate from normal operations, such as creating IAM users, disabling logging, or modifying key services.

4. Geolocation Anomalies

Identifies access attempts from unexpected or high-risk regions based on your FraudGuard geoblock settings, flagging potential unauthorized access across global locations.

5. Sensitive Data Access

Detects unauthorized access to critical data stores such as S3 buckets, RDS instances, or secrets—alerting you when sensitive assets are touched unexpectedly.

6. Root Account Usage Detection

TrailGuard monitors for any use of the AWS root account—an immediate red flag for potential compromise or misconfiguration. Using the root account is rarely necessary, and TrailGuard alerts you instantly so you can investigate and take action.

7. Custom Blacklist Integration

TrailGuard automatically cross-references activity against your FraudGuard Blacklist, alerting you when requests come from IPs you've flagged as threats. This allows you to enforce your unique security policies and respond faster to known bad actors.
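
The categories above map onto fields that every CloudTrail record carries (`userIdentity.type`, `eventSource`, `eventName`, `sourceIPAddress`). The following is an added example, not TrailGuard's source code, that classifies records for four of them; the blacklist entries, the rule sets, the function names and the sample records are all constructed for illustration.

```python
import ipaddress

# Constructed stand-in for an IP blacklist (RFC 5737 documentation ranges).
BLACKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# IAM actions that change what a principal is allowed to do (assumed rule set).
PRIV_ESC = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
            "CreatePolicyVersion", "UpdateAssumeRolePolicy", "AddUserToGroup"}
# The page's examples of high-risk calls: creating IAM users, disabling logging.
HIGH_RISK = {("iam.amazonaws.com", "CreateUser"),
             ("cloudtrail.amazonaws.com", "StopLogging"),
             ("cloudtrail.amazonaws.com", "DeleteTrail")}

def ip_blacklisted(source):
    """sourceIPAddress may hold a service name (e.g. 'ec2.amazonaws.com'), not an IP."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # service-originated call: nothing to match against the list
    return any(addr in net for net in BLACKLIST)

def classify(record):
    """Return the sorted list of finding labels for one CloudTrail record."""
    findings = set()
    identity = record.get("userIdentity", {})
    source, name = record.get("eventSource"), record.get("eventName")
    if identity.get("type") == "Root":
        findings.add("root_account_usage")
    if source == "iam.amazonaws.com" and name in PRIV_ESC:
        findings.add("privilege_escalation")
    if (source, name) in HIGH_RISK:
        findings.add("high_risk_api_call")
    if ip_blacklisted(record.get("sourceIPAddress", "")):
        findings.add("blacklisted_ip")
    return sorted(findings)

# Constructed sample records (not real log data).
SAMPLE = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "192.0.2.10"},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser"}, "sourceIPAddress": "203.0.113.45"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole"}, "sourceIPAddress": "ec2.amazonaws.com"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["eventName"], classify(rec))
```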



Get Started with TrailGuard

TrailGuard is simple to deploy and seamlessly integrates into your AWS environment. Want to see it in action? We offer a 14-day trial—just email us at hello@fraudguard.io to get started.