CloudTrail is a governance, compliance, risk management, and auditing service that records account activity, whether it happens through the Console or through API calls.
CloudTrail is automatically enabled for all new accounts.
- Activities are recorded as events; event history keeps them for 90 days by default.
CloudTrail log files
- CloudTrail can deliver log files from multiple accounts to a bucket belonging to a central account.
- By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE).
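Central-account delivery only works if the central bucket's policy lets the CloudTrail service principal write into each source account's own `AWSLogs/<account>/` prefix, and a defender later has to know which account a delivered file belongs to. The block below is an added example, not code from these notes or from AWS: it generates that bucket policy for a list of accounts (pinned to each account's trail through `aws:SourceArn`, and assuming every account's trail shares one name and home region) and parses the delivered object keys, whose layout is `AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/<file>`, so that files from accounts you did not expect can be spotted. Bucket, trail and account IDs are constructed placeholders.

```python
"""Central CloudTrail bucket: policy generator and delivered-key parser.

Added example (not AWS documentation code).  Account IDs, bucket and trail
names are constructed placeholders.
"""
import json
import re

# Delivered log objects follow AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/<file>;
# the file name repeats the account and region, which the backreferences enforce.
KEY_RE = re.compile(
    r"^AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"
    r"(?P=account)_CloudTrail_(?P=region)_(?P<stamp>\d{8}T\d{4}Z)_[A-Za-z0-9]+\.json\.gz$"
)


def central_bucket_policy(bucket, home_region, account_ids, trail_name):
    """Bucket policy allowing the CloudTrail service principal to write each
    listed account's logs into that account's own prefix.  The aws:SourceArn
    condition ties every grant to that account's trail, so a trail in an
    unrelated account cannot deposit files here (confused-deputy guard).
    Assumes all accounts use the same trail name and home region."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [{
        "Sid": "AWSCloudTrailAclCheck",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:GetBucketAcl",
        "Resource": bucket_arn,
    }]
    for account in account_ids:
        statements.append({
            "Sid": f"AWSCloudTrailWrite{account}",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"{bucket_arn}/AWSLogs/{account}/*",
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceArn": f"arn:aws:cloudtrail:{home_region}:{account}:trail/{trail_name}",
            }},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def parse_delivered_key(key):
    """Return (account, region, 'YYYY-MM-DD') for a delivered log key, else None."""
    m = KEY_RE.match(key)
    if not m:
        return None
    return m["account"], m["region"], f"{m['year']}-{m['month']}-{m['day']}"


def unexpected_writers(keys, allowed_accounts):
    """Keys that do not follow the delivery layout, or whose account is not
    one we expect to ship logs into this bucket."""
    bad = []
    for key in keys:
        parsed = parse_delivered_key(key)
        if parsed is None or parsed[0] not in allowed_accounts:
            bad.append(key)
    return bad


if __name__ == "__main__":
    # Constructed sample: two member accounts feeding one central bucket.
    accounts = ["111122223333", "444455556666"]
    print(json.dumps(central_bucket_policy("central-trail-logs", "us-east-1", accounts, "org-trail"), indent=2))
    sample_keys = [
        "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/15/111122223333_CloudTrail_us-east-1_20240115T0000Z_abcdef12.json.gz",
        "AWSLogs/999999999999/CloudTrail/us-east-1/2024/01/15/999999999999_CloudTrail_us-east-1_20240115T0000Z_abcdef12.json.gz",
    ]
    print(unexpected_writers(sample_keys, set(accounts)))
```

Apply the generated policy to the central bucket and point each member account's trail at it; the parser can then run over an `s3 ls` listing of the bucket to confirm that only the expected accounts are writing.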
Types of events
- Account activities such as logins and actions taken through APIs or the Console
  - Enabled by default
- S3 object-level API activities or Lambda function execution activities
  - Disabled by default
- Unusual activities, e.g. a higher volume of a given API call than usual (such as DeleteBucket).
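The three bullets above map onto three things a defender does with the logs: tell control-plane records apart from the object-level records that are off by default, turn the latter on for the buckets and functions that matter, and notice when one API is suddenly called far more often than usual. The block below is an added example, not code from these notes or from AWS. It runs over constructed sample records in the CloudTrail record format (using the real record fields `eventName`, `managementEvent`, `eventCategory` and `userIdentity.arn`), builds an event selector in the shape the CloudTrail EventSelectors API accepts, and flags call bursts against a hand-set baseline; that threshold is a toy stand-in for the anomaly model CloudTrail itself uses, and the account ID, principals and baseline numbers are constructed.

```python
"""Sort CloudTrail records by event type, enable data events, flag API bursts.

Added example (not AWS code).  The records below are constructed samples in
the CloudTrail record format, trimmed to the fields used here.
"""
from collections import Counter

SAMPLE_RECORDS = [
    {"eventTime": "2024-01-15T10:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "managementEvent": True, "eventCategory": "Management",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "managementEvent": False, "eventCategory": "Data",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}},
] + [
    # A burst of eight DeleteBucket calls from one user within a few seconds.
    {"eventTime": f"2024-01-15T10:05:{i:02d}Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "managementEvent": True, "eventCategory": "Management",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}
    for i in range(8)
]


def event_category(record):
    """'Management' for control-plane calls (ConsoleLogin, DeleteBucket, ...),
    'Data' for object-level S3 / Lambda invocation records.  Prefers the
    eventCategory field and falls back to the managementEvent flag."""
    if "eventCategory" in record:
        return record["eventCategory"]
    return "Management" if record.get("managementEvent", True) else "Data"


def count_by_category(records):
    """How many records of each category a batch contains."""
    return Counter(event_category(r) for r in records)


def api_call_bursts(records, baseline_per_window, factor=3):
    """Return {(eventName, caller ARN): count} for combinations whose call
    count exceeds factor * the typical count for that API in one window.
    baseline_per_window maps eventName -> typical count (constructed here)."""
    counts = Counter((r["eventName"], r["userIdentity"]["arn"]) for r in records)
    bursts = {}
    for (name, who), n in counts.items():
        typical = baseline_per_window.get(name, 0)
        if n > factor * max(typical, 1):
            bursts[(name, who)] = n
    return bursts


def data_event_selector(s3_prefixes, lambda_arns=()):
    """Event selector that switches on S3 object-level and Lambda invocation
    logging (off by default) while keeping management events; this is the
    structure CloudTrail's EventSelectors setting takes."""
    resources = [{"Type": "AWS::S3::Object", "Values": list(s3_prefixes)}]
    if lambda_arns:
        resources.append({"Type": "AWS::Lambda::Function", "Values": list(lambda_arns)})
    return [{"ReadWriteType": "All", "IncludeManagementEvents": True,
             "DataResources": resources}]


if __name__ == "__main__":
    print(count_by_category(SAMPLE_RECORDS))
    # Constructed baseline: a normal window sees at most one DeleteBucket.
    print(api_call_bursts(SAMPLE_RECORDS, {"DeleteBucket": 1, "ConsoleLogin": 5}))
    print(data_event_selector(["arn:aws:s3:::sensitive-bucket/"],
                              ["arn:aws:lambda:us-east-1:111122223333:function:payments"]))
```

In practice the baseline would come from the same account's own history rather than a hand-typed dictionary, and the selector would be passed to the trail's event-selector configuration; the category split is what makes the difference between the default logging and the object-level coverage visible in a batch of records.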