CloudTrail is a governance, compliance, risk management, and auditing service that records account activity (via the Console or the APIs).
- CloudTrail tracks all user activities and API calls across your AWS accounts – whether made through the Console, the SDKs, or the CLI.
- For each call you can see the user name, event name, event date/time, source IP address, access key, region, and error code.
AWS CloudTrail
CloudTrail is automatically enabled for all new accounts.
CloudTrail Event
- Activities are recorded as events; the event history keeps them for 90 days by default.
CloudTrail log files
- CloudTrail can deliver log files from multiple accounts to a bucket belonging to a central account.
- By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE).
Types of events
Management events
- Account activities such as logins and actions taken through the APIs or the Console
- Enabled by default
Data events
- S3 object-level API activities or Lambda function execution activities
- Disabled by default
Insights events
- Unusual activity, e.g. a higher-than-usual rate of a particular API call (such as DeleteBucket).
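Added example (not part of these notes): a small parser for the JSON log files CloudTrail delivers to S3, pulling out the fields listed above, separating management from data events, and listing the calls that failed. The record fields used (eventTime, eventName, awsRegion, sourceIPAddress, errorCode, userIdentity, eventCategory, managementEvent) are standard CloudTrail fields; the log content itself is constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample of a CloudTrail log file (the JSON document delivered to S3),
# reduced to the fields these notes mention. Not a real capture.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": ""},
     "eventCategory": "Management", "managementEvent": True},
    {"eventTime": "2024-01-15T10:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE000000001"},
     "eventCategory": "Management", "managementEvent": True, "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-15T10:06:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002"},
     "eventCategory": "Data", "managementEvent": False},
]})

def parse_records(log_text):
    """Return one flat dict per record with the fields the notes list."""
    rows = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        rows.append({
            "time": rec.get("eventTime"),
            # console sign-ins and assumed roles may carry no userName; fall back to the identity type
            "user": ident.get("userName") or ident.get("type"),
            "access_key": ident.get("accessKeyId") or None,   # empty string for console logins
            "event": rec.get("eventName"),
            "region": rec.get("awsRegion"),
            "ip": rec.get("sourceIPAddress"),
            "error": rec.get("errorCode"),                    # absent when the call succeeded
            # eventCategory is present on newer records; older ones only carry managementEvent
            "category": rec.get("eventCategory")
                or ("Management" if rec.get("managementEvent", True) else "Data"),
        })
    return rows

def summarize(rows):
    """Count records per category and collect the calls that returned an error."""
    by_category = Counter(r["category"] for r in rows)
    failed = [r for r in rows if r["error"]]
    return by_category, failed

if __name__ == "__main__":
    rows = parse_records(SAMPLE_LOG)
    cats, failed = summarize(rows)
    print(dict(cats))
    for r in failed:
        print(f'{r["time"]} {r["user"]} {r["event"]} {r["region"]} {r["ip"]} -> {r["error"]}')
```

Run against a real delivered log file by reading its (gzip-compressed) contents into `parse_records` instead of `SAMPLE_LOG`.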