AWS CloudTrail
Records AWS API calls for governance and compliance auditing
CloudTrail is like a security camera system that records everything happening in your AWS account. Every action (launching an EC2 instance, deleting an S3 object, changing a security group) is recorded with who did it, when, and from where. It's your audit trail for compliance, security investigations, and troubleshooting. If someone accidentally deletes a database or a hacker gains access, CloudTrail shows exactly what happened. Think of it as a detailed logbook that answers 'who did what, when, and how' for every AWS action. It's essential for security, compliance, and operational troubleshooting.
CloudTrail logs AWS API calls as events, storing them in S3 buckets. Each event includes identity (who), time (when), source IP (where from), request parameters (what), and response (result). CloudTrail records two main event types: management events (control plane operations like CreateBucket, TerminateInstances) and data events (data plane operations like GetObject, PutObject).
Key Capabilities
- Logs every AWS API call (console, CLI, SDK) with caller identity, source IP, timestamp, request parameters, and response
- Management Events cover control-plane actions (create, modify, delete resources) and are enabled by default; Data Events cover data-plane actions (S3 object reads/writes, Lambda invocations) and must be explicitly enabled
- Delivers logs to S3 and optionally streams to CloudWatch Logs or EventBridge for alerting and analysis
- CloudTrail Insights automatically detects unusual spikes or drops in API call volume that may indicate operational or security issues
- Log file validation generates a digest file for each log delivery so you can detect tampering; combine with S3 Object Lock for compliance-grade immutability
- Supports organization-wide trails that capture activity across all accounts in an AWS Organizations structure from a single configuration
Gotchas & Constraints
- Gotcha #1: Data events are not logged by default (they're high-volume and costly); enable them only for critical resources.
- Gotcha #2: CloudTrail log delivery is eventually consistent, so events can take up to 15 minutes to appear.
- Constraints: Event History stores events for 90 days for free; for longer retention, create a trail that delivers to S3. S3 storage and data event logging incur charges.
A financial services company must maintain audit logs for 7 years per regulatory requirements. They create an organization trail that logs all API calls across 50 AWS accounts to a centralized S3 bucket. They enable data events for critical S3 buckets containing customer data; every GetObject and PutObject is logged. CloudTrail logs are encrypted with KMS and stored in S3 with Glacier lifecycle policies (move to Glacier after 90 days for cost savings). They integrate CloudTrail with CloudWatch Logs and create alarms for suspicious activities: root account usage, security group changes, IAM policy modifications. When a developer accidentally deletes a production RDS database, CloudTrail logs show who did it and when; they restore from backup and implement preventive controls. During a security audit, they use CloudTrail logs to prove compliance with access controls and data handling policies.
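The three alarms in the scenario (root account usage, security group changes, IAM policy modifications) and the "who deleted the database, and when" question can both be answered from the JSON records CloudTrail delivers. The following is an added example, not AWS code or part of the original page: it runs those checks over a constructed log file body in the {"Records": [...]} shape CloudTrail writes to S3 (account IDs, ARNs and IPs are made-up sample values).

```python
import json

# Constructed sample log body in CloudTrail's S3 delivery format (after gunzip).
# All identifiers below are illustrative, not real accounts, users or addresses.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-05-01T10:12:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DeleteDBInstance", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Dev/carol"}},
]})

# EC2 and IAM API names that change security groups or IAM policies.
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}
IAM_POLICY_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                     "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                     "DetachUserPolicy", "DetachRolePolicy", "DetachGroupPolicy",
                     "CreatePolicy", "CreatePolicyVersion", "DeletePolicy",
                     "DeletePolicyVersion", "SetDefaultPolicyVersion"}

def classify(record):
    """Return the alarm name a single CloudTrail record triggers, or None."""
    name = record.get("eventName", "")
    if record.get("userIdentity", {}).get("type") == "Root":
        return "root-account-usage"          # any action by the root identity
    if record.get("eventSource") == "ec2.amazonaws.com" and name in SG_EVENTS:
        return "security-group-change"
    if record.get("eventSource") == "iam.amazonaws.com" and name in IAM_POLICY_EVENTS:
        return "iam-policy-change"
    return None

def find_alarms(log_body):
    """Parse a log file body; return (alarm, caller ARN, time, eventName) per hit."""
    return [(a, r["userIdentity"].get("arn"), r["eventTime"], r["eventName"])
            for r in json.loads(log_body)["Records"] if (a := classify(r))]

def who_did(log_body, event_name):
    """Answer 'who did it, and when' for one API call, e.g. DeleteDBInstance."""
    return [(r["userIdentity"].get("arn"), r["eventTime"])
            for r in json.loads(log_body)["Records"] if r.get("eventName") == event_name]
```

In production the same checks are expressed as CloudWatch Logs metric filters on the streamed trail; the Python version is useful for offline review of archived log files pulled from S3.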
The Result
Complete audit trail, regulatory compliance, and rapid incident response.