Security, Identity & Compliance

    AWS CloudTrail

    Records AWS API calls for governance and compliance auditing

    CloudTrail is like a security camera system that records everything happening in your AWS account. Every action (launching an EC2 instance, deleting an S3 object, changing a security group) is recorded with who did it, when, and from where. It is your audit trail for compliance, security investigations, and troubleshooting. If someone accidentally deletes a database or an attacker gains access, CloudTrail shows exactly what happened. Think of it as a detailed logbook that answers "who did what, when, and how" for every AWS action. It is essential for security, compliance, and operational troubleshooting.

    CloudTrail logs AWS API calls as events, storing them in S3 buckets. Events include identity (who), time (when), source IP (where from), request parameters (what), and response (result). CloudTrail supports two types of trails: management events (control plane operations like CreateBucket, TerminateInstances) and data events (data plane operations like GetObject, PutObject).

    Key Capabilities

    Key features: multi-region trails (log all regions), organization trails (log all accounts in AWS Organizations), CloudTrail Insights (detect unusual API activity), and integration with CloudWatch Logs (real-time monitoring).

    Gotchas & Constraints

    Gotcha #1: Data events are not logged by default (they're high-volume and costly); enable only for critical resources. Gotcha #2: CloudTrail logs are eventually consistent, so events can take up to 15 minutes to appear. Constraints: CloudTrail stores events for 90 days in Event History (free); for longer retention, create a trail to S3. S3 storage and data event logging incur charges.

    A financial services company must maintain audit logs for 7 years per regulatory requirements. They create an organization trail that logs all API calls across 50 AWS accounts to a centralized S3 bucket. They enable data events for critical S3 buckets containing customer data; every GetObject and PutObject is logged. CloudTrail logs are encrypted with KMS and stored in S3 with Glacier lifecycle policies (move to Glacier after 90 days for cost savings). They integrate CloudTrail with CloudWatch Logs and create alarms for suspicious activities: root account usage, security group changes, IAM policy modifications. When a developer accidentally deletes a production RDS database, CloudTrail logs show who did it and when; they restore from backup and implement preventive controls. During a security audit, they use CloudTrail logs to prove compliance with access controls and data handling policies.

    The Result

    Complete audit trail, regulatory compliance, and rapid incident response.
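    As an added illustration of the three alarms in the scenario above (this is example code, not from the page or from AWS), the following Python reads one CloudTrail log file and flags root account usage, security group changes and IAM policy modifications from the identity, time and source IP fields CloudTrail records. The event names and field names are CloudTrail's own; the sample records, account id, ARNs and IP addresses are constructed placeholders.

```python
import json

# Alarm rules for the scenario above: root usage, security group changes,
# IAM policy modifications. Event names are CloudTrail's own.
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}
IAM_POLICY_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                     "CreatePolicy", "CreatePolicyVersion", "DeletePolicy",
                     "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                     "DetachUserPolicy", "DetachRolePolicy", "DetachGroupPolicy"}

def classify(record):
    """Return the alarm names one CloudTrail record triggers (possibly several)."""
    hits = []
    if record.get("userIdentity", {}).get("type") == "Root":
        hits.append("root-account-usage")
    source, name = record.get("eventSource"), record.get("eventName")
    if source == "ec2.amazonaws.com" and name in SG_EVENTS:
        hits.append("security-group-change")
    if source == "iam.amazonaws.com" and name in IAM_POLICY_EVENTS:
        hits.append("iam-policy-change")
    return hits

def scan_log_file(raw_json):
    """Parse one CloudTrail log file ({"Records": [...]}) and return findings
    carrying the who/when/where fields an investigator needs first."""
    findings = []
    for rec in json.loads(raw_json).get("Records", []):
        for alarm in classify(rec):
            findings.append({"alarm": alarm, "eventTime": rec.get("eventTime"),
                             "eventName": rec.get("eventName"),
                             "principal": rec.get("userIdentity", {}).get("arn"),
                             "sourceIPAddress": rec.get("sourceIPAddress")})
    return findings

# Constructed sample log file: account id, ARNs and IPs are placeholders.
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10", "userIdentity": ALICE},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": ROOT},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7", "userIdentity": ROOT},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10", "userIdentity": ALICE},
]})
```

Running `scan_log_file(SAMPLE_LOG)` yields four findings: the security group change by alice, the root console login, and the root-made policy attachment, which trips both the root-usage and IAM-policy rules; the routine GetObject data event is not flagged.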

    Official AWS Documentation