AWS CloudTrail enables you to simplify governance, compliance, and risk auditing. CloudTrail accelerates analysis of operational and security issues by providing visibility into API activity in your AWS account. With CloudWatch Logs integration, support for multi-region configurations, and log file integrity validation, CloudTrail provides comprehensive, secure, and searchable historical data of calls made with the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
You can configure AWS CloudTrail to deliver log files from multiple regions to a single S3 bucket for a single account. A trail that applies to all regions (a multi-region trail) uses one set of settings for every existing region and for regions AWS launches later, so activity in a region you never use, which is a common place for an intruder to work unnoticed, is still recorded. Global service events such as IAM and STS calls are delivered once rather than once per region. For detailed instructions, see Aggregating CloudTrail Log Files to a Single Amazon S3 Bucket in the AWS CloudTrail User Guide.
You can validate the integrity of CloudTrail log files stored in your Amazon S3 bucket and determine whether each log file is unchanged, modified, or deleted since CloudTrail delivered it. Validation must be enabled on the trail; CloudTrail then delivers an hourly digest file that lists the log files delivered in that hour with their SHA-256 hashes, references the previous digest, and is signed by CloudTrail, and the aws cloudtrail validate-logs command walks this chain for you. The digests are only as trustworthy as the bucket they sit in, so restrict write access to the bucket to CloudTrail and protect it with versioning or a copy in a separate account. You can use log file integrity validation in your IT security and auditing processes.
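As an added example (not code from this page or from AWS), the checks that integrity validation performs, reduced to what the Python standard library can do: each log file's hash is compared with its digest entry, and the digest is checked to chain to its predecessor. It assumes, following the digest file format AWS documents, that hashValue and previousDigestHashValue are SHA-256 hex digests of the uncompressed log file and of the previous digest file respectively. The RSA signature on each digest, which ties the chain to CloudTrail, is not verified here; use aws cloudtrail validate-logs, or an RSA library with the public key from ListPublicKeys, for a full check. The bucket name, object keys and log contents are constructed.

```python
"""Check delivered CloudTrail log files against a CloudTrail digest (added example, stdlib only)."""
import gzip
import hashlib
import json
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_log_files(digest: dict, delivered: dict) -> dict:
    """Classify every log file the digest vouches for as unchanged, modified or deleted.

    `delivered` maps "bucket/key" to the gzipped object now in the bucket, or None if
    the object is gone. Assumption (per the documented digest format): hashValue is
    the SHA-256 of the uncompressed log file content.
    """
    status = {}
    for entry in digest["logFiles"]:
        key = f'{entry["s3Bucket"]}/{entry["s3Object"]}'
        data = delivered.get(key)
        if data is None:
            status[key] = "deleted"
            continue
        if entry["hashAlgorithm"] != "SHA-256":
            status[key] = "unsupported-hash"        # fail closed on anything unexpected
            continue
        try:
            plain = gzip.decompress(data)
        except OSError:                              # not valid gzip any more: tampered
            status[key] = "modified"
            continue
        status[key] = "unchanged" if sha256_hex(plain) == entry["hashValue"] else "modified"
    return status


def check_chain(digest: dict, previous_digest_plain: Optional[bytes]) -> bool:
    """Each digest carries the SHA-256 of the previous digest's uncompressed contents,
    so deleting an hour of logs together with its digest still breaks the chain."""
    if not digest.get("previousDigestS3Object"):
        return previous_digest_plain is None        # first digest after validation was enabled
    if previous_digest_plain is None:
        return False                                # previous digest is gone: chain broken
    return (digest["previousDigestHashAlgorithm"] == "SHA-256"
            and sha256_hex(previous_digest_plain) == digest["previousDigestHashValue"])


def demo() -> dict:
    """Constructed scenario: one intact log file, one with its record scrubbed, one deleted."""
    bucket = "example-trail-bucket"
    prefix = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/"
    original = {
        prefix + "a.json.gz": json.dumps({"Records": [{"eventName": "CreateUser"}]}).encode(),
        prefix + "b.json.gz": json.dumps({"Records": [{"eventName": "DeleteTrail"}]}).encode(),
        prefix + "c.json.gz": json.dumps({"Records": [{"eventName": "StopLogging"}]}).encode(),
    }
    previous_plain = json.dumps({"digestEndTime": "2024-05-01T00:00:00Z", "logFiles": []}).encode()
    digest = {                                       # the digest CloudTrail wrote for that hour
        "digestS3Bucket": bucket,
        "digestEndTime": "2024-05-01T01:00:00Z",
        "previousDigestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/05/01/prev.json.gz",
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_plain),
        "logFiles": [{"s3Bucket": bucket, "s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(v)} for k, v in original.items()],
    }
    now = {                                          # what the bucket holds after tampering
        f"{bucket}/{prefix}a.json.gz": gzip.compress(original[prefix + "a.json.gz"]),
        f"{bucket}/{prefix}b.json.gz": gzip.compress(json.dumps({"Records": []}).encode()),
    }
    return {"files": check_log_files(digest, now),
            "chain_ok": check_chain(digest, previous_plain),
            "chain_without_previous": check_chain(digest, None)}
```

demo() returns "unchanged" for a.json.gz, "modified" for b.json.gz (its record was removed), "deleted" for c.json.gz, and shows the chain check failing when the previous digest is missing. In a real run the digest and log objects come from the bucket, and a chain break or a modified verdict is itself an incident to investigate, not just a data-quality issue.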
By default, AWS CloudTrail encrypts all log files delivered to your Amazon S3 bucket using Amazon S3 server-side encryption with S3-managed keys (SSE-S3). Optionally, add a layer of security by encrypting the log files with your own AWS Key Management Service (AWS KMS) key (SSE-KMS). The key policy must allow the CloudTrail service principal to generate data keys, and anyone reading the logs then needs kms:Decrypt on that key in addition to s3:GetObject, which lets you restrict log access independently of the bucket permissions. Amazon S3 decrypts the log files transparently for callers that hold those permissions. For more information, see encrypting log files using your KMS key.
You can also record all API actions on S3 objects (data events) and receive details such as the AWS account of the caller, the IAM user or role that made the call, the time of the call, the source IP address the call came from, and more. Data events are not logged unless you enable them for a trail, and they are charged separately because of their volume.
By default, event selectors include management events. Every event that is not an object-level data event is a management event; this covers administrative actions such as creating, deleting, and modifying EC2 instances or S3 buckets, and a selector can be narrowed to read-only or write-only management events. For each API call, you get details such as which IAM identity made the call, when it was made, and which resources were affected.
You can take advantage of the Amazon S3 bucket notification feature to direct Amazon S3 to publish object-created events to AWS Lambda. When CloudTrail writes a log file to your S3 bucket, Amazon S3 can invoke your Lambda function to process the records in that file. The function's execution role needs s3:GetObject on the bucket and, if the trail is encrypted with a KMS key, kms:Decrypt on that key.
CloudTrail integration with CloudWatch Logs enables you to receive SNS notifications triggered by specific API activity captured by CloudTrail: the trail streams events to a log group, a metric filter on that group counts the events matching a pattern (for example, ConsoleLogin events whose error message reports a failed authentication), and a CloudWatch alarm on that metric publishes to an SNS topic. With SNS notifications, you can act as soon as a pattern of interest appears: contact the users identified in the API activity to learn more, automatically create a trouble ticket, or start other troubleshooting operations.
AWS CloudTrail integration with Amazon CloudWatch Events (now Amazon EventBridge) enables you to respond automatically to changes to your AWS resources. With CloudWatch Events, you define actions to execute when specific events are logged by AWS CloudTrail. For example, if CloudTrail logs a change to an Amazon Elastic Compute Cloud (EC2) security group, such as adding a new ingress rule (AuthorizeSecurityGroupIngress), you can create a rule that sends this activity to an AWS Lambda function, which can then run a workflow to create a ticket in your IT Helpdesk system. These events cover management API calls that change state; read-only calls such as Describe and List operations, and S3 object-level data events, are not delivered through this path. The rule fires after the change has already taken place, so it can detect and remediate but not block it.
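An added example (not code from this page or from AWS) of one Lambda function that serves both integration paths described above: invoked by the S3 bucket notification, it fetches the delivered log file and parses its Records; invoked by an EventBridge rule, it takes the single record carried in the event's detail. Either way the records go through the same triage, which reports AuthorizeSecurityGroupIngress calls and highlights those that opened a port to 0.0.0.0/0 or ::/0. The account ID, ARNs, security group IDs and records are constructed; the event pattern in the comment and the requestParameters layout follow the shapes CloudTrail uses for EC2 API calls; boto3 is assumed to be present only in the Lambda runtime and is imported lazily so the triage logic runs offline.

```python
"""Triage CloudTrail records from either delivery path (added example, not AWS code).

S3 notification -> Lambda: the event names a bucket and key; the object is a gzipped
JSON document {"Records": [...]}.  EventBridge rule -> Lambda: the event's "detail"
is one CloudTrail record.  Both paths end in triage().
"""
import gzip
import json
from urllib.parse import unquote_plus

# Assumed EventBridge rule pattern that routes these calls to the function:
# {"source": ["aws.ec2"], "detail-type": ["AWS API Call via CloudTrail"],
#  "detail": {"eventSource": ["ec2.amazonaws.com"],
#             "eventName": ["AuthorizeSecurityGroupIngress"]}}

WATCHED = {"AuthorizeSecurityGroupIngress"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def records_from_log_file(gz_bytes: bytes) -> list:
    """A delivered CloudTrail log file is gzipped JSON with a top-level Records array."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def records_from_event(event: dict) -> list:
    """Extract CloudTrail records from whichever trigger invoked the function."""
    if event.get("detail-type") == "AWS API Call via CloudTrail":
        return [event["detail"]]
    if event.get("Records") and "s3" in event["Records"][0]:
        import boto3  # imported lazily so triage() is testable without AWS credentials
        s3 = boto3.client("s3")
        records = []
        for note in event["Records"]:
            bucket = note["s3"]["bucket"]["name"]
            key = unquote_plus(note["s3"]["object"]["key"])  # notification keys are URL-encoded
            body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
            records.extend(records_from_log_file(body))
        return records
    raise ValueError("unrecognised trigger event")


def caller_arn(record: dict) -> str:
    """For an assumed role, name the role that was assumed rather than the session."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn") or ident.get("type", "unknown")


def world_open_ports(params: dict) -> list:
    """(protocol, fromPort, toPort) tuples the call opened to 0.0.0.0/0 or ::/0."""
    opened = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if ANYWHERE.intersection(cidrs):
            opened.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return opened


def triage(records: list) -> list:
    """One finding per successful watched call; denied or failed calls carry errorCode."""
    findings = []
    for rec in records:
        if rec.get("eventName") not in WATCHED or rec.get("errorCode"):
            continue
        params = rec.get("requestParameters") or {}
        findings.append({"eventTime": rec.get("eventTime"), "groupId": params.get("groupId"),
                         "caller": caller_arn(rec), "sourceIPAddress": rec.get("sourceIPAddress"),
                         "worldOpen": world_open_ports(params)})
    return findings


def handler(event, context):
    """Lambda entry point; ticket creation or notification would hang off the findings."""
    return {"findings": triage(records_from_event(event))}


def demo() -> dict:
    """Constructed inputs for both paths (not real CloudTrail output)."""
    ingress = {
        "eventTime": "2024-05-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice",
                         "sessionContext": {"sessionIssuer": {
                             "arn": "arn:aws:iam::111122223333:role/Admin"}}},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    }
    readonly = {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"}
    log_file = gzip.compress(json.dumps({"Records": [readonly, ingress]}).encode())
    internal = dict(ingress, requestParameters={"groupId": "sg-0fedcba9876543210",
        "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                                     "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}})
    bridge_event = {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
                    "detail": internal}
    return {"from_log_file": triage(records_from_log_file(log_file)),
            "from_eventbridge": triage(records_from_event(bridge_event))}
```

Deploy with the handler set to this module's handler and attach it to both triggers; demo() exercises the two input shapes offline. Keep the execution role minimal: s3:GetObject on the trail bucket, kms:Decrypt if the trail is KMS-encrypted, and whatever the ticketing call needs. Failed or denied calls are skipped here because they carry an errorCode; if you also want to see attempted changes, drop that condition and record the errorCode in the finding.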