AWS CloudTrail enables you to simplify governance, compliance, and risk auditing. CloudTrail accelerates analysis of operational and security issues by providing visibility into both API and non-API actions in your AWS account. With CloudWatch Logs integration, support for multi-region configurations, and log file integrity validation, CloudTrail provides comprehensive, secure, and searchable event history of activity made with the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

Get Started with AWS for Free

Create a Free Account
Or Sign In to the Console

Receive twelve months of access to the AWS Free Usage Tier and enjoy AWS Basic Support features including, 24x7x365 customer service, support forums, and more.

Simple Setup

AWS CloudTrail is enabled on all AWS accounts and records your account activity upon account creation. You can view and download the last 90 days of your account activity for create, modify, and delete operations of supported services without the need to manually setup CloudTrail.

Simple Setup

You can view, search, and download your recent AWS account activity. This allows you to gain visibility into changes in your AWS account resources so you can strengthen your security processes and simplify operational issue resolution.

100x100_benefit_managed-deployment1

You can configure AWS CloudTrail to deliver log files from multiple regions to a single Amazon S3 bucket for a single account. A configuration that applies to all regions ensures that all settings apply consistently across all existing and newly launched regions. For detailed instructions, see Aggregating CloudTrail Log Files to a Single Amazon S3 Bucket in the AWS CloudTrail User Guide.

 

 

Service Map

You can validate the integrity of AWS CloudTrail log files stored in your Amazon S3 bucket and detect whether the log files were unchanged, modified, or deleted since CloudTrail delivered them to your Amazon S3 bucket. You can use log file integrity validation in your IT security and auditing processes.

 

Data Annotation and Filtering

By default, AWS CloudTrail encrypts all log files delivered to your specified Amazon S3 bucket using Amazon S3 server-side encryption (SSE). Optionally, add a layer of security to your CloudTrail log files by encrypting the log files with your AWS Key Management Service (AWS KMS) key. Amazon S3 automatically decrypts your log files if you have decrypt permissions. For more information, see encrypting log files using your KMS key.

 

Console and Programmatic Access

Data events provide insights into the resource (“data plane”) operations performed on or within the resource itself. Data events are often high volume activities and include operations such as Amazon S3 object level APIs and AWS Lambda function invoke APIs. For example, you can log API actions on Amazon S3 objects and receive detailed information such as the AWS account, IAM user role, and IP address of the caller, time of the API call, and other details. You can also record activity of your Lambda functions, and receive details on Lambda function executions, such as the IAM user or service that made the Invoke API call, when the call was made, and which function was executed.

Security

Management events provide insights into the management (“control plane”) operations performed on resources in your AWS account. For example, you can log administrative actions such as creation, deletion, and modification of Amazon EC2 instances. For each event, you can get details such as the AWS account, IAM user role, and IP address of the user that initiated the action, time of the action, and which resources were affected.

Simple Setup

You can take advantage of the Amazon S3 bucket notification feature to direct Amazon S3 to publish object-created events to AWS Lambda. When CloudTrail writes logs to your S3 bucket, Amazon S3 can invoke your Lambda function to process the access records logged by CloudTrail.

Simple Setup

AWS CloudTrail integration with Amazon CloudWatch Logs enables you to send management and data events recorded by CloudTrail to CloudWatch Logs. CloudWatch Logs allows you to create metric filters to monitor events, search events, and stream events to other AWS services, such as AWS Lambda and Amazon Elasticsearch Service.

Simple Setup

AWS CloudTrail integration with Amazon CloudWatch Events enables you to automatically respond to changes to your AWS resources. With CloudWatch Events, you are able to define actions to execute when specific events are logged by AWS CloudTrail. For example, if CloudTrail logs a change to an Amazon EC2 security group, such as adding a new ingress rule, you can create a CloudWatch Events rule that sends this activity to an AWS Lambda function. Lambda can then execute a workflow to create a ticket in your IT Helpdesk system.