AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting. CloudTrail records user activity and API calls across AWS services as events. CloudTrail events help you answer the question of "Who did what, where, and when?"
CloudTrail records four categories of events:
Event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of management events in an AWS Region. There are no CloudTrail charges for viewing Event history.
CloudTrail Event history is enabled on all AWS accounts and records management events across AWS services without the need for any manual setup. With AWS Free Tier, you can view, search, and download the most recent 90-day history of your account’s management events at no charge using the CloudTrail console or by using the CloudTrail lookup-events API. To learn more, see Viewing events with CloudTrail Event history.
Trails capture a record of AWS account activity, delivering and storing these events in Amazon S3, with optional delivery to Amazon CloudWatch Logs and Amazon EventBridge. These events can be fed into your security monitoring solutions. You can use your own third-party solutions or AWS services such as Amazon Athena to search and analyze the logs captured by CloudTrail. You can create trails for a single AWS account or for multiple AWS accounts by using AWS Organizations.
You can deliver your CloudTrail events to S3 and optionally to CloudWatch Logs by creating trails. By doing this, you get the complete event details, and you can export and store events as you like. To learn more, see Creating a trail for your AWS account.
You can validate the integrity of CloudTrail log files stored in your S3 bucket and detect whether the log files were unchanged, modified, or deleted since CloudTrail delivered them to your S3 bucket. You can use log file integrity validation in your IT security and auditing processes. By default, CloudTrail encrypts all log files delivered to your specified S3 bucket by using S3 server-side encryption (SSE). If necessary, you can also add a layer of security to your CloudTrail log files by encrypting the log files with your AWS Key Management Service (KMS) key. If you have decrypt permissions, S3 automatically decrypts your log files. For more information, see Encrypting CloudTrail log files with AWS KMS–managed keys (SSE-KMS).
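As an added example (not code from AWS or from this page), the per-file hash check that log file integrity validation performs, run over constructed sample data: the digest entry layout follows the documented digest file structure, and the object keys and account ID are made up. It assumes that `hashValue` is the hex SHA-256 of the uncompressed log content; the real `aws cloudtrail validate-logs` command additionally verifies each digest file's RSA signature and its chain to the previous digest, which this example omits.

```python
import gzip
import hashlib
import hmac
import json

# Constructed sample data: three log objects one digest file might cover. The account ID
# and object names are made up but follow the AWSLogs/<account>/CloudTrail/... key layout.
PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/"
INTACT_OBJECT = PREFIX + "111122223333_CloudTrail_us-east-1_20240501T0000Z_intact.json.gz"
TAMPERED_OBJECT = PREFIX + "111122223333_CloudTrail_us-east-1_20240501T0005Z_tampered.json.gz"
MISSING_OBJECT = PREFIX + "111122223333_CloudTrail_us-east-1_20240501T0010Z_missing.json.gz"

def log_bytes(event_name: str) -> bytes:
    """Uncompressed content of a minimal, constructed CloudTrail log file."""
    return json.dumps({"Records": [{"eventSource": "iam.amazonaws.com", "eventName": event_name}]}).encode()

ORIGINAL = {name: log_bytes(evt) for name, evt in
            [(INTACT_OBJECT, "CreateUser"), (TAMPERED_OBJECT, "AttachUserPolicy"), (MISSING_OBJECT, "DeleteUser")]}

# Digest entries as CloudTrail would have written them at delivery time. Assumption: hashValue
# is the hex SHA-256 of the *uncompressed* log content, which is what validation recomputes.
DIGEST = {"digestEndTime": "2024-05-01T01:00:00Z",
          "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256",
                        "hashValue": hashlib.sha256(v).hexdigest()} for k, v in ORIGINAL.items()]}

# Simulated bucket state some time after delivery: one object intact, one rewritten with its
# record removed, one deleted. Validation must report all three conditions.
BUCKET = {INTACT_OBJECT: gzip.compress(ORIGINAL[INTACT_OBJECT]),
          TAMPERED_OBJECT: gzip.compress(json.dumps({"Records": []}).encode())}

def validate_log_files(digest: dict, fetch) -> dict:
    """Return {s3Object: 'unchanged' | 'modified' | 'missing'} for every log file the digest lists.
    fetch(key) returns the gzipped object bytes, or None when the object no longer exists."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        blob = fetch(key)
        if blob is None:
            results[key] = "missing"
            continue
        actual = hashlib.sha256(gzip.decompress(blob)).hexdigest()
        # constant-time comparison is the right habit for any hash or MAC check
        results[key] = "unchanged" if hmac.compare_digest(actual, entry["hashValue"]) else "modified"
    return results

def run_check() -> dict:
    """Validate the constructed digest against the simulated bucket."""
    return validate_log_files(DIGEST, BUCKET.get)

if __name__ == "__main__":
    for key, status in run_check().items():
        print(f"{status:9s} {key.rsplit('/', 1)[-1]}")
```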
You can configure CloudTrail to capture and store events from multiple AWS Regions in a single location. This configuration ensures that all settings apply consistently across existing and newly launched Regions. To learn more, see Receiving CloudTrail log files from multiple Regions.
You can configure CloudTrail to capture and store events from multiple AWS accounts in a single location. This configuration ensures that all settings apply consistently across all existing and newly created accounts. To learn more, see Creating a trail for an organization.
CloudTrail Lake is a managed data lake for capturing, storing, accessing, and analyzing user and API activity on AWS for audit and security purposes. You can aggregate, visualize, query, and immutably store your activity logs from both AWS and non-AWS sources. IT auditors can use CloudTrail Lake as an immutable record of all activities to meet audit requirements. Security administrators can verify that user activity is in accordance with internal policies. DevOps engineers can troubleshoot operational issues such as an unresponsive Amazon Elastic Compute Cloud (EC2) instance or a resource being denied access.
Because CloudTrail Lake is a managed audit and security lake, your events are stored within the lake. CloudTrail Lake grants read-only access to prevent changes to log files. Read-only access means that events are immutable.
CloudTrail Lake helps you gain deeper insights into your AWS activity logs through a combination of powerful querying and visualization tools. You can run SQL-based queries directly on activity logs stored in CloudTrail Lake, and for users less familiar with SQL, the AI-powered natural language query generation feature simplifies analysis without the need to write complex queries.
To further streamline analysis, CloudTrail Lake includes AI-powered query result summarization (in preview), which provides natural language summaries of key insights from your query results. This feature reduces the time and effort required to extract meaningful information from your AWS activity logs.
For more advanced analytics, you can use Amazon Athena to interactively query your CloudTrail Lake auditable logs alongside data from other sources without the operational complexity of moving or replicating data. This enables security engineers to correlate activity logs in CloudTrail Lake with application and traffic logs in Amazon S3 for security incident investigations. Compliance and operations engineers can further visualize activity logs using Amazon QuickSight and Amazon Managed Grafana for comprehensive analysis and reporting.
With AWS CloudTrail Lake, you can consolidate activity events from AWS and sources outside AWS — including data from other cloud providers, in-house applications, and SaaS applications running in the cloud or on premises — without having to maintain multiple log aggregators and reporting tools. You can also ingest data from other AWS services, like configuration items from AWS Config or audit evidence from AWS Audit Manager. You can use CloudTrail Lake APIs to set up your data integrations and push events to CloudTrail Lake. To integrate with third-party tools, you can start receiving activity events from these applications in a few steps through partner integrations in the CloudTrail console.
CloudTrail Lake helps you capture and store events from multiple Regions.
By using CloudTrail Lake, you can capture and store events for all accounts in your AWS Organizations organization. Additionally, you can designate up to three delegated administrator accounts to create, update, query, or delete organization trails or CloudTrail Lake event data stores at the organization level.
AWS CloudTrail Insights events help AWS users identify and respond to unusual activity associated with API calls and API error rates by continuously analyzing CloudTrail management events. CloudTrail Insights analyzes your normal patterns of API call volume and API error rates, also called the baseline, and generates Insights events when the call volume or error rates are outside normal patterns. You can enable CloudTrail Insights in your trails or event data stores to detect anomalous behavior and unusual activity.