AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting. CloudTrail records user activity and API usage across AWS services as Events. CloudTrail Events help you answer the questions of "who did what, where, and when?"
CloudTrail records two types of events: Management events capturing control plane actions on resources such as creating or deleting Amazon Simple Storage Service (Amazon S3) buckets, and data events capturing data plane actions within a resource, such as reading or writing an Amazon S3 object.
CloudTrail uses these events in three features:
- Trails enable delivery and storage of events in Amazon S3, with optional delivery to Amazon CloudWatch Logs and EventBridge.
- Insights analyzes control plane events for anomalous behavior in API call volumes.
- Event history provides a 90-day history of control plane actions for free.
As part of its core audit capabilities, CloudTrail supports encryption with customer managed keys and log file validation, so that modification or deletion of delivered log files can be detected.
AWS CloudTrail is enabled on all AWS accounts and records management events across AWS services without any manual setup. You can view, search, and download the most recent 90-day history of your account’s management events for free using CloudTrail in the AWS console or the AWS CLI Lookup API. Learn more on Viewing Events with CloudTrail Event History in the User Guide.
Deliver ongoing events for storage or monitoring
You can deliver your ongoing management and data events to Amazon S3 and optionally to Amazon CloudWatch Logs by creating trails. This gives you the complete event details and lets you export and store events as you like. Learn more on Creating a trail for your AWS account in the User Guide. CloudTrail’s integration with Amazon EventBridge provides a convenient way to create rules-based alerts and set up automated workflows in response to events.
You can configure AWS CloudTrail to capture and store events from multiple regions in a single location. This ensures that all settings apply consistently across all existing and newly-launched regions. Learn more on Aggregating CloudTrail Log Files to a Single Amazon S3 Bucket in the User Guide.
You can configure AWS CloudTrail to capture and store events from multiple accounts in a single location. This ensures that all settings apply consistently across all existing and newly-created accounts. Learn more on Creating a trail for an organization in the User Guide.
Log file integrity validation
You can validate the integrity of AWS CloudTrail log files stored in your Amazon S3 bucket and detect whether the log files were unchanged, modified, or deleted since CloudTrail delivered them to your Amazon S3 bucket. You can use log file integrity validation in your IT security and auditing processes.
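The hash and chain portion of that validation, as an added example that is not AWS's code (the AWS CLI command `aws cloudtrail validate-logs` performs the full check, including the RSA signature on each digest, which this example omits). The digest fields follow the CloudTrail digest file structure, the S3 key and event content are constructed, and the example assumes, as the AWS documentation describes, that each recorded hash covers the uncompressed content of a gzipped file.

```python
import gzip
import hashlib
import json
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_digest(digest: dict, objects: dict, previous_digest: Optional[bytes]) -> list:
    """Check every log file listed in a digest against its recorded SHA-256 hash
    and verify the digest's link to its predecessor. Returns the problems found
    (an empty list means every check passed). `objects` maps S3 keys to the
    gzipped bytes as delivered; hashes are computed over the uncompressed content."""
    problems = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in objects:
            problems.append(f"deleted: {key}")  # file listed in digest but gone from the bucket
            continue
        if sha256_hex(gzip.decompress(objects[key])) != entry["hashValue"]:
            problems.append(f"modified: {key}")  # content no longer matches the digest
    if previous_digest is not None and \
            sha256_hex(gzip.decompress(previous_digest)) != digest["previousDigestHashValue"]:
        problems.append("chain broken: previous digest hash mismatch")
    return problems


def demo() -> dict:
    """Constructed sample: one log file and one previous digest, then tamper with each."""
    log_body = json.dumps({"Records": [{"eventName": "DeleteBucket", "eventSource": "s3.amazonaws.com"}]}).encode()
    prev_body = json.dumps({"logFiles": []}).encode()
    # Constructed S3 key in the CloudTrail delivery layout; 123456789012 is a placeholder account ID.
    log_key = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/example_CloudTrail.json.gz"
    digest = {
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(prev_body),
        "logFiles": [{"s3Object": log_key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(log_body)}],
    }
    intact = {log_key: gzip.compress(log_body)}
    tampered = {log_key: gzip.compress(log_body.replace(b"DeleteBucket", b"GetBucket"))}
    prev_gz = gzip.compress(prev_body)
    return {
        "intact": validate_digest(digest, intact, prev_gz),
        "modified": validate_digest(digest, tampered, prev_gz),
        "deleted": validate_digest(digest, {}, prev_gz),
        "chain": validate_digest(digest, intact, gzip.compress(b"{}")),
    }
```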
Log file encryption
By default, AWS CloudTrail encrypts all log files delivered to your specified Amazon S3 bucket using Amazon S3 server-side encryption (SSE). Optionally, add a layer of security to your CloudTrail log files by encrypting them with your AWS Key Management Service (KMS) key. Amazon S3 automatically decrypts your log files if you have decrypt permissions. For more information, see encrypting log files using your KMS key.
CloudTrail Insights identifies unusual activity in your AWS accounts, such as spikes in resource provisioning, bursts of AWS Identity and Access Management (IAM) actions, or gaps in periodic maintenance activity. You enable CloudTrail Insights events on your trails.