AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting. CloudTrail records user activity and API calls across AWS services as events. CloudTrail events help you answer the question of "Who did what, where, and when?"
- Management events that capture control plane actions on resources, such as creating or deleting Amazon Simple Storage Service (S3) buckets.
- Data events that capture data plane actions within a resource, such as reading or writing an Amazon S3 object.
- Configuration items from AWS Config that capture resource configuration history and resource compliance history as evaluated by AWS Config rules.
- Audit evidence from AWS Audit Manager that contains the information needed to demonstrate compliance with the requirements as specified by Audit Manager controls.
- Event history provides a 90-day history of control plane actions at no additional cost. As part of its core audit capabilities, CloudTrail provides customer managed keys for encryption and log file validation to enable immutability. You pay for only what you use of the paid features. Some of the following features are provided at no additional charge. No minimum fees or upfront commitments are required.
- AWS CloudTrail Lake is a managed data lake for capturing, storing, accessing, and analyzing user and API activity on AWS for audit and security purposes. You can aggregate, immutably store your activity logs (management events, data events, and AWS Config configuration items) for up to seven years and query logs within seconds for search and analysis. Additionally, you can import any existing CloudTrail logs from your S3 buckets into an existing or new CloudTrail Lake event data store. IT auditors can use CloudTrail Lake as an immutable record of all activities to meet audit requirements. Security administrators can verify that user activity is in accordance with internal policies. DevOps engineers can troubleshoot operational issues such as an unresponsive Amazon Elastic Compute Cloud (EC2) instance or a resource being denied access. CloudTrail Lake helps security teams perform retrospective investigations by answering who made what configuration changes to resources associated with security incidents such as data exfiltration or unauthorized access to your AWS environment. CloudTrail Lake helps compliance engineers investigate non-compliant changes to their production environments by relating non-compliant AWS Config rules to who and what resource changes prompted them. IT teams can perform historical asset inventory analysis on configuration items with CloudTrail Lake’s seven-year retention period and SQL query engine.
- Trails capture a record of AWS account activities, delivering and storing these events in S3, with optional delivery to Amazon CloudWatch Logs and Amazon EventBridge. These events can be fed into your security monitoring solutions. You can use your own third-party solutions or solutions such as Amazon Athena for searching and analyzing logs captured by CloudTrail. You can create trails for a single AWS account or for multiple AWS accounts by using AWS Organizations. AWS CloudTrail Insights analyzes control plane events for anomalous behavior in API call volumes and can detect unusual activity such as spikes in resource provisioning or gaps in periodic activity.
CloudTrail is enabled on all AWS accounts and records management events across AWS services without the need for any manual setup. With AWS Free Tier, you can view, search, and download the most recent 90-day history of your account’s management events at no charge using the CloudTrail console or by using the CloudTrail lookup-events API. To learn more, see Viewing events with CloudTrail Event history.
Storage and monitoring
You can deliver your ongoing management and data events to S3 and optionally to CloudWatch Logs by creating trails. By doing this, you get the complete event details, and you can export and store events as you like. To learn more, see Creating a trail for your AWS account. Because CloudTrail Lake is a managed audit and security lake, your events (including management events, data events, and configuration items from AWS Config) are stored automatically within the lake. You must first enable AWS Config recording to ingest configuration items in CloudTrail Lake.
Immutable and encrypted activity logs
You can validate the integrity of CloudTrail log files stored in your S3 bucket and detect whether the log files were unchanged, modified, or deleted since CloudTrail delivered them to your S3 bucket. You can use log file integrity validation in your IT security and auditing processes. CloudTrail Lake encrypts all logs automatically.
By default, CloudTrail encrypts all log files delivered to your specified S3 bucket by using S3 server-side encryption (SSE). If necessary, you can also add a layer of security to your CloudTrail log files by encrypting the log files with your AWS Key Management Service (KMS) key. If you have decrypt permissions, S3 automatically decrypts your log files. For more information, see Encrypting CloudTrail log files with AWS KMS–managed keys (SSE-KMS). CloudTrail Lake grants read-only access to prevent changes to log files. Read-only access means that events are automatically immutable.
Insights and analytics
With CloudTrail Lake, you can run SQL-based queries on activity logs for auditing within the lake. You can also enable CloudTrail Insights in your trails to identify unusual activity in your AWS accounts. Examples of this are spikes in resource provisioning, bursts of AWS Identity and Access Management (IAM) actions, or gaps in periodic maintenance activity. You can enable CloudTrail Insights events in your trails.
You can configure CloudTrail to capture and store events from multiple AWS Regions in a single location. This configuration certifies that all settings apply consistently across existing and newly launched Regions. To learn more, see Receiving CloudTrail log files from multiple Regions. CloudTrail Lake also helps you capture and store events from multiple Regions.
You can configure CloudTrail to capture and store events from multiple AWS accounts in a single location. This configuration verifies that all settings apply consistently across all existing and newly created accounts. To learn more, see Creating a trail for an organization. By using CloudTrail Lake, you can also capture and store events from multiple accounts. Additionally, you can designate up to three delegated administrator accounts to create, update, query, or delete organization trails or CloudTrail Lake event data stores at the organization level.