AWS CloudTrail Documentation
AWS CloudTrail is designed to enable auditing, security monitoring, and operational troubleshooting. CloudTrail is designed to record user activity and API calls across AWS services as events. CloudTrail events help you answer the questions of "who did what, where, and when?"
CloudTrail records three types of events:
- Management events that capture control plane actions on resources, such as creating or deleting Amazon Simple Storage Service (Amazon S3) buckets.
- Data events that capture data plane actions within a resource, such as reading or writing an Amazon S3 object.
- Insights events that help AWS users identify and respond to unusual activity associated with API calls and API error rates by continuously analyzing CloudTrail management events.
AWS CloudTrail Event History
CloudTrail Event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of management events in an AWS Region. CloudTrail Event history is enabled on all AWS accounts and is designed to record your account activity upon account creation. You can view, search, and download your recent recorded account activity for create, modify, and delete operations of supported services without the need to manually set up CloudTrail.
AWS CloudTrail Trails
A trail is designed to capture a record of AWS account activity, delivering and storing these events in Amazon S3, with optional delivery to Amazon CloudWatch Logs and Amazon EventBridge. These events can be fed into your security monitoring solutions. You can use your own third-party solutions or AWS solutions such as Amazon Athena to search and analyze the logs captured by CloudTrail. You can create trails for a single AWS account or for multiple AWS accounts by using AWS Organizations.
Storage and monitoring
Log file integrity validation and encryption
Multi-region
You can configure CloudTrail to capture and store events from multiple AWS Regions in a single location. You can use this configuration to apply settings consistently across existing and newly launched Regions.
Multi-account
You can configure CloudTrail to capture and store events from multiple AWS accounts in a single location. You can use this configuration to apply settings consistently across all existing and newly created accounts.
AWS CloudTrail Lake
CloudTrail Lake is a managed data lake for capturing, storing, accessing, and analyzing user and API activity on AWS for audit and security purposes. You can aggregate, visualize, query, and immutably store your activity logs from both AWS and non-AWS sources. IT auditors can use CloudTrail Lake as an immutable record of activities to help meet audit requirements. Security administrators can use CloudTrail Lake to help determine that user activity is in accordance with internal policies. DevOps engineers can troubleshoot operational issues such as an unresponsive Amazon Elastic Compute Cloud (EC2) instance or a resource being denied access.
Immutable storage
Because CloudTrail Lake is a managed audit and security lake, your events are stored within the lake itself. CloudTrail Lake grants only read access to those events, preventing changes to log files; read-only access is what makes the stored events immutable.
Querying and analytics
With CloudTrail Lake, you can run SQL-based queries on activity logs for auditing within the lake. Additionally, you can use Amazon Athena to interactively query your CloudTrail Lake auditable logs alongside data from other sources without the operational complexity of moving or replicating data.
Multi-region configuration
CloudTrail Lake allows you to capture and store events from multiple Regions.
Multi-account configuration
By using CloudTrail Lake, you can capture and store events for all accounts in your AWS Organizations organization.
AWS CloudTrail Insights
AWS CloudTrail Insights events help AWS users identify and respond to unusual activity associated with API calls and API error rates by continuously analyzing CloudTrail management events. CloudTrail Insights analyzes your normal patterns of API call volume and API error rates, also called the baseline, and generates Insights events when the call volume or error rates are outside normal patterns. You can enable CloudTrail Insights in your trails or event data stores to detect anomalous behavior and unusual activity.
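The event categories listed under AWS CloudTrail above and the API error-rate baseline that Insights analyzes can both be worked through on a log file. The following is an added example, not AWS's own code: it parses a constructed CloudTrail log file in the standard `{"Records": [...]}` layout, reduces each record to who / what / where / when, counts management versus data events, and computes the error rate a baseline would track.

```python
"""Who did what, where, and when? from a CloudTrail log file.

Added example, not AWS code. Assumes the standard CloudTrail log file layout
({"Records": [...]}) and real record field names; the log is constructed.
"""
import json
from collections import Counter

# Constructed sample log: two management events, one data event, one failed call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "203.0.113.10", "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-15T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "readOnly": True,
     "sourceIPAddress": "203.0.113.10", "eventCategory": "Data",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-15T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "eu-west-1", "readOnly": False,
     "sourceIPAddress": "198.51.100.7", "eventCategory": "Management",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"}},
]})

def load_records(log_text: str) -> list:
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(log_text)["Records"]

def summarize(record: dict) -> dict:
    """Reduce one record to who / what / where / when plus call outcome."""
    return {
        "who": record["userIdentity"].get("arn", record["userIdentity"].get("type")),
        "what": f"{record['eventSource']}:{record['eventName']}",
        "where": (record["awsRegion"], record.get("sourceIPAddress")),
        "when": record["eventTime"],
        "ok": "errorCode" not in record,  # a present errorCode means the call failed
    }

def count_by_category(records: list) -> Counter:
    """Count management vs. data (vs. insight) events, the split the documentation describes."""
    return Counter(r.get("eventCategory", "Unknown") for r in records)

def error_rate(records: list) -> float:
    """Share of API calls that returned an error: the kind of rate Insights baselines."""
    return sum("errorCode" in r for r in records) / len(records) if records else 0.0

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(*(summarize(r) for r in recs), count_by_category(recs), error_rate(recs), sep="\n")
```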
Additional Information
For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.