• Almost anything done on an AWS account is logged by CloudTrail.
  • Logs API calls and activities performed by a user, role or service as CloudTrail events.
  • Event history covering 90 days is enabled by default. A trail can store events in an S3 bucket indefinitely, as a set of compressed JSON files.
  • Trails
  • There are two types of events: Management and Data.
    • Management events provide operational information about control-plane operations, such as creating or terminating instances.
    • Data events provide information about resource operations on or in a resource, such as objects accessed or Lambda functions invoked. They are not enabled by default.
  • A CloudTrail trail is the unit of configuration. A trail logs events within a region and can be set for a single region or for all regions. A single-region trail logs only that region's events, whereas an all-regions trail aggregates logs from every region.
  • Global services (IAM, STS and CloudFront) log to us-east-1, and global service events must be enabled on the trail; all other services are region specific.
  • It can be integrated with CloudWatch Logs, after which the data can be searched using metric filters.
  • An organisational trail can also be created to manage multiple accounts.
  • CloudTrail is not real-time; activities are delivered within 15 minutes.
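As an added example (not part of these notes), the following Python reads one CloudTrail delivery file in the S3 format described above (gzip-compressed JSON with a Records array), classifies each record as a Management or Data event, tallies events per region, and flags CloudTrail API calls that stop or alter the trail itself. The records are constructed sample data; the account id and ARNs are placeholders.

```python
import gzip
import json
from collections import Counter

# Management API calls that weaken or disable the audit trail itself (worth alerting on).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample records in the CloudTrail record format; not real account data.
SAMPLE_RECORDS = [
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:00:00Z", "eventCategory": "Management",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:05:00Z", "eventCategory": "Data",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}},
    {"eventVersion": "1.05", "eventTime": "2024-01-01T10:07:00Z", "managementEvent": True,
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]


def sample_file() -> bytes:
    """Build one S3 delivery file as CloudTrail writes it: gzip-compressed JSON with a Records array."""
    return gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())


def parse_cloudtrail_file(blob: bytes) -> list:
    """Decompress a delivery file and return its list of event records."""
    return json.loads(gzip.decompress(blob))["Records"]


def event_category(rec: dict) -> str:
    """Management or Data: newer event versions carry eventCategory, older ones managementEvent."""
    if rec.get("eventCategory"):
        return rec["eventCategory"]
    return "Management" if rec.get("managementEvent", True) else "Data"


def summarize(records: list) -> dict:
    """Count events per category and per region, and list calls that tamper with the trail."""
    tampering = [(r["eventTime"], r["eventName"], r["userIdentity"].get("arn"))
                 for r in records
                 if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPERING]
    return {"by_category": Counter(event_category(r) for r in records),
            "by_region": Counter(r["awsRegion"] for r in records),
            "tampering": tampering}


if __name__ == "__main__":
    print(summarize(parse_cloudtrail_file(sample_file())))
```

Run against real delivery files, the same functions apply to each object downloaded from the trail's bucket; only the sample records are constructed.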