- Almost anything done on an AWS account is logged by CloudTrail.
- Logs API calls/activities as a CloudTrail Event performed by a user, role or a service.
- Event history is enabled for 90 days by default. A trail can store events in an S3 bucket indefinitely, as a set of compressed JSON files.
- Trails
- There are two types of events; Management and Data.
- Management events provide operational info: control-plane operations such as creating or terminating instances.
- Data events provide info about resource operations on or in a resource, such as objects accessed or Lambda functions invoked. They are not enabled by default.
- A CloudTrail trail is the unit of configuration. A trail logs events within a region; you can configure it for a single region or for all regions. A single-region trail logs only that region's events, whereas an all-regions trail aggregates the logs of every region.
- Global services (IAM, STS and CloudFront) log their events to us-east-1, and global service event logging needs to be enabled on the trail; otherwise the trail only records region-specific events.
- It can be integrated with CloudWatch Logs, so that you can search through the data using metric filters.
- An organization trail can also be created to manage logging across multiple accounts.
- CloudTrail is not real-time; it delivers activity within 15 minutes.
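The following is an added example, not part of the original notes: it shows the shape of the log files a trail writes to S3 (a gzip-compressed JSON object with a top-level `Records` array), classifies events as Management or Data, counts them per region the way an all-regions trail aggregates them, and runs two detection rules of the kind normally expressed as CloudWatch Logs metric filters on a CloudTrail log group (root-account activity, console login without MFA). All records, account ids and IP addresses are constructed sample values; the CloudTrail field names used (`eventSource`, `awsRegion`, `eventCategory`, `managementEvent`, `userIdentity.type`, `additionalEventData.MFAUsed`) follow the real record schema.

```python
"""Offline parser and detection pass over CloudTrail log files as delivered to S3.

Added example with constructed sample data; the S3/gzip/JSON layout mirrors what a
trail writes, and the detection rules mirror common CloudWatch Logs metric filters.
"""
import gzip
import io
import json
from collections import Counter

# Global services deliver their events with awsRegion us-east-1 (see the note above).
GLOBAL_SERVICE_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com", "cloudfront.amazonaws.com"}

# Constructed sample records: field names follow the CloudTrail schema, values are fake.
SAMPLE_RECORDS = [
    {   # management event from a global service, performed by the root user
        "eventVersion": "1.08", "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "awsRegion": "us-east-1", "managementEvent": True, "eventCategory": "Management",
        "userIdentity": {"type": "Root", "accountId": "111111111111"},
        "sourceIPAddress": "198.51.100.10",
    },
    {   # ordinary control-plane call in a regional service
        "eventVersion": "1.08", "eventTime": "2024-01-01T10:05:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "awsRegion": "eu-west-1", "managementEvent": True, "eventCategory": "Management",
        "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
        "sourceIPAddress": "203.0.113.5",
    },
    {   # data event: object-level access, only present if data events are enabled
        "eventVersion": "1.08", "eventTime": "2024-01-01T10:06:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "awsRegion": "eu-west-1", "managementEvent": False, "eventCategory": "Data",
        "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                         "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc"},
        "sourceIPAddress": "10.0.1.25",
    },
    {   # console sign-in without MFA
        "eventVersion": "1.08", "eventTime": "2024-01-01T10:07:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1", "managementEvent": True, "eventCategory": "Management",
        "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111111111111"},
        "additionalEventData": {"MFAUsed": "No"},
        "sourceIPAddress": "203.0.113.9",
    },
]


def build_log_file(records):
    """Pack records the way a trail writes them to S3: gzip of {"Records": [...]}."""
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


def parse_log_file(blob):
    """Inverse of build_log_file: decompress one S3 object and return its event list."""
    with gzip.open(io.BytesIO(blob), "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def summarize(records):
    """Count events by category (Management/Data) and by region."""
    by_category = Counter(r.get("eventCategory", "Management") for r in records)
    by_region = Counter(r["awsRegion"] for r in records)
    return by_category, by_region


def is_global_service_event(record):
    """True for IAM/STS/CloudFront events, which a trail only carries with global events enabled."""
    return record.get("eventSource") in GLOBAL_SERVICE_SOURCES


# Metric-filter equivalent: { $.userIdentity.type = "Root" }
def is_root_activity(record):
    return record.get("userIdentity", {}).get("type") == "Root"


# Metric-filter equivalent: { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
def is_console_login_without_mfa(record):
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def find_findings(records):
    """Apply the detection rules and return (rule, detail) tuples in record order."""
    findings = []
    for r in records:
        if is_root_activity(r):
            findings.append(("root-activity", r["eventName"]))
        if is_console_login_without_mfa(r):
            findings.append(("console-login-no-mfa", r["userIdentity"].get("userName")))
    return findings


if __name__ == "__main__":
    records = parse_log_file(build_log_file(SAMPLE_RECORDS))
    by_category, by_region = summarize(records)
    print("by category:", dict(by_category))
    print("by region:", dict(by_region))
    print("global-service events:", [r["eventName"] for r in records if is_global_service_event(r)])
    for rule, detail in find_findings(records):
        print(f"FINDING {rule}: {detail}")
```

The two comment lines above each rule are the CloudWatch Logs metric filter patterns that express the same check once the trail is integrated with a log group; running the rule offline over the S3 files, as here, is the fallback for accounts where that integration is not set up, keeping in mind the delivery delay noted above.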