Intro

• Global Service (a single trail can be applied to multiple regions)
• Provides governance, compliance and audit by recording all the API calls to AWS services made within the account.
• Enabled by default
• Event retention: 90 days
• Export CloudTrail logs into
  • CloudWatch Logs
  • S3 (encrypted by default using SSE-S3)
• CloudTrail logs up to the last 90 days can be analyzed in CloudTrail Console. Older logs should be present in S3 and can be analyzed using Athena.

<aside> 💡 Modifications to log files can be detected by enabling Log File Validation on the logging bucket

</aside>

Event Types

Management Events

• Events of operations that modify AWS resources. Ex:
  • Creating a new IAM user
  • Deleting a subnet
• Enabled by default
• Can separate Read Events (that don’t modify resources) from Write Events (that may modify resources)

Data Events

• Events of operations that modify data
  • S3 object-level activity
  • Lambda function execution
• Disabled by default (due to high volume of data events)

Insight Events

• Enable CloudTrail Insights to detect unusual activity in your account
  • inaccurate resource provisioning
  • hitting service limits
  • bursts of AWS IAM actions
  • gaps in periodic maintenance activity