AWS CloudTrail

AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

CloudTrail is active in your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event.

⁠

CloudTrail provides three ways to record events:

Event history – The Event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of management events in an AWS Region. You can search events by filtering on a single attribute. You automatically have access to the Event history when you create your account. For more information, see

Working with CloudTrail Event history⁠

There are no CloudTrail charges for viewing the Event history.

CloudTrail Lake –

AWS CloudTrail Lake⁠

is a managed data lake for capturing, storing, accessing, and analyzing user and API activity on AWS for audit and security purposes. CloudTrail Lake converts existing events in row-based JSON format to

Apache ORC⁠

format. ORC is a columnar storage format that is optimized for fast retrieval of data. Events are aggregated into event data stores, which are immutable collections of events based on criteria that you select by applying advanced event selectors. You can keep the event data in an event data store for up to 3,653 days (about 10 years) if you choose the One-year extendable retention pricing option, or up to 2,557 days (about 7 years) if you choose the Seven-year retention pricing option. You can create an event data store for a single AWS account or for multiple AWS accounts by using AWS Organizations. You can import any existing CloudTrail logs from your S3 buckets into an existing or new event data store. You can also visualize top CloudTrail event trends with

Lake dashboards⁠

. For more information, see

Working with AWS CloudTrail Lake⁠

CloudTrail Lake event data stores and queries incur charges. When you create an event data store, you choose the

pricing option⁠

you want to use for the event data store. The pricing option determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store. When you run queries in Lake, you pay based upon the amount of data scanned. For information about CloudTrail pricing and managing Lake costs, see

AWS CloudTrail Pricing⁠

and

Managing CloudTrail Lake costs⁠

Trails – Trails capture a record of AWS activities, delivering and storing these events in an Amazon S3 bucket, with optional delivery to

CloudWatch Logs⁠

and

Amazon EventBridge⁠

. You can input these events into your security monitoring solutions. You can also use your own third-party solutions or solutions such as Amazon Athena to search and analyze your CloudTrail logs. You can create trails for a single AWS account or for multiple AWS accounts by using AWS Organizations. You can

log Insights events⁠

to analyze your management events for anomalous behavior in API call volumes and error rates. For more information, see

Creating a trail for your AWS account⁠

You can deliver one copy of your ongoing management events to your S3 bucket at no charge from CloudTrail by creating a trail, however, there are Amazon S3 storage charges. For more information about CloudTrail pricing, see

AWS CloudTrail Pricing⁠

. For information about Amazon S3 pricing, see

Amazon S3 Pricing⁠

Visibility into your AWS account activity is a key aspect of security and operational best practices. You can use CloudTrail to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure. You can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help you analyze and respond to activity in your AWS account.

You can integrate CloudTrail into applications using the API, automate trail or event data store creation for your organization, check the status of event data stores and trails you create, and control how users view CloudTrail events.

⁠

CloudTrail trails

You can create two types of trails for an AWS account: multi-Region trails and single-Region trails.

Multi-Region trails

When you create a multi-Region trail, CloudTrail records events in all AWS Regions in the AWS partition in which you are working and delivers the CloudTrail event log files to an S3 bucket that you specify. If an AWS Region is added after you create a multi-Region trail, that new Region is automatically included, and events in that Region are logged. Creating a multi-Region trail is a recommended best practice since you capture activity in all Regions in your account. All trails you create using the CloudTrail console are multi-Region. You can convert a single-Region trail to a multi-Region trail by using the AWS CLI. For more information, see Creating a trail in the console and Converting a trail that applies to one Region to apply to all Regions.

Single-Region trails

When you create a single-Region trail, CloudTrail records the events in that Region only. It then delivers the CloudTrail event log files to an Amazon S3 bucket that you specify. You can only create a single-Region trail by using the AWS CLI. If you create additional single trails, you can have those trails deliver CloudTrail event log files to the same S3 bucket or to separate buckets. This is the default option when you create a trail using the AWS CLI or the CloudTrail API.

CloudTrail trails

Multi-Region trails

Single-Region trails

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.