AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
CloudTrail is for auditing, which makes it a different tool from CloudWatch. CloudTrail records the changes made to your AWS account's resources (create user, delete user, launch an EC2 instance, delete a bucket, and so on) so you can go back and see what changed, when, and by whom. CloudTrail publishes an event whenever an API call is made in the account.
CloudWatch or CloudTrail? Amazon CloudWatch focuses on performance monitoring and system health (metrics, alarms, and application logs). CloudTrail focuses on API activity: which principal called which API, when, and from where.
CloudTrail delivers its log files to an S3 bucket that you specify, encrypted at rest (with SSE-S3 by default, or with an AWS KMS key you choose), and can optionally send each event to a CloudWatch Logs log group as well. Turn on log file validation when you create the trail: CloudTrail then delivers signed digest files that let you detect whether a delivered log file was later modified or deleted.
A trail that applies to all Regions (a multi-region trail) gives you the following:
The configuration settings for the trail apply consistently across all Regions.
You receive CloudTrail events from all Regions in a single S3 bucket and, optionally, in a single CloudWatch Logs log group.
You manage the trail configuration for all Regions from one location.
You immediately receive events from a new Region. When a new Region launches, CloudTrail automatically creates a trail for you in the new Region with the same settings as your original trail.
You keep visibility into Regions that you don't use often, so that unusual activity there (such as resources launched in a Region your teams never work in) is still logged and can be monitored.
An event in CloudTrail is the record of an activity in an AWS account. CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
There are two types of events that can be logged in CloudTrail: management events and data events. By default, trails log management events but not data events.
Both management events and data events use the same CloudTrail JSON log format. You can identify them by the value in the managementEvent field.
Data events provide insight into the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities, which is why they are not logged unless you enable them on a trail (and why they are charged separately). Example data events include Amazon S3 object-level API activity (for example, the GetObject, DeleteObject, and PutObject API operations) and AWS Lambda function execution activity (the Invoke API).
CloudTrail event history provides a viewable, searchable, and downloadable record of the past 90 days of management events in a Region, and it is available without creating a trail. You can use this history to gain visibility into actions taken in your AWS account. To keep events longer than 90 days, or to see data events at all, you need a trail that delivers to an S3 bucket.
AWS Identity and Access Management (IAM) is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions. Use IAM to create an individual identity for anyone who needs access to AWS CloudTrail, grant read-only CloudTrail permissions to those who only need to view logs, and restrict the ability to stop, modify or delete trails to a small number of administrators, since the trail is the record of everything else.
If you have different but related user groups, such as developers, security personnel, and IT auditors, you can create multiple trails per Region (up to five). This allows each group to receive its own copy of the log files.
For most services, events are recorded in the region where the action occurred. For global services such as AWS Identity and Access Management (IAM), AWS STS, Amazon CloudFront, and Route 53, events are delivered to any trail that includes global services, and are logged as occurring in US East (N. Virginia) Region.
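The following Python script is an added example and is not code from the original page or from AWS. It works through three of the points above on a constructed sample log file: separating management events from data events using the managementEvent field, answering "what changed, when, and by whom" from the write-type management events, and handling the fact that global-service events (IAM, STS, CloudFront, Route 53) are recorded as us-east-1, so a naive filter on awsRegion silently drops them. The record fields follow the CloudTrail JSON log format, but every account, user, IP address, resource name and timestamp in the sample is made up, and the helper that builds the sample records is this example's own.

```python
import json

# Services the text above calls "global": CloudTrail records their events with
# awsRegion "us-east-1" regardless of where the caller actually was.
GLOBAL_SERVICE_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com",
                          "cloudfront.amazonaws.com", "route53.amazonaws.com"}


def _rec(time, source, name, region, user, ip, management, read_only, params=None):
    """Helper for this example only: build one record in the shape of the
    CloudTrail JSON log format, filling in just the fields inspected below."""
    return {"eventVersion": "1.08", "eventTime": time, "eventSource": source,
            "eventName": name, "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "requestParameters": params or {}, "eventType": "AwsApiCall",
            "managementEvent": management, "readOnly": read_only}


# Constructed sample log file in the form CloudTrail delivers to S3: a JSON
# object holding a "Records" array. Users, IPs, names and times are invented.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    # IAM is a global service, so the Region is us-east-1 even if alice was elsewhere
    _rec("2024-03-01T10:15:00Z", "iam.amazonaws.com", "CreateUser", "us-east-1",
         "alice", "203.0.113.10", True, False, {"userName": "svc-backup"}),
    _rec("2024-03-01T10:20:30Z", "ec2.amazonaws.com", "RunInstances", "eu-west-1",
         "alice", "203.0.113.10", True, False, {"instanceType": "t3.micro"}),
    _rec("2024-03-01T10:22:00Z", "ec2.amazonaws.com", "DescribeInstances", "eu-west-1",
         "alice", "203.0.113.10", True, True),
    _rec("2024-03-01T11:05:12Z", "s3.amazonaws.com", "DeleteBucket", "eu-west-1",
         "bob", "198.51.100.7", True, False, {"bucketName": "example-archive"}),
    # Data events: same format, managementEvent is False
    _rec("2024-03-01T11:06:00Z", "s3.amazonaws.com", "GetObject", "eu-west-1",
         "bob", "198.51.100.7", False, True, {"bucketName": "example-data", "key": "report.csv"}),
    _rec("2024-03-01T11:07:45Z", "lambda.amazonaws.com", "Invoke", "eu-west-1",
         "bob", "198.51.100.7", False, False, {"functionName": "nightly-report"}),
]})


def load_records(log_file_text):
    """Parse one delivered log file and return its Records list."""
    return json.loads(log_file_text)["Records"]


def is_management_event(record):
    """Both event kinds share one format; the managementEvent field tells them
    apart. Assumption made here: a record that lacks the field (older event
    versions) is treated as a management event."""
    return bool(record.get("managementEvent", True))


def data_events(records):
    """Data-plane activity only (S3 object operations, Lambda Invoke, ...)."""
    return [r for r in records if not is_management_event(r)]


def actor(record):
    """Best-effort principal name from userIdentity."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def change_log(records):
    """'What changed, when, by whom': management events that are not read-only,
    oldest first, as (time, actor, eventName, region, target) tuples. Read-only
    calls such as DescribeInstances are skipped; data events are never included."""
    rows = []
    for r in records:
        if not is_management_event(r) or r.get("readOnly", False):
            continue
        params = r.get("requestParameters") or {}
        target = (params.get("userName") or params.get("bucketName")
                  or params.get("functionName") or "-")
        rows.append((r["eventTime"], actor(r), r["eventName"], r["awsRegion"], target))
    return sorted(rows)


def events_for_region(records, region):
    """Events relevant to a Region. Filtering on awsRegion alone would drop
    IAM/STS/CloudFront/Route 53 activity, which is always recorded as us-east-1,
    so global-service events are included explicitly."""
    return [r for r in records
            if r["awsRegion"] == region
            or (r["eventSource"] in GLOBAL_SERVICE_SOURCES and r["awsRegion"] == "us-east-1")]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_FILE)
    for row in change_log(recs):
        print(" | ".join(row))
    naive = sum(r["awsRegion"] == "eu-west-1" for r in recs)
    print(f"eu-west-1 view: {len(events_for_region(recs, 'eu-west-1'))} events "
          f"(a plain awsRegion filter would show {naive} and miss the IAM change)")
```

Run against real files, load_records is the only function that changes: the objects CloudTrail writes to S3 are gzip-compressed, so open them with gzip before parsing. The same awsRegion caveat applies to any query you write against CloudWatch Logs or Athena: a WHERE clause on the Region of interest must also admit us-east-1 for the global service sources.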