
AWS CloudTrail

  • Provides governance, compliance, and audit capabilities by recording all API activity in your AWS account.
  • Enabled by default for event history (last 90 days of management events in the console).

Key Features

  • Captures API calls made via:
    • AWS Management Console
    • AWS CLI
    • AWS SDKs
    • AWS services (service-to-service calls)
  • Stores detailed information about each request, including:
    • Who made the call (IAM user, role, or AWS service)
    • When it was made
    • Source IP address
    • Actions performed and their parameters
    • Response elements
  • Can deliver logs to:
    • Amazon S3 (long-term storage, auditing)
    • CloudWatch Logs (monitoring, alerting)

Trail Configuration

  • Trails can be created for all AWS Regions (recommended) or a single Region.
  • Multi-Region trails ensure that activity in newly added Regions is also captured automatically.

Typical Uses

  • Security investigations: Identify who performed a specific action.
  • Change tracking: Monitor modifications to infrastructure.
  • Compliance audits: Provide a record of API activity for regulators.
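
Added example, not part of the original notes: a small parser that takes a CloudTrail log file in the shape delivered to S3 (`{"Records": [...]}`) and flattens each record to the fields listed under Key Features (who, when, source IP, action and parameters, success), then answers the Security investigations question "who performed a specific action?". The records are constructed sample data; the field names follow the CloudTrail record format.

```python
import json

# Constructed sample log body in the shape CloudTrail delivers to S3 ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"},
     "responseElements": {"user": {"userName": "svc-backup"}}},
    {"eventTime": "2024-05-01T10:16:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
     "requestParameters": {"name": "main-trail"}, "responseElements": None},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "config.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"},
     "requestParameters": {"bucketName": "audit-logs"}, "errorCode": "AccessDenied"},
]})

def actor(identity):
    """Readable principal from the userIdentity block (who made the call)."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return "user:" + identity.get("userName", "?")
    if kind == "AssumedRole":
        return "role:" + identity.get("arn", "?")
    if kind == "AWSService":
        return "service:" + identity.get("invokedBy", "?")
    return f"{kind}:{identity.get('arn', '?')}"

def summarize(log_text):
    """Flatten each record to who / when / from where / what / succeeded."""
    rows = []
    for rec in json.loads(log_text)["Records"]:
        rows.append({
            "when": rec["eventTime"],
            "who": actor(rec.get("userIdentity", {})),
            "from": rec.get("sourceIPAddress"),
            "action": rec["eventSource"].split(".")[0] + ":" + rec["eventName"],
            "params": rec.get("requestParameters") or {},
            "ok": "errorCode" not in rec,  # CloudTrail records failed calls too
        })
    return rows

def who_did(log_text, event_name):
    """Investigation query: which principals attempted event_name?"""
    return [r["who"] for r in summarize(log_text)
            if r["action"].split(":", 1)[1] == event_name]
```

Note that a call such as StopLogging against the trail itself shows up in the same records, which is why the Tip below recommends log file integrity validation.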

Architecture Flow

  1. Event Source: AWS Console, CLI, SDK, or service-generated API call.
  2. CloudTrail Processing: Event is logged and stored in the event history.
  3. Destinations:
      • Amazon S3 for archival and compliance
      • CloudWatch Logs for operational monitoring
  4. Access & Analysis: Use the AWS Console, Athena queries on S3 logs, or SIEM tools.

Tip: For critical workloads, enable a Multi-Region trail with log file integrity validation to ensure tamper detection.