---
title: AWS CloudTrail
description: AWS audit logging service that records every API call and account activity across your AWS infrastructure for security, compliance, and operational investigation.
url: https://www.factualminds.com/glossary/aws-cloudtrail/
publishDate: 2026-06-13
updateDate: 2026-06-13
---

# AWS CloudTrail

> AWS audit logging service that records every API call and account activity across your AWS infrastructure for security, compliance, and operational investigation.

## Definition

AWS CloudTrail records API activity in your AWS accounts: who called what API, from which IP, with which parameters, and whether it succeeded. **Management events** (control plane — create/delete/modify resources) are the compliance baseline. **Data events** (data plane — S3 object reads, Lambda invokes, DynamoDB item operations) are optional and billed separately but essential for sensitive data buckets. CloudTrail delivers logs to S3 (and optionally CloudWatch Logs, EventBridge, and **CloudTrail Lake** for SQL-style investigation). It answers: _Who did what, when, and from where?_

## When to use it

- **Security forensics and incident response** — trace IAM changes, security group edits, and resource deletions after an alert.
- **Compliance evidence** — PCI DSS Req. 10, HIPAA audit controls, SOC 2, FedRAMP; pair with log file integrity validation and immutable storage.
- **Organization-wide visibility** with an **organization trail** in the management account so member accounts cannot disable logging locally.
- **Threat detection feeds** — pipe events to EventBridge, Security Hub, or GuardDuty (which consumes CloudTrail).
- **Operational debugging** — "Who changed this Auto Scaling policy?" is a CloudTrail query, not a guess.

## When not to use it

- **Application request logging** — CloudTrail logs AWS API calls, not HTTP requests inside your app; use CloudWatch Logs or OpenTelemetry for that.
- **Default 90-day Event history only** — the console event history is not long-term retention and is not delivered to your SIEM.
- **All S3 buckets with data events enabled globally** — data events are powerful but costly at high object volume; scope to sensitive buckets.

## Tips

- Create at least one **multi-region trail** with **log file integrity validation** enabled.
- Protect the destination S3 bucket with a restrictive bucket policy, MFA delete where practical, and **S3 Object Lock** where regulations require WORM storage.
- Use **SCPs** to deny `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail` in production OUs.
- Enable **CloudTrail Lake** when compliance teams need SQL queries across years without building your own Athena pipeline.
- Alert on high-signal events: root login, `CreateUser`, `AttachUserPolicy`, security group `0.0.0.0/0`, `DeleteTrail`, KMS key schedule deletion.
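As an added example (not code from the page or from AWS), the alerting tip worked out as a small Python triage script: it reads one delivered CloudTrail log file, flags the event names listed above plus security group ingress rules opened to `0.0.0.0/0` or `::/0`, and runs against a constructed sample. Field names follow the CloudTrail record format; the sample records and the security group ID are made up.

```python
import json

# Events the tips above call out as high-signal, keyed by (eventSource, eventName).
ALWAYS_ALERT = {
    ("iam.amazonaws.com", "CreateUser"): "new IAM user created",
    ("iam.amazonaws.com", "AttachUserPolicy"): "policy attached directly to a user",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "audit trail deleted",
    ("cloudtrail.amazonaws.com", "StopLogging"): "trail logging stopped",
    ("kms.amazonaws.com", "ScheduleKeyDeletion"): "KMS key scheduled for deletion",
}

def open_ingress_cidrs(params):
    """CIDRs in an AuthorizeSecurityGroupIngress request that expose a port to the whole internet."""
    return [rng[field]
            for perm in params.get("ipPermissions", {}).get("items", [])
            for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6"))
            for rng in perm.get(key, {}).get("items", [])
            if rng.get(field) in ("0.0.0.0/0", "::/0")]

def classify(record):
    """Return an alert reason for one CloudTrail record, or None if it is routine."""
    source, name = record.get("eventSource"), record.get("eventName")
    if name == "ConsoleLogin" and record.get("userIdentity", {}).get("type") == "Root":
        return "root account console login"
    if (source, name) in ALWAYS_ALERT:
        return ALWAYS_ALERT[(source, name)]
    if source == "ec2.amazonaws.com" and name == "AuthorizeSecurityGroupIngress":
        cidrs = open_ingress_cidrs(record.get("requestParameters", {}))
        if cidrs:
            return "security group ingress opened to " + ", ".join(cidrs)
    return None

def scan_log_file(text):
    """Alerts as (eventName, reason) for one delivered CloudTrail log file ({"Records": [...]})."""
    scored = ((rec.get("eventName"), classify(rec)) for rec in json.loads(text).get("Records", []))
    return [(name, reason) for name, reason in scored if reason]

# Constructed sample log file (not real account data), shaped like CloudTrail's S3 delivery format.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress", "userIdentity":
     {"type": "AssumedRole"}, "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions":
     {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail", "userIdentity": {"type": "IAMUser"}},
]})

if __name__ == "__main__":
    for name, reason in scan_log_file(SAMPLE_LOG):
        print(f"ALERT {name}: {reason}")
```

The routine `DescribeInstances` record is dropped, and a rule restricted to a private CIDR would not fire either, so only the three events worth a page get through.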

## Gotchas

### Serious

- **No trail to S3** — relying on 90-day console history fails audits and leaves you blind after an incident window closes.
- **Unprotected log bucket** — an attacker with sufficient permissions can delete the evidence bucket; treat it as crown-jewel infrastructure.
- **Disabled integrity validation** — without digest files you cannot demonstrate logs were not tampered with under PCI 10.5-style controls.

### Regular

- **Assuming CloudTrail is on by default everywhere** — management events appear in event history, but durable multi-region delivery requires an explicit trail.
- **Missing data events on PHI/PCI buckets** — object-level access is invisible in management events alone.
- **Wrong region trail** — global service events and multi-region coverage need explicit trail configuration; a single-region trail misses cross-region API patterns.

## Official references

- [What is AWS CloudTrail?](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html)
- [CloudTrail management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events.html)
- [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events.html)
- [Validating CloudTrail log file integrity](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html)

## Related FactualMinds content

- [AWS Cloud Security Services](/services/aws-cloud-security/)
- [Cloud Compliance Services](/services/cloud-compliance-services/)
- [AWS Security Hub and compliance monitoring setup](/blog/how-to-set-up-aws-security-hub-compliance-monitoring/)

---

*Source: https://www.factualminds.com/glossary/aws-cloudtrail/*
