AWS CloudTrail
AWS audit logging service that records every API call and account activity across your AWS infrastructure for security, compliance, and operational investigation.
Definition
AWS CloudTrail records every API call made in your AWS account — who made the call, from where, when, and what action was taken. It is the foundation for security forensics, compliance auditing, operational troubleshooting, and threat detection. CloudTrail answers the question: “Who did what, when, and from where in AWS?”
What CloudTrail Records
Every CloudTrail event captures:
- eventTime: When the action occurred
- userIdentity: Who made the call (IAM user, role, service, root account)
- eventName: What action was taken (CreateBucket, TerminateInstances, DeleteUser)
- sourceIPAddress: Where the call originated
- requestParameters: Parameters passed to the API
- responseElements: Response returned by AWS
- errorCode / errorMessage: If the call failed
Event Types
Management Events (enabled by default)
- Control-plane operations: creating/modifying/deleting AWS resources
- Examples: CreateVpc, DeleteS3Bucket, AttachRolePolicy, RunInstances
- Always enable; critical for compliance
Data Events (optional, extra cost)
- Data-plane operations on specific resources
- Examples: S3 object-level operations (GetObject, PutObject, DeleteObject), Lambda invocations, DynamoDB item-level API calls
- Enable for buckets containing PHI, financial data, or audit-required content
Insights Events (optional)
- Machine learning-based detection of unusual API activity
- Triggers when API call volume deviates significantly from baseline
- Examples: sudden spike in CreateUser calls, unusual DescribeInstances rate
Trail Configuration
Organization Trail
- Single trail covering all accounts in an AWS Organization
- Logs delivered to a centralized S3 bucket in the management account
- Recommended — prevents account-level admins from disabling their own trails
Log File Integrity Validation
- CloudTrail generates a digest file every hour with SHA-256 hashes of log files
- Proves that logs have not been tampered with
- Required for HIPAA, PCI DSS, SOC 2, and FedRAMP compliance
- Enable on all production trails
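As an added example (not code from the original page, and not AWS's own validate-logs tool), this Python recomputes the SHA-256 of stored log objects and compares it with the hashes recorded in a digest file, flagging objects that were modified or deleted after delivery. The sample objects and digest are constructed here, and the digest's RSA signature check that a full validation also performs is omitted.

```python
import gzip
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_digest(digest: dict, stored_objects: dict) -> dict:
    """Recompute each log object's SHA-256 and compare it with the value the digest recorded for it.
    Returns {s3Object key: "ok" | "modified" | "missing"}. The digest's own RSA signature is not checked here."""
    verdicts = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        body = stored_objects.get(key)
        if body is None:
            verdicts[key] = "missing"      # object deleted after the digest was written
        elif entry["hashAlgorithm"] == "SHA-256" and sha256_hex(body) == entry["hashValue"]:
            verdicts[key] = "ok"
        else:
            verdicts[key] = "modified"     # bytes in S3 no longer match what CloudTrail delivered
    return verdicts

# Constructed sample: two gzipped log objects as CloudTrail delivers them and the hourly digest covering them.
# Key names follow CloudTrail's S3 layout; the account id and event content are made up.
PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/111122223333_CloudTrail_us-east-1_"
KEY_A, KEY_B = PREFIX + "20240501T1000Z_a1b2.json.gz", PREFIX + "20240501T1030Z_c3d4.json.gz"

def build_sample():
    stored = {
        KEY_A: gzip.compress(json.dumps({"Records": [{"eventTime": "2024-05-01T10:05:00Z", "eventName": "CreateUser"}]}).encode()),
        KEY_B: gzip.compress(json.dumps({"Records": [{"eventTime": "2024-05-01T10:32:00Z", "eventName": "StopLogging"}]}).encode()),
    }
    digest = {"awsAccountId": "111122223333", "digestStartTime": "2024-05-01T10:00:00Z",
              "digestEndTime": "2024-05-01T11:00:00Z",
              "logFiles": [{"s3Bucket": "org-audit-logs", "s3Object": k, "hashAlgorithm": "SHA-256",
                            "hashValue": sha256_hex(v)} for k, v in stored.items()]}
    return stored, digest

def alter_sample(stored: dict) -> dict:
    """Simulate changes after delivery: the StopLogging record is removed from one object and the other object is deleted."""
    altered = dict(stored)
    log = json.loads(gzip.decompress(altered[KEY_B]))
    log["Records"] = [r for r in log["Records"] if r["eventName"] != "StopLogging"]
    altered[KEY_B] = gzip.compress(json.dumps(log).encode())
    del altered[KEY_A]
    return altered
```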
Log Retention
- CloudTrail delivers logs to S3; manage long-term retention there with S3 lifecycle policies
- S3 Object Lock (WORM) prevents log deletion — required for some compliance frameworks
CloudTrail Lake
CloudTrail Lake is an immutable data lake for audit and investigation:
- Store CloudTrail events in a queryable format for up to 7 years
- Query with SQL-like syntax directly in the AWS Console or via API
- No S3 data pipeline required — events available for query in minutes
- Federated queries: include events from external sources alongside CloudTrail data
- Best for compliance teams needing long-term queryable audit history
Using CloudTrail for Security
Threat Detection Patterns:
- Root account usage (should never happen in normal operations)
- IAM user creation outside of IaC pipelines
- Security group rule changes
- Disabling CloudTrail or Config
- S3 bucket policy changes on sensitive buckets
Pipe CloudTrail events to Amazon Security Hub or Amazon GuardDuty for automated threat detection and alerting.
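As an added example (not code from the original page or from AWS), the following Python applies the five detection patterns listed above to constructed CloudTrail records, reading the event fields described earlier (eventTime, eventSource, eventName, userIdentity, sourceIPAddress, requestParameters). The IaC deploy role name, the sensitive bucket names, and all account ids and IP addresses are assumptions made up for this example.

```python
import json

# Constructed sample records in CloudTrail's JSON log format (documentation account id and IP range, no real data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.20", "userIdentity": {"type": "AssumedRole",
                                                        "arn": "arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"bucketName": "phi-records"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

# Hypothetical names for this example: the IaC pipeline's deploy role and the buckets holding regulated data.
IAC_ROLES = {"terraform-deploy"}
SENSITIVE_BUCKETS = {"phi-records", "cardholder-exports"}
SG_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
              "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}
# Calls that stop or weaken the audit trail itself (CloudTrail) or configuration recording (AWS Config).
LOGGING_TAMPER = {("cloudtrail.amazonaws.com", n) for n in ("StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors")}
LOGGING_TAMPER |= {("config.amazonaws.com", n) for n in ("StopConfigurationRecorder", "DeleteConfigurationRecorder")}

def from_iac_pipeline(identity):
    # Assumed-role ARNs end in assumed-role/<RoleName>/<SessionName>; match on the role name.
    arn = identity.get("arn", "")
    return identity.get("type") == "AssumedRole" and "/" in arn and arn.split("/")[1] in IAC_ROLES

def classify(event):
    """Return the threat-detection patterns listed above that a single CloudTrail event matches."""
    src, name, ident = event["eventSource"], event["eventName"], event["userIdentity"]
    bucket = event.get("requestParameters", {}).get("bucketName")
    checks = [
        ("root-account-usage", ident.get("type") == "Root"),
        ("iam-user-created-outside-iac", src == "iam.amazonaws.com" and name == "CreateUser" and not from_iac_pipeline(ident)),
        ("security-group-rule-change", src == "ec2.amazonaws.com" and name in SG_CHANGES),
        ("audit-logging-disabled", (src, name) in LOGGING_TAMPER),
        ("sensitive-bucket-policy-change", src == "s3.amazonaws.com" and name in {"PutBucketPolicy", "DeleteBucketPolicy"} and bucket in SENSITIVE_BUCKETS),
    ]
    return [label for label, matched in checks if matched]

def scan(raw_log):
    """Return (eventTime, actor ARN, sourceIPAddress, pattern) per match: who did what, when, and from where."""
    return [(e["eventTime"], e["userIdentity"].get("arn"), e["sourceIPAddress"], p)
            for e in json.loads(raw_log)["Records"] for p in classify(e)]
```

The CreateUser call made through the terraform-deploy role produces no finding, which is the distinction the "outside of IaC pipelines" pattern depends on.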
Common Mistakes
Mistake 1: Relying on the default 90-day event history. The default CloudTrail console history retains only 90 days. Create a trail that delivers logs to S3 for long-term retention — required for most compliance frameworks.
Mistake 2: Not enabling log file integrity validation. Without integrity validation, you cannot prove logs are unmodified — this fails PCI DSS Requirement 10.5 and similar controls.
Mistake 3: Not protecting the CloudTrail S3 bucket. Use S3 Object Lock, bucket policies denying deletion, and SCPs preventing DeleteTrail — the audit trail is only valuable if it cannot be deleted.
Related AWS Services
- Amazon CloudWatch: Operational metrics and dashboards — complements CloudTrail (what is happening vs who did it)
- Amazon GuardDuty: Threat detection that analyzes CloudTrail events using ML
- AWS Security Hub: Aggregates CloudTrail-sourced findings with other security signals
- AWS Config: Configuration compliance — pairs with CloudTrail for full audit coverage