- CloudTrail logs calls between AWS services
- governance, compliance, operational auditing, and risk auditing are keywords relating to CloudTrail
- When you need to know who to blame think CloudTrail
- CloudTrail by default logs event data for the past 90s days via Event History
- To track beyond 90 days you need to create Trail
- To ensure logs have not been tampered with you need to turn on Log File Validation option
- CloudTrail logs can be encrypted using KMS (Key Management Service) - a key costs $1
- CloudTrail can be set to log across all AWS accounts in an Organization and all regions in an account.
- CloudTrail logs can be streamed to CloudWatch logs
- Trails are outputted to an S3 bucket that you specify
- CloudTrail logs two kinds of events: Management Events and Data Events
- Management events log management operations eg. AttachRolePolicy
- Data Events log data operations for resources (S3, Lambda) eg. GetObject, DeleteObject, and PutObject. Data Events are disabled by default when creating a Trail.
- Trail logs in S3 can be analyzed using Athena