Every action you take in AWS — whether you click a button in the console, run an AWS CLI command, or make an API call from an SDK — is an API call under the hood. AWS CloudTrail records those API calls and delivers them as events that you can search, analyse, and archive. CloudTrail is the backbone of governance, compliance, and security auditing on AWS.
Without CloudTrail, you have no reliable way to answer questions like:
CloudTrail provides the evidence you need for incident investigation, compliance reporting, and operational troubleshooting.
An event is a record of a single API call. Every event includes:
| Field | Description |
|---|---|
| eventTime | When the call was made (UTC) |
| eventName | The API action (e.g. RunInstances, DeleteBucket) |
| userIdentity | Who made the call (IAM user, role, root, federated user) |
| sourceIPAddress | The IP address the call came from |
| awsRegion | The region the request was made to (global services such as IAM report us-east-1) |
| requestParameters | The input parameters of the call |
| responseElements | The response returned by AWS |
| errorCode / errorMessage | Present if the call failed |
| Type | What It Records | Enabled By Default |
|---|---|---|
| Management events | Control-plane operations (create, delete, modify resources) | Yes |
| Data events | Data-plane operations (S3 object-level, Lambda invocations, DynamoDB item-level) | No — must be enabled |
| Insights events | Unusual API activity patterns (e.g. a spike in API calls) | No — must be enabled |
Management events from the last 90 days are viewable at no charge in Event History, with no trail required. Data events generate far more volume and incur additional costs, so they are off by default; the consequence is that reads and writes of individual S3 objects, Lambda invocations and DynamoDB items are simply not recorded until you turn them on. Enable them selectively for sensitive buckets, critical functions and tables holding regulated data, so that the evidence exists if those resources are ever touched during an incident.
The CloudTrail Event History in the AWS console lets you view, search, and download the last 90 days of management events for free — no trail configuration required. You can filter by:
This is your first stop when investigating an incident.
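The fields in the table above are what you actually query during triage: who made the call, from where, whether it failed, and whether it touched something that matters. The following is an added example, not code from the lesson, showing that triage in Python over a constructed batch of records laid out the way CloudTrail delivers them in a log file (`{"Records": [...]}`). The account ID, ARNs, IP addresses and trail name are made up, and the list of tampering actions is the author's choice of the control-plane calls that blind CloudTrail.

```python
"""Triage a batch of CloudTrail records the way an incident responder would.

Added example; not the lesson's own code. The records below are constructed
to mirror the CloudTrail log-file format using the event fields described in
the lesson. Account ID, ARNs, IPs and resource names are fictitious.
"""
import json
from collections import Counter

# Constructed sample log file: four records.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instanceType": "t3.micro"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc1234"}]}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"name": "org-trail"}, "responseElements": None},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "DeleteBucket",
     "eventSource": "s3.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
     "requestParameters": {"bucketName": "audit-logs"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {}, "responseElements": None},
]})

# Control-plane actions that weaken or switch off CloudTrail itself (author's list).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(log_text: str) -> list:
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(log_text)["Records"]


def actor(record: dict) -> str:
    """Best identifier for 'who': the principal ARN, falling back to the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def triage(records: list) -> list:
    """Return (finding, detail, actor) tuples for the patterns worth looking at first:
    root credential usage, tampering with CloudTrail, and failed (denied) calls."""
    findings = []
    for r in records:
        who, name = actor(r), r["eventName"]
        if r.get("userIdentity", {}).get("type") == "Root":
            findings.append(("root-usage", name, who))
        if name in TRAIL_TAMPERING:
            findings.append(("trail-tampering", name, who))
        if "errorCode" in r:  # errorCode/errorMessage only appear on failed calls
            findings.append(("failed-call", f"{name}:{r['errorCode']}", who))
    return findings


def calls_by_source_ip(records: list) -> Counter:
    """Pivot on sourceIPAddress to see which addresses are driving the activity."""
    return Counter(r["sourceIPAddress"] for r in records)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for finding in triage(recs):
        print(finding)
    print(calls_by_source_ip(recs))
```

The three predicates in `triage` are exactly the kind of condition you would later encode as CloudWatch Logs metric filters on a trail (root usage, `StopLogging`/`DeleteTrail`, bursts of `AccessDenied`), so the logic you write by hand during an investigation is the same logic that should be alerting before the next one.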
To retain events beyond 90 days, deliver them to other services, or capture data events, you create a trail. A trail is a configuration that tells CloudTrail where to send events.
| Destination | Purpose |
|---|---|
| S3 bucket | Long-term archival, compliance, Athena queries |
| CloudWatch Logs | Real-time alerting via metric filters and alarms |
You can configure a trail to log events from:
If you use AWS Organisations, you can create an organisation trail that captures events from every account in the organisation and delivers them to a central S3 bucket. This is a best practice for multi-account environments.
With log file validation enabled on a trail, CloudTrail delivers a digest file every hour listing the SHA-256 hash of each log file it delivered in that period; each digest is signed with a CloudTrail private key and references the previous digest, forming a chain. The aws cloudtrail validate-logs CLI command recomputes the hashes, checks the signatures and walks the chain, so it can tell you whether any log file was modified, and whether any log or digest file was deleted. This is critical for compliance frameworks that require tamper-evident audit logs. Note what it does not do: it detects tampering after delivery, not the absence of logging itself, which is why StopLogging and DeleteTrail calls deserve their own alert.
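To make the integrity check concrete, here is an added example (not the lesson's code and not the AWS CLI's implementation) that reproduces the per-file hash comparison validate-logs performs. It gzips constructed records into two log files, builds a simplified digest that lists their SHA-256 hashes, and then reports each file as valid, invalid or missing. The digest structure is a reduced, constructed sample (the bucket name and object keys are made up, and real digests carry more fields and an RSA signature); the signature and chain checks are out of scope here.

```python
"""Re-check CloudTrail log files against the hashes in a digest file.

Added example; not the lesson's own code. Reproduces only the per-file
hash comparison of `aws cloudtrail validate-logs`; digest signature and
chain verification are not implemented. Digest shape is a constructed,
simplified sample; bucket name and object keys are fictitious.
"""
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the log file bytes exactly as stored in S3 (gzipped)."""
    return hashlib.sha256(data).hexdigest()


def make_log_file(records: list) -> bytes:
    """Build a gzipped CloudTrail-style log file body; mtime=0 keeps it deterministic."""
    body = json.dumps({"Records": records}).encode()
    return gzip.compress(body, mtime=0)


# Constructed sample: two delivered log files and a digest listing their hashes.
BUCKET = "example-audit-bucket"  # assumed name
PREFIX = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/01/"
KEY_A = PREFIX + "123456789012_CloudTrail_us-east-1_20240501T1000Z_aaaa.json.gz"
KEY_B = PREFIX + "123456789012_CloudTrail_us-east-1_20240501T1005Z_bbbb.json.gz"
LOG_A = make_log_file([{"eventTime": "2024-05-01T10:00:00Z", "eventName": "RunInstances"}])
LOG_B = make_log_file([{"eventTime": "2024-05-01T10:05:00Z", "eventName": "DeleteTrail"}])

DIGEST = {
    "digestStartTime": "2024-05-01T10:00:00Z",
    "digestEndTime": "2024-05-01T11:00:00Z",
    "logFiles": [
        {"s3Bucket": BUCKET, "s3Object": KEY_A,
         "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(LOG_A)},
        {"s3Bucket": BUCKET, "s3Object": KEY_B,
         "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(LOG_B)},
    ],
}


def validate(digest: dict, objects: dict) -> dict:
    """Compare every log file the digest claims to have delivered against what
    is present now. `objects` maps S3 object key -> current bytes; a key absent
    from it models a deleted log file."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in objects:
            results[key] = "missing"
        elif sha256_hex(objects[key]) != entry["hashValue"]:
            results[key] = "invalid"
        else:
            results[key] = "valid"
    return results


if __name__ == "__main__":
    # Scenario: an attacker rewrites LOG_B to scrub the DeleteTrail record.
    scrubbed = make_log_file([{"eventTime": "2024-05-01T10:05:00Z", "eventName": "DescribeTrails"}])
    print(validate(DIGEST, {KEY_A: LOG_A, KEY_B: scrubbed}))
```

Because the hash covers the gzipped bytes as delivered, even re-compressing an unmodified file produces an "invalid" result; that is intended, since any rewrite of a delivered object is a finding. In the real scheme, deleting a digest file is caught because the next digest's signature covers a reference to its predecessor, which is the part this example leaves out.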
CloudTrail Insights automatically analyses management event patterns and alerts you when there is unusual activity. Examples: