AWS Glossary
AWS CloudTrail
AWS audit logging service that records every API call and account activity across your AWS infrastructure for security, compliance, and operational investigation.
Definition
AWS CloudTrail records API activity in your AWS accounts: who called what API, from which IP, with which parameters, and whether it succeeded. Management events (control plane — create/delete/modify resources) are the compliance baseline. Data events (data plane — S3 object reads, Lambda invokes, DynamoDB item operations) are optional and billed separately but essential for sensitive data buckets. CloudTrail delivers logs to S3 (and optionally CloudWatch Logs, EventBridge, and CloudTrail Lake for SQL-style investigation). It answers: Who did what, when, and from where?
When to use it
- Security forensics and incident response — trace IAM changes, security group edits, and resource deletions after an alert.
- Compliance evidence — PCI DSS Req. 10, HIPAA audit controls, SOC 2, FedRAMP; pair with log file integrity validation and immutable storage.
- Organization-wide visibility — an organization trail created in the management account is applied to every member account, and member accounts cannot stop, modify, or delete it.
- Threat detection feeds — EventBridge rules match CloudTrail management events as they arrive; GuardDuty consumes CloudTrail directly as a foundational data source and surfaces its findings in Security Hub, so neither needs a custom pipeline.
- Operational debugging — “Who changed this Auto Scaling policy?” is a CloudTrail query, not a guess.
When not to use it
- Application request logging — CloudTrail logs AWS API calls, not HTTP requests inside your app; use CloudWatch Logs or OpenTelemetry for that.
- The console's 90-day Event history as your only record — it is not long-term retention and is not delivered to your SIEM.
- Data events on every S3 bucket — they are powerful but costly at high object volume; scope them to the sensitive buckets.
Tips
- Create at least one multi-region trail with log file integrity validation enabled, and check the digest chain on a schedule (the CLI does this with `aws cloudtrail validate-logs`).
- Protect the destination S3 bucket with bucket policies, MFA delete considerations, and S3 Object Lock where regulations require WORM storage.
- Use SCPs to deny `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail` in production OUs.
- Enable CloudTrail Lake when compliance teams need SQL queries across years without building your own Athena pipeline.
- Alert on high-signal events: root login, `CreateUser`, `AttachUserPolicy`, security group rules open to `0.0.0.0/0`, `DeleteTrail`, and KMS key deletion scheduling (`ScheduleKeyDeletion`).
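The record fields named in the Definition (who, which API, from which IP, with which parameters, success or failure) and the alert list in the tip above come together in the following added example. It is not code from this page or from AWS: it runs a small set of detection rules over constructed CloudTrail records. Field names follow the CloudTrail record format, but the account ID, ARNs, IP addresses, the `Finding` type and the rule names are this example's own, and `StopLogging` and `UpdateTrail` are added to the page's list because they reach the same trail-tampering goal as `DeleteTrail`.

```python
"""Triage CloudTrail records for the high-signal events named under Tips.
Added example for this glossary entry (not AWS code): field names follow the
CloudTrail record format; ARNs, account ID, IPs and rule names are made up."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/svc-backup"}
IP = "203.0.113.7"

# Constructed, abbreviated CloudTrail log file (real records carry more fields).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": IP, "userIdentity": ROOT,
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": IP, "userIdentity": ROOT,
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": IP, "userIdentity": ROOT,
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": IP, "userIdentity": USER,
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": IP, "userIdentity": USER,
     "requestParameters": {"name": "org-trail"}, "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "sourceIPAddress": IP, "userIdentity": USER,
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                           "pendingWindowInDays": 7}},
]})

# High-signal on their own; StopLogging and UpdateTrail are added to the page's list.
FLAGGED = {"CreateUser": "iam-user-created", "AttachUserPolicy": "iam-policy-attached",
           "DeleteTrail": "cloudtrail-tampering", "StopLogging": "cloudtrail-tampering",
           "UpdateTrail": "cloudtrail-tampering",
           "ScheduleKeyDeletion": "kms-key-deletion-scheduled"}
WORLD = {"0.0.0.0/0", "::/0"}


@dataclass
class Finding:
    rule: str
    event: str
    actor: str        # userIdentity.arn: who
    source_ip: str    # sourceIPAddress: from where
    time: str         # eventTime: when
    succeeded: bool   # False when the record carries an errorCode
    detail: str       # the parameters that matter for this rule


def load_records(text: str) -> List[Dict]:
    """Parse one CloudTrail log file: a JSON object holding a Records array."""
    return json.loads(text)["Records"]


def open_ingress_cidrs(params: Dict) -> List[str]:
    """World-open CIDRs in an AuthorizeSecurityGroupIngress requestParameters block."""
    found = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
            for rng in perm.get(key, {}).get("items", []):
                if rng.get(field) in WORLD:
                    found.append(rng[field])
    return found


def classify(record: Dict) -> Optional[Finding]:
    """Map one record to a Finding, or None when it is not on the high-signal list."""
    name = record.get("eventName", "")
    identity = record.get("userIdentity", {})
    params = record.get("requestParameters") or {}
    # errorCode appears only on failed calls; a denied DeleteTrail is still worth paging on.
    base = dict(event=name, actor=identity.get("arn", "<unknown>"),
                source_ip=record.get("sourceIPAddress", "<unknown>"),
                time=record.get("eventTime", ""), succeeded="errorCode" not in record)
    if name == "ConsoleLogin" and identity.get("type") == "Root":
        outcome = record.get("responseElements", {}).get("ConsoleLogin", "Unknown")
        return Finding(rule="root-console-login", detail=f"outcome={outcome}", **base)
    if name == "AuthorizeSecurityGroupIngress":
        cidrs = open_ingress_cidrs(params)
        if not cidrs:
            return None
        return Finding(rule="security-group-open-to-world",
                       detail=f"{params.get('groupId')} opened to {','.join(cidrs)}", **base)
    if name in FLAGGED:
        detail = ", ".join(f"{k}={v}" for k, v in params.items())
        if not base["succeeded"]:
            detail += f" (denied: {record['errorCode']})"
        return Finding(rule=FLAGGED[name], detail=detail, **base)
    return None


def triage(records: List[Dict]) -> List[Finding]:
    """Run every record through classify and keep the hits, in log order."""
    return [f for f in map(classify, records) if f is not None]


if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_LOG)):
        print(f"[{f.rule}] {f.actor} from {f.source_ip}: {f.event} ok={f.succeeded}; {f.detail}")
```

Two design choices are worth noting. Failed calls are reported rather than dropped: the `DeleteTrail` record in the sample was denied, and a denied attempt to remove the trail is exactly the kind of event the Gotchas below say to watch for. The security group rule looks at the nested `ipRanges`/`ipv6Ranges` structure of the real `requestParameters` shape, so a rule that opens only `10.0.0.0/8` is not flagged.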
Gotchas
Serious
- No trail to S3 — relying on 90-day console history fails audits and leaves you blind after an incident window closes.
- Unprotected log bucket — an attacker with sufficient permissions can delete the evidence bucket; treat it as crown-jewel infrastructure.
- Disabled integrity validation — without digest files you cannot demonstrate logs were not tampered with under PCI 10.5-style controls.
Regular
- Assuming CloudTrail is on by default everywhere — management events appear in event history, but durable multi-region delivery requires an explicit trail.
- Missing data events on PHI/PCI buckets — object-level access is invisible in management events alone.
- Wrong region trail — global service events and multi-region coverage need explicit trail configuration; a single-region trail misses cross-region API patterns.
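The SCP suggested under Tips is the direct answer to the "attacker deletes the evidence" gotcha above. The following is an added config fragment, not a policy from this page or from AWS documentation: it denies the trail-tampering actions for every principal in the OU it is attached to, except one break-glass role. `SecurityAdminRole` is an assumed name, and `cloudtrail:UpdateTrail` and `cloudtrail:PutEventSelectors` are included beyond the two actions the tip names because an attacker can also redirect a trail to another bucket or strip its event selectors without ever stopping it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdminRole"
        }
      }
    }
  ]
}
```

Attach it to the production OU rather than to individual accounts (`aws organizations attach-policy --policy-id <policy-id> --target-id <ou-id>`), and test it in a sandbox OU first, since the `UpdateTrail` deny also blocks legitimate changes from anything but the exempt role. Two caveats a practitioner should keep in mind: SCPs never apply to the management account, so the organization trail living there is protected by that account's own access controls, not by this policy; and a Deny in an SCP does not grant the exempt role anything, it still needs IAM permissions of its own.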
Official references
- What is AWS CloudTrail?
- CloudTrail management events
- Logging data events
- Validating CloudTrail log file integrity