CloudTrail

Basics

  • CloudTrail is a regional service
  • CloudTrail logs API calls for account activity
  • Each recorded account activity is called a CloudTrail event
  • CloudTrail stores 90 days of event history by default at no cost. By default it does not save events to S3
  • To customize what is logged, a new trail needs to be created
  • Events are of 3 types:
      • Management events, aka control-plane operations
      • Data events
      • Insight events
  • By default CloudTrail logs only management events
  • A custom trail can be created as a single-region trail or an all-region trail
  • An all-region trail is a collection of trails, one in each region, managed in one place. Any new region added by AWS is automatically included in it
  • Additionally, global services (IAM, STS, CloudFront) log their events to only one region, us-east-1 (US East 1), so CloudTrail needs to be specifically configured to store them
  • A trail stores its events in an S3 bucket as JSON files
  • CloudTrail can also send its events to CloudWatch Logs (CWL)
  • An organizational trail, when created, stores events for all accounts within that organization
  • CloudTrail is not a real-time service. Events are logged within 15 minutes of the activity
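The notes above describe three settings that decide whether an API call ever reaches the trail: single-region vs all-region, global service events, and management vs data events. The script below is an added example (not from the notes or from AWS) that replays a constructed CloudTrail log file through a simplified model of those settings and reports which events a given trail would have missed; the `trail` dict and the `GLOBAL_SERVICES` set are assumptions made for this example, and the record fields mirror the real CloudTrail record format.

```python
import json

# Global services: CloudTrail records their events with awsRegion us-east-1
# and only delivers them to trails that include global service events.
GLOBAL_SERVICES = {"iam.amazonaws.com", "sts.amazonaws.com", "cloudfront.amazonaws.com"}

# Constructed sample in the shape of one CloudTrail log file as written to S3
# (a top-level "Records" array), trimmed to the fields this check uses.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "eventCategory": "Management", "managementEvent": True, "readOnly": False},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1",
     "eventCategory": "Data", "managementEvent": False, "readOnly": True},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "eventCategory": "Management", "managementEvent": True, "readOnly": False},
]})


def trail_captures(record, trail):
    """Would a trail with these settings have recorded this event?

    `trail` is a plain dict used only by this example: home_region (None for
    an all-region trail), include_global (global service events on/off) and
    data_events (data event logging on/off). Insight events are not modelled.
    """
    if record.get("eventCategory") == "Data" and not trail["data_events"]:
        return False  # data events are off unless explicitly selected
    if record["eventSource"] in GLOBAL_SERVICES:
        return trail["include_global"]  # needs the global-service option
    if trail["home_region"] is None:
        return True  # an all-region trail covers every region
    return record["awsRegion"] == trail["home_region"]


def coverage(log_file_text, trail):
    """Split a log file's events into those the trail would capture and those
    it would miss; the "missed" list is the logging gap to close."""
    records = json.loads(log_file_text)["Records"]
    captured = [r["eventName"] for r in records if trail_captures(r, trail)]
    missed = [r["eventName"] for r in records if not trail_captures(r, trail)]
    return captured, missed


if __name__ == "__main__":
    single = {"home_region": "eu-west-1", "include_global": False, "data_events": False}
    full = {"home_region": None, "include_global": True, "data_events": True}
    print("single-region, defaults:", coverage(SAMPLE_LOG_FILE, single))
    print("all-region, global + data:", coverage(SAMPLE_LOG_FILE, full))
```

With the single-region defaults the IAM `CreateUser` call in us-east-1 and the S3 `GetObject` data event are both lost, which is exactly the gap the all-region trail with global service events and data events enabled closes.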