Cloud Trail ¶
AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
AWS CloudTrail records API calls
for your account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, and more.
Events are typically updated in CloudTrail within 15 minutes after an API call
.
Type of Trails 🛣️¶
A trail is a configuration that enables delivery of CloudTrail events to an S3 bucket, with optional delivery to CloudWatch Logs and Amazon EventBridge. You can use a trail to choose the CloudTrail events you want delivered, encrypt your CloudTrail event log files with an AWS KMS key, and set up Amazon SNS notifications for log file delivery.
Multi-Region trail 🌎¶
When you create a multi-Region trail, CloudTrail records events in all AWS Regions in the AWS partition in which you are working and delivers the CloudTrail event log files to an S3 bucket that you specify.
If an AWS Region is added after you create a multi-Region trail, that new Region is automatically included, and events in that Region are logged. Creating a multi-Region trail is a recommended best practice since you capture activity in all Regions in your account.
Single-Region trail 🌐¶
When you create a single-Region trail, CloudTrail records the events in that Region only
. It then delivers the CloudTrail event log files to an Amazon S3 bucket
that you specify.
You can only create a single-Region trail by using the AWS CLI
. If you create additional single trails, you can have those trails deliver CloudTrail event log files to the same S3 bucket or to separate buckets.
Organization trail 🏢¶
An organization trail is a configuration that enables delivery of CloudTrail events in the management account
and all member accounts in an AWS Organizations
organization to the same Amazon S3 bucket
, CloudWatch Logs
, and Amazon EventBridge
.
Creating an organization trail helps you define a uniform event logging strategy for your organization.
Cloudtrail Lake 🐟¶
AWS CloudTrail Lake lets you run SQL-based queries
on your events. CloudTrail Lake converts existing events in row-based JSON format to Apache ORC format. ORC is a columnar storage
format that is optimized for fast retrieval of data. Events are aggregated into event data stores, which are immutable collections of events based on criteria that you select by applying advanced event selectors.
You can keep the event data in an event data store for up to 3,653 days (about 10 years) if you choose the One-year extendable retention pricing option, or up to 2,557 days (about 7 years) if you choose the Seven-year retention pricing option.