AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.


Simplified Compliance
With AWS CloudTrail, simplify your compliance audits by automatically recording and storing event logs for actions made within your AWS account. Integration with Amazon CloudWatch Logs provides a convenient way to search through log data, identify out-of-compliance events, accelerate incident investigations, and expedite responses to auditor requests.

Visibility into User and Resource Activity
AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.

Security Analysis and Troubleshooting
With AWS CloudTrail, you can discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account within a specified period of time.

Security Automation
AWS CloudTrail allows you track and automatically respond to account activity threatening the security of your AWS resources. With Amazon CloudWatch Events integration, you can define workflows that execute when events that can result in security vulnerabilities are detected. For example, you can create a workflow to add a specific policy to an Amazon S3 bucket when CloudTrail logs and API call that makes that bucket public.


Always On
AWS CloudTrail is enabled on all AWS accounts and records your account activity upon account creation. You can view and download the last 7 days of your account activity for create, modify, and delete operations of supported services without the need to manually setup CloudTrail.

Event History
You can view, search, and download your recent AWS account activity. This allows you to gain visibility into changes in your AWS account resources so you can strengthen your security processes and simplify operational issue resolution.

Multi-region Configuration
You can configure AWS CloudTrail to deliver log files from multiple regions to a single Amazon S3 bucket for a single account. A configuration that applies to all regions ensures that all settings apply consistently across all existing and newly launched regions. For detailed instructions, see Aggregating CloudTrail Log Files to a Single Amazon S3 Bucket in the AWS CloudTrail User Guide.

Management Events
Management events provide insights into the management (“control plane”) operations performed on resources in your AWS account. For example, you can log administrative actions such as creation, deletion, and modification of Amazon EC2 instances. For each event, you can get details such as the AWS account, IAM user role, and IP address of the user that initiated the action, time of the action, and which resources were affected.

Data Events
Data events provide insights into the resource (“data plane”) operations performed on or within the resource itself. Data events are often high volume activities and include operations such as Amazon S3 object level APIs and AWS Lambda function invoke APIs. For example, you can log API actions on Amazon S3 objects and receive detailed information such as the AWS account, IAM user role, and IP address of the caller, time of the API call, and other details. You can also record activity of your Lambda functions, and receive details on Lambda function executions, such as the IAM user or service that made the Invoke API call, when the call was made, and which function was executed.


Compliance Aid
AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards by providing a history of activity in your AWS account. For more information, download the AWS compliance whitepaper, “Security at Scale: Logging in AWS.”

Security Analysis
You can perform security analysis and detect user behavior patterns by ingesting AWS CloudTrail events into your log management and analytics solutions.

Operational Issue Troubleshooting
You can troubleshoot operational issues by leveraging the AWS API call history produced by AWS CloudTrail. For example, you can quickly identify the most recent changes made to resources in your environment, including creation, modification, and deletion of AWS resources (e.g., Amazon EC2 instances, Amazon VPC security groups, and Amazon EBS volumes).


Amazon CloudWatch Logs Integration
AWS CloudTrail integration with Amazon CloudWatch Logs enables you to send management and data events recorded by CloudTrail to CloudWatch Logs. CloudWatch Logs allows you to create metric filters to monitor events, search events, and stream events to other AWS services, such as AWS Lambda.  

Amazon CloudWatch Events
AWS CloudTrail integration with Amazon CloudWatch Events enables you to automatically respond to changes to your AWS resources. With CloudWatch Events, you are able to define actions to execute when specific events are logged by AWS CloudTrail. For example, if CloudTrail logs a change to an Amazon EC2 security group, such as adding a new ingress rule, you can create a CloudWatch Events rule that sends this activity to an AWS Lambda function. Lambda can then execute a workflow to create a ticket in your IT Helpdesk system.


Your use of this service is subject to the AWS Customer Agreement.