Amazon CloudTrail Features

Amazon CloudTrail is enabled on all Amazon Web Services accounts and records your account activity upon account creation. You can view and download the last 90 days of your account activity for create, modify, and delete operations of supported services without the need to manually setup CloudTrail.

You can view, search, and download your recent Amazon Web Services account activity. This allows you to gain visibility into changes in your Amazon Web Services account resources so you can strengthen your security processes and simplify operational issue resolution.

You can configure Amazon CloudTrail to deliver log files from multiple regions to a single Amazon S3 bucket for a single account. A configuration that applies to all regions ensures that all settings apply consistently across all existing and newly launched regions. For detailed instructions, see Aggregating CloudTrail Log Files to a Single Amazon S3 Bucket in the Amazon CloudTrail User Guide.

You can configure CloudTrail to capture and store events from multiple Amazon Web Services accounts in a single location by using an organization trail. This configuration verifies that all settings apply consistently across all existing and newly created accounts. Additionally, you can designate up to three delegated administrator accounts to create, update, query, or delete organization trails at the organization level.

Management events provide insights into the management (“control plane”) operations performed on resources in your Amazon Web Services account. For example, you can log administrative actions such as creation, deletion, and modification of Amazon EC2 instances. For each event, you can get details such as the Amazon Web Services account, IAM user role, and IP address of the user that initiated the action, time of the action, and which resources were affected.

By enabling data event logging in CloudTrail, you can record object-level API activity, and receive detailed information such as who made the request, where and when the request was made, and other details. Data events record the resource operations (data plane actions) performed on or within the resource itself. Data events are often high volume activities. CloudTrail data event logging includes operations such as Amazon S3 object level APIs, Amazon Lambda function Invoke APIs, and Amazon DynamoDB item-level APIs. For example, you can log API actions on all or specific DynamoDB tables to determine which items were created, read, updated, or deleted. For more information about how to log data events in CloudTrail, and the resources on which you can log data events, see Logging data events for trails in the CloudTrail documentation.

Amazon CloudTrail Insights helps Amazon Web Services users identify and respond to unusual activity associated with write API calls by continuously analyzing CloudTrail management events. Insights events are logged when CloudTrail detects unusual write management API activity in your account. If you have CloudTrail Insights enabled and CloudTrail detects unusual activity, Insights events are delivered to the destination S3 bucket for your trail. For more information about Insights, see Logging Insights events for trails in the Amazon CloudTrail User Guide.