AWS CloudTrail
Learn how CloudTrail records AWS API activity, separates management and data events, and supports audit and investigation workflows.
AWS CloudTrail is the AWS audit service that records who did what, when, and from where across the account or organisation. For DevOps teams, it matters because it is essential for security review, compliance, change investigation, and proving that infrastructure changes are traceable. Instead of relying on one fragile manual configuration, you can design a repeatable service boundary that stays stable while the workload behind it changes.
Core ideas
The main ideas to understand are management events capture control plane actions such as creating instances or editing policies; data events capture object-level or item-level activity for selected services and are more detailed but can be higher volume; trails deliver logs to an S3 bucket for retention and wider analysis; and CloudTrail and CloudWatch are related but different because CloudTrail answers change history questions while CloudWatch answers runtime behaviour questions. These details shape architecture decisions, but they also shape day-to-day operations. When a team chooses defaults without understanding how the service behaves under failure, scale, or security review, the platform often becomes harder to debug than the application itself.
| Event type | Covers | Example |
|---|---|---|
| Management event | Control plane actions | CreateRole or StartInstances |
| Data event | Resource-level access | S3 object read or Lambda invoke |
| Event lookup | Quick investigation | Search recent activity in console |
From an operations perspective, the goal is to decide what level of audit detail is necessary and ensure logs land in durable storage with access controls that preserve integrity. The comparison below highlights the choices that usually matter first. It is often better to start with a simpler design and add sophistication only after metrics, incidents, or delivery requirements prove the change is necessary.
Practical commands
aws cloudtrail describe-trails
aws cloudtrail lookup-events --max-results 10
aws s3 ls s3://my-cloudtrail-logs/
Practical CLI checks make the service easier to support in real environments. Use the commands below to inspect the current state and confirm that automation matches intent. Before you promote a change, verify trail scope, log bucket permissions, and retention expectations before relying on CloudTrail for incident response. A safe default is organisation-wide trails when multi-account environments are in scope. That discipline makes later troubleshooting, scaling, and security reviews far less painful.
Audit service
What does AWS CloudTrail primarily record?
CloudTrail versus CloudWatch
Which service is mainly for API audit history rather than metrics and alarms?