Almost anything that can be done to an AWS Account is logged by cloudtrail
90 days of event history is stored by default. Anything else needs to be customised.
Regional Service, logs event for region it's created in(By default).
One Region Trail: Trails events of region it's created in.
All Region Trail: Trails events of all regions. (Collection of trails of all regions.)
Global service always trails their event to us-east-1. Trail needs to have global service events enabled to be able to log Global Events.
IAM, STS (Security Token Service), CloudFront log Global Service Events.
No Real Time Data. There is some delay, within 15 minutes.
Two types of cloudtrail events Management events and Data events.
- Events of management operations of resource
- E.G.: EC2 Instance created, S3 Created/Deleted
- A.K.A: Control Plane operations.
- CloudTrail logs only management events by default.
- Resource operations performed in or on resource
- E.G.: Objects uploaded to S3, Lambda Invoked.
- Can be stored in S3 or in cloudwatch.
- In S3 data is stored in compressed JSON format.