AWS CloudTrail

AWS CloudTrail is a service that records and monitors API activity in your AWS account. It provides a history of actions taken by users, services, or applications, helping with auditing, security analysis, troubleshooting, and compliance.


1️⃣ Key Features of CloudTrail

  • Event Recording: Captures all management events (creating, deleting, and modifying resources) and data events (object-level activity in S3 and Lambda).
  • Multi-Region: Can be configured to log across all AWS regions in a single trail.
  • Delivery to S3: Logs are stored in an S3 bucket for long-term storage and analysis.
  • Integration with CloudWatch: Sends events to CloudWatch Logs or EventBridge for real-time monitoring and alerts.
  • Security & Compliance: Helps detect unauthorized access, policy violations, and configuration changes.

2️⃣ Types of CloudTrail Events

Event Type          Description
Management Events   Control-plane operations (e.g., creating an EC2 instance, deleting an IAM role).
Data Events         Object-level operations (e.g., reading/writing S3 objects, Lambda invocations).
Insights Events     Detection of unusual or anomalous activity, such as abnormal API call rates.

3️⃣ CloudTrail Architecture

  1. Event Source: Any AWS service generates API activity.
  2. CloudTrail: Captures this activity and formats it as a log event.
  3. Destination: Stores logs in S3, optionally sends them to CloudWatch Logs/EventBridge.
  4. Analysis: Use Athena, AWS SIEM, or external tools for queries and security checks.

4️⃣ Example CloudTrail Log Event (simplified)

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "IAMUser",
    "userName": "AdminUser"
  },
  "eventTime": "2025-07-29T10:15:30Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "StartInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.10"
}

This shows who did what, when, and from where in your AWS account.
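The sample event above is one record of the file CloudTrail delivers to S3 (step 3 of the architecture). As an added example that is not code from the original post, the following Python decodes such a delivery object and reduces each record to the who/what/when/where summary. The S3 key regex is this example's own parser of the delivery layout, and the key, account number, addresses and records are constructed placeholders.

```python
"""Added example (not from the original post): decode a CloudTrail delivery
object as it lands in S3 and reduce each record to who/what/when/where."""
import gzip
import io
import json
import re

# CloudTrail writes gzip-compressed JSON objects under this S3 key layout.
# The regex is this example's own parser of that layout, not an AWS API.
DELIVERY_KEY_RE = re.compile(
    r"^AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/[^/]+\.json\.gz$"
)


def parse_delivery_key(key):
    """Return account, region and delivery date taken from the object key."""
    match = DELIVERY_KEY_RE.match(key)
    if not match:
        raise ValueError(f"not a CloudTrail delivery key: {key}")
    return match.groupdict()


def load_records(gz_bytes):
    """Decompress one delivery object; each is a JSON document whose
    top-level 'Records' list holds the individual events."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh)["Records"]


def summarize(event):
    """Reduce one record to the questions the post lists: who, what, when, where."""
    ident = event.get("userIdentity") or {}
    who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
    return {
        "who": who,
        "what": f"{event['eventSource']}:{event['eventName']}",
        "when": event["eventTime"],
        "where": event.get("sourceIPAddress", "unknown"),
        "region": event.get("awsRegion"),
        # a failed call carries errorCode/errorMessage; a successful one has neither
        "ok": "errorCode" not in event,
    }


def summarize_object(key, gz_bytes):
    """Summaries for every record in one delivery object, tagged with the
    account number taken from the key."""
    meta = parse_delivery_key(key)
    return [dict(summarize(r), account=meta["account"]) for r in load_records(gz_bytes)]


# Constructed sample: a key in the delivery layout and two records packed the
# way CloudTrail delivers them (account number and addresses are placeholders).
SAMPLE_KEY = ("AWSLogs/123456789012/CloudTrail/us-east-1/2025/07/29/"
              "123456789012_CloudTrail_us-east-1_20250729T1015Z_example.json.gz")
SAMPLE_OBJECT = gzip.compress(json.dumps({"Records": [
    {"eventVersion": "1.05",
     "userIdentity": {"type": "IAMUser", "userName": "AdminUser"},
     "eventTime": "2025-07-29T10:15:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10"},
    {"eventVersion": "1.05",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
     "eventTime": "2025-07-29T10:16:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRole", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:DeleteRole"},
]}).encode())

if __name__ == "__main__":
    for row in summarize_object(SAMPLE_KEY, SAMPLE_OBJECT):
        print(row)
```

The `ok` field is the cheap signal for the troubleshooting use case: a denied or failed call keeps the same `eventName` as a successful one and is distinguished only by the presence of `errorCode`.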


Use Cases

  • Security Monitoring: Detect unauthorized logins or access changes.
  • Operational Troubleshooting: Identify failed API calls.
  • Compliance & Auditing: Maintain an immutable log of all actions.
  • Forensics: Investigate past security incidents.
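An added example (not the post's own code) that turns the first two use cases into checks over a batch of records: repeated console-login failures from one address, root account activity, calls that disable the trail itself, and AccessDenied errors per caller. The rule names, the threshold and the sample records are this example's own constructions; the record fields and API action names are CloudTrail's.

```python
"""Added example (not from the original post): defender-side checks run over a
batch of CloudTrail records. The rule names, threshold and sample data are this
example's own; the field names and API action names are CloudTrail's."""
from collections import Counter

# API actions that weaken or disable the trail itself. The grouping is this
# example's choice; the action names are real CloudTrail operations.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
FAILED_LOGIN_THRESHOLD = 3  # constructed threshold, per source IP


def actor(event):
    """Best available name for who made the call."""
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def check_records(records):
    """Return (rule, subject, detail) findings for the batch."""
    findings = []
    failed_logins = Counter()
    denied = Counter()
    for r in records:
        name = r.get("eventName")
        ident_type = (r.get("userIdentity") or {}).get("type")
        # responseElements is often JSON null in real records, so guard before .get()
        response = r.get("responseElements") or {}

        if ident_type == "Root":
            findings.append(("root-activity", actor(r), name))
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("trail-tampering", actor(r), name))
        if name == "ConsoleLogin" and response.get("ConsoleLogin") == "Failure":
            failed_logins[r.get("sourceIPAddress")] += 1
        if r.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            denied[actor(r)] += 1

    for ip, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated-console-login-failure", ip, count))
    for who, count in denied.items():
        findings.append(("access-denied", who, count))
    return findings


def _rec(source, name, ident, ip, **extra):
    """Build a constructed record carrying only the fields the checks read."""
    return dict(eventSource=source, eventName=name, userIdentity=ident,
                sourceIPAddress=ip, eventTime="2025-07-29T10:20:00Z", **extra)


# Constructed sample batch (account number and addresses are placeholders).
SAMPLE_RECORDS = [
    *[_rec("signin.amazonaws.com", "ConsoleLogin",
           {"type": "IAMUser", "userName": "alice"}, "198.51.100.7",
           responseElements={"ConsoleLogin": "Failure"},
           errorMessage="Failed authentication") for _ in range(3)],
    _rec("cloudtrail.amazonaws.com", "StopLogging",
         {"type": "IAMUser", "userName": "bob"}, "203.0.113.22",
         responseElements=None),
    _rec("ec2.amazonaws.com", "DescribeInstances",
         {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}, "203.0.113.5"),
    _rec("iam.amazonaws.com", "DeleteRole",
         {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
         "198.51.100.9", errorCode="AccessDenied"),
    _rec("ec2.amazonaws.com", "StartInstances",
         {"type": "IAMUser", "userName": "AdminUser"}, "203.0.113.10"),
]

if __name__ == "__main__":
    for finding in check_records(SAMPLE_RECORDS):
        print(*finding)
```

The trail-tampering rule is the one to wire to a real-time alert: once logging is stopped, none of the other rules have data to run on, so the check is only useful if it fires from the EventBridge path rather than from a later batch read of S3.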

AWS CloudTrail vs CloudWatch vs AWS Config

Purpose
  • CloudTrail: Records API calls & account activity (who did what, when, from where).
  • CloudWatch: Monitors performance, metrics, logs, and alarms for AWS resources.
  • AWS Config: Tracks configuration changes and evaluates them against compliance rules.

Data Type Captured
  • CloudTrail: API call history (Management & Data events).
  • CloudWatch: Metrics (CPU, memory), application logs, custom events.
  • AWS Config: Configuration state of AWS resources and changes over time.

Data Source
  • CloudTrail: AWS API calls via SDK, CLI, Console, Services.
  • CloudWatch: AWS services, custom apps, and system logs.
  • AWS Config: AWS resources' configuration snapshots and changes.

Storage Destination
  • CloudTrail: S3 (default), optionally CloudWatch Logs or EventBridge.
  • CloudWatch: CloudWatch Logs, Metrics, Dashboards.
  • AWS Config: AWS Config Recorder → S3, Config Console, SNS notifications.

Real-time Alerts
  • CloudTrail: Via EventBridge (on API activity).
  • CloudWatch: Yes (CloudWatch Alarms).
  • AWS Config: Yes (SNS notifications on non-compliance or config changes).

Retention
  • CloudTrail: Defined by S3 bucket lifecycle policies.
  • CloudWatch: Metrics: 15 months (default). Logs: as configured.
  • AWS Config: Configuration history retained as per S3 lifecycle policy.

Compliance Support
  • CloudTrail: Provides audit trails of all actions for security audits.
  • CloudWatch: Helps detect performance anomalies or threshold breaches.
  • AWS Config: Ensures resources comply with policies & standards.

Pricing Model
  • CloudTrail: Pay per event delivered (low cost).
  • CloudWatch: Pay for metrics, dashboards, custom logs, and alarms.
  • AWS Config: Pay per recorded configuration item and evaluations.

Best Use Case
  • CloudTrail: Security & forensic investigations of AWS account activity.
  • CloudWatch: Operational monitoring and troubleshooting application health.
  • AWS Config: Governance and compliance tracking for AWS resources.

Summary

  • CloudTrail = Who did what (Activity tracking & auditing)
  • CloudWatch = How it’s performing (Monitoring & alarms)
  • AWS Config = Is it compliant (Policy and configuration checks)
