AWS CloudTrail
Automatically records all API calls in your AWS account, enabling you to track who did what and when for auditing and security
Overview
AWS CloudTrail records all API activity in your AWS account as events. This includes Management Console operations, CLI commands, SDK calls, and internal calls from other AWS services. By default, you can view the last 90 days of management events for free, with options for long-term storage in S3 buckets and SQL-based query analysis via CloudTrail Lake. It serves as the foundation for security incident investigation, compliance auditing, and operational troubleshooting in virtually every AWS environment.
Three Event Types and Recording Cost Design
CloudTrail records three types of events, each with different cost implications. Management Events capture resource management operations such as IAM policy changes, EC2 instance start/stop, and S3 bucket creation - these are included in the free tier for the last 90 days. Data Events record data-level operations like S3 GetObject/PutObject and Lambda Invoke, but incur charges per event recorded. Since even read operations on S3 can generate massive volumes of events, it is critical to scope data event recording to specific buckets containing sensitive data rather than enabling it account-wide. Insights Events use machine learning to automatically detect anomalies in API call patterns, such as a 10x spike compared to normal levels. In contrast to Azure Activity Log, which only captures subscription-level management operations and requires per-service Diagnostic Settings for data plane auditing, CloudTrail provides a unified approach to recording both management and data plane events from a single configuration.
SQL-Based Investigation with CloudTrail Lake
CloudTrail Lake enables direct SQL-based querying of CloudTrail events without the need to export logs to S3 and set up a separate analytics pipeline. You can write SQL queries to identify which IAM entity accessed which resource from which IP address during a specific time window - making it invaluable for security incident investigations. Lake stores events in a columnar format optimized for analytical queries, supporting aggregation, filtering, and joining across event fields. You can create event data stores with configurable retention periods (up to 7 years) and scope them to specific event types or organizational units. Azure's equivalent workflow requires forwarding logs to a Log Analytics workspace and using KQL (Kusto Query Language), which adds setup overhead compared to CloudTrail Lake's integrated approach.
Real-Time Detection with EventBridge Integration
Integrating CloudTrail with EventBridge enables real-time notifications and automated responses to specific API calls. Common patterns include alerting on security group rule changes, IAM policy modifications, root account logins, and S3 bucket policy changes. EventBridge rules can match specific CloudTrail event patterns and route them to targets such as SNS for notifications, Lambda for automated remediation, or Step Functions for complex incident response workflows. For example, you can automatically revoke overly permissive security group rules within seconds of their creation. This event-driven approach is far more responsive than periodic log scanning and forms the backbone of a proactive security posture. A cost consideration: enabling data events for all S3 buckets can generate hundreds of dollars in monthly charges in high-traffic environments, so the best practice is to combine EventBridge rules for real-time detection of critical management events with targeted data event recording only for buckets containing sensitive data.
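The automated remediation pattern described above, as an added example that is not part of the original page: an EventBridge rule pattern that selects CloudTrail records for AuthorizeSecurityGroupIngress, and a Lambda-style handler that finds ingress rules opening SSH or RDP (or every port) to the whole internet and hands them to revoke_security_group_ingress. The rule-to-Lambda wiring, the watched ports, the sample event and its account and group IDs are assumptions or constructed values.

```python
import ipaddress

# EventBridge rule pattern selecting CloudTrail records for new security group ingress rules
# (assumption: the rule targets the Lambda handler below on the account's default event bus).
RULE_PATTERN = {
    "source": ["aws.ec2"], "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["AuthorizeSecurityGroupIngress"]},
}

def _world_open(cidr):
    # 0.0.0.0/0 and ::/0 have prefix length zero, i.e. they cover the entire address space.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def overly_permissive_ingress(detail, watched_ports=(22, 3389)):
    """Return boto3-shaped IpPermissions from an AuthorizeSecurityGroupIngress CloudTrail
    record that expose a watched port (or all ports) to the whole internet."""
    findings = []
    for perm in detail["requestParameters"].get("ipPermissions", {}).get("items", []):
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        all_ports = proto == "-1" or lo is None          # "-1" means every protocol and port
        if not (all_ports or any(lo <= p <= hi for p in watched_ports)):
            continue
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", []) if _world_open(r["cidrIp"])]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", []) if _world_open(r["cidrIpv6"])]
        if v4 or v6:
            finding = {"IpProtocol": proto, "IpRanges": [{"CidrIp": c} for c in v4],
                       "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}
            if not all_ports:
                finding.update(FromPort=lo, ToPort=hi)
            findings.append(finding)
    return findings

def handler(event, context=None, ec2=None):
    """Lambda entry point; `ec2` is an injectable boto3 EC2 client (None = report only, runs offline)."""
    detail = event["detail"]
    group = detail["requestParameters"]["groupId"]
    bad = overly_permissive_ingress(detail)
    if bad and ec2 is not None:                          # remediation path, seconds after the API call
        ec2.revoke_security_group_ingress(GroupId=group, IpPermissions=bad)
    return {"groupId": group, "actor": detail.get("userIdentity", {}).get("arn"), "to_revoke": bad}

# Constructed sample: the EventBridge envelope for one AuthorizeSecurityGroupIngress call.
SAMPLE_EVENT = {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example"},
    "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {}}]}}}}
```

Calling handler(SAMPLE_EVENT) with no client flags only the port-22 rule open to 0.0.0.0/0; the 443 rule restricted to 10.0.0.0/8 is left alone.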