AWS CloudTrail Essential (since 2013)
A service that records and monitors API activity in your AWS account
What It Does
AWS CloudTrail records all API calls (operations) made within your AWS account. It captures detailed information about who performed an action, when, from which IP address, on which resource, and what the action was. Recorded logs are stored in an S3 bucket and can be used for security auditing, compliance, and troubleshooting.
Use Cases
CloudTrail is used for investigating security incidents, such as identifying who changed a security group and when, or for compliance audits where you need to provide the history of IAM policy changes over the past 90 days. It is also used to investigate unintended resource deletions and detect unauthorized access.
Everyday Analogy
Think of it like a building's security cameras. Security cameras record who enters and exits the building and which rooms they access, 24 hours a day. CloudTrail is the security camera for your AWS account, recording every operation. Just as you would rewind footage to investigate an incident, you can examine CloudTrail logs to identify the cause of a problem.
What Is CloudTrail?
AWS CloudTrail is an audit logging service that records activity within your AWS account. Operations from the AWS Management Console, AWS CLI commands, and SDK API calls are all recorded as events. CloudTrail is enabled by default, and you can view the past 90 days of event history for free.
Event Types
CloudTrail records three types of events. Management events capture resource operations such as creating, modifying, or deleting resources (launching EC2 instances, changing IAM policies, etc.). Data events capture data operations performed on resources (reading/writing S3 objects, invoking Lambda functions, etc.). Insights events automatically detect and record unusual activity patterns that differ from normal behavior.
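As an added example (not code from the original page), here is how the who / when / from where / on what fields described above, and the management-versus-data distinction, look when parsing a CloudTrail log file. The sample records, the watch list of event names, and the helper functions are constructed for illustration; the JSON field names follow CloudTrail's record format.

```python
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail log file (a JSON "Records" array); not data from a real account.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "ap-northeast-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2024-03-01T10:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "ap-northeast-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
     "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}},
    {"eventTime": "2024-03-01T11:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "org-trail"}},
]})

# Hypothetical watch list of management events a security team would alert on.
WATCH_LIST = {"AuthorizeSecurityGroupIngress", "PutUserPolicy", "StopLogging", "DeleteTrail"}
# Data-plane operations: these are data events and appear only if enabled on the trail.
DATA_EVENTS = {"GetObject", "PutObject", "DeleteObject", "Invoke"}

def actor(identity):
    """Readable principal from the userIdentity block (user name, else ARN, else type)."""
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")

def summarize(record):
    """Pull out who / when / from where / on what / which action for one event."""
    params = record.get("requestParameters") or {}  # may be null in real records
    return {
        "when": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "who": actor(record["userIdentity"]),
        "ip": record["sourceIPAddress"],
        "service": record["eventSource"].split(".")[0],
        "action": record["eventName"],
        "kind": "data" if record["eventName"] in DATA_EVENTS else "management",
        "target": next(iter(params.values()), None),
    }

def load_events(log_text):
    """Parse one CloudTrail log file into per-event summaries, oldest first."""
    return sorted((summarize(r) for r in json.loads(log_text)["Records"]), key=lambda e: e["when"])

def find_alerts(log_text):
    """Keep only the events on the watch list (the 'who changed a security group, and when' question)."""
    return [e for e in load_events(log_text) if e["action"] in WATCH_LIST]
```

Note that the StopLogging event comes from the cloudtrail service itself; a trail being turned off is one of the first things to alert on, since it blinds every later investigation.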
Creating Trails and Long-Term Storage
The default event history is retained for only 90 days. For long-term storage, create a "trail" to continuously deliver logs to an S3 bucket. When you create a trail, management events are saved to S3 automatically; data events and Insights events must be explicitly enabled in the trail settings. You can also send the logs to CloudWatch Logs for real-time alerting.
Getting Started
CloudTrail is enabled by default on all AWS accounts. You can immediately view the past 90 days of operation history from the "Event history" section in the CloudTrail console. If you need long-term storage or data event recording, create a trail by specifying an S3 bucket under "Create trail." To centrally manage logs across your organization, create an organization trail integrated with AWS Organizations.
Things to Watch Out For
- The default event history is only 90 days. If compliance requirements demand long-term retention, create a trail to store logs in S3
- Data events (S3 object operations, Lambda invocations, etc.) are not recorded unless explicitly enabled in a trail. Recording large volumes of data events increases costs, so narrow down the target resources
- To prevent CloudTrail log tampering, enable log file integrity validation and configure MFA Delete on the S3 bucket