⭐⭐⭐⭐⭐ Critical — "Log all AWS API calls"

📜 AWS CloudTrail

CloudTrail records every API call made to AWS — who called it, when, from where, and what they changed. It's the audit log for your entire AWS account. Essential for compliance, security investigations, and change tracking.

🔑 Covers: API Activity Logging · Event Types · Compliance · Trails · CloudTrail Insights

📜 What is CloudTrail? — The AWS Audit Log

Every action in AWS is made through an API call — whether you click in the console, run the CLI, or use the SDK. CloudTrail records all of these calls.

📌 Analogy
Think of CloudTrail as the security camera footage for your AWS account. It records who walked in, what they touched, what they changed, and when. If something goes missing or changes unexpectedly, you rewind the footage (CloudTrail logs) to see what happened.

🎯 Key Use Cases

🕵️ Security Investigations

Someone deleted a production database. Who did it? CloudTrail shows: IAM user "john-dev" called DeleteDBInstance at 3am from IP 192.168.1.100.

📋 Compliance Auditing

Prove to auditors that access controls work. Show that only authorized users accessed sensitive data. Generate audit reports covering months/years.

🔧 Change Tracking

App broke after deployment. What changed? CloudTrail shows what Lambda configurations, IAM policies, or security groups were modified and when.

🎯 #1 Exam Rule for CloudTrail
If the question mentions ANY of these words: "API calls", "who deleted/changed", "audit log", "compliance", "security investigation", "track AWS resource access" → The answer is AWS CloudTrail. Not CloudWatch, not X-Ray, not VPC Flow Logs.

📊 CloudTrail Event Types — Three Kinds of Records

🔑 Management Events

What: API calls that configure/manage AWS resources.

Examples: CreateS3Bucket, TerminateInstances, CreateSecurityGroup, UpdateFunction, PutRolePolicy, ConsoleLogin

Enabled by default: YES — free for first trail

Also called: Control plane operations

📁 Data Events

What: API calls that read/write actual data inside resources.

Examples: S3 GetObject, PutObject, DeleteObject; Lambda InvokeFunction; DynamoDB GetItem, PutItem

Enabled by default: NO — must enable explicitly, costs extra

Also called: Data plane operations

💡 Insights Events

What: Automatically detected unusual API activity patterns.

Examples: Sudden 100x spike in TerminateInstances calls, unusual IAM API usage pattern, unexpected resource creation bursts

Enabled by default: NO — opt-in feature

Use for: Automatic anomaly detection without setting thresholds

🎯 Critical Exam Distinction
Management Events = "What happened to my AWS infrastructure" (who created/deleted/changed resources)
Data Events = "What happened to my data" (who read/wrote S3 objects, who invoked Lambda)

Exam scenario: "Log every time someone reads a file from S3 bucket X" → Enable S3 Data Events for that bucket.

⚙️ Trails — Long-Term CloudTrail Storage

By default, CloudTrail shows events for the last 90 days in the Event History (free, no trail needed). For longer retention, you create a Trail.

Trail
A configuration that tells CloudTrail to continuously deliver event records to an S3 bucket (and optionally to CloudWatch Logs). A trail is how you get long-term retention beyond 90 days, enable advanced search, and integrate with other tools.

📋 Trail Configuration Options

SettingOptionsRecommendation
ScopeSingle region or All regionsAlways use All regions to catch global API calls
StorageS3 bucket (required)Enable S3 server-side encryption (SSE-KMS)
CloudWatch LogsOptional — send to a CW Log GroupEnable for real-time alerting on specific API calls
SNS NotificationsOptional — notify on new log filesUseful for triggering automated processing
Log File ValidationEnable/disableAlways enable — ensures log files haven't been tampered with
Organization TrailApply to all accounts in AWS OrgUse for multi-account logging from one central trail
💡 Best Practice — Enable CloudWatch Logs Integration
Send CloudTrail events to CloudWatch Logs → Create Metric Filters on specific API calls → Create Alarms that fire when those calls happen.
Example alarm: Alert whenever someone calls DeleteTrail or StopLogging — someone might be trying to hide their tracks!

📋 What a CloudTrail Event Record Looks Like

Each event is a JSON object containing complete details about the API call:

JSON — CloudTrail Event Record (simplified) { "eventVersion": "1.08", "userIdentity": { // WHO made the call "type": "IAMUser", "userName": "john-developer", "arn": "arn:aws:iam::123456789:user/john-developer" }, "eventTime": "2024-01-15T03:22:15Z", // WHEN "eventSource": "s3.amazonaws.com", // Which AWS service "eventName": "DeleteBucket", // WHAT was called "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.195", // FROM WHERE "userAgent": "aws-cli/2.11.0", "requestParameters": { // WHAT parameters "bucketName": "my-production-data" }, "responseElements": null, "errorCode": null, // if null = success "errorMessage": null }

Every event tells you: Who? When? What? Where from? Which service? Parameters?

💡 CloudTrail Insights — Automatic Anomaly Detection

CloudTrail Insights watches your write API call rates over time and learns what "normal" looks like. When it detects an unusual spike or unusual pattern, it creates an Insights event and notifies you.

📌 Example Scenarios CloudTrail Insights Catches
  • Normally your account creates 2 EC2 instances per day. Suddenly 200 are created in 10 minutes. (Possible: compromised credentials being used for crypto mining)
  • Normally 0 security groups are deleted per week. Suddenly 50 are deleted. (Possible: automated attack or misconfigured script)
  • IAM CreateAccessKey is called 5x more than normal. (Possible: someone is creating backdoor access keys)
🎯 Exam Tip — CloudTrail vs CloudWatch
CloudTrail = records "who made API calls to AWS" (control plane). It's about AWS infrastructure operations.
CloudWatch Logs = records "what happened inside your application" (application plane).
Do NOT confuse them! If question asks "track who deleted Lambda function" → CloudTrail. If "track application errors" → CloudWatch Logs.