CloudTrail

Definition

An AWS service that records all API calls made in your account, for security and compliance. Think of it as a detailed security log that tracks who did what, and when.

Use Cases

Provider Equivalents

Frequently Asked Questions

What's the difference between AWS CloudTrail and Amazon CloudWatch?

CloudTrail records AWS API activity (who called which API, when, from what IP, and whether it succeeded). CloudWatch is primarily for metrics, alarms, and operational logs from applications and AWS resources. In practice, you often send CloudTrail events to CloudWatch Logs to create alerts on specific API actions.

When should I use CloudTrail?

Use CloudTrail whenever you need an audit trail of activity in AWS: security investigations, compliance evidence, tracking configuration changes, and detecting suspicious behavior (like unexpected IAM changes or disabling security controls). Most organizations enable it by default for all accounts and regions, then add alerting for high-risk actions.

How much does CloudTrail cost?

Pricing depends on what you enable and where you send logs. CloudTrail typically includes a free tier for basic event history, while delivering events to S3/CloudWatch Logs, enabling data events (like S3 object-level or Lambda invoke events), Insights, and long-term storage/analysis can add cost. The main cost drivers are the volume of logged events (especially data events), CloudWatch Logs ingestion/retention if used, and S3 storage plus any query/analytics tools you run on the logs.
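The kind of alerting the two answers above describe (flagging high-risk API actions once CloudTrail events are available as log records), as an added example that is not part of this page or of AWS's own tooling: it parses constructed CloudTrail records and returns an alert for trail tampering and IAM credential changes. The HIGH_RISK table and the sample records are assumptions made for the example.

```python
import json
from typing import Iterable, Optional
# High-risk API actions worth alerting on once CloudTrail events reach
# CloudWatch Logs. This table is an illustrative assumption, not an AWS-published set.
HIGH_RISK = {
    # Tampering with the audit trail itself
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    # IAM changes that create credentials or expand access
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                          "PutUserPolicy", "CreateLoginProfile"},
}

def classify_event(event: dict) -> Optional[dict]:
    """Return an alert dict if the CloudTrail record is a high-risk action, else None."""
    source = event.get("eventSource", "")
    name = event.get("eventName", "")
    if name not in HIGH_RISK.get(source, set()):
        return None
    identity = event.get("userIdentity", {})
    return {
        "time": event.get("eventTime"),
        "action": f"{source.split('.')[0]}:{name}",
        "actor": identity.get("arn", identity.get("type", "unknown")),
        "source_ip": event.get("sourceIPAddress"),
        # A failed call (errorCode present) is still worth seeing: denied attempts matter.
        "succeeded": "errorCode" not in event,
    }

def scan_records(records: Iterable[dict]) -> list:
    """Keep only the records that match a high-risk action, in log order."""
    return [a for a in (classify_event(r) for r in records) if a]

# Constructed sample records in CloudTrail's JSON record format (not real data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
]})

def scan_sample() -> list:
    """Parse the constructed log and return its alerts."""
    return scan_records(json.loads(SAMPLE_LOG)["Records"])
```

Calling scan_sample() yields two alerts: the successful StopLogging and the denied CreateAccessKey; the routine ListBuckets call is ignored.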

Category: security

Difficulty: intermediate

Related Terms

See Also