Question 1

What's the difference between CloudTrail and CloudWatch?

Accepted Answer

CloudTrail records AWS API activity (who called what API, from where, and when). CloudWatch focuses on metrics, application/system logs, and alarms (how your systems are performing and what they are outputting). In practice, you use CloudTrail for auditing and investigations, and CloudWatch for monitoring and operational alerting—often together.

Question 2

When should I use CloudTrail?

Accepted Answer

Use CloudTrail whenever you need an audit trail of activity in AWS: security investigations (suspicious logins or privilege changes), compliance evidence (tracking administrative actions), change tracking (who modified a security group or IAM policy), and governance across multiple accounts. Most organizations enable it by default across all accounts and regions, then add alerts for high-risk events.

Question 3

How much does CloudTrail cost?

Accepted Answer

Pricing depends on what you log and how you store/analyze it. A basic level of management event history is available in the CloudTrail console for a limited time, but creating trails that deliver logs to S3, enabling multi-region trails, capturing data events (for example, S3 object-level activity), and using CloudTrail Lake for querying/retention can add cost. You also pay for downstream storage (S3), optional encryption (KMS requests), and any analytics tools you use (for example, Athena/CloudWatch Logs). Always estimate based on event volume, retention period, and whether you enable data events.

CloudTrail

Definition

Real-World Example

Related Terms

Cloud Provider Equivalencies

Explore More Cloud Computing Terms