
Every API call recorded, every action accountable — your immutable audit trail for AWS
AWS CloudTrail is a governance, compliance, and operational auditing service that records every API call made in your AWS account — who did what, when, from where, and on which resource. It captures management events (control plane), data events (resource-level), and Insights events (anomaly detection) and delivers them to S3, CloudWatch Logs, or EventBridge. CloudTrail is enabled by default for all AWS accounts and retains 90 days of management event history in the console at no charge.
Provide a complete, tamper-evident audit trail of all AWS API activity for security investigations, compliance mandates (PCI-DSS, HIPAA, SOC), and operational troubleshooting across single or multi-account AWS environments.
Use When
Avoid When
Management Events (Control Plane)
Enabled by default for all Trails. Captures create, modify, delete operations on AWS resources (e.g., RunInstances, CreateBucket, DeleteSecurityGroup). Split into read-only and write-only.
Data Events (Data Plane)
NOT enabled by default — must be explicitly configured. Covers S3 object-level operations (GetObject, PutObject, DeleteObject), Lambda invocations, DynamoDB item-level operations, and more. Incurs additional cost.
CloudTrail Insights
Detects unusual write API activity patterns using ML baselines. Must be explicitly enabled. Generates Insights events delivered to S3 and optionally EventBridge.
Organization Trail
Created in the management account (or delegated admin), applies to ALL accounts in the AWS Organization. Member accounts cannot modify or delete it — enforces centralized governance.
Multi-Region Trail
Single trail configuration captures events from all regions. Recommended best practice. Global service events (IAM, STS, CloudFront) are always logged in us-east-1.
Log File Integrity Validation
Creates SHA-256 digest files signed with RSA. Allows you to prove log files have not been tampered with after delivery — critical for forensics and compliance.
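The following is an added example (not code from the original page or from AWS) showing what a digest verifier actually checks: each log file listed in a digest must still hash to the recorded SHA-256, and each digest must carry the hash of the previous digest, which chains them together. The RSA signature over each digest (verified in practice against the key returned by CloudTrail's ListPublicKeys API) is deliberately not reproduced, since it needs an RSA library and the real key. The log files, digests and object keys are constructed; the account id is a placeholder.

```python
"""Check CloudTrail log file integrity the way a digest-file verifier does.

Added example; not code from the original page or from AWS. Verifies the two
hash links integrity validation is built on: log file SHA-256 vs. the digest's
hashValue, and each digest's previousDigestHashValue vs. the prior digest file.
The RSA signature check over each digest is left out (needs the real key).
"""
from __future__ import annotations

import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_file(records: list[dict]) -> bytes:
    """Gzipped {"Records": [...]} document, the form CloudTrail delivers to S3."""
    return gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)


def make_digest(log_files: dict[str, bytes], previous_digest: bytes | None) -> bytes:
    """Constructed digest carrying the subset of real digest fields the verifier needs."""
    digest = {
        "awsAccountId": "111111111111",  # placeholder account id
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [
            {"s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(body)}
            for key, body in log_files.items()
        ],
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
    }
    return json.dumps(digest).encode()


def verify_chain(digests: list[bytes], objects: dict[str, bytes]) -> list[str]:
    """Return the problems found; an empty list means hashes and chain are intact.

    digests: digest files in delivery order.  objects: S3 key -> bytes as stored now.
    """
    problems: list[str] = []
    for i, raw in enumerate(digests):
        digest = json.loads(raw)
        expected_prev = sha256_hex(digests[i - 1]) if i > 0 else None
        if digest.get("previousDigestHashValue") != expected_prev:
            problems.append(f"digest {i}: previous digest hash mismatch (chain broken)")
        for entry in digest["logFiles"]:
            body = objects.get(entry["s3Object"])
            if body is None:
                problems.append(f"digest {i}: {entry['s3Object']} is missing from S3")
            elif sha256_hex(body) != entry["hashValue"]:
                problems.append(f"digest {i}: {entry['s3Object']} was modified")
    return problems


# Constructed delivery: two hourly log files, each covered by its own digest.
KEY1 = "AWSLogs/111111111111/CloudTrail/us-east-1/2026/02/21/log-1300.json.gz"
KEY2 = "AWSLogs/111111111111/CloudTrail/us-east-1/2026/02/21/log-1400.json.gz"
LOG1 = make_log_file([{"eventName": "CreateUser", "userIdentity": {"userName": "alice"}}])
LOG2 = make_log_file([{"eventName": "DeleteTrail", "userIdentity": {"userName": "bob"}},
                      {"eventName": "StopLogging", "userIdentity": {"userName": "bob"}}])
DIGEST1 = make_digest({KEY1: LOG1}, None)
DIGEST2 = make_digest({KEY2: LOG2}, DIGEST1)
SCRUBBED = make_log_file([{"eventName": "StopLogging", "userIdentity": {"userName": "bob"}}])


def check_intact() -> list[str]:
    return verify_chain([DIGEST1, DIGEST2], {KEY1: LOG1, KEY2: LOG2})


def check_tampered_log() -> list[str]:
    """The second log file in S3 no longer contains the DeleteTrail record."""
    return verify_chain([DIGEST1, DIGEST2], {KEY1: LOG1, KEY2: SCRUBBED})


def check_replaced_digest() -> list[str]:
    """A regenerated digest matching the altered file is exposed by the next digest's back-link."""
    forged2 = make_digest({KEY2: SCRUBBED}, DIGEST1)
    digest3 = make_digest({}, DIGEST2)  # genuine hour-3 digest still references the real DIGEST2
    return verify_chain([DIGEST1, forged2, digest3], {KEY1: LOG1, KEY2: SCRUBBED})


if __name__ == "__main__":
    print("intact:", check_intact())
    print("altered log file:", check_tampered_log())
    print("replaced digest:", check_replaced_digest())
```

The third check is the point of chaining: even if a digest is regenerated to match an altered file, the following hour's digest still records the hash of the original, so the break is visible (and in a real delivery the forged digest would also fail the RSA signature check).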
CloudTrail Lake (Managed Analytics)
Immutable, queryable event data store with SQL support. Eliminates need for S3+Glue+Athena pipeline. Supports federated queries across multiple event data stores.
SSE-KMS Encryption
CloudTrail log files in S3 can be encrypted with a customer-managed KMS key (CMK). The KMS key policy must grant CloudTrail permissions to use the key.
CloudWatch Logs Integration
CloudTrail can stream events to CloudWatch Logs in near real-time, enabling metric filters and alarms on specific API patterns (e.g., root account usage, security group changes).
EventBridge Integration
CloudTrail management events are natively delivered to EventBridge (default event bus) within seconds, enabling automated response without CloudWatch Logs.
Global Service Events
IAM, STS, CloudFront API calls are global and always delivered to the us-east-1 region trail. Multi-region trails capture these automatically.
Delegated Administrator for Organizations
A member account can be designated as CloudTrail delegated admin, allowing it to create and manage Organization Trails without needing management account access.
S3 Data Event Filtering by Prefix
Can filter data events to specific S3 buckets or prefixes to control cost and noise.
Read-Only vs Write-Only Event Filtering
Management events can be filtered to log only read events, only write events, or both — useful for reducing volume and cost.
Centralized Immutable Audit Log Archive
(high freq) CloudTrail delivers signed, encrypted log files to a dedicated S3 bucket (ideally in a separate security/log-archive account). Enable S3 Object Lock (WORM) to prevent deletion. Enable log file integrity validation to detect tampering. Use S3 Lifecycle policies to transition to Glacier for long-term cost-effective retention. This is the foundational compliance architecture.
API Activity Alerting with Metric Filters
(high freq) Stream CloudTrail events to CloudWatch Logs, then create Metric Filters to count specific API patterns (e.g., ConsoleLogin failures, root account usage, security group changes). Create CloudWatch Alarms on those metrics to trigger SNS notifications. This satisfies CIS AWS Foundations Benchmark requirements. NOTE: CloudWatch Logs is for alerting on patterns; CloudTrail is the audit source.
Real-Time Automated Remediation
(high freq) CloudTrail management events are delivered to EventBridge within seconds (much faster than S3 delivery). Create EventBridge rules matching specific API calls (e.g., DeleteTrail, StopLogging, AuthorizeSecurityGroupIngress with 0.0.0.0/0) to trigger Lambda functions for automated remediation. This is the preferred pattern for real-time security response.
Automated Security Response
(high freq) An EventBridge rule detects a CloudTrail event (e.g., an IAM user creating access keys) and triggers a Lambda function that evaluates the context and automatically revokes the keys or notifies the security team. Lambda can also cross-reference with AWS Config or Security Hub for enriched context.
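The following is an added example (not code from the original page or from AWS) for the two EventBridge patterns above: it reproduces the exact-match subset of EventBridge event pattern semantics (every pattern key must exist in the event, a list in the pattern is an OR of acceptable values, nested objects match recursively; prefix, numeric and anything-but matching are not implemented), then makes the decision the remediation Lambda would make and returns an action name instead of calling AWS. The events are constructed; their envelope follows the shape CloudTrail events have on EventBridge (detail-type "AWS API Call via CloudTrail", detail = the CloudTrail record), and the access-key policy in handle() is an assumed example policy.

```python
"""Match CloudTrail events against EventBridge-style patterns and decide a response.

Added example; not code from the original page or from AWS. Exact-match subset of
EventBridge pattern semantics plus the decision logic of a remediation Lambda.
"""
from __future__ import annotations

API_CALL = ["AWS API Call via CloudTrail"]

# Rule 1: anything that switches off the audit trail itself (the page's DeleteTrail/StopLogging).
TRAIL_TAMPER_PATTERN = {
    "detail-type": API_CALL,
    "detail": {"eventSource": ["cloudtrail.amazonaws.com"],
               "eventName": ["DeleteTrail", "StopLogging"]},
}
# Rule 2: ingress rule changes; the 0.0.0.0/0 test happens in the handler because the
# CIDR sits inside nested lists that exact matching does not reach.
SG_INGRESS_PATTERN = {
    "detail-type": API_CALL,
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["AuthorizeSecurityGroupIngress"]},
}
# Rule 3: new long-lived credentials.
ACCESS_KEY_PATTERN = {
    "detail-type": API_CALL,
    "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["CreateAccessKey"]},
}


def matches(pattern: dict, event: dict) -> bool:
    """Exact-match EventBridge semantics: pattern keys must exist, lists are OR, dicts recurse."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(wanted, dict):
            if not isinstance(actual, dict) or not matches(wanted, actual):
                return False
        else:
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in wanted for c in candidates):
                return False
    return True


def world_open_rules(detail: dict) -> list[tuple]:
    """(protocol, fromPort, toPort) for every ingress entry that allows 0.0.0.0/0."""
    hits = []
    perms = detail.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                hits.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return hits


def handle(event: dict) -> str:
    """Decision a remediation function would take for one event (returned, not executed)."""
    detail = event.get("detail", {})
    if matches(TRAIL_TAMPER_PATTERN, event):
        return "restore-logging-and-page-security"
    if matches(SG_INGRESS_PATTERN, event):
        return "revoke-open-ingress" if world_open_rules(detail) else "no-action"
    if matches(ACCESS_KEY_PATTERN, event):
        caller = detail.get("userIdentity", {}).get("userName")
        target = detail.get("requestParameters", {}).get("userName", caller)
        # Assumed policy: a key minted for a different user is deactivated pending review;
        # a user's own key only raises a notification.
        return "deactivate-key-and-notify" if target != caller else "notify-security-team"
    return "no-action"


def _event(source: str, name: str, **detail) -> dict:
    """Constructed EventBridge envelope around a CloudTrail record."""
    return {"source": "aws." + source.split(".")[0], "detail-type": API_CALL[0],
            "detail": {"eventSource": source, "eventName": name, **detail}}


STOP_LOGGING = _event("cloudtrail.amazonaws.com", "StopLogging",
                      userIdentity={"type": "IAMUser", "userName": "ops-admin"},
                      requestParameters={"name": "org-trail"})
OPEN_SSH = _event("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
                  requestParameters={"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
                      {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                       "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}})
PRIVATE_SSH = _event("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
                     requestParameters={"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
                         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}})
KEY_FOR_OTHER_USER = _event("iam.amazonaws.com", "CreateAccessKey",
                            userIdentity={"type": "IAMUser", "userName": "ops-admin"},
                            requestParameters={"userName": "svc-backup"})

if __name__ == "__main__":
    for label, ev in [("StopLogging", STOP_LOGGING), ("open ssh", OPEN_SSH),
                      ("private ssh", PRIVATE_SSH), ("key for other user", KEY_FOR_OTHER_USER)]:
        print(f"{label}: {handle(ev)}")
```

The split between pattern and handler is the design point: the EventBridge rule does cheap, exact routing on eventSource and eventName, and the Lambda does the context evaluation (the CIDR inspection, who the key was created for) that the rule syntax cannot express.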
Configuration Change Correlation
(high freq) AWS Config records resource configuration state while CloudTrail records the API call that caused the change. Together they answer both 'what changed' (Config) and 'who changed it and when' (CloudTrail). Config Rules can use CloudTrail data for compliance evaluation. In the console, Config links directly to CloudTrail events for each configuration change.
Ad-Hoc Forensic Investigation
(high freq) CloudTrail logs in S3 can be queried with Athena using the AWS-provided CloudTrail table template. Create a partitioned Glue table over the S3 prefix structure (account/region/date) for cost-efficient queries. Use SQL to answer questions like 'which IAM principal called DeleteObject on this bucket between 2pm and 3pm?'. CloudTrail Lake is the newer managed alternative that eliminates the Glue/Athena setup.
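The following is an added example (not code from the original page or from AWS) of the two halves of the investigation pattern above. CloudTrail writes log files under AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/ (an Organization Trail inserts the organization id before the account id), which is the layout the partitioned Glue table mirrors; investigation_prefixes() lists the prefixes a time window touches, and who_deleted() is the record-level equivalent of the page's question, run over constructed S3 data-event records. Remember that DeleteObject only appears in the trail if S3 data events were enabled.

```python
"""Scope a forensic query to CloudTrail's S3 partitions and answer it over records.

Added example; not code from the original page or from AWS. Records, account id,
bucket names and ARNs are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def investigation_prefixes(account: str, regions: list[str], start: datetime, end: datetime,
                           org_id: str | None = None) -> list[str]:
    """S3 key prefixes that can hold events for [start, end] in the given regions."""
    root = f"AWSLogs/{org_id}/{account}" if org_id else f"AWSLogs/{account}"
    prefixes = []
    day = start.date()
    while day <= end.date():
        for region in regions:
            prefixes.append(f"{root}/CloudTrail/{region}/{day:%Y/%m/%d}/")
        day += timedelta(days=1)
    return prefixes


def parse_event_time(value: str) -> datetime:
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def who_deleted(records: list[dict], bucket: str, start: datetime, end: datetime) -> dict:
    """principal ARN -> {"ok": successful DeleteObject calls, "denied": failed ones} in [start, end]."""
    result: dict[str, dict[str, int]] = {}
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") != "DeleteObject":
            continue
        if r.get("requestParameters", {}).get("bucketName") != bucket:
            continue
        if not start <= parse_event_time(r["eventTime"]) <= end:
            continue
        principal = r.get("userIdentity", {}).get("arn", "unknown")
        counts = result.setdefault(principal, {"ok": 0, "denied": 0})
        counts["denied" if r.get("errorCode") else "ok"] += 1  # denied attempts are evidence too
    return result


def _rec(time: str, name: str, arn: str, bucket: str, key: str, error: str | None = None) -> dict:
    """Constructed record in the shape of a CloudTrail S3 data event."""
    r = {"eventSource": "s3.amazonaws.com", "eventName": name, "eventTime": time,
         "awsRegion": "eu-west-1", "userIdentity": {"type": "AssumedRole", "arn": arn},
         "requestParameters": {"bucketName": bucket, "key": key}}
    if error:
        r["errorCode"] = error
    return r


ROLE_A = "arn:aws:sts::111111111111:assumed-role/DataPipeline/i-0abc"
USER_B = "arn:aws:iam::111111111111:user/contractor"
RECORDS = [
    _rec("2026-02-21T13:58:10Z", "DeleteObject", ROLE_A, "prod-exports", "a.csv"),   # before window
    _rec("2026-02-21T14:07:33Z", "DeleteObject", USER_B, "prod-exports", "b.csv"),
    _rec("2026-02-21T14:08:01Z", "DeleteObject", USER_B, "prod-exports", "c.csv"),
    _rec("2026-02-21T14:30:00Z", "DeleteObject", ROLE_A, "prod-exports", "d.csv", "AccessDenied"),
    _rec("2026-02-21T14:45:00Z", "GetObject", USER_B, "prod-exports", "e.csv"),       # wrong API
    _rec("2026-02-21T14:50:00Z", "DeleteObject", USER_B, "other-bucket", "f.csv"),    # wrong bucket
]
WINDOW_START = datetime(2026, 2, 21, 14, 0, tzinfo=UTC)
WINDOW_END = datetime(2026, 2, 21, 15, 0, tzinfo=UTC)

if __name__ == "__main__":
    for p in investigation_prefixes("111111111111", ["eu-west-1", "us-east-1"], WINDOW_START, WINDOW_END):
        print(p)
    print(who_deleted(RECORDS, "prod-exports", WINDOW_START, WINDOW_END))
```

Including us-east-1 in the region list even for a workload that lives in eu-west-1 is deliberate: the global service events the page discusses (IAM, STS) land there, and an Athena query scoped to one region's partitions would never see them.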
Operational Troubleshooting
(high freq) When an SSM Automation runbook or Session Manager session makes API calls, those calls appear in CloudTrail. Use CloudTrail to audit which SSM documents were executed, by whom, and what AWS API calls they made; this is critical for privileged access auditing.
Multi-Account Centralized Governance
(high freq) Create an Organization Trail in the management account targeting a centralized S3 bucket in a dedicated Log Archive account. All member accounts automatically have their events captured. Member accounts cannot disable or modify the Organization Trail. This is the AWS recommended architecture for enterprise security.
Threat Detection
(high freq) GuardDuty consumes CloudTrail management events and data events as one of its primary data sources to detect threats like credential compromise, unusual API patterns, and reconnaissance activity. You do NOT need to create a separate Trail for GuardDuty; it has independent access to CloudTrail events.
Centralized Security Findings
(high freq) Security Hub ingests CloudTrail-based findings from GuardDuty, Config, and IAM Access Analyzer, providing a unified security posture view. CIS AWS Foundations Benchmark checks in Security Hub directly reference CloudTrail configuration requirements (multi-region trail enabled, log file validation enabled, etc.).
CloudTrail is for API auditing (WHO did WHAT via AWS APIs). CloudWatch Logs is for application/OS log monitoring. NEVER confuse these two. If a question asks 'how do you audit which IAM user deleted this resource?' — the answer is ALWAYS CloudTrail, not CloudWatch.
The 90-day Event History is FREE but has critical limitations: (1) it only shows management events, (2) it cannot be queried with Athena, (3) it cannot be exported programmatically at scale, (4) it disappears if you close the account. You MUST create a Trail to persist logs beyond 90 days or for compliance.
Data events are NOT enabled by default and cost extra. For exam scenarios asking about auditing S3 object-level access (GetObject, PutObject, DeleteObject) or Lambda function invocations, you must explicitly state that Data Events need to be enabled on the Trail.
Global service events (IAM, STS, CloudFront) are ALWAYS delivered to the us-east-1 region. If you have a single-region trail in eu-west-1, you will MISS IAM API calls. Always use multi-region trails or an Organization Trail to capture global service events.
For real-time response to API events, use EventBridge (seconds latency), NOT S3 log delivery (15+ minutes) and NOT CloudWatch Logs (near-real-time but requires setup). EventBridge is the fastest path from CloudTrail event to automated action.
CloudTrail = AWS API audit trail (who called what API). CloudWatch Logs = application/OS logs. These are NEVER interchangeable. Any question about auditing AWS API activity has CloudTrail as the answer.
Data Events (S3 object-level, Lambda invocations) are DISABLED by default and cost extra — must be explicitly enabled. Management Events are enabled by default on new Trails.
For real-time automated response to API events, always choose EventBridge (seconds). For compliance archiving, choose S3 with Object Lock + Log File Integrity Validation. For analytics/investigation, choose CloudTrail Lake or S3+Athena.
Log File Integrity Validation must be explicitly enabled on the Trail. It creates SHA-256 hash digest files. If an exam question asks how to PROVE logs have not been tampered with after a security incident, the answer is Log File Integrity Validation — not S3 versioning or Object Lock alone.
An Organization Trail can ONLY be created from the management account or a designated delegated administrator account. Member accounts can VIEW the trail but cannot modify or delete it — this is a key security control. If a member account tries to disable logging, they cannot affect the Organization Trail.
CloudTrail Insights detects anomalies in WRITE management events only (not reads, not data events). It compares current activity against a 7-day baseline. Insights events are delivered to the same S3 bucket as regular trail events but under a separate prefix.
When encrypting CloudTrail logs with KMS, the KMS key policy must explicitly grant the CloudTrail service principal (cloudtrail.amazonaws.com) kms:GenerateDataKey and kms:DescribeKey permissions. Without this, log delivery will silently fail.
CloudTrail Lake vs S3+Athena: CloudTrail Lake is the modern managed approach — no Glue catalog needed, immutable storage, SQL queries natively. S3+Athena is the legacy pattern still tested on exams. Know both patterns and when each is preferred (Lake = simpler ops; S3+Athena = more flexibility, lower cost at scale).
The S3 bucket receiving CloudTrail logs must have a bucket policy granting cloudtrail.amazonaws.com s3:GetBucketAcl and s3:PutObject. If the bucket policy is missing or wrong, CloudTrail will STOP delivering logs silently. Always verify bucket policy when troubleshooting missing logs.
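The following is an added example (not code from the original page or from AWS) for the two silent-failure causes above, the KMS key policy and the S3 bucket policy. Both checkers walk IAM-style policy JSON and report which of the permissions the page lists are not granted to the CloudTrail service principal: s3:GetBucketAcl and s3:PutObject on the log bucket, kms:GenerateDataKey and kms:DescribeKey on the key (AWS publishes the KMS grant as kms:GenerateDataKey*, so action wildcards are honoured). A weak bucket policy that omits GetBucketAcl sits beside a corrected one; the account id, bucket name and policies are constructed.

```python
"""Verify the bucket policy and KMS key policy that CloudTrail delivery depends on.

Added example; not code from the original page or from AWS. Account id, bucket
name and the policy documents below are constructed.
"""
from __future__ import annotations

import fnmatch

CLOUDTRAIL = "cloudtrail.amazonaws.com"
BUCKET_REQUIRED = ["s3:GetBucketAcl", "s3:PutObject"]
KMS_REQUIRED = ["kms:GenerateDataKey", "kms:DescribeKey"]


def _as_list(value) -> list:
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def granted_actions(policy: dict, service_principal: str) -> set[str]:
    """Action patterns from Allow statements whose Principal names the service (or *)."""
    actions: set[str] = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        names = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else _as_list(principal)
        if service_principal in names or "*" in names:
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def missing_permissions(policy: dict, required: list[str]) -> list[str]:
    """Required actions no matching Allow statement covers (IAM action names are case-insensitive)."""
    granted = {g.lower() for g in granted_actions(policy, CLOUDTRAIL)}
    return [a for a in required if not any(fnmatch.fnmatchcase(a.lower(), g) for g in granted)]


def put_object_requires_owner_control(policy: dict) -> bool:
    """True when the PutObject grant is conditioned on the bucket-owner-full-control ACL."""
    for stmt in _as_list(policy.get("Statement", [])):
        if "s3:PutObject" in _as_list(stmt.get("Action", [])):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("s3:x-amz-acl") == "bucket-owner-full-control":
                return True
    return False


# Constructed: a bucket policy that only grants PutObject, so delivery fails silently ...
WEAK_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
                   "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::example-log-archive/AWSLogs/111111111111/*"}],
}
# ... and the corrected one with both grants and the ACL condition.
GOOD_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-log-archive"},
        {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-log-archive/AWSLogs/111111111111/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}
# Constructed customer-managed key policy: account administration plus the CloudTrail grant.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": ["kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("weak bucket policy missing:", missing_permissions(WEAK_BUCKET_POLICY, BUCKET_REQUIRED))
    print("good bucket policy missing:", missing_permissions(GOOD_BUCKET_POLICY, BUCKET_REQUIRED))
    print("owner-control condition:", put_object_requires_owner_control(GOOD_BUCKET_POLICY))
    print("key policy missing:", missing_permissions(KEY_POLICY, KMS_REQUIRED))
```

Note that the checker only answers "is the grant present"; it does not evaluate Deny statements, resource ARNs or the aws:SourceArn condition AWS recommends adding to both policies so that only your own trail can use the grant. The root-principal statement in the key policy is what keeps the key administrable; without it, a key whose only grant is to the CloudTrail service becomes unmanageable.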
For the SCS-C02 (Security Specialty) exam: The CIS AWS Foundations Benchmark v1.4 requires: (1) multi-region trail enabled, (2) log file validation enabled, (3) CloudTrail logs encrypted with KMS CMK, (4) S3 bucket NOT publicly accessible, (5) CloudWatch Logs integration enabled. Know all five.
Common Mistake
CloudWatch Logs can be used instead of CloudTrail for API audit trails
Correct
CloudWatch Logs collects application logs, OS logs, and Lambda function output — it has NO visibility into AWS API calls unless CloudTrail explicitly streams to it. CloudTrail is the ONLY native AWS service that records API-level activity. CloudWatch Logs is a destination for CloudTrail data, not a replacement.
This is the #1 misconception on certification exams. Remember: CloudTrail = WHO called the AWS API. CloudWatch = WHAT happened inside your application/OS. They are complementary, not interchangeable. If a question asks about auditing AWS API activity, CloudTrail is always the answer.
Common Mistake
CloudTrail is enabled and logs everything by default, so no additional configuration is needed for compliance
Correct
CloudTrail Event History (free, 90 days, management events only) is enabled by default, but this is NOT sufficient for compliance. You must explicitly: (1) create a Trail to persist logs beyond 90 days, (2) enable Data Events if you need S3/Lambda/DynamoDB auditing, (3) enable Log File Integrity Validation, (4) enable encryption with KMS CMK, (5) enable multi-region coverage. Default ≠ compliant.
Exam scenarios often describe a company needing to meet PCI-DSS or HIPAA requirements and ask what ADDITIONAL steps are needed. The answer always involves creating a proper Trail with validation, encryption, and multi-region coverage — not relying on the default 90-day history.
Common Mistake
AWS managed KMS keys (aws/cloudtrail) can be shared across accounts and support custom key policies for restricting access
Correct
AWS managed keys (aws/cloudtrail) are account-specific, cannot be shared across accounts, and do NOT support custom key policies. You cannot restrict which IAM roles can use an AWS managed key. For cross-account log encryption or fine-grained access control, you MUST use a customer-managed KMS key (CMK) with a custom key policy.
This trap appears on both SCS-C02 and SAP-C02. If an exam question asks how to allow a centralized security account to decrypt CloudTrail logs from multiple member accounts, the answer requires a CMK with a cross-account key policy — AWS managed keys cannot do this.
Common Mistake
CloudTrail records all activity inside EC2 instances, including OS commands and application calls
Correct
CloudTrail ONLY records AWS API calls made via the AWS Management Console, CLI, SDKs, or other AWS services. It has zero visibility into what happens INSIDE an EC2 instance (OS commands, application logs, in-memory operations). For in-instance auditing, use CloudWatch Agent, AWS Systems Manager Session Manager logging, or OS-level audit frameworks.
Exam scenarios about auditing SSH sessions or application database queries are designed to trap you into answering CloudTrail. The correct answers for in-instance activity are CloudWatch Agent + CloudWatch Logs or SSM Session Manager with CloudWatch/S3 logging.
Common Mistake
Enabling CloudTrail in one region covers all regions automatically
Correct
A single-region trail ONLY captures events in that specific region. To capture events across all regions (including future regions), you must create a multi-region trail (check 'Apply trail to all regions' option) or use an Organization Trail. Additionally, global service events (IAM, STS, CloudFront) are ONLY captured if your trail includes us-east-1 or is a multi-region trail.
Attackers know this gap — they may operate in an unmonitored region. Exam questions about comprehensive audit coverage always require multi-region trails. Remember: IAM calls are global but logged in us-east-1 — a single-region trail in eu-west-1 will MISS all IAM activity.
Common Mistake
CloudTrail Insights detects anomalies in all event types including read events and data events
Correct
CloudTrail Insights ONLY analyzes write management events (e.g., RunInstances, CreateUser, AuthorizeSecurityGroupIngress). It does NOT analyze read-only management events (DescribeInstances, ListBuckets) or any data events. It establishes a 7-day baseline of normal write API call volume and alerts on deviations.
Exam questions about detecting unusual read activity (reconnaissance) cannot be solved with CloudTrail Insights alone — you'd need GuardDuty (which uses CloudTrail as a data source and analyzes both read and write events) for that use case.
Common Mistake
Deleting a CloudTrail Trail removes all historical log data
Correct
Deleting a Trail only stops FUTURE log delivery — it does NOT delete the log files already stored in S3. The S3 objects remain until you explicitly delete them or they expire via S3 Lifecycle policy. This is why S3 Object Lock (WORM) is recommended — it prevents deletion of log files even if the Trail is deleted.
This is both a security and compliance knowledge point. For forensics, you can always recover historical events from S3 even if someone deleted the Trail. Conversely, deleting the Trail is a common attacker technique to stop NEW logging while historical evidence remains in S3.
TRAIL = Track, Record, Archive, Investigate, Log — the five verbs of CloudTrail
CloudTrail answers the '5 Ws of AWS': WHO (principal), WHAT (API action), WHEN (timestamp), WHERE (source IP + region), WHICH (resource ARN)
Data Events = 'D' for Disabled by Default and D for Dollar signs (extra cost) — always needs explicit enabling
CIS Benchmark CloudTrail checklist: MEVK = Multi-region, Enable validation, Valid KMS CMK, Keep bucket private
EventBridge = Seconds. CloudWatch Logs = Near real-time. S3 delivery = 15 minutes. Remember the speed hierarchy for choosing the right integration.
Global services (IAM, STS, CloudFront) → Always go to us-EAST-1. Remember: IAM is EAST-centric.
Organization Trail: Management account CREATES it, member accounts CANNOT touch it — like a rule set by headquarters that field offices must follow
CertAI Tutor · SAP-C02, DEA-C01, DOP-C02, SAA-C03, SCS-C02, AIF-C01, CLF-C02, DVA-C02 · 2026-02-21