Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Logging and monitoring in Amazon Identity and Access Management

Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon Identity and Access Management (IAM), Amazon Security Token Service (Amazon STS), and your other Amazon solutions. Amazon provides several tools for monitoring your Amazon resources and responding to potential incidents:

  • Amazon CloudTrail captures all API calls for IAM and Amazon STS as events, including calls from the console and API calls. To learn more about using CloudTrail with IAM and Amazon STS, see Logging IAM and Amazon STS API calls with Amazon CloudTrail. For more information about CloudTrail, see the Amazon CloudTrail User Guide.

  • Amazon Identity and Access Management Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This helps you identify unintended access to your resources and data, which is a security risk. To learn more, see What is IAM Access Analyzer?

  • Amazon CloudWatch monitors your Amazon resources and the applications that you run on Amazon in real time. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify. For example, you can have CloudWatch track CPU usage or other metrics of your Amazon EC2 instances and automatically launch new instances when needed. For more information, see the Amazon CloudWatch User Guide.

  • Amazon CloudWatch Logs helps you monitor, store, and access your log files from Amazon EC2 instances, CloudTrail, and other sources. CloudWatch Logs can monitor information in the log files and notify you when certain thresholds are met. You can also archive your log data in highly durable storage. For more information, see the Amazon CloudWatch Logs User Guide.
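The list above describes CloudTrail as the source of IAM and STS events and CloudWatch Logs as the place where thresholds on those events turn into notifications. The following script is an added example, not code from the Amazon documentation or from any Amazon service: it reads records in the JSON shape that CloudTrail delivers (the `Records` array with `eventSource`, `eventName`, `userIdentity`, `errorCode`, and `sourceIPAddress` fields) and applies three defender-side rules offline, so you can see what a metric filter or alarm on this data would catch before wiring it up in CloudWatch. The sample records, account id, ARNs, addresses, and the list of IAM actions treated as permission changes are all constructed for this example; adjust the action list to your own policy.

```python
"""Offline triage of IAM and STS CloudTrail records.

Added example, not code from the Amazon documentation. It applies three
rules a monitoring pipeline would typically alert on:
  * iam-change:                a successful IAM call that alters permissions
  * root-usage:                any API call made by the account root identity
  * sts-assume-role-failures:  N failed AssumeRole calls from one address in a window
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# IAM actions treated here as permission changes (constructed list, trim or extend to taste).
IAM_CHANGE_ACTIONS = frozenset({
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "UpdateAssumeRolePolicy",
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "DeleteUserPolicy", "DeleteRolePolicy", "DeleteGroupPolicy",
})


def _failed_assume_role(event_time, ip):
    """Build one constructed AccessDenied AssumeRole record (sample data only)."""
    return {"eventTime": event_time, "eventSource": "sts.amazonaws.com",
            "eventName": "AssumeRole", "awsRegion": "cn-north-1",
            "sourceIPAddress": ip, "errorCode": "AccessDenied",
            "errorMessage": "User is not authorized to perform: sts:AssumeRole",
            "userIdentity": {"type": "IAMUser", "userName": "ci-runner",
                             "arn": "arn:aws-cn:iam::123456789012:user/ci-runner"},
            "requestParameters": {"roleArn": "arn:aws-cn:iam::123456789012:role/Admin"}}


# Constructed sample trail: account id, ARNs, addresses and times are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "cn-north-1",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws-cn:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "awsRegion": "cn-north-1",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws-cn:iam::123456789012:root"}},
    _failed_assume_role("2024-05-01T10:02:30Z", "203.0.113.7"),
    _failed_assume_role("2024-05-01T10:03:30Z", "203.0.113.7"),
    _failed_assume_role("2024-05-01T10:04:30Z", "203.0.113.7"),
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "cn-north-1",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws-cn:iam::123456789012:user/alice"},
     "requestParameters": {"roleArn": "arn:aws-cn:iam::123456789012:role/ReadOnly"}},
]})


def load_records(trail_json):
    """Parse a CloudTrail delivery file (the top-level object carries a Records array)."""
    return json.loads(trail_json)["Records"]


def _actor(record):
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def triage(records, failure_threshold=3, window=timedelta(minutes=5)):
    """Return a list of findings, each a dict with rule, time, actor and detail."""
    findings = []
    failures = defaultdict(list)  # source address -> timestamps of failed AssumeRole
    for r in sorted(records, key=lambda x: x["eventTime"]):  # ISO-8601 sorts lexically
        ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        source, name = r.get("eventSource"), r.get("eventName")
        if r.get("userIdentity", {}).get("type") == "Root":
            findings.append({"rule": "root-usage", "time": ts, "actor": _actor(r),
                             "detail": f"{source} {name}"})
        if source == "iam.amazonaws.com" and name in IAM_CHANGE_ACTIONS and "errorCode" not in r:
            findings.append({"rule": "iam-change", "time": ts, "actor": _actor(r),
                             "detail": f"{name} {r.get('requestParameters') or {}}"})
        if source == "sts.amazonaws.com" and name == "AssumeRole" and r.get("errorCode"):
            ip = r.get("sourceIPAddress", "?")
            # Keep only failures inside the sliding window, then test the threshold.
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= failure_threshold:
                findings.append({"rule": "sts-assume-role-failures", "time": ts, "actor": _actor(r),
                                 "detail": f"{len(failures[ip])} failures from {ip} within {window}"})
                failures[ip] = []  # alert once per burst, then start counting again
    return findings


def summarize(findings):
    """Count findings per rule, the figure a CloudWatch metric filter would emit."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_TRAIL)):
        print(f"{f['time']:%Y-%m-%d %H:%M:%S}  {f['rule']:<26} {f['actor']}  {f['detail']}")
```

Run against the constructed sample, the script reports one IAM change (`CreateAccessKey` for another user), one root-identity call, and one burst of three failed `AssumeRole` calls from the same address; the successful `AssumeRole` at the end produces nothing. The `iam-change` rule deliberately ignores records that carry an `errorCode`, because a denied change did not alter permissions, while the STS rule looks only at failures, since repeated denials are the signal there. In production the same three predicates map directly onto CloudWatch Logs metric filters on the CloudTrail log group, with the window and threshold expressed as a CloudWatch alarm.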

For additional resources and security best practices for IAM, see Security best practices and use cases in Amazon Identity and Access Management.