What Is Amazon CloudTrail? - Amazon CloudTrail
Accessing CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What Is Amazon CloudTrail?

Amazon CloudTrail is an Amazon Web Service that helps you enable operational and risk auditing, governance, and compliance of your Amazon Web Services account. Actions taken by a user, role, or an Amazon service are recorded as events in CloudTrail. Events include actions taken in the Amazon Web Services Management Console, Amazon Command Line Interface, and Amazon SDKs and APIs.

CloudTrail is active in your Amazon Web Services account when you create it. When activity occurs in your Amazon Web Services account, that activity is recorded in a CloudTrail event.

CloudTrail provides two ways to record events:

  • Event history – The Event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of management events in an Amazon Web Services Region. You can search events by filtering on a single attribute. You automatically have access to the Event history when you create your account. For more information, see Working with CloudTrail Event history.

    There are no CloudTrail charges for viewing the Event history.

  • TrailsTrails capture a record of Amazon activities, delivering and storing these events in an Amazon S3 bucket, with optional delivery to CloudWatch Logs and Amazon EventBridge. You can input these events into your security monitoring solutions. You can also use your own third-party solutions or solutions such as Amazon Athena to search and analyze your CloudTrail logs. You can create trails for a single Amazon Web Services account or for multiple Amazon Web Services accounts by using Amazon Organizations. You can log Insights events to analyze your management events for anomalous behavior in API call volumes and error rates. For more information, see Creating a trail for your Amazon Web Services account.

    You can deliver one copy of your ongoing management events to your S3 bucket at no charge from CloudTrail by creating a trail, however, there are Amazon S3 storage charges. For more information about CloudTrail pricing, see Amazon CloudTrail Pricing. For information about Amazon S3 pricing, see Amazon S3 Pricing.

Visibility into your Amazon account activity is a key aspect of security and operational best practices. You can use CloudTrail to view, search, download, archive, analyze, and respond to account activity across your Amazon infrastructure. You can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help you analyze and respond to activity in your Amazon account.

You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of trails you create, and control how users view CloudTrail events.

Accessing CloudTrail

You can work with CloudTrail in any of the following ways.

CloudTrail console

Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

The CloudTrail console provides a user interface for performing many CloudTrail tasks such as:

  • Viewing recent events and event history for your Amazon account.

  • Downloading a filtered or complete file of the last 90 days of management events from Event history.

  • Creating and editing CloudTrail trails.

  • Configuring CloudTrail trails, including:

    • Selecting an Amazon S3 bucket for trails.

    • Setting a prefix.

    • Configuring delivery to CloudWatch Logs.

    • Using Amazon KMS keys for encryption of trail data.

    • Enabling Amazon SNS notifications for log file delivery on trails.

    • Adding and managing tags for your trails.

For more information about the Amazon Web Services Management Console, see Amazon Web Services Management Console.

Amazon CLI

The Amazon Command Line Interface is a unified tool that you can use to interact with CloudTrail from the command line. For more information, see the Amazon Command Line Interface User Guide. For a complete list of CloudTrail CLI commands, see cloudtrail and cloudtrail-data in the Amazon CLI Command Reference.

CloudTrail APIs

In addition to the console and the CLI, you can also use the CloudTrail RESTful APIs to program CloudTrail directly. For more information, see the Amazon CloudTrail API Reference and the CloudTrail-Data API Reference.

Amazon SDKs

As an alternative to using the CloudTrail API, you can use one of the Amazon SDKs. Each SDK consists of libraries and sample code for various programming languages and platforms. The SDKs provide a convenient way to create programmatic access to CloudTrail. For example, you can use the SDKs to sign requests cryptographically, manage errors, and retry requests automatically. For more information, see the Tools to Build on Amazon page.