CloudTrail workflow - Amazon CloudTrail
View event history for your Amazon account

You can view and search the last 90 days of events recorded by CloudTrail in the CloudTrail console or by using the Amazon CLI. For more information, see Viewing events with CloudTrail Event history.

Download events

You can download a CSV or JSON file containing up to the past 90 days of CloudTrail events for your Amazon account. For more information, see Downloading events or Downloading Insights events.

Download saved query results

You can download a CSV file containing your saved CloudTrail Lake query results. For more information, see Download your CloudTrail Lake saved query results.

Create a trail

A trail enables CloudTrail to deliver log files to your Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all regions. The trail logs events from all regions in the Amazon partition and delivers the log files to the S3 bucket that you specify. For more information, see Creating a trail for your Amazon Web Services account.

Create and subscribe to an Amazon SNS topic

Subscribe to a topic to receive notifications about log file delivery to your bucket. Amazon SNS can notify you in multiple ways, including programmatically with Amazon Simple Queue Service. For information, see Configuring Amazon SNS notifications for CloudTrail.


If you want to receive SNS notifications about log file deliveries from all regions, specify only one SNS topic for your trail. If you want to programmatically process all events, see Using the CloudTrail Processing Library.

View your log files

Use Amazon S3 to retrieve log files. For information, see Getting and viewing your CloudTrail log files.

Manage user permissions

Use Amazon Identity and Access Management (IAM) to manage which users have permissions to create, configure, or delete trails; start and stop logging; and access buckets that have log files. For more information, see Controlling user permissions for CloudTrail.

Monitor events with CloudWatch Logs

You can configure your trail to send events to CloudWatch Logs. You can then use CloudWatch Logs to monitor your account for specific API calls and events. For more information, see Monitoring CloudTrail Log Files with Amazon CloudWatch Logs.


If you configure a trail that applies to all regions to send events to a CloudWatch Logs log group, CloudTrail sends events from all regions to a single log group.

Log management and data events

Configure your trails to log read-only, write-only, or all management and data events. By default, trails log management events. For more information, see Working with CloudTrail log files.

Log CloudTrail Insights events

Configure your trails to log Insights events to help you identify and respond to unusual activity associated with write management API calls. If your trail is configured to log read-only or no management events, you cannot turn on CloudTrail Insights event logging. For more information, see Logging Insights events for trails.

Enable log encryption

Log file encryption provides an extra layer of security for your log files. For more information, see Encrypting CloudTrail log files with Amazon KMS keys (SSE-KMS).

Enable log file integrity

Log file integrity validation helps you verify that log files have remained unchanged since CloudTrail delivered them. For more information, see Validating CloudTrail log file integrity.

Enable CloudTrail Lake

CloudTrail Lake lets you run fine-grained SQL-based queries on events. Events are aggregated into event data stores, which are immutable collections of events based on criteria that you select by applying advanced event selectors. You can keep the event data in an event data store for up to seven years. CloudTrail Lake is part of an auditing solution that helps you perform security investigations and troubleshooting. For more information, see Working with Amazon CloudTrail Lake.

Copy trail events to CloudTrail Lake

You can copy existing trail events to a CloudTrail Lake event data store to create a point-in-time snapshot of events logged to the trail. For more information, see Copying trail events to CloudTrail Lake.

Save CloudTrail Lake query results to an Amazon S3 bucket

When you run a query, you can save the query results to an S3 bucket. For more information, see Run a query and save query results.

Share log files with other Amazon accounts

You can share log files between accounts. For more information, see Sharing CloudTrail log files between Amazon accounts.

Aggregate logs from multiple accounts

You can aggregate log files from multiple accounts to a single bucket. For more information, see Receiving CloudTrail log files from multiple accounts and Redacting bucket owner account IDs for data events called by other accounts.

Register a delegated administrator to manage your organization's CloudTrail resources

You can register a delegated administrator to manage your organization's CloudTrail trails and event data stores. For more information, see Organization delegated administrator.

Work with partner solutions

Analyze your CloudTrail output with a partner solution that integrates with CloudTrail. Partner solutions offer a broad set of capabilities, such as change tracking, troubleshooting, and security analysis. For more information, see the Amazon CloudTrail partner page.