

# How CloudTrail works
<a name="how-cloudtrail-works"></a>

You automatically have access to the CloudTrail **Event history** when you create your Amazon Web Services account. The **Event history** provides a viewable, searchable, downloadable, and immutable record of the past 90 days of recorded management events in an Amazon Web Services Region.

For an ongoing record of events in your Amazon Web Services account past 90 days, create a trail.

**Topics**
+ [CloudTrail Event history](#how-cloudtrail-works-eventhistory)
+ [CloudTrail trails](#how-cloudtrail-works-trails)
+ [CloudTrail Insights events](#how-cloudtrail-works-insights)
+ [CloudTrail channels](#how-cloudtrail-works-channels)

## CloudTrail Event history
<a name="how-cloudtrail-works-eventhistory"></a>

You can easily view the last 90 days of management events in the CloudTrail console by going to the **Event history** page. You can also view the event history by running the [lookup-events](https://docs.amazonaws.cn/cli/latest/reference/cloudtrail/lookup-events.html) command, or the [LookupEvents](https://docs.amazonaws.cn/awscloudtrail/latest/APIReference/API_LookupEvents.html) API operation. You can search events in **Event history** by filtering for events on a single attribute. For more information, see [Working with CloudTrail event history](view-cloudtrail-events.md).

The **Event history** is not connected to any trails that exist in your account and is not affected by configuration changes you make to your trails.

There are no CloudTrail charges for viewing the **Event history** page or running the `lookup-events` command.

## CloudTrail trails
<a name="how-cloudtrail-works-trails"></a>

A *trail* is a configuration that enables delivery of events to an Amazon S3 bucket that you specify. You can also deliver and analyze events in a trail with [Amazon CloudWatch Logs](send-cloudtrail-events-to-cloudwatch-logs.md) and [Amazon EventBridge](cloudtrail-aws-service-specific-topics.md#cloudtrail-aws-service-specific-topics-eventbridge).

Trails can log CloudTrail management events, data events, network activity events, and Insights events.

You can create both multi-Region and single-Region trails for your Amazon Web Services account.

**Multi-Region trails**  
When you create a multi-Region trail, CloudTrail records events in all Amazon Web Services Regions that are [enabled](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-standalone) in your Amazon Web Services account and delivers the CloudTrail event log files to an S3 bucket that you specify. As a best practice, we recommend creating a multi-Region trail because it captures activity in all enabled Regions. All trails created using the CloudTrail console are multi-Region trails. You can convert a single-Region trail to a multi-Region trail by using the Amazon CLI. For more information, see [Understanding multi-Region trails and opt-in Regions](cloudtrail-multi-region-trails.md), [Creating a trail with the console](cloudtrail-create-a-trail-using-the-console-first-time.md#creating-a-trail-in-the-console), and [Converting a single-Region trail to a multi-Region trail](cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.md#cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-examples-convert).

**Single-Region trails**  
When you create a single-Region trail, CloudTrail records events in that Region only and delivers the CloudTrail event log files to an Amazon S3 bucket that you specify. You can only create a single-Region trail by using the Amazon CLI; a single-Region trail is also the default option when you create a trail using the Amazon CLI or the CloudTrail API. If you create additional single-Region trails, you can have those trails deliver CloudTrail event log files to the same S3 bucket or to separate buckets. For more information, see [Creating, updating, and managing trails with the Amazon CLI](cloudtrail-create-and-update-a-trail-by-using-the-aws-cli.md).

**Note**  
For both types of trails, you can specify an Amazon S3 bucket from any Region.

If you have created an organization in Amazon Organizations, you can create an *organization trail* that logs all events for all Amazon accounts in that organization. Organization trails can apply to all Amazon Regions, or the current Region. Organization trails must be created using the management account or delegated administrator account, and when specified as applying to an organization, are automatically applied to all member accounts in the organization. Member accounts can see the organization trail, but cannot modify or delete it. By default, member accounts do not have access to the log files for an organization trail in the Amazon S3 bucket.

By default, when you create a trail in the CloudTrail console, your event log files and digest files are encrypted with a KMS key. If you choose not to enable **SSE-KMS encryption**, your event log files and digest files are encrypted using Amazon S3 server-side encryption (SSE). You can store your log files in your bucket for as long as you want. You can also define Amazon S3 lifecycle rules to archive or delete log files automatically. If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications.

CloudTrail publishes log files multiple times an hour, about every 5 minutes. These log files contain API calls from services in the account that support CloudTrail. For more information, see [CloudTrail supported services and integrations](cloudtrail-aws-service-specific-topics.md).

**Note**  
CloudTrail typically delivers logs within an average of about 5 minutes of an API call. This time is not guaranteed.  
If you misconfigure your trail (for example, the S3 bucket is unreachable), CloudTrail will attempt to redeliver the log files to your S3 bucket for 30 days, and these attempted-to-deliver events will be subject to standard CloudTrail charges. To avoid charges on a misconfigured trail, you need to delete the trail.  
CloudTrail captures actions made directly by the user or on behalf of the user by an Amazon service. For example, an Amazon CloudFormation `CreateStack` call can result in additional API calls to Amazon EC2, Amazon RDS, Amazon EBS, or other services as required by the Amazon CloudFormation template. This behavior is normal and expected. You can identify whether the action was taken by an Amazon service with the `invokedBy` field in the `userIdentity` element of the CloudTrail event.
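The following Python script is an added example, not part of the CloudTrail documentation, showing how a defender reading delivered log files can tell direct user calls from calls an Amazon service made on the user's behalf using the `userIdentity.invokedBy` field, and can filter records on a single attribute the way Event history lookups do. The log records are constructed to follow the documented log file layout (a gzipped JSON object with a `Records` array); the account ID, user names, and the filter attribute names supported by `filter_records` are assumptions of this example.

```python
import gzip
import json
from collections import Counter

# Constructed sample records (placeholder account and user names, not real
# data) in the documented log file shape: an object with a "Records" array.
# A CloudFormation CreateStack by an IAM user is followed by calls that
# CloudFormation makes on the user's behalf; those carry userIdentity.invokedBy.
SAMPLE_LOG = {
    "Records": [
        {
            "eventTime": "2024-05-01T12:00:00Z",
            "eventSource": "cloudformation.amazonaws.com",
            "eventName": "CreateStack",
            "awsRegion": "cn-north-1",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws-cn:iam::111122223333:user/alice"},
        },
        {
            "eventTime": "2024-05-01T12:00:05Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances",
            "awsRegion": "cn-north-1",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "invokedBy": "cloudformation.amazonaws.com"},
        },
        {
            "eventTime": "2024-05-01T12:00:09Z",
            "eventSource": "rds.amazonaws.com",
            "eventName": "CreateDBInstance",
            "awsRegion": "cn-north-1",
            "errorCode": "AccessDenied",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "invokedBy": "cloudformation.amazonaws.com"},
        },
        {
            "eventTime": "2024-05-01T12:30:00Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "awsRegion": "cn-north-1",
            "userIdentity": {"type": "IAMUser", "userName": "bob",
                             "arn": "arn:aws-cn:iam::111122223333:user/bob"},
        },
    ]
}

# CloudTrail delivers log files to S3 as gzip-compressed JSON; build one here
# so the example runs without S3 access.
SAMPLE_GZ = gzip.compress(json.dumps(SAMPLE_LOG).encode("utf-8"))


def load_records(data: bytes) -> list:
    """Return the Records array from a log file body (gzipped or plain JSON)."""
    if data[:2] == b"\x1f\x8b":  # gzip magic number
        data = gzip.decompress(data)
    return json.loads(data.decode("utf-8")).get("Records", [])


def is_service_invoked(record: dict) -> bool:
    """True when an Amazon service made the call on the user's behalf."""
    return "invokedBy" in record.get("userIdentity", {})


def filter_records(records: list, attribute: str, value: str) -> list:
    """Filter on one attribute, the way an Event history lookup does.

    Attribute names accepted here (an assumption of this example):
    eventName, eventSource, errorCode, username, invokedBy.
    """
    def get(r):
        if attribute in ("username", "invokedBy"):
            key = "userName" if attribute == "username" else "invokedBy"
            return r.get("userIdentity", {}).get(key)
        return r.get(attribute)
    return [r for r in records if get(r) == value]


def summarize(records: list) -> dict:
    """Count direct calls, service-invoked calls, and calls that returned an error."""
    counts = Counter()
    for r in records:
        counts["service_invoked" if is_service_invoked(r) else "direct"] += 1
        if "errorCode" in r:
            counts["errors"] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = load_records(SAMPLE_GZ)
    for r in recs:
        origin = r["userIdentity"].get("invokedBy", "direct")
        print(f'{r["eventTime"]} {r["eventSource"]} {r["eventName"]} <- {origin}')
    print(summarize(recs))
    print([r["eventName"] for r in filter_records(recs, "username", "bob")])
```

Grouping by `invokedBy` is what keeps the cascade of EC2 and RDS calls behind a single `CreateStack` from looking like three independent actors when you review who did what in the account.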

The following table provides information about tasks you can perform on trails.


| Task | Description | 
| --- | --- | 
|  [Logging management events](logging-management-events-with-cloudtrail.md)  |  Configure your trails to log read-only, write-only, or all management events.  | 
|  [Log data events](logging-data-events-with-cloudtrail.md)  |  You can use [advanced event selectors](https://docs.amazonaws.cn/awscloudtrail/latest/APIReference/API_AdvancedEventSelector.html) to create fine-grained selectors to log only those data events of interest. For example, you can filter on the `eventName` field to include or exclude logging of specific API calls, which can help control costs. For more information, see [Filtering data events by using advanced event selectors](filtering-data-events.md).  | 
|  [Log network activity events](logging-network-events-with-cloudtrail.md)  |  Configure your trails to log network activity events. You can configure advanced event selectors to filter on the `eventName`, `errorCode`, and `vpcEndpointId` fields to log only those events of interest.  | 
|  [Log Insights events](logging-insights-events-with-cloudtrail.md)  |  Configure your trails to log Insights events to help you identify and respond to unusual activity associated with management API calls. Additional charges apply for Insights events. You will be charged separately if you enable Insights for both trails and event data stores. For more information, see [Amazon CloudTrail Pricing](https://www.amazonaws.cn/cloudtrail/pricing/).  | 
|  [View Insights events](view-insights-events.md)  |  After you enable CloudTrail Insights on a trail, you can view up to 90 days of Insights events by using the CloudTrail console or the Amazon CLI.  | 
|  [Download Insights events](view-insights-events-console.md#downloading-insights-events)  |  After you enable CloudTrail Insights on a trail, you can download a CSV or JSON file containing up to the past 90 days of Insights events for your trail.  | 
|  [Create and subscribe to an Amazon SNS topic](configure-sns-notifications-for-cloudtrail.md)  |  Subscribe to a topic to receive notifications about log file delivery to your bucket. Amazon SNS can notify you in multiple ways, including programmatically with Amazon Simple Queue Service. If you want to receive SNS notifications about log file deliveries from all Regions, specify only one SNS topic for your trail. If you want to programmatically process all events, see [Using the CloudTrail Processing Library](use-the-cloudtrail-processing-library.md).  | 
|  [View your log files](get-and-view-cloudtrail-log-files.md)  |  Find and download your log files from the S3 bucket.  | 
|  [Monitor events with CloudWatch Logs](monitor-cloudtrail-log-files-with-cloudwatch-logs.md)  |  You can configure your trail to send events to CloudWatch Logs. You can then use CloudWatch Logs to monitor your account for specific API calls and events. If you configure a multi-Region trail to send events to a CloudWatch Logs log group, CloudTrail sends events from all Regions to a single log group.  | 
|  [Enable SSE-KMS encryption](encrypting-cloudtrail-log-files-with-aws-kms.md)  |  Encrypting your log files and digest files with a KMS key provides an extra layer of security for your CloudTrail data.  | 
|  [Enable log file integrity](cloudtrail-log-file-validation-intro.md)  |  Log file integrity validation helps you verify that log files have remained unchanged since CloudTrail delivered them.  | 
|  [Share log files with other Amazon Web Services accounts](cloudtrail-sharing-logs.md)  |  You can share log files between accounts.  | 
|  [Aggregate logs from multiple accounts](cloudtrail-receive-logs-from-multiple-accounts.md)  |  You can aggregate log files from multiple accounts to a single bucket.  | 
|  [Work with partner solutions](https://www.amazonaws.cn/cloudtrail/partners/)  |  Analyze your CloudTrail output with a partner solution that integrates with CloudTrail. Partner solutions offer a broad set of capabilities, such as change tracking, troubleshooting, and security analysis.  | 

You can deliver one copy of your ongoing management events to your S3 bucket at no charge from CloudTrail by creating a trail, however, there are Amazon S3 storage charges. For more information about CloudTrail pricing, see [Amazon CloudTrail Pricing](https://www.amazonaws.cn/cloudtrail/pricing/). For information about Amazon S3 pricing, see [Amazon S3 Pricing](https://www.amazonaws.cn/s3/pricing/).

## CloudTrail Insights events
<a name="how-cloudtrail-works-insights"></a>

Amazon CloudTrail Insights helps Amazon users identify and respond to unusual activity associated with API call rates and API error rates by continuously analyzing CloudTrail management events. CloudTrail Insights analyzes your normal patterns of API call volume and API error rates, also called the *baseline*, and generates Insights events when the call volume or error rates are outside normal patterns. Insights events on API call rate are generated for `write` management APIs, and Insights events on API error rate are generated for both `read` and `write` management APIs.
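CloudTrail Insights' own statistical model is not described on this page, so the following added Python example (not CloudTrail's code) only illustrates the idea of a baseline: it counts write management calls per API per minute from constructed log records and flags a minute whose count exceeds the mean of the earlier minutes by more than a chosen margin. The `k`, `min_history` and `min_margin` parameters, the one-minute window, and the sample records are assumptions of this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # eventTime format used in CloudTrail records


def make_record(ts: datetime, source: str, name: str, read_only: bool) -> dict:
    """Build a minimal constructed management event record."""
    return {"eventTime": ts.strftime(TIME_FMT), "eventSource": source,
            "eventName": name, "readOnly": read_only, "managementEvent": True,
            "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}}


def build_sample_records() -> list:
    """Constructed input: 30 quiet minutes of 2-3 CreateUser calls each, then a
    minute with 40, plus read-only ListUsers calls that must be ignored."""
    start = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    records = []
    for minute in range(31):
        t = start + timedelta(minutes=minute)
        n_writes = 40 if minute == 30 else 2 + minute % 2
        for i in range(n_writes):
            records.append(make_record(t + timedelta(seconds=i), "iam.amazonaws.com", "CreateUser", False))
        for i in range(5):
            records.append(make_record(t + timedelta(seconds=i), "iam.amazonaws.com", "ListUsers", True))
    return records


def per_window_counts(records: list, window_seconds: int = 60) -> dict:
    """Count write management calls per (eventSource, eventName) per window.

    Read-only calls are skipped because the page states that call-rate
    Insights events are generated for write management APIs only."""
    counts = defaultdict(Counter)
    for r in records:
        if not r.get("managementEvent", True) or r.get("readOnly", False):
            continue
        ts = datetime.strptime(r["eventTime"], TIME_FMT).replace(tzinfo=timezone.utc)
        window = int(ts.timestamp()) // window_seconds * window_seconds
        counts[(r["eventSource"], r["eventName"])][window] += 1
    return counts


def find_spikes(series: dict, window_seconds: int = 60, k: float = 3.0,
                min_history: int = 10, min_margin: float = 2.0) -> list:
    """Flag windows whose count exceeds mean + max(k * stdev, min_margin) of all
    earlier windows. Windows with no calls count as zero, and no decision is
    made until min_history windows of baseline exist (assumed parameters)."""
    if not series:
        return []
    windows = list(range(min(series), max(series) + window_seconds, window_seconds))
    counts = [series.get(w, 0) for w in windows]
    spikes = []
    for i, w in enumerate(windows):
        history = counts[:i]
        if len(history) < min_history:
            continue
        base = mean(history)
        threshold = base + max(k * pstdev(history), min_margin)
        if counts[i] > threshold:
            spikes.append({"window": w, "count": counts[i],
                           "baseline": base, "threshold": threshold})
    return spikes


def detect(records: list, window_seconds: int = 60) -> dict:
    """Return {(eventSource, eventName): [spike, ...]} for APIs with spikes."""
    results = {}
    for api, series in per_window_counts(records, window_seconds).items():
        spikes = find_spikes(series, window_seconds)
        if spikes:
            results[api] = spikes
    return results


if __name__ == "__main__":
    for api, spikes in detect(build_sample_records()).items():
        for s in spikes:
            when = datetime.fromtimestamp(s["window"], timezone.utc).strftime(TIME_FMT)
            print(f"{api[0]} {api[1]} at {when}: {s['count']} calls, "
                  f"baseline {s['baseline']:.1f}, threshold {s['threshold']:.1f}")
```

The `min_margin` floor matters on quiet APIs: a baseline of exactly two calls per minute has zero standard deviation, and without the floor a third call would be flagged as unusual.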

By default, CloudTrail trails and event data stores don't log Insights events. You must configure your trail or event data store to log Insights events. For more information, see [Logging Insights events with the CloudTrail console](insights-events-enable.md) and [Logging Insights events with the Amazon CLI](insights-events-CLI-enable.md). 

Additional charges apply for Insights events. You will be charged separately if you enable Insights for both trails and event data stores. For more information, see [Amazon CloudTrail Pricing](https://www.amazonaws.cn/cloudtrail/pricing/).

### Viewing Insights events for trails and event data stores
<a name="how-cloudtrail-works-insights-viewing"></a>

CloudTrail supports Insights events for both trails and event data stores; however, there are some differences in how you view and access Insights events.

**Viewing Insights events for trails**

If you have Insights events enabled on a trail, and CloudTrail detects unusual activity, Insights events are logged to a different folder or prefix in the destination S3 bucket for your trail. You can also see the type of insight and the incident time period when you view Insights events on the CloudTrail console. For more information, see [Viewing Insights events for trails with the console](view-insights-events-console.md).

After you enable CloudTrail Insights for the first time on a trail, CloudTrail may take up to 36 hours to begin delivering Insights events, provided that unusual activity is detected during that time.

**Viewing Insights events for event data stores**

To log Insights events in CloudTrail Lake, you need a destination event data store that logs Insights events and a source event data store that enables Insights and logs management events. For more information, see [Create an event data store for Insights events with the console](query-event-data-store-insights.md).

After you enable CloudTrail Insights for the first time on the source event data store, CloudTrail may take up to 7 days to begin delivering Insights events, provided that unusual activity is detected during that time.

If you have CloudTrail Insights enabled on a source event data store and CloudTrail detects unusual activity, CloudTrail delivers Insights events to your destination event data store. You can then query your destination event data store to get information about your Insights events and can optionally save the query results to an S3 bucket. For more information, see [Create or edit a query with the CloudTrail console](query-create-edit-query.md) and [View sample queries with the CloudTrail console](lake-console-queries.md). 

You can view the **Insights events** dashboard to visualize the Insights events in your destination event data store. For more information about Lake dashboards, see [CloudTrail Lake dashboards](lake-dashboard.md).

## CloudTrail channels
<a name="how-cloudtrail-works-channels"></a>

CloudTrail supports service-linked channels.

**Service-linked channels**  
Amazon services can create a service-linked channel to receive CloudTrail events on your behalf. The Amazon service creating the service-linked channel configures advanced event selectors for the channel and specifies whether the channel applies to all Regions, or the current Region.  
You can use the [CloudTrail console](cloudtrail-service-linked-channels.md#viewing-service-linked-channels-console) or [Amazon CLI](cloudtrail-service-linked-channels.md#viewing-service-linked-channels-cli) to view information about any CloudTrail service-linked channels created by Amazon Web Services services.