How CloudTrail Works
AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS account and delivers log files to an Amazon S3 bucket that you specify. A trail is a configuration that enables logging of AWS API calls and related events in your account. You can create a trail with the CloudTrail console, the AWS CLI, or the CloudTrail API.
You can create two types of trails:
- A trail that applies to all regions
When you create a trail that applies to all regions, CloudTrail creates the same trail in each region, including regions that AWS adds later. It then records events in each region and delivers the log files from all of them to the S3 bucket that you specify. This is the default option when you create a trail in the CloudTrail console, and it is the option to choose for security monitoring: with a single-region trail, activity in a region you do not normally use is never logged.
- A trail that applies to one region
When you create a trail that applies to one region, CloudTrail records the log files in that region only and delivers the log files to an S3 bucket that you specify. If you create additional individual trails that apply to specific regions, you can have those trails deliver log files to a single S3 bucket.
For both types of trails, you can specify an S3 bucket from any region.
By default, log files are encrypted using Amazon S3 server-side encryption (SSE). You can store your log files in your bucket for as long as you want. You can also define Amazon S3 lifecycle rules to archive or delete log files automatically.
CloudTrail typically delivers log files within 15 minutes of an API call. In addition, CloudTrail publishes log files multiple times an hour, about every five minutes. These log files contain API calls from services in the account that support CloudTrail. For more information, see CloudTrail Supported Services.
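As an added example (not part of the AWS documentation), the following script checks that an all-region trail is actually delivering from every region and that no region has gone quiet for longer than the delivery cadence described above. It relies on the documented object-key layout for delivered log files, `[prefix/]AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<account>_CloudTrail_<region>_<yyyymmddThhmmZ>_<unique>.json.gz`, and takes a list of keys as you would get from an S3 bucket listing. The sample keys, the region list, and the 15-minute gap threshold are constructed assumptions; a region with no API activity in the window may legitimately produce no file, so treat a reported gap as a prompt to investigate rather than proof that logging is broken.

```python
import re
from collections import defaultdict
from datetime import datetime

# Documented CloudTrail log-file key layout; an optional user-defined prefix may precede AWSLogs/.
KEY_RE = re.compile(
    r"(?:.*/)?AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
    r"\d{4}/\d{2}/\d{2}/"
    r"(?P=account)_CloudTrail_(?P=region)_(?P<ts>\d{8}T\d{4}Z)_[A-Za-z0-9]+\.json\.gz$"
)


def parse_key(key):
    """Return account, region and delivery timestamp for a log-file key, or None if it is not one."""
    m = KEY_RE.match(key)
    if m is None:
        return None
    return {
        "account": m.group("account"),
        "region": m.group("region"),
        "ts": datetime.strptime(m.group("ts"), "%Y%m%dT%H%MZ"),
    }


def delivery_report(keys, expected_regions, max_gap_minutes=15):
    """Summarise delivery coverage: missing regions, regions with a gap longer than the threshold,
    per-region file counts, and keys that are not CloudTrail log files (digest files, stray objects)."""
    by_region = defaultdict(list)
    unparsed = []
    for key in keys:
        parsed = parse_key(key)
        if parsed is None:
            unparsed.append(key)
            continue
        by_region[parsed["region"]].append(parsed["ts"])

    missing = sorted(set(expected_regions) - set(by_region))
    gaps = {}
    for region, stamps in by_region.items():
        stamps.sort()
        worst = max((int((b - a).total_seconds() // 60) for a, b in zip(stamps, stamps[1:])), default=0)
        if worst > max_gap_minutes:
            gaps[region] = worst

    return {
        "missing": missing,
        "gaps": gaps,
        "delivered": {region: len(stamps) for region, stamps in by_region.items()},
        "unparsed": unparsed,
    }


# Constructed sample listing (hypothetical account 123456789012; no real bucket was read).
ACCOUNT = "123456789012"
DAY = "2015/08/01"


def _key(region, hhmm, prefix=""):
    return (f"{prefix}AWSLogs/{ACCOUNT}/CloudTrail/{region}/{DAY}/"
            f"{ACCOUNT}_CloudTrail_{region}_20150801T{hhmm}Z_aBcDeFgH12345678.json.gz")


SAMPLE_KEYS = [
    _key("us-east-1", "1200"), _key("us-east-1", "1205"),
    _key("us-east-1", "1210"), _key("us-east-1", "1215"),
    _key("us-west-2", "1200"), _key("us-west-2", "1235"),          # 35-minute gap
    _key("ap-southeast-1", "1200", prefix="prod/"),                 # custom prefix
    f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/{DAY}/"
    f"{ACCOUNT}_CloudTrail-Digest_us-east-1_20150801T1200Z_aBcDeFgH12345678.json.gz",  # digest, not a log file
]
EXPECTED_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1"]

if __name__ == "__main__":
    report = delivery_report(SAMPLE_KEYS, EXPECTED_REGIONS)
    for field in ("missing", "gaps", "delivered", "unparsed"):
        print(f"{field}: {report[field]}")
```

Run it against a real listing by replacing `SAMPLE_KEYS` with the keys under your trail's prefix (for example from `aws s3api list-objects-v2`) and `EXPECTED_REGIONS` with the regions your account can use; the `unparsed` list is also a cheap way to notice objects that something other than CloudTrail has written into the log bucket.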
CloudTrail captures API calls made directly by the user or on behalf of the user by an AWS service. Services that make API calls on behalf of users include AWS CloudFormation, AWS Elastic Beanstalk, AWS OpsWorks, and Auto Scaling. For example, an AWS CloudFormation CreateStack call can result in additional API calls to Amazon EC2, Amazon RDS, Amazon EBS, or other services as required by the AWS CloudFormation template. This behavior is normal and expected. You can identify whether an API call was made by an AWS service from the invokedBy field in the userIdentity element of the CloudTrail event: it holds the service principal (for example, cloudformation.amazonaws.com) and is absent for calls the principal made directly.
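As an added example (not AWS code), the following script reads one delivered log file, which is a gzip-compressed JSON document with a top-level Records list, and splits the events into those the principal made directly and those an AWS service made on the principal's behalf, keyed on userIdentity.invokedBy. The sample file is constructed inline (hypothetical account, user and timestamps) so the script runs offline; it models the CreateStack chain described above, where one direct call is followed by service-invoked calls to EC2 and RDS.

```python
import gzip
import json
from collections import Counter


def load_records(gz_bytes):
    """Decode one CloudTrail log file: gzip-compressed JSON with a top-level "Records" list."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def invoker(record):
    """Service principal that made the call on the user's behalf, or None for a direct call."""
    return record.get("userIdentity", {}).get("invokedBy")


def summarize(records):
    """Split events into direct and on-behalf calls and count on-behalf calls per invoking service."""
    direct, on_behalf = [], []
    per_service = Counter()
    for r in records:
        base = (r["eventTime"], r["eventSource"], r["eventName"], r["userIdentity"].get("arn"))
        svc = invoker(r)
        if svc is None:
            direct.append(base)
        else:
            on_behalf.append(base + (svc,))
            per_service[svc] += 1
    return {"direct": direct, "on_behalf": on_behalf, "per_service": dict(per_service)}


# Constructed sample events (hypothetical identities; not a real capture).
_USER = {
    "type": "IAMUser",
    "principalId": "AIDAEXAMPLEPRINCIPAL",
    "arn": "arn:aws:iam::123456789012:user/alice",
    "accountId": "123456789012",
    "userName": "alice",
}


def _event(time, source, name, invoked_by=None, ip="203.0.113.10"):
    identity = dict(_USER)
    if invoked_by:
        identity["invokedBy"] = invoked_by   # present only when a service made the call
    return {
        "eventVersion": "1.02",
        "userIdentity": identity,
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": invoked_by or ip,
        "userAgent": invoked_by or "aws-cli/1.7.0",
    }


SAMPLE_RECORDS = [
    _event("2015-08-01T12:00:01Z", "cloudformation.amazonaws.com", "CreateStack"),
    _event("2015-08-01T12:00:07Z", "ec2.amazonaws.com", "RunInstances", "cloudformation.amazonaws.com"),
    _event("2015-08-01T12:00:09Z", "rds.amazonaws.com", "CreateDBInstance", "cloudformation.amazonaws.com"),
    _event("2015-08-01T12:04:30Z", "ec2.amazonaws.com", "TerminateInstances", "autoscaling.amazonaws.com"),
]
SAMPLE_FILE = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())

if __name__ == "__main__":
    report = summarize(load_records(SAMPLE_FILE))
    print("direct calls:")
    for line in report["direct"]:
        print("  ", *line)
    print("calls made by a service on the user's behalf:")
    for line in report["on_behalf"]:
        print("  ", *line)
    print("per service:", report["per_service"])
```

To run it on a real file, replace SAMPLE_FILE with the bytes of an object downloaded from the log bucket. The useful signal for detection is the direct list: a burst of service-invoked EC2 or RDS calls is expected, but the CreateStack (or similar) call that triggered it is the one to attribute to a person, a source IP and a user agent.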
To get started with CloudTrail, see Getting Started with CloudTrail.