What is AWS CloudTrail?

Why Interviewers Ask This

Candidates at the intermediate level are expected to not only know this concept but explain the trade-offs involved. Interviewers use this question to see if you can reason about design decisions, not just recall facts.

Answer

AWS CloudTrail is the audit log of an AWS account: it records the API calls made in the account (by IAM users, role sessions and AWS services, whether through the console, CLI, SDKs or other services) and delivers them as JSON log files. That record is the basis for governance, compliance, operational troubleshooting and security investigation.

What each event records:
- Who: the IAM identity (user, role session or AWS service) in userIdentity
- When: eventTime
- From where: sourceIPAddress and userAgent
- What: eventSource and eventName (the service and the API action)
- On what: the affected resource, usually as an ARN
- Result: success, or errorCode / errorMessage on failure (for example AccessDenied)
- Details: requestParameters and responseElements

Event types (these are event types, not trail types; one trail can capture all three):
- Management events: control-plane operations on AWS resources (CreateBucket, RunInstances, TerminateInstances, PutBucketPolicy). Captured by default.
- Data events: data-plane operations inside a resource (S3 object-level GetObject / PutObject / DeleteObject, Lambda function invocations). High volume, so not enabled by default; you opt in per trail.
- Insights events: CloudTrail's own anomaly detection on the rate of management write calls and on API error rates (spikes, unusual patterns). Optional and billed separately.

Configuration: create a trail, choose which event types it captures, and store the log files in an S3 bucket. Optionally also send events to CloudWatch Logs (metric filters and alarms for near-real-time alerting) and react to specific events with EventBridge rules.
- Log file integrity validation: when enabled, CloudTrail writes hourly digest files containing the hash of every delivered log file, signed by CloudTrail. aws cloudtrail validate-logs then proves that no log file was modified, deleted or inserted after delivery.
- Multi-region trail: one trail that captures events from every region, including regions you do not normally use.
- Organization trail: one trail created in the management account that captures events from every account in the AWS Organization; member accounts cannot disable it.
- Event History: the last 90 days of management events, viewable for free in the CloudTrail console without a trail. For data events, retention beyond 90 days, or querying at scale, you need a trail.
- Athena integration: define a table over the trail's S3 prefix and query the logs with SQL, for example every action by a specific IAM user, or every call that returned AccessDenied.

Use cases: security incident investigation (what did a compromised credential actually do?), compliance auditing, operational troubleshooting, change tracking. GuardDuty consumes CloudTrail management events as one of its data sources, so CloudTrail plus GuardDuty is the foundation of AWS security monitoring. A practitioner's caveat: an attacker who gains admin access goes after the trail itself (StopLogging, DeleteTrail, UpdateTrail), so alert on those calls and protect the log bucket as strictly as the data it describes.
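The investigation questions from the answer (what did one identity do, which calls were denied, did anyone tamper with the trail, which data events appear) as runnable detection logic over a CloudTrail log file. This is an added example, not code from AWS or from the original answer. The records are constructed in CloudTrail's delivery format ({"Records": [...]}) using the real field names; the account ID 111122223333, the identities alice and bob, the bucket, trail name, IP addresses and timestamps are all made up.

```python
"""Offline triage of a CloudTrail log file: who did what, from where, what failed,
and whether anyone touched the trail itself. Added example; the records below are
constructed in CloudTrail's delivery format ({"Records": [...]}) with real field
names but made-up identities, account ID, IP addresses and timestamps."""
import json
from collections import Counter

ACCOUNT = "111122223333"  # assumed account ID (the placeholder AWS docs use)
ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "userName": "alice"}
BOB = {"type": "AssumedRole",
       "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/Admin/bob",
       "sessionContext": {"sessionIssuer": {"type": "Role", "arn": f"arn:aws:iam::{ACCOUNT}:role/Admin"}}}


def _rec(time, source, name, ip, agent, identity, **extra):
    """Build one constructed record with the fields every CloudTrail event carries."""
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
           "awsRegion": "us-east-1", "sourceIPAddress": ip, "userAgent": agent,
           "userIdentity": identity, "eventCategory": "Management", "readOnly": False,
           "recipientAccountId": ACCOUNT}
    rec.update(extra)
    return rec


SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-01T10:00:00Z", "s3.amazonaws.com", "PutBucketPolicy", "203.0.113.10", "aws-cli/2.15.0", ALICE,
         requestParameters={"bucketName": "finance-reports"}),
    _rec("2024-05-01T10:02:13Z", "ec2.amazonaws.com", "RunInstances", "203.0.113.10", "aws-cli/2.15.0", ALICE,
         errorCode="Client.UnauthorizedOperation",
         errorMessage="You are not authorized to perform this operation."),
    _rec("2024-05-01T10:05:41Z", "cloudtrail.amazonaws.com", "StopLogging", "198.51.100.7", "Boto3/1.34.0", BOB,
         requestParameters={"name": "org-trail"}),
    _rec("2024-05-01T10:06:02Z", "iam.amazonaws.com", "ListUsers", "198.51.100.7", "Boto3/1.34.0", BOB,
         readOnly=True, errorCode="AccessDenied",
         errorMessage="User is not authorized to perform: iam:ListUsers"),
    _rec("2024-05-01T10:07:30Z", "s3.amazonaws.com", "GetObject", "198.51.100.7", "Boto3/1.34.0", BOB,
         readOnly=True, eventCategory="Data",
         requestParameters={"bucketName": "finance-reports", "key": "q1.xlsx"}),
]})

# Error codes meaning the call was attempted but refused by IAM or the service.
DENIED = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation", "UnauthorizedOperation"}
# cloudtrail.amazonaws.com calls that disable or weaken the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(log_text):
    """Parse one delivered log file (the JSON object CloudTrail writes to S3)."""
    return json.loads(log_text)["Records"]


def principal(record):
    """Who really acted: for role sessions, the role ARN from sessionIssuer
    rather than the per-session sts ARN; otherwise the identity ARN or type."""
    ident = record["userIdentity"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn") or ident.get("type")


def actions_by_identity(records, arn_fragment):
    """Timeline of what one identity did (the 'all actions by a specific user' query)."""
    return [(r["eventTime"], r["eventSource"], r["eventName"])
            for r in records if arn_fragment in r["userIdentity"].get("arn", "")]


def unauthorized_calls(records):
    """Denied calls: what a compromised or over-curious principal tried and failed to do."""
    return [r for r in records if r.get("errorCode") in DENIED]


def trail_tampering(records):
    """Attempts to stop, delete or reconfigure a trail (defense evasion)."""
    return [r for r in records
            if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPERING]


def writes_by_source(records):
    """Number of write (non read-only) calls per (source IP, principal) pair."""
    return Counter((r["sourceIPAddress"], principal(r)) for r in records if not r.get("readOnly"))


def triage(log_text):
    """Run the whole triage once and return a summary dict."""
    recs = load_records(log_text)
    return {
        "total": len(recs),
        "data_events": [r["eventName"] for r in recs if r.get("eventCategory") == "Data"],
        "denied": [(r["eventTime"], principal(r), r["eventName"], r["errorCode"]) for r in unauthorized_calls(recs)],
        "trail_tampering": [(r["eventTime"], principal(r), r["eventName"], r["sourceIPAddress"])
                            for r in trail_tampering(recs)],
        "writes_by_source": writes_by_source(recs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The same logic maps directly onto the Athena queries the answer mentions: actions_by_identity is a WHERE on useridentity.arn, unauthorized_calls is a WHERE on errorcode, and trail_tampering is a WHERE on eventsource and eventname. Resolving role sessions to the role ARN in principal matters because each STS session gets a different assumed-role ARN, so counting by the raw ARN splits one actor's activity across many keys.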

Common Mistake

Many candidates answer correctly but can't explain the 'why'. Always be prepared to justify your answer with a concrete example or use case from your AWS / Cloud Computing experience.