It is a global service supporting ALL regions that records and tracks, for auditing purposes, all AWS API requests (logs are retained by default for 90 days) made:
programmatically by a user with SDK
from AWS CLI
within AWS Console
by other AWS services
A CloudTrail Trail captures API requests and stores them as events in a log file (in JSON format, delivered within 15 minutes) on S3.
Events contain information about:
caller
timestamp
source IP
CloudTrail is very useful for security, to monitor restricted API calls and be notified of threshold breaches, as well as for solving operational issues (debugging and root cause analysis).
Even though there is a specific service to monitor and keep track of changes in your infrastructure (AppConfig), CloudTrail logs can be used as evidence for various compliance and governance controls.
Types of captured events:
Management events: also called control plane operations, these normally refer to management operations performed on resources in your account (like configuring security with IAM, creating VPCs or subnets, and setting up logging)
Data events: aka data plane operations, these provide information about the resource operations performed in or on a resource (like accessing an S3 object, invoking Lambdas, editing items in DynamoDB)
Insights events: capture unusual API call rate or error rate activity [since additional charges apply, Insights events are disabled by default]
AWS offers the ability to aggregate CloudTrail logs from multiple accounts into a single S3 bucket. This is achieved by:
activating CloudTrail on the account owning the bucket
creating a bucket policy with a permission for each AWS account we want to aggregate logs for
activating CloudTrail on the other accounts, pointing to that S3 bucket.
This is a useful solution, but generally you don't want AWS accounts that write logs to a bucket in another account to be able to see log information from the other accounts logging to the same bucket. Therefore the best approach is, in the primary account:
to create an IAM Role for each account requiring read access
to assign a Policy to those roles that allows access only to their own logs
to let users assume that Role by setting up a Trusted Relationship
and, on the secondary accounts, to create a new Policy that allows assuming the CloudTrailReadLogs Role.
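As an added example (not part of the original notes), the four policy documents this setup needs, generated in Python: the bucket policy with one write statement per aggregated account, the per-account read-only policy scoped to that account's own AWSLogs prefix, the role's trusted relationship, and the secondary-account policy that permits assuming CloudTrailReadLogs. The bucket name and account IDs are constructed sample values; the final check confirms one account's role cannot read another account's prefix.

```python
import fnmatch
import json

def bucket_policy(bucket, accounts):
    """Bucket policy on the primary account's bucket: CloudTrail may check the
    ACL and may write each account's logs only under its own AWSLogs/<id>/ prefix."""
    statements = [{
        "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"}]
    for acct in accounts:  # one PutObject statement per aggregated account
        statements.append({
            "Sid": f"AWSCloudTrailWrite{acct}", "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}})
    return {"Version": "2012-10-17", "Statement": statements}

def read_only_policy(bucket, acct):
    """Permissions for that account's CloudTrailReadLogs role in the primary
    account: list and read only the keys under the account's own prefix."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [f"AWSLogs/{acct}/*"]}}},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*"}]}

def trust_policy(acct):
    """Trusted relationship on the role: only principals of that one secondary account may assume it."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{acct}:root"}}]}

def assume_role_policy(primary, role_name="CloudTrailReadLogs"):
    """Policy attached in a secondary account so its users may assume the role in the primary account."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{primary}:role/{role_name}"}]}

def allows_get_object(policy, object_arn):
    """Minimal check: does some Allow statement's s3:GetObject resource pattern match this object ARN?"""
    return any(s["Action"] == "s3:GetObject" and fnmatch.fnmatchcase(object_arn, s["Resource"])
               for s in policy["Statement"])

if __name__ == "__main__":  # constructed demo values: account 222... may read its own logs, not 333...'s
    bucket = "example-org-cloudtrail-logs"
    own = f"arn:aws:s3:::{bucket}/AWSLogs/222222222222/us-east-1/2024/01/01/a.json.gz"
    pol = read_only_policy(bucket, "222222222222")
    print(allows_get_object(pol, own), allows_get_object(pol, own.replace("222222222222", "333333333333")))  # True False
    print(json.dumps(bucket_policy(bucket, ["222222222222", "333333333333"]), indent=2))
```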