CloudTrail logs CloudTrail events, i.e. AWS API actions (e.g. change security group, add EC2 instance)
- NOT real-time
- by default stores 90 days, but can alternatively be stored as JSON in S3 indefinitely
- free on default settings; to customize, create more trails
- event types
  - management event: creating EC2, etc
    - by default, mgmt. event is the only type being recorded
  - data event: adding/reading objects to S3, using a Lambda function, etc
    - much higher volume
  - insight event
- By default, CloudTrail has a trail that is for one region. Trails can be set to record all regions.
- A trail can also be configured to receive global service events (IAM events). By default global service events are logged to us-east-1.
- Data flow
  - save logs to S3 to bypass 90 day history limit
  - send events to CloudWatch Logs to search and use metric filters.
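
Added example (not part of the original notes): reading one CloudTrail log file as it is stored in S3, counting records per event type, and listing the management events that changed something. The sample records are constructed, and the gzip-compressed `{"Records": [...]}` layout and the `eventCategory` / `readOnly` fields are assumed to match what the trail delivers.

```python
import gzip
import json
from collections import Counter

# Constructed sample of a CloudTrail log file as delivered to S3:
# a gzip-compressed JSON object with a top-level "Records" array.
SAMPLE_RECORDS = {"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "readOnly": False, "managementEvent": True, "eventCategory": "Management"},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "readOnly": True, "managementEvent": True, "eventCategory": "Management"},
    # IAM is a global service: its events are recorded under us-east-1.
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "readOnly": False, "managementEvent": True, "eventCategory": "Management"},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1",
     "readOnly": True, "managementEvent": False, "eventCategory": "Data"},
    {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "awsRegion": "eu-west-1",
     "readOnly": False, "managementEvent": False, "eventCategory": "Data"},
]}
SAMPLE_LOG = gzip.compress(json.dumps(SAMPLE_RECORDS).encode())


def category(record):
    """Event type of one record; 'Unknown' if the field is missing."""
    return record.get("eventCategory", "Unknown")


def summarize(log_bytes):
    """Count records per event type and list state-changing management events."""
    records = json.loads(gzip.decompress(log_bytes))["Records"]
    counts = Counter(category(r) for r in records)
    changes = [(r["eventTime"], r["awsRegion"], r["eventSource"], r["eventName"])
               for r in records
               if category(r) == "Management" and not r.get("readOnly", False)]
    return counts, changes


if __name__ == "__main__":
    counts, changes = summarize(SAMPLE_LOG)
    print(dict(counts))
    for change in changes:
        print(*change)
```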