AWS CloudTrail
CloudTrail is the audit-log layer that records AWS API calls and account activity in time order. It preserves enough history to reconstruct who performed which action through which path.
If permissions change or a resource disappears and there is no record of who called what and when, incident investigation stalls immediately. Monitoring system state is not enough when compliance also depends on a history of actual actions.
In early operations, configuration changes and permission modifications often happened without records of who did them or when. As the pace of change in the cloud accelerated, services like CloudTrail that ensure auditability became essential.
CloudTrail records AWS API activity from the console, CLI, and SDKs and delivers it to an S3 bucket and, optionally, to CloudWatch Logs. Each record includes the caller identity, event time, source IP address, request parameters, and response elements, so you can reconstruct who changed what, how, and from where.
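The fields listed above are enough to answer the "who changed permissions, when, and from where" question from the opening paragraph. The following is an added example, not code from this page or from AWS: it parses a constructed CloudTrail log file (the `{"Records": [...]}` delivery format, with placeholder account id, ARNs and IPs) and extracts the IAM calls that alter what a principal may do. The set of event names is an assumption for illustration, not an exhaustive list.

```python
import json
from dataclasses import dataclass
# Constructed sample in CloudTrail's delivery format ({"Records": [...]});
# the account id, ARNs and IPs are illustrative placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-15T10:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": None},
    {"eventTime": "2024-01-15T10:07:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRolePolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"},
     "requestParameters": {"roleName": "Deploy", "policyName": "inline-s3"},
     "errorCode": "AccessDenied"},
]})

# IAM API names that change what a principal is allowed to do (illustrative subset).
PERMISSION_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                     "PutRolePolicy", "DeleteRolePolicy", "DeleteUserPolicy",
                     "CreatePolicyVersion", "UpdateAssumeRolePolicy"}

@dataclass
class PermissionChange:
    when: str        # eventTime
    who: str         # userIdentity.arn, the caller
    what: str        # eventName
    target: str      # principal whose permissions were touched (requestParameters)
    source_ip: str   # sourceIPAddress
    succeeded: bool  # False when the record carries an errorCode such as AccessDenied

def permission_changes(log_text: str) -> list[PermissionChange]:
    """Pull permission-affecting IAM calls out of one CloudTrail log file."""
    found = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "iam.amazonaws.com" \
                or rec.get("eventName") not in PERMISSION_EVENTS:
            continue
        params = rec.get("requestParameters") or {}  # null for some read-only calls
        found.append(PermissionChange(
            when=rec["eventTime"], who=rec.get("userIdentity", {}).get("arn", "unknown"),
            what=rec["eventName"], source_ip=rec.get("sourceIPAddress", "unknown"),
            target=params.get("userName") or params.get("roleName") or "unknown",
            succeeded="errorCode" not in rec))  # denied attempts are still recorded
    return found
```

Note that the denied `DeleteRolePolicy` call is still in the output: CloudTrail records failed calls with an `errorCode`, which is often the first signal of a misused credential.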
CloudTrail and CloudWatch both deal with operational information, but their focus differs. CloudTrail keeps an audit record of who invoked which API, while CloudWatch focuses on current state and performance metrics. If the problem is tracing changes and auditing actions, look at CloudTrail; if the problem is reacting to latency, errors, and resource health, look at CloudWatch.
CloudTrail is well suited to security investigations, change tracking, compliance evidence, and analysis of anomalous behavior. It is not a good fit for real-time performance monitoring or threshold alarms, which belong to CloudWatch.