- Enabled by default to track API calls; logs can be exported to S3 and CloudWatch Logs
- A trail applies to all regions by default; it can also be scoped to a specific region, service, or user
- Can set up an organization trail to log API calls for the entire organization
- Up to 15 min delivery delay; set up EventBridge to react to events, with metrics and alarms from CloudWatch
- Event history keeps events for 90 days; export to S3 and query with Athena for longer retention
- Management events: actions on AWS resources in your account
- Data events (off by default): object-level activity such as S3 object access and Lambda invocations
- Insights events (off by default): detect unusual API activity in your account
CloudTrail with AWS Organizations
To create an organization trail, ensure that the “Enable for all accounts in my organization” option is checked when creating a new CloudTrail trail.
CloudTrail to S3

Multi-account, multi-region logging

Alerts per API call
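The rules an EventBridge rule or CloudWatch metric filter would apply to CloudTrail events can be tried offline on a log object. The example below is added here and is not from these notes or from AWS: it builds a constructed CloudTrail log object in the gzipped `{"Records": [...]}` shape that CloudTrail delivers to S3, separates management from data events, and flags events a defender typically alerts on (changes to the trail itself, root account activity, console login without MFA). The sample records, account ID, ARNs and IP addresses are constructed, and the rule set is the author's own choice, not an AWS-provided list.

```python
"""Parse a CloudTrail log object as delivered to S3 and flag events worth alerting on.

Added example, not from the notes above. Input is a constructed CloudTrail
log object (same shape as the gzipped JSON CloudTrail writes to S3); the
alert rules are the author's own choice, not an AWS-provided list.
"""
import gzip
import json
from typing import Iterable

# Constructed sample: two management events and one data event in the
# {"Records": [...]} envelope CloudTrail uses for S3 delivery.
SAMPLE_LOG = {
    "Records": [
        {
            "eventVersion": "1.08",
            "eventTime": "2024-01-15T10:00:00Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
            "requestParameters": {"name": "org-trail"},
            "managementEvent": True,
            "eventCategory": "Management",
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2024-01-15T10:05:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.11",
            "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"},
            "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
            "managementEvent": False,
            "eventCategory": "Data",
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2024-01-15T10:07:00Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.5",
            "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
            "additionalEventData": {"MFAUsed": "No"},
            "managementEvent": True,
            "eventCategory": "Management",
        },
    ]
}

# Management API calls that change the audit trail itself; alerting on these
# is a common baseline for a metric filter or EventBridge rule.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def gzip_log(log: dict) -> bytes:
    """Serialize a log object the way it sits in S3 (gzipped JSON)."""
    return gzip.compress(json.dumps(log).encode())


def load_records(blob: bytes) -> list[dict]:
    """Decompress one S3 log object and return its Records array."""
    return json.loads(gzip.decompress(blob))["Records"]


def classify(record: dict) -> str:
    """Return the event category, falling back to the managementEvent flag."""
    return record.get("eventCategory") or ("Management" if record.get("managementEvent") else "Data")


def findings(records: Iterable[dict]) -> list[dict]:
    """Apply the alert rules; each finding names the rule and the triggering event."""
    out = []
    for r in records:
        ident = r.get("userIdentity", {})
        if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPERING:
            out.append({"rule": "trail-tampering", "eventName": r["eventName"], "actor": ident.get("arn")})
        if ident.get("type") == "Root":
            out.append({"rule": "root-activity", "eventName": r["eventName"], "actor": ident.get("arn")})
        if r["eventName"] == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            out.append({"rule": "console-login-no-mfa", "eventName": r["eventName"], "actor": ident.get("arn")})
    return out


def scan(blob: bytes) -> dict:
    """Summarize one log object: count of events per category plus the findings."""
    records = load_records(blob)
    counts: dict[str, int] = {}
    for r in records:
        counts[classify(r)] = counts.get(classify(r), 0) + 1
    return {"counts": counts, "findings": findings(records)}


if __name__ == "__main__":
    print(json.dumps(scan(gzip_log(SAMPLE_LOG)), indent=2))
```

Running the file prints two management events and one data event, with three findings: the `StopLogging` call, the root console login, and that same login lacking MFA. In production the same three conditions are what you would encode as a CloudWatch Logs metric filter on the trail's log group or as an EventBridge event pattern, so that the alert fires per API call rather than on a periodic Athena query.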
