CloudTrail Event History
Like most AWS services, CloudTrail can be interacted with via the CLI, the API, or the management console. These labs use the management console.
AWS accounts come with CloudTrail enabled, so your account activity is automatically recorded as log files known as CloudTrail events. By default, however, the only way to access these is the Event History pane of the CloudTrail console, which shows the past 90 days of management activity.
For long-term, comprehensive logging, you should enable trails. A trail is simply a set of instructions that tells CloudTrail what to do with events of specific types. For example, a trail you set up to monitor management activity in your account tells CloudTrail which S3 bucket to store those logs in, whether to validate them, which region you want to monitor, and so on.
Trails can apply either to a single region or to all regions. It is best practice to monitor activity across all regions in your account, although single-region trails can be helpful if you want to delegate monitoring responsibilities to local teams. For both multi-region and single-region trails, you can specify an S3 bucket from any region as the log destination.
Bear in mind that CloudTrail delivers logs around 15 minutes after the API call they reference, so a log file is not a real-time view of activity. For more detail, refer to the AWS CloudTrail Service Level Agreement.
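To make the distinctions above concrete (management versus data events, the 90-day Event History window, single-region versus multi-region scope, and the delivery delay), here is an added example that is not part of the lab. It parses a CloudTrail log file in the layout a trail delivers to S3 (a JSON object with a "Records" list) and answers the questions a defender typically asks of it. The three records are constructed for illustration; the field names (eventTime, eventName, eventSource, awsRegion, managementEvent, readOnly) are the ones CloudTrail uses, but the user names, times and regions are made up.

```python
"""Summarise CloudTrail log-file records by scope, type and delivery lag.

Added example, not code from the lab. The log file below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a CloudTrail log file as a trail would deliver it to S3.
SAMPLE_LOG_FILE = json.dumps({
    "Records": [
        {   # management event: an IAM change in us-east-1
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "eventTime": "2024-03-01T10:00:00Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateUser",
            "awsRegion": "us-east-1",
            "managementEvent": True,
            "readOnly": False,
        },
        {   # data event: an S3 object read; Event History never shows these
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "bob"},
            "eventTime": "2024-03-01T10:05:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject",
            "awsRegion": "eu-west-1",
            "managementEvent": False,
            "readOnly": True,
        },
        {   # management event in a second region
            "eventVersion": "1.08",
            "userIdentity": {"type": "AssumedRole", "userName": "deploy"},
            "eventTime": "2024-03-01T10:07:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances",
            "awsRegion": "eu-west-1",
            "managementEvent": True,
            "readOnly": False,
        },
    ]
})


def load_records(log_file_text):
    """Return the list of events from one CloudTrail log file."""
    return json.loads(log_file_text)["Records"]


def parse_event_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def management_events(records, region=None):
    """Events Event History would show: management events only.

    Passing a region mimics the scope of a single-region trail; None mimics a
    multi-region trail, which is the recommended setup.
    """
    out = []
    for r in records:
        if not r.get("managementEvent", False):
            continue
        if region is not None and r.get("awsRegion") != region:
            continue
        out.append(r)
    return out


def data_events(records):
    """Events only a trail configured for data events will capture."""
    return [r for r in records if not r.get("managementEvent", False)]


def write_events(records):
    """Mutating calls (readOnly false): the usual starting point for alerting."""
    return [r for r in records if not r.get("readOnly", True)]


def count_by_region(records):
    """How many events each region produced; useful to spot unexpected regions."""
    counts = {}
    for r in records:
        counts[r["awsRegion"]] = counts.get(r["awsRegion"], 0) + 1
    return counts


def within_event_history_window(record, now, days=90):
    """True if Event History (90-day retention) would still hold this event."""
    return now - parse_event_time(record["eventTime"]) <= timedelta(days=days)


def delivery_lag_minutes(record, delivered_at):
    """Minutes between the API call and when the log file became available."""
    return (delivered_at - parse_event_time(record["eventTime"])).total_seconds() / 60


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_FILE)
    print("management (all regions):", [r["eventName"] for r in management_events(recs)])
    print("management (eu-west-1 only):", [r["eventName"] for r in management_events(recs, "eu-west-1")])
    print("data events:", [r["eventName"] for r in data_events(recs)])
    print("by region:", count_by_region(recs))
```

Running it shows that a single-region trail on eu-west-1 would miss the CreateUser call in us-east-1, and that the GetObject data event appears in the trail's log file but would never appear in Event History. The delivery-lag helper is the check to run when you are reasoning about how stale the newest log file may be.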