Definition: A web service that records activity (API calls) made on your AWS account.
Purpose: Enables governance, compliance, and operational/risk auditing of your AWS account.
Provides visibility into user activity by recording actions taken.
API history enables security analysis, resource change tracking, and compliance auditing.
Records API calls made via:
- AWS Management Console
- AWS SDKs
- AWS Command Line Interface (CLI)
- Higher-level AWS services (e.g., CloudFormation, EC2, S3).
Records details like: Identity of API caller, time of call, source IP, request parameters, response elements.
Default State: CloudTrail is enabled on your AWS account when you create it. (Exam Tip!)
Event History: By default, CloudTrail records 90 days of management events in the CloudTrail Event History (viewable in console). A trail is needed for longer retention and S3 delivery.
CloudTrail is per AWS account and regional when you create a trail, but a single trail can apply to all regions.

A configuration that delivers log files to an Amazon S3 bucket.
Two types of trails:
- Trail that applies to all regions: Records events in all regions and delivers to a single S3 bucket. (Recommended for centralized logging).
- Trail that applies to a single region: Records events only in that specific region. Additional single-region trails can use the same or different S3 buckets.
Event Selectors: Allow you to filter which events a trail logs (e.g., specific event names, read/write type, resources).

Trails can be configured to log Management Events and/or Data Events.
Management Events (Control Plane Operations):
- Provide insight into management operations performed on resources in your AWS account.
- Examples: Configuring security (IAM AttachRolePolicy), registering devices (EC2 CreateDefaultVpc), configuring routing rules (EC2 CreateSubnet), setting up logging (CloudTrail CreateTrail).
- Non-API events (e.g., console sign-in) can also be included.
- Charged: Management events are typically free for a certain volume, then charged.
Data Events (Data Plane Operations):
- Provide insight into resource operations performed on or within a resource.
- Examples: Amazon S3 object-level API activity (GetObject, DeleteObject, PutObject), AWS Lambda function execution activity (Invoke API).
- Charged: Data events incur additional charges and are not logged by default. You must explicitly enable them. (Exam Tip!)

CloudTrail log files are delivered to an Amazon S3 bucket.
Default Encryption: Log files are encrypted at rest using S3 Server-Side Encryption (SSE-S3) by default.
Optional Encryption: You can enable encryption using SSE-KMS for additional security (using your own KMS key).
A single KMS key can be used to encrypt log files for trails applied to all regions.

You can consolidate logs from multiple AWS accounts into a single S3 bucket for centralized auditing.
Steps:
1. Turn on CloudTrail in the paying account.
2. Create an S3 bucket policy that allows cross-account access (write permissions from other accounts).
3. Turn on CloudTrail in the other accounts and configure them to use the S3 bucket in the paying account.

You can integrate CloudTrail with CloudWatch Logs to deliver captured events to a CloudWatch Logs log stream.
This enables:
- Real-time monitoring: Create CloudWatch Alarms based on specific API calls or patterns in the logs.
- Longer retention: Configure custom retention periods for logs in CloudWatch Logs.
- Metrics: Create CloudWatch Metrics from log data.

Feature that allows you to determine whether a CloudTrail log file was unchanged, deleted, or modified since CloudTrail delivered it to S3.
Uses cryptographic hashing (SHA-256) and digital signing for validation.
Crucial for compliance and forensic analysis.

Characteristic	AWS CloudWatch	AWS CloudTrail
Primary Focus	Performance monitoring, operational health, resource utilization.	Auditing, governance, compliance, security analysis.
What it Logs	Logs events across AWS services (operational data, application logs, metrics).	Logs API activity across AWS services (actions, events).
Level of Detail	Higher-level comprehensive monitoring and events.	More low-level, granular API activity.
Data Origin	Metrics from services, custom metrics, application logs.	API calls made by users, roles, or AWS services.
Storage	Logs stored to CloudWatch Logs (configurable retention). Metrics stored for 15 months.	Logs delivered to S3 (indefinite storage). Event History (console) for 90 days.
Alarms	Native alarming capabilities based on metrics and log patterns.	No native alarming; integrates with CloudWatch Logs to create alarms.
Cost	Charges for metrics, logs ingestion/storage, alarms.	Charges for management events (after free tier) and data events. S3 storage costs.

"Who did what, when, where?" If a question asks about auditing, security analysis, compliance, or tracking changes made to your AWS environment, think CloudTrail.
"How is my application performing?" If a question asks about performance, resource utilization, application health, or operational insights, think CloudWatch.
Default Behavior: CloudTrail is enabled by default for your account, but to get logs delivered to S3 for long-term storage and detailed analysis, you must create a trail. The console's Event History only shows 90 days.
Data Events vs. Management Events: Data events are not logged by default and cost more. You need to explicitly enable them for S3 object-level actions or Lambda invokes.
Encryption: Logs are SSE-S3 encrypted by default; SSE-KMS is an option.
Log Integrity: Remember the log file integrity validation feature for compliance.
Centralized Logging: Know the process for setting up cross-account CloudTrail logging to a central S3 bucket.
Real-time Alarms: To get real-time alerts from CloudTrail events, you must integrate CloudTrail with CloudWatch Logs and then create CloudWatch Alarms on specific log patterns.