AWS CloudTrail
The audit ledger of AWS — records every API call made against your account as an event, answering "who did what, where, and when." CloudTrail itself does not analyze or judge that activity; analysis is layered on top via Insights (statistical anomalies), GuardDuty (broad ML threat detection), or your own queries.
- Control types: Detective (raw activity record), Compliance (audit trail), Governance
- 90 days: default Event History (no trail needed)
- ~15 min: typical trail log delivery latency
- May 31 2026: CloudTrail Lake closes to NEW customers
- 4 event types: management / data / network activity / Insights
How CloudTrail Actually Works
The Core Mechanism — A Record, Not a Judgment
- Every API call is captured — whether made via console, CLI, SDK, or another AWS service calling on your behalf — and recorded as a structured JSON event containing who made the request, what action, against what resource, from where, and the result.
- Event History is always on, with no trail required — every account automatically retains the last 90 days of management events, viewable directly in the console/CLI, completely free. This is frequently confused with "you must create a trail to get any CloudTrail data" — you don't, for recent management events.
- A Trail is what extends this — delivering events continuously to an S3 bucket (and optionally CloudWatch Logs) for retention beyond 90 days, multi-region/multi-account aggregation, and real-time alerting via metric filters and alarms.
- CloudTrail itself has zero awareness of "good" vs "bad" — it is a faithful recorder. Any anomaly detection, behavioral analysis, or threat scoring on top of these events is done by something else: CloudTrail Insights (statistical), GuardDuty (ML/threat intel), or a query you write yourself.
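As an added example (not code from the page or from AWS), the following Python reads a constructed CloudTrail log file in its delivered `{"Records": [...]}` shape and answers who/what/where/when for each record, resolving assumed-role sessions and the `invokedBy` field that marks an AWS service acting on a principal's behalf; the account id, ARNs and IP addresses are made up.

```python
import json

# Constructed sample in CloudTrail's delivered-file shape; account id, ARNs and IPs are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-01-10T08:15:02Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2026-01-10T08:20:44Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-run-42",
                      "sessionContext": {"sessionIssuer": {"userName": "DeployRole"}}},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2026-01-10T08:21:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "autoscaling.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "autoscaling.amazonaws.com",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ASGRole/AutoScaling",
                      "sessionContext": {"sessionIssuer": {"userName": "ASGRole"}}}},
]})

def who(identity):
    """Resolve the principal behind a userIdentity block (root, IAM user, or role session)."""
    kind = identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return identity.get("userName", "?")
    if kind == "AssumedRole":
        role = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "?")
        session = identity.get("arn", "").rsplit("/", 1)[-1]  # role session name from the STS ARN
        return f"role {role} (session {session})"
    return kind or "unknown"

def summarize(record):
    """Who did what, where, when, and with what result, for one event."""
    identity = record["userIdentity"]
    via = identity.get("invokedBy")  # present when an AWS service made the call on the principal's behalf
    return {
        "who": who(identity) + (f" via {via}" if via else ""),
        "what": record["eventSource"].split(".")[0] + ":" + record["eventName"],
        "where": record["awsRegion"] + " from " + record["sourceIPAddress"],
        "when": record["eventTime"],
        "result": record.get("errorCode", "Success"),  # errorCode is absent on successful calls
    }

def summarize_log(text):
    """Summarize every record in a delivered log file."""
    return [summarize(r) for r in json.loads(text)["Records"]]
```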
⚠️ The Recurring Exam Theme
CloudTrail questions almost always test one of three things: (1) which event type (management/data/network activity/Insights) actually captures the described scenario, (2) can you distinguish CloudTrail Insights' narrow, statistical, rate/volume-based anomaly detection from GuardDuty's broad ML-based threat detection, and (3) do you know the service's current direction — CloudTrail Lake is closing to new customers (May 31, 2026), with AWS steering new analytics workloads toward CloudWatch.
Exam Domain Mapping
| Domain | Where CloudTrail Shows Up |
| Security Logging & Monitoring | The centerpiece — event types, trails, log integrity, encryption, CloudWatch Logs integration |
| Threat Detection & Incident Response | Insights anomaly detection, the source data underlying GuardDuty/Detective |
| Management & Security Governance | Organization trails, multi-account/region log aggregation, audit evidence |
| Infrastructure Security | Network activity events for VPC endpoints — data perimeter visibility |
Decision Tree — Mental Model
Threat
Unauthorized or unexplained API activity; need to answer "who did this, when, from where"; unusual spikes in API call volume; potential data exfiltration through a VPC endpoint
↓
Security Goal
A complete, tamper-evident, queryable record of account activity — for audit, investigation, and as the raw input to higher-level detection services
↓
AWS Service
AWS CloudTrail
- Management events (control plane)
- Data events (object/record level)
- Network activity events (VPC endpoints)
- Insights (statistical anomalies)
↓
Implementation
Create an organization trail with log file validation and KMS encryption. Opt into data/network activity events for sensitive resources. Send to CloudWatch Logs for real-time alerting.
↓
Monitoring
CloudWatch metric filters/alarms on log patterns; Insights for rate/volume anomalies; GuardDuty consumes the same data for broader ML-based threat detection.
↓
Remediation
CloudTrail itself takes no action — alarms/events drive EventBridge → Lambda/SSM Automation for actual response.
Final Summary
Must Memorize
- 4 event types: management (default on), data (opt-in), network activity (opt-in, VPC endpoints), Insights (anomaly detection)
- 90-day Event History is free and automatic, no trail required
- Insights = statistical rate/volume anomaly detection, NOT broad ML threat detection (that's GuardDuty)
- CloudTrail Lake is closing to new customers May 31, 2026 — existing customers unaffected
Must Understand
- Why data/network activity events are opt-in (volume/cost), unlike management events
- How network activity events close the "VPC endpoint denied-access" visibility gap
- The distinction triangle: CloudTrail (raw record) vs CloudTrail Insights (statistical anomaly) vs GuardDuty (ML threat detection)
Can De-prioritize
- Exact dollar pricing per event type
- Console UI navigation specifics
- Full list of every CloudTrail Lake pre-built dashboard
Exam appearance probability: HIGH
Event Types & Insights
Each event type has a different default state, cost profile, and use case — this mapping is the single most tested CloudTrail detail.
2.1 Management Events (default on)
What: Control-plane actions — e.g. creating/deleting an S3 bucket, modifying a security group, creating an IAM role
Default: Logged by default when creating a trail or event data store
- The first copy of management events delivered to your first trail per region is free; additional trails/copies incur cost.
2.2 Data Events (opt-in)
What: Data-plane actions — e.g. S3 GetObject/PutObject, Lambda Invoke, DynamoDB item-level operations
Default: NOT logged by default — must be explicitly enabled due to high volume/cost
- Typically scoped selectively — e.g. only sensitive S3 buckets or critical Lambda functions — rather than account-wide, to manage cost.
2.3 Network Activity Events (VPC Endpoints) (high priority; GA Feb 2025)
What: API calls (both control-plane and data-plane) that traverse a VPC endpoint from a private VPC to an AWS service
Default: NOT logged by default — explicitly opt-in per service
Supported services: S3, EC2, KMS, Secrets Manager, CloudTrail (expanding over time)
- Closes a real visibility gap: previously, VPC endpoint owners had no way to record denied actions due to VPC endpoint policies, and no built-in mechanism to detect when external credentials were used at an endpoint — without this, you'd need custom TLS traffic inspection tooling.
- Key benefits: comprehensive visibility into all API activity traversing the endpoint (regardless of which account initiated it), external-credential detection, data exfiltration investigation, and security monitoring without decrypting TLS traffic.
- Can be configured to log ALL API calls through the endpoint, or only the denied (VpceAccessDenied) calls — useful for testing a new restrictive VPC endpoint policy without disrupting existing functionality.
- "Detect if access through our VPC endpoint was denied by policy" or "detect external credentials being used at a VPC endpoint" → Network Activity Events, not data events or GuardDuty.
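The bucket-scoped data event selection from 2.2 and the denied-only network activity logging from 2.3 expressed as CloudTrail advanced event selectors, as an added example (not the page's or AWS's own code). Field names follow the AdvancedEventSelectors schema used by `put_event_selectors`; the trail and bucket names are placeholders.

```python
# Added example: advanced event selectors for bucket-scoped S3 data events and
# VpceAccessDenied-only network activity events. Trail/bucket names are placeholders.

NETWORK_ACTIVITY_SOURCES = {  # services the page lists as supported for network activity events
    "s3.amazonaws.com", "ec2.amazonaws.com", "kms.amazonaws.com",
    "secretsmanager.amazonaws.com", "cloudtrail.amazonaws.com",
}

MANAGEMENT_SELECTOR = {"Name": "Management events",
                       "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]}

def s3_object_selector(bucket):
    """Data events for objects in one bucket only, not account-wide (cost control)."""
    return {"Name": f"S3 object activity in {bucket}", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "resources.ARN", "StartsWith": [f"arn:aws:s3:::{bucket}/"]},
    ]}

def network_activity_selector(event_source, denied_only=True):
    """Network activity events for one service; denied_only keeps just VpceAccessDenied calls."""
    if event_source not in NETWORK_ACTIVITY_SOURCES:
        raise ValueError(f"{event_source} is not a supported network activity source")
    fields = [{"Field": "eventCategory", "Equals": ["NetworkActivity"]},
              {"Field": "eventSource", "Equals": [event_source]}]
    if denied_only:
        fields.append({"Field": "errorCode", "Equals": ["VpceAccessDenied"]})
    return {"Name": f"VPC endpoint activity for {event_source}", "FieldSelectors": fields}

def build_selectors(sensitive_buckets, network_sources, denied_only=True):
    """put_event_selectors replaces the trail's selector set, so management events stay in explicitly."""
    selectors = [MANAGEMENT_SELECTOR]
    selectors += [s3_object_selector(b) for b in sensitive_buckets]
    selectors += [network_activity_selector(s, denied_only) for s in network_sources]
    return selectors

def event_categories(selectors):
    """Which event categories a selector set turns on (a quick sanity check before applying)."""
    cats = set()
    for sel in selectors:
        for f in sel["FieldSelectors"]:
            if f["Field"] == "eventCategory":
                cats.update(f["Equals"])
    return cats

if __name__ == "__main__":
    import boto3  # only needed to apply the selectors to a real trail
    boto3.client("cloudtrail").put_event_selectors(
        TrailName="org-trail-PLACEHOLDER",
        AdvancedEventSelectors=build_selectors(["pii-exports-PLACEHOLDER"], ["s3.amazonaws.com", "kms.amazonaws.com"]))
```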
2.4 CloudTrail Insights (high-trap; recently expanded)
What: Continuously analyzes management API call volume to detect unusual patterns — e.g. spikes in resource provisioning, bursts of IAM actions, unusual error rates
Mechanism: Statistical baseline of normal API call RATE/VOLUME for your account; deviations generate Insights events
Recent expansion (Nov 2025): Insights now also supports DATA EVENTS, with event aggregation — previously limited mostly to management event rate anomalies
- This is narrower and more statistical than GuardDuty: Insights specifically watches API call rate/volume/error-rate patterns, not the broader behavioral/threat-intel-driven analysis GuardDuty performs across CloudTrail, VPC Flow Logs, and DNS.
- "Detect an unusual spike/burst in API call rate" is the precise Insights use case — when the scenario is specifically about volume/rate anomalies (not "is this malicious"), Insights can be the sharper, more direct answer than GuardDuty.
- Insights events can be delivered to CloudTrail Lake for correlation against the management/data events that may have caused the anomaly.
2.5 CloudTrail Lake (high-trap; service direction change)
What: A managed data lake for aggregating, immutably storing, and running SQL-based queries across activity logs (AWS and non-AWS sources)
Format: Converts JSON events to Apache ORC (columnar) format for fast querying
Newer capabilities: Generative AI natural-language query generation (GA), AI-powered query result summarization (preview), 14+ pre-built dashboards plus custom dashboards, cross-account event data store sharing via resource-based policies
Critical direction change: CloudTrail Lake will no longer be open to NEW customers starting May 31, 2026 — existing customers continue normally, including new regions/accounts under an existing org-level event data store; AWS points customers toward CloudWatch for similar capability going forward
- Retention pricing options include seven-year retention pricing or one-year extendable retention pricing for event data stores.
- Exam trap: a scenario asking "what should a NEW customer use today for this kind of analytics" should likely point to CloudWatch, not CloudTrail Lake, given this availability change.
2.6 Trails vs Event Data Stores
Trail (classic): Delivers events to S3 (and optionally CloudWatch Logs) for storage, real-time monitoring, and alerting
Event Data Store (Lake): Stores events for SQL querying/analytics/dashboards within CloudTrail Lake itself
- These are not mutually exclusive — many architectures use a trail for S3/CloudWatch-based alerting AND an event data store for deeper analytics (subject to the Lake's new-customer restriction above).
2.7 Log File Integrity Validation & Encryption
Integrity validation: Digest files using SHA-256 hashing let you cryptographically verify log files haven't been tampered with or deleted after delivery
Encryption: Log files can be encrypted with KMS (SSE-KMS) for an additional layer of protection at rest
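What the integrity check above actually does, as an added example (not the page's or AWS's code): each digest file lists the log files it covers with their SHA-256 hashes and carries the hash of the previous digest, so re-hashing the delivered objects reveals modification, and a missing object reveals deletion. The bucket name and log contents are constructed; the digest field names follow the CloudTrail digest file layout.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample: two "delivered" log objects (real ones are gzipped JSON; the hash
# covers the object bytes exactly as delivered) plus the previous digest's bytes.
SAMPLE_OBJECTS = {
    "AWSLogs/111122223333/CloudTrail/us-east-1/2026/01/10/a.json.gz": b"constructed-log-1",
    "AWSLogs/111122223333/CloudTrail/us-east-1/2026/01/10/b.json.gz": b"constructed-log-2",
}
PREVIOUS_DIGEST_BYTES = b"constructed-previous-digest"

# A digest in CloudTrail's layout (signature fields omitted), built over the sample objects.
SAMPLE_DIGEST = {
    "digestS3Bucket": "audit-bucket-PLACEHOLDER",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST_BYTES),
    "previousDigestHashAlgorithm": "SHA-256",
    "logFiles": [{"s3Bucket": "audit-bucket-PLACEHOLDER", "s3Object": key,
                  "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(data)}
                 for key, data in SAMPLE_OBJECTS.items()],
}

def verify_digest(digest, objects, previous_digest_bytes=None):
    """Return findings; an empty list means every referenced log file is intact and the chain links."""
    findings = []
    for entry in digest["logFiles"]:
        data = objects.get(entry["s3Object"])
        if data is None:
            findings.append(f"missing: {entry['s3Object']}")        # deleted after delivery
        elif sha256_hex(data) != entry["hashValue"]:
            findings.append(f"hash mismatch: {entry['s3Object']}")  # modified after delivery
    if previous_digest_bytes is not None and \
            sha256_hex(previous_digest_bytes) != digest["previousDigestHashValue"]:
        findings.append("chain break: previous digest does not match")  # a digest was replaced
    return findings
```

Real digests are additionally RSA-signed by CloudTrail (digestSignatureAlgorithm SHA256withRSA), and `aws cloudtrail validate-logs` checks those signatures against CloudTrail's public key as well as the hashes shown here.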
AWS Exam Thinking
Requirement → Keywords → Expected Answer → why every distractor fails.
Requirement: Determine who made a specific API call and when
Keywords: who did what, API call record, audit
Expected Answer: AWS CloudTrail
| Distractor | Why it's wrong |
|---|---|
| AWS Config | Records resource configuration STATE over time, not who made which API call |
| VPC Flow Logs | Records network-layer traffic metadata, not API-level identity/action information |
Requirement: Detect an unusual spike/burst in management API call rate
Keywords: spike, unusual rate, burst of IAM actions
Expected Answer: CloudTrail Insights
| Distractor | Why it's wrong |
|---|---|
| GuardDuty | Broader ML/threat-intel-based behavioral detection across multiple log sources — Insights is the narrower, more precise tool specifically for rate/volume anomalies in API calls |
| Manual CloudWatch metric filter/alarm | Possible, but requires you to build and tune the anomaly logic yourself — Insights does this automatically via statistical baselining |
Requirement: Detect denied access attempts or external credential use at a VPC endpoint
Keywords: VPC endpoint, denied access, data perimeter
Expected Answer: CloudTrail Network Activity Events
| Distractor | Why it's wrong |
|---|---|
| Data events | Capture data-plane actions on the resource directly, not specifically API calls traversing a VPC endpoint, including denied ones |
| VPC Flow Logs | Show network-layer connection metadata, not the specific AWS API call and whether it was denied by endpoint policy |
Requirement: Capture S3 object-level read/write activity for a specific sensitive bucket
Keywords: object-level, GetObject / PutObject
Expected Answer: CloudTrail Data Events (scoped to that bucket)
| Distractor | Why it's wrong |
|---|---|
| Management events | Only capture control-plane actions (e.g. creating the bucket), not object-level reads/writes |
Requirement: Run ad-hoc SQL analysis across a year of activity logs with natural-language queries
Keywords: SQL query, natural language, dashboards
Expected Answer: CloudTrail Lake (existing customers) or CloudWatch (for new customers, per 2026 direction)
| Distractor | Why it's wrong |
|---|---|
| A trail delivering to S3 + manual Athena queries | Works, but requires building your own query/dashboard layer — Lake/CloudWatch are purpose-built for this |
Security Controls Mapping & Integrations
4 — Controls Mapping
Detective: The raw activity record itself, plus Insights' statistical anomaly findings on top of it
Compliance / Governance: Tamper-evident audit trail (log file validation, KMS encryption) satisfying audit and regulatory evidence requirements; organization trails enforce consistent logging across all accounts
Responsive (via integration, not native): CloudWatch Logs metric filters/alarms, or EventBridge rules on specific API call patterns, trigger Lambda/SNS for real-time response
⚠️ CloudTrail records and stores — it does not analyze, judge, or block
Any anomaly scoring (Insights), broad threat detection (GuardDuty), or blocking action (SGs/NACLs/SCPs/IAM policies) is a separate layer built on top of or alongside CloudTrail's raw event record.
5 — Integrations
Amazon S3
What: Primary long-term storage destination for trail log files
Amazon CloudWatch Logs
What: Trails can optionally stream events here for real-time monitoring
Pattern: Metric filter on a log pattern (e.g. root account usage, unauthorized API calls) → CloudWatch Alarm → SNS notification
Direction: As CloudTrail Lake closes to new customers, CloudWatch is positioned as the forward path for log analytics
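The two metric filter patterns the Pattern line names (root account usage, unauthorized API calls), as an added example that is not the page's or AWS's code: each CloudWatch Logs filter pattern is paired with an equivalent Python predicate run over constructed events so the matching logic can be checked offline, and `metric_filter_params` builds the arguments for the boto3 `put_metric_filter` call that would install it. The log group name and metric namespace are placeholders.

```python
# Added example: CloudWatch Logs filter patterns for two classic CloudTrail alarms,
# with Python equivalents evaluated over constructed events. Names are placeholders.

FILTERS = {
    "RootAccountUsage": {
        "pattern": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                   '&& $.eventType != "AwsServiceEvent" }',
        # Root used directly, not a service acting for root and not a service-generated event
        "match": lambda e: e.get("userIdentity", {}).get("type") == "Root"
                 and "invokedBy" not in e.get("userIdentity", {})
                 and e.get("eventType") != "AwsServiceEvent",
    },
    "UnauthorizedAPICalls": {
        "pattern": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
        "match": lambda e: str(e.get("errorCode", "")).endswith("UnauthorizedOperation")
                 or str(e.get("errorCode", "")).startswith("AccessDenied"),
    },
}

def metric_filter_params(log_group, name):
    """kwargs for boto3 CloudWatchLogs.put_metric_filter: one metric that counts matching events."""
    return {"logGroupName": log_group, "filterName": name,
            "filterPattern": FILTERS[name]["pattern"],
            "metricTransformations": [{"metricName": name, "metricNamespace": "CloudTrailMetrics",
                                       "metricValue": "1"}]}

def evaluate(events):
    """Count matches per filter, the way each metric would increment; an alarm then fires on >= 1."""
    return {name: sum(1 for e in events if spec["match"](e)) for name, spec in FILTERS.items()}

# Constructed events, trimmed to the fields the patterns inspect.
SAMPLE_EVENTS = [
    {"eventType": "AwsApiCall", "userIdentity": {"type": "Root"}, "eventName": "ConsoleLogin"},
    {"eventType": "AwsServiceEvent", "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},
    {"eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser"}, "errorCode": "Client.UnauthorizedOperation"},
    {"eventType": "AwsApiCall", "userIdentity": {"type": "AssumedRole"}, "errorCode": "AccessDenied"},
    {"eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser"}, "eventName": "ListBuckets"},
]

if __name__ == "__main__":
    import boto3  # only needed to install the filters on a real log group
    logs = boto3.client("logs")
    for name in FILTERS:
        logs.put_metric_filter(**metric_filter_params("/cloudtrail/org-trail-PLACEHOLDER", name))
```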
AWS KMS
What: Encrypts trail log files at rest (SSE-KMS)
Amazon GuardDuty
What: Has direct internal access to CloudTrail management events as one of its foundational data sources — no manual trail configuration required for GuardDuty's own analysis
AWS Organizations
What: Organization trails apply consistently across every member account from the management/delegated administrator account
Athena
What: Can directly query trail log files stored in S3 for custom analysis outside of CloudTrail Lake
Costs, Limits & Quotas
Pricing Model
Management events: First copy delivered to your first trail per region is free; additional copies/trails are billed
Data events: Billed per event recorded — opt-in, scope deliberately to control cost
Network activity events: Additional charges apply, separate from data/management event pricing
Insights: Priced per analyzed event volume
CloudTrail Lake: Ingestion + query charges; retention priced as seven-year or one-year-extendable options
Common Cost Mistakes
- Enabling data events account-wide (all S3 buckets, all Lambda functions) instead of scoping to genuinely sensitive resources
- Forgetting Insights and network activity events both carry their own separate charges on top of base event logging
- Standing up new CloudTrail Lake event data stores as a new customer after May 31, 2026 — not possible; plan analytics around CloudWatch instead
Cost Optimization
- Scope data events and network activity events to specific high-value resources/services rather than enabling broadly
- Use a single organization trail rather than per-account trails to reduce redundant log delivery and management overhead
Limits & Quotas
Default Event History: 90 days of management events, no trail required, free
Log delivery latency: Typically around 15 minutes for trail-delivered events
Organization trails: One per management/delegated administrator account, applied across all member accounts
Network activity event coverage: Limited to specific supported services (S3, EC2, KMS, Secrets Manager, CloudTrail), expanding over time
⚠️ Exam trap
The 90-day Event History is NOT a substitute for a trail when you need cross-region delivery, S3 storage beyond 90 days, CloudWatch Logs integration, or any data/network activity events — those all require an actual trail (or event data store) to be configured.