CloudTrail
CloudTrail logs API calls for an account. Every entry is a CloudTrail Event.
By default it keeps 90 days of activity; to retain more, create a trail: when you create a trail you specify an S3 bucket where CloudTrail delivers the events as compressed JSON log files.
It’s a regional service.
CloudTrail is NOT real-time: it can take up to 15 minutes for an event to show up.
Regional vs Multi-Regional Trails
It’s possible to create a trail for ALL regions: under the hood one trail per region is created, but they are shown as a single trail.
Global services such as IAM, STS and CloudFront always log their events to us-east-1, and a trail must have global service events enabled in order to log them.
Trails created from the Console UI are multi-regional; use the API or the CLI if you want to create single-region trails.
Multi-regional trails have the advantage of automatically incorporating new AWS regions.
Event Types
Only Management events are logged by default.
Management Events
These are "control plane" events, like creating and deleting resources.
AWS KMS events and RDS Data API events can be excluded.
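Added example (not from the original notes): a small parser for a CloudTrail log file as a trail delivers it to S3, a gzip-compressed JSON document with a top-level "Records" array. It summarizes events by region and by category (Management vs Data) and lists the global-service events that land in us-east-1. The sample records are constructed, trimmed to the fields used, and the account id is a placeholder.

```python
"""Parse a CloudTrail log file as delivered to S3 (gzip-compressed JSON with a
top-level "Records" array) and summarise what the trail captured."""
import gzip
import json
from collections import Counter

# Global services whose events a trail only receives when global service
# events are enabled; CloudTrail records them with awsRegion "us-east-1".
GLOBAL_SERVICES = {"iam.amazonaws.com", "sts.amazonaws.com", "cloudfront.amazonaws.com"}


def load_trail_file(gz_bytes):
    """Decompress one delivered log file and return its list of event records."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def summarize(records):
    """Count events per region and per category, and list global-service events."""
    by_region = Counter(r["awsRegion"] for r in records)
    # Older event versions lack eventCategory; treat those as management events.
    by_category = Counter(r.get("eventCategory", "Management") for r in records)
    global_events = [
        (r["eventSource"], r["eventName"])
        for r in records if r["eventSource"] in GLOBAL_SERVICES
    ]
    return {"by_region": by_region, "by_category": by_category, "global_events": global_events}


# Constructed sample: three records shaped like real CloudTrail events
# (trimmed to the fields used here); the account id is a placeholder.
SAMPLE_RECORDS = [
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "eventCategory": "Management",
     "managementEvent": True, "recipientAccountId": "111111111111"},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1", "eventCategory": "Management",
     "managementEvent": True, "recipientAccountId": "111111111111"},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1", "eventCategory": "Data",
     "managementEvent": False, "recipientAccountId": "111111111111"},
]
# The same bytes a trail would write to the S3 bucket.
SAMPLE_FILE = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())

if __name__ == "__main__":
    print(summarize(load_trail_file(SAMPLE_FILE)))
```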
Integration with CloudWatch Logs
In addition to being stored in S3, logs can be sent to CloudWatch Logs to leverage all the features of the latter, such as creating metrics from logs.
This integration requires a role with permission to call logs:CreateLogStream and logs:PutLogEvents.