AWS CloudTrail

The audit log of every API call in your account.

📖 Official AWS documentation ↗📰 Official AWS blog ↗

What is it?

A governance service recording who called which API, when, from where — management events by default, optional data events (e.g. S3 object reads, Bedrock model invocations) — into an immutable trail in S3.

💡 Why does it exist?

AI governance is unprovable without an audit trail: who accessed the training data, who invoked the model, who changed the guardrail. CloudTrail is that evidence.

⏱️ When should you use it?

Always on. For AI audits, enable data events for the buckets holding training data and for model invocation logging so usage is attributable.

🗺️ Where does it fit?

Account-wide observation layer: events flow to S3/CloudWatch Logs; Athena queries them; EventBridge rules alert on specific calls (e.g. DeleteModel).

🔌 How do you integrate it?

Create an organisation trail to a locked S3 bucket, enable log file validation, add data-event selectors for sensitive resources, and query with Athena when investigating.

🧩 Commonly integrated with

Amazon S3Amazon CloudWatchAmazon AthenaAmazon EventBridge

🎯 Exam angle (AIF-C01)

📚 Study it in a learning path

SCS-C03Security Engineering on AWSFlashcards, notes & quizzes covering this service →CLF-C02AWS Cloud PractitionerFlashcards, notes & quizzes covering this service →AIF-C01AWS AI PractitionerFlashcards, notes & quizzes covering this service →

More in Security & Governance

AWS IAMAWS KMSAmazon MacieAmazon CloudWatch