AWS CloudTrail
The audit log of every API call in your account.
❓ What is it?
A governance service recording who called which API, when, from where — management events by default, optional data events (e.g. S3 object reads, Bedrock model invocations) — into an immutable trail in S3.
💡 Why does it exist?
AI governance is unprovable without an audit trail: who accessed the training data, who invoked the model, who changed the guardrail. CloudTrail is that evidence.
⏱️ When should you use it?
Always on. For AI audits, enable data events for the buckets holding training data and for model invocation logging so usage is attributable.
🗺️ Where does it fit?
Account-wide observation layer: events flow to S3/CloudWatch Logs; Athena queries them; EventBridge rules alert on specific calls (e.g. DeleteModel).
🔌 How do you integrate it?
Create an organisation trail to a locked S3 bucket, enable log file validation, add data-event selectors for sensitive resources, and query with Athena when investigating.
🧩 Commonly integrated with
🎯 Exam angle (AIF-C01)
- CloudTrail = WHO did WHAT (API audit); CloudWatch = HOW the system is performing (metrics/logs). Classic contrast question.
- "Prove who accessed the model/training data" → CloudTrail.