Management, Data, and Insight Events

CloudTrail captures three categories of events, and knowing the difference is exam-critical: management events, data events, and Insights events.

They differ in what they record, whether they are on by default, and how much they cost — distinctions that shape every logging strategy.

Management events record control-plane operations — actions that manage resources, like creating an instance, attaching a policy, or changing a security group.

They are logged by default and are usually free for the first copy. These are the events most security investigations rely on to see configuration and access changes.