What CloudTrail Records

Every action in AWS is an API call, whether made from the console, the CLI, an SDK, or another service. AWS CloudTrail records those calls.

It is the audit trail that answers the essential security question: who did what, when, from where, and to which resource — the foundation of accountability in your account.

Each CloudTrail event records rich detail: the identity that made the call, the action (event name), the time, the source IP, the parameters, and the response.

This is enough to reconstruct exactly what happened during an incident and to attribute every change to a specific principal.