AWS Solutions Architect · Lesson

CloudTrail Trails and Event History

Create management and data event trails, deliver logs to S3 and CloudWatch Logs, and search the 90-day event history in the console.

What Is AWS CloudTrail?

AWS CloudTrail is a service that records every API call made in your AWS account — whether from the console, CLI, SDK, or another AWS service. Each record is called a CloudTrail event and contains the API action, the requester's identity, the source IP, the request parameters, and the response. CloudTrail is the foundation of AWS security auditing, compliance, and operational investigation. For the SAA-C03 exam, it is the answer whenever a question asks 'who made this change?'

Event History: Free 90-Day Lookback

By default, every AWS account has access to CloudTrail Event History — a 90-day rolling record of management events viewable in the console or queryable via the CLI. You can filter by resource name, resource type, event name, or username. Event History is free, requires no configuration, and is available immediately. It is the quickest way to investigate recent changes, but for longer retention or more powerful queries you must create a Trail.

# Search event history for who deleted an S3 bucket in the last 7 days.
# lookup-events searches the current Region only; date -d is GNU date syntax (Linux).
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteBucket \
  --start-time "$(date -u -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ)" \
  --query 'Events[].{Time:EventTime,User:Username,Detail:CloudTrailEvent}' \
  --output table
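
As an added example (not part of the original lesson), this Python code reads the JSON output of the lookup-events command and reduces each event to the fields described above: who, what, from where, and with what outcome. The sample events, account IDs and IP addresses are constructed, and `summarize` is a hypothetical helper name.

```python
import json

# Constructed sample of `aws cloudtrail lookup-events --output json` output.
# Account IDs, names and IPs are made up; CloudTrailEvent is a JSON string,
# which is how the CLI returns the full record.
SAMPLE_LOOKUP_OUTPUT = json.dumps({"Events": [
    {"EventName": "DeleteBucket", "Username": "alice",
     "CloudTrailEvent": json.dumps({
         "eventTime": "2024-05-01T10:15:00Z", "eventName": "DeleteBucket",
         "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser",
                          "arn": "arn:aws:iam::111122223333:user/alice"},
         "requestParameters": {"bucketName": "example-logs"}})},
    {"EventName": "DeleteBucket", "Username": "deploy-session",
     "CloudTrailEvent": json.dumps({
         "eventTime": "2024-05-02T08:00:00Z", "eventName": "DeleteBucket",
         "sourceIPAddress": "198.51.100.7",
         "errorCode": "AccessDenied",
         "userIdentity": {
             "type": "AssumedRole",
             "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/deploy-session",
             "sessionContext": {"sessionIssuer": {
                 "arn": "arn:aws:iam::111122223333:role/Deploy"}}},
         "requestParameters": {"bucketName": "example-prod"}})},
]})


def summarize(lookup_json):
    """Return one who/what/where/outcome dict per event."""
    rows = []
    for item in json.loads(lookup_json).get("Events", []):
        record = json.loads(item["CloudTrailEvent"])  # nested JSON string
        identity = record.get("userIdentity", {})
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        rows.append({
            "time": record.get("eventTime"),
            "action": record.get("eventName"),
            # For assumed-role sessions, report the role behind the session.
            "principal": issuer.get("arn") or identity.get("arn"),
            "source_ip": record.get("sourceIPAddress"),
            "parameters": record.get("requestParameters"),
            # errorCode is present only when the call was rejected or failed.
            "outcome": record.get("errorCode", "Success"),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOOKUP_OUTPUT):
        print(row)
```

The second sample event shows why the `Username` column alone can mislead: it holds the session name, while the role that was assumed sits under `userIdentity.sessionContext.sessionIssuer`, and the `errorCode` shows the delete was denied rather than carried out.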
