Skip to main content

CloudTrail Architecture

Organization-wide CloudTrail logs centralized in the audit account S3 bucket with encryption at rest.

Problems this Architecture solves

Prevents audit logs from being scattered across accounts where they are harder to review and protect.
Reduces the risk of losing or tampering with API activity records needed for investigations and audits.
Improves analysis by centralizing retention, querying, and alerting on control-plane activity.

What's Logged

Management Events: Control plane operations (CreateBucket, RunInstances, etc.)
Data Events: Data plane operations (S3 GetObject, Lambda Invoke, etc.)
Insights Events: Unusual API activity detection
Global Services: IAM, STS, CloudFront logged in us-east-1

Retention & Analysis

S3 Lifecycle: Transition to Glacier after 90 days, delete after 7 years
Athena Queries: Ad-hoc analysis of API activity
CloudWatch Logs: Real-time monitoring with metric filters
Security Hub: Automated findings for suspicious activity

Problems this Architecture solves
What's Logged
Retention & Analysis