CloudTrail
- Monitors AWS API calls for auditing purposes
- Enabled by default, but not stored forever, not all event types are logged, and you have few customization options
- Multi-region
- Management, data (high-volume), and insight events (unusual operational activities in accounts, e.g., spikes in resource provisioning, bursts of IAM actions, etc.)
- Log file validation uses SHA-256 and RSA for integrity checking and digital signing. Use CLI to validate logs.