Set Up CloudTrail
Audit logging.
Overview
Setting up CloudTrail is the discipline of recording every AWS API call across every account in the org. The trail produces the audit substrate that compliance, security investigation, and operational forensics all rely on. Five primitives carry the work: comprehensive API logging, an org-wide trail, S3 storage with lifecycle policies, log-file integrity validation, and EventBridge for detection automation.
- Audit logging. Every management-event API call captured with caller, source IP, parameters, response. Forensic capability available years later.
- Org-wide trail. AWS Organizations integration creates a single trail covering every member account. New accounts inherit logging at create time.
- S3 storage with integrity. Long-term retention in object storage; log-file digest validation lets you detect tampering. Forensic-grade evidence.
- EventBridge integration. Trigger automated detection on specific events (root login, IAM policy change, KMS key delete). Real-time response, not just retrospective audit.
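The detection side of the list above, as an added example that is not code from the original page: EventBridge delivers each CloudTrail record as an event whose `detail` is the record itself, and a rule's event pattern is a JSON object where every key must match and a list of values matches if any of them does. The block below re-implements that subset of the pattern semantics (literal values, `prefix`, `anything-but`, `exists`) offline and runs the three rules the page names (root console login, IAM policy change, KMS key deletion) over constructed CloudTrail events. Rule names, account ids, addresses and user names are constructed for illustration.

```python
"""Match EventBridge-style event patterns against CloudTrail records.

Added example: a small offline re-implementation of the EventBridge pattern
subset that CloudTrail detection rules use. The rules and sample events are
constructed for illustration; the pattern syntax is the one a real
EventBridge rule takes.
"""

# Constructed detection rules in EventBridge pattern syntax. Every key in a
# pattern must match; a list of values matches if ANY value matches.
RULES = {
    "root-console-login": {
        "source": ["aws.signin"],
        "detail-type": ["AWS Console Sign In via CloudTrail"],
        "detail": {"userIdentity": {"type": ["Root"]}},
    },
    "iam-policy-change": {
        "source": ["aws.iam"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["iam.amazonaws.com"],
            "eventName": [
                {"prefix": "Put"},       # PutUserPolicy, PutRolePolicy, ...
                {"prefix": "Attach"},    # AttachUserPolicy, AttachRolePolicy, ...
                "CreatePolicyVersion",
                "SetDefaultPolicyVersion",
            ],
            # Only successful changes: a record with errorCode was denied.
            "errorCode": [{"exists": False}],
        },
    },
    "kms-key-delete": {
        "source": ["aws.kms"],
        "detail": {"eventName": ["ScheduleKeyDeletion", "DisableKey"]},
    },
}


def _match_value(matchers, actual, present):
    """True if any matcher in the pattern list accepts the event value."""
    for m in matchers:
        if isinstance(m, dict):
            if "exists" in m:
                if m["exists"] == present:
                    return True
            elif "prefix" in m:
                if present and isinstance(actual, str) and actual.startswith(m["prefix"]):
                    return True
            elif "anything-but" in m:
                excluded = m["anything-but"]
                excluded = excluded if isinstance(excluded, list) else [excluded]
                if present and actual not in excluded:
                    return True
        elif present and m == actual:
            return True
    return False


def matches(pattern, event):
    """Return True if `event` satisfies every key of `pattern` (recursive)."""
    for key, expected in pattern.items():
        present = key in event
        actual = event.get(key)
        if isinstance(expected, dict):
            # Nested pattern: the event must carry a nested object to compare.
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:
            # An event field may itself be a list; it matches if any element does.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(_match_value(expected, c, present) for c in candidates):
                return False
    return True


def detect(event):
    """Names of all rules an event triggers, in definition order."""
    return [name for name, pattern in RULES.items() if matches(pattern, event)]


# Constructed sample events in the envelope EventBridge uses for CloudTrail.
ROOT_LOGIN = {
    "source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
    "account": "111122223333", "region": "us-east-1",
    "detail": {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
               "userIdentity": {"type": "Root", "accountId": "111122223333"},
               "sourceIPAddress": "203.0.113.10",
               "responseElements": {"ConsoleLogin": "Success"}},
}
IAM_ATTACH = {
    "source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
    "account": "111122223333", "region": "us-east-1",
    "detail": {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
               "userIdentity": {"type": "IAMUser", "userName": "alice"},
               "requestParameters": {"userName": "alice",
                                     "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
}
IAM_ATTACH_DENIED = {**IAM_ATTACH, "detail": {**IAM_ATTACH["detail"], "errorCode": "AccessDenied"}}
KMS_DELETE = {
    "source": "aws.kms", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
               "requestParameters": {"keyId": "placeholder-key-id", "pendingWindowInDays": 7}},
}
BENIGN = {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
          "detail": {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets"}}

if __name__ == "__main__":
    for name, ev in [("root", ROOT_LOGIN), ("attach", IAM_ATTACH),
                     ("attach-denied", IAM_ATTACH_DENIED), ("kms", KMS_DELETE), ("benign", BENIGN)]:
        print(f"{name:14s} -> {detect(ev)}")
```

Two deployment details matter for these rules in practice: IAM is a global service and its CloudTrail records are delivered in us-east-1, so the `iam-policy-change` rule has to be created in that region; and the trail must be logging for the account and region the event originates in, since EventBridge receives CloudTrail events only through an active trail.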
The approach
Org-wide trail, dedicated audit account, log-file integrity validation enabled, S3 lifecycle policies for cost, documented configuration per account. The discipline is treating CloudTrail as the source of truth for "who did what" and protecting that source from tampering.
- Org-wide trail via AWS Organizations. Single trail covers every account, including future ones. Coverage stays complete by construction.
- Dedicated audit account. Trail logs to a separate, locked-down account. Tampering risk drops because the principals who could tamper do not have write access.
- Log-file validation enabled. Digest files signed by AWS allow integrity verification. Auditors and incident responders can prove logs are unaltered.
- S3 lifecycle policies plus documented configuration. Tier old logs to Glacier for cost-efficient retention; per-account configuration documented so auditors can verify the design.
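The four elements of the approach above expressed as the request bodies a boto3 deployment would send, as an added example that is not the page's or AWS's own tooling: an org-wide, multi-region trail with log-file validation on, the audit-account bucket policy that lets CloudTrail write and nobody delete, a lifecycle rule that tiers to Glacier, and a checker that reports how an existing trail (a `describe_trails` entry) falls short of that design. The account and organization ids, bucket name, trail name and retention numbers are constructed placeholders; the builders are pure so they can be reviewed offline, and only `apply()` needs credentials.

```python
"""Org-wide CloudTrail with integrity validation, an audit-account bucket and
lifecycle tiering, as boto3 request bodies plus a settings checker.

Added example, not the page's or AWS's own tooling. All ids and names below
are constructed placeholders.
"""

MGMT_ACCOUNT = "111122223333"            # constructed: management account id
ORG_ID = "o-exampleorgid"                # constructed: organization id
AUDIT_BUCKET = "example-org-cloudtrail"  # constructed: bucket owned by the audit account
TRAIL = "org-trail"                      # constructed: trail name
HOME_REGION = "us-east-1"


def trail_params(kms_key_arn=None):
    """create_trail arguments for an org-wide, multi-region, validated trail."""
    p = {
        "Name": TRAIL,
        "S3BucketName": AUDIT_BUCKET,
        "IsOrganizationTrail": True,         # every member account, present and future
        "IsMultiRegionTrail": True,          # all regions, not only the home region
        "IncludeGlobalServiceEvents": True,  # IAM, STS, CloudFront (delivered in us-east-1)
        "EnableLogFileValidation": True,     # hourly signed digest files
    }
    if kms_key_arn:
        p["KmsKeyId"] = kms_key_arn          # SSE-KMS on delivered log files
    return p


def bucket_policy():
    """Audit-account bucket policy: CloudTrail may write, nobody may delete.

    The aws:SourceArn condition stops a trail in another account from writing
    into this bucket (the confused-deputy case). Lifecycle expiration is done
    by S3 itself and is not affected by the Deny statement."""
    trail_arn = f"arn:aws:cloudtrail:{HOME_REGION}:{MGMT_ACCOUNT}:trail/{TRAIL}"
    cloudtrail = {"Service": "cloudtrail.amazonaws.com"}
    write_cond = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                   "aws:SourceArn": trail_arn}}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": cloudtrail,
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{AUDIT_BUCKET}",
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": cloudtrail,
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{AUDIT_BUCKET}/AWSLogs/{MGMT_ACCOUNT}/*",
         "Condition": write_cond},
        # Org trails deliver member-account logs under AWSLogs/<org-id>/<account-id>/.
        {"Sid": "AWSCloudTrailOrganizationWrite", "Effect": "Allow", "Principal": cloudtrail,
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{AUDIT_BUCKET}/AWSLogs/{ORG_ID}/*",
         "Condition": write_cond},
        {"Sid": "DenyLogDeletion", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": f"arn:aws:s3:::{AUDIT_BUCKET}/*"},
    ]}


def lifecycle_config(glacier_after=90, deep_archive_after=365, expire_after=7 * 365):
    """Tier logs to colder storage over time; expire at the retention period."""
    return {"Rules": [{
        "ID": "tier-and-expire-cloudtrail",
        "Status": "Enabled",
        "Filter": {"Prefix": "AWSLogs/"},
        "Transitions": [
            {"Days": glacier_after, "StorageClass": "GLACIER"},
            {"Days": deep_archive_after, "StorageClass": "DEEP_ARCHIVE"},
        ],
        "Expiration": {"Days": expire_after},  # constructed 7-year retention
    }]}


def weak_settings(trail):
    """Findings for a describe_trails entry that falls short of the design."""
    findings = []
    if not trail.get("IsOrganizationTrail"):
        findings.append("not an organization trail: new accounts are not covered")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: activity in other regions is unlogged")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation off: no digest files to prove integrity")
    if trail.get("S3BucketName") != AUDIT_BUCKET:
        findings.append("logs delivered outside the audit-account bucket")
    if not trail.get("KmsKeyId"):
        findings.append("no KMS key: log files rely on SSE-S3 only")
    return findings


# Constructed describe_trails entries: an account-local default and the target design.
WEAK_TRAIL = {"Name": "default", "S3BucketName": "dev-team-bucket", "IsMultiRegionTrail": False,
              "LogFileValidationEnabled": False, "IsOrganizationTrail": False}
GOOD_TRAIL = {"Name": TRAIL, "S3BucketName": AUDIT_BUCKET, "IsMultiRegionTrail": True,
              "LogFileValidationEnabled": True, "IsOrganizationTrail": True,
              "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/placeholder-key-id"}


def apply(kms_key_arn=None):
    """Send the bodies above with boto3. Needs real credentials: the bucket calls
    run as the audit account, the trail calls as the management account."""
    import json
    import boto3  # imported here so the builders stay importable offline
    s3 = boto3.client("s3")
    s3.put_bucket_lifecycle_configuration(Bucket=AUDIT_BUCKET, LifecycleConfiguration=lifecycle_config())
    s3.put_bucket_policy(Bucket=AUDIT_BUCKET, Policy=json.dumps(bucket_policy()))
    ct = boto3.client("cloudtrail", region_name=HOME_REGION)
    ct.create_trail(**trail_params(kms_key_arn))
    ct.start_logging(Name=TRAIL)
```

Creating an organization trail requires trusted access for CloudTrail to be enabled in AWS Organizations first (`aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com`), and `weak_settings` is the kind of check to run against every account's `describe_trails` output when documenting per-account configuration for auditors.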
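How the log-file validation named in the primitives and in the approach above actually proves logs are unaltered, as an added example that is not the page's code and not the AWS CLI's `validate-logs` implementation: CloudTrail writes an hourly digest file that records the SHA-256 of every log file it covers and the SHA-256 of the previous digest, forming a chain that a changed or deleted object breaks. The block builds a constructed bucket of two log files and their two digests, walks the chain newest to oldest the way the CLI does, and shows a modified log, a deleted log, and a rewritten digest each being caught. Bucket name, account id and object keys are constructed; the digest field names and the string-to-sign layout follow the documented digest format. RSA signature verification of each digest is left to the CLI, since it needs the CloudTrail public key.

```python
"""Offline walk-through of CloudTrail log-file integrity validation.

Added example reproducing the tamper-evident structure of digest files on
constructed data. Bucket, account and keys are placeholders; hashes cover
the uncompressed object content, as in the digest format.
"""
import gzip
import hashlib
import json

BUCKET = "example-org-cloudtrail"   # constructed
ACCOUNT = "111122223333"            # constructed
LOG_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/05/01"
DIGEST_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/05/01"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_delivery():
    """Constructed bucket contents: two log files and the two digests covering them.

    Returns (objects, digest_keys, log_keys); objects maps key -> gzip bytes."""
    objects, digest_keys, log_keys = {}, [], []
    prev_key, prev_hash, prev_sig = None, None, None
    for hour in (14, 15):
        log_key = f"{LOG_PREFIX}/{ACCOUNT}_CloudTrail_us-east-1_20240501T{hour:02d}05Z_abc123.json.gz"
        log_plain = json.dumps({"Records": [
            {"eventName": "ConsoleLogin", "eventTime": f"2024-05-01T{hour:02d}:04:11Z"}]}).encode()
        objects[log_key] = gzip.compress(log_plain)
        log_keys.append(log_key)
        digest_key = (f"{DIGEST_PREFIX}/{ACCOUNT}_CloudTrail-Digest_us-east-1_org-trail_"
                      f"us-east-1_20240501T{hour + 1:02d}0000Z.json.gz")
        digest = {
            "awsAccountId": ACCOUNT,
            "digestEndTime": f"2024-05-01T{hour + 1:02d}:00:00Z",
            "digestS3Bucket": BUCKET,
            "digestS3Object": digest_key,
            "previousDigestS3Object": prev_key,          # null for the first digest
            "previousDigestHashValue": prev_hash,        # SHA-256 of the previous digest
            "previousDigestHashAlgorithm": "SHA-256",
            "previousDigestSignature": prev_sig,
            "logFiles": [{"s3Bucket": BUCKET, "s3Object": log_key,
                          "hashValue": sha256_hex(log_plain), "hashAlgorithm": "SHA-256"}],
        }
        digest_plain = json.dumps(digest).encode()
        objects[digest_key] = gzip.compress(digest_plain)
        digest_keys.append(digest_key)
        prev_key, prev_hash = digest_key, sha256_hex(digest_plain)
        prev_sig = "<placeholder: AWS stores it in x-amz-meta-signature>"
    return objects, digest_keys, log_keys


def string_to_sign(digest_plain: bytes, digest: dict) -> str:
    """The string AWS signs (SHA256withRSA) for a digest. Checking the signature
    against the key from `aws cloudtrail list-public-keys` is what proves the
    digest itself came from CloudTrail; not performed here (no key offline)."""
    return "\n".join([digest["digestEndTime"],
                      f"{digest['digestS3Bucket']}/{digest['digestS3Object']}",
                      sha256_hex(digest_plain),
                      digest["previousDigestSignature"] or ""])


def validate(objects, newest_digest_key):
    """Follow the chain from the newest digest back; return problems (empty == intact)."""
    problems, key = [], newest_digest_key
    while key is not None:
        blob = objects.get(key)
        if blob is None:
            problems.append(f"digest missing: {key}")
            break
        digest_plain = gzip.decompress(blob)
        digest = json.loads(digest_plain)
        # Every covered log file must still hash to what the digest recorded.
        for lf in digest["logFiles"]:
            log_blob = objects.get(lf["s3Object"])
            if log_blob is None:
                problems.append(f"log file deleted: {lf['s3Object']}")
            elif sha256_hex(gzip.decompress(log_blob)) != lf["hashValue"]:
                problems.append(f"log file modified: {lf['s3Object']}")
        # The previous digest must hash to the value this digest recorded for it.
        prev_key = digest["previousDigestS3Object"]
        prev_blob = objects.get(prev_key) if prev_key else None
        if prev_blob is not None and sha256_hex(gzip.decompress(prev_blob)) != digest["previousDigestHashValue"]:
            problems.append(f"chain broken: {prev_key} no longer matches the hash recorded in {key}")
        key = prev_key
    return problems


def tampered_copy(objects, key, mutate):
    """Copy of the bucket with one object's content rewritten (constructed tampering)."""
    copy = dict(objects)
    copy[key] = gzip.compress(mutate(gzip.decompress(copy[key])))
    return copy


if __name__ == "__main__":
    objects, digests, logs = build_delivery()
    print("intact:", validate(objects, digests[-1]))
    print("edited log:", validate(tampered_copy(objects, logs[0],
          lambda b: b.replace(b"ConsoleLogin", b"ConsoleLogout")), digests[-1]))
```

In production the same walk is `aws cloudtrail validate-logs --trail-arn <trail arn> --start-time <time>`, which also verifies each digest's RSA signature. Validation is a detective control: a digest can only reveal that a log or an earlier digest changed, so the bucket policy and retention settings are what keep the objects from being changed in the first place.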
Why this compounds
Each year of logs grows the forensic substrate. Compliance audits get faster because the evidence is already there. Security investigations reach further back because the data was captured before anyone knew it would matter. By year two, "what happened in account X on date Y" is a query, not an investigation.
- Better compliance evidence. Auditors see complete API history. Certifications proceed faster.
- Better security investigation. Forensic data for breach analysis. Incident response has the breadcrumbs it needs.
- Operational forensics. "Who did what when" becomes a tractable question. Operations rely on the trail.
- Year-one investment, year-two habit. First trail is the investment; subsequent accounts inherit logging automatically.