====== CloudTrail ======

**What it is:** An AWS service that records API activity (who did what, when, from where).

**What it’s for:**
  * Security auditing and investigation.
  * Compliance reporting.
  * Detect unexpected changes (e.g., someone changed IAM policy).

**Key ideas:**
  * Logs management events and (optionally) data events.
  * Can deliver logs to S3 and CloudWatch Logs.
  * Useful for “root cause” investigations.

**Exam cues:**
  * “need to know who deleted an S3 bucket” → CloudTrail.
  * “audit API calls across the account” → CloudTrail.

**Hard words:**
  * *trail* /treɪl/: dấu vết
  * *audit* /ˈɔːdɪt/: kiểm toán/ghi nhận
  * *investigation* /ɪnˌvestɪˈɡeɪʃn/: điều tra
  * *compliance* /kəmˈplaɪəns/: tuân thủ

**Child pages:**
  * [[.:cloudtrail:iam-logging|CloudTrail for IAM Logging]]