What it is: An AWS service that records API activity (who did what, when, from where).

What it’s for:

• Security auditing and investigation.
• Compliance reporting.
• Detect unexpected changes (e.g., someone changed IAM policy).

Key ideas:

• Logs management events and (optionally) data events.
• Can deliver logs to S3 and CloudWatch Logs.
• Useful for “root cause” investigations.

Exam cues:

• “need to know who deleted an S3 bucket” → CloudTrail.
• “audit API calls across the account” → CloudTrail.

Hard words:

• *trail* /treɪl/: dấu vết
• *audit* /ˈɔːdɪt/: kiểm toán/ghi nhận
• *investigation* /ɪnˌvestɪˈɡeɪʃn/: điều tra
• *compliance* /kəmˈplaɪəns/: tuân thủ