Here's a concise summary and organization of the key points about AWS CloudTrail, formatted for better understanding and reference:
AWS CloudTrail Key Aspects for Exam Preparation
Log File Integrity Validation
- Purpose: Ensures the integrity of API call logs stored in S3.
- Mechanism: Every hour CloudTrail writes a digest file that lists each log file delivered in the past hour together with its hash; digest files are stored in a separate folder within the same S3 bucket.
- Benefits: Helps in verifying that a log file has not been tampered with, ensuring its integrity for compliance purposes.
- Hash Algorithm: SHA-256.
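The following is an added example (not part of the original notes) showing what the hash side of log file integrity validation looks like in code: each log file referenced in a digest is re-hashed with SHA-256 and compared with the recorded `hashValue`. Real digest and log objects live in S3; here both are constructed in memory (account id, bucket name and keys are made up) so the check runs offline, and the digest layout is modelled on the documented CloudTrail digest fields (`logFiles[].s3Object`, `hashValue`, `hashAlgorithm`) without the signature fields.

```python
import gzip
import hashlib
import json
from typing import Callable, Dict, Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the object bytes exactly as stored in S3 (the .gz file itself)."""
    return hashlib.sha256(data).hexdigest()


def make_log_object(records: list) -> bytes:
    """CloudTrail delivers gzipped JSON; mtime=0 keeps the bytes deterministic."""
    body = json.dumps({"Records": records}).encode()
    return gzip.compress(body, mtime=0)


# Constructed sample log objects keyed by S3 key (account id and times are made up).
BUCKET = "example-trail-bucket"
PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/15/"
KEY_A = PREFIX + "111122223333_CloudTrail_us-east-1_20240115T1200Z_a1.json.gz"
KEY_B = PREFIX + "111122223333_CloudTrail_us-east-1_20240115T1210Z_b2.json.gz"
LOG_OBJECTS: Dict[str, bytes] = {
    KEY_A: make_log_object([{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"}]),
    KEY_B: make_log_object([{"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com"}]),
}


def build_digest(objects: Dict[str, bytes]) -> dict:
    """Build a digest the way CloudTrail does for the past hour's log files.

    Only the fields the check below uses are filled in. A real digest is also
    signed (SHA256withRSA) and references the previous digest, which is what
    chains the hourly digests together.
    """
    return {
        "awsAccountId": "111122223333",
        "digestS3Bucket": BUCKET,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": key,
             "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(data)}
            for key, data in objects.items()
        ],
    }


def validate_digest(digest: dict,
                    fetch: Callable[[str, str], Optional[bytes]]) -> Dict[str, str]:
    """Return {s3Object: 'ok' | 'missing' | 'hash mismatch' | ...} per referenced log file.

    `fetch(bucket, key)` stands in for an S3 GetObject and returns None when
    the object no longer exists (a deleted log file is a finding too).
    """
    results: Dict[str, str] = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry["hashAlgorithm"] != "SHA-256":
            results[key] = "unsupported hash algorithm"
            continue
        data = fetch(entry["s3Bucket"], key)
        if data is None:
            results[key] = "missing"
        elif sha256_hex(data) != entry["hashValue"]:
            results[key] = "hash mismatch"
        else:
            results[key] = "ok"
    return results


def demo() -> Dict[str, str]:
    """Digest built from the originals, then checked against a store where
    one log file was rewritten after delivery (its events stripped out)."""
    digest = build_digest(LOG_OBJECTS)
    tampered = dict(LOG_OBJECTS)
    tampered[KEY_A] = make_log_object([])
    return validate_digest(digest, lambda b, k: tampered.get(k) if b == BUCKET else None)


if __name__ == "__main__":
    for obj, status in demo().items():
        print(f"{status:14s} {obj}")
```

In practice `aws cloudtrail validate-logs --trail-arn ... --start-time ...` performs this check for you and also verifies the digest signatures and the chain to the previous digest, which is what makes a deleted or replaced digest file detectable as well.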
S3 Bucket Protection
- Strategies:
  - Bucket policy
  - Versioning
  - MFA Delete protection
  - Encryption
  - Object lock
- Objective: To safeguard CloudTrail logs and digest files within S3 buckets.
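As an added example (not from the original notes), the checker below takes a bucket's configuration and reports which of the five protections listed above are in place. The input dictionaries are constructed to resemble the shapes returned by the S3 API calls `GetBucketVersioning`, `GetBucketEncryption`, `GetObjectLockConfiguration` and `GetBucketPolicy`; the bucket name, account id and trail ARN are made up, and in a real check the values would come from those API calls rather than from inline literals. The policy test looks for the documented CloudTrail write statement (`s3:PutObject` for `cloudtrail.amazonaws.com` with the `s3:x-amz-acl` = `bucket-owner-full-control` condition) and for a deny of non-TLS access.

```python
import json
from typing import Dict, List


def _statements(policy: dict) -> List[dict]:
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def policy_allows_cloudtrail_write(policy: dict) -> bool:
    """True if CloudTrail may PutObject and the bucket owner keeps control of the objects."""
    for s in _statements(policy):
        principal = s.get("Principal", {})
        service = principal.get("Service") if isinstance(principal, dict) else None
        acl_cond = s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if (s.get("Effect") == "Allow"
                and "cloudtrail.amazonaws.com" in _as_list(service or [])
                and "s3:PutObject" in _as_list(s.get("Action", []))
                and acl_cond == "bucket-owner-full-control"):
            return True
    return False


def policy_denies_insecure_transport(policy: dict) -> bool:
    """True if there is an explicit Deny for requests made without TLS."""
    for s in _statements(policy):
        cond = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if s.get("Effect") == "Deny" and str(cond).lower() == "false":
            return True
    return False


def assess_bucket(cfg: dict) -> Dict[str, bool]:
    """Map each protection from the notes to a pass/fail for this bucket."""
    policy = json.loads(cfg["policy"]["Policy"]) if cfg.get("policy") else {}
    versioning = cfg.get("versioning", {})
    sse_rules = (cfg.get("encryption", {})
                 .get("ServerSideEncryptionConfiguration", {}).get("Rules", []))
    lock = cfg.get("object_lock", {}).get("ObjectLockConfiguration", {})
    return {
        "bucket_policy_cloudtrail_write": policy_allows_cloudtrail_write(policy),
        "bucket_policy_tls_only": policy_denies_insecure_transport(policy),
        "versioning": versioning.get("Status") == "Enabled",
        "mfa_delete": versioning.get("MFADelete") == "Enabled",
        "encryption": any("ApplyServerSideEncryptionByDefault" in r for r in sse_rules),
        "object_lock": (lock.get("ObjectLockEnabled") == "Enabled"
                        and "DefaultRetention" in lock.get("Rule", {})),
    }


# Constructed hardened configuration (bucket, account and trail ARN are placeholders).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-trail-bucket"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-trail-bucket/AWSLogs/111122223333/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": ["arn:aws:s3:::example-trail-bucket",
                                        "arn:aws:s3:::example-trail-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
HARDENED = {
    "policy": {"Policy": json.dumps(HARDENED_POLICY)},
    "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "alias/example-trail-key"}}]}},
    "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                                "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE",
                                                                              "Days": 365}}}},
}
# Constructed weak configuration: CloudTrail can write, but nothing stops deletion or plaintext access.
WEAK = {"policy": {"Policy": json.dumps({"Version": "2012-10-17",
                                         "Statement": HARDENED_POLICY["Statement"][:2]})},
        "versioning": {}, "encryption": {}, "object_lock": {}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, json.dumps(assess_bucket(cfg), indent=2))
```

Versioning plus MFA Delete and Object Lock target the same risk from different angles: versioning keeps overwritten copies, MFA Delete requires a second factor to remove a version or suspend versioning, and Object Lock in compliance mode makes a log object immutable for the retention period regardless of who asks.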

IAM Protection for CloudTrail
- Purpose: Ensures that CloudTrail continues delivering log files to Amazon S3 securely.
Integration with AWS EventBridge
- Functionality: CloudTrail can send an event to Amazon EventBridge for any API call made within an AWS account, so EventBridge rules can route those events to Lambda, SNS, SQS, etc. for further action.
- Timing: Not real-time. Events may be delivered within 15 minutes of an API call.
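To make the CloudTrail to EventBridge path concrete, here is an added example (not from the original notes) of the defensive use case: an EventBridge rule pattern that selects CloudTrail's own management API calls (trail stopped, deleted or reconfigured), a minimal matcher that applies that pattern, and a Lambda-style handler that turns a matched event into an alert record. The sample event is constructed to resemble the `AWS API Call via CloudTrail` event shape (account id, ARNs and IP address are made up); the matcher only implements exact-value matching, which is all this pattern needs, whereas the real EventBridge service supports further operators.

```python
from typing import Any, Dict, Optional

# Rule pattern as it would be given to EventBridge (exact-value lists only).
RULE_PATTERN: Dict[str, Any] = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"],
    },
}


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Exact-value EventBridge semantics: every pattern key must be present in the
    event, nested dicts recurse, and a leaf list matches if the event value is in it."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def handler(event: Dict[str, Any], context: Any = None) -> Optional[Dict[str, Any]]:
    """Lambda-style target: return an alert record for a matched event, else None.
    A real target would forward the record to SNS/SQS or a ticketing system."""
    if not matches(RULE_PATTERN, event):
        return None
    d = event["detail"]
    identity = d.get("userIdentity", {})
    return {
        "time": d.get("eventTime"),
        "eventName": d["eventName"],
        "trail": d.get("requestParameters", {}).get("name"),
        "actor": identity.get("arn") or identity.get("principalId"),
        "sourceIPAddress": d.get("sourceIPAddress"),
        "errorCode": d.get("errorCode"),  # present when the call was denied
    }


# Constructed sample event in the shape EventBridge delivers CloudTrail API calls.
SAMPLE_STOP_LOGGING = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail",
    "account": "111122223333",
    "time": "2024-01-15T12:03:00Z",
    "region": "us-east-1",
    "detail": {
        "eventVersion": "1.08",
        "eventTime": "2024-01-15T12:03:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/example-admin"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"},
    },
}
# A routine call on another service should not match this rule.
SAMPLE_LIST_BUCKETS = {**SAMPLE_STOP_LOGGING, "source": "aws.s3",
                      "detail": {**SAMPLE_STOP_LOGGING["detail"],
                                 "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets"}}

if __name__ == "__main__":
    print(handler(SAMPLE_STOP_LOGGING))
    print(handler(SAMPLE_LIST_BUCKETS))
```

Because delivery is not real-time, an alert from this path confirms a change after the fact; it complements, rather than replaces, the S3 and IAM protections that prevent logs from being altered in the first place.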
Organization Trails
- Scope: Set up at the organization level to log API calls across all member accounts into a centralized S3 bucket.
- Features:
  - Applies to both management and member accounts.
  - The trail name is consistent across accounts.
  - Member accounts can view but cannot modify or remove the organization trail, enhancing compliance.
