AWS CloudTrail

Definition

AWS CloudTrail records API calls made to AWS services, capturing the caller identity, timestamp, source IP, request parameters, and response elements for every action. It provides an immutable audit trail for detecting unauthorized access, investigating incidents, and demonstrating compliance.

CloudTrail logs should be centralized in a dedicated logging account, protected with S3 Object Lock, and streamed to a SIEM for real-time threat detection.
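
The following Python sketch is an added example, not part of the original page: it extracts the fields named in the definition from CloudTrail records and counts denied API calls per caller and source IP, the kind of rule a SIEM would run on the stream. The sample records, the function names, the threshold and the set of error codes treated as "denied" are assumptions chosen for illustration.

```python
import json
from collections import Counter

# Constructed sample in the CloudTrail log-file layout (top-level "Records" array).
# Account ID, user names and IPs are made-up documentation values.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": None, "responseElements": None},
    {"eventTime": "2024-05-01T10:01:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"instancesSet": {}}, "responseElements": None},
    {"eventTime": "2024-05-01T10:01:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "AccessDenied", "requestParameters": None, "responseElements": None},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "errorCode": "AccessDenied", "requestParameters": None, "responseElements": None},
]})

# Assumption: these two error codes are what this example treats as "denied".
DENIED = {"AccessDenied", "Client.UnauthorizedOperation"}

def normalize(record):
    """Reduce one CloudTrail record to the fields the definition lists."""
    ident = record.get("userIdentity") or {}
    return {
        "caller": ident.get("arn") or ident.get("principalId") or ident.get("type", "unknown"),
        "time": record.get("eventTime"),
        "source_ip": record.get("sourceIPAddress"),
        "action": f'{record.get("eventSource")}:{record.get("eventName")}',
        "request": record.get("requestParameters"),
        "response": record.get("responseElements"),
        "error": record.get("errorCode"),
    }

def denied_by_caller(log_text, threshold=2):
    """Return {(caller, source_ip): count} for pairs with >= threshold denied calls."""
    events = [normalize(r) for r in json.loads(log_text).get("Records", [])]
    counts = Counter((e["caller"], e["source_ip"]) for e in events if e["error"] in DENIED)
    return {pair: n for pair, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (caller, ip), n in denied_by_caller(SAMPLE_LOG).items():
        print(f"{n} denied calls by {caller} from {ip}")
```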

