The essence of auditing is the ability to reconstruct "who, when, what, where, and how" after the fact. The primary evidence answering this question in AWS is CloudTrail. CloudTrail records nearly every API call occurring within an account as JSON events. From a security exam perspective, the core question is "what does CloudTrail record and not record" and "how do we prove that recording has not been tampered with."
CloudTrail exists in two modes