At 4 AM, the security team calls. "Some IAM account made a production S3 bucket public. Can we track who did it?" Whether CloudTrail is on or off, whether the Trail stores in S3 or not, and whether Log File Validation is enabled—these determine whether the incident can be solved. CloudTrail is the audit log of every API call that happens in AWS. From an operator's perspective, understanding the design principles of this service and practical patterns is today's goal.
The two most important properties of audit logs are Non-repudiation and Tamper-evidence.
Non-repudiation is a cryptographic term