AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
CloudTrail records the API calls made in your account, whether through the Console, CLI, or an SDK (the Console itself drives the same APIs). By default that means **management events**, the control-plane actions such as launching an instance or changing an IAM policy; **data events** such as S3 object reads and writes or Lambda invocations are high-volume and must be enabled explicitly on a trail, or you will not have them when you need them. Each record captures who made the call (`userIdentity`), when (`eventTime`), from which IP (`sourceIPAddress`), and with what parameters (`requestParameters`). This is your 'Black Box' flight recorder.
If you suspect a breach, CloudTrail is the first place you look. You can see whether someone changed a Security Group or deleted an S3 bucket, and also whether they tried and were refused: a failed call carries an `errorCode` such as `AccessDenied`, and a run of denied calls is often the first sign of an attacker probing their permissions. To be notified when a sensitive API (like DeleteVpc) is called, send the trail to a **CloudWatch Logs** log group, define a metric filter on `$.eventName`, and attach a **CloudWatch Alarm** to it (an EventBridge rule matching the same event works too). The notification is near-real-time rather than instant: CloudTrail typically delivers events within a few minutes of the call, so the alarm tells you soon after the action, not before it takes effect.
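The detection described above, run offline over exported log files, as an added example that is not part of the original notes: it parses the `Records` array CloudTrail writes to S3 and raises a finding for sensitive APIs, for calls that were denied, and for callers outside an expected network. The records, the API list and the trusted network range are constructed for this example and are assumptions, not AWS defaults.

```python
"""Scan CloudTrail log records for sensitive API calls and suspicious callers.

Added example. The sample records, the SENSITIVE_APIS set and the
TRUSTED_NETWORKS range are constructed assumptions for illustration.
"""
import json
from ipaddress import ip_address, ip_network

# Assumption: control-plane calls this environment treats as high impact.
SENSITIVE_APIS = {
    "DeleteVpc", "DeleteBucket", "DeleteTrail", "StopLogging",
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "PutBucketPolicy", "CreateUser", "AttachUserPolicy",
}

# Assumption: networks administrators are expected to work from (documentation range).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]

# Constructed sample of a CloudTrail log file, trimmed to the fields used below.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVpc", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"vpcId": "vpc-0a1b2c3d"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevRole/bob",
                      "sessionContext": {"sessionIssuer": {"userName": "DevRole"}}},
     "requestParameters": {"groupId": "sg-0123", "cidrIp": "0.0.0.0/0", "fromPort": 22}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "requestParameters": {"bucketName": "audit-logs"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "autoscaling.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"},
     "requestParameters": {}},
]})


def actor(record):
    """Readable principal: the IAM user name, else the issuing role, else the ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("userName"):
        return ident["userName"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or ident.get("arn") or ident.get("invokedBy", "unknown")


def source_is_trusted(source):
    """sourceIPAddress is not always an IP: calls made by AWS services carry a DNS name."""
    try:
        addr = ip_address(source)
    except ValueError:
        return source.endswith(".amazonaws.com")  # service principal, not a human network
    return any(addr in net for net in TRUSTED_NETWORKS)


def scan(log_text):
    """Return one finding per (event, actor, reason) that deserves an alert."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        name, who, src = rec["eventName"], actor(rec), rec.get("sourceIPAddress", "")
        reasons = []
        if name in SENSITIVE_APIS:
            reasons.append("sensitive-api")
        if rec.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            reasons.append("denied-attempt")  # refused calls still show what was attempted
        if not source_is_trusted(src):
            reasons.append("untrusted-source")
        for reason in reasons:
            findings.append({"event": name, "actor": who, "source": src, "reason": reason,
                             "params": rec.get("requestParameters", {})})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['reason']:16} {f['event']:30} {f['actor']:10} {f['source']}")
```

The same first check, expressed as a CloudWatch Logs metric filter on the log group the trail feeds, is `{ ($.eventName = DeleteVpc) || ($.eventName = DeleteBucket) }`; the denied-call check is `{ ($.errorCode = "AccessDenied") || ($.errorCode = "UnauthorizedOperation") }`. The script is the offline equivalent you would run over a day's worth of log files from S3 during an investigation.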
Q: "Should I keep CloudTrail logs forever?"
Architect Answer: "Enable a **Trail** (multi-region, with log file validation turned on, and an organization trail if you have more than one account) and store the logs in a dedicated **S3 bucket** with a **Lifecycle Policy**. The console's Event History only goes back 90 days, so without a trail you have nothing older than that. Archive the files to Glacier after 90 days for cost savings, but keep them for at least 1-7 years depending on your industry regulations, and lock the bucket down so the people you are auditing cannot delete the evidence: a tight bucket policy, versioning, and Object Lock where the retention period is non-negotiable. Audit logs are useless if you don't have them when the regulators come knocking."
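The lifecycle policy the answer describes, as an added example that is not part of the original notes: the first function builds the rule in the shape `aws s3api put-bucket-lifecycle-configuration --lifecycle-configuration file://policy.json` accepts (Glacier after 90 days, expiry after the retention period), and the second audits an existing configuration so a later "cleanup" rule cannot silently shorten retention. The prefix, the retention figures and the rule IDs are assumptions.

```python
"""Build and audit the S3 lifecycle rule for a CloudTrail log bucket.

Added example. The AWSLogs/ prefix is where CloudTrail writes under
AWSLogs/<account-id>/CloudTrail/; the retention figures are assumptions.
"""
import json

ARCHIVE_CLASSES = {"GLACIER", "GLACIER_IR", "DEEP_ARCHIVE"}


def lifecycle_for_trail(archive_after_days=90, retain_years=7, prefix="AWSLogs/"):
    """Lifecycle configuration that moves log files to Glacier after
    archive_after_days and deletes them after retain_years.
    S3 rejects a rule whose expiration is not later than its transition."""
    expire_days = retain_years * 365
    if expire_days <= archive_after_days:
        raise ValueError("expiration must come after the archive transition")
    return {"Rules": [{
        "ID": f"cloudtrail-archive-{archive_after_days}d-retain-{retain_years}y",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [{"Days": archive_after_days, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": expire_days},
        # With versioning enabled (required for Object Lock), old versions
        # must follow the same schedule or they linger at full cost.
        "NoncurrentVersionExpiration": {"NoncurrentDays": expire_days},
    }]}


def _covers(rule_prefix, trail_prefix):
    """A rule touches the trail's objects if either prefix contains the other."""
    return trail_prefix.startswith(rule_prefix) or rule_prefix.startswith(trail_prefix)


def retention_problems(config, min_years, prefix="AWSLogs/"):
    """Audit a bucket's lifecycle configuration against a retention floor.
    Returns a list of problems; an empty list means the floor is respected
    and the logs are being archived."""
    problems = []
    floor = min_years * 365
    archived = False
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        # Older configurations put Prefix at the top level instead of under Filter.
        rule_prefix = rule.get("Filter", {}).get("Prefix", rule.get("Prefix", ""))
        if not _covers(rule_prefix, prefix):
            continue
        days = rule.get("Expiration", {}).get("Days")
        if days is not None and days < floor:
            problems.append(f"{rule.get('ID', '?')}: expires after {days} days, floor is {floor}")
        if any(t.get("StorageClass") in ARCHIVE_CLASSES for t in rule.get("Transitions", [])):
            archived = True
    if not archived:
        problems.append("no enabled rule archives the logs to a Glacier storage class")
    return problems


if __name__ == "__main__":
    policy = lifecycle_for_trail()
    print(json.dumps(policy, indent=2))          # save as policy.json and apply with the CLI
    print(retention_problems(policy, min_years=7))  # []
```

Create the trail itself with `aws cloudtrail create-trail --name <name> --s3-bucket-name <bucket> --is-multi-region-trail --enable-log-file-validation`; the validation flag makes CloudTrail deliver signed digest files, so a log file that was modified or removed after delivery can be detected later with `aws cloudtrail validate-logs`.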