CloudTrail is the audit and governance service in AWS: a record of the API calls and events made in your account, whether they come from the console, the CLI, or an SDK. For example, if someone deletes an object from an S3 bucket, that call shows up in CloudTrail. The CloudTrail console's Event history keeps the last 90 days of management events; for longer retention and for analysis you create a trail, which delivers the logs to an S3 bucket and optionally to CloudWatch Logs. A trail can be configured to cover all regions, so CloudTrail logs from every region land in one S3 bucket.
The three event types in CloudTrail are management events, data events, and CloudTrail Insights events. Management events are control-plane operations: changing an IAM role, configuring a subnet, launching an EC2 instance, and so on. Essentially any management or configuration task, and these are logged by default. Data events are data-plane operations on a resource, such as creating, deleting or modifying an S3 object or invoking a Lambda function. These happen nonstop in most AWS environments, so they are not logged by default; you opt in per trail and pay for the extra volume.
The last of the event types is CloudTrail Insights. CloudTrail Insights is a paid add-on that looks for unusual activity in write management events, the calls that change your infrastructure. It builds a baseline of normal API call volume and error rate for your account and raises an Insights event when activity deviates from it; for example, a burst of IAM permission changes far above the usual rate would be flagged. Insights events are viewable in the CloudTrail console, delivered to the trail's S3 bucket, and can drive an automated response through EventBridge.
Here is a quick example of how to have an email sent to you when an IAM role is changed, using CloudTrail and EventBridge. The IAM API call that changes the role is recorded by CloudTrail, which delivers it to EventBridge as an event with detail-type "AWS API Call via CloudTrail". An EventBridge rule that matches that event (on eventSource iam.amazonaws.com and the eventName of the role-changing call) can have an SNS topic as its target, and the topic emails you. One caveat: IAM is a global service, so its CloudTrail events are delivered to EventBridge in us-east-1, and the rule has to be created in that region. In short, CloudTrail gives you a record of the API activity in your AWS account.
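The following is an added example, not code from the original post. It shows the EventBridge event pattern you would attach to the rule described above (the list of role-changing eventName values is my choice and can be widened), and it dry-runs that pattern locally against three constructed CloudTrail records by wrapping each in the envelope EventBridge uses and applying a simplified reimplementation of EventBridge's matching rules. Only the exact-match subset of the pattern language is implemented; content filters such as prefix or anything-but are not.

```python
import json
from typing import Any

# Event pattern for the EventBridge rule. This is the JSON you would pass to
# `aws events put-rule --event-pattern`. The eventName list is an assumption:
# extend it with any other role-changing IAM calls you care about.
IAM_ROLE_CHANGE_PATTERN: dict[str, Any] = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": [
            "UpdateRole", "UpdateAssumeRolePolicy",
            "AttachRolePolicy", "DetachRolePolicy",
            "PutRolePolicy", "DeleteRolePolicy",
        ],
    },
}


def to_eventbridge_event(record: dict[str, Any]) -> dict[str, Any]:
    """Wrap a CloudTrail record in the envelope EventBridge delivers it in.

    The whole record goes under "detail"; "source" is derived from the
    service part of eventSource (iam.amazonaws.com -> aws.iam).
    """
    service = record["eventSource"].split(".")[0]
    return {
        "version": "0",
        "detail-type": "AWS API Call via CloudTrail",
        "source": f"aws.{service}",
        "account": record["recipientAccountId"],
        "time": record["eventTime"],
        "region": record["awsRegion"],
        "resources": [],
        "detail": record,
    }


def matches(pattern: dict[str, Any], event: dict[str, Any]) -> bool:
    """Simplified EventBridge matching: every key in the pattern must exist in
    the event; a list of literals matches if the event value is one of them;
    a nested object is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"pattern values must be lists or objects: {expected!r}")
    return True


def alert_subjects(records: list[dict[str, Any]]) -> list[str]:
    """One SNS-style subject line per record the rule would fire on."""
    subjects = []
    for rec in records:
        if matches(IAM_ROLE_CHANGE_PATTERN, to_eventbridge_event(rec)):
            who = rec["userIdentity"].get("arn", "unknown")
            role = rec.get("requestParameters", {}).get("roleName", "?")
            subjects.append(f"IAM role change: {rec['eventName']} on {role} by {who}")
    return subjects


# Constructed sample records in CloudTrail's log-file layout ("Records" array).
# Only the fields the matcher and subject line use are filled in.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {   # write management event on IAM: the rule should fire
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:00:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
        "awsRegion": "us-east-1", "recipientAccountId": "123456789012",
        "eventCategory": "Management", "readOnly": False,
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"roleName": "AppRole",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
    {   # read-only IAM call: not in the eventName list, no alert
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:01:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": "GetRole",
        "awsRegion": "us-east-1", "recipientAccountId": "123456789012",
        "eventCategory": "Management", "readOnly": True,
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"roleName": "AppRole"},
    },
    {   # S3 data event: different eventSource, never matches this rule
        "eventVersion": "1.08", "eventTime": "2024-05-01T12:02:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
        "awsRegion": "eu-west-1", "recipientAccountId": "123456789012",
        "eventCategory": "Data", "readOnly": False,
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"},
        "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
    },
]})


def sample_records() -> list[dict[str, Any]]:
    return json.loads(SAMPLE_LOG_FILE)["Records"]


if __name__ == "__main__":
    for line in alert_subjects(sample_records()):
        print(line)
```

Running it prints a single subject line for the AttachRolePolicy record; the GetRole and DeleteObject records fall through. Remember to create the real rule in us-east-1, since that is where IAM's CloudTrail events are delivered to EventBridge.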