AWS CloudTrail (IAM)
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
Common permissions
- cloudtrail:DescribeTrails
- cloudtrail:GetTrail
- cloudtrail:GetTrailStatus
- cloudtrail:ListTrails
- cloudtrail:StartLogging
- cloudtrail:StopLogging
- cloudtrail:GetEventSelectors
- cloudtrail:PutEventSelectors
Least-privilege example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrail",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTrails",
        "cloudtrail:StartLogging",
        "cloudtrail:StopLogging",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    }
  ]
}
Warnings
- Avoid cloudtrail:* — grants full control including trail deletion and configuration changes
- Avoid cloudtrail:DeleteTrail and cloudtrail:StopLogging — can disable audit logging and break compliance
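A small policy check for the two warnings above, added here as an example and not part of the page or of any AWS tooling. It expands IAM's `*`/`?` action wildcards, honours Allow/NotAction and explicit Deny, and ignores Condition and Resource (an assumption that keeps it short); run against the least-privilege policy from this page it reports that cloudtrail:StopLogging is still granted.

```python
import fnmatch

# Actions the warnings above single out: either can silence audit logging.
RISKY_ACTIONS = {"cloudtrail:DeleteTrail", "cloudtrail:StopLogging"}

# The least-privilege policy from this page, embedded as input for the check.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "cloudtrail:DescribeTrails", "cloudtrail:GetTrail",
            "cloudtrail:GetTrailStatus", "cloudtrail:ListTrails",
            "cloudtrail:StartLogging", "cloudtrail:StopLogging",
            "cloudtrail:GetEventSelectors", "cloudtrail:PutEventSelectors",
        ],
        "Resource": "*",
    }],
}

def _as_list(value):
    # IAM allows a bare string wherever a list of strings is accepted.
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def risky_grants(policy, risky=RISKY_ACTIONS):
    """Map each risky action to the Allow patterns that grant it, dropping any
    action an explicit Deny covers. Conditions and Resource ARNs are ignored
    (assumption), so a hit means "could be allowed", not "always allowed"."""
    allowed, denied = {}, set()
    for stmt in _as_list(policy.get("Statement", [])):
        effect = stmt.get("Effect")
        patterns = _as_list(stmt.get("Action", []))
        for action in sorted(risky):
            hits = [p for p in patterns if action_matches(p, action)]
            if effect == "Allow" and "NotAction" in stmt:
                # Allow + NotAction grants every action that is NOT listed.
                excluded = _as_list(stmt["NotAction"])
                if not any(action_matches(p, action) for p in excluded):
                    allowed.setdefault(action, []).append("NotAction")
            elif effect == "Allow" and hits:
                allowed.setdefault(action, []).extend(hits)
            elif effect == "Deny" and hits:
                denied.add(action)
    return {a: p for a, p in allowed.items() if a not in denied}
```

Adding a separate Deny statement for cloudtrail:StopLogging to the example policy makes the check come back empty, which is the shape a read-mostly CloudTrail role should have.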
Resources
- API: full documentation at /v1/iam/cloudtrail