{"slug":"iam-aws-cloudtrail","cloud":"aws","service":"cloudtrail","title":"AWS CloudTrail (IAM)","description":"AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.","category":"monitoring","common_permissions":["cloudtrail:DescribeTrails","cloudtrail:GetTrail","cloudtrail:GetTrailStatus","cloudtrail:ListTrails","cloudtrail:StartLogging","cloudtrail:StopLogging","cloudtrail:GetEventSelectors","cloudtrail:PutEventSelectors"],"least_privilege_example":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"cloudtrail:DescribeTrails\",\n        \"cloudtrail:GetTrail\",\n        \"cloudtrail:GetTrailStatus\",\n        \"cloudtrail:ListTrails\",\n        \"cloudtrail:StartLogging\",\n        \"cloudtrail:StopLogging\",\n        \"cloudtrail:GetEventSelectors\",\n        \"cloudtrail:PutEventSelectors\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}","warnings":["Avoid cloudtrail:* — grants full control including trail deletion and configuration changes","Avoid cloudtrail:DeleteTrail and cloudtrail:StopLogging — can disable audit logging and break compliance"],"docs":"https://servicereference.us-east-1.amazonaws.com/v1/cloudtrail/cloudtrail.json","tags":["iam","aws"],"last_verified":"2026-06-14T00:00:00.000Z","next_check":"2026-12-11T00:00:00.000Z","created_at":"2026-06-14T04:49:42.270Z","updated_at":"2026-06-14T04:49:42.270Z"}