CloudTrail

Last updated: 2022-09-06

 


Pricing

 

Event history (Free)

  • You can view, search, and download the most recent 90-day history of your account’s control plane activity

Lake (pay for ingestion and storage)

  • First 5 TB: $2.5 per GB
  • $0.005 per GB of data scanned

 


Usage

 

Check which S3 bucket the trails are stored in

CloudTrail > Trails

 


Encryption

 

By default, CloudTrail log files are encrypted using Amazon S3 Server Side Encryption (SSE) and placed into your S3 bucket.

If you are using an existing S3 bucket with an S3 Bucket Key, CloudTrail must be allowed permission in the key policy to use the AWS KMS actions GenerateDataKey and DescribeKey.

If cloudtrail.amazonaws.com is not granted those permissions in the key policy, you cannot create or update a trail.

Key policy statement that allows CloudTrail to use the KMS key:

{
    "Sid": "Enable CloudTrail Actions",
    "Effect": "Allow",
    "Principal": {
        "Service": "cloudtrail.amazonaws.com"
    },
    "Action": [
        "kms:Encrypt*",
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}
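
An offline check for the requirement above, written as an added example (not part of the original notes and not AWS tooling): it reads a key policy document and lists which of the two required actions cloudtrail.amazonaws.com is not granted. The function name and the sample policies are constructed for illustration; Condition and NotAction elements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

SERVICE = "cloudtrail.amazonaws.com"
REQUIRED = ("kms:GenerateDataKey", "kms:DescribeKey")  # the two actions named above


def _as_list(value):
    """IAM JSON lets most elements be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_cloudtrail_actions(policy_json):
    """Return the required actions the key policy does not grant to CloudTrail.

    Simplifications: only statements naming the service principal explicitly
    are counted, and Condition / NotAction elements are not evaluated.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if SERVICE not in services:
            continue
        # Action names are case-insensitive and may contain * and ? wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        hits = {r for r in REQUIRED if any(fnmatchcase(r.lower(), p) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hits
        elif stmt.get("Effect") == "Deny":
            denied |= hits  # an explicit Deny overrides any Allow
    return [r for r in REQUIRED if r not in allowed or r in denied]


def _policy(actions):
    """Constructed sample: a one-statement key policy for the CloudTrail principal."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "Enable CloudTrail Actions", "Effect": "Allow",
        "Principal": {"Service": SERVICE}, "Action": actions, "Resource": "*"}]})


# Action list from the statement on this page, and a constructed incomplete one.
PAGE_POLICY = _policy(["kms:Encrypt*", "kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"])
WEAK_POLICY = _policy(["kms:Encrypt*", "kms:Generate*"])

if __name__ == "__main__":
    print("page policy missing:", missing_cloudtrail_actions(PAGE_POLICY))
    print("weak policy missing:", missing_cloudtrail_actions(WEAK_POLICY))
```

Running it against a policy exported from the key before creating or updating a trail shows the missing grant up front.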

 

 
