Log API Calls using AWS CloudTrail

Enhanced governance, compliance, operational and risk auditing of your AWS account can be achieved with the aid of AWS CloudTrail.
A user, role, or AWS service's actions are referred to as events in CloudTrail. AWS Management Console, AWS CLI, and AWS SDKs and APIs are sources where events can occur.

CloudTrail stores API calls and activities on the accounts, which include;

Management events: include activities on the control plane such as creating IAM, EC2 instance, and interacting with AWS services on the management level
Data events: include data events such as Lambda invocation, SNS and SQS, and interaction between AWS services.

Detailed steps in creating CloudTrail for your AWS account:

Hover to the search bar on the AWS Console, type CloudTrail then click on the **create a trail **as shown below;

Input the relevant parameters, including the trail name and storage bucket

The JSON Policy for IAMRole for the CloudTrail to access CloudWatch logs
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSCloudTrailCreateLogStream2014110", "Effect": "Allow", "Action": [ "logs:CreateLogStream" ], "Resource": [ "arn:aws:logs:us-east-1:014285054687:log-group:CloudTrailRoleForCloudWatchLogs-Douxtech:log-stream:014285054687_CloudTrail_us-east-1*", "arn:aws:logs:us-east-1:014285054687:log-group:CloudTrailRoleForCloudWatchLogs-Douxtech:log-stream:o-je4worq6xn_*" ] }, { "Sid": "AWSCloudTrailPutLogEvents20141101", "Effect": "Allow", "Action": [ "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:us-east-1:014285054687:log-group:CloudTrailRoleForCloudWatchLogs-Douxtech:log-stream:014285054687_CloudTrail_us-east-1*", "arn:aws:logs:us-east-1:014285054687:log-group:CloudTrailRoleForCloudWatchLogs-Douxtech:log-stream:o-je4worq6xn_*" ] } ] }
Choose the respective events desired for the cloud trail, either management or data events with the corresponding aws service.