Logging provides us with insight into the availability and integrity of our clouds.
CloudTrail captures and records account activity:
    resource "aws_cloudtrail" "example" {
      name           = "tf-trail-foobar"
      # Bucket and KMS key are defined elsewhere in the chapter
      s3_bucket_name = "${aws_s3_bucket.mybookbucket.id}"
      s3_key_prefix  = "prefix"
      # Global services (IAM, STS, CloudFront) are only recorded when this is true
      include_global_service_events = false
      # Encrypt the log files at rest with our own key (argument takes "=", not ":")
      kms_key_id = "${aws_kms_key.book_key.id}"

      event_selector {
        read_write_type           = "All"
        include_management_events = true

        # Record S3 object-level (data plane) events for every bucket
        data_resource {
          type   = "AWS::S3::Object"
          values = ["arn:aws:s3:::"]
        }
      }
    }
CloudWatch is primarily used for monitoring your cloud. It captures metrics and has good dashboarding features in the console. Streaming events into CloudWatch Logs is a good idea, and CloudWatch events can also be built from VPC flow logs and CloudTrail logs:
    resource "aws_cloudwatch_log_group" "book_log_group" {
      name = "book_log_group"
    }

    resource "aws_cloudwatch_log_stream" "foo" {
      name           = "SampleLogStream1234"
      log_group_name...
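Wiring the two together, as an added example that is not from the book: the trail delivers every event to a CloudWatch Logs group through a role that CloudTrail assumes, and a metric filter counts the events that stop or delete the trail so an alarm can be attached to that metric. Written in Terraform 0.12+ syntax; the resource names (book_trail, book_trail_to_logs, BookSecurity) and the bucket and key references are assumptions.

```hcl
resource "aws_cloudwatch_log_group" "book_trail" {
  name = "book_trail_log_group"
}

# Role CloudTrail assumes to write into the log group (names are assumptions)
resource "aws_iam_role" "book_trail_to_logs" {
  name = "book_trail_to_logs"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "cloudtrail.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "book_trail_to_logs" {
  role = aws_iam_role.book_trail_to_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
      Resource = "${aws_cloudwatch_log_group.book_trail.arn}:*"
    }]
  })
}

resource "aws_cloudtrail" "book_trail" {
  name                          = "book-trail"
  s3_bucket_name                = aws_s3_bucket.mybookbucket.id
  kms_key_id                    = aws_kms_key.book_key.arn
  include_global_service_events = true  # IAM/STS events are global
  is_multi_region_trail         = true
  enable_log_file_validation    = true  # tamper-evident digest files
  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.book_trail.arn}:*"
  cloud_watch_logs_role_arn     = aws_iam_role.book_trail_to_logs.arn
}

# Count StopLogging/DeleteTrail calls; attach an aws_cloudwatch_metric_alarm to it
resource "aws_cloudwatch_log_metric_filter" "trail_changes" {
  name           = "cloudtrail-changes"
  log_group_name = aws_cloudwatch_log_group.book_trail.name
  pattern        = "{ ($.eventName = StopLogging) || ($.eventName = DeleteTrail) }"
  metric_transformation {
    name      = "CloudTrailChanges"
    namespace = "BookSecurity"
    value     = "1"
  }
}
```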