Glossary

CloudTrail

AWS audit log of every API call made in the account.

Definition

AWS CloudTrail records every management-plane API call made against an AWS account and, optionally, data-plane API calls as well. Every event includes the calling identity (IAM user, role, or service), source IP, user agent, request parameters, response code, and timestamp.

CloudTrail is the foundational data source for cloud-detection engineering on AWS. Most cloud-relevant ATT&CK techniques (T1078 Valid Accounts, T1530 Cloud Storage, T1562 Impair Defenses) are detected via CloudTrail-derived signals. DCV pulls finding inventories that map back to the underlying CloudTrail events.
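Detection logic of the kind described above, as an added example that is not part of this glossary or of DCV: it scans CloudTrail-shaped records for calls that stop, delete or reconfigure a trail (the signal behind T1562 Impair Defenses, sub-technique T1562.008), keeps the identity, IP and user-agent fields an analyst pivots on, and separates denied attempts from successful changes. The events, account id, IPs and trail name are constructed sample data.

```python
"""Flag CloudTrail records that tamper with trail logging (ATT&CK T1562 Impair Defenses).

Added example, not CloudTrail or DCV code. SAMPLE_EVENTS are constructed records in
the CloudTrail JSON shape; the account id, IPs and trail name are not real.
"""
import json

# CloudTrail API names that stop, delete or reconfigure a trail.
TRAIL_TAMPER_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

SAMPLE_EVENTS = [  # constructed sample data, not real account activity
    {"eventTime": "2026-04-24T10:01:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/auditor"},
     "requestParameters": None},
    {"eventTime": "2026-04-24T10:05:44Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/session1"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}},
    {"eventTime": "2026-04-24T10:06:10Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev"},
     "requestParameters": {"name": "org-trail"}, "errorCode": "AccessDenied"},
]


def detect_trail_tampering(events):
    """Return one finding per trail-tampering call, in event order."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if ev.get("eventName") not in TRAIL_TAMPER_CALLS:
            continue
        params = ev.get("requestParameters") or {}
        findings.append({
            "technique": "T1562.008",  # Impair Defenses: Disable or Modify Cloud Logs
            "time": ev["eventTime"],
            "api": ev["eventName"],
            "trail": params.get("name", "<unknown>"),
            "actor": ev["userIdentity"].get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "user_agent": ev.get("userAgent"),
            # A present errorCode means the call was refused: an attempt, not a change.
            "outcome": "attempted" if ev.get("errorCode") else "succeeded",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_trail_tampering(SAMPLE_EVENTS):
        print(json.dumps(finding))
```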

Sources
  • AWS CloudTrail user guide, https://docs.aws.amazon.com/awscloudtrail/latest/userguide/
  • CloudTrail event reference, https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-api-calls.html
Last verified: 2026-04-24