There's more...

  • Log files are encrypted using server-side encryption in S3. This encryption is transparent to you, but you can opt to encrypt these files with your own customer master key (CMK) if you wish.
  • API calls are logged by CloudTrail in under 15 minutes.
  • Logs are shipped to your S3 bucket every five minutes.
  • It's possible to aggregate CloudTrail events across many accounts into a single bucket. This is a pattern often used to log AWS activity into a SecOps or similar account for auditing.
  • Logging aside, CloudTrail keeps your API activity for seven days.
  • You can create more than one trail. You might consider creating a trail for your developers that is separate from the trail consumed by security.
  • If a CloudFormation stack creates an S3 bucket and that bucket has objects in it, the delete operation will fail when you delete the stack. To work around this, you can manually delete the S3 bucket in the S3 web console.
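
The multi-account aggregation pattern above depends on a bucket policy in the logging account that lets CloudTrail write under each member account's prefix. The template below is an added example, not part of the original recipe; the parameter names and the two-account setup are assumptions, and `DeletionPolicy: Retain` is set so that deleting the stack leaves the non-empty log bucket in place instead of failing.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Central CloudTrail log bucket for several accounts (added example)

Parameters:
  # Hypothetical parameter names; supply the 12-digit IDs of the accounts
  # whose trails deliver into this bucket.
  MemberAccountA:
    Type: String
    AllowedPattern: '^[0-9]{12}$'
  MemberAccountB:
    Type: String
    AllowedPattern: '^[0-9]{12}$'

Resources:
  TrailBucket:
    Type: AWS::S3::Bucket
    # Keep the bucket (and the audit logs in it) when the stack is deleted.
    DeletionPolicy: Retain

  TrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # CloudTrail checks the bucket ACL before it delivers logs.
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt TrailBucket.Arn
          # Allow writes only under the listed accounts' AWSLogs/ prefixes,
          # and only when the bucket owner gets full control of the object.
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource:
              - !Sub '${TrailBucket.Arn}/AWSLogs/${MemberAccountA}/*'
              - !Sub '${TrailBucket.Arn}/AWSLogs/${MemberAccountB}/*'
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
```

Each member account's trail then names this bucket as its destination; an account whose ID is not listed under `AWSCloudTrailWrite` cannot deliver logs here.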