Cloud security best practices, as well as most compliance programs, require that logging be enabled for all in-scope services. However, that simple requirement — “enable logging” — comes with many followup questions. Is CloudTrail enough? How do I turn on logging for all these services? Aren’t logs collected by default? What. even. is. a. log?