An event in CloudTrail is the record of an activity in an AWS account. This activity can be an action taken by an IAM identity, or service that is monitorable by CloudTrail. CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
CloudTrail log files aren't an ordered stack trace of the public API calls, so events don't appear in any specific order.
There are four types of CloudTrail events:
By default, trails and event data stores log management events, but not data events, network activity events, or Insights events.
All event types use a CloudTrail JSON log format. The log contains information about requests for resources in your account, such as who made the request, the services used, the actions performed, and parameters for the action. The event data is enclosed in a Records array.
For information about CloudTrail event record fields for management, data, and network activity events, see CloudTrail record contents for management, data, and network activity events.
For information about CloudTrail event record fields for Insights events for trails, see CloudTrail record contents for Insights events for trails.
For information about CloudTrail event record fields for Insights events for event data stores, see CloudTrail record contents for Insights events for event data stores.
Management eventsManagement events provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations.
Example management events include:
Configuring security (for example, AWS Identity and Access Management AttachRolePolicy API operations).
Registering devices (for example, Amazon EC2 CreateDefaultVpc API operations).
Configuring rules for routing data (for example, Amazon EC2 CreateSubnet API operations).
Setting up logging (for example, AWS CloudTrail CreateTrail API operations).
Management events can also include non-API events that occur in your account. For example, when a user signs in to your account, CloudTrail logs the ConsoleLogin event. For more information, see Non-API events captured by CloudTrail.
By default, CloudTrail trails and CloudTrail Lake event data stores log management events. For more information about logging management events, see Logging management events.
The following example shows a single log record of a management event. In this event, an IAM user named Mary_Major ran the aws cloudtrail start-logging command to call the CloudTrail StartLogging action to start the logging process on a trail named myTrail.
{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "EXAMPLE6E4XEGITWATV6R",
"arn": "arn:aws:iam::123456789012:user/Mary_Major",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Mary_Major",
"sessionContext": {
"attributes": {
"creationDate": "2023-07-19T21:11:57Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-07-19T21:33:41Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "StartLogging",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.start-logging",
"requestParameters": {
"name": "myTrail"
},
"responseElements": null,
"requestID": "9d478fc1-4f10-490f-a26b-EXAMPLE0e932",
"eventID": "eae87c48-d421-4626-94f5-EXAMPLEac994",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}In this next example, an IAM user user named Paulo_Santos ran the aws cloudtrail start-event-data-store-ingestion command to call the StartEventDataStoreIngestion action to start ingestion on an event data store.
{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "EXAMPLEPHCNW5EQV7NA54",
"arn": "arn:aws:iam::123456789012:user/Paulo_Santos",
"accountId": "123456789012",
"accessKeyId": "(AKIAIOSFODNN7EXAMPLE",
"userName": "Paulo_Santos",
"sessionContext": {
"attributes": {
"creationDate": "2023-07-21T21:55:30Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-07-21T21:57:28Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "StartEventDataStoreIngestion",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.13.1 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.start-event-data-store-ingestion",
"requestParameters": {
"eventDataStore": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/2a8f2138-0caa-46c8-a194-EXAMPLE87d41"
},
"responseElements": null,
"requestID": "f62a3494-ba4e-49ee-8e27-EXAMPLE4253f",
"eventID": "d97ca7e2-04fe-45b4-882d-EXAMPLEa9b2c",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities.
Example data events include:
The following table shows the resource types available for trails and event data stores. The Resource type (console) column shows the appropriate selection in the console. The resources.type value column shows the resources.type value that you would specify to include data events of that type in your trail or event data store using the AWS CLI or CloudTrail APIs.
For trails, you can use basic or advanced event selectors to log data events for Amazon S3 objects in general purpose buckets, Lambda functions, and DynamoDB tables (shown in the first three rows of the table). You can use only advanced event selectors to log the resource types shown in the remaining rows.
For event data stores, you can use only advanced event selectors to include data events.
Data events supported by AWS CloudTrail AWS service Description Resource type (console) resources.type value AWS BackupAWS Backup Search Data API activity on search jobs.
AWS Backup Search Data APIsAWS::Backup::SearchJob AWS IoT
AWS IoT API activity on certificates.
IoT certificateAWS::IoT::Certificate AWS IoT
AWS IoT API activity on things.
IoT thingAWS::IoT::Thing AWS Private CA
AWS Private CA Connector for Active Directory API activity.
AWS Private CA Connector for Active DirectoryAWS::PCAConnectorAD::Connector AWS Private CA
AWS Private CA Connector for SCEP API activity.
AWS Private CA Connector for SCEPAWS::PCAConnectorSCEP::Connector Amazon RDS
Amazon RDS API activity on a DB Cluster.
RDS Data API - DB ClusterAWS::RDS::DBCluster Amazon S3
Amazon S3 object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations) on objects in general purpose buckets.
AWS::S3::Object Amazon S3
Amazon S3 API activity on access points.
S3 Access PointAWS::S3::AccessPoint Amazon S3
Amazon S3 object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations) on objects in directory buckets.
AWS::S3Express::Object Amazon S3
Amazon S3 Object Lambda access points API activity, such as calls to CompleteMultipartUpload and GetObject.
AWS::S3ObjectLambda::AccessPoint Amazon S3
Amazon FSx API activity on volumes.
FSx VolumeAWS::FSx::Volume Amazon S3 Tables
Amazon S3 API activity on tables.
S3 tableAWS::S3Tables::Table Amazon S3 Tables
Amazon S3 API activity on table buckets.
S3 table bucketAWS::S3Tables::TableBucket Amazon S3 on Outposts
Amazon S3 on Outposts object-level API activity.
S3 OutpostsAWS::S3Outposts::Object Amazon SNS
Amazon SNS Publish API operations on platform endpoints.
AWS::SNS::PlatformEndpoint Amazon SNS
Amazon SNS Publish and PublishBatch API operations on topics.
AWS::SNS::Topic Amazon SQS
Amazon SQS API activity on messages.
SQSAWS::SQS::Queue AWS Supply Chain
AWS Supply Chain API activity on an instance.
Supply ChainAWS::SCN::Instance Amazon SWF
Amazon SWF API activity on domains.
SWF domainAWS::SWF::Domain AWS AppConfig
AWS AppConfig API activity for configuration operations such as calls to StartConfigurationSession and GetLatestConfiguration.
AWS::AppConfig::Configuration AWS AppSync
AWS AppSync API activity on AppSync GraphQL APIs.
AppSync GraphQLAWS::AppSync::GraphQLApi Amazon Aurora DSQL
Amazon Aurora DSQL API activity on cluster resources.
Amazon Aurora DSQLAWS::DSQL::Cluster AWS B2B Data Interchange
B2B Data Interchange API activity for Transformer operations such as calls to GetTransformerJob and StartTransformerJob.
AWS::B2BI::Transformer Amazon Bedrock Amazon Bedrock API activity on an agent alias. Bedrock agent alias AWS::Bedrock::AgentAlias Amazon Bedrock Amazon Bedrock API activity on async invocations. Bedrock async invoke AWS::Bedrock::AsyncInvoke Amazon Bedrock Amazon Bedrock API activity on a flow alias. Bedrock flow alias AWS::Bedrock::FlowAlias Amazon Bedrock Amazon Bedrock API activity on guardrails. Bedrock guardrail AWS::Bedrock::Guardrail Amazon Bedrock Amazon Bedrock API activity on inline agents. Bedrock Invoke Inline-Agent AWS::Bedrock::InlineAgent Amazon Bedrock Amazon Bedrock API activity on a knowledge base. Bedrock knowledge base AWS::Bedrock::KnowledgeBase Amazon Bedrock Amazon Bedrock API activity on models. Bedrock model AWS::Bedrock::Model Amazon Bedrock Amazon Bedrock API activity on prompts. Bedrock prompt AWS::Bedrock::PromptVersion Amazon Bedrock Amazon Bedrock API activity on sessions. Bedrock session AWS::Bedrock::Session Amazon Bedrock
Amazon Bedrock API activity on flow executions.
Bedrock flow executionAWS::Bedrock::FlowExecution Amazon Bedrock
Amazon Bedrock API activity on an automated reasoning policy.
Bedrock automated reasoning policyAWS::Bedrock::AutomatedReasoningPolicy Amazon Bedrock
Amazon Bedrock API activity on an automated reasoning policy version.
Bedrock automated reasoning policy versionAWS::Bedrock::AutomatedReasoningPolicyVersion AWS Cloud Map AWS Cloud Map API activity on a namespace. AWS Cloud Map namespace AWS::ServiceDiscovery::NamespaceAWS::ServiceDiscovery::ServiceCloudFront API activity on a KeyValueStore.
CloudFront KeyValueStoreAWS::CloudFront::KeyValueStore AWS CloudTrail
CloudTrail PutAuditEvents activity on a CloudTrail Lake channel that is used to log events from outside AWS.
AWS::CloudTrail::Channel Amazon CloudWatch
Amazon CloudWatch API activity on metrics.
CloudWatch metricAWS::CloudWatch::Metric Amazon CloudWatch Network Flow Monitor
Amazon CloudWatch Network Flow Monitor API activity on monitors.
Network Flow Monitor monitorAWS::NetworkFlowMonitor::Monitor Amazon CloudWatch Network Flow Monitor
Amazon CloudWatch Network Flow Monitor API activity on scopes.
Network Flow Monitor scopeAWS::NetworkFlowMonitor::Scope Amazon CloudWatch RUM
Amazon CloudWatch RUM API activity on app monitors.
RUM app monitorAWS::RUM::AppMonitor Amazon CodeGuru Profiler CodeGuru Profiler API activity on profiling groups. CodeGuru Profiler profiling group AWS::CodeGuruProfiler::ProfilingGroup Amazon CodeWhisperer Amazon CodeWhisperer API activity on a customization. CodeWhisperer customization AWS::CodeWhisperer::Customization Amazon CodeWhisperer Amazon CodeWhisperer API activity on a profile. CodeWhisperer AWS::CodeWhisperer::Profile Amazon Cognito
Amazon Cognito API activity on Amazon Cognito identity pools.
Cognito Identity PoolsAWS::Cognito::IdentityPool AWS Data Exchange
AWS Data Exchange API activity on assets.
Data Exchange asset
AWS::DataExchange::Asset
Deadline Cloud API activity on fleets.
Deadline Cloud fleet
AWS::Deadline::Fleet
Deadline Cloud API activity on jobs.
Deadline Cloud job
AWS::Deadline::Job
Deadline Cloud API activity on queues.
Deadline Cloud queue
AWS::Deadline::Queue
Deadline Cloud API activity on workers.
Deadline Cloud worker
AWS::Deadline::Worker
Amazon DynamoDB item-level API activity on tables (for example, PutItem, DeleteItem, and UpdateItem API operations).
For tables with streams enabled, the resources field in the data event contains both AWS::DynamoDB::Stream and AWS::DynamoDB::Table. If you specify AWS::DynamoDB::Table for the resources.type, it will log both DynamoDB table and DynamoDB streams events by default. To exclude streams events, add a filter on the eventName field.
AWS::DynamoDB::Table
Amazon DynamoDB API activity on streams.
DynamoDB StreamsAWS::DynamoDB::Stream Amazon Elastic Block Store
Amazon Elastic Block Store (EBS) direct APIs, such as PutSnapshotBlock, GetSnapshotBlock, and ListChangedBlocks on Amazon EBS snapshots.
AWS::EC2::Snapshot Amazon Elastic Kubernetes Service
Amazon Elastic Kubernetes Service API activity on dashboards.
Amazon Elastic Kubernetes Service dashboardAWS::EKS::Dashboard Amazon EMR Amazon EMR API activity on a write-ahead log workspace. EMR write-ahead log workspace AWS::EMRWAL::Workspace AWS End User Messaging SMS AWS End User Messaging SMS API activity on origination identities. SMS Voice origination identity AWS::SMSVoice::OriginationIdentity AWS End User Messaging SMS AWS End User Messaging SMS API activity on messages. SMS Voice message AWS::SMSVoice::Message AWS End User Messaging Social AWS End User Messaging Social API activity on phone number IDs. Social-Messaging Phone Number Id AWS::SocialMessaging::PhoneNumberId AWS End User Messaging Social AWS End User Messaging Social API activity on Waba IDs. Social-Messaging Waba ID AWS::SocialMessaging::WabaId Amazon FinSpace
Amazon FinSpace API activity on environments.
FinSpaceAWS::FinSpace::Environment Amazon GameLift Streams
Amazon GameLift Streams streaming API activity on applications.
GameLift Streams applicationAWS::GameLiftStreams::Application Amazon GameLift Streams
Amazon GameLift Streams streaming API activity on stream groups.
GameLift Streams stream groupAWS::GameLiftStreams::StreamGroup AWS Glue
AWS Glue API activity on tables that were created by Lake Formation.
Lake FormationAWS::Glue::Table Amazon GuardDuty
Amazon GuardDuty API activity for a detector.
GuardDuty detectorAWS::GuardDuty::Detector AWS HealthImaging
AWS HealthImaging API activity on data stores.
MedicalImaging data storeAWS::MedicalImaging::Datastore AWS IoT Greengrass Version 2
Greengrass API activity from a Greengrass core device on a component version.
NoteGreengrass doesn't log access denied events.
IoT Greengrass component versionAWS::GreengrassV2::ComponentVersion AWS IoT Greengrass Version 2
Greengrass API activity from a Greengrass core device on a deployment.
NoteGreengrass doesn't log access denied events.
IoT Greengrass deploymentAWS::GreengrassV2::Deployment AWS IoT SiteWise
IoT SiteWise API activity on assets.
IoT SiteWise assetAWS::IoTSiteWise::Asset AWS IoT SiteWise
IoT SiteWise API activity on time series.
IoT SiteWise time seriesAWS::IoTSiteWise::TimeSeries AWS IoT SiteWise Assistant
Sitewise Assistant API activity on conversations.
Sitewise Assistant conversationAWS::SitewiseAssistant::Conversation AWS IoT TwinMaker
IoT TwinMaker API activity on an entity.
IoT TwinMaker entityAWS::IoTTwinMaker::Entity AWS IoT TwinMaker
IoT TwinMaker API activity on a workspace.
IoT TwinMaker workspaceAWS::IoTTwinMaker::Workspace Amazon Kendra Intelligent Ranking
Amazon Kendra Intelligent Ranking API activity on rescore execution plans.
Kendra RankingAWS::KendraRanking::ExecutionPlan Amazon Keyspaces (for Apache Cassandra) Amazon Keyspaces API activity on a table. Cassandra table AWS::Cassandra::Table Amazon Keyspaces (for Apache Cassandra)
Amazon Keyspaces (for Apache Cassandra) API activity on Cassandra CDC streams.
Cassandra CDC streamsAWS::Cassandra::Stream Amazon Kinesis Data Streams Kinesis Data Streams API activity on streams. Kinesis stream AWS::Kinesis::Stream Amazon Kinesis Data Streams Kinesis Data Streams API activity on stream consumers. Kinesis stream consumer AWS::Kinesis::StreamConsumer Amazon Kinesis Video Streams Kinesis Video Streams API activity on video streams, such as calls to GetMedia and PutMedia. Kinesis video stream AWS::KinesisVideo::Stream AWS Lambda
AWS Lambda function execution activity (the Invoke API).
AWS::Lambda::Function Amazon Location Maps Amazon Location Maps API activity. Geo Maps AWS::GeoMaps::Provider Amazon Location Places Amazon Location Places API activity. Geo Places AWS::GeoPlaces::Provider Amazon Location Routes Amazon Location Routes API activity. Geo Routes AWS::GeoRoutes::Provider Amazon Machine Learning Machine Learning API activity on ML models. Maching Learning MlModel AWS::MachineLearning::MlModel Amazon Managed Blockchain
Amazon Managed Blockchain API activity on a network.
Managed Blockchain networkAWS::ManagedBlockchain::Network Amazon Managed Blockchain
Amazon Managed Blockchain JSON-RPC calls on Ethereum nodes, such as eth_getBalance or eth_getBlockByNumber.
AWS::ManagedBlockchain::Node Amazon Managed Blockchain Query
Amazon Managed Blockchain Query API activity.
Managed Blockchain QueryAWS::ManagedBlockchainQuery::QueryAPI Amazon Managed Workflows for Apache Airflow
Amazon MWAA API activity on environments.
Managed Apache AirflowAWS::MWAA::Environment Amazon Neptune Graph
Data API activities, for example queries, algorithms, or vector search, on a Neptune Graph.
Neptune GraphAWS::NeptuneGraph::Graph Amazon One Enterprise
Amazon One Enterprise API activity on a UKey.
Amazon One UKeyAWS::One::UKey Amazon One Enterprise
Amazon One Enterprise API activity on users.
Amazon One UserAWS::One::User AWS Payment Cryptography AWS Payment Cryptography API activity on aliases. Payment Cryptography Alias AWS::PaymentCryptography::Alias AWS Payment Cryptography AWS Payment Cryptography API activity on keys. Payment Cryptography Key AWS::PaymentCryptography::Key Amazon Pinpoint
Amazon Pinpoint API activity on mobile targeting applications.
Mobile Targeting ApplicationAWS::Pinpoint::App Amazon Q Apps
Data API activity on Amazon Q Apps.
Amazon Q AppsAWS::QApps::QApp Amazon Q Apps
Data API activity on Amazon Q App sessions.
Amazon Q App SessionAWS::QApps::QAppSession Amazon Q Business
Amazon Q Business API activity on an application.
Amazon Q Business applicationAWS::QBusiness::Application Amazon Q Business
Amazon Q Business API activity on a data source.
Amazon Q Business data sourceAWS::QBusiness::DataSource Amazon Q Business
Amazon Q Business API activity on an index.
Amazon Q Business indexAWS::QBusiness::Index Amazon Q Business
Amazon Q Business API activity on a web experience.
Amazon Q Business web experienceAWS::QBusiness::WebExperience Amazon Q Developer
Amazon Q Developer API activity on an integration.
Q Developer integrationAWS::QDeveloper::Integration Amazon Q Developer
Amazon Q Developer API activity on operational investigations.
AIOps Investigation GroupAWS::AIOps::InvestigationGroup Amazon SageMaker AI Amazon SageMaker AI InvokeEndpointWithResponseStream activity on endpoints. SageMaker AI endpoint AWS::SageMaker::Endpoint Amazon SageMaker AI
Amazon SageMaker AI API activity on feature stores.
SageMaker AI feature storeAWS::SageMaker::FeatureGroup Amazon SageMaker AI
Amazon SageMaker AI API activity on experiment trial components.
SageMaker AI metrics experiment trial componentAWS::SageMaker::ExperimentTrialComponent AWS Signer
Signer API activity on signing jobs.
Signer signing jobAWS::Signer::SigningJob AWS Signer
Signer API activity on signing profiles.
Signer signing profileAWS::Signer::SigningProfile Amazon Simple Email Service
Amazon Simple Email Service (Amazon SES) API activity on configuration sets.
SES configuration setAWS::SES::ConfigurationSet Amazon Simple Email Service
Amazon Simple Email Service (Amazon SES) API activity on email identities.
SES identityAWS::SES::EmailIdentity Amazon Simple Email Service
Amazon Simple Email Service (Amazon SES) API activity on templates.
SES templateAWS::SES::Template Amazon SimpleDB
Amazon SimpleDB API activity on domains.
SimpleDB domainAWS::SDB::Domain AWS Step Functions
Step Functions API activity on activities.
Step FunctionsAWS::StepFunctions::Activity AWS Step Functions
Step Functions API activity on state machines.
Step Functions state machineAWS::StepFunctions::StateMachine AWS Systems Manager Systems Manager API activity on control channels. Systems Manager AWS::SSMMessages::ControlChannel AWS Systems Manager Systems Manager API activity on impact assessments. SSM Impact Assessment AWS::SSM::ExecutionPreview AWS Systems Manager Systems Manager API activity on managed nodes. Systems Manager managed node AWS::SSM::ManagedNode Amazon Timestream Amazon Timestream Query API activity on databases. Timestream database AWS::Timestream::Database Amazon Timestream Amazon Timestream API activity on regional endpoints. Timestream regional endpoint AWS::Timestream::RegionalEndpoint Amazon Timestream Amazon Timestream Query API activity on tables. Timestream table AWS::Timestream::Table Amazon Verified Permissions
Amazon Verified Permissions API activity on a policy store.
Amazon Verified PermissionsAWS::VerifiedPermissions::PolicyStore Amazon WorkSpaces Thin Client WorkSpaces Thin Client API activity on a Device. Thin Client Device AWS::ThinClient::Device Amazon WorkSpaces Thin Client WorkSpaces Thin Client API activity on an Environment. Thin Client Environment AWS::ThinClient::Environment AWS X-Ray
X-Ray trace AWS::XRay::Trace
Data events are not logged by default when you create a trail or event data store. To record CloudTrail data events, you must explicitly add the supported resources or resource types for which you want to collect activity. For more information, see Creating a trail with the CloudTrail console and Create an event data store for CloudTrail events with the console.
Additional charges apply for logging data events. For CloudTrail pricing, see AWS CloudTrail Pricing.
The following example shows a single log record of a data event for the Amazon SNS Publish action.
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Bob",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AKIAIOSFODNN7EXAMPLE",
"arn": "arn:aws:iam::123456789012:role/Admin",
"accountId": "123456789012",
"userName": "ExampleUser"
},
"attributes": {
"creationDate": "2023-08-21T16:44:05Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-08-21T16:48:37Z",
"eventSource": "sns.amazonaws.com",
"eventName": "Publish",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/1.29.16 md/Botocore#1.31.16 ua/2.0 os/linux#5.4.250-173.369.amzn2int.x86_64 md/arch#x86_64 lang/python#3.8.17 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.31.16",
"requestParameters": {
"topicArn": "arn:aws:sns:us-east-1:123456789012:ExampleSNSTopic",
"message": "HIDDEN_DUE_TO_SECURITY_REASONS",
"subject": "HIDDEN_DUE_TO_SECURITY_REASONS",
"messageStructure": "json",
"messageAttributes": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"responseElements": {
"messageId": "0787cd1e-d92b-521c-a8b4-90434e8ef840"
},
"requestID": "0a8ab208-11bf-5e01-bd2d-ef55861b545d",
"eventID": "bb3496d4-5252-4660-9c28-3c6aebdb21c0",
"readOnly": false,
"resources": [{
"accountId": "123456789012",
"type": "AWS::SNS::Topic",
"ARN": "arn:aws:sns:us-east-1:123456789012:ExampleSNSTopic"
}],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "sns.us-east-1.amazonaws.com"
}
}The next example shows a single log record of a data event for the Amazon Cognito GetCredentialsForIdentity action.
{
"eventVersion": "1.08",
"userIdentity": {
"type": "Unknown"
},
"eventTime": "2023-01-19T16:55:08Z",
"eventSource": "cognito-identity.amazonaws.com",
"eventName": "GetCredentialsForIdentity",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.4",
"userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-credentials-for-identity",
"requestParameters": {
"logins": {
"cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE"
},
"responseElements": {
"credentials": {
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionToken": "aAaAaAaAaAaAab1111111111EXAMPLE",
"expiration": "Jan 19, 2023 5:55:08 PM"
},
"identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE"
},
"requestID": "659dfc23-7c4e-4e7c-858a-1abce884d645",
"eventID": "6ad1c766-5a41-4b28-b5ca-e223ccb00f0d",
"readOnly": false,
"resources": [{
"accountId": "111122223333",
"type": "AWS::Cognito::IdentityPool",
"ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE"
}],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "111122223333",
"eventCategory": "Data"
}CloudTrail network activity events enable VPC endpoint owners to record AWS API calls made using their VPC endpoints from a private VPC to the AWS service. Network activity events provide visibility into the resource operations performed within a VPC.
You can log network activity events for the following services:
AWS AppConfig
AWS B2B Data Interchange
Billing and Cost Management
AWS Pricing Calculator
AWS Cost Explorer
AWS CloudHSM
Amazon Comprehend Medical
AWS CloudTrail
AWS Data Exports
Amazon DynamoDB
Amazon EC2
Amazon Elastic Container Service
Amazon EventBridge Scheduler
AWS Free Tier
Amazon FSx
AWS IoT FleetWise
AWS Invoicing
AWS KMS
AWS Lambda
Amazon Lookout for Equipment
Amazon Rekognition
Amazon S3
AWS Secrets Manager
AWS Systems Manager Incident Manager
Amazon Textract
Amazon WorkMail
Network activity events are not logged by default when you create a trail or event data store. To record CloudTrail network activity events, you must explicitly set the event source for which you want to collect activity. For more information, see Logging network activity events.
Additional charges apply for logging network activity events. For CloudTrail pricing, see AWS CloudTrail Pricing.
The following example shows a successful AWS KMS ListKeys event that traversed a VPC endpoint. The vpcEndpointId field shows the ID of the VPC endpoint. The vpcEndpointAccountId field shows the account ID of the VPC endpoint owner. In this example, the request was made by the VPC endpoint owner.
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "ASIAIOSFODNN7EXAMPLE:role-name",
"arn": "arn:aws:sts::123456789012:assumed-role/Admin/role-name",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "ASIAIOSFODNN7EXAMPLE",
"arn": "arn:aws:iam::123456789012:role/Admin",
"accountId": "123456789012",
"userName": "Admin"
},
"attributes": {
"creationDate": "2024-06-04T23:10:46Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2024-06-04T23:12:50Z",
"eventSource": "kms.amazonaws.com",
"eventName": "ListKeys",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"requestID": "16bcc089-ac49-43f1-9177-EXAMPLE23731",
"eventID": "228ca3c8-5f95-4a8a-9732-EXAMPLE60ed9",
"eventType": "AwsVpceEvent",
"recipientAccountId": "123456789012",
"sharedEventID": "a1f3720c-ef19-47e9-a5d5-EXAMPLE8099f",
"vpcEndpointId": "vpce-EXAMPLE08c1b6b9b7",
"vpcEndpointAccountId": "123456789012",
"eventCategory": "NetworkActivity"
}The next example shows an unsuccessful AWS KMS ListKeys event with a VPC endpoint policy violation. Because a VPC policy violation occurred, both the errorCode and errorMessage fields are present. The account ID in the recipientAccountId and vpcEndpointAccountId fields is the same, which indicates the event was sent to the VPC endpoint owner. The accountId in the userIdentity element is not the vpcEndpointAccountId, which indicates that the user making the request is not the VPC endpoint owner.
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AWSAccount",
"principalId": "AKIAIOSFODNN7EXAMPLE",
"accountId": "777788889999"
},
"eventTime": "2024-07-15T23:57:12Z",
"eventSource": "kms.amazonaws.com",
"eventName": "ListKeys",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"errorCode": "VpceAccessDenied",
"errorMessage": "The request was denied due to a VPC endpoint policy",
"requestID": "899003b8-abc4-42bb-ad95-EXAMPLE0c374",
"eventID": "7c6e3d04-0c3b-42f2-8589-EXAMPLE826c0",
"eventType": "AwsVpceEvent",
"recipientAccountId": "123456789012",
"sharedEventID": "702f74c4-f692-4bfd-8491-EXAMPLEb1ac4",
"vpcEndpointId": "vpce-EXAMPLE08c1b6b9b7",
"vpcEndpointAccountId": "123456789012",
"eventCategory": "NetworkActivity"
}CloudTrail Insights events capture unusual API call rate or error rate activity in your AWS account by analyzing CloudTrail management activity. Insights events provide relevant information, such as the associated API, error code, incident time, and statistics, that help you understand and act on unusual activity. Unlike other types of events captured in a CloudTrail trail or event data store, Insights events are logged only when CloudTrail detects changes in your account's API usage or error rate logging that differ significantly from the account's typical usage patterns. For more information, see Working with CloudTrail Insights.
Examples of activity that might generate Insights events include:
Your account typically logs no more than 20 Amazon S3 deleteBucket API calls per minute, but your account starts to log an average of 100 deleteBucket API calls per minute. An Insights event is logged at the start of the unusual activity, and another Insights event is logged to mark the end of the unusual activity.
Your account typically logs 20 calls per minute to the Amazon EC2 AuthorizeSecurityGroupIngress API, but your account starts to log zero calls to AuthorizeSecurityGroupIngress. An Insights event is logged at the start of the unusual activity, and ten minutes later, when the unusual activity ends, another Insights event is logged to mark the end of the unusual activity.
Your account typically logs less than one AccessDeniedException error in a seven-day period on the AWS Identity and Access Management API, DeleteInstanceProfile. Your account starts to log an average of 12 AccessDeniedException errors per minute on the DeleteInstanceProfile API call. An Insights event is logged at the start of the unusual error rate activity, and another Insights event is logged to mark the end of the unusual activity.
These examples are provided for illustration purposes only. Your results may vary depending on your use case.
To log CloudTrail Insights events, you must explicitly enable Insights events on a new or existing trail or event data store. For more information about creating a trail, see Creating a trail with the CloudTrail console. For more information about creating an event data store, see Create an event data store for Insights events with the console.
Additional charges apply for Insights events. You will be charged separately if you enable Insights for both trails and event data stores. For more information, see AWS CloudTrail Pricing.
There are two events logged to show unusual activity in CloudTrail Insights: a start event and an end event. The following example shows a single log record of a starting Insights event that occurred when the Application Auto Scaling API CompleteLifecycleAction was called an unusual number of times. For Insights events, the value of eventCategory is Insight. An insightDetails block identifies the event state, source, name, Insights type, and context, including statistics and attributions. For more information about the insightDetails block, see CloudTrail record contents for Insights events for trails.
{
"eventVersion": "1.08",
"eventTime": "2023-07-10T01:42:00Z",
"awsRegion": "us-east-1",
"eventID": "55ed45c5-0b0c-4228-9fe5-EXAMPLEc3f4d",
"eventType": "AwsCloudTrailInsight",
"recipientAccountId": "123456789012",
"sharedEventID": "979c82fe-14d4-4e4c-aa01-EXAMPLE3acee",
"insightDetails": {
"state": "Start",
"eventSource": "autoscaling.amazonaws.com",
"eventName": "CompleteLifecycleAction",
"insightType": "ApiCallRateInsight",
"insightContext": {
"statistics": {
"baseline": {
"average": 9.82222E-5
},
"insight": {
"average": 5.0
},
"insightDuration": 1,
"baselineDuration": 10181
},
"attributions": [{
"attribute": "userIdentityArn",
"insight": [{
"value": "arn:aws:sts::123456789012:assumed-role/CodeDeployRole1",
"average": 5.0
}, {
"value": "arn:aws:sts::123456789012:assumed-role/CodeDeployRole2",
"average": 5.0
}, {
"value": "arn:aws:sts::123456789012:assumed-role/CodeDeployRole3",
"average": 5.0
}],
"baseline": [{
"value": "arn:aws:sts::123456789012:assumed-role/CodeDeployRole1",
"average": 9.82222E-5
}]
}, {
"attribute": "userAgent",
"insight": [{
"value": "codedeploy.amazonaws.com",
"average": 5.0
}],
"baseline": [{
"value": "codedeploy.amazonaws.com",
"average": 9.82222E-5
}]
}, {
"attribute": "errorCode",
"insight": [{
"value": "null",
"average": 5.0
}],
"baseline": [{
"value": "null",
"average": 9.82222E-5
}]
}]
}
},
"eventCategory": "Insight"
}RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4