An event in CloudTrail is the record of an activity in an AWS account. This activity can be an action taken by an IAM identity or by an AWS service that CloudTrail can monitor.
CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
CloudTrail log files aren't an ordered stack trace of the public API calls, so events within a log file don't appear in any specific order; sort on eventTime before reasoning about the sequence of activity.
By default, trails and event data stores log management events, but not data or Insights events.
Management events
Management events provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations.
Example management events include:
Configuring security (for example, AWS Identity and Access Management AttachRolePolicy API operations).
Registering devices (for example, Amazon EC2 CreateDefaultVpc API operations).
Configuring rules for routing data (for example, Amazon EC2 CreateSubnet API operations).
Setting up logging (for example, AWS CloudTrail CreateTrail API operations).
Management events can also include non-API events that occur in your account. For example, when a user signs in to your account, CloudTrail logs the ConsoleLogin event. For more information, see
Data events
Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities.
The following table shows the data event types available for trails and event data stores. The Data event type (console) column shows the appropriate selection in the console. The resources.type value column shows the resources.type value that you would specify to include data events of that type in your trail or event data store using the AWS CLI or CloudTrail APIs.
For trails, you can use basic or advanced event selectors to log data events for Amazon S3 objects, Lambda functions, and DynamoDB tables (shown in the first three rows of the table). You can use only advanced event selectors to log the data event types shown in the remaining rows.
For event data stores, you can use only advanced event selectors to include data events.
Data events are not logged by default when you create a trail or event data store. To record CloudTrail data events, you must explicitly add the supported resources or resource types for which you want to collect activity. For more information about logging data events, see
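The two points above, that a trail logs management events such as ConsoleLogin by default and logs data events only for the resources you select, can be checked locally. The following added example (not code from the AWS documentation) evaluates advanced event selectors against constructed log records in CloudTrail's Records shape. The selector semantics are a simplified model of CloudTrail's behaviour (every FieldSelector in a selector must match, a record is kept if any selector matches, and resources.type and resources.ARN match any resource on the record); the bucket, function, account ID and user names are made up.

```python
"""Evaluate CloudTrail advanced event selectors against log records.

Added example, not code from the AWS documentation. The matching rules are
a simplified local model of how CloudTrail applies advanced event
selectors; the records below are constructed and all names are made up.
"""
import json

# Constructed sample log in CloudTrail log-file shape (a Records array).
# Note the records are deliberately not in time order.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:02:13Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "eventCategory": "Management",
     "readOnly": False, "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "resources": []},
    {"eventTime": "2024-05-01T10:00:41Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventCategory": "Management",
     "readOnly": False, "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "resources": []},
    {"eventTime": "2024-05-01T10:01:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data", "readOnly": True,
     "userIdentity": {"type": "AssumedRole", "userName": "app-role"},
     "resources": [{"type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::example-bucket/secrets/db.env"}]},
    {"eventTime": "2024-05-01T10:01:09Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "eventCategory": "Data", "readOnly": False,
     "userIdentity": {"type": "AssumedRole", "userName": "app-role"},
     "resources": [{"type": "AWS::Lambda::Function",
                    "ARN": "arn:aws:lambda:us-east-1:111122223333:function:worker"}]},
]})

# What a new trail logs by default: management events only.
MANAGEMENT_ONLY = [
    {"Name": "Management events",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
]

# Management events plus S3 object data events under one bucket prefix.
WITH_S3_DATA = MANAGEMENT_ONLY + [
    {"Name": "S3 object events under example-bucket/secrets/",
     "FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Data"]},
         {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
         {"Field": "resources.ARN",
          "StartsWith": ["arn:aws:s3:::example-bucket/secrets/"]},
     ]},
]

_OPS = {
    "Equals": lambda v, t: v == t,
    "NotEquals": lambda v, t: v != t,
    "StartsWith": lambda v, t: v.startswith(t),
    "NotStartsWith": lambda v, t: not v.startswith(t),
    "EndsWith": lambda v, t: v.endswith(t),
    "NotEndsWith": lambda v, t: not v.endswith(t),
}


def _field_values(record, field):
    """Record values a selector field refers to, always as a list of str."""
    if field == "resources.type":
        return [r.get("type", "") for r in record.get("resources", [])]
    if field == "resources.ARN":
        return [r.get("ARN", "") for r in record.get("resources", [])]
    if field == "readOnly":
        return ["true" if record.get("readOnly") else "false"]
    return [str(record.get(field, ""))]


def _field_matches(record, fs):
    """Every operator in one FieldSelector must hold (assumed semantics)."""
    values = _field_values(record, fs["Field"])
    for op, targets in fs.items():
        if op == "Field":
            continue
        if op.startswith("Not"):
            # Negative operators: no value may match any listed target.
            if not all(_OPS[op](v, t) for v in values for t in targets):
                return False
        elif not any(_OPS[op](v, t) for v in values for t in targets):
            return False
    return True


def logged_events(log_json, selectors):
    """(eventTime, eventName) of records that at least one selector keeps,
    sorted by eventTime because log-file order is not guaranteed."""
    records = json.loads(log_json)["Records"]
    kept = [r for r in records
            if any(all(_field_matches(r, fs) for fs in s["FieldSelectors"])
                   for s in selectors)]
    return sorted((r["eventTime"], r["eventName"]) for r in kept)


def console_logins_without_mfa(log_json):
    """Management-event check: ConsoleLogin records where MFAUsed is not Yes."""
    return [r["userIdentity"].get("userName")
            for r in json.loads(log_json)["Records"]
            if r["eventName"] == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


if __name__ == "__main__":
    print("management only:", logged_events(SAMPLE_LOG, MANAGEMENT_ONLY))
    print("with S3 data   :", logged_events(SAMPLE_LOG, WITH_S3_DATA))
    print("ConsoleLogin without MFA:", console_logins_without_mfa(SAMPLE_LOG))
```

With the default selectors the S3 GetObject and Lambda Invoke records are dropped even though they are in the sample; adding the S3 selector keeps GetObject but still not Invoke, because that record's resources.type is AWS::Lambda::Function and no selector names it. The ConsoleLogin check is the kind of rule that works only because sign-in events are management events and so are present without any extra configuration.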
Insights events
CloudTrail Insights events capture unusual API call rate or error rate activity in your AWS account by analyzing CloudTrail management activity. Insights events provide relevant information, such as the associated API, error code, incident time, and statistics, that help you understand and act on unusual activity. Unlike the other event types captured in a CloudTrail trail or event data store, Insights events are logged only when CloudTrail detects an API call rate or error rate that differs significantly from the account's typical usage pattern.
Examples of activity that might generate Insights events include:
Your account typically logs no more than 20 Amazon S3 DeleteBucket API calls per minute, but your account starts to log an average of 100 DeleteBucket API calls per minute. An Insights event is logged at the start of the unusual activity, and another Insights event is logged to mark the end of the unusual activity.
Your account typically logs 20 calls per minute to the Amazon EC2 AuthorizeSecurityGroupIngress API, but your account starts to log zero calls to AuthorizeSecurityGroupIngress. An Insights event is logged at the start of the unusual activity, and ten minutes later, when the unusual activity ends, another Insights event is logged to mark the end of the unusual activity.
Your account typically logs less than one AccessDeniedException error in a seven-day period on the AWS Identity and Access Management API, DeleteInstanceProfile. Your account starts to log an average of 12 AccessDeniedException errors per minute on the DeleteInstanceProfile API call. An Insights event is logged at the start of the unusual error rate activity, and another Insights event is logged to mark the end of the unusual activity.
These examples are provided for illustration purposes only. Your results may vary depending on your use case.
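To make the three examples above concrete, here is an added example (not AWS code; CloudTrail's actual Insights algorithm is not published) of the same idea applied to constructed per-minute call counts: each minute is compared against a baseline average, a Start record is emitted when the rate leaves the normal band, and an End record is emitted when it returns. The field names insightType and state mirror those of real Insights records, but the thresholds (RATIO, MIN_SPIKE), the baseline window and the sample series are assumptions.

```python
"""Insights-style rate anomaly detection over per-minute CloudTrail counts.

Added example, not AWS code. The detection rule, thresholds and sample
series are assumptions; only the record field names (insightType, state,
eventSource, eventName) follow the shape of real Insights events.
"""
from statistics import mean

RATIO = 3.0      # anomalous if rate > RATIO * baseline or < baseline / RATIO
MIN_SPIKE = 5.0  # ignore spikes below this absolute rate (baseline near zero)

# Constructed: 30 quiet minutes averaging 20 DeleteBucket calls/min, a
# 10-minute burst around 100/min, 5 normal minutes, 10 minutes of zero
# calls, then 5 normal minutes again.
BASELINE_WINDOW = 30
DELETE_BUCKET_SERIES = ([18, 20, 22, 19, 21] * 6
                        + [95, 100, 105, 98, 102, 100, 99, 101, 103, 97]
                        + [20] * 5 + [0] * 10 + [20] * 5)

# Constructed: AccessDeniedException counts/min on DeleteInstanceProfile,
# normally zero, then 12/min for 8 minutes.
ACCESS_DENIED_SERIES = [0] * 30 + [12] * 8 + [0] * 5


def _is_anomalous(count, baseline):
    """Outside the band [baseline / RATIO, RATIO * baseline], with a floor so a
    baseline of ~0 does not flag every single call."""
    if count > max(RATIO * baseline, MIN_SPIKE):
        return True
    return baseline >= MIN_SPIKE and count < baseline / RATIO


def detect_insights(counts, baseline_minutes, event_source, event_name,
                    insight_type="ApiCallRateInsight"):
    """Return Start/End records for runs of anomalous minutes.

    counts[i] is the count in minute i; the first baseline_minutes values
    form the baseline. A run still open at the end of the series gets no
    End record, mirroring the fact that End is logged only when activity
    returns to normal."""
    baseline = mean(counts[:baseline_minutes])
    events, run = [], []
    for minute in range(baseline_minutes, len(counts)):
        count = counts[minute]
        if _is_anomalous(count, baseline):
            if not run:
                events.append({
                    "insightType": insight_type, "state": "Start",
                    "eventSource": event_source, "eventName": event_name,
                    "minute": minute,
                    "statistics": {"baselineAverage": baseline},
                })
            run.append(count)
        elif run:
            events.append({
                "insightType": insight_type, "state": "End",
                "eventSource": event_source, "eventName": event_name,
                "minute": minute,
                "statistics": {"baselineAverage": baseline,
                               "insightAverage": mean(run),
                               "insightDuration": len(run)},
            })
            run = []
    return events


if __name__ == "__main__":
    for ev in detect_insights(DELETE_BUCKET_SERIES, BASELINE_WINDOW,
                              "s3.amazonaws.com", "DeleteBucket"):
        print(ev)
    for ev in detect_insights(ACCESS_DENIED_SERIES, BASELINE_WINDOW,
                              "iam.amazonaws.com", "DeleteInstanceProfile",
                              insight_type="ApiErrorRateInsight"):
        print(ev)
```

Run on the DeleteBucket series this produces a Start at minute 30 and an End at minute 40 for the burst (insight average 100 against a baseline of 20), then a Start at 45 and an End at 55 for the drop to zero; the error series produces one Start/End pair for the AccessDeniedException burst. The point to take from it is that Insights marks the edges of an episode rather than each individual call, so a detection pipeline should pair Start and End records by eventSource and eventName rather than treat every Insights record as a fresh alert.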
To log CloudTrail Insights events, you must explicitly enable Insights events on a new or existing trail or event data store. For more information about logging Insights events, see
Additional charges apply for Insights events. You will be charged separately if you enable Insights for both trails and event data stores. For more information, see