Menu
AWS CloudFormation
User Guide (API Version 2010-05-15)

Logging AWS CloudFormation API Calls in AWS CloudTrail

AWS CloudFormation is integrated with AWS CloudTrail, a service that captures API calls made by or on behalf of your AWS account. This information is collected and written to log files that are stored in an Amazon S3 bucket that you specify. API calls are logged when you use the AWS CloudFormation API, the AWS CloudFormation console, a back-end console, or the AWS CLI. Using the information collected by CloudTrail, you can determine what request was made to AWS CloudFormation, the source IP address the request was made from, who made the request, when it was made, and so on.

To learn more about CloudTrail, including how to configure and enable it, see the AWS CloudTrail User Guide.

AWS CloudFormation Information in CloudTrail

If CloudTrail logging is turned on, calls made to all AWS CloudFormation actions are captured in log files. All the AWS CloudFormation actions are documented in the AWS CloudFormation API Reference. For example, calls to the CreateStack, DeleteStack, and ListStacks actions generate entries in CloudTrail log files.

Every log entry contains information about who generated the request. For example, if a request is made to list AWS CloudFormation stacks (ListStacks), CloudTrail logs the user identity of the person or service that made the request. The user identity information helps you determine whether the request was made with root or IAM user credentials, with temporary security credentials for a role or federated user, or by another AWS service. For more information about CloudTrail fields, see CloudTrail Event Reference in the AWS CloudTrail User Guide.

You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically. By default, your log files are encrypted by using Amazon S3 server-side encryption (SSE).

Understanding AWS CloudFormation Log File Entries

CloudTrail log files can contain one or more log entries composed of multiple JSON-formatted events. A log entry represents a single request from any source and includes information about the requested action, any input parameters, the date and time of the action, and so on. The log entries do not appear in any particular order. That is, they do not represent an ordered stack trace of the public API calls.

The following example record shows a CloudTrail log entry for the CreateStack action. The action was made by an IAM user named Alice.

Note

Only the input parameter key names are logged; no parameter values are logged.

Copy
{ "eventVersion": "1.01", "userIdentity": { "type": "IAMUser", "principalId": "AIDAABCDEFGHIJKLNMOPQ", "arn": "arn:aws:iam::012345678910:user/Alice", "accountId": "012345678910", "accessKeyId": "AKIDEXAMPLE", "userName": "Alice" }, "eventTime": "2014-03-24T21:02:43Z", "eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-cli/1.2.11 Python/2.7.4 Linux/2.6.18-164.el5", "requestParameters": { "templateURL": "https://s3.amazonaws.com/Alice-dev/create_stack", "tags": [ { "key": "test", "value": "tag" } ], "stackName": "my-test-stack", "disableRollback": true, "parameters": [ { "parameterKey": "password" }, { "parameterKey": "securitygroup" } ] }, "responseElements": { "stackId": "arn:aws:cloudformation:us-east-1:012345678910:stack/my-test-stack/a38e6a60-b397-11e3-b0fc-08002755629e" }, "requestID": "9f960720-b397-11e3-bb75-a5b75389b02d", "eventID": "9bf6cfb8-83e1-4589-9a70-b971e727099b" }

The following sample record shows that Alice called the UpdateStack action on the my-test-stack stack:

Copy
{ "eventVersion": "1.01", "userIdentity": { "type": "IAMUser", "principalId": "AIDAABCDEFGHIJKLNMOPQ", "arn": "arn:aws:iam::012345678910:user/Alice", "accountId": "012345678910", "accessKeyId": "AKIDEXAMPLE", "userName": "Alice" }, "eventTime": "2014-03-24T21:04:29Z", "eventSource": "cloudformation.amazonaws.com", "eventName": "UpdateStack", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-cli/1.2.11 Python/2.7.4 Linux/2.6.18-164.el5", "requestParameters": { "templateURL": "https://s3.amazonaws.com/Alice-dev/create_stack", "parameters": [ { "parameterKey": "password" }, { "parameterKey": "securitygroup" } ], "stackName": "my-test-stack" }, "responseElements": { "stackId": "arn:aws:cloudformation:us-east-1:012345678910:stack/my-test-stack/a38e6a60-b397-11e3-b0fc-08002755629e" }, "requestID": "def0bf5a-b397-11e3-bb75-a5b75389b02d", "eventID": "637707ce-e4a3-4af1-8edc-16e37e851b17" }

The following sample record shows that Alice called the ListStacks action.

Copy
{ "eventVersion": "1.01", "userIdentity": { "type": "IAMUser", "principalId": "AIDAABCDEFGHIJKLNMOPQ", "arn": "arn:aws:iam::012345678910:user/Alice", "accountId": "012345678910", "accessKeyId": "AKIDEXAMPLE", "userName": "Alice" }, "eventTime": "2014-03-24T21:03:16Z", "eventSource": "cloudformation.amazonaws.com", "eventName": "ListStacks", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-cli/1.2.11 Python/2.7.4 Linux/2.6.18-164.el5", "requestParameters": null, "responseElements": null, "requestID": "b7d351d7-b397-11e3-bb75-a5b75389b02d", "eventID": "918206d0-7281-4629-b778-b91eb0d83ce5" }

The following sample record shows that Alice called the DescribeStacks action on the my-test-stack stack.

Copy
{ "eventVersion": "1.01", "userIdentity": { "type": "IAMUser", "principalId": "AIDAABCDEFGHIJKLNMOPQ", "arn": "arn:aws:iam::012345678910:user/Alice", "accountId": "012345678910", "accessKeyId": "AKIDEXAMPLE", "userName": "Alice" }, "eventTime": "2014-03-24T21:06:15Z", "eventSource": "cloudformation.amazonaws.com", "eventName": "DescribeStacks", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-cli/1.2.11 Python/2.7.4 Linux/2.6.18-164.el5", "requestParameters": { "stackName": "my-test-stack" }, "responseElements": null, "requestID": "224f2586-b398-11e3-bb75-a5b75389b02d", "eventID": "9e5b2fc9-1ba8-409b-9c13-587c2ea940e2" }

The following sample record shows that Alice called the DeleteStack action on the my-test-stack stack.

Copy
{ "eventVersion": "1.01", "userIdentity": { "type": "IAMUser", "principalId": "AIDAABCDEFGHIJKLNMOPQ", "arn": "arn:aws:iam::012345678910:user/Alice", "accountId": "012345678910", "accessKeyId": "AKIDEXAMPLE", "userName": "Alice" }, "eventTime": "2014-03-24T21:07:15Z", "eventSource": "cloudformation.amazonaws.com", "eventName": "DeleteStack", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-cli/1.2.11 Python/2.7.4 Linux/2.6.18-164.el5", "requestParameters": { "stackName": "my-test-stack" }, "responseElements": null, "requestID": "42dae739-b398-11e3-bb75-a5b75389b02d", "eventID": "4965eb38-5705-4942-bb7f-20ebe79aa9aa" }