Logging Amazon CloudWatch API calls with AWS CloudTrail - Amazon CloudWatch

Logging Amazon CloudWatch API calls with AWS CloudTrail

Amazon CloudWatch and CloudWatch Synthetics are integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service. CloudTrail captures API calls made by or on behalf of your AWS account. The captured calls include calls from the console and code calls to API operations.

If you create a trail, you can enable continuous delivery of CloudTrail events to an S3 bucket, including events for CloudWatch. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can determine the request that was made to CloudWatch, the IP address from which the request was made, who made the request, when it was made, and other details.

To learn more about CloudTrail, including how to configure and enable it, see the AWS CloudTrail User Guide.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:

  • Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.

  • Whether the request was made with temporary security credentials for a role or federated user.

  • Whether the request was made by another AWS service.

For more information, see the CloudTrail userIdentity Element.

For an ongoing record of events in your AWS account, including events for CloudWatch and CloudWatch Synthetics, create a trail. A trail enables CloudTrail to deliver log files to an S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the S3 bucket that you specify. You can configure other AWS services to further analyze and act on the event data collected in CloudTrail logs. For more information, see the following:

Note

For information about CloudWatch Logs API calls that are logged in CloudTrail, see CloudWatch Logs information in CloudTrail.

CloudWatch information in CloudTrail

CloudWatch supports logging the following actions as events in CloudTrail log files:

Example: CloudWatch log file entries

The following example shows a CloudTrail log entry that demonstrates the PutMetricAlarm action.

{ "Records": [{ "eventVersion": "1.01", "userIdentity": { "type": "Root", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID" }, "eventTime": "2014-03-23T21:50:34Z", "eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-sdk-ruby2/2.0.0.rc4 ruby/1.9.3 x86_64-linux Seahorse/0.1.0", "requestParameters": { "threshold": 50.0, "period": 60, "metricName": "CloudTrail Test", "evaluationPeriods": 3, "comparisonOperator": "GreaterThanThreshold", "namespace": "AWS/CloudWatch", "alarmName": "CloudTrail Test Alarm", "statistic": "Sum" }, "responseElements": null, "requestID": "29184022-b2d5-11e3-a63d-9b463e6d0ff0", "eventID": "b096d5b7-dcf2-4399-998b-5a53eca76a27" }, ..additional entries ] }

The following log file entry shows that a user called the CloudWatch Events PutRule action.

{ "eventVersion":"1.03", "userIdentity":{ "type":"Root", "principalId":"123456789012", "arn":"arn:aws:iam::123456789012:root", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext":{ "attributes":{ "mfaAuthenticated":"false", "creationDate":"2015-11-17T23:56:15Z" } } }, "eventTime":"2015-11-18T00:11:28Z", "eventSource":"events.amazonaws.com", "eventName":"PutRule", "awsRegion":"us-east-1", "sourceIPAddress":"AWS Internal", "userAgent":"AWS CloudWatch Console", "requestParameters":{ "description":"", "name":"cttest2", "state":"ENABLED", "eventPattern":"{\"source\":[\"aws.ec2\"],\"detail-type\":[\"EC2 Instance State-change Notification\"]}", "scheduleExpression":"" }, "responseElements":{ "ruleArn":"arn:aws:events:us-east-1:123456789012:rule/cttest2" }, "requestID":"e9caf887-8d88-11e5-a331-3332aa445952", "eventID":"49d14f36-6450-44a5-a501-b0fdcdfaeb98", "eventType":"AwsApiCall", "apiVersion":"2015-10-07", "recipientAccountId":"123456789012" }

The following log file entry shows that a user called the CloudWatch Logs CreateExportTask action.

{ "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/someuser", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "someuser" }, "eventTime": "2016-02-08T06:35:14Z", "eventSource": "logs.amazonaws.com", "eventName": "CreateExportTask", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-sdk-ruby2/2.0.0.rc4 ruby/1.9.3 x86_64-linux Seahorse/0.1.0", "requestParameters": { "destination": "yourdestination", "logGroupName": "yourloggroup", "to": 123456789012, "from": 0, "taskName": "yourtask" }, "responseElements": { "taskId": "15e5e534-9548-44ab-a221-64d9d2b27b9b" }, "requestID": "1cd74c1c-ce2e-12e6-99a9-8dbb26bd06c9", "eventID": "fd072859-bd7c-4865-9e76-8e364e89307c", "eventType": "AwsApiCall", "apiVersion": "20140328", "recipientAccountId": "123456789012" }

CloudWatch Internet Monitor in CloudTrail

CloudWatch Internet Monitor supports logging the following actions as events in CloudTrail log files.

Example: CloudWatch Internet Monitor log file entries

The following example shows a CloudTrail Internet Monitor log entry that demonstrates the ListMonitors action.

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:assumed-role/role_name", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:role/Admin", "accountId":"123456789012", "userName": "SAMPLE_NAME" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-10-11T17:25:41Z", "mfaAuthenticated": "false" } } }, "eventTime": "2022-10-11T17:30:18Z", "eventSource": "internetmonitor.amazonaws.com", "eventName": "ListMonitors", "awsRegion": "us-east-2", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)", "requestParameters": null, "responseElements": null, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }

The following example shows a CloudTrail Internet Monitor log entry that demonstrates the CreateMonitor action.

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:assumed-role/role_name", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::000000000000:role/Admin", "accountId":"123456789012", "userName": "SAMPLE_NAME" }, "webIdFederationData": {}, "attributes": { "creationDate": "2022-10-11T17:25:41Z", "mfaAuthenticated": "false" } } }, "eventTime": "2022-10-11T17:30:08Z", "eventSource": "internetmonitor.amazonaws.com", "eventName": "CreateMonitor", "awsRegion": "us-east-2", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)", "requestParameters": { "MonitorName": "TestMonitor", "Resources": ["arn:aws:ec2:us-east-2:444455556666:vpc/vpc-febc0b95"], "ClientToken": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333" }, "responseElements": { "Arn": "arn:aws:internetmonitor:us-east-2:444455556666:monitor/ct-onboarding-test", "Status": "PENDING" }, "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLEbbbbb", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }

CloudWatch Synthetics information in CloudTrail

CloudWatch Synthetics supports logging the following actions as events in CloudTrail log files:

Example: CloudWatch Synthetics log file entries

The following example shows a CloudTrail Synthetics log entry that demonstrates the DescribeCanaries action.

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:assumed-role/role_name", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111222333444:role/Administrator", "accountId":"123456789012", "userName": "SAMPLE_NAME" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2020-04-08T21:43:24Z" } } }, "eventTime": "2020-04-08T23:06:47Z", "eventSource": "synthetics.amazonaws.com", "eventName": "DescribeCanaries", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", "requestParameters": null, "responseElements": null, "requestID": "201ed5f3-15db-4f87-94a4-123456789", "eventID": "73ddbd81-3dd0-4ada-b246-123456789", "readOnly": true, "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }

The following example shows a CloudTrail Synthetics log entry that demonstrates the UpdateCanary action.

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:assumed-role/role_name", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111222333444:role/Administrator", "accountId":"123456789012", "userName": "SAMPLE_NAME" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2020-04-08T21:43:24Z" } } }, "eventTime": "2020-04-08T23:06:47Z", "eventSource": "synthetics.amazonaws.com", "eventName": "UpdateCanary", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", "requestParameters": { "Schedule": { "Expression": "rate(1 minute)" }, "name": "sample_canary_name", "Code": { "Handler": "myOwnScript.handler", "ZipFile": "SAMPLE_ZIP_FILE" } }, "responseElements": null, "requestID": "fe4759b0-0849-4e0e-be71-1234567890", "eventID": "9dc60c83-c3c8-4fa5-bd02-1234567890", "readOnly": false, "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }

The following example shows a CloudTrail Synthetics log entry that demonstrates the GetCanaryRuns action.

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:assumed-role/role_name", "accountId":"123456789012", "accessKeyId":"AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111222333444:role/Administrator", "accountId":"123456789012", "userName": "SAMPLE_NAME" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2020-04-08T21:43:24Z" } } }, "eventTime": "2020-04-08T23:06:30Z", "eventSource": "synthetics.amazonaws.com", "eventName": "GetCanaryRuns", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", "requestParameters": { "Filter": "TIME_RANGE", "name": "sample_canary_name", "FilterValues": [ "2020-04-08T23:00:00.000Z", "2020-04-08T23:10:00.000Z" ] }, "responseElements": null, "requestID": "2f56318c-cfbd-4b60-9d93-1234567890", "eventID": "52723fd9-4a54-478c-ac55-1234567890", "readOnly": true, "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }