Menu
AWS CloudTrail
User Guide (Version 1.0)

CloudTrail Record Contents

The body of the record contains fields that help you determine the requested action as well as when and where the request was made.

eventTime

The date and time the request was made, in coordinated universal time (UTC).

eventVersion

The version of the log event format. The current version is 1.05.

userIdentity

Information about the user that made a request. For more information, see CloudTrail userIdentity Element.

eventSource

The service that the request was made to. This name is typically a short form of the service name without spaces plus .amazonaws.com. For example:

  • AWS CloudFormation is cloudformation.amazonaws.com.

  • Amazon EC2 is ec2.amazonaws.com.

  • Amazon Simple Workflow Service is swf.amazonaws.com.

This convention has some exceptions. For example, the eventSource for Amazon CloudWatch is monitoring.amazonaws.com.

eventName

The requested action, which is one of the actions in the API for that service.

awsRegion

The AWS region that the request was made to, such as us-east-1. See CloudTrail Supported Regions.

sourceIPAddress

The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. For services in AWS, only the DNS name is displayed.

userAgent

The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs or the AWS CLI. The following are example values:

  • signin.amazonaws.com – The request was made by an IAM user with the AWS Management Console.

  • console.amazonaws.com – The request was made by a root user with the AWS Management Console.

  • lambda.amazonaws.com – The request was made with AWS Lambda.

  • aws-sdk-java – The request was made with the AWS SDK for Java.

  • aws-sdk-ruby – The request was made with the AWS SDK for Ruby.

  • aws-cli/1.3.23 Python/2.7.6 Linux/2.6.18-164.el5 – The request was made with the AWS CLI installed on Linux.

Note

For events originated by AWS, this field is usually aws-internal/# where # is a number used for internal purposes.

errorCode

The AWS service error if the request returns an error.

errorMessage

If the request returns an error, the description of the error. This message includes messages for authorization failures. CloudTrail captures the message logged by the service in its exception handling. For an example, see Error Code and Message Log Example.

Note

Some AWS services provide the errorCode and errorMessage as top-level fields in the event. Other AWS services provide error information as part of responseElements.

requestParameters

The parameters, if any, that were sent with the request. These parameters are documented in the API reference documentation for the appropriate AWS service.

responseElements

The response element for actions that make changes (create, update, or delete actions). If an action does not change state (for example, a request to get or list objects), this element is omitted. These actions are documented in the API reference documentation for the appropriate AWS service.

additionalEventData

Additional data about the event that was not part of the request or response.

Support for this field begins with eventVersion 1.00.

requestID

The value that identifies the request. The service being called generates this value.

Support for this field begins with eventVersion 1.01.

eventID

GUID generated by CloudTrail to uniquely identify each event. You can use this value to identify a single event. For example, you can use the ID as a primary key to retrieve log data from a searchable database.

Support for this field begins with eventVersion 1.01.

eventType

Identifies the type of event that generated the event record. This can be the one of the following values:

  • AwsApiCall – An API was called.

  • AwsServiceEvent – The service generated an event related to your trail. For example, this can occur when another account made a call with a resource that you own.

  • ConsoleSignin – A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console.

Support for this field begins with eventVersion 1.02.

apiVersion

Identifies the API version associated with the AwsApiCall eventType value.

Support for this field begins with eventVersion 1.02.

readOnly

Identifies whether this operation is a read-only operation. This can be one of the following values:

  • true – The operation is read-only (for example, DescribeTrails).

  • false – The operation is write-only (for example, DeleteTrail).

Support for this field begins with eventVersion 1.01.

resources

A list of resources accessed in the event. The field can contain the following information:

  • Resource ARNs

  • Account ID of the resource owner

  • Resource type identifier in the format: AWS::aws-service-name::data-type-name

For example, when an AssumeRole event is logged, the resources field can appear like the following:

  • ARN: arn:aws:iam::123456789012:role/myRole

  • Account ID: 123456789012

  • Resource type identifier: AWS::IAM::Role

For example logs with the resources field, see AWS STS API Event in CloudTrail Log File in the IAM User Guide or Logging AWS KMS API Calls in the AWS Key Management Service Developer Guide .

Support for this field begins with eventVersion 1.01.

recipientAccountID

Represents the account ID that received this event. The recipientAccountID may be different from the CloudTrail userIdentity Element accountId. This can occur in cross-account resource access. For example, if a KMS key, also known as a customer master key (CMK), was used by a separate account to call the Encrypt API, the accountId and recipientAccountID values will be the same for the event delivered to the account that made the call, but the values will be different for the event that is delivered to the account that owns the CMK.

Support for this field begins with eventVersion 1.02.

serviceEventDetails

Identifies the service event, including what triggered the event and the result. For more information, see AWS Service Events.

Support for this field begins with eventVersion 1.05.

sharedEventID

GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts.

For example, when an account uses a KMS key, also known as a customer master key (CMK), that belongs to another account, the account that used the CMK and the account that owns the CMK receive separate CloudTrail events for the same action. Each CloudTrail event delivered for this AWS action shares the same sharedEventID, but also has a unique eventID and recipientAccountID.

For more information, see sharedEventID Example.

Note

The sharedEventID field is present only when CloudTrail events are delivered to multiple accounts. If the caller and owner are the same AWS account, CloudTrail sends only one event, and the sharedEventID field is not present.

Support for this field begins with eventVersion 1.03.

vpcEndpointId

Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3.

Support for this field begins with eventVersion 1.04.