AWS CloudTrail
User Guide (Version 1.0)

Viewing CloudTrail Events in the CloudTrail Console

Use the CloudTrail console to review API activity for a region during the last seven days.

To view CloudTrail events

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/home/.

  2. In the navigation pane, choose API Activity History.

A list of events appears in the content pane with the latest event first. Scroll down to see more events. Events that have not been logged will not appear.

For a list of supported services and regions, see Services Supported by CloudTrail API Activity History and Regions Supported by CloudTrail API Activity History.

Filtering CloudTrail Events

You can filter events by the following attributes. You can filter by time range and one other attribute.

Event ID

The CloudTrail ID of the event.

Event name

The name of the event.

Event source

The AWS service to which the request was made.

Resource name

The name or ID of the resource referenced by the event. For example, the resource name might be "auto-scaling-test-group" for an Auto Scaling group or "i-1234567" for an EC2 instance.

Resource type

The type of resource referenced by the event. For example, a resource type can be Instance for EC2 or DBInstance for RDS. For more information, see Resource Types Supported by CloudTrail API Activity History.

Time range

The time range in which you want to filter events. You can filter events for the last seven days.

User name

The name of the user referenced by the event. For example, this can be an IAM user.

If there are no events logged for the attribute or time that you choose, the results list is empty. You can apply only one attribute filter in addition to the time range. Choosing a second attribute filter replaces the first attribute filter while preserving your specified time range.

The following steps describe how to filter by attribute.

To filter by attribute

  1. To filter the results by an attribute, choose Select attribute, and then type or choose a value in the Enter lookup value box.

  2. To remove an attribute filter, click the X on the right of the attribute filter box.

The following steps describe how to filter by a start and end date and time.

To filter by a start and end date and time

  1. To narrow the time range for the events that you want to see, choose Select time range.

  2. To remove a time range filter, click the calendar icon on the right of the Time range box, and then choose Remove.
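The console accepts only one attribute filter alongside the time range, so a question such as "which users did this person create?" means exporting events and combining attributes yourself. The following is an added example, not code from this guide: the function names are hypothetical, the records are constructed, and their field names assume the shape of the CloudTrail LookupEvents API response.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 1, 8, tzinfo=timezone.utc)  # constructed "current" time

# Console attribute -> values it matches in a LookupEvents-shaped record.
ATTRIBUTES = {
    "Event ID": lambda e: [e["EventId"]],
    "Event name": lambda e: [e["EventName"]],
    "Event source": lambda e: [e["EventSource"]],
    "User name": lambda e: [e.get("Username")],
    "Resource name": lambda e: [r["ResourceName"] for r in e.get("Resources", [])],
    "Resource type": lambda e: [r["ResourceType"] for r in e.get("Resources", [])],
}

def filter_events(events, start, end, attribute=None, value=None):
    """Console behaviour: a time range plus at most one attribute, newest first."""
    if attribute is not None and attribute not in ATTRIBUTES:
        raise ValueError(f"unsupported attribute: {attribute}")
    hits = [e for e in events
            if start <= e["EventTime"] <= end
            and (attribute is None or value in ATTRIBUTES[attribute](e))]
    return sorted(hits, key=lambda e: e["EventTime"], reverse=True)

def filter_all(events, start, end, criteria):
    """AND several attributes together by re-filtering the previous result."""
    hits = filter_events(events, start, end)
    for attribute, value in criteria.items():
        hits = filter_events(hits, start, end, attribute, value)
    return hits

def _ev(eid, name, source, days_ago, user, rtype, rname):
    return {"EventId": eid, "EventName": name, "EventSource": source,
            "EventTime": NOW - timedelta(days=days_ago), "Username": user,
            "Resources": [{"ResourceType": rtype, "ResourceName": rname}]}

# Constructed sample records (IDs, users and times are made up for illustration).
EVENTS = [
    _ev("e1", "CreateUser", "iam.amazonaws.com", 3, "alice", "AWS::IAM::User", "Bob-user"),
    _ev("e2", "UpdateUser", "iam.amazonaws.com", 2, "alice", "AWS::IAM::User", "Bob-admin"),
    _ev("e3", "RunInstances", "ec2.amazonaws.com", 1, "carol", "AWS::EC2::Instance", "i-1234567"),
    _ev("e4", "CreateUser", "iam.amazonaws.com", 4, "carol", "AWS::IAM::User", "svc-test"),
    _ev("e5", "CreateUser", "iam.amazonaws.com", 9, "alice", "AWS::IAM::User", "old-user"),
]
WEEK_AGO = NOW - timedelta(days=7)  # the console only reaches back seven days

def ids(events):
    return [e["EventId"] for e in events]

if __name__ == "__main__":
    print(ids(filter_events(EVENTS, WEEK_AGO, NOW, "User name", "alice")))
    print(ids(filter_all(EVENTS, WEEK_AGO, NOW,
                         {"User name": "alice", "Event name": "CreateUser"})))
```

The nine-day-old record `e5` never appears because it falls outside the seven-day window, which is the same reason older activity is missing from the console list.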

Viewing Details for an Event

  1. Choose an event in the results list to show its details.

  2. If the event referenced more than one resource, the additional resources are listed at the bottom of the details pane.

  3. Some referenced resources have links. Click a referenced resource link to open the console for that resource.

  4. Choose View Event in the details pane to view the event in JSON format.

  5. Click the event again to close the details pane.

Viewing Resources Referenced with AWS Config

AWS Config records configuration details, relationships, and changes to your AWS resources.

On the Resources Referenced pane, click the AWS Config timeline icon in the Config timeline column to view the resource in the AWS Config console.

If the AWS Config timeline icon is gray, AWS Config is not turned on, or it's not recording the resource type. Click the icon to go to the AWS Config console to turn on the service or start recording that resource type. For more information, see Set Up AWS Config Using the Console in the AWS Config Developer Guide.

If Link not available appears in the column, the resource can't be viewed for one of the following reasons:

  • AWS Config doesn't support the resource type. For more information, see Supported Resources, Configuration Items, and Relationships in the AWS Config Developer Guide.

  • AWS Config recently added support for the resource type, but it's not yet available from the CloudTrail console. You can look up the resource in the AWS Config console to see the timeline for the resource.

  • The resource is owned by another AWS account.

  • The resource is owned by another AWS service, such as a managed IAM policy.

  • The resource was created and then deleted immediately.

  • The resource was recently created or updated.

Example

  1. You configure AWS Config to record IAM resources.

  2. You create an IAM user, Bob-user. The API activity history page shows the CreateUser event and Bob-user as an IAM resource. You can click the AWS Config icon to view this IAM resource in the AWS Config timeline.

  3. You update the user name to Bob-admin.

  4. The API activity history page shows the UpdateUser event and Bob-admin as the updated IAM resource.

  5. You can click the icon to view the Bob-admin IAM resource in the timeline. However, you can't click the icon for Bob-user, because the resource name changed. AWS Config is now recording the updated resource.

To grant users read-only permission to view resources in the AWS Config console, see Granting Permission to View AWS Config Information on the CloudTrail Console.

For more information about AWS Config, see the AWS Config Developer Guide.