Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the Logging data events, Logging network activity events, and Logging management events topics in the AWS CloudTrail User Guide.
You cannot apply both event selectors and advanced event selectors to a trail.
Supported CloudTrail event record fields for management events
-
eventCategory(required) -
eventSource -
readOnly
The following additional fields are available for event data stores:
-
eventName -
eventType -
sessionCredentialFromConsole -
userIdentity.arn
Supported CloudTrail event record fields for data events
-
eventCategory(required) -
resources.type(required) -
readOnly -
eventName -
resources.ARN
The following additional fields are available for event data stores:
-
eventSource -
eventType -
sessionCredentialFromConsole -
userIdentity.arn
Supported CloudTrail event record fields for network activity events
-
eventCategory(required) -
eventSource(required) -
eventName -
errorCode- The only valid value forerrorCodeisVpceAccessDenied. -
vpcEndpointId
Note
For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS, the only supported field is
eventCategory.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
"FieldSelectors" : [ AdvancedFieldSelector, ... ],
"Name" : String
}
YAML
FieldSelectors:
- AdvancedFieldSelector
Name: String
Properties
FieldSelectors-
Contains all selector statements in an advanced event selector.
Required: Yes
Type: Array of AdvancedFieldSelector
Minimum:
1Update requires: No interruption
Name-
An optional, descriptive name for an advanced event selector, such as "Log data events for only two S3 buckets".
Required: No
Type: String
Minimum:
1Maximum:
1000Update requires: No interruption
