Logging Amazon SQS API calls using
AWS CloudTrail
Amazon SQS is integrated with AWS CloudTrail to record the Amazon SQS calls from a user, role, or
AWS service. CloudTrail captures API calls related to Amazon SQS standard and FIFO queues as
events, including interactions initiated through the Amazon SQS
console as well as programmatically via calls to the Amazon SQS APIs.
CloudTrail is turned on by default when you create your AWS account. When a supported
Amazon SQS event activity occurs, it is recorded in a CloudTrail event, along with other AWS
service events, in the event history. You can view, search, and download recent
events for your AWS account. For more information, see Viewing Events with CloudTrail Event
History in the AWS CloudTrail User Guide.
Amazon SQS APIs that call queue management operations, such as
AddPermission
are categorized as management events and are logged
in CloudTrail by default. Amazon SQS APIs that are high volume operations performed on an
Amazon SQS queue, such as SendMessage
are categorized as data events and are
logged after you opt-in with CloudTrail.
Using the information that CloudTrail collects, you can identify a specific request to
an Amazon SQS API, the IP address or identity of the requester, and the date and time of
the request. If you configure a CloudTrail trail, you can
continuously deliver CloudTrail events to an Amazon S3 bucket with an optional delivery to
Amazon CloudWatch Logs and AWS EventBridge. If you do not configure a trail, you can only
view the event history of management events in events in the CloudTrail console. For more
information, see Overview for Creating a Trail in the AWS CloudTrail User Guide.
Management events in CloudTrail
Amazon SQS logs the following API actions as management events:
The following Amazon SQS APIs are not supported for CloudTrail
logging:
Data events in CloudTrail
Data events provide information about the resource operations
performed on or in a resource, such as sending or receiving an Amazon SQS message to and
from an Amazon SQS queue. Data events are high-volume activities that CloudTrail does not log
by default. You can enable data events API action logging for your SQS queue by
using CloudTrail APIs. For more information, see Logging data
events in the AWS CloudTrail User Guide.
With CloudTrail, you can use advanced event selectors to decide which Amazon SQS API
activities are logged and recorded. To log Amazon SQS data events, you must include the
resource type AWS::SQS::Queue
. Once this is set, you can refine your
logging preferences further by selecting specific data events for recording, such as
using the eventName
filter to track SendMessage
events.
For more information, see AdvancedEventSelector
in the
AWS CloudTrail API Reference.
Amazon SQS data events:
Additional charges apply for data events. For more information, see AWS CloudTrail
Pricing.
Examples: CloudTrail management
events for Amazon SQS
The following examples show CloudTrail log entries for supported APIs:
- AddPermission
-
The following example shows a CloudTrail log entry for an
AddPermission
API call.
{
"Records": [
{
"eventVersion": "1.06",
"userIdentity": {
"type": "IAMUser",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Alice"
},
"eventTime": "2018-06-28T22:23:46Z",
"eventSource": "sqs.amazonaws.com",
"eventName": "AddPermission",
"awsRegion": "us-east-2",
"sourceIPAddress": "203.0.113.0",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
"requestParameters": {
"actions": [
"SendMessage"
],
"AWSAccountIds": [
"123456789012"
],
"label": "MyLabel",
"queueUrl": "https://sqs.us-east-2.amazon.com/123456789012/MyQueue"
},
"responseElements": null,
"requestID": "123abcde-f4gh-50ij-klmn-60o789012p30",
"eventID": "0987g654-32f1-09e8-d765-c4f3fb2109fa"
}
]
}
- CreateQueue
-
The following example shows a CloudTrail log entry for a
CreateQueue
API call.
{
"Records": [
{
"eventVersion": "1.06",
"userIdentity": {
"type": "IAMUser",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:iam::123456789012:user/Alejandro",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Alejandro"
},
"eventTime": "2018-06-28T22:23:46Z",
"eventSource": "sqs.amazonaws.com",
"eventName": "CreateQueue",
"awsRegion": "us-east-2",
"sourceIPAddress": "203.0.113.1",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
"requestParameters": {
"queueName": "MyQueue"
},
"responseElements": {
"queueUrl": "https://sqs.us-east-2.amazon.com/123456789012/MyQueue"
},
"requestID": "123abcde-f4gh-50ij-klmn-60o789012p30",
"eventID": "0987g654-32f1-09e8-d765-c4f3fb2109fa"
}
]
}
- DeleteQueue
-
The following example shows a CloudTrail log entry for a
DeleteQueue
API call.
{
"Records": [
{
"eventVersion": "1.06",
"userIdentity": {
"type": "IAMUser",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:iam::123456789012:user/Carlos",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Carlos"
},
"eventTime": "2018-06-28T22:23:46Z",
"eventSource": "sqs.amazonaws.com",
"eventName": "DeleteQueue",
"awsRegion": "us-east-2",
"sourceIPAddress": "203.0.113.2",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
"requestParameters": {
"queueUrl": "https://sqs.us-east-2.amazon.com/123456789012/MyQueue"
},
"responseElements": null,
"requestID": "123abcde-f4gh-50ij-klmn-60o789012p30",
"eventID": "0987g654-32f1-09e8-d765-c4f3fb2109fa"
}
]
}
- RemovePermission
-
The following example shows a CloudTrail log entry for a
RemovePermission
API call.
{
"Records": [
{
"eventVersion": "1.06",
"userIdentity": {
"type": "IAMUser",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:iam::123456789012:user/Jane",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Jane"
},
"eventTime": "2018-06-28T22:23:46Z",
"eventSource": "sqs.amazonaws.com",
"eventName": "RemovePermission",
"awsRegion": "us-east-2",
"sourceIPAddress": "203.0.113.3",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
"requestParameters": {
"label": "label",
"queueUrl": "https://sqs.us-east-2.amazon.com/123456789012/MyQueue"
},
"responseElements": null,
"requestID": "123abcde-f4gh-50ij-klmn-60o789012p30",
"eventID": "0987g654-32f1-09e8-d765-c4f3fb2109fa"
}
]
}
- SetQueueAttributes
-
The following example shows a CloudTrail log entry for
SetQueueAttributes
:
{
"Records": [
{
"eventVersion": "1.06",
"userIdentity": {
"type": "IAMUser",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:iam::123456789012:user/Maria",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Maria"
},
"eventTime": "2018-06-28T22:23:46Z",
"eventSource": "sqs.amazonaws.com",
"eventName": "SetQueueAttributes",
"awsRegion": "us-east-2",
"sourceIPAddress": "203.0.113.4",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
"requestParameters": {
"attributes": {
"VisibilityTimeout": "100"
},
"queueUrl": "https://sqs.us-east-2.amazon.com/123456789012/MyQueue"
},
"responseElements": null,
"requestID": "123abcde-f4gh-50ij-klmn-60o789012p30",
"eventID": "0987g654-32f1-09e8-d765-c4f3fb2109fa"
}
]
}
Examples: CloudTrail data events for
Amazon SQS
The following are examples of CloudTrail events specific to Amazon SQS data event APIs:
- SendMessage
-
The following example shows a CloudTrail data event for
SendMessage
.
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "EXAMPLE_PRINCIPAL_ID",
"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/SessionName",
"accountId": "123456789012",
"accessKeyId": "ACCESS_KEY_ID",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed",
"accountId": "123456789012",
"userName": "RoleToBeAssumed"
},
"attributes": {
"creationDate": "2023-11-07T22:13:06Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-11-07T23:59:11Z",
"eventSource": "sqs.amazonaws.com",
"eventName": "SendMessage",
"awsRegion": "ap-southeast-4",
"sourceIPAddress": "10.0.118.80",
"userAgent": "aws-cli/1.29.16 md/Botocore#1.31.16 ua/2.0 os/linux#5.4.250-173.369.amzn2int.x86_64 md/arch#x86_64 lang/python#3.8.17 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.31.16",
"requestParameters": {
"queueUrl": "https://sqs.ap-southeast-4.amazonaws.com/123456789012/MyQueue",
"messageBody": "HIDDEN_DUE_TO_SECURITY_REASONS",
"messageDeduplicationId": "MsgDedupIdSdk1ae1958f2-bbe8-4442-83e7-4916e3b035aa",
"messageGroupId": "MsgGroupIdSdk16"
},
"responseElements": {
"mD5OfMessageBody": "9a4e3f7a614d9dd9f8722092dbda17a2",
"mD5OfMessageSystemAttributes": "f88f0587f951b7f5551f18ae699c3a9d",
"messageId": "93bb6e2d-1090-416c-81b0-31eb1faa8cd8",
"sequenceNumber": "18881790870905840128"
},
"requestID": "c4584600-fe8a-5aa3-a5ba-1bc42f055fae",
"eventID": "98c735d8-70e0-4644-9432-b6ced4d791b1",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::SQS::Queue",
"ARN": "arn:aws:sqs:ap-southeast-4:123456789012:MyQueue"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "sqs.ap-southeast-4.amazonaws.com"
}
- ReceiveMessage
-
The following example shows a CloudTrail data event for
ReceiveMessage
.
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "EXAMPLE_PRINCIPAL_ID",
"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/SessionName",
"accountId": "123456789012",
"accessKeyId": "ACCESS_KEY_ID",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed",
"accountId": "123456789012",
"userName": "RoleToBeAssumed"
},
"attributes": {
"creationDate": "2023-11-07T22:13:06Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-11-07T23:59:24Z",
"eventSource": "sqs.amazonaws.com",
"eventName": "ReceiveMessage",
"awsRegion": "ap-southeast-4",
"sourceIPAddress": "10.0.118.80",
"userAgent": "aws-cli/1.29.16 md/Botocore#1.31.16 ua/2.0 os/linux#5.4.250-173.369.amzn2int.x86_64 md/arch#x86_64 lang/python#3.8.17 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.31.16",
"requestParameters": {
"queueUrl": "https://sqs.ap-southeast-4.amazonaws.com/123456789012/MyQueue",
"maxNumberOfMessages": 10
},
"responseElements": null,
"requestID": "8b4d4643-8f49-52cd-a6e8-1b875ed54b99",
"eventID": "f3f23ab7-b0a4-4b71-afc0-141209c49206",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::SQS::Queue",
"ARN": "arn:aws:sqs:ap-southeast-4:123456789012:MyQueue"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "sqs.ap-southeast-4.amazonaws.com"
}
}
- DeleteMessageBatch
-
The following example shows a CloudTrail data event for
DeleteMessageBatch
.
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "EXAMPLE_PRINCIPAL_ID",
"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/SessionName",
"accountId": "123456789012",
"accessKeyId": "ACCESS_KEY_ID",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed",
"accountId": "123456789012",
"userName": "RoleToBeAssumed"
},
"attributes": {
"creationDate": "2023-11-07T22:13:06Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-11-07T23:59:24Z",
"eventSource": "sqs.amazonaws.com",
"eventName": "DeleteMessageBatch",
"awsRegion": "ap-southeast-4",
"sourceIPAddress": "10.0.118.80",
"userAgent": "aws-cli/1.29.16 md/Botocore#1.31.16 ua/2.0 os/linux#5.4.250-173.369.amzn2int.x86_64 md/arch#x86_64 lang/python#3.8.17 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.31.16",
"requestParameters": {
"queueUrl": "https://sqs.ap-southeast-4.amazonaws.com/123456789012/MyQueue",
"entries": [
{
"id": "0",
"receiptHandle": "AQEBefxM1O4zyZGF87DehbRbmri91w2W7mMdD0GrBjQa8e/hpb4RbXHPZ9tLBVleECbChQIE5NtaDuoZhZPOkTy0eN46EyRR4jXDzE3AlkbPlX1mA9f2fUuTrXx8aeCoCA3I3woNg3fXXAoo5ctLgci0Z/hlLS94tjAZqV2krc4BaC2pYgjyHWcW019HwIV8T/bjNMIeZoQwOM5V+o9vHPfewz5QGr5SKpDo7uE7Umyk5n5CJZvcn1efp/mrwtaCIb9M7cCQUYcZm2ZmZDnIO9XpGTAi3m2dQ0M83pnNh0nvDfpkHpoa+hX1TrUmxCupCWHJwA8HFJ1O/CCJsodMNFthLBA9S57dkBZCsw41G8jAmgQ0MkvZ0UL5mg0OFQQd1Yrw0zvthjCgiwdzn0yXoMzxIZMBxkY14E4nVVZ7N5XEMtMmgxsI1XF/h8oRk2C7gByzg2kYJ0LnUvLJFT8DQE28JZppEC9klvrdR/BWiPT7asc="
}
]
},
"responseElements": {
"successful": [
{
"id": "0"
}
],
"failed": []
},
"requestID": "fe423091-5642-5ba5-9256-6d5587de52f1",
"eventID": "88c8020d-d769-4985-8ecb-ee0b59acc418",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::SQS::Queue",
"ARN": "arn:aws:sqs:ap-southeast-4:123456789012:MyQueue"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "sqs.ap-southeast-4.amazonaws.com"
}
}
- ChangeMessageVisibilityBatch
-
The following example shows a CloudTrail data event for
ChangeMessageVisibilityBatch
.
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "EXAMPLE_PRINCIPAL_ID",
"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/SessionName",
"accountId": "123456789012",
"accessKeyId": "ACCESS_KEY_ID",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AKIAI44QH8DHBEXAMPLE",
"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed",
"accountId": "123456789012",
"userName": "RoleToBeAssumed"
},
"attributes": {
"creationDate": "2023-11-07T22:13:06Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-11-07T23:59:01Z",
"eventSource": "sqs.amazonaws.com",
"eventName": "ChangeMessageVisibilityBatch",
"awsRegion": "ap-southeast-4",
"sourceIPAddress": "10.0.118.80",
"userAgent": "aws-cli/1.29.16 md/Botocore#1.31.16 ua/2.0 os/linux#5.4.250-173.369.amzn2int.x86_64 md/arch#x86_64 lang/python#3.8.17 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.31.16",
"requestParameters": {
"visibilityTimeout": 0,
"entries": [
{
"id": "0",
"receiptHandle": "AQEB2M5cVYg5gslhWME6537hdjcaPnOYPA5M0W460TTb0DzPle631yPWm8qxd4O1hDj/B4ntTMnsgBTa95t14tNx7Vn96jKJ5rIoZ7iI8TRmkT1caKodKIPs8w9yndZq50c2FPQxtyH+2L3UHf/abV3szqVWXOLZR4PwX8zZkWVQGNCNnY2q2lGCG586F8QwvrOFYoXNwB8ymd1t77e1PDPknq1Io3JFuzkEsndkkETy4fV1QqVCSTR1izaTKF44f/l5PHX17nXxaC+DURVlMPXOuSFACGmWqAoyk50HKwGOjLQgpySL/TcnQXClvFq8kNXGwyVzJsbwHpOHxI7oce69vaD6DaWFP75d3hx+PJeG9pauQCKzVP3skt3Hw/zDC7YfKcALD3aCwMmeNDwT3w0BUG6XZdG5lYhtFtTQYV7YuS3i/Jh3HShGbtm07JKOEFiPkxv2+XNaAX3gFEpbng6zamTanfyMXCJIiglAEqiyWHQ=",
"visibilityTimeout": 2271
}
],
"queueUrl": "https://sqs.ap-southeast-4.amazonaws.com/123456789012/MyQueue"
},
"responseElements": {
"successful": [
{
"id": "0"
}
]
},
"requestID": "d49ab65f-9dc7-54b8-875c-eb9b4c42988b",
"eventID": "ca16c8c2-c4ba-4eb5-a54c-e650a10266d4",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::SQS::Queue",
"ARN": "arn:aws:sqs:ap-southeast-4:123456789012:MyQueue"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "sqs.ap-southeast-4.amazonaws.com"
}
}