Logging Amazon SQS API calls using AWS CloudTrail - Amazon Simple Queue Service

Logging Amazon SQS API calls using AWS CloudTrail

Amazon SQS is integrated with AWS CloudTrail to record the Amazon SQS calls from a user, role, or AWS service. CloudTrail captures API calls related to Amazon SQS standard and FIFO queues as events, including interactions initiated through the Amazon SQS console as well as programmatically via calls to the Amazon SQS APIs.

Amazon SQS information in CloudTrail

CloudTrail is turned on by default when you create your AWS account. When a supported Amazon SQS event activity occurs, it is recorded in a CloudTrail event, along with other AWS service events, in the event history. You can view, search, and download recent events for your AWS account. For more information, see Viewing Events with CloudTrail Event History in the AWS CloudTrail User Guide.

Amazon SQS APIs that call queue management operations, such as AddPermission are categorized as management events and are logged in CloudTrail by default. Amazon SQS APIs that are high volume operations performed on an Amazon SQS queue, such as SendMessage are categorized as data events and are logged after you opt-in with CloudTrail.

Using the information that CloudTrail collects, you can identify a specific request to an Amazon SQS API, the IP address or identity of the requester, and the date and time of the request. If you configure a CloudTrail trail, you can continuously deliver CloudTrail events to an Amazon S3 bucket with an optional delivery to Amazon CloudWatch Logs and AWS EventBridge. If you do not configure a trail, you can only view the event history of management events in events in the CloudTrail console. For more information, see Overview for Creating a Trail in the AWS CloudTrail User Guide.

Management events in CloudTrail

Amazon SQS logs the following API actions as management events:

The following Amazon SQS APIs are not supported for CloudTrail logging:

Data events in CloudTrail

Data events provide information about the resource operations performed on or in a resource, such as sending or receiving an Amazon SQS message to and from an Amazon SQS queue. Data events are high-volume activities that CloudTrail does not log by default. You can enable data events API action logging for your SQS queue by using CloudTrail APIs. For more information, see Logging data events in the AWS CloudTrail User Guide.

With CloudTrail, you can use advanced event selectors to decide which Amazon SQS API activities are logged and recorded. To log Amazon SQS data events, you must include the resource type AWS::SQS::Queue. Once this is set, you can refine your logging preferences further by selecting specific data events for recording, such as using the eventName filter to track SendMessage events. For more information, see AdvancedEventSelector in the AWS CloudTrail API Reference.

Amazon SQS data events:

Additional charges apply for data events. For more information, see AWS CloudTrail Pricing.

Examples: CloudTrail management events for Amazon SQS

The following examples show CloudTrail log entries for supported APIs:

AddPermission

The following example shows a CloudTrail log entry for an AddPermission API call.

{ "Records": [ { "eventVersion": "1.06", "userIdentity": { "type": "IAMUser", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice" }, "eventTime": "2018-06-28T22:23:46Z", "eventSource": "sqs.amazonaws.com", "eventName": "AddPermission", "awsRegion": "us-east-2", "sourceIPAddress": "203.0.113.0", "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0", "requestParameters": { "actions": [ "SendMessage" ], "AWSAccountIds": [ "123456789012" ], "label": "MyLabel", "queueUrl": "https://sqs.us-east-2.amazon.com/123456789012/MyQueue" }, "responseElements": null, "requestID": "123abcde-f4gh-50ij-klmn-60o789012p30", "eventID": "0987g654-32f1-09e8-d765-c4f3fb2109fa" } ] }
CreateQueue

The following example shows a CloudTrail log entry for a CreateQueue API call.

{ "Records": [ { "eventVersion": "1.06", "userIdentity": { "type": "IAMUser", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:iam::123456789012:user/Alejandro", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alejandro" }, "eventTime": "2018-06-28T22:23:46Z", "eventSource": "sqs.amazonaws.com", "eventName": "CreateQueue", "awsRegion": "us-east-2", "sourceIPAddress": "203.0.113.1", "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0", "requestParameters": { "queueName": "MyQueue" }, "responseElements": { "queueUrl": "https://sqs.us-east-2.amazon.com/123456789012/MyQueue" }, "requestID": "123abcde-f4gh-50ij-klmn-60o789012p30", "eventID": "0987g654-32f1-09e8-d765-c4f3fb2109fa" } ] }
DeleteQueue

The following example shows a CloudTrail log entry for a DeleteQueue API call.

{ "Records": [ { "eventVersion": "1.06", "userIdentity": { "type": "IAMUser", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:iam::123456789012:user/Carlos", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Carlos" }, "eventTime": "2018-06-28T22:23:46Z", "eventSource": "sqs.amazonaws.com", "eventName": "DeleteQueue", "awsRegion": "us-east-2", "sourceIPAddress": "203.0.113.2", "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0", "requestParameters": { "queueUrl": "https://sqs.us-east-2.amazon.com/123456789012/MyQueue" }, "responseElements": null, "requestID": "123abcde-f4gh-50ij-klmn-60o789012p30", "eventID": "0987g654-32f1-09e8-d765-c4f3fb2109fa" } ] }
RemovePermission

The following example shows a CloudTrail log entry for a RemovePermission API call.

{ "Records": [ { "eventVersion": "1.06", "userIdentity": { "type": "IAMUser", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:iam::123456789012:user/Jane", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Jane" }, "eventTime": "2018-06-28T22:23:46Z", "eventSource": "sqs.amazonaws.com", "eventName": "RemovePermission", "awsRegion": "us-east-2", "sourceIPAddress": "203.0.113.3", "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0", "requestParameters": { "label": "label", "queueUrl": "https://sqs.us-east-2.amazon.com/123456789012/MyQueue" }, "responseElements": null, "requestID": "123abcde-f4gh-50ij-klmn-60o789012p30", "eventID": "0987g654-32f1-09e8-d765-c4f3fb2109fa" } ] }
SetQueueAttributes

The following example shows a CloudTrail log entry for SetQueueAttributes:

{ "Records": [ { "eventVersion": "1.06", "userIdentity": { "type": "IAMUser", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:iam::123456789012:user/Maria", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Maria" }, "eventTime": "2018-06-28T22:23:46Z", "eventSource": "sqs.amazonaws.com", "eventName": "SetQueueAttributes", "awsRegion": "us-east-2", "sourceIPAddress": "203.0.113.4", "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0", "requestParameters": { "attributes": { "VisibilityTimeout": "100" }, "queueUrl": "https://sqs.us-east-2.amazon.com/123456789012/MyQueue" }, "responseElements": null, "requestID": "123abcde-f4gh-50ij-klmn-60o789012p30", "eventID": "0987g654-32f1-09e8-d765-c4f3fb2109fa" } ] }

Examples: CloudTrail data events for Amazon SQS

The following are examples of CloudTrail events specific to Amazon SQS data event APIs:

SendMessage

The following example shows a CloudTrail data event for SendMessage.

{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EXAMPLE_PRINCIPAL_ID", "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/SessionName", "accountId": "123456789012", "accessKeyId": "ACCESS_KEY_ID", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed", "accountId": "123456789012", "userName": "RoleToBeAssumed" }, "attributes": { "creationDate": "2023-11-07T22:13:06Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-11-07T23:59:11Z", "eventSource": "sqs.amazonaws.com", "eventName": "SendMessage", "awsRegion": "ap-southeast-4", "sourceIPAddress": "10.0.118.80", "userAgent": "aws-cli/1.29.16 md/Botocore#1.31.16 ua/2.0 os/linux#5.4.250-173.369.amzn2int.x86_64 md/arch#x86_64 lang/python#3.8.17 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.31.16", "requestParameters": { "queueUrl": "https://sqs.ap-southeast-4.amazonaws.com/123456789012/MyQueue", "messageBody": "HIDDEN_DUE_TO_SECURITY_REASONS", "messageDeduplicationId": "MsgDedupIdSdk1ae1958f2-bbe8-4442-83e7-4916e3b035aa", "messageGroupId": "MsgGroupIdSdk16" }, "responseElements": { "mD5OfMessageBody": "9a4e3f7a614d9dd9f8722092dbda17a2", "mD5OfMessageSystemAttributes": "f88f0587f951b7f5551f18ae699c3a9d", "messageId": "93bb6e2d-1090-416c-81b0-31eb1faa8cd8", "sequenceNumber": "18881790870905840128" }, "requestID": "c4584600-fe8a-5aa3-a5ba-1bc42f055fae", "eventID": "98c735d8-70e0-4644-9432-b6ced4d791b1", "readOnly": false, "resources": [ { "accountId": "123456789012", "type": "AWS::SQS::Queue", "ARN": "arn:aws:sqs:ap-southeast-4:123456789012:MyQueue" } ], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "123456789012", "eventCategory": "Data", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "sqs.ap-southeast-4.amazonaws.com" }
ReceiveMessage

The following example shows a CloudTrail data event for ReceiveMessage.

{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EXAMPLE_PRINCIPAL_ID", "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/SessionName", "accountId": "123456789012", "accessKeyId": "ACCESS_KEY_ID", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed", "accountId": "123456789012", "userName": "RoleToBeAssumed" }, "attributes": { "creationDate": "2023-11-07T22:13:06Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-11-07T23:59:24Z", "eventSource": "sqs.amazonaws.com", "eventName": "ReceiveMessage", "awsRegion": "ap-southeast-4", "sourceIPAddress": "10.0.118.80", "userAgent": "aws-cli/1.29.16 md/Botocore#1.31.16 ua/2.0 os/linux#5.4.250-173.369.amzn2int.x86_64 md/arch#x86_64 lang/python#3.8.17 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.31.16", "requestParameters": { "queueUrl": "https://sqs.ap-southeast-4.amazonaws.com/123456789012/MyQueue", "maxNumberOfMessages": 10 }, "responseElements": null, "requestID": "8b4d4643-8f49-52cd-a6e8-1b875ed54b99", "eventID": "f3f23ab7-b0a4-4b71-afc0-141209c49206", "readOnly": true, "resources": [ { "accountId": "123456789012", "type": "AWS::SQS::Queue", "ARN": "arn:aws:sqs:ap-southeast-4:123456789012:MyQueue" } ], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "123456789012", "eventCategory": "Data", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "sqs.ap-southeast-4.amazonaws.com" } }
DeleteMessageBatch

The following example shows a CloudTrail data event for DeleteMessageBatch.

{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EXAMPLE_PRINCIPAL_ID", "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/SessionName", "accountId": "123456789012", "accessKeyId": "ACCESS_KEY_ID", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed", "accountId": "123456789012", "userName": "RoleToBeAssumed" }, "attributes": { "creationDate": "2023-11-07T22:13:06Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-11-07T23:59:24Z", "eventSource": "sqs.amazonaws.com", "eventName": "DeleteMessageBatch", "awsRegion": "ap-southeast-4", "sourceIPAddress": "10.0.118.80", "userAgent": "aws-cli/1.29.16 md/Botocore#1.31.16 ua/2.0 os/linux#5.4.250-173.369.amzn2int.x86_64 md/arch#x86_64 lang/python#3.8.17 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.31.16", "requestParameters": { "queueUrl": "https://sqs.ap-southeast-4.amazonaws.com/123456789012/MyQueue", "entries": [ { "id": "0", "receiptHandle": "AQEBefxM1O4zyZGF87DehbRbmri91w2W7mMdD0GrBjQa8e/hpb4RbXHPZ9tLBVleECbChQIE5NtaDuoZhZPOkTy0eN46EyRR4jXDzE3AlkbPlX1mA9f2fUuTrXx8aeCoCA3I3woNg3fXXAoo5ctLgci0Z/hlLS94tjAZqV2krc4BaC2pYgjyHWcW019HwIV8T/bjNMIeZoQwOM5V+o9vHPfewz5QGr5SKpDo7uE7Umyk5n5CJZvcn1efp/mrwtaCIb9M7cCQUYcZm2ZmZDnIO9XpGTAi3m2dQ0M83pnNh0nvDfpkHpoa+hX1TrUmxCupCWHJwA8HFJ1O/CCJsodMNFthLBA9S57dkBZCsw41G8jAmgQ0MkvZ0UL5mg0OFQQd1Yrw0zvthjCgiwdzn0yXoMzxIZMBxkY14E4nVVZ7N5XEMtMmgxsI1XF/h8oRk2C7gByzg2kYJ0LnUvLJFT8DQE28JZppEC9klvrdR/BWiPT7asc=" } ] }, "responseElements": { "successful": [ { "id": "0" } ], "failed": [] }, "requestID": "fe423091-5642-5ba5-9256-6d5587de52f1", "eventID": "88c8020d-d769-4985-8ecb-ee0b59acc418", "readOnly": false, "resources": [ { "accountId": "123456789012", "type": "AWS::SQS::Queue", "ARN": "arn:aws:sqs:ap-southeast-4:123456789012:MyQueue" } ], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "123456789012", "eventCategory": "Data", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "sqs.ap-southeast-4.amazonaws.com" } }
ChangeMessageVisibilityBatch

The following example shows a CloudTrail data event for ChangeMessageVisibilityBatch.

{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EXAMPLE_PRINCIPAL_ID", "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/SessionName", "accountId": "123456789012", "accessKeyId": "ACCESS_KEY_ID", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AKIAI44QH8DHBEXAMPLE", "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed", "accountId": "123456789012", "userName": "RoleToBeAssumed" }, "attributes": { "creationDate": "2023-11-07T22:13:06Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-11-07T23:59:01Z", "eventSource": "sqs.amazonaws.com", "eventName": "ChangeMessageVisibilityBatch", "awsRegion": "ap-southeast-4", "sourceIPAddress": "10.0.118.80", "userAgent": "aws-cli/1.29.16 md/Botocore#1.31.16 ua/2.0 os/linux#5.4.250-173.369.amzn2int.x86_64 md/arch#x86_64 lang/python#3.8.17 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.31.16", "requestParameters": { "visibilityTimeout": 0, "entries": [ { "id": "0", "receiptHandle": "AQEB2M5cVYg5gslhWME6537hdjcaPnOYPA5M0W460TTb0DzPle631yPWm8qxd4O1hDj/B4ntTMnsgBTa95t14tNx7Vn96jKJ5rIoZ7iI8TRmkT1caKodKIPs8w9yndZq50c2FPQxtyH+2L3UHf/abV3szqVWXOLZR4PwX8zZkWVQGNCNnY2q2lGCG586F8QwvrOFYoXNwB8ymd1t77e1PDPknq1Io3JFuzkEsndkkETy4fV1QqVCSTR1izaTKF44f/l5PHX17nXxaC+DURVlMPXOuSFACGmWqAoyk50HKwGOjLQgpySL/TcnQXClvFq8kNXGwyVzJsbwHpOHxI7oce69vaD6DaWFP75d3hx+PJeG9pauQCKzVP3skt3Hw/zDC7YfKcALD3aCwMmeNDwT3w0BUG6XZdG5lYhtFtTQYV7YuS3i/Jh3HShGbtm07JKOEFiPkxv2+XNaAX3gFEpbng6zamTanfyMXCJIiglAEqiyWHQ=", "visibilityTimeout": 2271 } ], "queueUrl": "https://sqs.ap-southeast-4.amazonaws.com/123456789012/MyQueue" }, "responseElements": { "successful": [ { "id": "0" } ] }, "requestID": "d49ab65f-9dc7-54b8-875c-eb9b4c42988b", "eventID": "ca16c8c2-c4ba-4eb5-a54c-e650a10266d4", "readOnly": false, "resources": [ { "accountId": "123456789012", "type": "AWS::SQS::Queue", "ARN": "arn:aws:sqs:ap-southeast-4:123456789012:MyQueue" } ], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "123456789012", "eventCategory": "Data", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "sqs.ap-southeast-4.amazonaws.com" } }