AWS CloudTrail event names supported by AWS Audit Manager

You can capture AWS CloudTrail management events and global service events as evidence in Audit Manager. To do this, you specify the CloudTrail event name as a data source mapping keyword when you create a custom control.

Note

Audit Manager captures management events and global service events only. Data events and insights events are not available as evidence. For more information about the different types of CloudTrail events, see CloudTrail concepts in the AWS CloudTrail User Guide.

As an exception to the above, the following CloudTrail events aren't supported by Audit Manager:

kms_GenerateDataKey
kms_Decrypt
sts_AssumeRole
kinesisvideo_GetDataEndpoint
kinesisvideo_GetSignalingChannelEndpoint
kinesisvideo_DescribeSignalingChannel
kinesisvideo_DescribeStream

As of May 11, 2023, Audit Manager no longer supports read-only CloudTrail events as keywords for evidence collection. We removed a total of 3,135 read-only keywords. Because customers and AWS services both make read calls to APIs, read-only events are noisy. As a result, read-only keywords collect a lot of evidence that isn't reliable or relevant for audits. Read-only keywords include List, Describe, and Get API calls (for example, GetObject and ListBuckets for Amazon S3). If you were using one of these keywords for evidence collection, you don't need to do anything. The keywords were automatically removed from the Audit Manager console and from your assessments, and evidence is no longer collected for these keywords.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS API calls

Settings