CloudTrail supported services and integrations
CloudTrail supports logging events for many AWS services. You can find the specifics for each supported service in that service's guide. For a list of service-specific topics, see AWS service topics for CloudTrail. In addition, some AWS services can be used to analyze and act upon data collected in CloudTrail logs.
Note
To see the list of supported Regions for each service, see Service endpoints and quotas in the Amazon Web Services General Reference.
Topics
AWS service integrations with CloudTrail logs
Note
You can also use CloudTrail Lake to query and analyze your events. CloudTrail Lake queries offer a
deeper and more customizable view of events than simple key and value lookups in Event history,
or running LookupEvents. CloudTrail Lake users can run complex Standard Query Language (SQL) queries across multiple fields in a CloudTrail event. For more information, see
Working with AWS CloudTrail Lake and Copying trail events to CloudTrail
Lake.
CloudTrail Lake event data stores and queries incur CloudTrail charges. For more information about
CloudTrail Lake pricing, see AWS CloudTrail
Pricing
You can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following topics.
| AWS Service | Topic | Description |
|---|---|---|
| Amazon Athena | Querying AWS CloudTrail Logs | Using Athena with CloudTrail logs is a powerful way to enhance your analysis of AWS service activity. For example, you can use queries to identify trends and further isolate activity by attribute, such as source IP address or user. You can automatically create tables for querying logs directly from the CloudTrail console, and use those tables to run queries in Athena. For more information, see Creating a Table for CloudTrail Logs in the CloudTrail Console in the Amazon Athena User Guide. NoteRunning queries in Amazon Athena incurs additional costs. For more
information, see Amazon Athena Pricing. |
| Amazon CloudWatch Logs | Monitoring CloudTrail Log Files with Amazon CloudWatch Logs | You can configure CloudTrail with CloudWatch Logs to monitor your trail logs and be notified when specific activity occurs. For example, you can define CloudWatch Logs metric filters that will trigger CloudWatch alarms and send notifications to you when those alarms are triggered. NoteStandard pricing for Amazon CloudWatch and Amazon CloudWatch Logs
applies. For more information, see Amazon
CloudWatch Pricing |
CloudTrail integration with Amazon EventBridge
Amazon EventBridge is an AWS service that delivers a near real-time stream of system events that describe changes in AWS resources. In EventBridge, you can create rules that responds to events recorded by CloudTrail. For more information, see Create a rule in Amazon EventBridge.
You can deliver events that you are subscribed to on your trail to EventBridge by creating a rule with the EventBridge console.
From the EventBridge console:
-
Choose the
AWS API Call via CloudTraildetail-type to deliver CloudTrail data and management events with aneventTypeofAwsApiCall. To record events with a detail-type value ofAWS API Call via CloudTrail, you must have a trail that is currently logging management or data events. -
Choose the
AWS Console Sign In via CloudTraildetail-type to deliver AWS Management Console sign-in events. To record events with a detail-type ofAWS Console Sign In via CloudTrail, you must have a trail that is currently logging management events. -
Choose the
AWS Insight via CloudTraildetail-type to deliver Insights events. To record events with a detail-type value ofAWS Insight via CloudTrail, you must have a trail that is currently logging Insights events. For information about logging Insights events, see Working with CloudTrail Insights.
For more information about how to create a trail, see Creating a trail with the CloudTrail console.
CloudTrail integration with AWS Organizations
The management account for an AWS Organizations organization can add a delegated administrator to manage the organization's CloudTrail resources. You can create an organization trail or organization event data store in the management account or delegated administrator account for an organization that collects all event data for all AWS accounts in an organization in AWS Organizations. Creating an organization trail or organization event data store helps you define a uniform event logging strategy for your organization.
CloudTrail integration with AWS Control Tower
AWS Control Tower sets up a new CloudTrail organization trail logging management events when you set up a landing zone. When you enroll an account into AWS Control Tower, your account is governed by the organization trail for the AWS Control Tower organization. If you have an existing organization trail in that account, you may see duplicate charges unless you delete the existing trail for the account before you enroll it in AWS Control Tower. You can view the Trails page on the CloudTrail console to see whether any organization trails have been created. For more information about AWS Control Tower, see About logging in AWS Control Tower in the AWS CloudTrail User Guide.
CloudTrail integration with Amazon Security Lake
Security Lake can collect logs associated with CloudTrail management events and CloudTrail data events for S3 and Lambda. For more information, see CloudTrail event logs in the Amazon Security Lake User Guide.
To collect CloudTrail management events in Security Lake, you must have at least one CloudTrail multi-Region organization trail that collects read and write CloudTrail management events.
CloudTrail Lake integration with Amazon Athena
You can federate an event data store to see the metadata associated with the event data store in the AWS Glue Data Catalog and run SQL queries on the event data using Amazon Athena. The table metadata stored in the AWS Glue Data Catalog lets the Athena query engine know how to find, read, and process the data that you want to query. For more information, see Federate an event data store.
CloudTrail Lake integration with AWS Config
You can create an event data store to include AWS Config configuration items, and use the event data store to investigate non-compliant changes to your production environments. For more information, see Create an event data store for configuration items with the console.
CloudTrail Lake integration with AWS Audit Manager
You can create an event data store for AWS Audit Manager evidence by using the Audit Manager console. For more information about aggregating evidence in CloudTrail Lake using Audit Manager, see Understanding how evidence finder works with CloudTrail Lake in the AWS Audit Manager User Guide.
AWS service topics for CloudTrail
You can learn more about how the events for individual AWS services are recorded in CloudTrail logs, including example events for that service in log files. For more information about how specific AWS services integrate with CloudTrail, see the topic about integration in the individual guide for that service.
Services that are still in preview, or not yet released for general availability (GA), or which don't have public APIs, are not considered supported.
Note
To see the list of supported Regions for each service, see Service endpoints and quotas in the Amazon Web Services General Reference.
For information about which services log data events, see Data events.
CloudTrail unsupported services
Services that are still in preview, or not yet released for general availability (GA), or which don't have public APIs, are not considered supported.
Additionally, the following AWS services and events are not supported:
-
AWS Import/Export
For a list of supported AWS services, see AWS service topics for CloudTrail.
