CloudTrail log file examples
CloudTrail monitors events for your account. If you create a trail, it delivers those events as log files to your Amazon S3 bucket. If you create an event data store in CloudTrail Lake, events are logged to your event data store. Event data stores do not use S3 buckets.
CloudTrail log file name format
CloudTrail uses the following file name format for the log file objects that it delivers to your Amazon S3 bucket:
AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat
-
The
YYYY
,MM
,DD
,HH
, andmm
are the digits of the year, month, day, hour, and minute when the log file was delivered. Hours are in 24-hour format. TheZ
indicates that the time is in UTC.Note
A log file delivered at a specific time can contain records written at any point before that time.
-
The 16-character
UniqueString
component of the log file name is there to prevent overwriting of files. It has no meaning, and log processing software should ignore it. -
FileNameFormat
is the encoding of the file. Currently, this isjson.gz
, which is a JSON text file in compressed gzip format.
Example CloudTrail Log File Name
111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz
Log file examples
A log file contains one or more records. The following examples are snippets of logs that show the records for an action that started the creation of a log file.
For information about CloudTrail event record fields, see CloudTrail record contents.
Contents
Amazon EC2 log examples
Amazon Elastic Compute Cloud (Amazon EC2) provides resizeable computing capacity in the AWS Cloud. You can launch virtual servers, configure security and networking, and manage storage. Amazon EC2 can also scale up or down quickly to handle changes in requirements or spikes in popularity, thereby reducing your need to forecast server traffic. For more information, see the Amazon EC2 User Guide.
The following example shows that an IAM user named Mateo
ran the aws ec2 start-instances command to call
the Amazon EC2 StartInstances
action for instances
i-EXAMPLE56126103cb
and i-EXAMPLEaff4840c22
.
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "arn": "arn:aws:iam::123456789012:user/Mateo", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Mateo", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:17:28Z", "eventSource": "ec2.amazonaws.com", "eventName": "StartInstances", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.start-instances", "requestParameters": { "instancesSet": { "items": [ { "instanceId": "i-EXAMPLE56126103cb" }, { "instanceId": "i-EXAMPLEaff4840c22" } ] } }, "responseElements": { "requestId": "e4336db0-149f-4a6b-844d-EXAMPLEb9d16", "instancesSet": { "items": [ { "instanceId": "i-EXAMPLEaff4840c22", "currentState": { "code": 0, "name": "pending" }, "previousState": { "code": 80, "name": "stopped" } }, { "instanceId": "i-EXAMPLE56126103cb", "currentState": { "code": 0, "name": "pending" }, "previousState": { "code": 80, "name": "stopped" } } ] } }, "requestID": "e4336db0-149f-4a6b-844d-EXAMPLEb9d16", "eventID": "e755e09c-42f9-4c5c-9064-EXAMPLE228c7", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
The following example shows that an IAM user named Nikki
ran the aws ec2 stop-instances command to call
the Amazon EC2 StopInstances
action to stop two instances.
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "arn": "arn:aws:iam::777788889999:user/Nikki", "accountId": "777788889999", "accessKeyId": "AKIAI44QH8DHBEXAMPLE", "userName": "Nikki", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:14:20Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.stop-instances", "requestParameters": { "instancesSet": { "items": [ { "instanceId": "i-EXAMPLE56126103cb" }, { "instanceId": "i-EXAMPLEaff4840c22" } ] }, "force": false }, "responseElements": { "requestId": "c308a950-e43e-444e-afc1-EXAMPLE73e49", "instancesSet": { "items": [ { "instanceId": "i-EXAMPLE56126103cb", "currentState": { "code": 64, "name": "stopping" }, "previousState": { "code": 16, "name": "running" } }, { "instanceId": "i-EXAMPLEaff4840c22", "currentState": { "code": 64, "name": "stopping" }, "previousState": { "code": 16, "name": "running" } } ] } }, "requestID": "c308a950-e43e-444e-afc1-EXAMPLE73e49", "eventID": "9357a8cc-a0eb-46a1-b67e-EXAMPLE19b14", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "777788889999", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
The following example shows that an IAM user named Arnav
ran the aws ec2 create-key-pair command to call the
CreateKeyPair
action. Note that the responseElements
contain a hash of the
key pair and that AWS removed the key material.
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGIEXAMPLE", "arn": "arn:aws:iam::444455556666:user/Arnav", "accountId": "444455556666", "accessKeyId": "AKIAI44QH8DHBEXAMPLE", "userName": "Arnav", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:19:22Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateKeyPair", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.create-key-pair", "requestParameters": { "keyName": "my-key", "keyType": "rsa", "keyFormat": "pem" }, "responseElements": { "requestId": "9aa4938f-720f-4f4b-9637-EXAMPLE9a196", "keyName": "my-key", "keyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f", "keyPairId": "key-abcd12345eEXAMPLE", "keyMaterial": "<sensitiveDataRemoved>" }, "requestID": "9aa4938f-720f-4f4b-9637-EXAMPLE9a196", "eventID": "2ae450ff-e72b-4de1-87b0-EXAMPLE5227cb", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "444455556666", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
IAM log examples
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can centrally manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. For more information, see the IAM User Guide.
The following example shows that the IAM user named Mary
ran the aws iam create-user command to call the
CreateUser
action to create a new user named Richard
.
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGITEXAMPLE", "arn": "arn:aws:iam::888888888888:user/Mary", "accountId": "888888888888", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Mary", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:25:09Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-user", "requestParameters": { "userName": "Richard" }, "responseElements": { "user": { "path": "/", "arn": "arn:aws:iam::888888888888:user/Richard", "userId": "AIDA6ON6E4XEP7EXAMPLE", "createDate": "Jul 19, 2023 9:25:09 PM", "userName": "Richard" } }, "requestID": "2d528c76-329e-410b-9516-EXAMPLE565dc", "eventID": "ba0801a1-87ec-4d26-be87-EXAMPLE75bbb", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "888888888888", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
The following example shows that the IAM user named Paulo
ran the aws iam add-user-to-group command to call
the AddUserToGroup
action to add a user named Jane
to the Admin
group.
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGIEXAMPLE", "arn": "arn:aws:iam::555555555555:user/Paulo", "accountId": "555555555555", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Paulo", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:25:09Z", "eventSource": "iam.amazonaws.com", "eventName": "AddUserToGroup", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.add-user-to-group", "requestParameters": { "groupName": "Admin", "userName": "Jane" }, "responseElements": null, "requestID": "ecd94349-b36f-44bf-b6f5-EXAMPLE9c463", "eventID": "2939ba50-1d26-4a5a-83bd-EXAMPLE85850", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555555555555", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
The following example shows that the IAM user named Saanvi
ran the aws iam create-role command to call
the CreateRole
action to create a role.
{"Records": [{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGITEXAMPLE", "arn": "arn:aws:iam::777777777777:user/Saanvi", "accountId": "777777777777", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Saanvi", "sessionContext": { "sessionIssuer": {}, "webIdFederationData": {}, "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:29:12Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-role", "requestParameters": { "roleName": "TestRole", "description": "Allows EC2 instances to call AWS services on your behalf.", "assumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"sts:AssumeRole\"],\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]}}]}" }, "responseElements": { "role": { "assumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%5B%22sts%3AAssumeRole%22%5D%2C%22Principal%22%3A%7B%22Service%22%3A%5B%22ec2.amazonaws.com%22%5D%7D%7D%5D%7D", "arn": "arn:aws:iam::777777777777:role/TestRole", "roleId": "AROA6ON6E4XEFFEXAMPLE", "createDate": "Jul 19, 2023 9:29:12 PM", "roleName": "TestRole", "path": "/" } }, "requestID": "ff38f36e-ebd3-425b-9939-EXAMPLE1bbe", "eventID": "9da77cd0-493f-4c89-8852-EXAMPLEa887c", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "777777777777", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
Error code and message log example
The following example shows that the IAM user named Terry
ran the aws cloudtrail update-trail command to call the
UpdateTrail
action to update a trail named myTrail2
,
but the trail name was not found. The log shows this error in the
errorCode
and errorMessage
elements.
{"Records": [{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDA6ON6E4XEGIEXAMPLE", "arn": "arn:aws:iam::111122223333:user/Terry", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Terry", "sessionContext": { "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:35:03Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.update-trail", "errorCode": "TrailNotFoundException", "errorMessage": "Unknown trail: arn:aws:cloudtrail:us-east-1:111122223333:trail/myTrail2 for the user: 111122223333", "requestParameters": { "name": "myTrail2", "isMultiRegionTrail": true }, "responseElements": null, "requestID": "28d2faaf-3319-4649-998d-EXAMPLE72818", "eventID": "694d604a-d190-4470-8dd1-EXAMPLEe20c1", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }]}
CloudTrail Insights event log example
The following example shows a CloudTrail Insights event log. An Insights event is actually a
pair of events that mark the start and end of a period of unusual write management
API activity or error response activity. The state
field shows whether
the event was logged at the start or end of the period of unusual activity. The
event name, UpdateInstanceInformation
, is the same name as the
AWS Systems Manager API for which CloudTrail analyzed management events to determine that unusual
activity occurred. Although the start and end events have unique
eventID
values, they also have a sharedEventID
value
that is used by the pair. The Insights event shows the baseline
, or the
normal pattern of activity, the insight
, or average unusual activity
that triggered the start Insights event, and in the end event, the
insight
value for the average unusual activity over the duration of
the Insights event. For more information about CloudTrail Insights, see Logging Insights events.
{ "Records": [{ "eventVersion": "1.08", "eventTime": "2023-01-02T02:51:00Z", "awsRegion": "us-east-1", "eventID": "654a30ff-b0f3-4527-81b6-EXAMPLEf2393", "eventType": "AwsCloudTrailInsight", "recipientAccountId": "123456789012", "sharedEventID": "bcbfc274-8559-4a56-beb0-EXAMPLEa6c34", "insightDetails": { "state": "Start", "eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation", "insightType": "ApiCallRateInsight", "insightContext": { "statistics": { "baseline": { "average": 84.410596421 }, "insight": { "average": 669 } } } }, "eventCategory": "Insight" }, { "eventVersion": "1.08", "eventTime": "2023-01-02T00:22:00Z", "awsRegion": "us-east-1", "eventID": "258de2fb-e2a9-4fb5-aeb2-EXAMPLE449a4", "eventType": "AwsCloudTrailInsight", "recipientAccountId": "123456789012", "sharedEventID": "8b74a7bc-d5d3-4d19-9d60-EXAMPLE08b51", "insightDetails": { "state": "End", "eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation", "insightType": "ApiCallRateInsight", "insightContext": { "statistics": { "baseline": { "average": 74.156423842 }, "insight": { "average": 657 }, "insightDuration": 1 } } }, "eventCategory": "Insight" }] }