Understanding CloudTrail events
An event in CloudTrail is the record of an activity in an AWS account. This activity can be an action taken by an IAM identity, or service that is monitorable by CloudTrail. CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
CloudTrail log files aren't an ordered stack trace of the public API calls, so events don't appear in any specific order.
There are four types of CloudTrail events:
-
Note
Network activity events is in preview release for CloudTrail and is subject to change.
By default, trails and event data stores log management events, but not data events, network activity events, or Insights events.
All event types use a CloudTrail JSON log format. The log contains information about requests for
resources in your account, such as who made the request, the services used, the actions
performed, and parameters for the action. The event data is enclosed in a Records
array.
For information about CloudTrail event record fields, see CloudTrail record contents.
Management events
Management events provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations.
Example management events include:
-
Configuring security (for example, AWS Identity and Access Management
AttachRolePolicy
API operations). -
Registering devices (for example, Amazon EC2
CreateDefaultVpc
API operations). -
Configuring rules for routing data (for example, Amazon EC2
CreateSubnet
API operations). -
Setting up logging (for example, AWS CloudTrail
CreateTrail
API operations).
Management events can also include non-API events that occur in your account. For
example, when a user signs in to your account, CloudTrail logs the
ConsoleLogin
event. For more information, see Non-API events captured by CloudTrail.
By default, CloudTrail trails and CloudTrail Lake event data stores log management events. For more information about logging management events, see Logging management events.
The following example shows a single log record of a management event. In this event, an IAM user
named Mary_Major
ran the aws cloudtrail start-logging command to call the CloudTrail StartLogging
action
to start the logging process on a trail named myTrail
.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "arn": "arn:aws:iam::123456789012:user/Mary_Major", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Mary_Major", "sessionContext": { "attributes": { "creationDate": "2023-07-19T21:11:57Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-19T21:33:41Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StartLogging", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.start-logging", "requestParameters": { "name": "myTrail" }, "responseElements": null, "requestID": "9d478fc1-4f10-490f-a26b-EXAMPLE0e932", "eventID": "eae87c48-d421-4626-94f5-EXAMPLEac994", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }
In this next example, an IAM user user named Paulo_Santos
ran the aws cloudtrail start-event-data-store-ingestion command to call the StartEventDataStoreIngestion
action
to start ingestion on an event data store.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLEPHCNW5EQV7NA54", "arn": "arn:aws:iam::123456789012:user/Paulo_Santos", "accountId": "123456789012", "accessKeyId": "(AKIAIOSFODNN7EXAMPLE", "userName": "Paulo_Santos", "sessionContext": { "attributes": { "creationDate": "2023-07-21T21:55:30Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-07-21T21:57:28Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StartEventDataStoreIngestion", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/2.13.1 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.start-event-data-store-ingestion", "requestParameters": { "eventDataStore": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/2a8f2138-0caa-46c8-a194-EXAMPLE87d41" }, "responseElements": null, "requestID": "f62a3494-ba4e-49ee-8e27-EXAMPLE4253f", "eventID": "d97ca7e2-04fe-45b4-882d-EXAMPLEa9b2c", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }
Data events
Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities.
Example data events include:
-
Amazon S3 object-level API activity (for example,
GetObject
,DeleteObject
, andPutObject
API operations) on objects in S3 buckets. -
AWS Lambda function execution activity (the
Invoke
API). -
CloudTrail
PutAuditEvents
activity on a CloudTrail Lake channel that is used to log events from outside AWS. -
Amazon SNS
Publish
andPublishBatch
API operations on topics.
The following table shows the resource types available for trails and event
data stores. The Resource type (console) column shows the appropriate selection in the console.
The resources.type value column shows the
resources.type
value that you would specify to include data
events of that type in your trail or event data store using the AWS CLI or CloudTrail APIs.
For trails, you can use basic or advanced event selectors to log data events for Amazon S3 objects in general purpose buckets, Lambda functions, and DynamoDB tables (shown in the first three rows of the table). You can use only advanced event selectors to log the resource types shown in the remaining rows.
For event data stores, you can use only advanced event selectors to include data events.
AWS service | Description | Resource type (console) | resources.type value |
---|---|---|---|
Amazon DynamoDB | Amazon DynamoDB item-level API activity on tables (for example,
NoteFor tables with streams enabled, the |
DynamoDB |
|
AWS Lambda | AWS Lambda function execution activity (the |
Lambda | AWS::Lambda::Function |
Amazon S3 | Amazon S3 object-level API activity (for example, |
S3 | AWS::S3::Object |
AWS AppConfig | AWS AppConfig API activity for configuration operations such as calls to |
AWS AppConfig | AWS::AppConfig::Configuration |
AWS B2B Data Interchange | B2B Data Interchange API activity for Transformer operations such as calls to |
B2B Data Interchange | AWS::B2BI::Transformer |
Amazon Bedrock | Amazon Bedrock API activity on an agent alias. | Bedrock agent alias | AWS::Bedrock::AgentAlias |
Amazon Bedrock | Amazon Bedrock API activity on a flow alias. | Bedrock flow alias | AWS::Bedrock::FlowAlias |
Amazon Bedrock | Amazon Bedrock API activity on guardrails. | Bedrock guardrail | AWS::Bedrock::Guardrail |
Amazon Bedrock | Amazon Bedrock API activity on a knowledge base. | Bedrock knowledge base | AWS::Bedrock::KnowledgeBase |
Amazon Bedrock | Amazon Bedrock API activity on models. | Bedrock model | AWS::Bedrock::Model |
Amazon CloudFront | CloudFront API activity on a KeyValueStore. |
CloudFront KeyValueStore | AWS::CloudFront::KeyValueStore |
AWS Cloud Map | AWS Cloud Map API activity on a namespace. | AWS Cloud Map namespace |
|
AWS Cloud Map | AWS Cloud Map API activity on a service. | AWS Cloud Map service |
|
AWS CloudTrail | CloudTrail |
CloudTrail channel | AWS::CloudTrail::Channel |
Amazon CloudWatch | Amazon CloudWatch API activity on metrics. |
CloudWatch metric | AWS::CloudWatch::Metric |
Amazon CloudWatch RUM | Amazon CloudWatch RUM API activity on app monitors. |
RUM app monitor | AWS::RUM::AppMonitor |
Amazon CodeGuru Profiler | CodeGuru Profiler API activity on profiling groups. | CodeGuru Profiler profiling group | AWS::CodeGuruProfiler::ProfilingGroup |
Amazon CodeWhisperer | Amazon CodeWhisperer API activity on a customization. | CodeWhisperer customization | AWS::CodeWhisperer::Customization |
Amazon CodeWhisperer | Amazon CodeWhisperer API activity on a profile. | CodeWhisperer | AWS::CodeWhisperer::Profile |
Amazon Cognito | Amazon Cognito API activity on Amazon Cognito identity pools. |
Cognito Identity Pools | AWS::Cognito::IdentityPool |
AWS Data Exchange | AWS Data Exchange API activity on assets. |
Data Exchange asset |
|
AWS Deadline Cloud | Deadline Cloud API activity on fleets. |
Deadline Cloud fleet |
|
AWS Deadline Cloud | Deadline Cloud API activity on jobs. |
Deadline Cloud job |
|
AWS Deadline Cloud | Deadline Cloud API activity on queues. |
Deadline Cloud queue |
|
AWS Deadline Cloud | Deadline Cloud API activity on workers. |
Deadline Cloud worker |
|
Amazon DynamoDB | Amazon DynamoDB API activity on streams. |
DynamoDB Streams | AWS::DynamoDB::Stream |
AWS End User Messaging SMS | AWS End User Messaging SMS API activity on origination identities. | SMS Voice origination identity | AWS::SMSVoice::OriginationIdentity |
AWS End User Messaging SMS | AWS End User Messaging SMS API activity on messages. | SMS Voice message | AWS::SMSVoice::Message |
AWS End User Messaging Social | AWS End User Messaging Social API activity on phone number IDs. | Social-Messaging Phone Number Id | AWS::SocialMessaging::PhoneNumberId |
AWS End User Messaging Social | AWS End User Messaging Social API activity on Waba IDs. | Social-Messaging Waba ID | AWS::SocialMessaging::WabaId |
Amazon Elastic Block Store | Amazon Elastic Block Store (EBS) direct APIs, such as
|
Amazon EBS direct APIs | AWS::EC2::Snapshot |
Amazon EMR | Amazon EMR API activity on a write-ahead log workspace. | EMR write-ahead log workspace | AWS::EMRWAL::Workspace |
Amazon FinSpace | Amazon FinSpace API activity on environments. |
FinSpace | AWS::FinSpace::Environment |
AWS Glue | AWS Glue API activity on tables that were created by Lake Formation. |
Lake Formation | AWS::Glue::Table |
Amazon GuardDuty | Amazon GuardDuty API activity for a detector. |
GuardDuty detector | AWS::GuardDuty::Detector |
AWS HealthImaging | AWS HealthImaging API activity on data stores. |
MedicalImaging data store | AWS::MedicalImaging::Datastore |
AWS IoT | IoT certificate | AWS::IoT::Certificate |
|
AWS IoT | IoT thing | AWS::IoT::Thing |
|
AWS IoT Greengrass Version 2 | Greengrass API activity from a Greengrass core device on a component version. NoteGreengrass doesn't log access denied events. |
IoT Greengrass component version | AWS::GreengrassV2::ComponentVersion |
AWS IoT Greengrass Version 2 | Greengrass API activity from a Greengrass core device on a deployment. NoteGreengrass doesn't log access denied events. |
IoT Greengrass deployment | AWS::GreengrassV2::Deployment |
AWS IoT SiteWise | IoT SiteWise asset | AWS::IoTSiteWise::Asset |
|
AWS IoT SiteWise | IoT SiteWise time series | AWS::IoTSiteWise::TimeSeries |
|
AWS IoT SiteWise Assistant | Sitewise Assistant API activity on conversations. |
Sitewise Assistant conversation | AWS::SitewiseAssistant::Conversation |
AWS IoT TwinMaker | IoT TwinMaker API activity on an entity. |
IoT TwinMaker entity | AWS::IoTTwinMaker::Entity |
AWS IoT TwinMaker | IoT TwinMaker API activity on a workspace. |
IoT TwinMaker workspace | AWS::IoTTwinMaker::Workspace |
Amazon Kendra Intelligent Ranking | Amazon Kendra Intelligent Ranking API activity on rescore execution plans. |
Kendra Ranking | AWS::KendraRanking::ExecutionPlan |
Amazon Keyspaces (for Apache Cassandra) | Amazon Keyspaces API activity on a table. | Cassandra table | AWS::Cassandra::Table |
Amazon Kinesis Data Streams | Kinesis Data Streams API activity on streams. | Kinesis stream | AWS::Kinesis::Stream |
Amazon Kinesis Data Streams | Kinesis Data Streams API activity on stream consumers. | Kinesis stream consumer | AWS::Kinesis::StreamConsumer |
Amazon Kinesis Video Streams | Kinesis Video Streams API activity on video streams, such as calls to GetMedia and PutMedia . |
Kinesis video stream | AWS::KinesisVideo::Stream |
Amazon Location Maps | Amazon Location Maps API activity. | Geo Maps | AWS::GeoMaps::Provider |
Amazon Location Places | Amazon Location Places API activity. | Geo Places | AWS::GeoPlaces::Provider |
Amazon Location Routes | Amazon Location Routes API activity. | Geo Routes | AWS::GeoRoutes::Provider |
Amazon Machine Learning | Machine Learning API activity on ML models. | Maching Learning MlModel | AWS::MachineLearning::MlModel |
Amazon Managed Blockchain | Amazon Managed Blockchain API activity on a network. |
Managed Blockchain network | AWS::ManagedBlockchain::Network |
Amazon Managed Blockchain | Amazon Managed Blockchain JSON-RPC calls on Ethereum nodes, such as
|
Managed Blockchain | AWS::ManagedBlockchain::Node |
Amazon Managed Workflows for Apache Airflow | Amazon MWAA API activity on environments. |
Managed Apache Airflow | AWS::MWAA::Environment |
Amazon Neptune Graph | Data API activities, for example queries, algorithms, or vector search, on a Neptune Graph. |
Neptune Graph | AWS::NeptuneGraph::Graph |
Amazon One Enterprise | Amazon One Enterprise API activity on a UKey. |
Amazon One UKey | AWS::One::UKey |
Amazon One Enterprise | Amazon One Enterprise API activity on users. |
Amazon One User | AWS::One::User |
AWS Payment Cryptography | AWS Payment Cryptography API activity on aliases. | Payment Cryptography Alias | AWS::PaymentCryptography::Alias |
AWS Payment Cryptography | AWS Payment Cryptography API activity on keys. | Payment Cryptography Key | AWS::PaymentCryptography::Key |
AWS Private CA | AWS Private CA Connector for Active Directory API activity. |
AWS Private CA Connector for Active Directory | AWS::PCAConnectorAD::Connector |
AWS Private CA | AWS Private CA Connector for SCEP API activity. |
AWS Private CA Connector for SCEP | AWS::PCAConnectorSCEP::Connector |
Amazon Q Apps | Data API activity on Amazon Q Apps. |
Amazon Q Apps | AWS::QApps:QApp |
Amazon Q Business | Amazon Q Business API activity on an application. |
Amazon Q Business application | AWS::QBusiness::Application |
Amazon Q Business | Amazon Q Business API activity on a data source. |
Amazon Q Business data source | AWS::QBusiness::DataSource |
Amazon Q Business | Amazon Q Business API activity on an index. |
Amazon Q Business index | AWS::QBusiness::Index |
Amazon Q Business | Amazon Q Business API activity on a web experience. |
Amazon Q Business web experience | AWS::QBusiness::WebExperience |
Amazon RDS | Amazon RDS API activity on a DB Cluster. |
RDS Data API - DB Cluster | AWS::RDS::DBCluster |
AWS Resource Explorer | Resource Explorer API activity on managed views. |
AWS Resource Explorer managed-view | AWS::ResourceExplorer2::ManagedView |
AWS Resource Explorer | Resource Explorer API activity on views. |
AWS Resource Explorer view | AWS::ResourceExplorer2::View |
Amazon S3 | Amazon S3 API activity on access points. |
S3 Access Point | AWS::S3::AccessPoint |
Amazon S3 | Amazon S3 object-level API activity (for example, |
S3 Express | AWS::S3Express::Object |
Amazon S3 | Amazon S3 Object Lambda access points API activity, such as calls to
|
S3 Object Lambda | AWS::S3ObjectLambda::AccessPoint |
Amazon S3 on Outposts | S3 Outposts | AWS::S3Outposts::Object |
|
Amazon SageMaker |
Amazon SageMaker InvokeEndpointWithResponseStream activity on endpoints. |
SageMaker endpoint | AWS::SageMaker::Endpoint |
Amazon SageMaker | Amazon SageMaker API activity on feature stores. |
SageMaker feature store | AWS::SageMaker::FeatureGroup |
Amazon SageMaker | Amazon SageMaker API activity on experiment trial components. |
SageMaker metrics experiment trial component | AWS::SageMaker::ExperimentTrialComponent |
Amazon SNS | Amazon SNS |
SNS platform endpoint | AWS::SNS::PlatformEndpoint |
Amazon SNS | Amazon SNS |
SNS topic | AWS::SNS::Topic |
Amazon SQS | Amazon SQS API activity on messages. |
SQS | AWS::SQS::Queue |
AWS Step Functions | Step Functions API activity on a state machine. |
Step Functions state machine | AWS::StepFunctions::StateMachine |
AWS Supply Chain | AWS Supply Chain API activity on an instance. |
Supply Chain | AWS::SCN::Instance |
Amazon SWF | SWF domain | AWS::SWF::Domain |
|
AWS Systems Manager | Systems Manager API activity on control channels. | Systems Manager | AWS::SSMMessages::ControlChannel |
AWS Systems Manager | Systems Manager API activity on managed nodes. | Systems Manager managed node | AWS::SSM::ManagedNode |
Amazon Timestream | Amazon Timestream Query API activity on databases. |
Timestream database | AWS::Timestream::Database |
Amazon Timestream | Amazon Timestream Query API activity on tables. |
Timestream table | AWS::Timestream::Table |
Amazon Verified Permissions | Amazon Verified Permissions API activity on a policy store. |
Amazon Verified Permissions | AWS::VerifiedPermissions::PolicyStore |
Amazon WorkSpaces Thin Client | WorkSpaces Thin Client API activity on a Device. | Thin Client Device | AWS::ThinClient::Device |
Amazon WorkSpaces Thin Client | WorkSpaces Thin Client API activity on an Environment. | Thin Client Environment | AWS::ThinClient::Environment |
AWS X-Ray | X-Ray trace | AWS::XRay::Trace |
Data events are not logged by default when you create a trail or event data store. To record CloudTrail data events, you must explicitly add the supported resources or resource types for which you want to collect activity. For more information, see Creating a trail with the CloudTrail console and Create an event data store for CloudTrail events with the console.
Additional charges apply for logging data events. For CloudTrail pricing, see AWS CloudTrail Pricing
The following example shows a single log record of a data event for the Amazon SNS
Publish
action.
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Bob", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AKIAIOSFODNN7EXAMPLE", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "ExampleUser" }, "attributes": { "creationDate": "2023-08-21T16:44:05Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-08-21T16:48:37Z", "eventSource": "sns.amazonaws.com", "eventName": "Publish", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "aws-cli/1.29.16 md/Botocore#1.31.16 ua/2.0 os/linux#5.4.250-173.369.amzn2int.x86_64 md/arch#x86_64 lang/python#3.8.17 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.31.16", "requestParameters": { "topicArn": "arn:aws:sns:us-east-1:123456789012:ExampleSNSTopic", "message": "HIDDEN_DUE_TO_SECURITY_REASONS", "subject": "HIDDEN_DUE_TO_SECURITY_REASONS", "messageStructure": "json", "messageAttributes": "HIDDEN_DUE_TO_SECURITY_REASONS" }, "responseElements": { "messageId": "0787cd1e-d92b-521c-a8b4-90434e8ef840" }, "requestID": "0a8ab208-11bf-5e01-bd2d-ef55861b545d", "eventID": "bb3496d4-5252-4660-9c28-3c6aebdb21c0", "readOnly": false, "resources": [{ "accountId": "123456789012", "type": "AWS::SNS::Topic", "ARN": "arn:aws:sns:us-east-1:123456789012:ExampleSNSTopic" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "123456789012", "eventCategory": "Data", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "sns.us-east-1.amazonaws.com" } }
The next example shows a single log record of a data event for the Amazon Cognito
GetCredentialsForIdentity
action.
{ "eventVersion": "1.08", "userIdentity": { "type": "Unknown" }, "eventTime": "2023-01-19T16:55:08Z", "eventSource": "cognito-identity.amazonaws.com", "eventName": "GetCredentialsForIdentity", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.4", "userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-credentials-for-identity", "requestParameters": { "logins": { "cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS" }, "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE" }, "responseElements": { "credentials": { "accessKeyId": "ASIAIOSFODNN7EXAMPLE", "sessionToken": "aAaAaAaAaAaAab1111111111EXAMPLE", "expiration": "Jan 19, 2023 5:55:08 PM" }, "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE" }, "requestID": "659dfc23-7c4e-4e7c-858a-1abce884d645", "eventID": "6ad1c766-5a41-4b28-b5ca-e223ccb00f0d", "readOnly": false, "resources": [{ "accountId": "111122223333", "type": "AWS::Cognito::IdentityPool", "ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE" }], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data" }
Network activity events
Note
Network activity events is in preview release for CloudTrail and is subject to change.
CloudTrail network activity events enable VPC endpoint owners to record AWS API calls made using their VPC endpoints from a private VPC to the AWS service. Network activity events provide visibility into the resource operations performed within a VPC.
You can log network activity events for the following services:
-
AWS CloudTrail
-
Amazon EC2
-
AWS KMS
-
AWS Secrets Manager
Network activity events are not logged by default when you create a trail or event data store. To record CloudTrail network activity events, you must explicitly set the event source for which you want to collect activity. For more information, see Logging network activity events.
Additional charges apply for logging network activity events. For CloudTrail pricing, see AWS CloudTrail Pricing
The following example shows a successful AWS KMS ListKeys
event that traversed a VPC endpoint. The vpcEndpointId
field shows the ID of the VPC endpoint. The
vpcEndpointAccountId
field shows the account ID of the VPC endpoint owner. In this example, the request was made by the VPC endpoint owner.
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "ASIAIOSFODNN7EXAMPLE:role-name", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/role-name", "accountId": "123456789012", "accessKeyId": "ASIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "ASIAIOSFODNN7EXAMPLE", "arn": "arn:aws:iam::123456789012:role/Admin", "accountId": "123456789012", "userName": "Admin" }, "attributes": { "creationDate": "2024-06-04T23:10:46Z", "mfaAuthenticated": "false" } } }, "eventTime": "2024-06-04T23:12:50Z", "eventSource": "kms.amazonaws.com", "eventName": "ListKeys", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "requestID": "16bcc089-ac49-43f1-9177-EXAMPLE23731", "eventID": "228ca3c8-5f95-4a8a-9732-EXAMPLE60ed9", "eventType": "AwsVpceEvent", "recipientAccountId": "123456789012", "sharedEventID": "a1f3720c-ef19-47e9-a5d5-EXAMPLE8099f", "vpcEndpointId": "vpce-EXAMPLE08c1b6b9b7", "vpcEndpointAccountId": "123456789012", "eventCategory": "NetworkActivity" }
The next example shows an unsuccessful AWS KMS ListKeys
event with a VPC endpoint policy violation. Because a VPC policy violation occurred, both the
errorCode
and errorMessage
fields are present. The account ID in the recipientAccountId
and vpcEndpointAccountId
fields is the same, which indicates the event was sent to the VPC endpoint owner. The accountId
in the userIdentity
element is not the vpcEndpointAccountId
, which indicates that the user making the request is not the VPC endpoint owner.
{ "eventVersion": "1.09", "userIdentity": { "type": "AWSAccount", "principalId": "AKIAIOSFODNN7EXAMPLE", "accountId": "777788889999" }, "eventTime": "2024-07-15T23:57:12Z", "eventSource": "kms.amazonaws.com", "eventName": "ListKeys", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "errorCode": "VpceAccessDenied", "errorMessage": "The request was denied due to a VPC endpoint policy", "requestID": "899003b8-abc4-42bb-ad95-EXAMPLE0c374", "eventID": "7c6e3d04-0c3b-42f2-8589-EXAMPLE826c0", "eventType": "AwsVpceEvent", "recipientAccountId": "123456789012", "sharedEventID": "702f74c4-f692-4bfd-8491-EXAMPLEb1ac4", "vpcEndpointId": "vpce-EXAMPLE08c1b6b9b7", "vpcEndpointAccountId": "123456789012", "eventCategory": "NetworkActivity" }
Insights events
CloudTrail Insights events capture unusual API call rate or error rate activity in your AWS account by analyzing CloudTrail management activity. Insights events provide relevant information, such as the associated API, error code, incident time, and statistics, that help you understand and act on unusual activity. Unlike other types of events captured in a CloudTrail trail or event data store, Insights events are logged only when CloudTrail detects changes in your account's API usage or error rate logging that differ significantly from the account's typical usage patterns.
Examples of activity that might generate Insights events include:
-
Your account typically logs no more than 20 Amazon S3
deleteBucket
API calls per minute, but your account starts to log an average of 100deleteBucket
API calls per minute. An Insights event is logged at the start of the unusual activity, and another Insights event is logged to mark the end of the unusual activity. -
Your account typically logs 20 calls per minute to the Amazon EC2
AuthorizeSecurityGroupIngress
API, but your account starts to log zero calls toAuthorizeSecurityGroupIngress
. An Insights event is logged at the start of the unusual activity, and ten minutes later, when the unusual activity ends, another Insights event is logged to mark the end of the unusual activity. -
Your account typically logs less than one
AccessDeniedException
error in a seven-day period on the AWS Identity and Access Management API,DeleteInstanceProfile
. Your account starts to log an average of 12AccessDeniedException
errors per minute on theDeleteInstanceProfile
API call. An Insights event is logged at the start of the unusual error rate activity, and another Insights event is logged to mark the end of the unusual activity.
These examples are provided for illustration purposes only. Your results may vary depending on your use case.
To log CloudTrail Insights events, you must explicitly enable Insights events on a new or existing trail or event data store. For more information about creating a trail, see Creating a trail with the CloudTrail console. For more information about creating an event data store, see Create an event data store for Insights events with the console.
Additional charges apply for Insights events. You will be charged separately if you enable Insights for both trails and event data stores. For more information, see AWS CloudTrail Pricing
There are two events logged to show unusual activity in CloudTrail Insights: a start event and
an end event. The following example shows a single log record of a starting Insights event that
occurred when the Application Auto Scaling API CompleteLifecycleAction
was called an unusual number
of times. For Insights events, the value of eventCategory
is Insight
.
An insightDetails
block identifies the event state, source, name, Insights type,
and context, including statistics and attributions. For more information about the
insightDetails
block, see CloudTrail Insights insightDetails element.
{ "eventVersion": "1.08", "eventTime": "2023-07-10T01:42:00Z", "awsRegion": "us-east-1", "eventID": "55ed45c5-0b0c-4228-9fe5-EXAMPLEc3f4d", "eventType": "AwsCloudTrailInsight", "recipientAccountId": "123456789012", "sharedEventID": "979c82fe-14d4-4e4c-aa01-EXAMPLE3acee", "insightDetails": { "state": "Start", "eventSource": "autoscaling.amazonaws.com", "eventName": "CompleteLifecycleAction", "insightType": "ApiCallRateInsight", "insightContext": { "statistics": { "baseline": { "average": 9.82222E-5 }, "insight": { "average": 5.0 }, "insightDuration": 1, "baselineDuration": 10181 }, "attributions": [{ "attribute": "userIdentityArn", "insight": [{ "value": "arn:aws:sts::123456789012:assumed-role/CodeDeployRole1", "average": 5.0 }, { "value": "arn:aws:sts::123456789012:assumed-role/CodeDeployRole2", "average": 5.0 }, { "value": "arn:aws:sts::123456789012:assumed-role/CodeDeployRole3", "average": 5.0 }], "baseline": [{ "value": "arn:aws:sts::123456789012:assumed-role/CodeDeployRole1", "average": 9.82222E-5 }] }, { "attribute": "userAgent", "insight": [{ "value": "codedeploy.amazonaws.com", "average": 5.0 }], "baseline": [{ "value": "codedeploy.amazonaws.com", "average": 9.82222E-5 }] }, { "attribute": "errorCode", "insight": [{ "value": "null", "average": 5.0 }], "baseline": [{ "value": "null", "average": 9.82222E-5 }] }] } }, "eventCategory": "Insight" }