Menu
AWS CloudTrail
User Guide (Version 1.0)

Viewing Events with CloudTrail Event History

You can troubleshoot operational and security incidents over the past 90 days in the CloudTrail console by viewing Event history. You can look up events related to creation, modification, or deletion of resources (such as IAM users or Amazon EC2 instances) in your AWS account on a per-region basis. Events can be viewed and downloaded by using the AWS CloudTrail console. You can customize the view of event history in the console by selecting which columns are displayed and which are hidden. You can programmatically look up events by using the AWS SDKs or AWS Command Line Interface.

Note

CloudTrail began logging all CloudTrail management events in Event history on June 14, 2018, but these events are not logged retroactively. A full 90-day record of all management event activity in your AWS account will not be available in Event history until after 90 days have passed.

Over time, AWS services might add additional events. CloudTrail will record these events in Event history, but a full 90-day record of activity that includes added events will not be available until 90 days after the events are added.

This section describes how to look up events by using the CloudTrail console and the AWS CLI. It also describes how to download a file of events. For information on using the LookupEvents API to retrieve information from CloudTrail events, see the AWS CloudTrail API Reference.

For information on creating a trail so that you have a record of events that extends past 90 days, see Creating a Trail and Getting and Viewing Your CloudTrail Log Files.