Enabling CloudTrail Data Event Logging for Gateway

You can use CloudTrail data events to get information about Gateway requests. To enable CloudTrail data events for Gateway, you must create a trail manually in CloudTrail backed by an Amazon S3 bucket.

Note

Data event logging incurs additional charges. You must explicitly enable data events as they are not captured by default. Check to ensure that you have data events enabled for your account.
With a Gateway that is generating a high workload, you could quickly generate thousands of logs in a short amount of time. Be mindful of how long you choose to enable CloudTrail data events for a busy Gateway.

CloudTrail stores Gateway data event logs in an Amazon S3 bucket of your choosing. Consider using a bucket in a separate AWS account to better organize events from multiple resources into a central place for easier querying and analysis.

When you log data events for a trail in CloudTrail, you must use advanced event selectors to log data events for Gateway operations.

AWS CLI

To enable CloudTrail data events for Gateway using the AWS CLI, you can use the following command:



aws cloudtrail put-event-selectors \
  --trail-name brac-gateway-canary-trail-prod-us-east-1 \
  --region us-east-1 \
  --advanced-event-selectors '[
    {            
      "Name": "GatewayDataEvents",
      "FieldSelectors": [
        {
          "Field": "eventCategory",
          "Equals": ["Data"]
        },
        {
          "Field": "resources.type",
          "Equals": ["AWS::BedrockAgentCore::Gateway"]
        }
      ]
    }
  ]'

AWS CDK

Here's an example of how to create a CloudTrail trail with Gateway data events using AWS CDK:



import { Construct } from 'constructs';
import { Trail, CfnTrail } from 'aws-cdk-lib/aws-cloudtrail';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { Effect, PolicyStatement, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
import { RemovalPolicy } from 'aws-cdk-lib';

export interface DataEventTrailProps {
  /**
   * Whether to enable multi-region trail
   */
  isMultiRegionTrail?: boolean;
  
  /**
   * Whether to include global service events
   */
  includeGlobalServiceEvents?: boolean;
  
  /**
   * AWS region
   */
  region: string;
  
  /**
   * Environment account ID
   */
  account: string;
}

/**
 * Creates a CloudTrail trail configured to capture data events for Bedrock Agent Core Gateway
 */
export class BedrockAgentCoreDataEventTrail extends Construct {
  /**
   * The CloudTrail trail
   */
  public readonly trail: Trail;
  
  /**
   * The S3 bucket for CloudTrail logs
   */
  public readonly logsBucket: Bucket;
  
  constructor(scope: Construct, id: string, props: DataEventTrailProps) {
    super(scope, id);
    
    // Create S3 bucket for CloudTrail logs
    const bucketName = `brac-gateway-cloudtrail-logs-${props.account}-${props.region}`;
    this.logsBucket = new Bucket(this, 'CloudTrailLogsBucket', {
      bucketName,
      removalPolicy: RemovalPolicy.RETAIN,
    });
    
    // Create trail name (suffixing region since regional trail)
    const trailName = `brac-gateway-trail-${props.region}`;
    
    // Add CloudTrail bucket policy
    this.logsBucket.addToResourcePolicy(
      new PolicyStatement({
        sid: 'AWSCloudTrailAclCheck',
        effect: Effect.ALLOW,
        principals: [new ServicePrincipal('cloudtrail.amazonaws.com')],
        actions: ['s3:GetBucketAcl'],
        resources: [this.logsBucket.bucketArn],
        conditions: {
          StringEquals: {
            'aws:SourceArn': `arn:aws:cloudtrail:${props.region}:${props.account}:trail/${trailName}`,
          },
        },
      }),
    );
    
    this.logsBucket.addToResourcePolicy(
      new PolicyStatement({
        sid: 'AWSCloudTrailWrite',
        effect: Effect.ALLOW,
        principals: [new ServicePrincipal('cloudtrail.amazonaws.com')],
        actions: ['s3:PutObject'],
        resources: [this.logsBucket.arnForObjects(`AWSLogs/${props.account}/*`)],
        conditions: {
          StringEquals: {
            's3:x-amz-acl': 'bucket-owner-full-control',
            'aws:SourceArn': `arn:aws:cloudtrail:${props.region}:${props.account}:trail/${trailName}`,
          },
        },
      }),
    );
    
    // Create CloudTrail trail
    this.trail = new Trail(this, 'GatewayDataEventTrail', {
      trailName,
      bucket: this.logsBucket,
      isMultiRegionTrail: props.isMultiRegionTrail ?? false,
      includeGlobalServiceEvents: props.includeGlobalServiceEvents ?? true,
      enableFileValidation: true,
    });
    
    // Add advanced event selectors for Bedrock Agent Core Gateway data events
    const cfnTrail = this.trail.node.defaultChild as CfnTrail;
    
    // Define the advanced event selectors
    const advancedEventSelectors = [
      {
        // Log Bedrock Agent Core Gateway Data Events only
        fieldSelectors: [
          {
            field: 'eventCategory',
            equalTo: ['Data'],
          },
          {
            field: 'resources.type',
            equalTo: ['AWS::BedrockAgentCore::Gateway'],
          },
        ],
      },
    ];
    
    // Clear any existing event selectors and set advanced event selectors
    cfnTrail.eventSelectors = undefined;
    cfnTrail.advancedEventSelectors = advancedEventSelectors;
  }
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Gateway Event Types

Understanding Gateway CloudTrail Events