View CloudTrail Lake dashboards - AWS CloudTrail

This walkthrough shows you how to view CloudTrail Lake dashboards. CloudTrail Lake dashboards let you visualize the events in your event data store and see trends, such as top users and top errors.

Each dashboard consists of multiple widgets, and each widget represents a SQL query. To populate the dashboard, CloudTrail runs system-generated queries. Queries incur charges based on the amount of data scanned.

Note

Currently, dashboards are only available for event data stores that collect CloudTrail management events, Amazon S3 data events, and Insights events.

To view Lake dashboards
  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. From the navigation pane, under Lake, choose Dashboard.

  3. The first time you view the Dashboards page, CloudTrail asks you to acknowledge the costs associated with running queries. Choose I agree to acknowledge the cost of running queries. This is a one-time confirmation. For more information about CloudTrail pricing, see CloudTrail Pricing.

  4. Choose your event data store from the list and then choose the dashboard type you want to view.

    The following are the possible dashboard types.

    • Overview dashboard - Shows the most active users, AWS Regions, and AWS services by event count. You can also view information about read and write management event activity, most throttled events, and the top errors. This dashboard is available for event data stores that collect management events.

    • Management Events dashboard - Shows console sign-in events, access denied events, destructive actions, and top errors by user. You can also view information about TLS versions and outdated TLS calls by user. This dashboard is available for event data stores that collect management events.

    • S3 Data Events dashboard - Shows S3 account activity, most accessed S3 objects, top S3 users, and top S3 actions. This dashboard is available for event data stores that collect Amazon S3 data events.

    • Insights Events dashboard - Shows the overall proportion of Insights events by Insights type, the proportion of Insights events by Insights type for the top users and services, and the number of Insights events per day. The dashboard also includes a widget that lists up to 30 days of Insights events. This dashboard is only available for event data stores that collect Insights events.

      Note
      • After you enable CloudTrail Insights for the first time on the source event data store, it can take up to 7 days for CloudTrail to deliver the first Insights event, if unusual activity is detected. For more information, see Understanding Insights events delivery.

      • The Insights Events dashboard only displays information about the Insights events collected by the selected event data store, which is determined by the configuration of the source event data store. For example, if you configure the source event data store to enable Insights events on ApiCallRateInsight but not ApiErrorRateInsight, you won't see information about Insights events on ApiErrorRateInsight.

    In this example, we've chosen the Overview dashboard.

  5. Choose the date field to filter on a time range and then choose Apply. Choose Absolute range to select a specific date and time range. Choose Relative range to select a predefined time range or a custom range. By default, the dashboard displays event data for the past 24 hours.

    Note

    Because CloudTrail queries are charged based on the amount of data scanned, you can reduce costs by filtering on a narrower time range.

  6. Choose Run queries to populate the dashboard. Each widget individually displays the status of its associated query and presents data when its query completes.

    You can perform additional filtering on some widgets, such as Account activity, which lets you filter on read and write event activity.

  7. To view the query for a widget, choose View and analyze in query editor.

    Choosing View and analyze in query editor opens the query in CloudTrail Lake's query editor, which lets you further analyze the query results outside of the dashboard. For more information about editing a query, see Create or edit a query with the CloudTrail console. For more information about running a query and saving query results, see Run a query and save query results with the console.

    For more information about dashboards, see View CloudTrail Lake dashboards with the CloudTrail console.
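
The following query is an added example, not one of the system-generated queries behind a widget. It shows the kind of query you can run in the query editor that step 7 opens: access denied management events per principal, similar in scope to the Management Events dashboard. `<event-data-store-id>` is a placeholder for your event data store ID, and the time bounds and error-code patterns are assumptions chosen for illustration.

```sql
-- Added example: access denied management events, grouped by principal and API call.
-- <event-data-store-id> is a placeholder; replace it with your event data store ID.
-- The time bounds are constructed values. Keep the window narrow, because
-- queries are charged based on the amount of data scanned.
SELECT
    userIdentity.arn   AS principal,
    eventSource,
    eventName,
    errorCode,
    COUNT(*)           AS deniedCalls,
    MIN(eventTime)     AS firstSeen,
    MAX(eventTime)     AS lastSeen
FROM <event-data-store-id>
WHERE eventTime >= '2024-05-01 00:00:00'
  AND eventTime <  '2024-05-02 00:00:00'
  AND eventCategory = 'Management'
  -- Assumed patterns: services report denials under several error codes,
  -- such as AccessDenied, AccessDeniedException and Client.UnauthorizedOperation.
  AND (errorCode LIKE '%AccessDenied%'
       OR errorCode LIKE '%UnauthorizedOperation%')
GROUP BY userIdentity.arn, eventSource, eventName, errorCode
ORDER BY deniedCalls DESC
LIMIT 25
```

A principal with many denials across unrelated services in a short window is worth reviewing against its expected permissions; `firstSeen` and `lastSeen` give the span to examine in more detail.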