Logging AWS Secrets Manager events with AWS CloudTrail - AWS Secrets Manager

Logging AWS Secrets Manager events with AWS CloudTrail

AWS CloudTrail records all API calls for Secrets Manager as events, including calls from the Secrets Manager console. CloudTrail also captures the following events:

  • RotationAbandoned event - Secrets Manager removed the AWSPENDING label from an existing version of a secret. When you manually create a new version of a secret, you send a message signalling the abandonment of the current ongoing rotation in favor of the new secret version. As a result, Secrets Manager removes the AWSPENDING label to allow future rotations to succeed and publish a CloudTrail event to provide awareness of the change.

  • RotationStarted event - A secret started rotation.

  • RotationSucceeded event - A successful rotation event.

  • RotationFailed event - Secret rotation failed.

  • StartSecretVersionDelete event - a mechanism that notifies you of the start deletion for a secret version.

  • CancelSecretVersionDelete event - A delete cancellation for a secret version.

  • EndSecretVersionDelete event - An ending secret version deletion.

You can use the CloudTrail console to view the last 90 days of recorded events. For an ongoing record of events in your AWS account, including events for Secrets Manager, create a trail so that CloudTrail delivers log files to an Amazon S3 bucket. See Creating a trail for your AWS account. You can also configure CloudTrail to receive CloudTrail log files from multiple AWS accounts and AWS Regions.

You can configure other AWS services to further analyze and act upon the data collected in CloudTrail logs. See AWS service integrations with CloudTrail logs. You can also get notifications when CloudTrail publishes new log files to your Amazon S3 bucket. See Configuring Amazon SNS notifications for CloudTrail.

To retrieve Secrets Manager events from CloudTrail logs (console)

  1. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Ensure that the console points to the region where your events occurred. The console shows only those events that occurred in the selected region. Choose the region from the drop-down list in the upper-right corner of the console.

  3. In the left-hand navigation pane, choose Event history.

  4. Choose Filter criteria and/or a Time range to help you find the event that you're looking for. For example, to see all Secrets Manager events, for Select attribute, choose Event source. Then, for Enter event source, choose secretsmanager.amazonaws.com.

  5. To see additional details, choose the expand arrow next to event. To see all of the information available, choose View event.


To retrieve Secrets Manager events from CloudTrail logs (AWS CLI or SDK)

  1. Open a command window to run AWS CLI commands.

  2. Run a command similar to the following example.

    $ aws cloudtrail lookup-events --region us-east-1 --lookup-attributes AttributeKey=EventSource,AttributeValue=secretsmanager.amazonaws.com { "Events": [ { "EventId": "EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE", "EventName": "CreateSecret", "EventTime": 1525106994.0, "Username": "Administrator", "Resources": [], "CloudTrailEvent": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AKIAIOSFODNN7EXAMPLE\", \"arn\":\"arn:aws:iam::123456789012:user/Administrator\",\"accountId\":\"123456789012\",\"accessKeyId\":\"AKIAIOSFODNN7EXAMPLE\", \"userName\":\"Administrator\"},\"eventTime\":\"2018-04-30T16:49:54Z\",\"eventSource\":\"secretsmanager.amazonaws.com\", \"eventName\":\"CreateSecret\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"\", \"userAgent\":\"<useragent string>\",\"requestParameters\":{\"name\":\"MyTestSecret\", \"clientRequestToken\":\"EXAMPLE2-90ab-cdef-fedc-ba987EXAMPLE\"},\"responseElements\":null, \"requestID\":\"EXAMPLE3-90ab-cdef-fedc-ba987EXAMPLE\",\"eventID\":\"EXAMPLE4-90ab-cdef-fedc-ba987EXAMPLE\", \"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}" } ] }

Examples of Secrets Manager log entries

The following example shows a CloudTrail log entry for a sample CreateSecret call:

{ "eventVersion": "1.05", "userIdentity": { "type": "Root", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "myusername", "sessionContext": {"attributes": { "mfaAuthenticated": "false", "creationDate": "2018-04-03T17:43:50Z" }} }, "eventTime": "2018-04-03T17:50:55Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "CreateSecret", "awsRegion": "us-east-2", "requestParameters": { "name": "MyDatabaseSecret", "clientRequestToken": "EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE" }, "responseElements": null, "requestID": "EXAMPLE2-90ab-cdef-fedc-ba987EXAMPLE", "eventID": "EXAMPLE3-90ab-cdef-fedc-ba987EXAMPLE", "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }

The following example shows a CloudTrail log entry for a sample DeleteSecret call:

{ "eventVersion": "1.05", "userIdentity": { "type": "Root", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "myusername", "sessionContext": {"attributes": { "mfaAuthenticated": "false", "creationDate": "2018-04-03T17:43:50Z" }} }, "eventTime": "2018-04-03T17:51:02Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "DeleteSecret", "awsRegion": "us-east-2", "requestParameters": { "recoveryWindowInDays": 30, "secretId": "MyDatabaseSecret" }, "responseElements": { "name": "MyDatabaseSecret", "deletionDate": "May 3, 2018 5:51:02 PM", "aRN": "arn:aws:secretsmanager:us-east-2:123456789012:secret:MyDatabaseSecret-a1b2c3" }, "requestID": "EXAMPLE2-90ab-cdef-fedc-ba987EXAMPLE", "eventID": "EXAMPLE3-90ab-cdef-fedc-ba987EXAMPLE", "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }