

# Understanding CloudTrail events
<a name="cloudtrail-events"></a>

An event in CloudTrail is the record of an activity in an AWS account. This activity can be an action taken by an IAM identity, or by an AWS service that CloudTrail can monitor. CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

CloudTrail log files aren't an ordered stack trace of the public API calls, so events in a log file don't appear in any specific order. Sort on the `eventTime` field when you need the chronology of an activity.

There are four types of CloudTrail events:
+ [Management events](#cloudtrail-management-events)
+ [Data events](#cloudtrail-data-events)
+ [Network activity events](#cloudtrail-network-events)
+ [Insights events](#cloudtrail-insights-events)

By default, trails and event data stores log management events, but not data events, network activity events, or Insights events.

All event types use a CloudTrail JSON log format. The log contains information about requests for resources in your account, such as who made the request, the services used, the actions performed, and parameters for the action. The event data is enclosed in a `Records` array.

For information about CloudTrail event record fields for management, data, and network activity events, see [CloudTrail record contents for management, data, and network activity events](cloudtrail-event-reference-record-contents.md).

For information about CloudTrail event record fields for Insights events for trails, see [CloudTrail record contents for Insights events for trails](cloudtrail-insights-fields-trails.md).

For information about CloudTrail event record fields for Insights events for event data stores, see [CloudTrail record contents for Insights events for event data stores](cloudtrail-insights-fields-lake.md).

## Management events
<a name="cloudtrail-management-events"></a>

Management events provide information about management operations that are performed on resources in your AWS account. These are also known as *control plane operations*.

Example management events include:
+ Configuring security (for example, AWS Identity and Access Management `AttachRolePolicy` API operations).
+ Registering devices (for example, Amazon EC2 `CreateDefaultVpc` API operations).
+ Configuring rules for routing data (for example, Amazon EC2 `CreateSubnet` API operations).
+ Setting up logging (for example, AWS CloudTrail `CreateTrail` API operations).

Management events can also include non-API events that occur in your account. For example, when a user signs in to your account, CloudTrail logs the `ConsoleLogin` event. For more information, see [Non-API events captured by CloudTrail](cloudtrail-non-api-events.md).

By default, CloudTrail trails and CloudTrail Lake event data stores log management events. For more information about logging management events, see [Logging management events](logging-management-events-with-cloudtrail.md).

The following example shows a single log record of a management event. In this event, an IAM user named `Mary_Major` ran the **aws cloudtrail start-logging** command to call the CloudTrail [StartLogging](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StartLogging.html) action to start the logging process on a trail named `myTrail`.

```
{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLE6E4XEGITWATV6R",
        "arn": "arn:aws:iam::123456789012:user/Mary_Major",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Mary_Major",
        "sessionContext": {
            "attributes": {
                "creationDate": "2023-07-19T21:11:57Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-19T21:33:41Z",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "StartLogging",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.start-logging",
    "requestParameters": {
        "name": "myTrail"
    },
    "responseElements": null,
    "requestID": "9d478fc1-4f10-490f-a26b-EXAMPLE0e932",
    "eventID": "eae87c48-d421-4626-94f5-EXAMPLEac994",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}
```

In this next example, an IAM user named `Paulo_Santos` ran the **aws cloudtrail start-event-data-store-ingestion** command to call the [StartEventDataStoreIngestion](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StartEventDataStoreIngestion.html) action to start ingestion on an event data store.

```
{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLEPHCNW5EQV7NA54",
        "arn": "arn:aws:iam::123456789012:user/Paulo_Santos",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Paulo_Santos",
        "sessionContext": {
            "attributes": {
                "creationDate": "2023-07-21T21:55:30Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-21T21:57:28Z",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "StartEventDataStoreIngestion",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.13.1 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.start-event-data-store-ingestion",
    "requestParameters": {
        "eventDataStore": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/2a8f2138-0caa-46c8-a194-EXAMPLE87d41"
    },
    "responseElements": null,
    "requestID": "f62a3494-ba4e-49ee-8e27-EXAMPLE4253f",
    "eventID": "d97ca7e2-04fe-45b4-882d-EXAMPLEa9b2c",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}
```
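The two records above are exactly what a detection rule consumes. The following added example (not code from the CloudTrail documentation or from AWS) reads one CloudTrail log file as delivered to S3, gzip-compressed or plain, walks its `Records` array, and flags three things a defender wants to see first: calls that change what CloudTrail records (such as `StopLogging` or `PutEventSelectors`), `ConsoleLogin` events without MFA, and write calls by IAM users from sessions without MFA. The sample file is constructed: its first record is trimmed from the `StartLogging` example above and the rest are invented, using documentation account IDs. The `additionalEventData.MFAUsed` field read for `ConsoleLogin` comes from CloudTrail's non-API sign-in events rather than from the records shown on this page, and grouping those API names as "tamper" is this example's own choice.

```python
"""Triage one CloudTrail log file for the management events a defender wants to see first.

Added example: not code from the CloudTrail documentation or from AWS. The three rules
and the sample records are this example's own constructions; the field names follow
the CloudTrail record format shown on this page.
"""
import gzip
import json

# CloudTrail and CloudTrail Lake API operations whose success shrinks your audit coverage.
# The names are real; grouping them as "logging tamper" is this example's choice.
LOGGING_TAMPER_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "StopEventDataStoreIngestion", "DeleteEventDataStore", "UpdateEventDataStore",
}


def load_records(raw: bytes) -> list:
    """Return the Records array of one log file, gzip-compressed (as delivered to S3) or plain."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic number
        raw = gzip.decompress(raw)
    return json.loads(raw).get("Records", [])


def actor(rec: dict) -> str:
    """Principal as a readable string: the ARN when present, otherwise type/principalId."""
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or f'{ident.get("type", "?")}/{ident.get("principalId", "?")}'


def mfa_authenticated(rec: dict) -> bool:
    """True only when the session was MFA-authenticated. Long-term access keys carry no
    sessionContext at all, so a missing value is treated as 'no MFA' on purpose."""
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def triage(records: list) -> list:
    """Apply three rules to management events and return one finding dict per hit."""
    findings = []
    for rec in records:
        # Records that predate the eventCategory field are assumed to be management events.
        if rec.get("eventCategory", "Management") != "Management":
            continue
        name = rec.get("eventName")
        outcome = f'failed ({rec["errorCode"]})' if "errorCode" in rec else "succeeded"
        base = {"eventID": rec.get("eventID"), "eventName": name, "actor": actor(rec)}

        # Rule 1: anything that changes what CloudTrail records, whether or not it succeeded.
        # A denied StopLogging still shows someone probing the audit trail.
        if name in LOGGING_TAMPER_EVENTS:
            findings.append({**base, "reason": f"audit logging change {outcome}"})

        # Rule 2: console sign-in without MFA. ConsoleLogin is a non-API event whose MFA
        # status is in additionalEventData.MFAUsed, not in sessionContext.
        if rec.get("eventType") == "AwsConsoleSignIn" and name == "ConsoleLogin":
            if rec.get("additionalEventData", {}).get("MFAUsed") == "No":
                findings.append({**base, "reason": "console sign-in without MFA"})
            continue

        # Rule 3: an IAM user made a write (readOnly false) call from a session without MFA.
        if (rec.get("userIdentity", {}).get("type") == "IAMUser"
                and rec.get("readOnly") is False and not mfa_authenticated(rec)):
            findings.append({**base, "reason": f"write call without MFA {outcome}"})
    return findings


# Constructed sample file. The first record is trimmed from the StartLogging example on this
# page; the others are invented. Account IDs and IPs are documentation placeholder values.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.09", "eventCategory": "Management", "eventType": "AwsApiCall",
     "eventName": "StartLogging", "readOnly": False, "sourceIPAddress": "192.0.2.0",
     "eventID": "eae87c48-d421-4626-94f5-EXAMPLEac994",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Mary_Major",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventVersion": "1.09", "eventCategory": "Management", "eventType": "AwsApiCall",
     "eventName": "StopLogging", "readOnly": False, "errorCode": "AccessDenied",
     "eventID": "00000000-0000-4000-8000-EXAMPLE00001",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Dev/app",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventVersion": "1.09", "eventCategory": "Management", "eventType": "AwsConsoleSignIn",
     "eventName": "ConsoleLogin", "eventID": "00000000-0000-4000-8000-EXAMPLE00002",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Paulo_Santos"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.09", "eventCategory": "Management", "eventType": "AwsApiCall",
     "eventName": "DescribeTrails", "readOnly": True,
     "eventID": "00000000-0000-4000-8000-EXAMPLE00003",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Mary_Major",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventVersion": "1.09", "eventCategory": "Data", "eventType": "AwsApiCall",
     "eventName": "GetObject", "readOnly": True, "eventID": "00000000-0000-4000-8000-EXAMPLE00004",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Mary_Major"}},
]}).encode()

if __name__ == "__main__":
    for f in triage(load_records(gzip.compress(SAMPLE_LOG))):
        print(f'{f["eventID"]}  {f["eventName"]:<14} {f["actor"]}: {f["reason"]}')
```

To run it against a real file, pass the raw bytes of a delivered object to `load_records` and the result to `triage`. The fields to key on are `eventCategory`, `readOnly`, and `userIdentity.sessionContext.attributes.mfaAuthenticated`; note that the rule keeps failed `StopLogging` attempts (an `errorCode` is present) because a denied call against the audit trail is itself a signal.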

## Data events
<a name="cloudtrail-data-events"></a>

Data events provide information about the resource operations performed on or in a resource. These are also known as *data plane operations*. Data events are often high-volume activities.

Example data events include:
+ [Amazon S3 object-level API activity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-data-events) (for example, `GetObject`, `DeleteObject`, and `PutObject` API operations) on objects in S3 buckets.
+ AWS Lambda function execution activity (the `Invoke` API).
+ CloudTrail [PutAuditEvents](https://docs.aws.amazon.com/awscloudtraildata/latest/APIReference/API_PutAuditEvents.html) activity on a [CloudTrail Lake channel](query-event-data-store-integration.md) that is used to log events from outside AWS.
+ Amazon SNS [Publish](https://docs.aws.amazon.com/sns/latest/api/API_Publish.html) and [PublishBatch](https://docs.aws.amazon.com/sns/latest/api/API_PublishBatch.html) API operations on topics.

The following table shows the resource types available for trails and event data stores. The **Resource type (console)** column shows the appropriate selection in the console. The **resources.type value** column shows the `resources.type` value that you would specify to include data events of that type in your trail or event data store using the AWS CLI or CloudTrail APIs.

For trails, you can use basic or advanced event selectors to log data events for Amazon S3 objects in general purpose buckets (`AWS::S3::Object`), Lambda functions (`AWS::Lambda::Function`), and DynamoDB tables (`AWS::DynamoDB::Table`). You can use only advanced event selectors to log the other resource types in the table.

For event data stores, you can use only advanced event selectors to include data events.
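Advanced event selectors are the mechanism behind the rest of this section, so it helps to see one built and evaluated before it is sent to a trail. The following added example (not code from the CloudTrail documentation or the AWS CLI) constructs two advanced event selectors from the documented fields (`eventCategory`, `resources.type`, `resources.ARN`, `readOnly`) and operators (`Equals`, `NotEquals`, `StartsWith`, `EndsWith`, `NotStartsWith`, `NotEndsWith`), then runs constructed sample records through a matcher that approximates how a trail applies them: selectors are ORed, field selectors within one selector are ANDed, and a `resources.*` condition holds if any entry in the record's `resources` array satisfies it (which is why, as the DynamoDB row in the table below notes, selecting `AWS::DynamoDB::Table` also captures stream events). The bucket and function names are invented, and the matcher is this example's approximation, not CloudTrail's evaluation engine.

```python
"""Build CloudTrail advanced event selectors and dry-run them against sample records.

Added example, not code from the CloudTrail documentation or the AWS CLI. The selector
JSON shape, field names and operators are the documented ones; the matcher is this
example's own approximation of how a trail evaluates them. Names are placeholders.
"""
import json

OPERATORS = ("Equals", "NotEquals", "StartsWith", "EndsWith", "NotStartsWith", "NotEndsWith")

def field_values(rec, field):
    """Resolve one selector field against a record. 'resources.type' and 'resources.ARN'
    fan out over the resources array, which is why selecting AWS::DynamoDB::Table also
    matches records that carry a Stream resource. Booleans become 'true'/'false'."""
    if field.startswith("resources."):
        key = field.split(".", 1)[1]
        return [r[key] for r in rec.get("resources", []) if key in r]
    cur = rec
    for part in field.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return []
        cur = cur[part]
    return [str(cur).lower() if isinstance(cur, bool) else str(cur)]

def condition_holds(op, wanted, values):
    """Equals/StartsWith/EndsWith need at least one hit; the Not* forms need none."""
    def hit(v, w):
        if op.endswith("Equals"):
            return v == w
        return v.startswith(w) if op.endswith("StartsWith") else v.endswith(w)
    hits = any(hit(v, w) for v in values for w in wanted)
    return not hits if op.startswith("Not") else hits

def selector_matches(selector, rec):
    """Every field selector in one advanced event selector must hold (AND)."""
    return all(condition_holds(op, fs[op], field_values(rec, fs["Field"]))
               for fs in selector["FieldSelectors"] for op in OPERATORS if op in fs)

def trail_would_log(selectors, rec):
    """A trail or event data store logs the event if any of its selectors matches (OR)."""
    return any(selector_matches(s, rec) for s in selectors)

def selector_problems(selectors):
    """Mistakes PutEventSelectors would reject: an unknown operator key, or a selector
    that does not pin eventCategory with Equals (documented as required)."""
    problems = []
    for s in selectors:
        if any(set(fs) - {"Field", *OPERATORS} for fs in s["FieldSelectors"]):
            problems.append(f"{s['Name']!r}: unknown operator key")
        if not any(fs["Field"] == "eventCategory" and "Equals" in fs for fs in s["FieldSelectors"]):
            problems.append(f"{s['Name']!r}: eventCategory must be pinned with Equals")
    return problems

# Selectors this example builds: write-only S3 object events for one bucket, plus every
# Lambda Invoke except a noisy health-check function. Bucket and function names are invented.
SELECTORS = [
    {"Name": "S3 writes to the audit bucket",
     "FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Data"]},
         {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
         {"Field": "readOnly", "Equals": ["false"]},
         {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::amzn-s3-demo-bucket/"]}]},
    {"Name": "Lambda invokes minus the health check",
     "FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Data"]},
         {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]},
         {"Field": "resources.ARN", "NotEndsWith": [":function:health-check"]}]},
]

# Constructed records trimmed to the fields the selectors read; not real log output.
S3_ARN = "arn:aws:s3:::amzn-s3-demo-bucket/2024/report.csv"
LAMBDA_ARN = "arn:aws:lambda:us-east-1:123456789012:function:"
SAMPLE_EVENTS = [
    {"eventCategory": "Data", "eventName": "PutObject", "readOnly": False,
     "resources": [{"type": "AWS::S3::Object", "ARN": S3_ARN}]},
    {"eventCategory": "Data", "eventName": "GetObject", "readOnly": True,
     "resources": [{"type": "AWS::S3::Object", "ARN": S3_ARN}]},
    {"eventCategory": "Data", "eventName": "PutObject", "readOnly": False,
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::other-bucket/report.csv"}]},
    {"eventCategory": "Data", "eventName": "Invoke", "readOnly": False,
     "resources": [{"type": "AWS::Lambda::Function", "ARN": LAMBDA_ARN + "ingest"}]},
    {"eventCategory": "Data", "eventName": "Invoke", "readOnly": False,
     "resources": [{"type": "AWS::Lambda::Function", "ARN": LAMBDA_ARN + "health-check"}]},
    {"eventCategory": "Management", "eventName": "StopLogging", "readOnly": False},
]

def dry_run(selectors=SELECTORS, events=SAMPLE_EVENTS):
    """Return the eventName of each sample event the selectors would log."""
    if problems := selector_problems(selectors):
        raise ValueError("; ".join(problems))
    return [e["eventName"] for e in events if trail_would_log(selectors, e)]

if __name__ == "__main__":
    print(json.dumps(SELECTORS, indent=2))  # paste into --advanced-event-selectors
    print(dry_run())                        # ['PutObject', 'Invoke']
```

The `SELECTORS` array the script prints is the shape that `aws cloudtrail put-event-selectors --trail-name myTrail --advanced-event-selectors file://selectors.json` expects for a trail, and the same array goes in the `--advanced-event-selectors` parameter of `create-event-data-store` for CloudTrail Lake. Dry-running against representative records before deploying catches the quiet mistakes, such as an ARN prefix without its trailing slash that also matches `amzn-s3-demo-bucket-backup/`, or a `readOnly` condition that silently drops the writes you wanted.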

### Data events supported by AWS CloudTrail
<a name="w2aac21c23c17"></a>



| AWS service | Description | Resource type (console) | resources.type value | 
| --- | --- | --- | --- | 
| Amazon RDS | [Amazon RDS API activity](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/logging-using-cloudtrail-data-api.html#logging-using-cloudtrail-data-api.including-excluding-cloudtrail-events) on a DB Cluster. | RDS Data API - DB Cluster | AWS::RDS::DBCluster | 
| Amazon S3 | [Amazon S3 object-level API activity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-data-events) (for example, `GetObject`, `DeleteObject`, and `PutObject` API operations) on objects in general purpose buckets. | S3 | AWS::S3::Object | 
| Amazon S3 | [Amazon S3 API activity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-data-events) on access points. | S3 Access Point | AWS::S3::AccessPoint | 
| Amazon S3 | [Amazon S3 object-level API activity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-data-events) (for example, `GetObject`, `DeleteObject`, and `PutObject` API operations) on objects in directory buckets. | S3 Express | AWS::S3Express::Object | 
| Amazon S3 | [Amazon S3 Object Lambda access points API activity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-data-events), such as calls to `CompleteMultipartUpload` and `GetObject`. | S3 Object Lambda | AWS::S3ObjectLambda::AccessPoint | 
| Amazon FSx | Amazon FSx API activity on volumes. | FSx Volume | AWS::FSx::Volume | 
| Amazon S3 Tables | Amazon S3 API activity on [tables](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-create.html). | S3 table | AWS::S3Tables::Table | 
| Amazon S3 Tables | Amazon S3 API activity on [table buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-buckets.html). | S3 table bucket | AWS::S3Tables::TableBucket | 
| Amazon S3 Vectors | Amazon S3 API activity on [vector buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-buckets.html). | S3 vector bucket | AWS::S3Vectors::VectorBucket | 
| Amazon S3 Vectors | Amazon S3 API activity on [vector indexes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-indexes.html). | S3 vector index | AWS::S3Vectors::Index | 
| Amazon S3 on Outposts |  [Amazon S3 on Outposts object-level API activity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-data-events). | S3 Outposts | AWS::S3Outposts::Object | 
| Amazon SNS | Amazon SNS [Publish](https://docs.aws.amazon.com/sns/latest/api/API_Publish.html) API operations on platform endpoints. | SNS platform endpoint | AWS::SNS::PlatformEndpoint | 
| Amazon SNS | Amazon SNS [Publish](https://docs.aws.amazon.com/sns/latest/api/API_Publish.html) and [PublishBatch](https://docs.aws.amazon.com/sns/latest/api/API_PublishBatch.html) API operations on topics. | SNS topic | AWS::SNS::Topic | 
| Amazon SQS | [Amazon SQS API activity](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-logging-using-cloudtrail.html#sqs-data-events-in-cloud-trail) on messages.  | SQS | AWS::SQS::Queue | 
| AWS Supply Chain | AWS Supply Chain API activity on an instance.  | Supply Chain | AWS::SCN::Instance | 
| Amazon SWF | [Amazon SWF API activity](https://docs.aws.amazon.com/amazonswf/latest/developerguide/ct-logging.html#cloudtrail-data-events) on [domains](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-domains.html).  | SWF domain | AWS::SWF::Domain | 
| AWS AppConfig | [AWS AppConfig API activity](https://docs.aws.amazon.com/appconfig/latest/userguide/logging-using-cloudtrail.html#appconfig-data-events-cloudtrail) for configuration operations such as calls to `StartConfigurationSession` and `GetLatestConfiguration`. | AWS AppConfig | AWS::AppConfig::Configuration | 
| AWS AppSync | [AWS AppSync API activity](https://docs.aws.amazon.com/appsync/latest/devguide/cloudtrail-logging.html#cloudtrail-data-events) on AppSync GraphQL APIs. | AppSync GraphQL | AWS::AppSync::GraphQLApi | 
| Amazon Aurora DSQL | Amazon Aurora DSQL API activity on cluster resources.  | Amazon Aurora DSQL | AWS::DSQL::Cluster | 
| AWS B2B Data Interchange | B2B Data Interchange API activity for Transformer operations such as calls to `GetTransformerJob` and `StartTransformerJob`. | B2B Data Interchange | AWS::B2BI::Transformer | 
| AWS Backup | AWS Backup Search Data API activity on search jobs. | AWS Backup Search Data APIs | AWS::Backup::SearchJob | 
| Amazon Bedrock | [Amazon Bedrock API activity](https://docs.aws.amazon.com/bedrock/latest/userguide/logging-using-cloudtrail.html#service-name-data-events-cloudtrail) on an agent alias. | Bedrock agent alias | AWS::Bedrock::AgentAlias | 
| Amazon Bedrock | Amazon Bedrock API activity on async invocations. | Bedrock async invoke | AWS::Bedrock::AsyncInvoke | 
| Amazon Bedrock | Amazon Bedrock API activity on a flow alias. | Bedrock flow alias | AWS::Bedrock::FlowAlias | 
| Amazon Bedrock | Amazon Bedrock API activity on guardrails. | Bedrock guardrail | AWS::Bedrock::Guardrail | 
| Amazon Bedrock | Amazon Bedrock API activity on inline agents. | Bedrock Invoke Inline-Agent | AWS::Bedrock::InlineAgent | 
| Amazon Bedrock | [Amazon Bedrock API activity](https://docs.aws.amazon.com/bedrock/latest/userguide/logging-using-cloudtrail.html#service-name-data-events-cloudtrail) on a knowledge base. | Bedrock knowledge base | AWS::Bedrock::KnowledgeBase | 
| Amazon Bedrock | Amazon Bedrock API activity on models. | Bedrock model | AWS::Bedrock::Model | 
| Amazon Bedrock | Amazon Bedrock API activity on prompts. | Bedrock prompt | AWS::Bedrock::PromptVersion | 
| Amazon Bedrock | Amazon Bedrock API activity on sessions. | Bedrock session | AWS::Bedrock::Session | 
| Amazon Bedrock | Amazon Bedrock API activity on flow executions.  | Bedrock flow execution | AWS::Bedrock::FlowExecution | 
| Amazon Bedrock | Amazon Bedrock API activity on an automated reasoning policy.  | Bedrock automated reasoning policy | AWS::Bedrock::AutomatedReasoningPolicy | 
| Amazon Bedrock | Amazon Bedrock API activity on an automated reasoning policy version.  | Bedrock automated reasoning policy version | AWS::Bedrock::AutomatedReasoningPolicyVersion | 
| Amazon Bedrock | Amazon Bedrock data automation project API activity. | Bedrock Data Automation project | AWS::Bedrock::DataAutomationProject | 
| Amazon Bedrock | Amazon Bedrock data automation invocation API activity. | Bedrock Data Automation invocation | AWS::Bedrock::DataAutomationInvocation | 
| Amazon Bedrock | Amazon Bedrock data automation profile API activity. | Bedrock Data Automation profile | AWS::Bedrock::DataAutomationProfile | 
| Amazon Bedrock | Amazon Bedrock blueprint API activity. | Bedrock blueprint | AWS::Bedrock::Blueprint | 
| Amazon Bedrock | Amazon Bedrock Code-Interpreter API activity. | Bedrock-AgentCore Code-Interpreter | AWS::BedrockAgentCore::CodeInterpreter | 
| Amazon Bedrock | Amazon Bedrock Browser API activity. | Bedrock-AgentCore Browser | AWS::BedrockAgentCore::Browser | 
| Amazon Bedrock | Amazon Bedrock Workload Identity API activity. | Bedrock-AgentCore Workload Identity | AWS::BedrockAgentCore::WorkloadIdentity | 
| Amazon Bedrock | Amazon Bedrock Workload Identity Directory API activity. | Bedrock-AgentCore Workload Identity Directory | AWS::BedrockAgentCore::WorkloadIdentityDirectory | 
| Amazon Bedrock | Amazon Bedrock Token Vault API activity. | Bedrock-AgentCore Token Vault | AWS::BedrockAgentCore::TokenVault | 
| Amazon Bedrock | Amazon Bedrock APIKey CredentialProvider API activity. | Bedrock-AgentCore APIKey CredentialProvider | AWS::BedrockAgentCore::APIKeyCredentialProvider | 
| Amazon Bedrock | Amazon Bedrock Runtime API activity. | Bedrock-AgentCore Runtime | AWS::BedrockAgentCore::Runtime | 
| Amazon Bedrock | Amazon Bedrock Runtime-Endpoint API activity. | Bedrock-AgentCore Runtime-Endpoint | AWS::BedrockAgentCore::RuntimeEndpoint | 
| Amazon Bedrock | Amazon Bedrock Gateway API activity. | Bedrock-AgentCore Gateway | AWS::BedrockAgentCore::Gateway | 
| Amazon Bedrock | Amazon Bedrock Memory API activity. | Bedrock-AgentCore Memory | AWS::BedrockAgentCore::Memory | 
| Amazon Bedrock | Amazon Bedrock Oauth2 CredentialProvider API activity. | Bedrock-AgentCore Oauth2 CredentialProvider | AWS::BedrockAgentCore::OAuth2CredentialProvider | 
| Amazon Bedrock | Amazon Bedrock Browser-Custom API activity. | Bedrock-AgentCore Browser-Custom | AWS::BedrockAgentCore::BrowserCustom | 
| Amazon Bedrock | Amazon Bedrock Code-Interpreter-Custom API activity. | Bedrock-AgentCore Code-Interpreter-Custom | AWS::BedrockAgentCore::CodeInterpreterCustom | 
| Amazon Bedrock | Amazon Bedrock Tool API activity. | Bedrock Tool | AWS::Bedrock::Tool | 
| AWS Cloud Map | [AWS Cloud Map API activity](https://docs.aws.amazon.com/cloud-map/latest/dg/cloudtrail-data-events.html) on a [namespace](https://docs.aws.amazon.com/cloud-map/latest/api/API_Namespace.html). | AWS Cloud Map namespace | AWS::ServiceDiscovery::Namespace | 
| AWS Cloud Map | [AWS Cloud Map API activity](https://docs.aws.amazon.com/cloud-map/latest/dg/cloudtrail-data-events.html) on a [service](https://docs.aws.amazon.com/cloud-map/latest/api/API_Service.html). | AWS Cloud Map service | AWS::ServiceDiscovery::Service | 
| Amazon CloudFront | CloudFront API activity on a [KeyValueStore](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_KeyValueStore.html). | CloudFront KeyValueStore | AWS::CloudFront::KeyValueStore | 
| AWS CloudTrail | CloudTrail [PutAuditEvents](https://docs.aws.amazon.com/awscloudtraildata/latest/APIReference/API_PutAuditEvents.html) activity on a [CloudTrail Lake channel](query-event-data-store-integration.md) that is used to log events from outside AWS. | CloudTrail channel | AWS::CloudTrail::Channel | 
| Amazon CloudWatch | [Amazon CloudWatch API activity](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/logging_cw_api_calls.html#CloudWatch-data-plane-events) on metrics. | CloudWatch metric | AWS::CloudWatch::Metric | 
| Amazon CloudWatch Network Flow Monitor | Amazon CloudWatch Network Flow Monitor API activity on monitors. | Network Flow Monitor monitor | AWS::NetworkFlowMonitor::Monitor | 
| Amazon CloudWatch Network Flow Monitor | Amazon CloudWatch Network Flow Monitor API activity on scopes. | Network Flow Monitor scope | AWS::NetworkFlowMonitor::Scope | 
| Amazon CloudWatch RUM | Amazon CloudWatch RUM API activity on app monitors. | RUM app monitor | AWS::RUM::AppMonitor | 
| Amazon CodeGuru Profiler | CodeGuru Profiler API activity on profiling groups. | CodeGuru Profiler profiling group | AWS::CodeGuruProfiler::ProfilingGroup | 
| Amazon CodeWhisperer | Amazon CodeWhisperer API activity on a customization. | CodeWhisperer customization | AWS::CodeWhisperer::Customization | 
| Amazon CodeWhisperer | Amazon CodeWhisperer API activity on a profile. | CodeWhisperer | AWS::CodeWhisperer::Profile | 
| Amazon Cognito | Amazon Cognito API activity on Amazon Cognito [identity pools](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-info-in-cloudtrail.html#identity-pools-cloudtrail-events). | Cognito Identity Pools | AWS::Cognito::IdentityPool | 
| AWS Data Exchange | AWS Data Exchange API activity on assets. | Data Exchange asset | AWS::DataExchange::Asset | 
| Amazon Data Firehose | Amazon Data Firehose delivery stream API activity. | Amazon Data Firehose | AWS::KinesisFirehose::DeliveryStream | 
| AWS Deadline Cloud | [Deadline Cloud](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on fleets. | Deadline Cloud fleet | AWS::Deadline::Fleet | 
| AWS Deadline Cloud | [Deadline Cloud](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on jobs. | Deadline Cloud job | AWS::Deadline::Job | 
| AWS Deadline Cloud | [Deadline Cloud](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on queues. | Deadline Cloud queue | AWS::Deadline::Queue | 
| AWS Deadline Cloud | [Deadline Cloud](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on workers. | Deadline Cloud worker | AWS::Deadline::Worker | 
| Amazon DynamoDB | [Amazon DynamoDB item-level API activity](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html#ddb-data-plane-events-in-cloudtrail) on tables (for example, `PutItem`, `DeleteItem`, and `UpdateItem` API operations). For tables with streams enabled, the `resources` field in the data event contains both `AWS::DynamoDB::Stream` and `AWS::DynamoDB::Table`. If you specify `AWS::DynamoDB::Table` for the `resources.type`, it will log both DynamoDB table and DynamoDB streams events by default. To exclude [streams events](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html#ddb-data-plane-events-in-cloudtrail), add a filter on the `eventName` field. | DynamoDB | AWS::DynamoDB::Table | 
| Amazon DynamoDB | [Amazon DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html#ddb-data-plane-events-in-cloudtrail) API activity on streams. | DynamoDB Streams | AWS::DynamoDB::Stream | 
| Amazon Elastic Block Store | [Amazon Elastic Block Store (EBS)](https://docs.aws.amazon.com/ebs/latest/userguide/logging-ebs-apis-using-cloudtrail.html) direct APIs, such as `PutSnapshotBlock`, `GetSnapshotBlock`, and `ListChangedBlocks` on Amazon EBS snapshots. | Amazon EBS direct APIs | AWS::EC2::Snapshot | 
| Amazon Elastic Compute Cloud | Amazon EC2 instance connect endpoint API activity. | EC2 instance connect endpoint | AWS::EC2::InstanceConnectEndpoint | 
| Amazon Elastic Container Service | Amazon Elastic Container Service API activity on a container instance. | ECS container instance | AWS::ECS::ContainerInstance | 
| Amazon Elastic Kubernetes Service | Amazon Elastic Kubernetes Service API activity on dashboards.  | Amazon Elastic Kubernetes Service dashboard | AWS::EKS::Dashboard | 
| Amazon EMR | [Amazon EMR API activity](https://docs.aws.amazon.com/emr/latest/ManagementGuide/logging-using-cloudtrail.html#cloudtrail-data-events) on a write-ahead log workspace. | EMR write-ahead log workspace | AWS::EMRWAL::Workspace | 
| AWS End User Messaging SMS | [AWS End User Messaging SMS](https://docs.aws.amazon.com/sms-voice/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on origination identities. | SMS Voice origination identity | AWS::SMSVoice::OriginationIdentity | 
| AWS End User Messaging SMS | [AWS End User Messaging SMS](https://docs.aws.amazon.com/sms-voice/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on messages. | SMS Voice message | AWS::SMSVoice::Message | 
| AWS End User Messaging Social | [AWS End User Messaging Social](https://docs.aws.amazon.com/social-messaging/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on phone number IDs. | Social-Messaging Phone Number Id | AWS::SocialMessaging::PhoneNumberId | 
| AWS End User Messaging Social | AWS End User Messaging Social API activity on Waba IDs. | Social-Messaging Waba ID | AWS::SocialMessaging::WabaId | 
| Amazon FinSpace | [Amazon FinSpace](https://docs.aws.amazon.com/finspace/latest/userguide/logging-cloudtrail-events.html#finspace-dataplane-events) API activity on environments. | FinSpace | AWS::FinSpace::Environment | 
| Amazon GameLift Streams | Amazon GameLift Streams [streaming API activity](https://docs.aws.amazon.com/gameliftstreams/latest/developerguide/logging-using-cloudtrail.html#cloudtrail-data-events) on applications. | GameLift Streams application | AWS::GameLiftStreams::Application | 
| Amazon GameLift Streams | Amazon GameLift Streams [streaming API activity](https://docs.aws.amazon.com/gameliftstreams/latest/developerguide/logging-using-cloudtrail.html#cloudtrail-data-events) on stream groups. | GameLift Streams stream group | AWS::GameLiftStreams::StreamGroup | 
| AWS Glue | AWS Glue API activity on tables that were created by Lake Formation. | Lake Formation | AWS::Glue::Table | 
| Amazon GuardDuty | Amazon GuardDuty API activity for a [detector](https://docs.aws.amazon.com/guardduty/latest/ug/logging-using-cloudtrail.html#guardduty-data-events-in-cloudtrail). | GuardDuty detector | AWS::GuardDuty::Detector | 
| AWS HealthImaging | AWS HealthImaging API activity on data stores. | MedicalImaging data store | AWS::MedicalImaging::Datastore | 
| AWS HealthImaging | AWS HealthImaging image set API activity. | MedicalImaging image set | AWS::MedicalImaging::Imageset | 
| AWS IoT | [AWS IoT API activity](https://docs.aws.amazon.com/greengrass/v2/developerguide/logging-using-cloudtrail.html#greengrass-data-events-cloudtrail) on [certificates](https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html). | IoT certificate | AWS::IoT::Certificate | 
| AWS IoT | [AWS IoT API activity](https://docs.aws.amazon.com/greengrass/v2/developerguide/logging-using-cloudtrail.html#greengrass-data-events-cloudtrail) on [things](https://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html). | IoT thing | AWS::IoT::Thing | 
| AWS IoT Greengrass Version 2 | [Greengrass API activity](https://docs.aws.amazon.com/greengrass/v2/developerguide/logging-using-cloudtrail.html#greengrass-data-events-cloudtrail) from a Greengrass core device on a component version. Greengrass doesn't log access denied events. | IoT Greengrass component version | AWS::GreengrassV2::ComponentVersion | 
| AWS IoT Greengrass Version 2 | [Greengrass API activity](https://docs.aws.amazon.com/greengrass/v2/developerguide/logging-using-cloudtrail.html#greengrass-data-events-cloudtrail) from a Greengrass core device on a deployment. Greengrass doesn't log access denied events. | IoT Greengrass deployment | AWS::GreengrassV2::Deployment | 
| AWS IoT SiteWise | [IoT SiteWise API activity](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/logging-using-cloudtrail.html#service-name-data-events-cloudtrail) on [assets](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateAsset.html). | IoT SiteWise asset | AWS::IoTSiteWise::Asset | 
| AWS IoT SiteWise | [IoT SiteWise API activity](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/logging-using-cloudtrail.html#service-name-data-events-cloudtrail) on [time series](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_DescribeTimeSeries.html). | IoT SiteWise time series | AWS::IoTSiteWise::TimeSeries | 
| AWS IoT SiteWise Assistant | Sitewise Assistant API activity on conversations. | Sitewise Assistant conversation | AWS::SitewiseAssistant::Conversation | 
| AWS IoT TwinMaker | IoT TwinMaker API activity on an [entity](https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateEntity.html). | IoT TwinMaker entity | AWS::IoTTwinMaker::Entity | 
| AWS IoT TwinMaker | IoT TwinMaker API activity on a [workspace](https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateWorkspace.html). | IoT TwinMaker workspace | AWS::IoTTwinMaker::Workspace | 
| Amazon Kendra Intelligent Ranking | Amazon Kendra Intelligent Ranking API activity on [rescore execution plans](https://docs.aws.amazon.com/kendra/latest/dg/cloudtrail-intelligent-ranking.html#cloud-trail-intelligent-ranking-log-entry). | Kendra Ranking | AWS::KendraRanking::ExecutionPlan | 
| Amazon Keyspaces (for Apache Cassandra) | [Amazon Keyspaces API activity](https://docs.aws.amazon.com/keyspaces/latest/devguide/logging-using-cloudtrail.html#keyspaces-in-cloudtrail-dml) on a table. | Cassandra table | AWS::Cassandra::Table | 
| Amazon Keyspaces (for Apache Cassandra) | Amazon Keyspaces (for Apache Cassandra) API activity on Cassandra CDC streams.  | Cassandra CDC streams | AWS::Cassandra::Stream | 
| Amazon Kinesis Data Streams | Kinesis Data Streams API activity on [streams](https://docs.aws.amazon.com/streams/latest/dev/working-with-streams.html). | Kinesis stream | AWS::Kinesis::Stream | 
| Amazon Kinesis Data Streams | Kinesis Data Streams API activity on [stream consumers](https://docs.aws.amazon.com/streams/latest/dev/building-consumers.html). | Kinesis stream consumer | AWS::Kinesis::StreamConsumer | 
| Amazon Kinesis Video Streams | Kinesis Video Streams API activity on video streams, such as calls to GetMedia and PutMedia. | Kinesis video stream | AWS::KinesisVideo::Stream | 
| Amazon Kinesis Video Streams | Kinesis Video Streams video signaling channel API activity. | Kinesis video signaling channel | AWS::KinesisVideo::SignalingChannel | 
| AWS Lambda | AWS Lambda function execution activity (the `Invoke` API). | Lambda | AWS::Lambda::Function | 
| Amazon Location Maps | Amazon Location Maps API activity. | Geo Maps | AWS::GeoMaps::Provider | 
| Amazon Location Places | Amazon Location Places API activity. | Geo Places | AWS::GeoPlaces::Provider | 
| Amazon Location Routes | Amazon Location Routes API activity. | Geo Routes | AWS::GeoRoutes::Provider | 
| Amazon Machine Learning | Machine Learning API activity on ML models. | Machine Learning MlModel | AWS::MachineLearning::MlModel | 
| Amazon Managed Blockchain | Amazon Managed Blockchain API activity on a network. | Managed Blockchain network | AWS::ManagedBlockchain::Network | 
| Amazon Managed Blockchain | [Amazon Managed Blockchain](https://docs.aws.amazon.com/managed-blockchain/latest/ethereum-dev/logging-using-cloudtrail.html#ethereum-jsonrpc-logging) JSON-RPC calls on Ethereum nodes, such as `eth_getBalance` or `eth_getBlockByNumber`. | Managed Blockchain | AWS::ManagedBlockchain::Node | 
| Amazon Managed Blockchain Query | Amazon Managed Blockchain Query API activity. | Managed Blockchain Query | AWS::ManagedBlockchainQuery::QueryAPI | 
| Amazon Managed Workflows for Apache Airflow | Amazon MWAA API activity on environments.  | Managed Apache Airflow | AWS::MWAA::Environment | 
| Amazon Neptune Graph | Data API activities, for example queries, algorithms, or vector search, on a Neptune Graph. | Neptune Graph | AWS::NeptuneGraph::Graph | 
| Amazon One Enterprise | Amazon One Enterprise API activity on a UKey. | Amazon One UKey | AWS::One::UKey | 
| Amazon One Enterprise | Amazon One Enterprise API activity on users. | Amazon One User | AWS::One::User | 
| AWS Payment Cryptography | AWS Payment Cryptography API activity on aliases. | Payment Cryptography Alias | AWS::PaymentCryptography::Alias | 
| AWS Payment Cryptography | AWS Payment Cryptography API activity on keys. | Payment Cryptography Key | AWS::PaymentCryptography::Key | 
| Amazon Pinpoint | Amazon Pinpoint API activity on mobile targeting applications. | Mobile Targeting Application | AWS::Pinpoint::App | 
| AWS Private CA | AWS Private CA Connector for Active Directory API activity. | AWS Private CA Connector for Active Directory | AWS::PCAConnectorAD::Connector | 
| AWS Private CA | AWS Private CA Connector for SCEP API activity. | AWS Private CA Connector for SCEP | AWS::PCAConnectorSCEP::Connector | 
| Amazon Q Apps | Data API activity on [Amazon Q Apps](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/purpose-built-qapps.html). | Amazon Q Apps | AWS::QApps::QApp | 
| Amazon Q Apps | Data API activity on Amazon Q App sessions. | Amazon Q App Session | AWS::QApps::QAppSession | 
| Amazon Q Business | [Amazon Q Business API activity](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/logging-using-cloudtrail.html#service-name-data-plane-events-cloudtrail) on an application. | Amazon Q Business application | AWS::QBusiness::Application | 
| Amazon Q Business | [Amazon Q Business API activity](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/logging-using-cloudtrail.html#service-name-data-plane-events-cloudtrail) on a data source. | Amazon Q Business data source | AWS::QBusiness::DataSource | 
| Amazon Q Business | [Amazon Q Business API activity](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/logging-using-cloudtrail.html#service-name-data-plane-events-cloudtrail) on an index. | Amazon Q Business index | AWS::QBusiness::Index | 
| Amazon Q Business | [Amazon Q Business API activity](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/logging-using-cloudtrail.html#service-name-data-plane-events-cloudtrail) on a web experience. | Amazon Q Business web experience | AWS::QBusiness::WebExperience | 
| Amazon Q Business | Amazon Q Business integration API activity. | Amazon Q Business integration | AWS::QBusiness::Integration | 
| Amazon Q Developer | Amazon Q Developer API activity on an integration. | Q Developer integration | AWS::QDeveloper::Integration | 
| Amazon Q Developer | [Amazon Q Developer API activity](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/logging_cw_api_calls.html#Q-Developer-Investigations-Cloudtrail) on operational investigations. | AIOps Investigation Group | AWS::AIOps::InvestigationGroup | 
| Amazon Quick | Amazon Quick API activity on an action connector. | AWSQuickSuite Actions | AWS::Quicksight::ActionConnector | 
| Amazon Quick | Amazon Quick Flow API activity. | QuickSight flow | AWS::QuickSight::Flow | 
| Amazon Quick | Amazon Quick FlowSession API activity. | QuickSight flow session | AWS::QuickSight::FlowSession | 
| Amazon SageMaker AI | Amazon SageMaker AI [InvokeEndpointWithResponseStream](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_runtime_InvokeEndpointWithResponseStream.html) activity on endpoints. | SageMaker AI endpoint | AWS::SageMaker::Endpoint | 
| Amazon SageMaker AI | Amazon SageMaker AI API activity on feature stores. | SageMaker AI feature store | AWS::SageMaker::FeatureGroup | 
| Amazon SageMaker AI | Amazon SageMaker AI API activity on [experiment trial components](https://docs.aws.amazon.com/sagemaker/latest/dg/experiments-monitoring.html). | SageMaker AI metrics experiment trial component | AWS::SageMaker::ExperimentTrialComponent | 
| Amazon SageMaker AI | Amazon SageMaker AI MLflow API activity. | SageMaker MLflow | AWS::SageMaker::MlflowTrackingServer | 
| AWS Signer | Signer API activity on signing jobs. | Signer signing job | AWS::Signer::SigningJob | 
| AWS Signer | Signer API activity on signing profiles. | Signer signing profile | AWS::Signer::SigningProfile | 
| Amazon Simple Email Service | Amazon Simple Email Service (Amazon SES) API activity on configuration sets. | SES configuration set | AWS::SES::ConfigurationSet | 
| Amazon Simple Email Service | Amazon Simple Email Service (Amazon SES) API activity on email identities. | SES identity | AWS::SES::EmailIdentity | 
| Amazon Simple Email Service | Amazon Simple Email Service (Amazon SES) API activity on templates. | SES template | AWS::SES::Template | 
| Amazon SimpleDB | Amazon SimpleDB API activity on domains. | SimpleDB domain | AWS::SDB::Domain | 
| AWS Step Functions | [Step Functions API activity](https://docs.aws.amazon.com/step-functions/latest/dg/procedure-cloud-trail.html#cloudtrail-data-events) on activities.  | Step Functions | AWS::StepFunctions::Activity | 
| AWS Step Functions | [Step Functions API activity](https://docs.aws.amazon.com/step-functions/latest/dg/procedure-cloud-trail.html#cloudtrail-data-events) on state machines.  | Step Functions state machine | AWS::StepFunctions::StateMachine | 
| AWS Systems Manager | [Systems Manager API activity](https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-cloudtrail-logs.html#cloudtrail-data-events) on control channels. | Systems Manager | AWS::SSMMessages::ControlChannel | 
| AWS Systems Manager | Systems Manager API activity on impact assessments. | SSM Impact Assessment  | AWS::SSM::ExecutionPreview | 
| AWS Systems Manager | [Systems Manager API activity](https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-cloudtrail-logs.html#cloudtrail-data-events) on managed nodes. | Systems Manager managed node | AWS::SSM::ManagedNode | 
| Amazon Timestream | Amazon Timestream [Query](https://docs.aws.amazon.com/timestream/latest/developerguide/API_query_Query.html) API activity on databases. | Timestream database | AWS::Timestream::Database | 
| Amazon Timestream | Amazon Timestream API activity on regional endpoints. | Timestream regional endpoint | AWS::Timestream::RegionalEndpoint | 
| Amazon Timestream | Amazon Timestream [Query](https://docs.aws.amazon.com/timestream/latest/developerguide/API_query_Query.html) API activity on tables. | Timestream table | AWS::Timestream::Table | 
| Amazon Verified Permissions | Amazon Verified Permissions API activity on a policy store. | Amazon Verified Permissions | AWS::VerifiedPermissions::PolicyStore | 
| Amazon WorkSpaces Thin Client | WorkSpaces Thin Client API activity on a Device. | Thin Client Device | AWS::ThinClient::Device | 
| Amazon WorkSpaces Thin Client | WorkSpaces Thin Client API activity on an Environment. | Thin Client Environment | AWS::ThinClient::Environment | 
| AWS X-Ray | [X-Ray API activity](https://docs.aws.amazon.com/xray/latest/devguide/xray-api-cloudtrail.html#cloudtrail-data-events) on [traces](https://docs.aws.amazon.com/xray/latest/devguide/xray-concepts.html#xray-concepts-traces). | X-Ray trace | AWS::XRay::Trace | 
| Amazon AIDevOps | AIDevOps API activity on agent spaces. | Agent Space | AWS::AIDevOps::AgentSpace | 
| Amazon AIDevOps | AIDevOps API activity on associations. | AIDevOps association | AWS::AIDevOps::Association | 
| Amazon AIDevOps | AIDevOps API activity on operator app teams. | AIDevOps operator app team | AWS::AIDevOps::OperatorAppTeam | 
| Amazon AIDevOps | AIDevOps API activity on pipeline metadata. | AIDevOps Pipelines Metadata | AWS::AIDevOps::PipelineMetadata | 
| Amazon AIDevOps | AIDevOps API activity on services. | AIDevOps service | AWS::AIDevOps::Service | 
| Amazon Bedrock | Bedrock API activity on advanced optimize prompt jobs. | AdvancedOptimizePromptJob | AWS::Bedrock::AdvancedOptimizePromptJob | 
| Amazon Bedrock AgentCore | Bedrock AgentCore API activity on evaluators. | Bedrock-AgentCore Evaluator | AWS::BedrockAgentCore::Evaluator | 
| Amazon Cost Optimization | CloudOptimization API activity on profiles. | CloudOptimization Profile | AWS::CloudOptimization::Profile | 
| Amazon Cost Optimization | CloudOptimization API activity on recommendations. | CloudOptimization Recommendation | AWS::CloudOptimization::Recommendation | 
| Amazon GuardDuty | GuardDuty API activity on malware scans. | GuardDuty malware scan | AWS::GuardDuty::MalwareScan | 
| Amazon NovaAct | Amazon NovaAct API activity on workflow definitions. | Workflow definition | AWS::NovaAct::WorkflowDefinition | 
| Amazon NovaAct | Amazon NovaAct API activity on workflow runs. | Workflow run | AWS::NovaAct::WorkflowRun | 
| Amazon Redshift | Redshift API activity on clusters. | Amazon Redshift Cluster | AWS::Redshift::Cluster | 
| Amazon Support | SupportAccess API activity on tenants. | SupportAccess tenant | AWS::SupportAccess::Tenant | 
| Amazon Support | SupportAccess API activity on trusting accounts. | SupportAccess trusting account | AWS::SupportAccess::TrustingAccount | 
| Amazon Support | SupportAccess API activity on trusting roles. | SupportAccess trusting role | AWS::SupportAccess::TrustingRole | 
| Amazon Transform | Transform API activity on agent instances. | Transform agent instance | AWS::Transform::AgentInstance | 
| Amazon Transform Custom | Transform Custom API activity on campaigns. | Transform-Custom campaign | AWS::TransformCustom::Campaign | 
| Amazon Transform Custom | Transform Custom API activity on conversations. | Transform-Custom conversation | AWS::TransformCustom::Conversation | 
| Amazon Transform Custom | Transform Custom API activity on knowledge items. | Transform-Custom knowledge item | AWS::TransformCustom::KnowledgeItem | 
| Amazon Transform Custom | Transform Custom API activity on packages. | Transform-Custom package | AWS::TransformCustom::Package | 

Data events are not logged by default when you create a trail or event data store. To record CloudTrail data events, you must explicitly add the supported resources or resource types for which you want to collect activity. For more information, see [Creating a trail with the CloudTrail console](cloudtrail-create-a-trail-using-the-console-first-time.md) and [Create an event data store for CloudTrail events with the console](query-event-data-store-cloudtrail.md).

Additional charges apply for logging data events. For CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

The following example shows a single log record of a data event for the Amazon SNS `Publish` action.

```
{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Bob",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AKIAIOSFODNN7EXAMPLE",
                "arn": "arn:aws:iam::123456789012:role/Admin",
                "accountId": "123456789012",
                "userName": "ExampleUser"
            },
            "attributes": {
                "creationDate": "2023-08-21T16:44:05Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-08-21T16:48:37Z",
    "eventSource": "sns.amazonaws.com",
    "eventName": "Publish",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/1.29.16 md/Botocore#1.31.16 ua/2.0 os/linux#5.4.250-173.369.amzn2int.x86_64 md/arch#x86_64 lang/python#3.8.17 md/pyimpl#CPython cfg/retry-mode#legacy botocore/1.31.16",
    "requestParameters": {
        "topicArn": "arn:aws:sns:us-east-1:123456789012:ExampleSNSTopic",
        "message": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "subject": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "messageStructure": "json",
        "messageAttributes": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "responseElements": {
        "messageId": "0787cd1e-d92b-521c-a8b4-90434e8ef840"
    },
    "requestID": "0a8ab208-11bf-5e01-bd2d-ef55861b545d",
    "eventID": "bb3496d4-5252-4660-9c28-3c6aebdb21c0",
    "readOnly": false,
    "resources": [{
        "accountId": "123456789012",
        "type": "AWS::SNS::Topic",
        "ARN": "arn:aws:sns:us-east-1:123456789012:ExampleSNSTopic"
    }],
    "eventType": "AwsApiCall",
    "managementEvent": false,
    "recipientAccountId": "123456789012",
    "eventCategory": "Data",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "sns.us-east-1.amazonaws.com"
    }
}
```

The next example shows a single log record of a data event for the Amazon Cognito `GetCredentialsForIdentity` action.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown"
    },
    "eventTime": "2023-01-19T16:55:08Z",
    "eventSource": "cognito-identity.amazonaws.com",
    "eventName": "GetCredentialsForIdentity",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.4",
    "userAgent": "aws-cli/2.7.25 Python/3.9.11 Darwin/21.6.0 exe/x86_64 prompt/off command/cognito-identity.get-credentials-for-identity",
    "requestParameters": {
        "logins": {
            "cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa": "HIDDEN_DUE_TO_SECURITY_REASONS"
        },
        "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE"
    },
    "responseElements": {
        "credentials": {
            "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
            "sessionToken": "aAaAaAaAaAaAab1111111111EXAMPLE",
            "expiration": "Jan 19, 2023 5:55:08 PM"
        },
        "identityId": "us-east-1:1cf667a2-49a6-454b-9e45-23199EXAMPLE"
    },
    "requestID": "659dfc23-7c4e-4e7c-858a-1abce884d645",
    "eventID": "6ad1c766-5a41-4b28-b5ca-e223ccb00f0d",
    "readOnly": false,
    "resources": [{
        "accountId": "111122223333",
        "type": "AWS::Cognito::IdentityPool",
        "ARN": "arn:aws:cognito-identity:us-east-1:111122223333:identitypool/us-east-1:2dg778b3-50b7-565c-0f56-34200EXAMPLE"
    }],
    "eventType": "AwsApiCall",
    "managementEvent": false,
    "recipientAccountId": "111122223333",
    "eventCategory": "Data"
}
```

## Network activity events
<a name="cloudtrail-network-events"></a>

CloudTrail network activity events enable VPC endpoint owners to record AWS API calls made using their VPC endpoints from a private VPC to the AWS service. Network activity events provide visibility into the resource operations performed within a VPC.

You can log network activity events for the following services:
+ AWS AppConfig
+ AWS App Mesh
+ Amazon Athena
+ AWS B2B Data Interchange
+ AWS Backup gateway
+ Amazon Bedrock
+ Billing and Cost Management
+ AWS Pricing Calculator
+ AWS Cost Explorer
+ AWS Cloud Control API
+ AWS CloudHSM
+ AWS Cloud Map
+ AWS CloudFormation
+ AWS CloudTrail
+ Amazon CloudWatch
+ CloudWatch Application Signals
+ AWS CodeDeploy
+ Amazon Comprehend Medical
+ AWS Config
+ AWS Data Exports
+ Amazon Data Firehose
+ AWS Directory Service
+ Amazon DynamoDB
+ Amazon EC2
+ Amazon Elastic Container Service
+ Amazon Elastic File System
+ Elastic Load Balancing
+ Amazon EventBridge
+ Amazon EventBridge Scheduler
+ Amazon Fraud Detector
+ AWS Free Tier
+ Amazon FSx
+ AWS Glue
+ AWS HealthLake
+ AWS IoT FleetWise
+ AWS IoT Secure Tunneling
+ AWS Invoicing
+ Amazon Keyspaces (for Apache Cassandra)
+ AWS KMS
+ AWS Lake Formation
+ AWS Lambda
+ AWS License Manager
+ Amazon Lookout for Equipment
+ Amazon Lookout for Vision
+ Amazon Personalize
+ Amazon Q Business
+ Amazon Rekognition
+ Amazon Relational Database Service
+ Amazon S3
  **Note**  
  Amazon S3 [Multi-Region Access Points](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRequests.html) are not supported.
+ Amazon SageMaker AI
+ AWS Secrets Manager
+ Amazon Simple Notification Service
+ Amazon Simple Queue Service
+ Amazon Simple Workflow Service
+ AWS Storage Gateway
+ AWS Systems Manager Incident Manager
+ Amazon Textract
+ Amazon Transcribe
+ Amazon Translate
+ AWS Transform
+ Amazon Verified Permissions
+ Amazon WorkMail

Network activity events are not logged by default when you create a trail or event data store. To record CloudTrail network activity events, you must explicitly set the event source for which you want to collect activity. For more information, see [Logging network activity events](logging-network-events-with-cloudtrail.md).

Additional charges apply for logging network activity events. For CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

The following example shows a successful AWS KMS `ListKeys` event that traversed a VPC endpoint. The `vpcEndpointId` field shows the ID of the VPC endpoint. The `vpcEndpointAccountId` field shows the account ID of the VPC endpoint owner. In this example, the request was made by the VPC endpoint owner.

```
{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "ASIAIOSFODNN7EXAMPLE:role-name",
        "arn": "arn:aws:sts::123456789012:assumed-role/Admin/role-name",
        "accountId": "123456789012",
        "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "ASIAIOSFODNN7EXAMPLE",
                "arn": "arn:aws:iam::123456789012:role/Admin",
                "accountId": "123456789012",
                "userName": "Admin"
            },
            "attributes": {
                "creationDate": "2024-06-04T23:10:46Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2024-06-04T23:12:50Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ListKeys",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "requestID": "16bcc089-ac49-43f1-9177-EXAMPLE23731",
    "eventID": "228ca3c8-5f95-4a8a-9732-EXAMPLE60ed9",
    "eventType": "AwsVpceEvent",
    "recipientAccountId": "123456789012",
    "sharedEventID": "a1f3720c-ef19-47e9-a5d5-EXAMPLE8099f",
    "vpcEndpointId": "vpce-EXAMPLE08c1b6b9b7",
    "vpcEndpointAccountId": "123456789012",
    "eventCategory": "NetworkActivity"
}
```
<a name="network-event-example"></a>

The next example shows an unsuccessful AWS KMS `ListKeys` event with a VPC endpoint policy violation. Because a VPC policy violation occurred, both the `errorCode` and `errorMessage` fields are present. The account ID in the `recipientAccountId` and `vpcEndpointAccountId` fields is the same, which indicates the event was sent to the VPC endpoint owner. The `accountId` in the `userIdentity` element is not the `vpcEndpointAccountId`, which indicates that the user making the request is not the VPC endpoint owner.

```
{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "AWSAccount",
        "principalId": "AKIAIOSFODNN7EXAMPLE",
        "accountId": "777788889999"
    },
    "eventTime": "2024-07-15T23:57:12Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ListKeys",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "errorCode": "VpceAccessDenied",
    "errorMessage": "The request was denied due to a VPC endpoint policy",
    "requestID": "899003b8-abc4-42bb-ad95-EXAMPLE0c374",
    "eventID": "7c6e3d04-0c3b-42f2-8589-EXAMPLE826c0",
    "eventType": "AwsVpceEvent",
    "recipientAccountId": "123456789012",
    "sharedEventID": "702f74c4-f692-4bfd-8491-EXAMPLEb1ac4",
    "vpcEndpointId": "vpce-EXAMPLE08c1b6b9b7",
    "vpcEndpointAccountId": "123456789012",
    "eventCategory": "NetworkActivity"
}
```
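The two records above differ in exactly the fields a VPC endpoint owner needs to read: `vpcEndpointAccountId` against `userIdentity.accountId` tells you whether the caller owns the endpoint, and `errorCode` `VpceAccessDenied` tells you the endpoint policy blocked the call. The following Python is an added example, not code from the CloudTrail documentation; it triages a `Records` array on those fields. The sample log is constructed from the two KMS `ListKeys` examples (trimmed to the fields used) plus one management event to show that non-network-activity records are skipped.

```python
"""Triage CloudTrail network activity events (eventCategory "NetworkActivity")."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample log modelled on the page's two KMS ListKeys examples.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.09",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admin/role-name",
                         "accountId": "123456789012"},
        "eventTime": "2024-06-04T23:12:50Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "ListKeys",
        "eventType": "AwsVpceEvent",
        "recipientAccountId": "123456789012",
        "vpcEndpointId": "vpce-EXAMPLE08c1b6b9b7",
        "vpcEndpointAccountId": "123456789012",
        "eventCategory": "NetworkActivity",
    },
    {
        "eventVersion": "1.09",
        "userIdentity": {"type": "AWSAccount", "accountId": "777788889999"},
        "eventTime": "2024-07-15T23:57:12Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "ListKeys",
        "errorCode": "VpceAccessDenied",
        "errorMessage": "The request was denied due to a VPC endpoint policy",
        "eventType": "AwsVpceEvent",
        "recipientAccountId": "123456789012",
        "vpcEndpointId": "vpce-EXAMPLE08c1b6b9b7",
        "vpcEndpointAccountId": "123456789012",
        "eventCategory": "NetworkActivity",
    },
    # A management event in the same batch, to show it is skipped.
    {"eventCategory": "Management", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "recipientAccountId": "123456789012"},
]})


@dataclass
class Finding:
    vpc_endpoint_id: str
    event_source: str
    event_name: str
    caller_account: str
    cross_account: bool        # caller's account is not the endpoint owner
    denied_by_policy: bool     # errorCode VpceAccessDenied is present
    delivered_to_owner: bool   # recipientAccountId equals vpcEndpointAccountId


def triage_network_event(record: dict) -> Optional[Finding]:
    """Interpret one record; returns None for anything that is not a network activity event."""
    if record.get("eventCategory") != "NetworkActivity":
        return None
    owner = record["vpcEndpointAccountId"]
    # userIdentity may carry no accountId for some identity types; treat that as unknown.
    caller = record.get("userIdentity", {}).get("accountId", "unknown")
    return Finding(
        vpc_endpoint_id=record["vpcEndpointId"],
        event_source=record["eventSource"],
        event_name=record["eventName"],
        caller_account=caller,
        cross_account=(caller != owner),
        denied_by_policy=(record.get("errorCode") == "VpceAccessDenied"),
        delivered_to_owner=(record["recipientAccountId"] == owner),
    )


def triage_log(log_text: str) -> list:
    """Parse a CloudTrail log file (a Records array) and triage every record in it."""
    records = json.loads(log_text)["Records"]
    return [f for f in map(triage_network_event, records) if f is not None]


def summarize(findings) -> dict:
    """Per-endpoint counts worth charting: total calls, cross-account callers, policy denials."""
    out = {}
    for f in findings:
        s = out.setdefault(f.vpc_endpoint_id, {"total": 0, "cross_account": 0, "denied": 0})
        s["total"] += 1
        s["cross_account"] += int(f.cross_account)
        s["denied"] += int(f.denied_by_policy)
    return out


if __name__ == "__main__":
    findings = triage_log(SAMPLE_LOG)
    for f in findings:
        print(f)
    print(summarize(findings))
```

A steady stream of `denied_by_policy` findings from a `cross_account` caller is the signal the endpoint owner would alert on; the same function runs unchanged over a real log file's `Records` array.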

## Insights events
<a name="cloudtrail-insights-events"></a>

CloudTrail Insights events capture unusual API call rate or error rate activity in your AWS account by analyzing CloudTrail management activity. Insights events provide relevant information, such as the associated API, error code, incident time, and statistics, that help you understand and act on unusual activity. Unlike other types of events captured in a CloudTrail trail or event data store, Insights events are logged only when CloudTrail detects changes in your account's API usage or error rate logging that differ significantly from the account's typical usage patterns. For more information, see [Working with CloudTrail Insights](logging-insights-events-with-cloudtrail.md).

Examples of activity that might generate Insights events include:
+ Your account typically logs no more than 20 Amazon S3 `deleteBucket` API calls per minute, but your account starts to log an average of 100 `deleteBucket` API calls per minute. An Insights event is logged at the start of the unusual activity, and another Insights event is logged to mark the end of the unusual activity.
+ Your account typically logs 20 calls per minute to the Amazon EC2 `AuthorizeSecurityGroupIngress` API, but your account starts to log zero calls to `AuthorizeSecurityGroupIngress`. An Insights event is logged at the start of the unusual activity, and ten minutes later, when the unusual activity ends, another Insights event is logged to mark the end of the unusual activity.
+ Your account typically logs less than one `AccessDeniedException` error in a seven-day period on the AWS Identity and Access Management API, `DeleteInstanceProfile`. Your account starts to log an average of 12 `AccessDeniedException` errors per minute on the `DeleteInstanceProfile` API call. An Insights event is logged at the start of the unusual error rate activity, and another Insights event is logged to mark the end of the unusual activity.

These examples are provided for illustration purposes only. Your results may vary depending on your use case.

To log CloudTrail Insights events, you must explicitly enable Insights events on a new or existing trail or event data store. For more information about creating a trail, see [Creating a trail with the CloudTrail console](cloudtrail-create-a-trail-using-the-console-first-time.md). For more information about creating an event data store, see [Create an event data store for Insights events with the console](query-event-data-store-insights.md).

Additional charges apply for Insights events. You will be charged separately if you enable Insights for both trails and event data stores. For more information, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

There are two events logged to show unusual activity in CloudTrail Insights: a start event and an end event. The following example shows a single log record of a starting Insights event that occurred when the Application Auto Scaling API `CompleteLifecycleAction` was called an unusual number of times. For Insights events, the value of `eventCategory` is `Insight`. An `insightDetails` block identifies the event state, source, name, Insights type, and context, including statistics and attributions. For more information about the `insightDetails` block, see [CloudTrail record contents for Insights events for trails](cloudtrail-insights-fields-trails.md).

```
{
    "eventVersion": "1.08",
    "eventTime": "2023-07-10T01:42:00Z",
    "awsRegion": "us-east-1",
    "eventID": "55ed45c5-0b0c-4228-9fe5-EXAMPLEc3f4d",
    "eventType": "AwsCloudTrailInsight",
    "recipientAccountId": "123456789012",
    "sharedEventID": "979c82fe-14d4-4e4c-aa01-EXAMPLE3acee",
    "insightDetails": {
        "state": "Start",
        "eventSource": "autoscaling.amazonaws.com",
        "eventName": "CompleteLifecycleAction",
        "insightType": "ApiCallRateInsight",
        "insightContext": {
            "statistics": {
                "baseline": {
                    "average": 9.82222E-5
                },
                "insight": {
                    "average": 5.0
                },
                "insightDuration": 1,
                "baselineDuration": 10181
            },
            "attributions": [{
                "attribute": "userIdentityArn",
                "insight": [{
                    "value": "arn:aws:sts::123456789012:assumed-role/CodeDeployRole1",
                    "average": 5.0
                }, {
                    "value": "arn:aws:sts::123456789012:assumed-role/CodeDeployRole2",
                    "average": 5.0
                }, {
                    "value": "arn:aws:sts::123456789012:assumed-role/CodeDeployRole3",
                    "average": 5.0
                }],
                "baseline": [{
                    "value": "arn:aws:sts::123456789012:assumed-role/CodeDeployRole1",
                    "average": 9.82222E-5
                }]
            }, {
                "attribute": "userAgent",
                "insight": [{
                    "value": "codedeploy.amazonaws.com",
                    "average": 5.0
                }],
                "baseline": [{
                    "value": "codedeploy.amazonaws.com",
                    "average": 9.82222E-5
                }]
            }, {
                "attribute": "errorCode",
                "insight": [{
                    "value": "null",
                    "average": 5.0
                }],
                "baseline": [{
                    "value": "null",
                    "average": 9.82222E-5
                }]
            }]
        }
    },
    "eventCategory": "Insight"
}
```
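The `insightDetails` block above carries the numbers an analyst reads first: how far the insight average departed from the baseline average, over what durations, and which attribution values (here two assumed roles) appear in the insight period but not in the baseline. The following Python is an added example, not code from the CloudTrail documentation; it flattens an Insights record into that summary. The sample log is constructed from the `CompleteLifecycleAction` record above.

```python
"""Summarize CloudTrail Insights records (eventCategory "Insight")."""
import json

ROLE = "arn:aws:sts::123456789012:assumed-role/CodeDeployRole%d"

# Constructed from the page's Insights example, wrapped in a Records array as in a log file.
SAMPLE_INSIGHT_LOG = json.dumps({"Records": [{
    "eventVersion": "1.08",
    "eventTime": "2023-07-10T01:42:00Z",
    "awsRegion": "us-east-1",
    "eventType": "AwsCloudTrailInsight",
    "recipientAccountId": "123456789012",
    "insightDetails": {
        "state": "Start",
        "eventSource": "autoscaling.amazonaws.com",
        "eventName": "CompleteLifecycleAction",
        "insightType": "ApiCallRateInsight",
        "insightContext": {
            "statistics": {
                "baseline": {"average": 9.82222E-5},
                "insight": {"average": 5.0},
                "insightDuration": 1,
                "baselineDuration": 10181,
            },
            "attributions": [
                {"attribute": "userIdentityArn",
                 "insight": [{"value": ROLE % 1, "average": 5.0},
                             {"value": ROLE % 2, "average": 5.0},
                             {"value": ROLE % 3, "average": 5.0}],
                 "baseline": [{"value": ROLE % 1, "average": 9.82222E-5}]},
                {"attribute": "userAgent",
                 "insight": [{"value": "codedeploy.amazonaws.com", "average": 5.0}],
                 "baseline": [{"value": "codedeploy.amazonaws.com", "average": 9.82222E-5}]},
                {"attribute": "errorCode",
                 "insight": [{"value": "null", "average": 5.0}],
                 "baseline": [{"value": "null", "average": 9.82222E-5}]},
            ],
        },
    },
    "eventCategory": "Insight",
}]})


def summarize_insight(record: dict) -> dict:
    """Flatten one Insights record into the figures an analyst looks at first."""
    if record.get("eventCategory") != "Insight":
        raise ValueError("not an Insights event")
    details = record["insightDetails"]
    context = details["insightContext"]
    stats = context["statistics"]
    baseline = stats["baseline"]["average"]
    insight = stats["insight"]["average"]
    # A baseline average of zero (activity never seen before) would divide by zero;
    # report that as an infinite increase rather than failing.
    ratio = insight / baseline if baseline else float("inf")

    # Attribution values present during the insight period but absent from the baseline
    # (new principals, user agents or error codes) are the first thing to look at.
    new_values = {}
    for attr in context.get("attributions", []):
        seen = {item["value"] for item in attr.get("baseline", [])}
        fresh = [item["value"] for item in attr.get("insight", []) if item["value"] not in seen]
        if fresh:
            new_values[attr["attribute"]] = fresh

    return {
        "state": details["state"],                    # "Start" or "End"
        "api": f'{details["eventSource"]}:{details["eventName"]}',
        "insight_type": details["insightType"],
        "baseline_average": baseline,
        "insight_average": insight,
        "rate_ratio": ratio,                          # insight average / baseline average
        "baseline_duration": stats["baselineDuration"],  # durations as CloudTrail reports them
        "insight_duration": stats["insightDuration"],
        "new_attribution_values": new_values,
    }


def summarize_insight_log(log_text: str) -> list:
    """Summarize every Insights record in a CloudTrail log file's Records array."""
    records = json.loads(log_text)["Records"]
    return [summarize_insight(r) for r in records if r.get("eventCategory") == "Insight"]


if __name__ == "__main__":
    for summary in summarize_insight_log(SAMPLE_INSIGHT_LOG):
        print(json.dumps(summary, indent=2))
```

For the record above the insight average is roughly 50,000 times the baseline, and `CodeDeployRole2` and `CodeDeployRole3` are flagged as identities that did not call the API during the baseline period.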

# Logging management events
<a name="logging-management-events-with-cloudtrail"></a>

By default, trails and event data stores log management events and don't include data or Insights events.

Additional charges apply for data or Insights events. For more information, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

**Contents**
+ [Management events](#logging-management-events)
+ [Read and write events](#read-write-events-mgmt)
+ [Logging management events with the AWS Management Console](#logging-management-events-with-the-cloudtrail-console)
  + [Updating the management event settings for an existing trail](#logging-management-events-with-the-cloudtrail-console-trail)
  + [Updating the management event settings for an existing event data store](#logging-management-events-with-the-cloudtrail-console-eds)
+ [Logging management events with the AWS CLI](#creating-mgmt-event-selectors-with-the-AWS-CLI)
  + [Examples: Logging management events for trails](#log-mgmt-events-trails-examples)
    + [Examples: Logging management events for trails using advanced event selectors](#log-mgmt-events-trails-examples-adv)
    + [Examples: Logging management events for trails using basic event selectors](#log-mgmt-events-trails-examples-basic)
  + [Examples: Logging management events for event data stores](#log-mgmt-events-eds-examples)
    + [Example: Exclude AWS KMS management events](#log-mgmt-events-eds-examples-kms)
    + [Example: Exclude Amazon RDS management events](#log-mgmt-events-eds-examples-rds)
    + [Example: Exclude AWS service events and events from AWS Management Console sessions](#log-mgmt-events-eds-examples-service)
    + [Example: Exclude management events for a specific IAM identity](#log-mgmt-events-eds-examples-useridentity)
+ [Logging management events with the AWS SDKs](#logging-management-events-with-the-AWS-SDKs)

## Management events
<a name="logging-management-events"></a>

Management events provide visibility into management operations that are performed on resources in your AWS account. These are also known as control plane operations. Example management events include:
+ Configuring security (for example, IAM `AttachRolePolicy` API operations)
+ Registering devices (for example, Amazon EC2 `CreateDefaultVpc` API operations)
+ Configuring rules for routing data (for example, Amazon EC2 `CreateSubnet` API operations)
+ Setting up logging (for example, AWS CloudTrail `CreateTrail` API operations)

Management events can also include non-API events that occur in your account. For example, when a user logs in to your account, CloudTrail logs the `ConsoleLogin` event. For more information, see [Non-API events captured by CloudTrail](cloudtrail-non-api-events.md).

By default, trails and event data stores are configured to log management events.

**Note**  
The CloudTrail **Event history** feature supports only management events. You cannot exclude AWS KMS or Amazon RDS Data API events from **Event history**; settings that you apply to a trail or event data store do not apply to **Event history**. For more information, see [Working with CloudTrail event history](view-cloudtrail-events.md). 

## Read and write events
<a name="read-write-events-mgmt"></a>

When you configure your trail or event data store to log management events, you can specify whether you want read-only events, write-only events, or both.
+ **Read**

  Read-only events include API operations that read your resources, but don't make changes. For example, read-only events include the Amazon EC2 `DescribeSecurityGroups` and `DescribeSubnets` API operations. These operations return only information about your Amazon EC2 resources and don't change your configurations.
+ **Write**

  Write-only events include API operations that modify (or might modify) your resources. For example, the Amazon EC2 `RunInstances` and `TerminateInstances` API operations modify your instances.

**Example: Logging read and write events for separate trails**

The following example shows how you can configure trails to split log activity for an account into separate S3 buckets: one bucket receives read-only events and a second bucket receives write-only events.

1. You create a trail and choose an S3 bucket named `amzn-s3-demo-bucket1` to receive log files. You then update the trail to specify that you want **Read** management events.

1. You create a second trail and choose an S3 bucket named `amzn-s3-demo-bucket2` to receive log files. You then update the trail to specify that you want **Write** management events.

1. The Amazon EC2 `DescribeInstances` and `TerminateInstances` API operations occur in your account.

1. The `DescribeInstances` API operation is a read-only event and it matches the settings for the first trail. The trail logs and delivers the event to `amzn-s3-demo-bucket1`.

1. The `TerminateInstances` API operation is a write-only event and it matches the settings for the second trail. The trail logs and delivers the event to `amzn-s3-demo-bucket2`.

## Logging management events with the AWS Management Console
<a name="logging-management-events-with-the-cloudtrail-console"></a>

This section describes how to update the management event settings for an existing trail or event data store.

**Topics**
+ [Updating the management event settings for an existing trail](#logging-management-events-with-the-cloudtrail-console-trail)
+ [Updating the management event settings for an existing event data store](#logging-management-events-with-the-cloudtrail-console-eds)

### Updating the management event settings for an existing trail
<a name="logging-management-events-with-the-cloudtrail-console-trail"></a>

Use the following procedure to update the management event settings for an existing trail.

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. Open the **Trails** page of the CloudTrail console and choose the trail name.

1. For **Management events**, choose **Edit**.
   + Choose if you want to log **Read** events, **Write** events, or both.
   + Choose **Exclude AWS KMS events** to filter AWS Key Management Service (AWS KMS) events out of your trail. The default setting is to include all AWS KMS events.

     The option to log or exclude AWS KMS events is available only if you log management events on your trail. If you choose not to log management events, AWS KMS events are not logged, and you cannot change AWS KMS event logging settings.

     AWS KMS actions such as `Encrypt`, `Decrypt`, and `GenerateDataKey` typically generate a large volume (more than 99%) of events. These actions are logged as **Read** events. Low-volume, security-relevant AWS KMS actions such as `DisableKey`, `DeleteAlias`, and `ScheduleKeyDeletion` (which typically account for less than 0.5% of AWS KMS event volume) are logged as **Write** events.

     To exclude high-volume events like `Encrypt`, `Decrypt`, and `GenerateDataKey`, but still log relevant events such as `DisableKey`, `DeleteAlias`, and `ScheduleKeyDeletion`, choose to log **Write** management events, and clear the check box for **Exclude AWS KMS events**.
   + Choose **Exclude Amazon RDS Data API events** to filter Amazon Relational Database Service Data API events out of your trail. The default setting is to include all Amazon RDS Data API events. For more information about Amazon RDS Data API events, see [Logging Data API calls with AWS CloudTrail](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/logging-using-cloudtrail-data-api.html) in the *Amazon RDS User Guide for Aurora*.

1. Choose **Save changes** when you are finished.

### Updating the management event settings for an existing event data store
<a name="logging-management-events-with-the-cloudtrail-console-eds"></a>

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. Open the **Event data stores** page of the CloudTrail console and choose the event data store name.

1. For **Management events**, choose **Edit** and then configure the following settings:

   1. Choose between **Simple event collection** or **Advanced event collection**:
      + Choose **Simple event collection** if you want to log all events, log only read events, or log only write events. You can choose also to exclude AWS Key Management Service and Amazon RDS Data API management events.
      + Choose **Advanced event collection** if you want to include or exclude management events based on the values of advanced event selector fields, including the `eventName`, `eventType`, `eventSource`, and `userIdentity.arn` fields.

   1. If you selected **Simple event collection**, choose whether you want to log all events, log only read events, or log only write events. You can also choose to exclude AWS KMS and Amazon RDS management events.

   1. If you selected **Advanced event collection**, make the following selections:

      1. In **Log selector template**, choose a predefined template, or **Custom** to build a custom configuration based on advanced event selector field values.

         You can choose from the following predefined templates:
         + **Log all events** – Choose this template to log all events.
         + **Log only read events** – Choose this template to log only read events. Read-only events are events that do not change the state of a resource, such as `Get*` or `Describe*` events.
         + **Log only write events** – Choose this template to log only write events. Write events add, change, or delete resources, attributes, or artifacts, such as `Put*`, `Delete*`, or `Write*` events.
         + **Log only AWS Management Console events** – Choose this template to log only events originating from the AWS Management Console.
         + **Exclude AWS service initiated events** – Choose this template to exclude AWS service events, which have an `eventType` of `AwsServiceEvent`, and events initiated with AWS service-linked roles (SLRs).

      1. (Optional) In **Selector name**, enter a name to identify your selector. The selector name is a descriptive name for an advanced event selector, such as "Log management events from AWS Management Console sessions". The selector name is listed as `Name` in the advanced event selector and is viewable if you expand the **JSON view**.

      1. If you chose **Custom**, in **Advanced event selectors** build an expression based on advanced event selector field values.
**Note**  
Selectors don't support the use of wildcards like `*`. To match multiple values with a single condition, you may use `StartsWith`, `EndsWith`, `NotStartsWith`, or `NotEndsWith` to explicitly match the beginning or end of the event field.

         1. Choose from the following fields.
            + **`readOnly`** – `readOnly` can be set to **equals** a value of `true` or `false`. When it is set to `false`, the event data store logs Write-only management events. Read-only management events are events that do not change the state of a resource, such as `Get*` or `Describe*` events. Write events add, change, or delete resources, attributes, or artifacts, such as `Put*`, `Delete*`, or `Write*` events. To log both **Read** and **Write** events, don't add a `readOnly` selector.
            + **`eventName`** – `eventName` can use any operator. You can use it to include or exclude any management event, such as `CreateAccessPoint` or `GetAccessPoint`.
            + **`userIdentity.arn`** – Include or exclude events for actions taken by specific IAM identities. For more information, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
            + **`sessionCredentialFromConsole`** – Include or exclude events originating from an AWS Management Console session. This field can be set to **equals** or **not equals** with a value of `true`.
            + **`eventSource`** – You can use it to include or exclude specific event sources. The `eventSource` is typically a short form of the service name without spaces plus `.amazonaws.com`. For example, you could set `eventSource` **equals** to `ec2.amazonaws.com` to log only Amazon EC2 management events.
            + **`eventType`** – The [eventType](cloudtrail-event-reference-record-contents.md#ct-event-type) to include or exclude. For example, you can set this field to **not equals** `AwsServiceEvent` to exclude [AWS service events](non-api-aws-service-events.md).

         1. For each field, choose **+ Condition** to add as many conditions as you need, up to a maximum of 500 specified values for all conditions.

            For information about how CloudTrail evaluates multiple conditions, see [How CloudTrail evaluates multiple conditions for a field](filtering-data-events.md#filtering-data-events-conditions).
**Note**  
You can have a maximum of 500 values for all selectors on an event data store. This includes arrays of multiple values for a selector such as `eventName`. If you have single values for all selectors, you can have a maximum of 500 conditions added to a selector.

         1. Choose **+ Field** to add additional fields as required. To avoid errors, do not set conflicting or duplicate values for fields.

      1. Optionally, expand **JSON view** to see your advanced event selectors as a JSON block.

   1. Choose **Enable Insights events capture** to enable Insights. To enable Insights, you need to set up a [destination event data store](query-event-data-store-insights.md#query-event-data-store-insights-procedure) to collect Insights events based upon the management event activity in this event data store.

      If you choose to enable Insights, do the following.

      1. Choose the destination event store that will log Insights events. The destination event data store will collect Insights events based upon the management event activity in this event data store. For information about how to create the destination event data store, see [To create a destination event data store that logs Insights events](query-event-data-store-insights.md#query-event-data-store-insights-procedure).

      1. Choose the Insights types. You can choose **API call rate**, **API error rate**, or both. You must be logging **Write** management events to log Insights events for **API call rate**. You must be logging **Read** or **Write** management events to log Insights events for **API error rate**.

1. Choose **Save changes** when you are finished.
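The console rejects an invalid selector only when you try to save it, and the same JSON is what you would pass to the CLI. The following Python function is an added example, not part of this guide or of any AWS tool: it checks a list of advanced event selectors for management events against the constraints stated in the procedure above (no `*` wildcards, `readOnly` only with `Equals` `true`/`false`, `sessionCredentialFromConsole` only with `Equals`/`NotEquals` `true`, no field listed twice in one selector, at most 500 values across all selectors, and a required `eventCategory` `Equals` `Management`). The two sample selector sets are constructed for the example.

```python
"""Added example: offline sanity checks for management event advanced event selectors."""

MANAGEMENT_FIELDS = {
    "eventCategory", "readOnly", "eventName", "userIdentity.arn",
    "sessionCredentialFromConsole", "eventSource", "eventType",
}
OPERATORS = {"Equals", "NotEquals", "StartsWith", "EndsWith", "NotStartsWith", "NotEndsWith"}
MAX_VALUES = 500  # limit on values across all selectors of an event data store


def validate_management_selectors(selectors):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    total_values = 0
    for i, selector in enumerate(selectors):
        label = selector.get("Name") or f"selector[{i}]"
        seen_fields = set()
        has_management_category = False
        for fs in selector.get("FieldSelectors", []):
            field = fs.get("Field")
            if field not in MANAGEMENT_FIELDS:
                problems.append(f"{label}: {field!r} is not a management event selector field")
            if field in seen_fields:
                problems.append(f"{label}: {field!r} appears twice; use one entry with several values")
            seen_fields.add(field)
            ops = {k: v for k, v in fs.items() if k != "Field"}
            if not ops:
                problems.append(f"{label}: {field!r} has no operator")
            for op, values in ops.items():
                if op not in OPERATORS:
                    problems.append(f"{label}: {field}: unknown operator {op!r}")
                    continue
                if not isinstance(values, list) or not values:
                    problems.append(f"{label}: {field}.{op} must be a non-empty list")
                    continue
                total_values += len(values)
                for v in values:
                    if not isinstance(v, str):
                        problems.append(f"{label}: {field}.{op}: values must be strings")
                    elif "*" in v:
                        problems.append(f"{label}: {field}.{op}={v!r}: wildcards are not supported, "
                                        "use StartsWith/EndsWith or their negations")
                if field == "eventCategory":
                    if op == "Equals" and values == ["Management"]:
                        has_management_category = True
                    else:
                        problems.append(f'{label}: eventCategory must be Equals ["Management"]')
                if field == "readOnly" and (
                        op != "Equals" or any(v not in ("true", "false") for v in values)):
                    problems.append(f'{label}: readOnly supports only Equals with "true" or "false"')
                if field == "sessionCredentialFromConsole" and (
                        op not in ("Equals", "NotEquals") or values != ["true"]):
                    problems.append(f'{label}: sessionCredentialFromConsole supports only '
                                    'Equals/NotEquals with "true"')
        if not has_management_category:
            problems.append(f'{label}: missing required eventCategory Equals ["Management"]')
    if total_values > MAX_VALUES:
        problems.append(f"{total_values} values across all selectors exceeds the limit of {MAX_VALUES}")
    return problems


# Constructed samples: one selector set that passes, one with three typical mistakes.
GOOD = [{
    "Name": "Log management events from console sessions, except KMS",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]},
        {"Field": "eventSource", "NotEquals": ["kms.amazonaws.com"]},
        {"Field": "sessionCredentialFromConsole", "Equals": ["true"]},
    ],
}]
BAD = [{
    "Name": "Wildcard, wrong readOnly operator, no eventCategory",
    "FieldSelectors": [
        {"Field": "eventName", "Equals": ["Delete*"]},
        {"Field": "readOnly", "NotEquals": ["true"]},
    ],
}]

if __name__ == "__main__":
    for name, sel in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_management_selectors(sel) or "ok")
```

Run the checks against the JSON you see under **JSON view** before saving; the `BAD` sample shows the wildcard mistake the note above warns about, which `StartsWith` on `Delete` would express correctly.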

## Logging management events with the AWS CLI
<a name="creating-mgmt-event-selectors-with-the-AWS-CLI"></a>

You can configure your trails or event data stores to log management events using the AWS CLI.

**Topics**
+ [Examples: Logging management events for trails](#log-mgmt-events-trails-examples)
+ [Examples: Logging management events for event data stores](#log-mgmt-events-eds-examples)

### Examples: Logging management events for trails
<a name="log-mgmt-events-trails-examples"></a>

To view whether your trail is logging management events, run the `get-event-selectors` command.

```
aws cloudtrail get-event-selectors --trail-name TrailName
```

The following example returns the default settings for a trail. By default, trails log all management events, log events from all event sources, and don't log data events.

```
{
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/TrailName",
    "AdvancedEventSelectors": [
        {
            "Name": "Management events selector",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Management"
                    ]
                }
            ]
        }
    ]
}
```

You can use either basic or advanced event selectors to log management events. You cannot apply both event selectors and advanced event selectors to a trail. If you apply advanced event selectors to a trail, any existing basic event selectors are overwritten. The following sections provide examples of how to log management events using advanced event selectors and basic event selectors.

**Topics**
+ [Examples: Logging management events for trails using advanced event selectors](#log-mgmt-events-trails-examples-adv)
+ [Examples: Logging management events for trails using basic event selectors](#log-mgmt-events-trails-examples-basic)

#### Examples: Logging management events for trails using advanced event selectors
<a name="log-mgmt-events-trails-examples-adv"></a>

The following example creates an advanced event selector for a trail named *TrailName* to include read-only and write-only management events (by omitting the `readOnly` selector), but to exclude AWS Key Management Service (AWS KMS) events. Because AWS KMS events are treated as management events, and there can be a high volume of them, they can have a substantial impact on your CloudTrail bill if you have more than one trail that captures management events. 

If you choose not to log management events, AWS KMS events are not logged, and you cannot change AWS KMS event logging settings.

To start logging AWS KMS events to a trail again, remove the `eventSource` selector, and run the command again.

```
aws cloudtrail put-event-selectors --trail-name TrailName \
--advanced-event-selectors '
[
  {
    "Name": "Log all management events except KMS events",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Management"] },
      { "Field": "eventSource", "NotEquals": ["kms.amazonaws.com"] }
    ]
  }
]'
```

The example returns the advanced event selectors that are configured for the trail.

```
{
  "AdvancedEventSelectors": [
    {
      "Name": "Log all management events except KMS events",
      "FieldSelectors": [
        {
          "Field": "eventCategory", 
          "Equals": [ "Management" ]
        },
        {
          "Field": "eventSource", 
          "NotEquals": [ "kms.amazonaws.com" ]
        }
      ]
    }
  ],
  "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName"
}
```

To start logging excluded events to a trail again, remove the `eventSource` selector, as shown in the following command.

```
aws cloudtrail put-event-selectors --trail-name TrailName \
--advanced-event-selectors '
[
  {
    "Name": "Log all management events",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Management"] }
    ]
  }
]'
```

The next example creates an advanced event selector for a trail named *TrailName* to include read-only and write-only management events (by omitting the `readOnly` selector), but to exclude Amazon RDS Data API management events. To exclude Amazon RDS Data API management events, specify the Amazon RDS Data API event source in the string value for the `eventSource` field: `rdsdata.amazonaws.com`.

If you choose not to log management events, Amazon RDS Data API management events are not logged, and you cannot change Amazon RDS Data API event logging settings.

To start logging Amazon RDS Data API management events to a trail again, remove the `eventSource` selector, and run the command again.

```
aws cloudtrail put-event-selectors --trail-name TrailName \
--advanced-event-selectors '
[
  {
    "Name": "Log all management events except Amazon RDS Data API management events",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Management"] },
      { "Field": "eventSource", "NotEquals": ["rdsdata.amazonaws.com"] }
    ]
  }
]'
```

The example returns the advanced event selectors that are configured for the trail.

```
{
  "AdvancedEventSelectors": [
    {
      "Name": "Log all management events except Amazon RDS Data API management events",
      "FieldSelectors": [
        {
          "Field": "eventCategory", 
          "Equals": [ "Management" ]
        },
        {
          "Field": "eventSource", 
          "NotEquals": [ "rdsdata.amazonaws.com" ]
        }
      ]
    }
  ],
  "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName"
}
```

To start logging excluded events to a trail again, remove the `eventSource` selector, as shown in the following command.

```
aws cloudtrail put-event-selectors --trail-name TrailName \
--advanced-event-selectors '
[
  {
    "Name": "Log all management events",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Management"] }
    ]
  }
]'
```

#### Examples: Logging management events for trails using basic event selectors
<a name="log-mgmt-events-trails-examples-basic"></a>

To configure your trail to log management events, run the `put-event-selectors` command. The following example configures a trail to log all management events and, in the same event selector, data events for objects under two S3 prefixes. You can specify from 1 to 5 event selectors for a trail. You can specify from 1 to 250 data resources for a trail.

**Note**  
The maximum number of S3 data resources is 250, regardless of the number of event selectors.

```
aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::amzn-s3-demo-bucket/prefix", "arn:aws:s3:::amzn-s3-demo-bucket2/prefix2"] }] }]'
```

The following example returns the event selector configured for the trail.

```
{
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/TrailName",
    "EventSelectors": [
        {
            "ReadWriteType": "All",
            "IncludeManagementEvents": true,
            "DataResources": [
                {
                    "Type": "AWS::S3::Object",
                    "Values": [
                        "arn:aws:s3:::amzn-s3-demo-bucket/prefix",
                        "arn:aws:s3:::amzn-s3-demo-bucket2/prefix2"
                    ]
                }
            ],
            "ExcludeManagementEventSources": []
        }
    ]
}
```

To exclude AWS Key Management Service (AWS KMS) events from a trail's logs, run the `put-event-selectors` command and add the attribute `ExcludeManagementEventSources` with a value of `kms.amazonaws.com`. The following example creates an event selector for a trail named *TrailName* to include read-only and write-only management events, but exclude AWS KMS events. Because AWS KMS can generate a high volume of events, the user in this example might want to limit events to manage the cost of a trail.

```
aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{"ReadWriteType": "All","ExcludeManagementEventSources": ["kms.amazonaws.com"],"IncludeManagementEvents": true}]'
```

The example returns the event selector configured for the trail.

```
{
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/TrailName",
    "EventSelectors": [
        {
            "ReadWriteType": "All",
            "IncludeManagementEvents": true,
            "DataResources": [],
            "ExcludeManagementEventSources": [
                "kms.amazonaws.com"
            ]
        }
    ]
}
```

To exclude Amazon RDS Data API management events from a trail's logs, run the `put-event-selectors` command and add the attribute `ExcludeManagementEventSources` with a value of `rdsdata.amazonaws.com`, exactly as for AWS KMS above. The following example shows the resulting event selector for a trail named *TrailName* that includes read-only and write-only management events but excludes Amazon RDS Data API management events. Because Amazon RDS Data API can generate a high volume of management events, the user in this example might want to limit events to manage the cost of a trail.

```
{
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/TrailName",
    "EventSelectors": [
        {
            "ReadWriteType": "All",
            "IncludeManagementEvents": true,
            "DataResources": [],
            "ExcludeManagementEventSources": [
                "rdsdata.amazonaws.com"
            ]
        }
    ]
}
```

To start logging AWS KMS or Amazon RDS Data API management events to a trail again, pass an empty array as the value of `ExcludeManagementEventSources`, as shown in the following command.

```
aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{"ReadWriteType": "All","ExcludeManagementEventSources": [],"IncludeManagementEvents": true}]'
```

To log relevant AWS KMS events to a trail like `DisableKey`, `DeleteAlias`, and `ScheduleKeyDeletion`, but exclude high-volume AWS KMS events like `Encrypt`, `Decrypt`, and `GenerateDataKey`, log write-only management events, and keep the default setting to log AWS KMS events, as shown in the following example.

```
aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{"ReadWriteType": "WriteOnly","ExcludeManagementEventSources": [],"IncludeManagementEvents": true}]'
```
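The two-bucket read/write split described at the start of this section and the write-only-with-KMS configuration just above are both basic event selector decisions, and it is easy to lose track of which trail ends up with a given event. The following Python is an added example, not CloudTrail code and not from this guide: it models the routing decision a basic event selector makes for a management event (`IncludeManagementEvents`, then `ReadWriteType`, then `ExcludeManagementEventSources`) and replays a handful of constructed event records against three hypothetical trails. The `readOnly` flag on each record stands for the one CloudTrail records in the event; the third trail and its bucket name are assumptions for the example.

```python
"""Added example: which trail logs which management event under basic event selectors."""

# Constructed management event records, trimmed to the fields the selector looks at.
EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": True},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances", "readOnly": False},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "readOnly": True},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion", "readOnly": False},
    {"eventSource": "rdsdata.amazonaws.com", "eventName": "ExecuteStatement", "readOnly": False},
]

# Hypothetical trails: name -> (destination bucket, selector as passed to put-event-selectors).
TRAILS = {
    "read-trail": ("amzn-s3-demo-bucket1",
                   {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True,
                    "ExcludeManagementEventSources": []}),
    "write-trail": ("amzn-s3-demo-bucket2",
                    {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
                     "ExcludeManagementEventSources": []}),
    # Assumed third trail: everything except KMS, as in the exclusion example above.
    "no-kms-trail": ("amzn-s3-demo-bucket3",
                     {"ReadWriteType": "All", "IncludeManagementEvents": True,
                      "ExcludeManagementEventSources": ["kms.amazonaws.com"]}),
}


def selector_matches(selector, event):
    """Model of one basic event selector applied to one management event."""
    if not selector.get("IncludeManagementEvents", True):
        return False
    rw = selector.get("ReadWriteType", "All")
    if rw == "ReadOnly" and not event["readOnly"]:
        return False
    if rw == "WriteOnly" and event["readOnly"]:
        return False
    # Exclusion works on the whole eventSource; it cannot single out individual eventNames.
    return event["eventSource"] not in selector.get("ExcludeManagementEventSources", [])


def route(events, trails):
    """Return {eventName: [buckets that receive it]}, buckets in trail order."""
    routing = {}
    for ev in events:
        routing[ev["eventName"]] = [
            bucket for bucket, sel in trails.values() if selector_matches(sel, ev)
        ]
    return routing


if __name__ == "__main__":
    for name, buckets in route(EVENTS, TRAILS).items():
        print(f"{name:20} -> {buckets or ['(not logged)']}")
```

The output makes the trade-off in the write-only configuration visible: `ScheduleKeyDeletion` reaches the write bucket while `Decrypt` does not, and the trail that excludes `kms.amazonaws.com` drops both.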

### Examples: Logging management events for event data stores
<a name="log-mgmt-events-eds-examples"></a>

You log management events for event data stores by configuring advanced event selectors.

The following advanced event selector fields are supported for logging management events on event data stores:
+ **`eventCategory`** – You must set `eventCategory` equal to `Management` to log management events. This is a required field.
+ **`readOnly`** – `readOnly` can be set to `Equals` a value of `true` or `false`. When it is set to `false`, the event data store logs Write-only management events. Read-only management events are events that do not change the state of a resource, such as `Get*` or `Describe*` events. Write events add, change, or delete resources, attributes, or artifacts, such as `Put*`, `Delete*`, or `Write*` events. To log both **Read** and **Write** events, don't add a `readOnly` selector.
+ **`eventName`** – `eventName` can use any operator. You can use it to include or exclude any management event, such as `CreateAccessPoint` or `GetAccessPoint`.
+ **`userIdentity.arn`** – Include or exclude events for actions taken by specific IAM identities. For more information, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
+ **`sessionCredentialFromConsole`** – Include or exclude events originating from an AWS Management Console session. This field can be set to `Equals` or `NotEquals` with a value of `true`.
+ **`eventSource`** – You can use it to include or exclude specific event sources. The `eventSource` is typically a short form of the service name without spaces plus `.amazonaws.com`. For example, you could set `eventSource` `Equals` to `ec2.amazonaws.com` to log only Amazon EC2 management events.
+ **`eventType`** – The [eventType](cloudtrail-event-reference-record-contents.md#ct-event-type) to include or exclude. For example, you can set this field to `NotEquals` `AwsServiceEvent` to exclude [AWS service events](non-api-aws-service-events.md). You can use any operator with this field.

To view whether your event data store includes management events, run the **get-event-data-store** command.

```
aws cloudtrail get-event-data-store \
--event-data-store arn:aws:cloudtrail:us-east-1:12345678910:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE
```

The following is an example response. Creation and last updated times are in `timestamp` format.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:12345678910:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
    "Name": "myManagementEvents",
    "Status": "ENABLED",
    "AdvancedEventSelectors": [
        {
            "Name": "Management events selector",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Management"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "FIXED_RETENTION_PRICING",
    "RetentionPeriod": 2557,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2023-02-04T15:56:27.418000+00:00",
    "UpdatedTimestamp": "2023-02-04T15:56:27.544000+00:00"
}
```

To create an event data store that includes all management events, you run the **create-event-data-store** command. You do not need to specify any advanced event selectors to include all management events.

```
aws cloudtrail create-event-data-store \
--name my-event-data-store \
--retention-period 90
```

The following is an example response.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:12345678910:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
    "Name": "my-event-data-store",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Default management events",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Management"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "EXTENDABLE_RETENTION_PRICING",
    "RetentionPeriod": 90,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2023-11-13T16:41:57.224000+00:00",
    "UpdatedTimestamp": "2023-11-13T16:41:57.357000+00:00"
}
```

**Topics**
+ [Example: Exclude AWS KMS management events](#log-mgmt-events-eds-examples-kms)
+ [Example: Exclude Amazon RDS management events](#log-mgmt-events-eds-examples-rds)
+ [Example: Exclude AWS service events and events from AWS Management Console sessions](#log-mgmt-events-eds-examples-service)
+ [Example: Exclude management events for a specific IAM identity](#log-mgmt-events-eds-examples-useridentity)

#### Example: Exclude AWS KMS management events
<a name="log-mgmt-events-eds-examples-kms"></a>

To create an event data store that excludes AWS Key Management Service (AWS KMS) events, run the `create-event-data-store` command and specify that `eventSource` does not equal `kms.amazonaws.com`. The following example creates an event data store that includes read-only and write-only management events, but excludes AWS KMS events.

```
aws cloudtrail create-event-data-store --name event-data-store-name --retention-period 90 --advanced-event-selectors '[
    {
        "Name": "Management events selector",
        "FieldSelectors": [
            {"Field": "eventCategory","Equals": ["Management"]},
            {"Field": "eventSource","NotEquals": ["kms.amazonaws.com"]}
        ]
    }
]'
```

The following is an example response.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:12345678910:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
    "Name": "event-data-store-name",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Management events selector",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Management"
                    ]
                },
                {
                    "Field": "eventSource",
                    "NotEquals": [
                        "kms.amazonaws.com"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "EXTENDABLE_RETENTION_PRICING",
    "RetentionPeriod": 90,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2023-11-13T17:02:02.067000+00:00",
    "UpdatedTimestamp": "2023-11-13T17:02:02.241000+00:00"
}
```

#### Example: Exclude Amazon RDS management events
<a name="log-mgmt-events-eds-examples-rds"></a>

To create an event data store that excludes Amazon RDS Data API management events, run the `create-event-data-store` command and specify that `eventSource` does not equal `rdsdata.amazonaws.com`. The following example creates an event data store that includes read-only and write-only management events, but excludes Amazon RDS Data API events. 

```
aws cloudtrail create-event-data-store --name event-data-store-name --retention-period 90 --advanced-event-selectors '[
    {
        "Name": "Management events selector",
        "FieldSelectors": [
            {"Field": "eventCategory","Equals": ["Management"]},
            {"Field": "eventSource","NotEquals": ["rdsdata.amazonaws.com"]}
        ]
    }
]'
```

The following is an example response.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:12345678910:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
    "Name": "event-data-store-name",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Management events selector",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Management"
                    ]
                },
                {
                    "Field": "eventSource",
                    "NotEquals": [
                        "rdsdata.amazonaws.com"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "EXTENDABLE_RETENTION_PRICING",
    "RetentionPeriod": 90,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2023-11-13T17:02:02.067000+00:00",
    "UpdatedTimestamp": "2023-11-13T17:02:02.241000+00:00"
}
```

#### Example: Exclude AWS service events and events from AWS Management Console sessions
<a name="log-mgmt-events-eds-examples-service"></a>

The following example creates an event data store that logs management events but excludes AWS service events and events originating from AWS Management Console sessions.

```
aws cloudtrail create-event-data-store --name event-data-store-name --advanced-event-selectors '[
    {
        "Name": "Exclude AWS service and console events",
        "FieldSelectors": [
            {"Field": "eventCategory","Equals": ["Management"]},
            {"Field": "eventType","NotEquals": ["AwsServiceEvent"]},
            {"Field": "sessionCredentialFromConsole","NotEquals": ["true"]}
        ]
    }
]'
```

The following is an example response.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:12345678910:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
    "Name": "event-data-store-name",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Exclude AWS service and console events",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Management"
                    ]
                },
                {
                    "Field": "eventType",
                    "NotEquals": [
                        "AwsServiceEvent"
                    ]
                },
                {
                    "Field": "sessionCredentialFromConsole",
                    "NotEquals": [
                        "true"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "EXTENDABLE_RETENTION_PRICING",
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2024-11-13T17:02:02.067000+00:00",
    "UpdatedTimestamp": "2024-11-13T17:02:02.241000+00:00"
}
```

#### Example: Exclude management events for a specific IAM identity
<a name="log-mgmt-events-eds-examples-useridentity"></a>

The following example creates an event data store that logs management events but excludes events whose `userIdentity.arn` begins with the assumed-role ARN of `bucket-scanner-role`. Because the role session name follows the role name in an assumed-role ARN, `NotStartsWith` excludes every session of that role. Anything done with that role, including by anyone who obtains its credentials, is then absent from this event data store, so reserve this kind of exclusion for noisy, tightly scoped automation roles.

```
aws cloudtrail create-event-data-store --name event-data-store-name --advanced-event-selectors '[
    {
        "Name": "Exclude events generated by bucket-scanner-role userIdentity",
        "FieldSelectors": [
            {"Field": "eventCategory","Equals": ["Management"]},
            {"Field": "userIdentity.arn","NotStartsWith": ["arn:aws:sts::123456789012:assumed-role/bucket-scanner-role"]}
        ]
    }
]'
```

The following is an example response.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
    "Name": "event-data-store-name",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Exclude events generated by bucket-scanner-role userIdentity",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Management"
                    ]
                },
                {
                    "Field": "userIdentity.arn",
                    "NotStartsWith": [
                        "arn:aws:sts::123456789012:assumed-role/bucket-scanner-role"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "EXTENDABLE_RETENTION_PRICING",
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2024-11-13T17:02:02.067000+00:00",
    "UpdatedTimestamp": "2024-11-13T17:02:02.241000+00:00"
}
```
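The four event data store examples above each express one filter, and combining them is where mistakes creep in. The following Python is an added example, not the CloudTrail service's implementation and not from this guide: it models how a set of advanced event selectors is evaluated against management event records, so you can preview what a selector set will and will not capture before creating the store. The model assumes the documented semantics: field selectors within one selector are ANDed; for `Equals`, `StartsWith` and `EndsWith` the field matches if any listed value matches, and for the negated operators only if no listed value matches; an event is captured when any selector in the set matches. The event records are constructed for the example, and `123456789012` is a placeholder account ID.

```python
"""Added example: preview which management events a set of advanced event selectors captures."""

POSITIVE = {
    "Equals": lambda actual, v: actual == v,
    "StartsWith": lambda actual, v: actual.startswith(v),
    "EndsWith": lambda actual, v: actual.endswith(v),
}
NEGATIVE = {"NotEquals": "Equals", "NotStartsWith": "StartsWith", "NotEndsWith": "EndsWith"}


def event_field(event, field):
    """Resolve a selector field (dotted path allowed) to the string form a selector compares."""
    value = event
    for part in field.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    if isinstance(value, bool):  # readOnly and sessionCredentialFromConsole are JSON booleans
        return "true" if value else "false"
    return "" if value is None else str(value)


def field_selector_matches(fs, event):
    """All operators on one field selector must hold (positive: any value; negative: no value)."""
    actual = event_field(event, fs["Field"])
    for op, values in fs.items():
        if op == "Field":
            continue
        if op in POSITIVE:
            if not any(POSITIVE[op](actual, v) for v in values):
                return False
        elif op in NEGATIVE:
            if any(POSITIVE[NEGATIVE[op]](actual, v) for v in values):
                return False
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return True


def captured(selectors, event):
    """True if at least one selector has every field selector matching the event."""
    return any(all(field_selector_matches(fs, event) for fs in sel["FieldSelectors"])
               for sel in selectors)


def preview(selector_sets, events):
    """{selector set name: sorted names of the events it would capture}."""
    return {name: sorted(ev for ev, rec in events.items() if captured(sels, rec))
            for name, sels in selector_sets.items()}


# Constructed records, trimmed to the fields the selectors reference.
EVENTS = {
    "kms-decrypt": {"eventCategory": "Management", "eventSource": "kms.amazonaws.com",
                    "eventName": "Decrypt", "eventType": "AwsApiCall", "readOnly": True,
                    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app"}},
    "console-run-instances": {"eventCategory": "Management", "eventSource": "ec2.amazonaws.com",
                    "eventName": "RunInstances", "eventType": "AwsApiCall", "readOnly": False,
                    "sessionCredentialFromConsole": True,
                    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    "scanner-list-buckets": {"eventCategory": "Management", "eventSource": "s3.amazonaws.com",
                    "eventName": "ListBuckets", "eventType": "AwsApiCall", "readOnly": True,
                    # session name follows the role name, so NotStartsWith covers every session
                    "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/bucket-scanner-role/i-0abc"}},
    "service-event": {"eventCategory": "Management", "eventSource": "ec2.amazonaws.com",
                    "eventName": "ExampleServiceEvent",  # constructed placeholder name
                    "eventType": "AwsServiceEvent", "readOnly": False,
                    "userIdentity": {"arn": "arn:aws:iam::123456789012:role/aws-service-role/example"}},
}

# The selector sets from the three examples above, verbatim.
SELECTOR_SETS = {
    "exclude-kms": [{"Name": "Management events selector", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]},
        {"Field": "eventSource", "NotEquals": ["kms.amazonaws.com"]}]}],
    "exclude-service-and-console": [{"Name": "Exclude AWS service and console events", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]},
        {"Field": "eventType", "NotEquals": ["AwsServiceEvent"]},
        {"Field": "sessionCredentialFromConsole", "NotEquals": ["true"]}]}],
    "exclude-scanner-role": [{"Name": "Exclude events generated by bucket-scanner-role userIdentity",
                              "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]},
        {"Field": "userIdentity.arn",
         "NotStartsWith": ["arn:aws:sts::123456789012:assumed-role/bucket-scanner-role"]}]}],
}

if __name__ == "__main__":
    for name, kept in preview(SELECTOR_SETS, EVENTS).items():
        print(f"{name:28} captures {kept}")
```

A record that lacks a field compares as an empty string, which is why `sessionCredentialFromConsole` `NotEquals` `true` keeps every non-console event rather than dropping events that never carry the field.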

## Logging management events with the AWS SDKs
<a name="logging-management-events-with-the-AWS-SDKs"></a>

Use the [GetEventSelectors](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_GetEventSelectors.html) operation to see whether a trail is logging management events. You can configure your trails to log management events with the [PutEventSelectors](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html) operation. For more information, see the [AWS CloudTrail API Reference](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/).

Run the [GetEventDataStore](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_GetEventDataStore.html) operation to see whether your event data store includes management events. You can configure your event data stores to include management events by running the [CreateEventDataStore](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateEventDataStore.html) or [UpdateEventDataStore](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateEventDataStore.html) operations. For more information, see [Create, update, and manage event data stores with the AWS CLI](lake-eds-cli.md) and the [AWS CloudTrail API Reference](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/).

# Logging data events
<a name="logging-data-events-with-cloudtrail"></a>

This section describes how to log data events using the [CloudTrail console](#logging-data-events-console) and [AWS CLI](#creating-data-event-selectors-with-the-AWS-CLI).

By default, trails and event data stores do not log data events. Additional charges apply for data events. For more information, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

Data events provide information about the resource operations performed on or in a resource. These are also known as *data plane operations*. Data events are often high-volume activities.

Example data events include:
+ [Amazon S3 object-level API activity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-data-events) (for example, `GetObject`, `DeleteObject`, and `PutObject` API operations) on objects in S3 buckets.
+ AWS Lambda function execution activity (the `Invoke` API).
+ CloudTrail [PutAuditEvents](https://docs.aws.amazon.com/awscloudtraildata/latest/APIReference/API_PutAuditEvents.html) activity on a [CloudTrail Lake channel](query-event-data-store-integration.md) that is used to log events from outside AWS.
+ Amazon SNS [Publish](https://docs.aws.amazon.com/sns/latest/api/API_Publish.html) and [PublishBatch](https://docs.aws.amazon.com/sns/latest/api/API_PublishBatch.html) API operations on topics.

You can use advanced event selectors to create fine-grained selectors, which help you control costs by only logging the specific events of interest for your use cases. For example, you can use advanced event selectors to log specific API calls by adding a filter on the `eventName` field. For more information, see [Filtering data events by using advanced event selectors](filtering-data-events.md).
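To show how the SDK checks described under *Logging management events with the AWS SDKs* and the advanced event selectors described above fit together, here is an added Python example (not code from the AWS documentation). It parses a `GetEventSelectors` response to report whether management events are logged, and builds the `AdvancedEventSelectors` payload for `PutEventSelectors` that logs all management events plus only the named S3 object-level data events; the trail name, bucket ARN and sample responses are constructed placeholders.

```python
"""Added example (not from the AWS documentation): inspect a trail's event
selectors as returned by GetEventSelectors, decide whether management events
are being logged, and build the AdvancedEventSelectors payload for
PutEventSelectors that logs management events plus a narrow set of S3 data
events. Response shapes follow the CloudTrail API reference; the trail and
bucket names are constructed placeholders."""
import json

# Constructed sample: what boto3's get_event_selectors() returns for a trail
# that uses advanced event selectors and logs only read-only management events.
SAMPLE_ADVANCED_RESPONSE = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
    "AdvancedEventSelectors": [
        {
            "Name": "Read-only management events",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Management"]},
                {"Field": "readOnly", "Equals": ["true"]},
            ],
        }
    ],
}

# Constructed sample for a trail that still uses basic event selectors.
SAMPLE_BASIC_RESPONSE = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/legacy-trail",
    "EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True,
         "DataResources": []}
    ],
}


def management_logging(selectors_response):
    """Return (logs_management, logs_read, logs_write) for a GetEventSelectors
    response. Handles both the basic EventSelectors shape and the
    AdvancedEventSelectors shape; a trail uses one or the other."""
    advanced = selectors_response.get("AdvancedEventSelectors") or []
    if advanced:
        logs_read = logs_write = False
        for selector in advanced:
            fields = {f["Field"]: f for f in selector["FieldSelectors"]}
            category = fields.get("eventCategory", {}).get("Equals", [])
            if "Management" not in category:
                continue
            read_only = fields.get("readOnly", {}).get("Equals")
            # No readOnly condition means both read and write events are logged.
            if read_only is None:
                logs_read = logs_write = True
            elif read_only == ["true"]:
                logs_read = True
            elif read_only == ["false"]:
                logs_write = True
        return (logs_read or logs_write, logs_read, logs_write)
    for selector in selectors_response.get("EventSelectors") or []:
        if selector.get("IncludeManagementEvents"):
            rw = selector.get("ReadWriteType", "All")
            return (True, rw in ("All", "ReadOnly"), rw in ("All", "WriteOnly"))
    return (False, False, False)


def build_advanced_selectors(bucket_arn, data_event_names):
    """Build AdvancedEventSelectors for PutEventSelectors: all management
    events plus only the named S3 object-level data events (eventName filter)
    for objects under bucket_arn. resources.type uses AWS::S3::Object, the
    value listed for S3 general purpose buckets."""
    return [
        {
            "Name": "All management events",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Management"]},
            ],
        },
        {
            "Name": "Selected S3 object data events",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                {"Field": "eventName", "Equals": list(data_event_names)},
                {"Field": "resources.ARN", "StartsWith": [bucket_arn + "/"]},
            ],
        },
    ]


if __name__ == "__main__":
    # Offline: evaluate the constructed responses.
    for response in (SAMPLE_ADVANCED_RESPONSE, SAMPLE_BASIC_RESPONSE):
        print(response["TrailARN"], management_logging(response))
    selectors = build_advanced_selectors(
        "arn:aws:s3:::amzn-s3-demo-bucket", ["PutObject", "DeleteObject"])
    print(json.dumps(selectors, indent=2))
    # Live use (needs boto3 and credentials): read a real trail's selectors
    # and apply the payload with PutEventSelectors.
    # import boto3
    # ct = boto3.client("cloudtrail")
    # print(management_logging(ct.get_event_selectors(TrailName="example-trail")))
    # ct.put_event_selectors(TrailName="example-trail",
    #                        AdvancedEventSelectors=selectors)
```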

**Note**  
The events that are logged by your trails are available in Amazon EventBridge. For example, if you choose to log data events for S3 objects but not management events, your trail processes and logs only data events for the specified S3 objects. The data events for these S3 objects are available in Amazon EventBridge. For more information, see [AWS service events delivered via CloudTrail](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event-cloudtrail.html) in the *Amazon EventBridge User Guide* and the [AWS Events Reference](https://docs.aws.amazon.com//eventbridge/latest/ref/welcome.html). 

**Contents**
+ [Data events](#logging-data-events)
  + [Data events supported by AWS CloudTrail](#w2aac21c31c19c11)
  + [Examples: Logging data events for Amazon S3 objects](#logging-data-events-examples)
  + [Logging data events for S3 objects in other AWS accounts](#logging-data-events-for-s3-resources-in-other-accounts)
+ [Read-only and write-only events](#read-write-events-data)
+ [Logging data events with the AWS Management Console](#logging-data-events-console)
+ [Logging data events with the AWS Command Line Interface](#creating-data-event-selectors-with-the-AWS-CLI)
  + [Logging data events for trails with the AWS CLI](#logging-data-events-CLI-trail-examples)
    + [Log data events for trails by using advanced event selectors](#creating-data-event-selectors-advanced)
    + [Log all Amazon S3 events for an Amazon S3 bucket by using advanced event selectors](#creating-data-adv-event-selectors-CLI-s3)
    + [Log Amazon S3 on AWS Outposts events by using advanced event selectors](#creating-data-event-selectors-CLI-outposts)
    + [Log events by using basic event selectors](#creating-data-event-selectors-basic)
  + [Logging data events for event data stores with the AWS CLI](#logging-data-events-CLI-eds-examples)
    + [Include all Amazon S3 events for a specific bucket](#creating-data-adv-event-selectors-CLI-s3-eds)
    + [Include Amazon S3 on AWS Outposts events](#creating-data-event-selectors-CLI-outposts-eds)
+ [Filtering data events by using advanced event selectors](filtering-data-events.md)
  + [How CloudTrail evaluates multiple conditions for a field](filtering-data-events.md#filtering-data-events-conditions)
    + [Example showing multiple conditions for the `resources.ARN` field](filtering-data-events.md#filtering-data-events-conditions-ex)
  + [AWS CLI examples for filtering data events](filtering-data-events.md#filtering-data-events-examples)
    + [Example 1: Filtering on the `eventName` field](filtering-data-events.md#filtering-data-events-eventname)
    + [Example 2: Filtering on the `resources.ARN` and `userIdentity.arn` fields](filtering-data-events.md#filtering-data-events-useridentityarn)
    + [Example 3: Filtering on the `resources.type` and `eventName` fields to exclude individual objects deleted by an Amazon S3 DeleteObjects event](filtering-data-events.md#filtering-data-events-deleteobjects)
+ [Aggregating data events](aggregating-data-events.md)
  + [Enabling aggregations for data events using the console](aggregating-data-events.md#aggregating-data-events-console)
  + [Enabling aggregations for data events using the AWS CLI](aggregating-data-events.md#aggregating-data-events-cli)
    + [Example: API_ACTIVITY aggregated event](aggregating-data-events.md#aggregating-data-events-api-activity-example)
    + [Example: RESOURCE_ACCESS aggregated event](aggregating-data-events.md#aggregating-data-events-resource-access-example)
+ [Logging data events for AWS Config compliance](#config-data-events-best-practices)
+ [Logging data events with the AWS SDKs](#logging-data-events-with-the-AWS-SDKs)

## Data events
<a name="logging-data-events"></a>

The following table shows the resource types available for trails and event data stores. The **Resource type (console)** column shows the appropriate selection in the console. The **resources.type value** column shows the `resources.type` value that you would specify to include data events of that type in your trail or event data store using the AWS CLI or CloudTrail APIs.

For trails, you can use basic or advanced event selectors to log data events for Amazon S3 objects in general purpose buckets, Lambda functions, and DynamoDB tables (shown in the first three rows of the table). You can use only advanced event selectors to log the resource types shown in the remaining rows.

For event data stores, you can use only advanced event selectors to include data events.

### Data events supported by AWS CloudTrail
<a name="w2aac21c31c19c11"></a>


| AWS service | Description | Resource type (console) | resources.type value | 
| --- | --- | --- | --- | 
| Amazon RDS | [Amazon RDS API activity](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/logging-using-cloudtrail-data-api.html#logging-using-cloudtrail-data-api.including-excluding-cloudtrail-events) on a DB Cluster. | RDS Data API - DB Cluster | AWS::RDS::DBCluster | 
| Amazon S3 | [Amazon S3 object-level API activity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-data-events) (for example, `GetObject`, `DeleteObject`, and `PutObject` API operations) on objects in general purpose buckets. | S3 | AWS::S3::Object | 
| Amazon S3 | [Amazon S3 API activity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-data-events) on access points. | S3 Access Point | AWS::S3::AccessPoint | 
| Amazon S3 | [Amazon S3 object-level API activity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-data-events) (for example, `GetObject`, `DeleteObject`, and `PutObject` API operations) on objects in directory buckets. | S3 Express | AWS::S3Express::Object | 
| Amazon S3 | [Amazon S3 Object Lambda access points API activity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-data-events), such as calls to `CompleteMultipartUpload` and `GetObject`. | S3 Object Lambda | AWS::S3ObjectLambda::AccessPoint | 
| Amazon S3 | Amazon FSx API activity on volumes.  | FSx Volume | AWS::FSx::Volume | 
| Amazon S3 Tables | Amazon S3 API activity on [tables](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-create.html). | S3 table | AWS::S3Tables::Table | 
| Amazon S3 Tables | Amazon S3 API activity on [table buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-buckets.html). | S3 table bucket | AWS::S3Tables::TableBucket | 
| Amazon S3 Vectors | Amazon S3 API activity on [vector buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-buckets.html). | S3 vector bucket | AWS::S3Vectors::VectorBucket | 
| Amazon S3 Vectors | Amazon S3 API activity on [vector indexes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-indexes.html). | S3 vector index | AWS::S3Vectors::Index | 
| Amazon S3 on Outposts |  [Amazon S3 on Outposts object-level API activity](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-data-events). | S3 Outposts | AWS::S3Outposts::Object | 
| Amazon SNS | Amazon SNS [Publish](https://docs.aws.amazon.com/sns/latest/api/API_Publish.html) API operations on platform endpoints. | SNS platform endpoint | AWS::SNS::PlatformEndpoint | 
| Amazon SNS | Amazon SNS [Publish](https://docs.aws.amazon.com/sns/latest/api/API_Publish.html) and [PublishBatch](https://docs.aws.amazon.com/sns/latest/api/API_PublishBatch.html) API operations on topics. | SNS topic | AWS::SNS::Topic | 
| Amazon SQS | [Amazon SQS API activity](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-logging-using-cloudtrail.html#sqs-data-events-in-cloud-trail) on messages.  | SQS | AWS::SQS::Queue | 
| AWS Supply Chain | AWS Supply Chain API activity on an instance.  | Supply Chain | AWS::SCN::Instance | 
| Amazon SWF | [Amazon SWF API activity](https://docs.aws.amazon.com/amazonswf/latest/developerguide/ct-logging.html#cloudtrail-data-events) on [domains](https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-domains.html).  | SWF domain | AWS::SWF::Domain | 
| AWS AppConfig | [AWS AppConfig API activity](https://docs.aws.amazon.com/appconfig/latest/userguide/logging-using-cloudtrail.html#appconfig-data-events-cloudtrail) for configuration operations such as calls to `StartConfigurationSession` and `GetLatestConfiguration`. | AWS AppConfig | AWS::AppConfig::Configuration | 
| AWS AppSync | [AWS AppSync API activity](https://docs.aws.amazon.com/appsync/latest/devguide/cloudtrail-logging.html#cloudtrail-data-events) on AppSync GraphQL APIs. | AppSync GraphQL | AWS::AppSync::GraphQLApi | 
| Amazon Aurora DSQL | Amazon Aurora DSQL API activity on cluster resources.  | Amazon Aurora DSQL | AWS::DSQL::Cluster | 
| AWS B2B Data Interchange | B2B Data Interchange API activity for Transformer operations such as calls to `GetTransformerJob` and `StartTransformerJob`. | B2B Data Interchange | AWS::B2BI::Transformer | 
| AWS Backup | AWS Backup Search Data API activity on search jobs. | AWS Backup Search Data APIs | AWS::Backup::SearchJob | 
| Amazon Bedrock | [Amazon Bedrock API activity](https://docs.aws.amazon.com/bedrock/latest/userguide/logging-using-cloudtrail.html#service-name-data-events-cloudtrail) on an agent alias. | Bedrock agent alias | AWS::Bedrock::AgentAlias | 
| Amazon Bedrock | Amazon Bedrock API activity on async invocations. | Bedrock async invoke | AWS::Bedrock::AsyncInvoke | 
| Amazon Bedrock | Amazon Bedrock API activity on a flow alias. | Bedrock flow alias | AWS::Bedrock::FlowAlias | 
| Amazon Bedrock | Amazon Bedrock API activity on guardrails. | Bedrock guardrail | AWS::Bedrock::Guardrail | 
| Amazon Bedrock | Amazon Bedrock API activity on inline agents. | Bedrock Invoke Inline-Agent | AWS::Bedrock::InlineAgent | 
| Amazon Bedrock | [Amazon Bedrock API activity](https://docs.aws.amazon.com/bedrock/latest/userguide/logging-using-cloudtrail.html#service-name-data-events-cloudtrail) on a knowledge base. | Bedrock knowledge base | AWS::Bedrock::KnowledgeBase | 
| Amazon Bedrock | Amazon Bedrock API activity on models. | Bedrock model | AWS::Bedrock::Model | 
| Amazon Bedrock | Amazon Bedrock API activity on prompts. | Bedrock prompt | AWS::Bedrock::PromptVersion | 
| Amazon Bedrock | Amazon Bedrock API activity on sessions. | Bedrock session | AWS::Bedrock::Session | 
| Amazon Bedrock | Amazon Bedrock API activity on flow executions.  | Bedrock flow execution | AWS::Bedrock::FlowExecution | 
| Amazon Bedrock | Amazon Bedrock API activity on an automated reasoning policy.  | Bedrock automated reasoning policy | AWS::Bedrock::AutomatedReasoningPolicy | 
| Amazon Bedrock | Amazon Bedrock API activity on an automated reasoning policy version.  | Bedrock automated reasoning policy version | AWS::Bedrock::AutomatedReasoningPolicyVersion | 
| Amazon Bedrock | Amazon Bedrock data automation project API activity. | Bedrock Data Automation project | AWS::Bedrock::DataAutomationProject | 
| Amazon Bedrock | Amazon Bedrock data automation invocation API activity. | Bedrock Data Automation invocation | AWS::Bedrock::DataAutomationInvocation | 
| Amazon Bedrock | Amazon Bedrock data automation profile API activity. | Bedrock Data Automation profile | AWS::Bedrock::DataAutomationProfile | 
| Amazon Bedrock | Amazon Bedrock blueprint API activity. | Bedrock blueprint | AWS::Bedrock::Blueprint | 
| Amazon Bedrock | Amazon Bedrock Code-Interpreter API activity. | Bedrock-AgentCore Code-Interpreter | AWS::BedrockAgentCore::CodeInterpreter | 
| Amazon Bedrock | Amazon Bedrock Browser API activity. | Bedrock-AgentCore Browser | AWS::BedrockAgentCore::Browser | 
| Amazon Bedrock | Amazon Bedrock Workload Identity API activity. | Bedrock-AgentCore Workload Identity | AWS::BedrockAgentCore::WorkloadIdentity | 
| Amazon Bedrock | Amazon Bedrock Workload Identity Directory API activity. | Bedrock-AgentCore Workload Identity Directory | AWS::BedrockAgentCore::WorkloadIdentityDirectory | 
| Amazon Bedrock | Amazon Bedrock Token Vault API activity. | Bedrock-AgentCore Token Vault | AWS::BedrockAgentCore::TokenVault | 
| Amazon Bedrock | Amazon Bedrock APIKey CredentialProvider API activity. | Bedrock-AgentCore APIKey CredentialProvider | AWS::BedrockAgentCore::APIKeyCredentialProvider | 
| Amazon Bedrock | Amazon Bedrock Runtime API activity. | Bedrock-AgentCore Runtime | AWS::BedrockAgentCore::Runtime | 
| Amazon Bedrock | Amazon Bedrock Runtime-Endpoint API activity. | Bedrock-AgentCore Runtime-Endpoint | AWS::BedrockAgentCore::RuntimeEndpoint | 
| Amazon Bedrock | Amazon Bedrock Gateway API activity. | Bedrock-AgentCore Gateway | AWS::BedrockAgentCore::Gateway | 
| Amazon Bedrock | Amazon Bedrock Memory API activity. | Bedrock-AgentCore Memory | AWS::BedrockAgentCore::Memory | 
| Amazon Bedrock | Amazon Bedrock Oauth2 CredentialProvider API activity. | Bedrock-AgentCore Oauth2 CredentialProvider | AWS::BedrockAgentCore::OAuth2CredentialProvider | 
| Amazon Bedrock | Amazon Bedrock Browser-Custom API activity. | Bedrock-AgentCore Browser-Custom | AWS::BedrockAgentCore::BrowserCustom | 
| Amazon Bedrock | Amazon Bedrock Code-Interpreter-Custom API activity. | Bedrock-AgentCore Code-Interpreter-Custom | AWS::BedrockAgentCore::CodeInterpreterCustom | 
| Amazon Bedrock | Amazon Bedrock Tool API activity. | Bedrock Tool | AWS::Bedrock::Tool | 
| AWS Cloud Map | [AWS Cloud Map API activity](https://docs.aws.amazon.com/cloud-map/latest/dg/cloudtrail-data-events.html) on a [namespace](https://docs.aws.amazon.com/cloud-map/latest/api/API_Namespace.html). | AWS Cloud Map namespace | AWS::ServiceDiscovery::Namespace | 
| AWS Cloud Map | [AWS Cloud Map API activity](https://docs.aws.amazon.com/cloud-map/latest/dg/cloudtrail-data-events.html) on a [service](https://docs.aws.amazon.com/cloud-map/latest/api/API_Service.html). | AWS Cloud Map service | AWS::ServiceDiscovery::Service | 
| Amazon CloudFront | CloudFront API activity on a [KeyValueStore](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_KeyValueStore.html). | CloudFront KeyValueStore | AWS::CloudFront::KeyValueStore | 
| AWS CloudTrail | CloudTrail [PutAuditEvents](https://docs.aws.amazon.com/awscloudtraildata/latest/APIReference/API_PutAuditEvents.html) activity on a [CloudTrail Lake channel](query-event-data-store-integration.md) that is used to log events from outside AWS. | CloudTrail channel | AWS::CloudTrail::Channel | 
| Amazon CloudWatch | [Amazon CloudWatch API activity](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/logging_cw_api_calls.html#CloudWatch-data-plane-events) on metrics. | CloudWatch metric | AWS::CloudWatch::Metric | 
| Amazon CloudWatch Network Flow Monitor | Amazon CloudWatch Network Flow Monitor API activity on monitors. | Network Flow Monitor monitor | AWS::NetworkFlowMonitor::Monitor | 
| Amazon CloudWatch Network Flow Monitor | Amazon CloudWatch Network Flow Monitor API activity on scopes. | Network Flow Monitor scope | AWS::NetworkFlowMonitor::Scope | 
| Amazon CloudWatch RUM | Amazon CloudWatch RUM API activity on app monitors. | RUM app monitor | AWS::RUM::AppMonitor | 
| Amazon CodeGuru Profiler | CodeGuru Profiler API activity on profiling groups. | CodeGuru Profiler profiling group | AWS::CodeGuruProfiler::ProfilingGroup | 
| Amazon CodeWhisperer | Amazon CodeWhisperer API activity on a customization. | CodeWhisperer customization | AWS::CodeWhisperer::Customization | 
| Amazon CodeWhisperer | Amazon CodeWhisperer API activity on a profile. | CodeWhisperer | AWS::CodeWhisperer::Profile | 
| Amazon Cognito | Amazon Cognito API activity on Amazon Cognito [identity pools](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-info-in-cloudtrail.html#identity-pools-cloudtrail-events). | Cognito Identity Pools | AWS::Cognito::IdentityPool | 
| AWS Data Exchange | AWS Data Exchange API activity on assets. | Data Exchange asset | AWS::DataExchange::Asset | 
| Amazon Data Firehose | Amazon Data Firehose delivery stream API activity. | Amazon Data Firehose | AWS::KinesisFirehose::DeliveryStream | 
| AWS Deadline Cloud | [Deadline Cloud](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on fleets. | Deadline Cloud fleet | AWS::Deadline::Fleet | 
| AWS Deadline Cloud | [Deadline Cloud](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on jobs. | Deadline Cloud job | AWS::Deadline::Job | 
| AWS Deadline Cloud | [Deadline Cloud](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on queues. | Deadline Cloud queue | AWS::Deadline::Queue | 
| AWS Deadline Cloud | [Deadline Cloud](https://docs.aws.amazon.com/deadline-cloud/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on workers. | Deadline Cloud worker | AWS::Deadline::Worker | 
| Amazon DynamoDB | [Amazon DynamoDB item-level API activity](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html#ddb-data-plane-events-in-cloudtrail) on tables (for example, `PutItem`, `DeleteItem`, and `UpdateItem` API operations). For tables with streams enabled, the `resources` field in the data event contains both `AWS::DynamoDB::Stream` and `AWS::DynamoDB::Table`. If you specify `AWS::DynamoDB::Table` for the `resources.type`, it logs both DynamoDB table and DynamoDB Streams events by default. To exclude [streams events](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html#ddb-data-plane-events-in-cloudtrail), add a filter on the `eventName` field. | DynamoDB | AWS::DynamoDB::Table | 
| Amazon DynamoDB | [Amazon DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html#ddb-data-plane-events-in-cloudtrail) API activity on streams. | DynamoDB Streams | AWS::DynamoDB::Stream | 
| Amazon Elastic Block Store | [Amazon Elastic Block Store (EBS)](https://docs.aws.amazon.com/ebs/latest/userguide/logging-ebs-apis-using-cloudtrail.html) direct APIs, such as `PutSnapshotBlock`, `GetSnapshotBlock`, and `ListChangedBlocks` on Amazon EBS snapshots. | Amazon EBS direct APIs | AWS::EC2::Snapshot | 
| Amazon Elastic Compute Cloud | Amazon EC2 instance connect endpoint API activity. | EC2 instance connect endpoint | AWS::EC2::InstanceConnectEndpoint | 
| Amazon Elastic Container Service | Amazon Elastic Container Service API activity on a container instance. | ECS container instance | AWS::ECS::ContainerInstance | 
| Amazon Elastic Kubernetes Service | Amazon Elastic Kubernetes Service API activity on dashboards.  | Amazon Elastic Kubernetes Service dashboard | AWS::EKS::Dashboard | 
| Amazon EMR | [Amazon EMR API activity](https://docs.aws.amazon.com/emr/latest/ManagementGuide/logging-using-cloudtrail.html#cloudtrail-data-events) on a write-ahead log workspace. | EMR write-ahead log workspace | AWS::EMRWAL::Workspace | 
| AWS End User Messaging SMS | [AWS End User Messaging SMS](https://docs.aws.amazon.com/sms-voice/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on origination identities. | SMS Voice origination identity | AWS::SMSVoice::OriginationIdentity | 
| AWS End User Messaging SMS | [AWS End User Messaging SMS](https://docs.aws.amazon.com/sms-voice/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on messages. | SMS Voice message | AWS::SMSVoice::Message | 
| AWS End User Messaging Social | [AWS End User Messaging Social](https://docs.aws.amazon.com/social-messaging/latest/userguide/logging-using-cloudtrail.html#cloudtrail-data-events) API activity on phone number IDs. | Social-Messaging Phone Number Id | AWS::SocialMessaging::PhoneNumberId | 
| AWS End User Messaging Social | AWS End User Messaging Social API activity on Waba IDs. | Social-Messaging Waba ID | AWS::SocialMessaging::WabaId | 
| Amazon FinSpace | [Amazon FinSpace](https://docs.aws.amazon.com/finspace/latest/userguide/logging-cloudtrail-events.html#finspace-dataplane-events) API activity on environments. | FinSpace | AWS::FinSpace::Environment | 
| Amazon GameLift Streams | Amazon GameLift Streams [streaming API activity](https://docs.aws.amazon.com/gameliftstreams/latest/developerguide/logging-using-cloudtrail.html#cloudtrail-data-events) on applications. | GameLift Streams application | AWS::GameLiftStreams::Application | 
| Amazon GameLift Streams | Amazon GameLift Streams [streaming API activity](https://docs.aws.amazon.com/gameliftstreams/latest/developerguide/logging-using-cloudtrail.html#cloudtrail-data-events) on stream groups. | GameLift Streams stream group | AWS::GameLiftStreams::StreamGroup | 
| AWS Glue | AWS Glue API activity on tables that were created by Lake Formation. | Lake Formation | AWS::Glue::Table | 
| Amazon GuardDuty | Amazon GuardDuty API activity for a [detector](https://docs.aws.amazon.com/guardduty/latest/ug/logging-using-cloudtrail.html#guardduty-data-events-in-cloudtrail). | GuardDuty detector | AWS::GuardDuty::Detector | 
| AWS HealthImaging | AWS HealthImaging API activity on data stores. | MedicalImaging data store | AWS::MedicalImaging::Datastore | 
| AWS HealthImaging | AWS HealthImaging image set API activity. | MedicalImaging image set | AWS::MedicalImaging::Imageset | 
| AWS IoT | [AWS IoT API activity](https://docs.aws.amazon.com/greengrass/v2/developerguide/logging-using-cloudtrail.html#greengrass-data-events-cloudtrail) on [certificates](https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html). | IoT certificate | AWS::IoT::Certificate | 
| AWS IoT | [AWS IoT API activity](https://docs.aws.amazon.com/greengrass/v2/developerguide/logging-using-cloudtrail.html#greengrass-data-events-cloudtrail) on [things](https://docs.aws.amazon.com/iot/latest/developerguide/thing-registry.html). | IoT thing | AWS::IoT::Thing | 
| AWS IoT Greengrass Version 2 | [Greengrass API activity](https://docs.aws.amazon.com/greengrass/v2/developerguide/logging-using-cloudtrail.html#greengrass-data-events-cloudtrail) from a Greengrass core device on a component version. Greengrass doesn't log access denied events. | IoT Greengrass component version | AWS::GreengrassV2::ComponentVersion | 
| AWS IoT Greengrass Version 2 | [Greengrass API activity](https://docs.aws.amazon.com/greengrass/v2/developerguide/logging-using-cloudtrail.html#greengrass-data-events-cloudtrail) from a Greengrass core device on a deployment. Greengrass doesn't log access denied events. | IoT Greengrass deployment | AWS::GreengrassV2::Deployment | 
| AWS IoT SiteWise | [IoT SiteWise API activity](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/logging-using-cloudtrail.html#service-name-data-events-cloudtrail) on [assets](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_CreateAsset.html). | IoT SiteWise asset | AWS::IoTSiteWise::Asset | 
| AWS IoT SiteWise | [IoT SiteWise API activity](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/logging-using-cloudtrail.html#service-name-data-events-cloudtrail) on [time series](https://docs.aws.amazon.com/iot-sitewise/latest/APIReference/API_DescribeTimeSeries.html). | IoT SiteWise time series | AWS::IoTSiteWise::TimeSeries | 
| AWS IoT SiteWise Assistant | Sitewise Assistant API activity on conversations. | Sitewise Assistant conversation | AWS::SitewiseAssistant::Conversation | 
| AWS IoT TwinMaker | IoT TwinMaker API activity on an [entity](https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateEntity.html). | IoT TwinMaker entity | AWS::IoTTwinMaker::Entity | 
| AWS IoT TwinMaker | IoT TwinMaker API activity on a [workspace](https://docs.aws.amazon.com/iot-twinmaker/latest/apireference/API_CreateWorkspace.html). | IoT TwinMaker workspace | AWS::IoTTwinMaker::Workspace | 
| Amazon Kendra Intelligent Ranking | Amazon Kendra Intelligent Ranking API activity on [rescore execution plans](https://docs.aws.amazon.com/kendra/latest/dg/cloudtrail-intelligent-ranking.html#cloud-trail-intelligent-ranking-log-entry). | Kendra Ranking | AWS::KendraRanking::ExecutionPlan | 
| Amazon Keyspaces (for Apache Cassandra) | [Amazon Keyspaces API activity](https://docs.aws.amazon.com/keyspaces/latest/devguide/logging-using-cloudtrail.html#keyspaces-in-cloudtrail-dml) on a table. | Cassandra table | AWS::Cassandra::Table | 
| Amazon Keyspaces (for Apache Cassandra) | Amazon Keyspaces (for Apache Cassandra) API activity on Cassandra CDC streams.  | Cassandra CDC streams | AWS::Cassandra::Stream | 
| Amazon Kinesis Data Streams | Kinesis Data Streams API activity on [streams](https://docs.aws.amazon.com/streams/latest/dev/working-with-streams.html). | Kinesis stream | AWS::Kinesis::Stream | 
| Amazon Kinesis Data Streams | Kinesis Data Streams API activity on [stream consumers](https://docs.aws.amazon.com/streams/latest/dev/building-consumers.html). | Kinesis stream consumer | AWS::Kinesis::StreamConsumer | 
| Amazon Kinesis Video Streams | Kinesis Video Streams API activity on video streams, such as calls to `GetMedia` and `PutMedia`. | Kinesis video stream | AWS::KinesisVideo::Stream | 
| Amazon Kinesis Video Streams | Kinesis Video Streams video signaling channel API activity. | Kinesis video signaling channel | AWS::KinesisVideo::SignalingChannel | 
| AWS Lambda | AWS Lambda function execution activity (the `Invoke` API). | Lambda | AWS::Lambda::Function | 
| Amazon Location Maps | Amazon Location Maps API activity. | Geo Maps | AWS::GeoMaps::Provider | 
| Amazon Location Places | Amazon Location Places API activity. | Geo Places | AWS::GeoPlaces::Provider | 
| Amazon Location Routes | Amazon Location Routes API activity. | Geo Routes | AWS::GeoRoutes::Provider | 
| Amazon Machine Learning | Machine Learning API activity on ML models. | Machine Learning MlModel | AWS::MachineLearning::MlModel | 
| Amazon Managed Blockchain | Amazon Managed Blockchain API activity on a network. | Managed Blockchain network | AWS::ManagedBlockchain::Network | 
| Amazon Managed Blockchain | [Amazon Managed Blockchain](https://docs.aws.amazon.com/managed-blockchain/latest/ethereum-dev/logging-using-cloudtrail.html#ethereum-jsonrpc-logging) JSON-RPC calls on Ethereum nodes, such as `eth_getBalance` or `eth_getBlockByNumber`. | Managed Blockchain | AWS::ManagedBlockchain::Node | 
| Amazon Managed Blockchain Query | Amazon Managed Blockchain Query API activity. | Managed Blockchain Query | AWS::ManagedBlockchainQuery::QueryAPI | 
| Amazon Managed Workflows for Apache Airflow | Amazon MWAA API activity on environments.  | Managed Apache Airflow | AWS::MWAA::Environment | 
| Amazon Neptune Graph | Data API activities, for example queries, algorithms, or vector search, on a Neptune Graph. | Neptune Graph | AWS::NeptuneGraph::Graph | 
| Amazon One Enterprise | Amazon One Enterprise API activity on a UKey. | Amazon One UKey | AWS::One::UKey | 
| Amazon One Enterprise | Amazon One Enterprise API activity on users. | Amazon One User | AWS::One::User | 
| AWS Payment Cryptography | AWS Payment Cryptography API activity on aliases. | Payment Cryptography Alias | AWS::PaymentCryptography::Alias | 
| AWS Payment Cryptography | AWS Payment Cryptography API activity on keys. | Payment Cryptography Key | AWS::PaymentCryptography::Key | 
| Amazon Pinpoint | Amazon Pinpoint API activity on mobile targeting applications. | Mobile Targeting Application | AWS::Pinpoint::App | 
| AWS Private CA | AWS Private CA Connector for Active Directory API activity. | AWS Private CA Connector for Active Directory | AWS::PCAConnectorAD::Connector | 
| AWS Private CA | AWS Private CA Connector for SCEP API activity. | AWS Private CA Connector for SCEP | AWS::PCAConnectorSCEP::Connector | 
| Amazon Q Apps | Data API activity on [Amazon Q Apps](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/purpose-built-qapps.html). | Amazon Q Apps | AWS::QApps::QApp | 
| Amazon Q Apps | Data API activity on Amazon Q App sessions. | Amazon Q App Session | AWS::QApps::QAppSession | 
| Amazon Q Business | [Amazon Q Business API activity](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/logging-using-cloudtrail.html#service-name-data-plane-events-cloudtrail) on an application. | Amazon Q Business application | AWS::QBusiness::Application | 
| Amazon Q Business | [Amazon Q Business API activity](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/logging-using-cloudtrail.html#service-name-data-plane-events-cloudtrail) on a data source. | Amazon Q Business data source | AWS::QBusiness::DataSource | 
| Amazon Q Business | [Amazon Q Business API activity](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/logging-using-cloudtrail.html#service-name-data-plane-events-cloudtrail) on an index. | Amazon Q Business index | AWS::QBusiness::Index | 
| Amazon Q Business | [Amazon Q Business API activity](https://docs.aws.amazon.com/amazonq/latest/business-use-dg/logging-using-cloudtrail.html#service-name-data-plane-events-cloudtrail) on a web experience. | Amazon Q Business web experience | AWS::QBusiness::WebExperience | 
| Amazon Q Business | Amazon Q Business integration API activity. | Amazon Q Business integration | AWS::QBusiness::Integration | 
| Amazon Q Developer | Amazon Q Developer API activity on an integration. | Q Developer integration | AWS::QDeveloper::Integration | 
| Amazon Q Developer | [Amazon Q Developer API activity](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/logging_cw_api_calls.html#Q-Developer-Investigations-Cloudtrail) on operational investigations. | AIOps Investigation Group | AWS::AIOps::InvestigationGroup | 
| Amazon Quick | Amazon Quick API activity on an action connector. | AWSQuickSuite Actions | AWS::Quicksight::ActionConnector | 
| Amazon Quick | Amazon Quick Flow API activity. | QuickSight flow | AWS::QuickSight::Flow | 
| Amazon Quick | Amazon Quick FlowSession API activity. | QuickSight flow session | AWS::QuickSight::FlowSession | 
| Amazon SageMaker AI | Amazon SageMaker AI [`InvokeEndpointWithResponseStream`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_runtime_InvokeEndpointWithResponseStream.html) API activity on endpoints. | SageMaker AI endpoint | AWS::SageMaker::Endpoint | 
| Amazon SageMaker AI | Amazon SageMaker AI API activity on feature stores. | SageMaker AI feature store | AWS::SageMaker::FeatureGroup | 
| Amazon SageMaker AI | Amazon SageMaker AI API activity on [experiment trial components](https://docs.aws.amazon.com/sagemaker/latest/dg/experiments-monitoring.html). | SageMaker AI metrics experiment trial component | AWS::SageMaker::ExperimentTrialComponent | 
| Amazon SageMaker AI | Amazon SageMaker AI MLflow API activity. | SageMaker MLflow | AWS::SageMaker::MlflowTrackingServer | 
| AWS Signer | Signer API activity on signing jobs. | Signer signing job | AWS::Signer::SigningJob | 
| AWS Signer | Signer API activity on signing profiles. | Signer signing profile | AWS::Signer::SigningProfile | 
| Amazon Simple Email Service | Amazon Simple Email Service (Amazon SES) API activity on configuration sets. | SES configuration set | AWS::SES::ConfigurationSet | 
| Amazon Simple Email Service | Amazon Simple Email Service (Amazon SES) API activity on email identities. | SES identity | AWS::SES::EmailIdentity | 
| Amazon Simple Email Service | Amazon Simple Email Service (Amazon SES) API activity on templates. | SES template | AWS::SES::Template | 
| Amazon SimpleDB | Amazon SimpleDB API activity on domains. | SimpleDB domain | AWS::SDB::Domain | 
| AWS Step Functions | [Step Functions API activity](https://docs.aws.amazon.com/step-functions/latest/dg/procedure-cloud-trail.html#cloudtrail-data-events) on activities.  | Step Functions | AWS::StepFunctions::Activity | 
| AWS Step Functions | [Step Functions API activity](https://docs.aws.amazon.com/step-functions/latest/dg/procedure-cloud-trail.html#cloudtrail-data-events) on state machines.  | Step Functions state machine | AWS::StepFunctions::StateMachine | 
| AWS Systems Manager | [Systems Manager API activity](https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-cloudtrail-logs.html#cloudtrail-data-events) on control channels. | Systems Manager | AWS::SSMMessages::ControlChannel | 
| AWS Systems Manager | Systems Manager API activity on impact assessments. | SSM Impact Assessment  | AWS::SSM::ExecutionPreview | 
| AWS Systems Manager | [Systems Manager API activity](https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-cloudtrail-logs.html#cloudtrail-data-events) on managed nodes. | Systems Manager managed node | AWS::SSM::ManagedNode | 
| Amazon Timestream | Amazon Timestream [`Query`](https://docs.aws.amazon.com/timestream/latest/developerguide/API_query_Query.html) API activity on databases. | Timestream database | AWS::Timestream::Database | 
| Amazon Timestream | Amazon Timestream API activity on regional endpoints. | Timestream regional endpoint | AWS::Timestream::RegionalEndpoint | 
| Amazon Timestream | Amazon Timestream [`Query`](https://docs.aws.amazon.com/timestream/latest/developerguide/API_query_Query.html) API activity on tables. | Timestream table | AWS::Timestream::Table | 
| Amazon Verified Permissions | Amazon Verified Permissions API activity on a policy store. | Amazon Verified Permissions | AWS::VerifiedPermissions::PolicyStore | 
| Amazon WorkSpaces Thin Client | WorkSpaces Thin Client API activity on a Device. | Thin Client Device | AWS::ThinClient::Device | 
| Amazon WorkSpaces Thin Client | WorkSpaces Thin Client API activity on an Environment. | Thin Client Environment | AWS::ThinClient::Environment | 
| AWS X-Ray | [X-Ray API activity](https://docs.aws.amazon.com/xray/latest/devguide/xray-api-cloudtrail.html#cloudtrail-data-events) on [traces](https://docs.aws.amazon.com/xray/latest/devguide/xray-concepts.html#xray-concepts-traces). | X-Ray trace | AWS::XRay::Trace | 
| Amazon AIDevOps | AIDevOps API activity on agent spaces. | Agent Space | AWS::AIDevOps::AgentSpace | 
| Amazon AIDevOps | AIDevOps API activity on associations. | AIDevOps association | AWS::AIDevOps::Association | 
| Amazon AIDevOps | AIDevOps API activity on operator app teams. | AIDevOps operator app team | AWS::AIDevOps::OperatorAppTeam | 
| Amazon AIDevOps | AIDevOps API activity on pipeline metadata. | AIDevOps Pipelines Metadata | AWS::AIDevOps::PipelineMetadata | 
| Amazon AIDevOps | AIDevOps API activity on services. | AIDevOps service | AWS::AIDevOps::Service | 
| Amazon Bedrock | Bedrock API activity on advanced optimize prompt jobs. | AdvancedOptimizePromptJob | AWS::Bedrock::AdvancedOptimizePromptJob | 
| Amazon Bedrock AgentCore | Bedrock AgentCore API activity on evaluators. | Bedrock-AgentCore Evaluator | AWS::BedrockAgentCore::Evaluator | 
| Amazon Cost Optimization | CloudOptimization API activity on profiles. | CloudOptimization Profile | AWS::CloudOptimization::Profile | 
| Amazon Cost Optimization | CloudOptimization API activity on recommendations. | CloudOptimization Recommendation | AWS::CloudOptimization::Recommendation | 
| Amazon GuardDuty | GuardDuty API activity on malware scans. | GuardDuty malware scan | AWS::GuardDuty::MalwareScan | 
| Amazon NovaAct | Amazon NovaAct API activity on workflow definitions. | Workflow definition | AWS::NovaAct::WorkflowDefinition | 
| Amazon NovaAct | Amazon NovaAct API activity on workflow runs. | Workflow run | AWS::NovaAct::WorkflowRun | 
| Amazon Redshift | Redshift API activity on clusters. | Amazon Redshift Cluster | AWS::Redshift::Cluster | 
| Amazon Support | SupportAccess API activity on tenants. | SupportAccess tenant | AWS::SupportAccess::Tenant | 
| Amazon Support | SupportAccess API activity on trusting accounts. | SupportAccess trusting account | AWS::SupportAccess::TrustingAccount | 
| Amazon Support | SupportAccess API activity on trusting roles. | SupportAccess trusting role | AWS::SupportAccess::TrustingRole | 
| Amazon Transform | Transform API activity on agent instances. | Transform agent instance | AWS::Transform::AgentInstance | 
| Amazon Transform Custom | Transform Custom API activity on campaigns. | Transform-Custom campaign | AWS::TransformCustom::Campaign | 
| Amazon Transform Custom | Transform Custom API activity on conversations. | Transform-Custom conversation | AWS::TransformCustom::Conversation | 
| Amazon Transform Custom | Transform Custom API activity on knowledge items. | Transform-Custom knowledge item | AWS::TransformCustom::KnowledgeItem | 
| Amazon Transform Custom | Transform Custom API activity on packages. | Transform-Custom package | AWS::TransformCustom::Package | 

To record CloudTrail data events, you must explicitly add each resource type for which you want to collect activity. For more information, see [Creating a trail with the CloudTrail console](cloudtrail-create-a-trail-using-the-console-first-time.md) and [Create an event data store for CloudTrail events with the console](query-event-data-store-cloudtrail.md).

On a single-Region trail or event data store, you can log data events only for resources that you can access in that Region. Though S3 buckets are global, AWS Lambda functions and DynamoDB tables are regional.

Additional charges apply for logging data events. For CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

### Examples: Logging data events for Amazon S3 objects
<a name="logging-data-events-examples"></a>

**Logging data events for all S3 objects in an S3 bucket**

The following example demonstrates how logging works when you configure logging of all data events for an S3 bucket named `amzn-s3-demo-bucket`. In this example, the CloudTrail user specified an empty prefix, and the option to log both **Read** and **Write** data events.

1. A user uploads an object to `amzn-s3-demo-bucket`. 

1. The `PutObject` API operation is an Amazon S3 object-level API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified an S3 bucket with an empty prefix, events that occur on any object in that bucket are logged. The trail or event data store processes and logs the event.

1. Another user uploads an object to `amzn-s3-demo-bucket2`. 

1. The `PutObject` API operation occurred on an object in an S3 bucket that wasn't specified for the trail or event data store. The trail or event data store doesn't log the event. 

**Logging data events for specific S3 objects**

The following example demonstrates how logging works when you configure a trail or event data store to log events for specific S3 objects. In this example, the CloudTrail user specified an S3 bucket named `amzn-s3-demo-bucket3`, with the prefix *my-images*, and the option to log only **Write** data events.

1. A user deletes an object that begins with the `my-images` prefix in the bucket, such as `arn:aws:s3:::amzn-s3-demo-bucket3/my-images/example.jpg`.

1. The `DeleteObject` API operation is an Amazon S3 object-level API. It is recorded as a **Write** data event in CloudTrail. The event occurred on an object that matches the S3 bucket and prefix specified in the trail or event data store. The trail or event data store processes and logs the event.

1. Another user deletes an object with a different prefix in the S3 bucket, such as `arn:aws:s3:::amzn-s3-demo-bucket3/my-videos/example.avi`.

1. The event occurred on an object that doesn't match the prefix specified in your trail or event data store. The trail or event data store doesn't log the event.

1. A user calls the `GetObject` API operation for the object, `arn:aws:s3:::amzn-s3-demo-bucket3/my-images/example.jpg`.

1. The event occurred on a bucket and prefix that are specified in the trail or event data store, but `GetObject` is a read-type Amazon S3 object-level API. It is recorded as a **Read** data event in CloudTrail, and the trail or event data store is not configured to log **Read** events. The trail or event data store doesn't log the event.

**Note**  
For trails, if you are logging data events for specific Amazon S3 buckets, we recommend that you do not deliver the trail's log files to an S3 bucket for which that same trail is logging data events. Using the same bucket causes the trail to log a data event each time a log file is delivered to it. Log files are aggregated events delivered at intervals, so this is not a 1:1 ratio of event to log file; the event is logged in the next log file. For example, when CloudTrail delivers a log file, a `PutObject` event occurs on the S3 bucket. If that bucket is also specified in the data events section, the trail processes and logs the `PutObject` event as a data event. Delivering the log file that contains it is another `PutObject` event, which the trail processes and logs again.  
To avoid logging data events for the Amazon S3 bucket where you receive log files if you configure a trail to log all Amazon S3 data events in your AWS account, consider configuring delivery of log files to an Amazon S3 bucket that belongs to another AWS account. For more information, see [Receiving CloudTrail log files from multiple accounts](cloudtrail-receive-logs-from-multiple-accounts.md).

### Logging data events for S3 objects in other AWS accounts
<a name="logging-data-events-for-s3-resources-in-other-accounts"></a>

When you configure your trail to log data events, you can also specify S3 objects that belong to other AWS accounts. When an event occurs on a specified object, CloudTrail evaluates whether the event matches any trails in each account. If the event matches the settings for a trail, the trail processes and logs the event for that account. Generally, both API callers and resource owners can receive events.

If you own an S3 object and you specify it in your trail, your trail logs events that occur on the object in your account. Because you own the object, your trail also logs events when other accounts call the object.

If you specify an S3 object in your trail, and another account owns the object, your trail only logs events that occur on that object in your account. Your trail doesn't log events that occur in other accounts.

**Example: Logging data events for an Amazon S3 object for two AWS accounts**

The following example shows how two AWS accounts configure CloudTrail to log events for the same S3 object.

1. In your account, you want your trail to log data events for all objects in your S3 bucket named `amzn-s3-demo-bucket`. You configure the trail by specifying the S3 bucket with an empty object prefix.

1. Bob has a separate account that has been granted access to the S3 bucket. Bob also wants to log data events for all objects in the same S3 bucket. For his trail, he configures his trail and specifies the same S3 bucket with an empty object prefix.

1. Bob uploads an object to the S3 bucket with the `PutObject` API operation.

1. This event occurred in his account and it matches the settings for his trail. Bob's trail processes and logs the event.

1. Because you own the S3 bucket and the event matches the settings for your trail, your trail also processes and logs the same event. Because there are now two copies of the event (one logged in Bob's trail, and one logged in yours), CloudTrail charges for two copies of the data event.

1. You upload an object to the S3 bucket.

1. This event occurs in your account and it matches the settings for your trail. Your trail processes and logs the event.

1. Because the event didn't occur in Bob's account, and he doesn't own the S3 bucket, Bob's trail doesn't log the event. CloudTrail charges for only one copy of this data event.

**Example: Logging data events for all buckets, including an S3 bucket used by two AWS accounts**

The following example shows the logging behavior when **Select all S3 buckets in your account** is enabled for trails that collect data events in an AWS account.

1. In your account, you want your trail to log data events for all S3 buckets. You configure the trail by choosing **Read** events, **Write** events, or both for **All current and future S3 buckets** in **Data events**.

1. Bob has a separate account that has been granted access to an S3 bucket in your account. He wants to log data events for the bucket to which he has access. He configures his trail to get data events for all S3 buckets.

1. Bob uploads an object to the S3 bucket with the `PutObject` API operation.

1. This event occurred in his account and it matches the settings for his trail. Bob's trail processes and logs the event.

1. Because you own the S3 bucket and the event matches the settings for your trail, your trail also processes and logs the event. Because there are now two copies of the event (one logged in Bob's trail, and one logged in yours), CloudTrail charges each account for a copy of the data event.

1. You upload an object to the S3 bucket.

1. This event occurs in your account and it matches the settings for your trail. Your trail processes and logs the event.

1. Because the event didn't occur in Bob's account, and he doesn't own the S3 bucket, Bob's trail doesn't log the event. CloudTrail charges for only one copy of this data event in your account.

1. A third user, Mary, has access to the S3 bucket, and runs a `GetObject` operation on the bucket. She has a trail configured to log data events on all S3 buckets in her account. Because she is the API caller, CloudTrail logs a data event in her trail. Though Bob has access to the bucket, he is not the resource owner, so no event is logged in his trail this time. As the resource owner, you receive an event in your trail about the `GetObject` operation that Mary called. CloudTrail charges your account and Mary's account for each copy of the data event: one in Mary's trail, and one in yours.
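The following is an added example, not code from the CloudTrail User Guide. It models the two behaviours walked through above: how a trail's advanced event selectors decide whether an S3 data event is logged (bucket plus prefix via `resources.ARN`, and the `readOnly` flag), and the caller/owner rule that decides which accounts' trails receive the event and therefore how many copies are billed. The selector JSON shape follows the `AdvancedEventSelectors` format used by the service; the evaluation rules assumed here are that values in an inclusive condition are ORed, values in an exclusive condition are ANDed, and `resources.ARN` is compared against the resource of the selected `resources.type`. Account IDs, ARNs, events and helper names are constructed for the example.

```python
"""Added example: evaluate CloudTrail-style advanced event selectors against
constructed S3 data events and work out which accounts' trails log each one."""
from __future__ import annotations

INCLUSIVE = {"Equals", "StartsWith", "EndsWith"}
EXCLUSIVE = {"NotEquals", "NotStartsWith", "NotEndsWith"}


def _compare(op: str, actual: str, wanted: str) -> bool:
    """Positive comparison for an operator; the Not* forms are negated by the caller."""
    base = op.removeprefix("Not")
    if base == "Equals":
        return actual == wanted
    if base == "StartsWith":
        return actual.startswith(wanted)
    if base == "EndsWith":
        return actual.endswith(wanted)
    raise ValueError(f"unsupported operator {op}")


def _field_values(event: dict, field: str, resource_type: str | None) -> list[str]:
    """Resolve a selector field to the candidate string values in the record.

    Assumption: resources.ARN is evaluated only against resources whose type
    equals the selector's resources.type (an S3 object event carries both the
    object ARN and the bucket ARN).
    """
    if field == "resources.type":
        return [r["type"] for r in event.get("resources", [])]
    if field == "resources.ARN":
        return [r["ARN"] for r in event.get("resources", [])
                if resource_type is None or r["type"] == resource_type]
    if field == "readOnly":
        return ["true" if event["readOnly"] else "false"]
    value = event
    for part in field.split("."):  # dotted lookup, e.g. userIdentity.arn
        value = value.get(part) if isinstance(value, dict) else None
    return [] if value is None else [str(value)]


def condition_matches(event: dict, cond: dict, resource_type: str | None) -> bool:
    """One FieldSelector entry, e.g. {"Field": "resources.ARN", "StartsWith": [...]}."""
    actual = _field_values(event, cond["Field"], resource_type)
    for op, wanted in cond.items():
        if op == "Field":
            continue
        hits = any(_compare(op, a, w) for a in actual for w in wanted)
        if op in INCLUSIVE and not hits:   # inclusive: any listed value may match (OR)
            return False
        if op in EXCLUSIVE and hits:       # exclusive: no listed value may match (AND)
            return False
    return True


def selector_matches(event: dict, selector: dict) -> bool:
    """Every field selector in one advanced event selector must hold."""
    conds = selector["FieldSelectors"]
    resource_type = next((c["Equals"][0] for c in conds
                          if c["Field"] == "resources.type" and "Equals" in c), None)
    return all(condition_matches(event, c, resource_type) for c in conds)


def trail_logs_event(event: dict, trail: dict, owner_account: str) -> bool:
    """A trail sees an event only if its account is the API caller or owns the resource."""
    in_scope = trail["account"] in (event["userIdentity"]["accountId"], owner_account)
    return in_scope and any(selector_matches(event, s) for s in trail["selectors"])


def accounts_logging(event: dict, owner_account: str, trails: list[dict]) -> list[str]:
    """Accounts whose trails log the event; each entry is one billed copy."""
    return sorted(t["account"] for t in trails if trail_logs_event(event, t, owner_account))


def s3_event(name: str, bucket: str, key: str, caller_account: str, read_only: bool) -> dict:
    """Constructed minimal S3 data event record (sample data, not a real log)."""
    return {
        "eventCategory": "Data", "eventSource": "s3.amazonaws.com", "eventName": name,
        "readOnly": read_only, "userIdentity": {"accountId": caller_account},
        "resources": [{"type": "AWS::S3::Object", "ARN": f"arn:aws:s3:::{bucket}/{key}"},
                      {"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{bucket}"}],
    }


def s3_selector(name: str, bucket: str | None = None, prefix: str = "",
                read_only: bool | None = None) -> dict:
    """Selector for S3 object data events; bucket=None means all buckets.
    The trailing slash keeps 'amzn-s3-demo-bucket' from also matching 'amzn-s3-demo-bucket2'."""
    conds = [{"Field": "eventCategory", "Equals": ["Data"]},
             {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]
    if bucket is not None:
        conds.append({"Field": "resources.ARN", "StartsWith": [f"arn:aws:s3:::{bucket}/{prefix}"]})
    if read_only is not None:
        conds.append({"Field": "readOnly", "Equals": ["true" if read_only else "false"]})
    return {"Name": name, "FieldSelectors": conds}


# Constructed accounts and trails mirroring the walkthroughs above.
OWNER, BOB, MARY = "111111111111", "222222222222", "333333333333"
TRAILS = [
    {"account": OWNER, "selectors": [
        s3_selector("all objects, read+write", "amzn-s3-demo-bucket"),
        s3_selector("write-only my-images", "amzn-s3-demo-bucket3", "my-images", read_only=False)]},
    {"account": BOB, "selectors": [s3_selector("bob: same bucket", "amzn-s3-demo-bucket")]},
    {"account": MARY, "selectors": [s3_selector("mary: all S3 buckets")]},
]

if __name__ == "__main__":
    print(accounts_logging(s3_event("PutObject", "amzn-s3-demo-bucket", "k", BOB, False), OWNER, TRAILS))
```

Running the script with Bob as the uploader returns both the owner's and Bob's accounts, the two billed copies described above; with Mary's `GetObject` it returns the owner and Mary but not Bob, because Bob is neither caller nor owner even though his trail's selector would match.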

## Read-only and write-only events
<a name="read-write-events-data"></a>

When you configure your trail or event data store to log data and management events, you can specify whether you want read-only events, write-only events, or both.
+ **Read**

  **Read** events include API operations that read your resources, but don't make changes. For example, read-only events include the Amazon EC2 `DescribeSecurityGroups` and `DescribeSubnets` API operations. These operations return only information about your Amazon EC2 resources and don't change your configurations. 
+ **Write**

  **Write** events include API operations that modify (or might modify) your resources. For example, the Amazon EC2 `RunInstances` and `TerminateInstances` API operations modify your instances.

**Example: Logging read and write events for separate trails**

The following example shows how you can configure trails to split log activity for an account into separate S3 buckets: one bucket named `amzn-s3-demo-bucket1` receives read-only events and a second bucket named `amzn-s3-demo-bucket2` receives write-only events.

1. You create a trail and choose the S3 bucket named `amzn-s3-demo-bucket1` to receive log files. You then update the trail to specify that you want **Read** management events and data events.

1. You create a second trail and choose the S3 bucket named `amzn-s3-demo-bucket2` to receive log files. You then update the trail to specify that you want **Write** management events and data events.

1. The Amazon EC2 `DescribeInstances` and `TerminateInstances` API operations occur in your account.

1. The `DescribeInstances` API operation is a read-only event and it matches the settings for the first trail. The trail logs and delivers the event to `amzn-s3-demo-bucket1`.

1. The `TerminateInstances` API operation is a write-only event and it matches the settings for the second trail. The trail logs and delivers the event to `amzn-s3-demo-bucket2`.

## Logging data events with the AWS Management Console
<a name="logging-data-events-console"></a>

The following procedures describe how to update an existing event data store or trail to log data events by using the AWS Management Console. For information about how to create an event data store to log data events, see [Create an event data store for CloudTrail events with the console](query-event-data-store-cloudtrail.md). For information about how to create a trail to log data events, see [Creating a trail with the console](cloudtrail-create-a-trail-using-the-console-first-time.md#creating-a-trail-in-the-console). 

For trails, the steps for logging data events differ based on whether you're using advanced event selectors or basic event selectors. You can log data events for all resource types using advanced event selectors, but if you use basic event selectors you're limited to logging data events for Amazon S3 buckets and bucket objects, AWS Lambda functions, and Amazon DynamoDB tables.

### Updating an existing event data store to log data events using the console
<a name="logging-data-events-with-the-cloudtrail-console-eds"></a>

Use the following procedure to update an existing event data store to log data events. For more information about using advanced event selectors, see [Filtering data events by using advanced event selectors](filtering-data-events.md) in this topic.

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1.  From the navigation pane, under **Lake**, choose **Event data stores**. 

1. On the **Event data stores** page, choose the event data store you want to update.
**Note**  
You can only enable data events on event data stores that contain CloudTrail events. You cannot enable data events on CloudTrail event data stores for AWS Config configuration items, CloudTrail Insights events, or non-AWS events.

1. On the details page, in **Data events**, choose **Edit**.

1. If you are not already logging data events, choose the **Data events** check box.

1. For **Resource type**, choose the resource type on which you want to log data events.

1. Choose a log selector template. You can choose a predefined template, or choose **Custom** to define your own event collection conditions.

   You can choose from the following predefined templates:
   + **Log all events** – Choose this template to log all events.
   + **Log only read events** – Choose this template to log only read events. Read-only events are events that do not change the state of a resource, such as `Get*` or `Describe*` events.
   + **Log only write events** – Choose this template to log only write events. Write events add, change, or delete resources, attributes, or artifacts, such as `Put*`, `Delete*`, or `Write*` events.
   + **Log only AWS Management Console events** – Choose this template to log only events originating from the AWS Management Console.
   + **Exclude AWS service initiated events** – Choose this template to exclude AWS service events, which have an `eventType` of `AwsServiceEvent`, and events initiated with AWS service-linked roles (SLRs).

1. (Optional) In **Selector name**, enter a name to identify your selector. The selector name is a descriptive name for an advanced event selector, such as "Log data events for only two S3 buckets". The selector name is listed as `Name` in the advanced event selector and is viewable if you expand the **JSON view**.

1. If you selected **Custom**, in **Advanced event selectors** build an expression based on the values of advanced event selector fields.
**Note**  
Selectors don't support the use of wildcards like `*`. To match multiple values with a single condition, you may use `StartsWith`, `EndsWith`, `NotStartsWith`, or `NotEndsWith` to explicitly match the beginning or end of the event field.

   1. Choose from the following fields.
      + **`readOnly`** - `readOnly` can be set to **equals** a value of `true` or `false`. Read-only data events are events that do not change the state of a resource, such as `Get*` or `Describe*` events. Write events add, change, or delete resources, attributes, or artifacts, such as `Put*`, `Delete*`, or `Write*` events. To log both `read` and `write` events, don't add a `readOnly` selector.
      + **`eventName`** - `eventName` can use any operator. You can use it to include or exclude any data event logged to CloudTrail, such as `PutBucket`, `GetItem`, or `GetSnapshotBlock`.
      + **`eventSource`** – The event source to include or exclude. This field can use any operator.
      + **eventType** – The event type to include or exclude. For example, you can set this field to **not equals** `AwsServiceEvent` to exclude [AWS service events](non-api-aws-service-events.md). For a list of event types, see [`eventType`](cloudtrail-event-reference-record-contents.md#ct-event-type) in [CloudTrail record contents for management, data, and network activity events](cloudtrail-event-reference-record-contents.md).
      + **sessionCredentialFromConsole** – Include or exclude events originating from an AWS Management Console session. This field can be set to **equals** or **not equals** with a value of `true`.
      + **userIdentity.arn** – Include or exclude events for actions taken by specific IAM identities. For more information, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
      + **`resources.ARN`** - You can use any operator with `resources.ARN`, but if you use **equals** or **does not equal**, the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of `resources.type`.
**Note**  
You can't use the `resources.ARN` field to filter resource types that do not have ARNs.

        For more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference*.

   1. For each field, choose **+ Condition** to add as many conditions as you need, up to a maximum of 500 specified values for all conditions. For example, to exclude data events for two S3 buckets from the data events that are logged on your event data store, set the field to **resources.ARN**, set the operator to **does not start with**, and then paste in the ARN of an S3 bucket for which you do not want to log events.

      To add the second S3 bucket, choose **+ Condition**, and then repeat the preceding instruction, pasting in or browsing for the ARN of a different bucket.

      For information about how CloudTrail evaluates multiple conditions, see [How CloudTrail evaluates multiple conditions for a field](filtering-data-events.md#filtering-data-events-conditions).
**Note**  
You can have a maximum of 500 values for all selectors on an event data store. This includes arrays of multiple values for a selector such as `eventName`. If you have single values for all selectors, you can have a maximum of 500 conditions added to a selector.

   1. Choose **+ Field** to add additional fields as required. To avoid errors, do not set conflicting or duplicate values for fields. For example, do not specify an ARN in one selector to be equal to a value, then specify that the ARN not equal the same value in another selector.

1. To add another resource type on which to log data events, choose **Add data event type**. Repeat steps 6 through this step to configure advanced event selectors for another resource type.

1. After you've reviewed and verified your choices, choose **Save changes**.
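The following is an added example, not code from the CloudTrail User Guide; it applies equally to the event data store procedure above and to the trail procedure that follows, which use the same fields and limits. It builds advanced event selectors in the `AdvancedEventSelectors` JSON shape that the console shows under **JSON view** (including the read-only/write-only split from the two-trail example earlier on this page, and the "exclude two S3 buckets" case from the procedure) and checks them before you save: operators allowed per field as listed above, no `*` wildcards, the 500-value cap, one `resources.type` per data event selector, and no value that is both `Equals` and `NotEquals`. Helper names and the sample bucket ARNs are invented, and the cap is counted conservatively, including the mandatory `eventCategory` and `resources.type` values.

```python
"""Added example: build CloudTrail advanced event selectors and validate them
against the console's stated constraints before saving."""
from __future__ import annotations
from typing import Iterable

ALL_OPS = {"Equals", "NotEquals", "StartsWith", "EndsWith", "NotStartsWith", "NotEndsWith"}
# Operators each field accepts, per the field list in the procedure above.
FIELD_OPERATORS: dict[str, set[str]] = {
    "eventCategory": {"Equals"},
    "resources.type": {"Equals"},
    "readOnly": {"Equals"},
    "eventType": {"Equals", "NotEquals"},
    "sessionCredentialFromConsole": {"Equals", "NotEquals"},
    "eventName": ALL_OPS,
    "eventSource": ALL_OPS,
    "userIdentity.arn": ALL_OPS,
    "resources.ARN": ALL_OPS,
}
MAX_VALUES = 500  # cap on values across all selectors of one trail or event data store


def data_selector(name: str, resource_type: str, read_only: bool | None = None,
                  conditions: Iterable[tuple[str, str, list[str]]] = ()) -> dict:
    """One advanced event selector for a data event resource type.

    conditions: (field, operator, values) tuples appended after the mandatory
    eventCategory and resources.type entries that the console template sets.
    """
    fields = [{"Field": "eventCategory", "Equals": ["Data"]},
              {"Field": "resources.type", "Equals": [resource_type]}]
    if read_only is not None:
        fields.append({"Field": "readOnly", "Equals": ["true" if read_only else "false"]})
    for field, op, values in conditions:
        fields.append({"Field": field, op: list(values)})
    return {"Name": name, "FieldSelectors": fields}


def validate(selectors: list[dict]) -> list[str]:
    """Return the problems found in a list of selectors; an empty list means they pass."""
    problems: list[str] = []
    total_values = 0
    equals: dict[str, set[str]] = {}      # field -> values used with Equals
    not_equals: dict[str, set[str]] = {}  # field -> values used with NotEquals
    for sel in selectors:
        name = sel.get("Name", "<unnamed>")
        conds = sel["FieldSelectors"]
        category = next((c.get("Equals", []) for c in conds if c["Field"] == "eventCategory"), [])
        type_conds = [c for c in conds if c["Field"] == "resources.type"]
        if not category:
            problems.append(f"{name}: eventCategory is required")
        elif category == ["Data"]:
            # Exactly one resources.type per data event selector; another type needs its own selector.
            if len(type_conds) != 1 or len(type_conds[0].get("Equals", [])) != 1:
                problems.append(f"{name}: exactly one resources.type with a single value is required")
        elif type_conds:
            problems.append(f"{name}: resources.type applies to data event selectors only")
        for cond in conds:
            field = cond["Field"]
            allowed = FIELD_OPERATORS.get(field)
            if allowed is None:
                problems.append(f"{name}: unsupported field {field}")
                continue
            for op, values in cond.items():
                if op == "Field":
                    continue
                if op not in allowed:
                    problems.append(f"{name}: {field} does not accept operator {op}")
                total_values += len(values)
                for v in values:
                    if "*" in v:
                        problems.append(f"{name}: wildcard in {field} value {v!r}; use StartsWith/EndsWith")
                if field == "readOnly" and not set(values) <= {"true", "false"}:
                    problems.append(f"{name}: readOnly must be 'true' or 'false'")
                if op == "Equals":
                    equals.setdefault(field, set()).update(values)
                elif op == "NotEquals":
                    not_equals.setdefault(field, set()).update(values)
    for field in sorted(equals.keys() & not_equals.keys()):
        for v in sorted(equals[field] & not_equals[field]):
            problems.append(f"conflict: {field} is both Equals and NotEquals {v!r}")
    if total_values > MAX_VALUES:
        problems.append(f"{total_values} values across all selectors exceed the {MAX_VALUES}-value limit")
    return problems


def example_read_write_split() -> dict[str, list[dict]]:
    """Selector sets for the two-trail split: read-only vs write-only, management plus S3 objects."""
    sets = {}
    for label, flag in (("read", True), ("write", False)):
        sets[label] = [
            {"Name": f"{label}-only management", "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Management"]},
                {"Field": "readOnly", "Equals": ["true" if flag else "false"]}]},
            data_selector(f"{label}-only S3 objects", "AWS::S3::Object", read_only=flag),
        ]
    return sets


def example_exclude_two_buckets() -> list[dict]:
    """The 'exclude two S3 buckets' case: both ARNs in one NotStartsWith condition (ANDed)."""
    return [data_selector("Log S3 data events except two buckets", "AWS::S3::Object", conditions=[
        ("resources.ARN", "NotStartsWith",
         ["arn:aws:s3:::amzn-s3-demo-bucket1/", "arn:aws:s3:::amzn-s3-demo-bucket2/"])])]
```

`validate` is a pre-save check only; the service is the final authority on what it accepts, so treat a clean result as "no known problem" rather than proof the selectors will be accepted.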

### Updating an existing trail to log data events with advanced event selectors using the console
<a name="logging-data-events-with-the-cloudtrail-console-adv"></a>

In the AWS Management Console, if your trail is using advanced event selectors, you can choose from predefined templates that log all data events on a selected resource. After you choose a log selector template, you can customize the template to include only the data events you most want to see. For more information about using advanced event selectors, see [Filtering data events by using advanced event selectors](filtering-data-events.md) in this topic.

1. On the **Dashboard** or **Trails** pages of the CloudTrail console, choose the trail you want to update.

1. On the details page, in **Data events**, choose **Edit**.

1. If you are not already logging data events, choose the **Data events** check box.

1. For **Resource type**, choose the resource type on which you want to log data events.

1. Choose a log selector template. You can choose a predefined template, or choose **Custom** to define your own event collection conditions.

   You can choose from the following predefined templates:
   + **Log all events** – Choose this template to log all events.
   + **Log only read events** – Choose this template to log only read events. Read-only events are events that do not change the state of a resource, such as `Get*` or `Describe*` events.
   + **Log only write events** – Choose this template to log only write events. Write events add, change, or delete resources, attributes, or artifacts, such as `Put*`, `Delete*`, or `Write*` events.
   + **Log only AWS Management Console events** – Choose this template to log only events originating from the AWS Management Console.
   + **Exclude AWS service initiated events** – Choose this template to exclude AWS service events, which have an `eventType` of `AwsServiceEvent`, and events initiated with AWS service-linked roles (SLRs).
**Note**  
Choosing a predefined template for S3 buckets enables data event logging for all buckets currently in your AWS account and any buckets you create after you finish creating the trail. It also enables logging of data event activity performed by any user or role in your AWS account, even if that activity is performed on a bucket that belongs to another AWS account.  
If the trail applies only to one Region, choosing a predefined template that logs all S3 buckets enables data event logging for all buckets in the same Region as your trail and any buckets you create later in that Region. It will not log data events for Amazon S3 buckets in other Regions in your AWS account.  
If you are creating a trail for all Regions, choosing a predefined template for Lambda functions enables data event logging for all functions currently in your AWS account, and any Lambda functions you might create in any Region after you finish creating the trail. If you are creating a trail for a single Region (for trails, this can be done only by using the AWS CLI), this selection enables data event logging for all functions currently in that Region in your AWS account, and any Lambda functions you might create in that Region after you finish creating the trail. It does not enable data event logging for Lambda functions created in other Regions.  
Logging data events for all functions also enables logging of data event activity performed by any user or role in your AWS account, even if that activity is performed on a function that belongs to another AWS account.

1. (Optional) In **Selector name**, enter a name to identify your selector. The selector name is a descriptive name for an advanced event selector, such as "Log data events for only two S3 buckets". The selector name is listed as `Name` in the advanced event selector and is viewable if you expand the **JSON view**.

1. If you selected **Custom**, in **Advanced event selectors** build an expression based on the values of advanced event selector fields.
**Note**  
Selectors don't support the use of wildcards like `*`. To match multiple values with a single condition, you may use `StartsWith`, `EndsWith`, `NotStartsWith`, or `NotEndsWith` to explicitly match the beginning or end of the event field.

   1. Choose from the following fields.
      + **`readOnly`** – `readOnly` can be set to **equals** a value of `true` or `false`. Read-only data events are events that do not change the state of a resource, such as `Get*` or `Describe*` events. Write events add, change, or delete resources, attributes, or artifacts, such as `Put*`, `Delete*`, or `Write*` events. To log both `read` and `write` events, don't add a `readOnly` selector.
      + **`eventName`** – `eventName` can use any operator. You can use it to include or exclude any data event logged to CloudTrail, such as `PutBucket`, `GetItem`, or `GetSnapshotBlock`.
      + **`eventSource`** – The event source to include or exclude. This field can use any operator.
      + **`eventType`** – The event type to include or exclude. For example, you can set this field to **not equals** `AwsServiceEvent` to exclude [AWS service events](non-api-aws-service-events.md). For a list of event types, see [`eventType`](cloudtrail-event-reference-record-contents.md#ct-event-type) in [CloudTrail record contents for management, data, and network activity events](cloudtrail-event-reference-record-contents.md).
      + **`sessionCredentialFromConsole`** – Include or exclude events originating from an AWS Management Console session. This field can be set to **equals** or **not equals** with a value of `true`.
      + **`userIdentity.arn`** – Include or exclude events for actions taken by specific IAM identities. For more information, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
      + **`resources.ARN`** – You can use any operator with `resources.ARN`, but if you use **equals** or **does not equal**, the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of `resources.type`.
**Note**  
You can't use the `resources.ARN` field to filter resource types that do not have ARNs.

        For more information about the ARN formats of data event resources, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference*.

   1. For each field, choose **+ Condition** to add as many conditions as you need, up to a maximum of 500 specified values for all conditions. For example, to exclude data events for two S3 buckets from the data events that are logged on your event data store, set the field to **resources.ARN**, set the operator to **does not start with**, and then paste in the ARN of an S3 bucket for which you do not want to log events.

      To add the second S3 bucket, choose **+ Condition**, and then repeat the preceding instruction, pasting in the ARN of, or browsing for, a different bucket.

      For information about how CloudTrail evaluates multiple conditions, see [How CloudTrail evaluates multiple conditions for a field](filtering-data-events.md#filtering-data-events-conditions).
**Note**  
You can have a maximum of 500 values for all selectors on an event data store. This includes arrays of multiple values for a selector such as `eventName`. If you have single values for all selectors, you can have a maximum of 500 conditions added to a selector.

   1. Choose **+ Field** to add additional fields as required. To avoid errors, do not set conflicting or duplicate values for fields. For example, do not specify an ARN in one selector to be equal to a value, then specify that the ARN not equal the same value in another selector.

1. To add another resource type on which to log data events, choose **Add data event type**. Repeat steps 4 through this step to configure advanced event selectors for the resource type.

1. After you've reviewed and verified your choices, choose **Save changes**.

### Update an existing trail to log data events with basic event selectors using the console
<a name="logging-data-events-with-the-cloudtrail-console"></a>

Use the following procedure to update an existing trail to log data events using basic event selectors.

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. Open the **Trails** page of the CloudTrail console and choose the trail name.
**Note**  
While you can edit an existing trail to log data events, as a best practice, consider creating a separate trail specifically for logging data events.

1. For **Data events**, choose **Edit**.

1. For Amazon S3 buckets:

   1. For **Data event source**, choose **S3**.

   1. You can choose to log **All current and future S3 buckets**, or you can specify individual buckets. By default, data events are logged for all current and future S3 buckets.
**Note**  
Keeping the default **All current and future S3 buckets** option enables data event logging for all buckets currently in your AWS account and any buckets you create after you finish creating the trail. It also enables logging of data event activity performed by any user or role in your AWS account, even if that activity is performed on a bucket that belongs to another AWS account.  
If you are creating a trail for a single Region (done by using the AWS CLI), selecting the **Select all S3 buckets in your account** option enables data event logging for all buckets in the same Region as your trail and any buckets you create later in that Region. It will not log data events for Amazon S3 buckets in other Regions in your AWS account.

   1. If you leave the default, **All current and future S3 buckets**, choose to log **Read** events, **Write** events, or both.

   1. To select individual buckets, empty the **Read** and **Write** check boxes for **All current and future S3 buckets**. In **Individual bucket selection**, browse for a bucket on which to log data events. To find specific buckets, type a bucket prefix for the bucket you want. You can select multiple buckets in this window. Choose **Add bucket** to log data events for more buckets. Choose to log **Read** events, such as `GetObject`, **Write** events, such as `PutObject`, or both.

      This setting takes precedence over individual settings you configure for individual buckets. For example, if you specify logging **Read** events for all S3 buckets, and then choose to add a specific bucket for data event logging, **Read** is already selected for the bucket you added. You cannot clear the selection. You can only configure the option for **Write**.

      To remove a bucket from logging, choose **X**.

1. To add another resource type on which to log data events, choose **Add data event type**.

1. For Lambda functions:

   1. For **Data event source**, choose **Lambda**.

   1. In **Lambda function**, choose **All regions** to log all Lambda functions, or **Input function as ARN** to log data events on a specific function.

      To log data events for all Lambda functions in your AWS account, select **Log all current and future functions**. This setting takes precedence over individual settings you configure for individual functions. All functions are logged, even if not all functions are displayed.
**Note**  
If you are creating a trail for all Regions, this selection enables data event logging for all functions currently in your AWS account, and any Lambda functions you might create in any Region after you finish creating the trail. If you are creating a trail for a single Region (done by using the AWS CLI), this selection enables data event logging for all functions currently in that Region in your AWS account, and any Lambda functions you might create in that Region after you finish creating the trail. It does not enable data event logging for Lambda functions created in other Regions.  
Logging data events for all functions also enables logging of data event activity performed by any user or role in your AWS account, even if that activity is performed on a function that belongs to another AWS account.

   1. If you choose **Input function as ARN**, enter the ARN of a Lambda function.
**Note**  
If you have more than 15,000 Lambda functions in your account, you cannot view or select all functions in the CloudTrail console when creating a trail. You can still select the option to log all functions, even if they are not displayed. If you want to log data events for specific functions, you can manually add a function if you know its ARN. You can also finish creating the trail in the console, and then use the AWS CLI and the **put-event-selectors** command to configure data event logging for specific Lambda functions. For more information, see [Managing trails with the AWS CLI](cloudtrail-additional-cli-commands.md).

1. To add another resource type on which to log data events, choose **Add data event type**.

1. For DynamoDB tables:

   1. For **Data event source**, choose **DynamoDB**.

   1. In **DynamoDB table selection**, choose **Browse** to select a table, or paste in the ARN of a DynamoDB table to which you have access. A DynamoDB table ARN uses the following format:

      ```
      arn:partition:dynamodb:region:account_ID:table/table_name
      ```

      To add another table, choose **Add row**, and browse for a table or paste in the ARN of a table to which you have access.

1. Choose **Save changes**.

## Logging data events with the AWS Command Line Interface
<a name="creating-data-event-selectors-with-the-AWS-CLI"></a>

You can configure your trails or event data stores to log data events using the AWS CLI.

**Topics**
+ [Logging data events for trails with the AWS CLI](#logging-data-events-CLI-trail-examples)
+ [Logging data events for event data stores with the AWS CLI](#logging-data-events-CLI-eds-examples)

### Logging data events for trails with the AWS CLI
<a name="logging-data-events-CLI-trail-examples"></a>

You can configure your trails to log management and data events using the AWS CLI.

**Note**  
Be aware that if your account is logging more than one copy of management events, you incur charges. There is always a charge for logging data events. For more information, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).
You can use either advanced event selectors or basic event selectors, but not both. If you apply advanced event selectors to a trail, any existing basic event selectors are overwritten.
If your trail uses basic event selectors, you can only log the following resource types:  
`AWS::DynamoDB::Table`  
`AWS::Lambda::Function`  
`AWS::S3::Object`  
To log additional resource types, you'll need to use advanced event selectors. To convert a trail to advanced event selectors, run the **get-event-selectors** command to confirm the current event selectors, configure advanced event selectors that match the coverage of the previous event selectors, and then add selectors for any resource types for which you want to log data events.  
You can use advanced event selectors to filter based on the value of the [supported advanced event selector fields](filtering-data-events.md), giving you the ability to log only the data events of interest. For more information about configuring these fields, see [https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) in the *AWS CloudTrail API Reference* and [Filtering data events by using advanced event selectors](filtering-data-events.md) in this guide.

To see whether your trail is logging management and data events, run the [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/get-event-selectors.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/get-event-selectors.html) command.

```
aws cloudtrail get-event-selectors --trail-name TrailName
```

The command returns the event selectors for the trail.

**Topics**
+ [Log data events for trails by using advanced event selectors](#creating-data-event-selectors-advanced)
+ [Log all Amazon S3 events for an Amazon S3 bucket by using advanced event selectors](#creating-data-adv-event-selectors-CLI-s3)
+ [Log Amazon S3 on AWS Outposts events by using advanced event selectors](#creating-data-event-selectors-CLI-outposts)
+ [Log events by using basic event selectors](#creating-data-event-selectors-basic)

#### Log data events for trails by using advanced event selectors
<a name="creating-data-event-selectors-advanced"></a>

**Note**  
If you apply advanced event selectors to a trail, any existing basic event selectors are overwritten. Before configuring advanced event selectors, run the **get-event-selectors** command to confirm the current event selectors, and then configure the advanced event selectors to match the coverage of the previous event selectors, then add selectors for any additional data events you want to log.

The following example creates custom advanced event selectors for a trail named *TrailName* to include read and write management events (by omitting the `readOnly` selector), `PutObject` and `DeleteObject` data events for all Amazon S3 bucket/prefix combinations except for a bucket named `amzn-s3-demo-bucket` and data events for an AWS Lambda function named `MyLambdaFunction`. Because these are custom advanced event selectors, each set of selectors has a descriptive name. Note that a trailing slash is part of the ARN value for S3 buckets.

```
aws cloudtrail put-event-selectors --trail-name TrailName --advanced-event-selectors \
'[
  {
    "Name": "Log readOnly and writeOnly management events",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Management"] }
    ]
  },
  {
    "Name": "Log PutObject and DeleteObject events for all but one bucket",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Data"] },
      { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
      { "Field": "eventName", "Equals": ["PutObject","DeleteObject"] },
      { "Field": "resources.ARN", "NotStartsWith": ["arn:aws:s3:::amzn-s3-demo-bucket/"] }
    ]
  },
  {
    "Name": "Log data plane actions on MyLambdaFunction",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Data"] },
      { "Field": "resources.type", "Equals": ["AWS::Lambda::Function"] },
      { "Field": "resources.ARN", "Equals": ["arn:aws:lambda:us-east-2:111122223333:function/MyLambdaFunction"] }
    ]
  }
]'
```

The example returns the advanced event selectors that are configured for the trail.

```
{
  "AdvancedEventSelectors": [
    {
      "Name": "Log readOnly and writeOnly management events",
      "FieldSelectors": [
        {
          "Field": "eventCategory",
          "Equals": [ "Management" ]
        }
      ]
    },
    {
      "Name": "Log PutObject and DeleteObject events for all but one bucket",
      "FieldSelectors": [
        {
          "Field": "eventCategory",
          "Equals": [ "Data" ]
        },
        {
          "Field": "resources.type",
          "Equals": [ "AWS::S3::Object" ]
        },
        {
          "Field": "eventName",
          "Equals": [ "PutObject", "DeleteObject" ]
        },
        {
          "Field": "resources.ARN",
          "NotStartsWith": [ "arn:aws:s3:::amzn-s3-demo-bucket/" ]
        }
      ]
    },
    {
      "Name": "Log data plane actions on MyLambdaFunction",
      "FieldSelectors": [
        {
          "Field": "eventCategory",
          "Equals": [ "Data" ]
        },
        {
          "Field": "resources.type",
          "Equals": [ "AWS::Lambda::Function" ]
        },
        {
          "Field": "resources.ARN",
          "Equals": [ "arn:aws:lambda:us-east-2:111122223333:function/MyLambdaFunction" ]
        }
      ]
    }
  ],
  "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName"
}
```

#### Log all Amazon S3 events for an Amazon S3 bucket by using advanced event selectors
<a name="creating-data-adv-event-selectors-CLI-s3"></a>

**Note**  
If you apply advanced event selectors to a trail, any existing basic event selectors are overwritten.

The following example shows how to configure your trail to include all data events for all Amazon S3 objects in a specific S3 bucket. The value for S3 events for the `resources.type` field is `AWS::S3::Object`. Because the ARN values for S3 objects and S3 buckets are slightly different, you must add the `StartsWith` operator for `resources.ARN` to capture all events.

```
aws cloudtrail put-event-selectors --trail-name TrailName --region region \
--advanced-event-selectors \
'[
    {
        "Name": "S3EventSelector",
        "FieldSelectors": [
            { "Field": "eventCategory", "Equals": ["Data"] },
            { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
            { "Field": "resources.ARN", "StartsWith": ["arn:partition:s3:::amzn-s3-demo-bucket/"] }
        ]
    }
]'
```

The command returns the following example output.

```
{
    "TrailARN": "arn:aws:cloudtrail:region:account_ID:trail/TrailName",
    "AdvancedEventSelectors": [
        {
            "Name": "S3EventSelector",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Data"
                    ]
                },
                {
                    "Field": "resources.type",
                    "Equals": [
                        "AWS::S3::Object"
                    ]
                },
                {
                    "Field": "resources.ARN",
                    "StartsWith": [
                        "arn:partition:s3:::amzn-s3-demo-bucket/"
                    ]
                }
            ]
        }
    ]
}
```

#### Log Amazon S3 on AWS Outposts events by using advanced event selectors
<a name="creating-data-event-selectors-CLI-outposts"></a>

**Note**  
If you apply advanced event selectors to a trail, any existing basic event selectors are overwritten.

The following example shows how to configure your trail to include all data events for all Amazon S3 on Outposts objects in your outpost.

```
aws cloudtrail put-event-selectors --trail-name TrailName --region region \
--advanced-event-selectors \
'[
    {
        "Name": "OutpostsEventSelector",
        "FieldSelectors": [
            { "Field": "eventCategory", "Equals": ["Data"] },
            { "Field": "resources.type", "Equals": ["AWS::S3Outposts::Object"] }
        ]
    }
]'
```

The command returns the following example output.

```
{
    "TrailARN": "arn:aws:cloudtrail:region:account_ID:trail/TrailName",
    "AdvancedEventSelectors": [
        {
            "Name": "OutpostsEventSelector",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Data"
                    ]
                },
                {
                    "Field": "resources.type",
                    "Equals": [
                        "AWS::S3Outposts::Object"
                    ]
                }
            ]
        }
    ]
}
```

#### Log events by using basic event selectors
<a name="creating-data-event-selectors-basic"></a>

The following is an example result of the **get-event-selectors** command showing basic event selectors. By default, when you create a trail by using the AWS CLI, a trail logs all management events. By default, trails do not log data events.

```
{
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName",
    "EventSelectors": [
        {
            "IncludeManagementEvents": true,
            "DataResources": [],
            "ReadWriteType": "All"
        }
    ]
}
```

To configure your trail to log management and data events, run the [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/put-event-selectors.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/put-event-selectors.html) command.

The following example shows how to use basic event selectors to configure your trail to include all management and data events for the S3 objects in two S3 bucket prefixes. You can specify from 1 to 5 event selectors for a trail. You can specify from 1 to 250 data resources for a trail.

**Note**  
The maximum number of S3 data resources is 250, if you choose to limit data events by using basic event selectors.

```
aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::amzn-s3-demo-bucket1/prefix", "arn:aws:s3:::amzn-s3-demo-bucket2/prefix2"] }] }]'
```

The command returns the event selectors that are configured for the trail.

```
{
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName",
    "EventSelectors": [
        {
            "IncludeManagementEvents": true,
            "DataResources": [
                {
                    "Values": [
                        "arn:aws:s3:::amzn-s3-demo-bucket1/prefix",
                        "arn:aws:s3:::amzn-s3-demo-bucket2/prefix2"
                    ],
                    "Type": "AWS::S3::Object"
                }
            ],
            "ReadWriteType": "All"
        }
    ]
}
```
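
The Note earlier in this section says to convert a trail from basic to advanced event selectors by reading the current selectors with **get-event-selectors** and reproducing their coverage. The following Python, added here and not part of the CloudTrail documentation or tooling, performs that translation on the **get-event-selectors** output shown above and renders the **put-event-selectors** call that applies it; the `ARN_OPERATOR` and `ALL_OF_TYPE` mappings and the generated selector names are assumptions, so compare the result with the coverage you intend before running the command.

```python
"""Translate CloudTrail basic event selectors into advanced event selectors (added example)."""
import json
from typing import Any

# The three resource types a basic event selector can log (from the Note above).
# The operator reproduces basic-selector matching: S3 object values are bucket/prefix
# prefixes, while Lambda function and DynamoDB table values name one resource exactly.
# Assumption: verify against get-event-selectors output for your own trail.
ARN_OPERATOR = {
    "AWS::S3::Object": "StartsWith",
    "AWS::Lambda::Function": "Equals",
    "AWS::DynamoDB::Table": "Equals",
}

# Shorthand values a basic selector uses for "every resource of this type".
# Assumption: mirrors the put-event-selectors shorthand for basic selectors.
ALL_OF_TYPE = {"arn:aws:s3", "arn:aws:s3:::", "arn:aws:lambda", "arn:aws:dynamodb"}

# Constructed sample: the basic selectors from the get-event-selectors output above.
SAMPLE_BASIC = {
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName",
    "EventSelectors": [
        {
            "IncludeManagementEvents": True,
            "DataResources": [
                {
                    "Values": [
                        "arn:aws:s3:::amzn-s3-demo-bucket1/prefix",
                        "arn:aws:s3:::amzn-s3-demo-bucket2/prefix2",
                    ],
                    "Type": "AWS::S3::Object",
                }
            ],
            "ReadWriteType": "All",
        }
    ],
}


def read_only_fields(read_write_type: str) -> list[dict[str, Any]]:
    """ReadWriteType becomes an optional readOnly field; "All" omits it (both are logged)."""
    if read_write_type == "ReadOnly":
        return [{"Field": "readOnly", "Equals": ["true"]}]
    if read_write_type == "WriteOnly":
        return [{"Field": "readOnly", "Equals": ["false"]}]
    return []


def convert_basic_to_advanced(basic: dict[str, Any]) -> list[dict[str, Any]]:
    """Build advanced event selectors with the same coverage as the basic ones."""
    advanced: list[dict[str, Any]] = []
    for i, selector in enumerate(basic.get("EventSelectors", [])):
        rw = selector.get("ReadWriteType", "All")
        if selector.get("IncludeManagementEvents"):
            advanced.append({
                "Name": f"Management events (basic selector {i})",
                "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]
                + read_only_fields(rw),
            })
        for resource in selector.get("DataResources", []):
            rtype = resource["Type"]
            if rtype not in ARN_OPERATOR:
                raise ValueError(f"{rtype} cannot appear in a basic event selector")
            fields = [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": [rtype]},
            ] + read_only_fields(rw)
            values = resource.get("Values", [])
            # A shorthand value already covers every resource of the type: no ARN filter.
            if values and not ALL_OF_TYPE.intersection(values):
                fields.append({"Field": "resources.ARN", ARN_OPERATOR[rtype]: values})
            advanced.append({
                "Name": f"{rtype} data events (basic selector {i})",
                "FieldSelectors": fields,
            })
    return advanced


def put_event_selectors_command(trail_name: str, advanced: list[dict[str, Any]]) -> str:
    """Render the aws cloudtrail put-event-selectors call that applies the result."""
    body = json.dumps(advanced)
    if "'" in body:
        raise ValueError("a single quote in the selector JSON would break shell quoting")
    return (f"aws cloudtrail put-event-selectors --trail-name {trail_name} "
            f"--advanced-event-selectors '{body}'")


if __name__ == "__main__":
    print(put_event_selectors_command("TrailName", convert_basic_to_advanced(SAMPLE_BASIC)))
```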

### Logging data events for event data stores with the AWS CLI
<a name="logging-data-events-CLI-eds-examples"></a>

You can configure your event data stores to include data events using the AWS CLI. Use the [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-event-data-store.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-event-data-store.html) command to create a new event data store to log data events. Use the [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-event-data-store.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-event-data-store.html) command to update the advanced event selectors for an existing event data store.

You configure advanced event selectors to log data events on an event data store. For a list of supported fields, see [Filtering data events by using advanced event selectors](filtering-data-events.md).

To see whether your event data store includes data events, run the [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/get-event-data-store.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/get-event-data-store.html) command. 

```
aws cloudtrail get-event-data-store --event-data-store EventDataStoreARN
```

The command returns the settings for the event data store.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE492-301f-4053-ac5e-EXAMPLE6441aa",
    "Name": "ebs-data-events",
    "Status": "ENABLED",
    "AdvancedEventSelectors": [
        {
            "Name": "Log all EBS direct APIs on EBS snapshots",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Data"
                    ]
                },
                {
                    "Field": "resources.type",
                    "Equals": [
                        "AWS::EC2::Snapshot"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "EXTENDABLE_RETENTION_PRICING",
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2023-11-04T15:57:33.701000+00:00",
    "UpdatedTimestamp": "2023-11-20T20:37:34.228000+00:00"
}
```

**Topics**
+ [Include all Amazon S3 events for a specific bucket](#creating-data-adv-event-selectors-CLI-s3-eds)
+ [Include Amazon S3 on AWS Outposts events](#creating-data-event-selectors-CLI-outposts-eds)

#### Include all Amazon S3 events for a specific bucket
<a name="creating-data-adv-event-selectors-CLI-s3-eds"></a>

The following example shows how to create an event data store to include all data events for all Amazon S3 objects in a specific general purpose S3 bucket and exclude AWS service events and events generated by the `bucket-scanner-role` `userIdentity`. The value for S3 events for the `resources.type` field is `AWS::S3::Object`. Because the ARN values for S3 objects and S3 buckets are slightly different, you must add the `StartsWith` operator for `resources.ARN` to capture all events.

```
aws cloudtrail create-event-data-store --name "EventDataStoreName" --multi-region-enabled \
--advanced-event-selectors \
'[
    {
        "Name": "S3EventSelector",
        "FieldSelectors": [
            { "Field": "eventCategory", "Equals": ["Data"] },
            { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
            { "Field": "resources.ARN", "StartsWith": ["arn:partition:s3:::amzn-s3-demo-bucket/"] },
            { "Field": "userIdentity.arn", "NotStartsWith": ["arn:aws:sts::123456789012:assumed-role/bucket-scanner-role"]},
            { "Field": "eventType","NotEquals": ["AwsServiceEvent"]}
        ]
    }
]'
```

The command returns the following example output.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE492-301f-4053-ac5e-EXAMPLE441aa",
    "Name": "EventDataStoreName",
    "Status": "ENABLED",
    "AdvancedEventSelectors": [
        {
            "Name": "S3EventSelector",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Data"
                    ]
                },
                {
                    "Field": "resources.ARN",
                    "StartsWith": [
                        "arn:partition:s3:::amzn-s3-demo-bucket/"
                    ]
                },
                {
                    "Field": "resources.type",
                    "Equals": [
                        "AWS::S3::Object"
                    ]
                },
                { 
                    "Field": "userIdentity.arn", 
                    "NotStartsWith": [
                        "arn:aws:sts::123456789012:assumed-role/bucket-scanner-role"
                     ]
                },
                { 
                    "Field": "eventType",
                    "NotEquals": [
                        "AwsServiceEvent"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "EXTENDABLE_RETENTION_PRICING",
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2024-11-04T15:57:33.701000+00:00",
    "UpdatedTimestamp": "2024-11-20T20:49:21.766000+00:00"
}
```

#### Include Amazon S3 on AWS Outposts events
<a name="creating-data-event-selectors-CLI-outposts-eds"></a>

The following example shows how to create an event data store that includes all data events for all Amazon S3 on Outposts objects in your outpost.

```
aws cloudtrail create-event-data-store --name EventDataStoreName \
--advanced-event-selectors \
'[
    {
        "Name": "OutpostsEventSelector",
        "FieldSelectors": [
            { "Field": "eventCategory", "Equals": ["Data"] },
            { "Field": "resources.type", "Equals": ["AWS::S3Outposts::Object"] }
        ]
    }
]'
```

The command returns the following example output.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEb4a8-99b1-4ec2-9258-EXAMPLEc890",
    "Name": "EventDataStoreName",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "OutpostsEventSelector",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Data"
                    ]
                },
                {
                    "Field": "resources.type",
                    "Equals": [
                        "AWS::S3Outposts::Object"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "EXTENDABLE_RETENTION_PRICING",
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2023-02-20T21:00:17.673000+00:00",
    "UpdatedTimestamp": "2023-02-20T21:00:17.820000+00:00"
}
```

# Filtering data events by using advanced event selectors
<a name="filtering-data-events"></a>

This section describes how you can use advanced event selectors to create fine-grained selectors for logging data events, which can help you control costs by only logging the specific data events of interest.

For example:
+ You can include or exclude specific API calls by adding a filter on the `eventName` field.
+ You can include or exclude logging for specific resources by adding a filter on the `resources.ARN` field. For example, if you were logging S3 data events, you could exclude logging for the S3 bucket for your trail.
+ You can choose to log only write-only events or read-only events by adding a filter on the `readOnly` field.

The following table describes the supported fields for filtering data events. For a list of supported fields for each CloudTrail event type, see [AdvancedEventSelector](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedEventSelector.html) in the *AWS CloudTrail API Reference*.


| Field | Required | Valid operators | Description | 
| --- | --- | --- | --- | 
|  **`eventCategory`**  |  Yes  |  `Equals`  |  This field is set to `Data` to log data events.  | 
|  **`resources.type`**  |  Yes  |  `Equals`  |  This field is used to select the resource type for which you want to log data events. The [Data events](logging-data-events-with-cloudtrail.md#logging-data-events) table shows the possible values.  | 
|  **`readOnly`**  |  No  |  `Equals`  |  This is an optional field used to include or exclude data events based on the `readOnly` value. A value of `true` logs only read events. A value of `false` logs only write events. If you do not add this field, CloudTrail logs both read and write events.  | 
|  **`eventName`**  |  No  |  `EndsWith`, `Equals`, `NotEndsWith`, `NotEquals`, `NotStartsWith`, `StartsWith`  |  This is an optional field used to filter in or filter out any data event logged to CloudTrail, such as `PutBucket` or `GetSnapshotBlock`. If you're using the AWS CLI, you can specify multiple values by separating each value with a comma. If you're using the console, you can specify multiple values by creating a condition for each `eventName` you want to filter on.  | 
|  **`resources.ARN`**  |  No  |  `EndsWith`, `Equals`, `NotEndsWith`, `NotEquals`, `NotStartsWith`, `StartsWith`  |  This is an optional field used to exclude or include data events for a specific resource by providing the `resources.ARN`. You can use any operator with `resources.ARN`, but if you use `Equals` or `NotEquals`, the value must exactly match the ARN of a valid resource for the `resources.type` you've specified. To log all data events for all objects in a specific S3 bucket, use the `StartsWith` operator, and include only the bucket ARN as the matching value. If you're using the AWS CLI, you can specify multiple values by separating each value with a comma. If you're using the console, you can specify multiple values by creating a condition for each `resources.ARN` you want to filter on.  | 
|  **`eventSource`**  |  No  |  `EndsWith`, `Equals`, `NotEndsWith`, `NotEquals`, `NotStartsWith`, `StartsWith`  |  You can use it to include or exclude specific event sources. The `eventSource` is typically a short form of the service name without spaces plus `.amazonaws.com`. For example, you could set `eventSource` `Equals` to `ec2.amazonaws.com` to log only Amazon EC2 data events.  | 
|  **`eventType`**  |  No  |  `EndsWith`, `Equals`, `NotEndsWith`, `NotEquals`, `NotStartsWith`, `StartsWith`  |  The [eventType](cloudtrail-event-reference-record-contents.md#ct-event-type) to include or exclude. For example, you can set this field to `NotEquals` `AwsServiceEvent` to exclude [AWS service events](non-api-aws-service-events.md).  | 
|  **`sessionCredentialFromConsole`**  |  No  |  `Equals`, `NotEquals`  |  Include or exclude events originating from an AWS Management Console session. This field can be set to `Equals` or `NotEquals` with a value of `true`.  | 
|  **`userIdentity.arn`**  |  No  |  `EndsWith`, `Equals`, `NotEndsWith`, `NotEquals`, `NotStartsWith`, `StartsWith`  |  Include or exclude events for actions taken by specific IAM identities. For more information, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).  | 
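
As an added example (not from the CloudTrail documentation or any AWS tool), the following Python applies the operators in the table above to sample records, using the three-selector set from the **put-event-selectors** example earlier on this page, so you can see what a selector set keeps and drops before applying it; it also shows why the trailing slash in the excluded bucket ARN matters. The record-field mapping in `candidates`, the multi-value evaluation rule stated in the comments, and the sample records are assumptions and constructed data.

```python
"""Offline check of which advanced event selectors would log a CloudTrail record (added example)."""
import json
from typing import Any

# Operators from the table above. Assumption about multi-value evaluation: an include
# operator holds when ANY listed value matches; an exclude operator holds only when NONE
# of the listed values matches. Fields in one selector are ANDed; selectors are ORed.
INCLUDE_OPS = {
    "Equals": lambda actual, want: actual == want,
    "StartsWith": lambda actual, want: actual.startswith(want),
    "EndsWith": lambda actual, want: actual.endswith(want),
}
EXCLUDE_OPS = {
    "NotEquals": INCLUDE_OPS["Equals"],
    "NotStartsWith": INCLUDE_OPS["StartsWith"],
    "NotEndsWith": INCLUDE_OPS["EndsWith"],
}

# The trail selectors from the put-event-selectors example earlier on this page.
PAGE_SELECTORS = json.loads('''[
  {"Name": "Log readOnly and writeOnly management events",
   "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
  {"Name": "Log PutObject and DeleteObject events for all but one bucket",
   "FieldSelectors": [
     {"Field": "eventCategory", "Equals": ["Data"]},
     {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
     {"Field": "eventName", "Equals": ["PutObject", "DeleteObject"]},
     {"Field": "resources.ARN", "NotStartsWith": ["arn:aws:s3:::amzn-s3-demo-bucket/"]}]},
  {"Name": "Log data plane actions on MyLambdaFunction",
   "FieldSelectors": [
     {"Field": "eventCategory", "Equals": ["Data"]},
     {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]},
     {"Field": "resources.ARN",
      "Equals": ["arn:aws:lambda:us-east-2:111122223333:function/MyLambdaFunction"]}]}
]''')


def candidates(event: dict[str, Any], field: str, selected_types: list[str]) -> list[str]:
    """Record values a selector field is compared against (a list: resources can repeat)."""
    if field == "readOnly":
        return ["true" if event.get("readOnly") else "false"]
    if field == "userIdentity.arn":
        return [event.get("userIdentity", {}).get("arn", "")]
    if field in ("resources.type", "resources.ARN"):
        # An S3 object record carries both an Object and a Bucket resource; resources.ARN
        # is compared only against resources of the type the same selector names.
        wanted = [r for r in event.get("resources", [])
                  if field == "resources.type" or not selected_types
                  or r.get("type") in selected_types]
        return [r.get("type" if field == "resources.type" else "ARN", "") for r in wanted]
    return [str(event.get(field, ""))]


def field_matches(event: dict[str, Any], field_selector: dict[str, Any],
                  selected_types: list[str]) -> bool:
    """One FieldSelector entry: every operator it carries must hold."""
    actual = candidates(event, field_selector["Field"], selected_types)
    for op, values in field_selector.items():
        if op == "Field":
            continue
        if op in INCLUDE_OPS:
            if not any(INCLUDE_OPS[op](a, v) for a in actual for v in values):
                return False
        elif op in EXCLUDE_OPS:
            if any(EXCLUDE_OPS[op](a, v) for a in actual for v in values):
                return False
        else:
            raise ValueError(f"unsupported operator: {op}")
    return True


def selector_matches(event: dict[str, Any], selector: dict[str, Any]) -> bool:
    """Every field selector in one advanced event selector must hold."""
    types = [v for fs in selector["FieldSelectors"]
             if fs["Field"] == "resources.type" for v in fs.get("Equals", [])]
    return all(field_matches(event, fs, types) for fs in selector["FieldSelectors"])


def matching_selectors(event: dict[str, Any], selectors: list[dict[str, Any]]) -> list[str]:
    """Names of selectors that log the event; an empty list means the event is not logged."""
    return [s["Name"] for s in selectors if selector_matches(event, s)]


def s3_object_event(event_name: str, bucket: str, key: str, read_only: bool) -> dict[str, Any]:
    """Constructed minimal S3 data event record with only the fields selectors inspect."""
    return {"eventCategory": "Data", "eventSource": "s3.amazonaws.com",
            "eventName": event_name, "eventType": "AwsApiCall", "readOnly": read_only,
            "resources": [{"type": "AWS::S3::Object", "ARN": f"arn:aws:s3:::{bucket}/{key}"},
                          {"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{bucket}"}]}


def lambda_invoke_event(function_arn: str) -> dict[str, Any]:
    """Constructed minimal Lambda Invoke data event record."""
    return {"eventCategory": "Data", "eventSource": "lambda.amazonaws.com",
            "eventName": "Invoke", "eventType": "AwsApiCall", "readOnly": False,
            "resources": [{"type": "AWS::Lambda::Function", "ARN": function_arn}]}


if __name__ == "__main__":
    for e in (s3_object_event("PutObject", "amzn-s3-demo-bucket", "a.txt", False),
              s3_object_event("PutObject", "amzn-s3-demo-bucket2", "a.txt", False),
              lambda_invoke_event("arn:aws:lambda:us-east-2:111122223333:function/Other")):
        print(e["eventName"], e["resources"][0]["ARN"], "->", matching_selectors(e, PAGE_SELECTORS))
```

Note that `amzn-s3-demo-bucket2` is kept because its object ARNs do not start with `arn:aws:s3:::amzn-s3-demo-bucket/`; dropping the trailing slash from the exclusion would silently exclude every bucket whose name shares that prefix.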

To log data events using the CloudTrail console, you choose the **Data events** option and then select the **Resource type** of interest when you are creating or updating a trail or event data store. The [Data events](logging-data-events-with-cloudtrail.md#logging-data-events) table shows the possible resource types you can choose on the CloudTrail console.

![\[Selection of the SNS topic resource type on the console.\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cloudtrail-data-event-type.png)


To log data events with the AWS CLI, configure the `--advanced-event-selectors` parameter to set the `eventCategory` equal to `Data` and the `resources.type` value equal to the resource type value for which you want to log data events. The [Data events](logging-data-events-with-cloudtrail.md#logging-data-events) table lists the available resource types.

For example, if you wanted to log data events for all Cognito Identity pools, you’d configure the `--advanced-event-selectors` parameter to look like this:

```
--advanced-event-selectors '[
    {
       "Name": "Log Cognito data events on Identity pools",
       "FieldSelectors": [
         { "Field": "eventCategory", "Equals": ["Data"] },
         { "Field": "resources.type", "Equals": ["AWS::Cognito::IdentityPool"] }
       ]
     }
]'
```

The preceding example logs all Cognito data events on Identity pools. You can further refine the advanced event selectors to filter on the `eventName`, `readOnly`, and `resources.ARN` fields to log specific events of interest or exclude events that aren’t of interest.

You can configure advanced event selectors to filter data events based on multiple fields. For example, you can configure advanced event selectors to log all Amazon S3 `PutObject` and `DeleteObject` API calls but exclude event logging for a specific S3 bucket as shown in the following example. Replace *amzn-s3-demo-bucket* with the name of your bucket.

```
--advanced-event-selectors
'[
  {
    "Name": "Log PutObject and DeleteObject events for all but one bucket",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Data"] },
      { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
      { "Field": "eventName", "Equals": ["PutObject","DeleteObject"] },
      { "Field": "resources.ARN", "NotStartsWith": ["arn:aws:s3:::amzn-s3-demo-bucket/"] }
    ]
  }
]'
```

You can also include multiple conditions for a field. For information on how multiple conditions are evaluated, see [How CloudTrail evaluates multiple conditions for a field](#filtering-data-events-conditions).

You can use advanced event selectors to log both management and data events. To log data events for multiple resource types, add a field selector statement for each resource type that you want to log data events for.

**Note**  
Trails can use either basic event selectors or advanced event selectors, but not both. If you apply advanced event selectors to a trail, any existing basic event selectors are overwritten.  
Selectors don't support the use of wildcards such as `*`. To match multiple values with a single condition, use `StartsWith`, `EndsWith`, `NotStartsWith`, or `NotEndsWith` to explicitly match the beginning or end of the event field.

**Topics**
+ [How CloudTrail evaluates multiple conditions for a field](#filtering-data-events-conditions)
+ [AWS CLI examples for filtering data events](#filtering-data-events-examples)

## How CloudTrail evaluates multiple conditions for a field
<a name="filtering-data-events-conditions"></a>

For advanced event selectors, CloudTrail evaluates multiple conditions for a field as follows:
+ DESELECT operators are AND'd together. If the field value matches any of the DESELECT values (for example, it starts with a `NotStartsWith` value), the event is not delivered. These are the valid DESELECT operators for advanced event selectors:
  + `NotEndsWith`
  + `NotEquals`
  + `NotStartsWith`
+ SELECT operators are OR'd together. The field is satisfied if the field value matches at least one of the SELECT values. These are the valid SELECT operators for advanced event selectors:
  + `EndsWith`
  + `Equals`
  + `StartsWith`
+ Combinations of SELECT and DESELECT operators follow the above rules, and both groups are AND'd together: the event is delivered only if no DESELECT value matches and at least one SELECT value matches.

### Example showing multiple conditions for the `resources.ARN` field
<a name="filtering-data-events-conditions-ex"></a>

The following example event selector statement collects data events for the `AWS::S3::Object` resource type and applies multiple conditions on the `resources.ARN` field.

```
{
    "Name": "S3Select",
    "FieldSelectors": [
      {
        "Field": "eventCategory",
        "Equals": [
          "Data"
        ]
      },
      {
        "Field": "resources.type",
        "Equals": [
          "AWS::S3::Object"
        ]
      },
      {
        "Field": "resources.ARN",
        "Equals": [
          "arn:aws:s3:::amzn-s3-demo-bucket/object1"
        ],
        "StartsWith": [
          "arn:aws:s3:::amzn-s3-demo-bucket/"
        ],
        "EndsWith": [
          "object3"
        ],
        "NotStartsWith": [
          "arn:aws:s3:::amzn-s3-demo-bucket/deselect"
        ],
        "NotEndsWith": [
          "object5"
        ],
        "NotEquals": [
          "arn:aws:s3:::amzn-s3-demo-bucket/object6"
        ]
      }
    ]
  }
```

In the preceding example, Amazon S3 data events for the `AWS::S3::Object` resource will be delivered if: 

1. None of these DESELECT operator conditions are met:
   + the `resources.ARN` field `NotStartsWith` the value `arn:aws:s3:::amzn-s3-demo-bucket/deselect`
   + the `resources.ARN` field `NotEndsWith` the value `object5`
   + the `resources.ARN` field `NotEquals` the value `arn:aws:s3:::amzn-s3-demo-bucket/object6`

1. At least one of these SELECT operator conditions is met: 
   + the `resources.ARN` field `Equals` the value `arn:aws:s3:::amzn-s3-demo-bucket/object1`
   + the `resources.ARN` field `StartsWith` the value `arn:aws:s3:::amzn-s3-demo-bucket/`
   + the `resources.ARN` field `EndsWith` the value `object3`

Based on the evaluation logic:

1. Data events for `amzn-s3-demo-bucket/object1` will be delivered because it matches the value for the `Equals` operator and doesn’t match any of the values for the `NotStartsWith`, `NotEndsWith`, and `NotEquals` operators.

1. Data events for `amzn-s3-demo-bucket/object2` will be delivered because it matches the value for the `StartsWith` operator and doesn’t match any of the values for the `NotStartsWith`, `NotEndsWith`, and `NotEquals` operators.

1. Data events for `amzn-s3-demo-bucket1/object3` will be delivered because it matches the value for the `EndsWith` operator and doesn’t match any of the values for the `NotStartsWith`, `NotEndsWith`, and `NotEquals` operators.

1. Data events for `arn:aws:s3:::amzn-s3-demo-bucket/deselectObject4` will not be delivered because it matches the condition for the `NotStartsWith` operator, even though it also matches the condition for the `StartsWith` operator.

1. Data events for `arn:aws:s3:::amzn-s3-demo-bucket/object5` will not be delivered because it matches the condition for the `NotEndsWith` operator, even though it also matches the condition for the `StartsWith` operator.

1. Data events for `arn:aws:s3:::amzn-s3-demo-bucket/object6` will not be delivered because it matches the condition for the `NotEquals` operator, even though it also matches the condition for the `StartsWith` operator.
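The evaluation rules above, applied in code. This is an added Python example, not part of the CloudTrail documentation or of any AWS library: it replays the `S3Select` statement against constructed sample records for the six ARNs just listed, and additionally handles a field that carries only DESELECT operators. It assumes that a single entry of a record's `resources` array must satisfy both `resources.type` and `resources.ARN`, and that an event is delivered when any selector statement matches it.

```python
"""Evaluate CloudTrail advanced event selectors with the rules this page gives:
per field, SELECT operators are OR'd, DESELECT operators are AND'd, and the two
groups are AND'd; every field selector in a statement must match; an event is
delivered if any selector statement matches it."""

# Each operator's string test; a Not* operator uses the same test but rejects on a hit.
_TEST = {
    "Equals": str.__eq__, "NotEquals": str.__eq__,
    "StartsWith": str.startswith, "NotStartsWith": str.startswith,
    "EndsWith": str.endswith, "NotEndsWith": str.endswith,
}
SELECT_OPS = ("Equals", "StartsWith", "EndsWith")
DESELECT_OPS = ("NotEquals", "NotStartsWith", "NotEndsWith")


def field_matches(field_selector, actual):
    """Apply the per-field SELECT/DESELECT rules to one field value."""
    # DESELECT: a hit on any Not* value rejects the event outright.
    for op in DESELECT_OPS:
        if any(_TEST[op](actual, v) for v in field_selector.get(op, [])):
            return False
    # SELECT: at least one positive value must match, if any are given.
    selects = [(op, v) for op in SELECT_OPS for v in field_selector.get(op, [])]
    return not selects or any(_TEST[op](actual, v) for op, v in selects)


def _event_value(event, field):
    """Look up a dotted field such as userIdentity.arn; booleans become 'true'/'false'."""
    value = event
    for part in field.split("."):
        value = value.get(part, "") if isinstance(value, dict) else ""
    return ("true" if value else "false") if isinstance(value, bool) else str(value)


def statement_matches(statement, event):
    """All field selectors of one statement must match (AND)."""
    resource_fields = {}  # "type" / "ARN" -> its field selector
    for fs in statement["FieldSelectors"]:
        field = fs["Field"]
        if field.startswith("resources."):
            resource_fields[field.split(".", 1)[1]] = fs
        elif not field_matches(fs, _event_value(event, field)):
            return False
    if not resource_fields:
        return True
    # Assumption: one entry of the record's `resources` array must satisfy
    # both resources.type and resources.ARN at the same time.
    return any(all(field_matches(fs, res.get(key, "")) for key, fs in resource_fields.items())
               for res in event.get("resources", []))


def is_delivered(selectors, event):
    """An event is delivered if any selector statement matches it (OR)."""
    return any(statement_matches(s, event) for s in selectors)


# The S3Select statement from this page, in compact form.
S3_SELECT = [{
    "Name": "S3Select",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "resources.ARN",
         "Equals": ["arn:aws:s3:::amzn-s3-demo-bucket/object1"],
         "StartsWith": ["arn:aws:s3:::amzn-s3-demo-bucket/"],
         "EndsWith": ["object3"],
         "NotStartsWith": ["arn:aws:s3:::amzn-s3-demo-bucket/deselect"],
         "NotEndsWith": ["object5"],
         "NotEquals": ["arn:aws:s3:::amzn-s3-demo-bucket/object6"]},
    ],
}]


def s3_object_event(object_arn, event_name="PutObject", event_type="AwsApiCall"):
    """Constructed minimal S3 data event record (sample data, not a real CloudTrail record)."""
    return {
        "eventCategory": "Data",
        "eventType": event_type,
        "eventSource": "s3.amazonaws.com",
        "eventName": event_name,
        "readOnly": False,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "resources": [{"type": "AWS::S3::Object", "ARN": object_arn}],
    }


def evaluate_page_examples():
    """Return {object ARN: delivered?} for the six ARNs the page walks through."""
    arns = [
        "arn:aws:s3:::amzn-s3-demo-bucket/object1",
        "arn:aws:s3:::amzn-s3-demo-bucket/object2",
        "arn:aws:s3:::amzn-s3-demo-bucket1/object3",
        "arn:aws:s3:::amzn-s3-demo-bucket/deselectObject4",
        "arn:aws:s3:::amzn-s3-demo-bucket/object5",
        "arn:aws:s3:::amzn-s3-demo-bucket/object6",
    ]
    return {arn: is_delivered(S3_SELECT, s3_object_event(arn)) for arn in arns}


if __name__ == "__main__":
    for arn, delivered in evaluate_page_examples().items():
        print("DELIVERED" if delivered else "dropped  ", arn)
```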

## AWS CLI examples for filtering data events
<a name="filtering-data-events-examples"></a>

This section provides AWS CLI examples showing how to filter data events on different fields. For additional AWS CLI examples, see [Log data events for trails by using advanced event selectors](logging-data-events-with-cloudtrail.md#creating-data-event-selectors-advanced) and [Logging data events for event data stores with the AWS CLI](logging-data-events-with-cloudtrail.md#logging-data-events-CLI-eds-examples).

For information about how to log data events using the console, see [Logging data events with the AWS Management Console](logging-data-events-with-cloudtrail.md#logging-data-events-console).

**Topics**
+ [Example 1: Filtering on the `eventName` field](#filtering-data-events-eventname)
+ [Example 2: Filtering on the `resources.ARN` and `userIdentity.arn` fields](#filtering-data-events-useridentityarn)
+ [Example 3: Filtering on the `resources.type` and `eventName` fields to exclude individual objects deleted by an Amazon S3 DeleteObjects event](#filtering-data-events-deleteobjects)

### Example 1: Filtering on the `eventName` field
<a name="filtering-data-events-eventname"></a>

In the first example, the `--advanced-event-selectors` for a trail are configured to log only the `GetObject`, `PutObject`, and `DeleteObject` API calls for Amazon S3 objects in general purpose buckets.

```
aws cloudtrail put-event-selectors \
--trail-name trailName \
--advanced-event-selectors '[
  {
    "Name": "Log GetObject, PutObject and DeleteObject S3 data events",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Data"] },
      { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
      { "Field": "eventName", "Equals": ["GetObject","PutObject","DeleteObject"] }
    ]
  }
]'
```

The next example creates a new event data store that logs data events for EBS Direct APIs but excludes `ListChangedBlocks` API calls. You can use the [update-event-data-store](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/update-event-data-store.html) command to update an existing event data store.

```
aws cloudtrail create-event-data-store \
--name "eventDataStoreName" \
--advanced-event-selectors '[
    {
        "Name": "Log all EBS Direct API data events except ListChangedBlocks",
        "FieldSelectors": [
            { "Field": "eventCategory", "Equals": ["Data"] },
            { "Field": "resources.type", "Equals": ["AWS::EC2::Snapshot"] },
            { "Field": "eventName", "NotEquals": ["ListChangedBlocks"] }
         ]
    }
]'
```

### Example 2: Filtering on the `resources.ARN` and `userIdentity.arn` fields
<a name="filtering-data-events-useridentityarn"></a>

The following example shows how to include all data events for all Amazon S3 objects in a specific general purpose S3 bucket but exclude events generated by the `bucket-scanner-role` `userIdentity`. The value for S3 events for the `resources.type` field is `AWS::S3::Object`. Because the ARN values for S3 objects and S3 buckets are slightly different, you must add the `StartsWith` operator for `resources.ARN`.

```
aws cloudtrail put-event-selectors \
--trail-name trailName \
--advanced-event-selectors \
'[
    {
        "Name": "S3EventSelector",
        "FieldSelectors": [
            { "Field": "eventCategory", "Equals": ["Data"] },
            { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
            { "Field": "resources.ARN", "StartsWith": ["arn:partition:s3:::amzn-s3-demo-bucket/"] },
            { "Field": "userIdentity.arn", "NotStartsWith": ["arn:aws:sts::123456789012:assumed-role/bucket-scanner-role"]}
        ]
    }
]'
```

### Example 3: Filtering on the `resources.type` and `eventName` fields to exclude individual objects deleted by an Amazon S3 DeleteObjects event
<a name="filtering-data-events-deleteobjects"></a>

The following example shows how to include all data events for all Amazon S3 objects in a specific general purpose Amazon S3 bucket but exclude the individual `DeleteObject` events generated for objects deleted by a `DeleteObjects` operation. The value for S3 events for the `resources.type` field is `AWS::S3::Object`. The value for the event name is `DeleteObject`. The first selector statement keeps every data event except `DeleteObject`; the second keeps `DeleteObject` events only when they are not AWS service events, which is how the per-object deletions of a `DeleteObjects` call are recorded.

```
aws cloudtrail put-event-selectors \
--trail-name trailName \
--advanced-event-selectors \
'[
  {
    "Name": "Exclude Events for DeleteObject operation",
    "FieldSelectors": [
      {
        "Field": "eventCategory",
        "Equals": [
          "Data"
        ]
      },
      {
        "Field": "resources.type",
        "Equals": [
          "AWS::S3::Object"
        ]
      },
      {
        "Field": "eventName",
        "NotEquals": [
          "DeleteObject"
        ]
      }
    ]
  },
  {
    "Name": "Exclude DeleteObject Events for individual objects deleted by DeleteObjects Operation",
    "FieldSelectors": [
      {
        "Field": "eventCategory",
        "Equals": [
          "Data"
        ]
      },
      {
        "Field": "resources.type",
        "Equals": [
          "AWS::S3::Object"
        ]
      },
      {
        "Field": "eventName",
        "Equals": [
          "DeleteObject"
        ]
      },
      {
        "Field": "eventType",
        "NotEquals": [
          "AwsServiceEvent"
        ]
      }
    ]
  }
]'
```

# Aggregating data events
<a name="aggregating-data-events"></a>

Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities.

By enabling aggregation on your data events, you can efficiently monitor high-volume data access patterns without processing massive amounts of individual events. This feature automatically consolidates data events into 5-minute summaries, showing key trends like access frequency, error rates, and most-used actions. For example, instead of processing thousands of individual S3 bucket access events to understand usage patterns, you receive consolidated summaries showing top users and actions.

You can enable aggregation on data events when creating a new trail or updating an existing trail that collects data events. You can select one, two, or all three of the out-of-the-box templates to aggregate your data events on:
+ **API Activity** to get a 5-minute summary of your data events based on the API calls made. Use this to understand your API usage patterns, including frequency, callers, and source.
+ **Resource Access** to get the activity patterns on your AWS resources. Use this to understand how your AWS resources are being accessed, how many times they are being accessed in the 5-minute window, who is accessing the resource, and what actions are being performed.
+ **User Actions** to get activity patterns based on the IAM principal making API calls in your account.

## Enabling aggregations for data events using the console
<a name="aggregating-data-events-console"></a>

To enable aggregations on trails, you first choose data events logging when you are creating or updating a trail and configuring data events to log events in the trail. Then, in the configure event aggregation step, you can select templates such as **API Activity** and **Resource Access** from the Aggregation templates dropdown as shown in the screenshot below.

![\[Screenshot of the CloudTrail console showing the Aggregation templates dropdown with API Activity and Resource Access options selected\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/Enable-Aggregation-console.png)


## Enabling aggregations for data events using the AWS CLI
<a name="aggregating-data-events-cli"></a>

You can configure your trails to aggregate events using the AWS CLI.

To see whether your trail is aggregating data events, run the `get-event-configuration` command.

```
aws cloudtrail get-event-configuration --region us-east-1 --trail-name TrailName
```

The command returns the aggregation configuration for the trail.

Before you enable event aggregation, you must create a trail and configure data events in it.

To enable event aggregation on a trail, run the following command. The trail will aggregate events based on the `API_ACTIVITY` and `RESOURCE_ACCESS` aggregation templates.

```
aws cloudtrail put-event-configuration --region us-east-1 --trail TrailName \
--aggregation-configurations \
'[
    {
        "EventCategory": "Data",
        "Templates":
        [
            "API_ACTIVITY",
            "RESOURCE_ACCESS"
        ]
    }
]'
```

### Example: API\_ACTIVITY aggregated event
<a name="aggregating-data-events-api-activity-example"></a>

The following shows an example of an aggregated event for the `API_ACTIVITY` template:

```
{
    "eventVersion": "1.0",
    "accountId": "111122223333",
    "eventId": "62759c1a-6248-48e1-a6b3-d5fb7e6c4bc0",
    "eventCategory": "Aggregated",
    "eventType": "AwsAggregatedEvent",
    "awsRegion": "us-west-2",
    "eventSource": "s3.amazonaws.com",
    "timeWindow":
    {
        "windowStart": "2025-11-17T19:20:00Z",
        "windowEnd": "2025-11-17T19:25:00Z",
        "windowSize": "PT5M"
    },
    "summary":
    {
        "primaryDimension":
        {
            "dimension": "eventName",
            "statistics":
            [
                {
                    "name": "PutObject",
                    "value": 1000
                }
            ],
            "aggregationType": "Count"
        },
        "details":
        [
            {
                "dimension": "resourceARN",
                "statistics":
                [
                    {
                        "name": "arn:aws:s3:::bucket-1",
                        "value": 800
                    },
                    {
                        "name": "arn:aws:s3:::bucket-2",
                        "value": 150
                    },
                    {
                        "name": "arn:aws:s3:::bucket-3",
                        "value": 50
                    }
                ],
                "aggregationType": "Count"
            }
        ]
    }
}
```

### Example: RESOURCE\_ACCESS aggregated event
<a name="aggregating-data-events-resource-access-example"></a>

The following shows an example of an aggregated event for the `RESOURCE_ACCESS` template:

```
{
    "eventVersion": "1.0",
    "accountId": "111122223333",
    "eventId": "2ed87efa-45c1-412d-bc38-7e0879faa6df",
    "eventCategory": "Aggregated",
    "eventType": "AwsAggregatedEvent",
    "awsRegion": "us-west-2",
    "eventSource": "s3.amazonaws.com",
    "timeWindow":
    {
        "windowStart": "2025-11-17T19:20:00Z",
        "windowEnd": "2025-11-17T19:25:00Z",
        "windowSize": "PT5M"
    },
    "summary":
    {
        "primaryDimension":
        {
            "dimension": "resourceARN",
            "statistics":
            [
                {
                    "name": "arn:aws:s3:::bucket-1",
                    "value": 800
                }
            ],
            "aggregationType": "Count"
        },
        "details":
        [
            {
                "dimension": "eventName",
                "statistics":
                [
                    {
                        "name": "PutObject",
                        "value": 800
                    }
                ],
                "aggregationType": "Count"
            }
        ]
    }
}
```

## Logging data events for AWS Config compliance
<a name="config-data-events-best-practices"></a>

If you are using AWS Config conformance packs to help your enterprise maintain compliance with formalized standards such as those required by the Federal Risk and Authorization Management Program (FedRAMP) or the National Institute of Standards and Technology (NIST), conformance packs for compliance frameworks generally require you to log data events for Amazon S3 buckets, at minimum. Conformance packs for compliance frameworks include a [managed rule](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html) called [cloudtrail-s3-dataevents-enabled](https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-s3-dataevents-enabled.html) that checks for S3 data event logging in your account. Many conformance packs that are not associated with compliance frameworks also require S3 data event logging. The following are examples of conformance packs that include this rule.
+ [Operational Best Practices for AWS Well-Architected Framework Security Pillar](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-wa-Security-Pillar.html)
+ [Operational Best Practices for FDA Title 21 CFR Part 11](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-FDA-21CFR-Part-11.html)
+ [Operational Best Practices for FFIEC](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-ffiec.html)
+ [Operational Best Practices for FedRAMP(Moderate)](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-fedramp-moderate.html)
+ [Operational Best Practices for HIPAA Security](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html)
+ [Operational Best Practices for K-ISMS](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-k-isms.html)
+ [Operational Best Practices for Logging](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-logging.html)

For a full list of sample conformance packs available in AWS Config, see [Conformance pack sample templates](https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html) in the *AWS Config Developer Guide.*

## Logging data events with the AWS SDKs
<a name="logging-data-events-with-the-AWS-SDKs"></a>

Run the [GetEventSelectors](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_GetEventSelectors.html) operation to see whether your trail is logging data events. You can configure your trails to log data events by running the [PutEventSelectors](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html) operation. For more information, see the [AWS CloudTrail API Reference](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/).

Run the [GetEventDataStore](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_GetEventDataStore.html) operation to see whether your event data store is logging data events. You can configure your event data stores to include data events by running the [CreateEventDataStore](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateEventDataStore.html) or [UpdateEventDataStore](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateEventDataStore.html) operations and specifying advanced event selectors. For more information, see [Create, update, and manage event data stores with the AWS CLI](lake-eds-cli.md) and the [AWS CloudTrail API Reference](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/).

# Logging network activity events
<a name="logging-network-events-with-cloudtrail"></a>

CloudTrail network activity events enable VPC endpoint owners to record AWS API calls made using their VPC endpoints from a private VPC to the AWS service. Network activity events provide visibility into the resource operations performed within a VPC. For example, logging network activity events can help VPC endpoint owners detect when credentials from outside their organization attempt to access their VPC endpoints. 

You can log network activity events for the following services:
+ AWS AppConfig
+ AWS App Mesh
+ Amazon Athena
+ AWS B2B Data Interchange
+ AWS Backup gateway
+ Amazon Bedrock
+ Billing and Cost Management
+ AWS Pricing Calculator
+ AWS Cost Explorer
+ AWS Cloud Control API
+ AWS CloudHSM
+ AWS Cloud Map
+ AWS CloudFormation
+ AWS CloudTrail
+ Amazon CloudWatch
+ CloudWatch Application Signals
+ AWS CodeDeploy
+ Amazon Comprehend Medical
+ AWS Config
+ AWS Data Exports
+ Amazon Data Firehose
+ AWS Directory Service
+ Amazon DynamoDB
+ Amazon EC2
+ Amazon Elastic Container Service
+ Amazon Elastic File System
+ Elastic Load Balancing
+ Amazon EventBridge
+ Amazon EventBridge Scheduler
+ Amazon Fraud Detector
+ AWS Free Tier
+ Amazon FSx
+ AWS Glue
+ AWS HealthLake
+ AWS IoT FleetWise
+ AWS IoT Secure Tunneling
+ AWS Invoicing
+ Amazon Keyspaces (for Apache Cassandra)
+ AWS KMS
+ AWS Lake Formation
+ AWS Lambda
+ AWS License Manager
+ Amazon Lookout for Equipment
+ Amazon Lookout for Vision
+ Amazon Personalize
+ Amazon Q Business
+ Amazon Rekognition
+ Amazon Relational Database Service
+ Amazon S3
**Note**  
Amazon S3 [Multi-Region Access Points](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRequests.html) are not supported.
+ Amazon SageMaker AI
+ AWS Secrets Manager
+ Amazon Simple Notification Service
+ Amazon Simple Queue Service
+ Amazon Simple Workflow Service
+ AWS Storage Gateway
+ AWS Systems Manager Incident Manager
+ Amazon Textract
+ Amazon Transcribe
+ Amazon Translate
+ AWS Transform
+ Amazon Verified Permissions
+ Amazon WorkMail

You can configure both trails and event data stores to log network activity events.

By default, trails and event data stores do not log network activity events. Additional charges apply for network activity events. For more information, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

**Contents**
+ [Advanced event selector fields for network activity events](#logging-network-events)
+ [Logging network activity events with the AWS Management Console](#creating-network-event-selectors-with-the-console)
  + [Update an existing trail to log network activity events](#log-network-events-trail-console)
  + [Update an existing event data store to log network activity events](#log-network-events-lake-console)
+ [Logging network activity events with the AWS Command Line Interface](#creating-network-event-selectors-with-the-AWS-CLI)
  + [Examples: Logging network activity events for trails](#logging-network-events-CLI-trail-examples)
    + [Example: Log network activity events for CloudTrail operations](#logging-network-events-CLI-trail-all-ct)
    + [Example: Log `VpceAccessDenied` events for AWS KMS](#logging-network-events-CLI-trail-kms)
    + [Example: Log `VpceAccessDenied` events for Amazon S3](#logging-network-events-CLI-trail-s3)
    + [Example: Log EC2 `VpceAccessDenied` events over a specific VPC endpoint](#logging-network-events-CLI-trail-ec2)
    + [Example: Log all management events and network activity events for multiple event sources](#logging-network-events-CLI-trail-multiple)
  + [Examples: Logging network activity events for event data stores](#logging-network-events-CLI-eds-examples)
    + [Example: Log all network activity events for CloudTrail operations](#creating-network-events-eds-CLI-ct)
    + [Example: Log `VpceAccessDenied` events for AWS KMS](#creating-network-events-eds-CLI-kms)
    + [Example: Log EC2 `VpceAccessDenied` events over a specific VPC endpoint](#creating-network-events-eds-CLI-ec2)
    + [Example: Log `VpceAccessDenied` events for Amazon S3](#creating-network-events-eds-CLI-s3)
    + [Example: Log all management events and network activity events for multiple event sources](#creating-network-events-eds-CLI-multiple)
+ [Logging events with the AWS SDKs](#logging-network-events-with-the-AWS-SDKs)

## Advanced event selector fields for network activity events
<a name="logging-network-events"></a>

You configure advanced event selectors to log network activity events by specifying the event source for which you want to log activity. You can configure advanced event selectors using the AWS SDKs, AWS CLI, or CloudTrail console.

The following advanced event selector fields are required to log network activity events:
+ `eventCategory` – To log network activity events, the value must be `NetworkActivity`. `eventCategory` can only use the `Equals` operator.
+ `eventSource` – The event source for which you want to log network activity events. `eventSource` can only use the `Equals` operator. If you want to log network activity events for multiple event sources, you must create a separate field selector for each event source.

  Valid values include:
  + `aco-automation.amazonaws.com`
  + `appconfig.amazonaws.com`
  + `application-signals.amazonaws.com`
  + `appmesh.amazonaws.com`
  + `athena.amazonaws.com`
  + `b2bi.amazonaws.com`
  + `backup-gateway.amazonaws.com`
  + `bcm-data-exports.amazonaws.com`
  + `bcm-pricing-calculator.amazonaws.com`
  + `bedrock-agentcore.amazonaws.com`
  + `bedrock.amazonaws.com`
  + `billing.amazonaws.com`
  + `cassandra.amazonaws.com`
  + `ce.amazonaws.com`
  + `cloudcontrolapi.amazonaws.com`
  + `cloudformation.amazonaws.com`
  + `cloudhsm.amazonaws.com`
  + `cloudoptimization.amazonaws.com`
  + `cloudtrail.amazonaws.com`
  + `codedeploy.amazonaws.com`
  + `comprehend.amazonaws.com`
  + `comprehendmedical.amazonaws.com`
  + `config.amazonaws.com`
  + `ds.amazonaws.com`
  + `dynamodb.amazonaws.com`
  + `ec2.amazonaws.com`
  + `ecs.amazonaws.com`
  + `elasticfilesystem.amazonaws.com`
  + `elasticloadbalancing.amazonaws.com`
  + `events.amazonaws.com`
  + `firehose.amazonaws.com`
  + `frauddetector.amazonaws.com`
  + `freetier.amazonaws.com`
  + `fsx.amazonaws.com`
  + `glue.amazonaws.com`
  + `healthlake.amazonaws.com`
  + `invoicing.amazonaws.com`
  + `iot.amazonaws.com`
  + `iotfleetwise.amazonaws.com`
  + `iotsecuredtunneling.amazonaws.com`
  + `kms.amazonaws.com`
  + `lakeformation.amazonaws.com`
  + `lambda.amazonaws.com`
  + `license-manager.amazonaws.com`
  + `lookoutequipment.amazonaws.com`
  + `lookoutvision.amazonaws.com`
  + `monitoring.amazonaws.com`
  + `nova-act.amazonaws.com`
  + `personalize.amazonaws.com`
  + `qbusiness.amazonaws.com`
  + `rds.amazonaws.com`
  + `rekognition.amazonaws.com`
  + `rolesanywhere.amazonaws.com`
  + `s3.amazonaws.com`
  + `sagemaker.amazonaws.com`
  + `scheduler.amazonaws.com`
  + `secretsmanager.amazonaws.com`
  + `servicediscovery.amazonaws.com`
  + `sns.amazonaws.com`
  + `sqs.amazonaws.com`
  + `ssm-contacts.amazonaws.com`
  + `ssm.amazonaws.com`
  + `storagegateway.amazonaws.com`
  + `swf.amazonaws.com`
  + `textract.amazonaws.com`
  + `transcribe.amazonaws.com`
  + `transcribestreaming.amazonaws.com`
  + `transform-agents.amazonaws.com`
  + `transform-custom.amazonaws.com`
  + `transform.amazonaws.com`
  + `translate.amazonaws.com`
  + `user-subscriptions.amazonaws.com`
  + `verifiedpermissions.amazonaws.com`
  + `voiceid.amazonaws.com`
  + `workmail.amazonaws.com`
  + `workmailmessageflow.amazonaws.com`

The following advanced event selector fields are optional:
+ `eventName` – The requested action that you want to filter on. For example, `CreateKey` or `ListKeys`. `eventName` can use any operator.
+ `errorCode` – The requested error code that you want to filter on. Currently, the only valid `errorCode` is `VpceAccessDenied`. You can use only the `Equals` operator with `errorCode`.
+ `vpcEndpointId` – Identifies the VPC endpoint that the operation passed through. You can use any operator with `vpcEndpointId`.

Network activity events are not logged by default when you create a trail or event data store. To record CloudTrail network activity events, you must explicitly configure each event source for which you want to collect activity.

Additional charges apply for logging network activity events. For CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

## Logging network activity events with the AWS Management Console
<a name="creating-network-event-selectors-with-the-console"></a>

You can update an existing trail or event data store to log network activity events using the console.

**Topics**
+ [Update an existing trail to log network activity events](#log-network-events-trail-console)
+ [Update an existing event data store to log network activity events](#log-network-events-lake-console)

### Update an existing trail to log network activity events
<a name="log-network-events-trail-console"></a>

Use the following procedure to update an existing trail to log network activity events.

**Note**  
Additional charges apply for logging network activity events. For CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the left navigation pane of the CloudTrail console, open the **Trails** page, and choose a trail name.

1. If your trail is logging data events using basic event selectors, you need to switch to advanced event selectors to log network activity events.

   Take these steps to switch to advanced event selectors:

   1. In the **Data events** area, take note of the current data event selectors. Switching to advanced event selectors will clear out any existing data event selectors.

   1. Choose **Edit** and then choose **Switch to advanced event selectors**.

   1. Reapply your data event selections using advanced event selectors. For more information, see [Updating an existing trail to log data events with advanced event selectors using the console](logging-data-events-with-cloudtrail.md#logging-data-events-with-the-cloudtrail-console-adv).

1. In **Network activity events**, choose **Edit**.

   To log network activity events, take the following steps:

   1. From **Network activity event source**, choose the source for network activity events.

   1. In **Log selector template**, choose a template. You can choose to log all network activity events, log all network activity access denied events, or choose **Custom** to build a custom log selector to filter on multiple fields, such as `eventName` and `vpcEndpointId`.

   1. (Optional) Enter a name to identify the selector. The selector name is listed as **Name** in the advanced event selector and is viewable if you expand the **JSON view**.

   1. In **Advanced event selectors** build expressions by choosing values for **Field**, **Operator**, and **Value**. You can skip this step if you are using a predefined log template.

      1. For excluding or including network activity events, you can choose from the following fields in the console.
         + **`eventName`** – You can use any operator with `eventName`. You can use it to include or exclude any event, such as `CreateKey`.
         + **`errorCode`** – You can use it to filter on an error code. Currently, the only supported `errorCode` is `VpceAccessDenied`.
         + **`vpcEndpointId`** – Identifies the VPC endpoint that the operation passed through. You can use any operator with `vpcEndpointId`.

      1. For each field, choose **+ Condition** to add as many conditions as you need, up to a maximum of 500 specified values for all conditions.

      1. Choose **+ Field** to add additional fields as required. To avoid errors, do not set conflicting or duplicate values for fields.

   1. To add another event source for which you want to log network activity events, choose **Add network activity event selector**.

   1. Optionally, expand **JSON view** to see your advanced event selectors as a JSON block.

1. Choose **Save changes** to save your changes.

### Update an existing event data store to log network activity events
<a name="log-network-events-lake-console"></a>

Use the following procedure to update an existing event data store to log network activity events.

**Note**  
You can only log network activity events on event data stores of type **CloudTrail events**.

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the left navigation pane of the CloudTrail console, under **Lake**, choose **Event data stores**.

1. Choose the event data store name.

1. In **Network activity events**, choose **Edit**.

   To log network activity events, take the following steps:

   1. From **Network activity event source**, choose the source for network activity events.

   1. In **Log selector template**, choose a template. You can choose to log all network activity events, log all network activity access denied events, or choose **Custom** to build a custom log selector to filter on multiple fields, such as `eventName` and `vpcEndpointId`.

   1. (Optional) Enter a name to identify the selector. The selector name is listed as **Name** in the advanced event selector and is viewable if you expand the **JSON view**.

   1. In **Advanced event selectors** build expressions by choosing values for **Field**, **Operator**, and **Value**. You can skip this step if you are using a predefined log template.

      1. For excluding or including network activity events, you can choose from the following fields in the console.
         + **`eventName`** – You can use any operator with `eventName`. You can use it to include or exclude any event, such as `CreateKey`.
         + **`errorCode`** – You can use it to filter on an error code. Currently, the only supported `errorCode` is `VpceAccessDenied`.
         + **`vpcEndpointId`** – Identifies the VPC endpoint that the operation passed through. You can use any operator with `vpcEndpointId`.

      1. For each field, choose **+ Condition** to add as many conditions as you need, up to a maximum of 500 specified values for all conditions.

      1. Choose **+ Field** to add additional fields as required. To avoid errors, do not set conflicting or duplicate values for fields.

   1. To add another event source for which you want to log network activity events, choose **Add network activity event selector**.

   1. Optionally, expand **JSON view** to see your advanced event selectors as a JSON block.

1. Choose **Save changes** to save your changes.

## Logging network activity events with the AWS Command Line Interface
<a name="creating-network-event-selectors-with-the-AWS-CLI"></a>

You can configure your trails or event data stores to log network activity events using the AWS CLI.

**Topics**
+ [Examples: Logging network activity events for trails](#logging-network-events-CLI-trail-examples)
+ [Examples: Logging network activity events for event data stores](#logging-network-events-CLI-eds-examples)

### Examples: Logging network activity events for trails
<a name="logging-network-events-CLI-trail-examples"></a>

You can configure your trails to log network activity events using the AWS CLI. Run the [put-event-selectors](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/put-event-selectors.html) command to configure the advanced event selectors for your trail.

To see whether your trail is logging network activity events, run the [get-event-selectors](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/get-event-selectors.html) command.

**Topics**
+ [Example: Log network activity events for CloudTrail operations](#logging-network-events-CLI-trail-all-ct)
+ [Example: Log `VpceAccessDenied` events for AWS KMS](#logging-network-events-CLI-trail-kms)
+ [Example: Log `VpceAccessDenied` events for Amazon S3](#logging-network-events-CLI-trail-s3)
+ [Example: Log EC2 `VpceAccessDenied` events over a specific VPC endpoint](#logging-network-events-CLI-trail-ec2)
+ [Example: Log all management events and network activity events for multiple event sources](#logging-network-events-CLI-trail-multiple)

#### Example: Log network activity events for CloudTrail operations
<a name="logging-network-events-CLI-trail-all-ct"></a>

The following example shows how to configure your trail to include all network activity events for CloudTrail API operations, such as `CreateTrail` and `CreateEventDataStore` calls. The value for the `eventSource` field is `cloudtrail.amazonaws.com`.

```
aws cloudtrail put-event-selectors \
--trail-name TrailName \
--region region \
--advanced-event-selectors '[
    {
        "Name": "Audit all CloudTrail API calls through VPC endpoints",
        "FieldSelectors": [
            {
                "Field": "eventCategory",
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource",
                "Equals": ["cloudtrail.amazonaws.com"]
            }
        ]
    }
]'
```

 The command returns the following example output. 

```
{
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/TrailName",
    "AdvancedEventSelectors": [
        {
            "Name": "Audit all CloudTrail API calls through VPC endpoints",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "cloudtrail.amazonaws.com"
                    ]
                }
            ]
        }
    ]
}
```

#### Example: Log `VpceAccessDenied` events for AWS KMS
<a name="logging-network-events-CLI-trail-kms"></a>

The following example shows how to configure your trail to include `VpceAccessDenied` events for AWS KMS. This example sets the `errorCode` field equal to `VpceAccessDenied` events and the `eventSource` field equal to `kms.amazonaws.com`.

```
aws cloudtrail put-event-selectors \
--region region \
--trail-name TrailName \
--advanced-event-selectors '[
    {
        "Name": "Audit AccessDenied AWS KMS events through VPC endpoints",
        "FieldSelectors": [
            {
                "Field": "eventCategory",
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource",
                "Equals": ["kms.amazonaws.com"]
            },
            {
                "Field": "errorCode",
                "Equals": ["VpceAccessDenied"]
            }
        ]
    }
]'
```

The command returns the following example output. 

```
{
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/TrailName",
    "AdvancedEventSelectors": [
        {
            "Name": "Audit AccessDenied AWS KMS events through VPC endpoints",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "kms.amazonaws.com"
                    ]
                },
                {
                    "Field": "errorCode",
                    "Equals": [
                        "VpceAccessDenied"
                    ]
                }
            ]
        }
    ]
}
```

#### Example: Log `VpceAccessDenied` events for Amazon S3
<a name="logging-network-events-CLI-trail-s3"></a>

The following example shows how to configure your trail to include `VpceAccessDenied` events for Amazon S3. This example sets the `errorCode` field equal to `VpceAccessDenied` events and the `eventSource` field equal to `s3.amazonaws.com`.

```
aws cloudtrail put-event-selectors \
--region region \
--trail-name TrailName \
--advanced-event-selectors '[
    {
        "Name": "Log S3 access denied network activity events",
        "FieldSelectors": [
            {
                "Field": "eventCategory",
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource",
                "Equals": ["s3.amazonaws.com"]
            },
            {
                "Field": "errorCode",
                "Equals": ["VpceAccessDenied"]
            }
        ]
    }
]'
```

The command returns the following example output. 

```
{
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/TrailName",
    "AdvancedEventSelectors": [
        {
            "Name": "Log S3 access denied network activity events",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "s3.amazonaws.com"
                    ]
                },
                {
                    "Field": "errorCode",
                    "Equals": [
                        "VpceAccessDenied"
                    ]
                }
            ]
        }
    ]
}
```

#### Example: Log EC2 `VpceAccessDenied` events over a specific VPC endpoint
<a name="logging-network-events-CLI-trail-ec2"></a>

The following example shows how to configure your trail to include `VpceAccessDenied` events for Amazon EC2 for a specific VPC endpoint. This example sets the `errorCode` field equal to `VpceAccessDenied` events, the `eventSource` field equal to `ec2.amazonaws.com`, and the `vpcEndpointId` equal to the VPC endpoint of interest.

```
aws cloudtrail put-event-selectors \
--region region \
--trail-name TrailName \
--advanced-event-selectors '[
    {
        "Name": "Audit AccessDenied EC2 events over a specific VPC endpoint",
        "FieldSelectors": [
            {
                "Field": "eventCategory",
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource",
                "Equals": ["ec2.amazonaws.com"]
            },
            {
                "Field": "errorCode",
                "Equals": ["VpceAccessDenied"]
            },
            {
                "Field": "vpcEndpointId",
                "Equals": ["vpce-example8c1b6b9b7"]
            }
        ]
    }
]'
```

The command returns the following example output. 

```
{
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/TrailName",
    "AdvancedEventSelectors": [
        {
            "Name": "Audit AccessDenied EC2 events over a specific VPC endpoint",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "ec2.amazonaws.com"
                    ]
                },
                {
                    "Field": "errorCode",
                    "Equals": [
                        "VpceAccessDenied"
                    ]
                },
                {
                    "Field": "vpcEndpointId",
                    "Equals": [
                        "vpce-example8c1b6b9b7"
                    ]
                }
            ]
        }
    ]
}
```

#### Example: Log all management events and network activity events for multiple event sources
<a name="logging-network-events-CLI-trail-multiple"></a>

The following example configures a trail to log management events and all network activity events for the CloudTrail, Amazon EC2, AWS KMS, AWS Secrets Manager, and Amazon S3 event sources.

```
aws cloudtrail put-event-selectors \
--region region \
--trail-name TrailName \
--advanced-event-selectors '[
    {
        "Name": "Log all management events",
        "FieldSelectors": [
            { 
                "Field": "eventCategory", 
                "Equals": ["Management"]
            }
        ]
    },
    {
        "Name": "Log all network activity events for CloudTrail APIs",
        "FieldSelectors": [
            {
                "Field": "eventCategory", 
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource", 
                "Equals": ["cloudtrail.amazonaws.com"]
            }
        ]
    },
    {
        "Name": "Log all network activity events for EC2",
        "FieldSelectors": [
            {
                "Field": "eventCategory", 
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource",
                "Equals": ["ec2.amazonaws.com"]
            }
        ]
    },
    {
        "Name": "Log all network activity events for KMS",
        "FieldSelectors": [
            {
                "Field": "eventCategory", 
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource", 
                "Equals": ["kms.amazonaws.com"]
            }
        ]
    },
    {
        "Name": "Log all network activity events for S3",
        "FieldSelectors": [
            {
                "Field": "eventCategory", 
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource", 
                "Equals": ["s3.amazonaws.com"]
            }
        ]
    },
    {
        "Name": "Log all network activity events for Secrets Manager",
        "FieldSelectors": [
            {
                "Field": "eventCategory", 
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource",
                "Equals": ["secretsmanager.amazonaws.com"]
            }
        ]
    }
]'
```

The command returns the following example output. 

```
{
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TrailName",
    "AdvancedEventSelectors": [
        {
            "Name": "Log all management events",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Management"
                    ]
                }
            ]
        },
        {
            "Name": "Log all network activity events for CloudTrail APIs",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "cloudtrail.amazonaws.com"
                    ]
                }
            ]
        },
        {
            "Name": "Log all network activity events for EC2",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "ec2.amazonaws.com"
                    ]
                }
            ]
        },
        {
            "Name": "Log all network activity events for KMS",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "kms.amazonaws.com"
                    ]
                }
            ]
        },
        {
            "Name": "Log all network activity events for S3",
            "FieldSelectors": [
                {
                    "Field": "eventCategory", 
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource", 
                    "Equals": [
                        "s3.amazonaws.com"
                    ]
                }
            ]
        },
        {
            "Name": "Log all network activity events for Secrets Manager",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "secretsmanager.amazonaws.com"
                    ]
                }
            ]
        }
    ]
}
```

### Examples: Logging network activity events for event data stores
<a name="logging-network-events-CLI-eds-examples"></a>

You can configure your event data stores to include network activity events using the AWS CLI. Use the [create-event-data-store](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-event-data-store.html) command to create a new event data store to log network activity events. Use the [update-event-data-store](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-event-data-store.html) command to update the advanced event selectors for an existing event data store.

To see whether your event data store includes network activity events, run the [get-event-data-store](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/get-event-data-store.html) command.

```
aws cloudtrail get-event-data-store --event-data-store EventDataStoreARN
```

**Topics**
+ [Example: Log all network activity events for CloudTrail operations](#creating-network-events-eds-CLI-ct)
+ [Example: Log `VpceAccessDenied` events for AWS KMS](#creating-network-events-eds-CLI-kms)
+ [Example: Log EC2 `VpceAccessDenied` events over a specific VPC endpoint](#creating-network-events-eds-CLI-ec2)
+ [Example: Log `VpceAccessDenied` events for Amazon S3](#creating-network-events-eds-CLI-s3)
+ [Example: Log all management events and network activity events for multiple event sources](#creating-network-events-eds-CLI-multiple)

#### Example: Log all network activity events for CloudTrail operations
<a name="creating-network-events-eds-CLI-ct"></a>

The following example shows how to create an event data store that includes all network activity events related to CloudTrail operations, such as calls to `CreateTrail` and `CreateEventDataStore`. The value for the `eventSource` field is set to `cloudtrail.amazonaws.com`.

```
aws cloudtrail create-event-data-store \
--name "EventDataStoreName" \
--advanced-event-selectors '[
    {
        "Name": "Audit all CloudTrail API calls over VPC endpoint",
        "FieldSelectors": [
            {
                "Field": "eventCategory",
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource",
                "Equals": ["cloudtrail.amazonaws.com"]
            }
        ]
    }
]'
```

The command returns the following example output.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE492-301f-4053-ac5e-EXAMPLE441aa",
    "Name": "EventDataStoreName",
    "Status": "ENABLED",
    "AdvancedEventSelectors": [
        {
            "Name": "Audit all CloudTrail API calls over VPC endpoint",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "cloudtrail.amazonaws.com"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2024-05-20T21:00:17.673000+00:00",
    "UpdatedTimestamp": "2024-05-20T21:00:17.820000+00:00"
}
```

#### Example: Log `VpceAccessDenied` events for AWS KMS
<a name="creating-network-events-eds-CLI-kms"></a>

The following example shows how to create an event data store to include `VpceAccessDenied` events for AWS KMS. This example sets the `errorCode` field equal to `VpceAccessDenied` events and the `eventSource` field equal to `kms.amazonaws.com`.

```
aws cloudtrail create-event-data-store \
--name EventDataStoreName \
--advanced-event-selectors '[
     {
        "Name": "Audit AccessDenied AWS KMS events over VPC endpoints",
        "FieldSelectors": [
            {
                "Field": "eventCategory",
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource",
                "Equals": ["kms.amazonaws.com"]
            },
            {
                "Field": "errorCode",
                "Equals": ["VpceAccessDenied"]
            }
        ]
    }
]'
```

The command returns the following example output.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEb4a8-99b1-4ec2-9258-EXAMPLEc890",
    "Name": "EventDataStoreName",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Audit AccessDenied AWS KMS events over VPC endpoints",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "kms.amazonaws.com"
                    ]
                },
                {
                    "Field": "errorCode",
                    "Equals": [
                        "VpceAccessDenied"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2024-05-20T21:00:17.673000+00:00",
    "UpdatedTimestamp": "2024-05-20T21:00:17.820000+00:00"
}
```

#### Example: Log EC2 `VpceAccessDenied` events over a specific VPC endpoint
<a name="creating-network-events-eds-CLI-ec2"></a>

The following example shows how to create an event data store to include `VpceAccessDenied` events for Amazon EC2 for a specific VPC endpoint. This example sets the `errorCode` field equal to `VpceAccessDenied` events, the `eventSource` field equal to `ec2.amazonaws.com`, and the `vpcEndpointId` equal to the VPC endpoint of interest.

```
aws cloudtrail create-event-data-store \
--name EventDataStoreName \
--advanced-event-selectors '[
     {
        "Name": "Audit AccessDenied EC2 events over a specific VPC endpoint",
        "FieldSelectors": [
            {
                "Field": "eventCategory",
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource",
                "Equals": ["ec2.amazonaws.com"]
            },
            {
                "Field": "errorCode",
                "Equals": ["VpceAccessDenied"]
            },
            {
                "Field": "vpcEndpointId",
                "Equals": ["vpce-example8c1b6b9b7"]
            }
        ]
    }
]'
```

The command returns the following example output.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEb4a8-99b1-4ec2-9258-EXAMPLEc890",
    "Name": "EventDataStoreName",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Audit AccessDenied EC2 events over a specific VPC endpoint",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "ec2.amazonaws.com"
                    ]
                },
                {
                    "Field": "errorCode",
                    "Equals": [
                        "VpceAccessDenied"
                    ]
                },
                {
                    "Field": "vpcEndpointId",
                    "Equals": [
                        "vpce-example8c1b6b9b7"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2024-05-20T21:00:17.673000+00:00",
    "UpdatedTimestamp": "2024-05-20T21:00:17.820000+00:00"
}
```

#### Example: Log `VpceAccessDenied` events for Amazon S3
<a name="creating-network-events-eds-CLI-s3"></a>

The following example shows how to create an event data store to include `VpceAccessDenied` events for Amazon S3. This example sets the `errorCode` field equal to `VpceAccessDenied` events and the `eventSource` field equal to `s3.amazonaws.com`.

```
aws cloudtrail create-event-data-store \
--name EventDataStoreName \
--advanced-event-selectors '[
    {
        "Name": "Log S3 access denied network activity events",
        "FieldSelectors": [
            {
                "Field": "eventCategory",
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource",
                "Equals": ["s3.amazonaws.com"]
            },
            {
                "Field": "errorCode",
                "Equals": ["VpceAccessDenied"]
            }
        ]
    }
]'
```

The command returns the following example output. 

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEb4a8-99b1-4ec2-9258-EXAMPLEc890",
    "Name": "EventDataStoreName",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Log S3 access denied network activity events",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "s3.amazonaws.com"
                    ]
                },
                {
                    "Field": "errorCode",
                    "Equals": [
                        "VpceAccessDenied"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2024-05-20T21:00:17.673000+00:00",
    "UpdatedTimestamp": "2024-05-20T21:00:17.820000+00:00"
}
```

#### Example: Log all management events and network activity events for multiple event sources
<a name="creating-network-events-eds-CLI-multiple"></a>

The following `update-event-data-store` command updates an event data store that currently logs only management events so that it also logs network activity events for multiple event sources. To add selectors to an existing event data store, first run the `get-event-data-store` command to return its current advanced event selectors. Then run the `update-event-data-store` command and pass `--advanced-event-selectors` with the current selectors plus any new selectors; the list you pass replaces the existing list, so any selector you leave out (including the management event selector) stops being applied. To log network activity events for multiple event sources, include one selector for each event source that you want to log.
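The get-then-merge step described above is easy to get wrong by hand: `update-event-data-store`, like `put-event-selectors` for a trail, takes the complete selector list, so passing only the new network activity selectors silently drops management event logging, and re-adding a selector that already exists under another `Name` produces the duplicate the console warns about. The following Python is an added example, not CloudTrail's own tooling; it merges new selectors into the current list without duplicates, reports which event sources the merged list covers (`all` network activity events, or `filtered` when every selector for that source carries an `errorCode`, `vpcEndpointId` or `eventName` condition), and warns when no `Management` selector remains. The script name, the helper functions and the sample selectors are this example's own.

```python
"""Merge new network activity selectors into an event data store's (or a
trail's) current advanced event selectors and check what the result logs.

Added example, not CloudTrail's own tooling. Pipe the JSON printed by
`aws cloudtrail get-event-data-store` (or `get-event-selectors`) on stdin;
both carry an "AdvancedEventSelectors" key. The merged list is printed in a
form that can be saved and passed back via --advanced-event-selectors.
"""
import json
import sys


def network_selector(name, source, error_code=None):
    """Build a NetworkActivity selector for one event source, optionally
    restricted to one errorCode (VpceAccessDenied is the only valid value)."""
    fields = [
        {"Field": "eventCategory", "Equals": ["NetworkActivity"]},
        {"Field": "eventSource", "Equals": [source]},
    ]
    if error_code:
        fields.append({"Field": "errorCode", "Equals": [error_code]})
    return {"Name": name, "FieldSelectors": fields}


def _canonical(selector):
    """Order-independent key for a selector's FieldSelectors; Name is ignored."""
    fields = [
        {k: (sorted(v) if isinstance(v, list) else v) for k, v in fs.items()}
        for fs in selector["FieldSelectors"]
    ]
    fields.sort(key=lambda fs: fs["Field"])
    return json.dumps(fields, sort_keys=True)


def merge_selectors(current, new):
    """current + new, skipping any new selector whose fields duplicate one already present."""
    seen = {_canonical(s) for s in current}
    merged = list(current)
    for sel in new:
        key = _canonical(sel)
        if key in seen:
            continue  # same fields under another Name would be a duplicate
        seen.add(key)
        merged.append(sel)
    return merged


def network_sources(selectors):
    """Map eventSource -> 'all' or 'filtered' over the NetworkActivity selectors.
    'all' wins when any selector for that source has no narrowing condition."""
    result = {}
    for sel in selectors:
        fields = {fs["Field"]: fs for fs in sel["FieldSelectors"]}
        if fields.get("eventCategory", {}).get("Equals") != ["NetworkActivity"]:
            continue
        narrowed = any(f in fields for f in ("errorCode", "vpcEndpointId", "eventName"))
        scope = "filtered" if narrowed else "all"
        for src in fields.get("eventSource", {}).get("Equals", []):
            if result.get(src) != "all":
                result[src] = scope
    return result


def problems(selectors):
    """Warnings to read before running the update command."""
    issues = []
    categories = [
        {fs["Field"]: fs for fs in s["FieldSelectors"]}.get("eventCategory", {}).get("Equals", [])
        for s in selectors
    ]
    if ["Management"] not in categories:
        issues.append("no Management selector: management events will not be logged")
    keys = [_canonical(s) for s in selectors]
    for key in sorted(set(keys)):
        if keys.count(key) > 1:
            names = [s.get("Name") for s in selectors if _canonical(s) == key]
            issues.append(f"duplicate selectors: {names}")
    return issues


# Constructed sample: what the resource logs now, and what we want to add.
CURRENT_SELECTORS = [
    {"Name": "Log all management events",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
]
NEW_SELECTORS = [
    network_selector("Log all network activity events for KMS", "kms.amazonaws.com"),
    network_selector("Audit AccessDenied S3 events through VPC endpoints",
                     "s3.amazonaws.com", "VpceAccessDenied"),
    network_selector("KMS network activity (same fields, different Name)", "kms.amazonaws.com"),
]

if __name__ == "__main__":
    current = CURRENT_SELECTORS
    if not sys.stdin.isatty():  # JSON from get-event-data-store / get-event-selectors
        current = json.load(sys.stdin)["AdvancedEventSelectors"]
    merged = merge_selectors(current, NEW_SELECTORS)
    for issue in problems(merged):
        print("WARNING:", issue, file=sys.stderr)
    print(json.dumps(merged, indent=4))
```

A typical run, with the script saved as `merge_selectors.py` (an assumed name), is `aws cloudtrail get-event-data-store --event-data-store EventDataStoreARN | python3 merge_selectors.py > selectors.json`, followed by `aws cloudtrail update-event-data-store --event-data-store EventDataStoreARN --advanced-event-selectors file://selectors.json`. Running `problems` on the new selectors alone, without the current list, reports the missing `Management` selector; that is exactly the configuration a bare `update-event-data-store` with only network activity selectors would leave behind.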

```
aws cloudtrail update-event-data-store \
--event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE \
--advanced-event-selectors '[
    {
        "Name": "Log all management events",
        "FieldSelectors": [
            { 
                "Field": "eventCategory", 
                "Equals": ["Management"]
            }
        ]
    },
    {
        "Name": "Log all network activity events for CloudTrail APIs",
        "FieldSelectors": [
            {
                "Field": "eventCategory", 
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource", 
                "Equals": ["cloudtrail.amazonaws.com"]
            }
        ]
    },
    {
        "Name": "Log all network activity events for EC2",
        "FieldSelectors": [
            {
                "Field": "eventCategory", 
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource",
                "Equals": ["ec2.amazonaws.com"]
            }
        ]
    },
    {
        "Name": "Log all network activity events for KMS",
        "FieldSelectors": [
            {
                "Field": "eventCategory",
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource", 
                "Equals": ["kms.amazonaws.com"]
            }
        ]
    },
    {
        "Name": "Log all network activity events for S3",
        "FieldSelectors": [
            {
                "Field": "eventCategory", 
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource", 
                "Equals": ["s3.amazonaws.com"]
            }
        ]
    },
    {
        "Name": "Log all network activity events for Secrets Manager",
        "FieldSelectors": [
            {
                "Field": "eventCategory", 
                "Equals": ["NetworkActivity"]
            },
            {
                "Field": "eventSource",
                "Equals": ["secretsmanager.amazonaws.com"]
            }
        ]
    }
]'
```

The command returns the following example output.

```
{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEb4a8-99b1-4ec2-9258-EXAMPLEc890",
    "Name": "EventDataStoreName",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Log all management events",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Management"
                    ]
                }
            ]
        },
        {
            "Name": "Log all network activity events for CloudTrail APIs",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "cloudtrail.amazonaws.com"
                    ]
                }
            ]
        },
        {
            "Name": "Log all network activity events for EC2",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "ec2.amazonaws.com"
                    ]
                }
            ]
        },
        {
            "Name": "Log all network activity events for KMS",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "kms.amazonaws.com"
                    ]
                }
            ]
        },
        {
            "Name": "Log all network activity events for S3",
            "FieldSelectors": [
                {
                    "Field": "eventCategory", 
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource", 
                    "Equals": [
                        "s3.amazonaws.com"
                    ]
                }
            ]
        },
        {
            "Name": "Log all network activity events for Secrets Manager",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "NetworkActivity"
                    ]
                },
                {
                    "Field": "eventSource",
                    "Equals": [
                        "secretsmanager.amazonaws.com"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2024-11-20T21:00:17.673000+00:00",
    "UpdatedTimestamp": "2024-11-20T21:00:17.820000+00:00"
}
```
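Because `update-event-data-store` replaces the whole selector list, the merge step described above is easy to get wrong by hand. The following Python helper (an added example, not part of the AWS documentation) carries over the selectors returned by `get-event-data-store`, appends one `NetworkActivity` selector per requested event source while skipping sources that are already covered, and renders the CLI invocation; the current selectors and the ARN are constructed sample input.

```python
"""Build --advanced-event-selectors for update-event-data-store.

Added example, not from the AWS documentation. update-event-data-store
replaces the whole selector list, so the current selectors returned by
get-event-data-store must be carried over; this helper merges them with
one NetworkActivity selector per requested event source, skips sources
that already have one, and renders the CLI invocation. The current
selectors and the event data store ARN below are constructed sample input.
"""
import copy
import json
from typing import Any, Dict, List, Optional, Set

Selector = Dict[str, Any]


def network_activity_selector(event_source: str, name: Optional[str] = None) -> Selector:
    """Selector that logs all network activity events for one event source."""
    return {
        "Name": name or f"Log all network activity events for {event_source}",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["NetworkActivity"]},
            {"Field": "eventSource", "Equals": [event_source]},
        ],
    }


def _equals_values(selector: Selector, field: str) -> List[str]:
    """Values listed under Equals for `field`, or [] if the selector lacks it."""
    for fs in selector.get("FieldSelectors", []):
        if fs.get("Field") == field:
            return list(fs.get("Equals", []))
    return []


def existing_network_sources(selectors: List[Selector]) -> Set[str]:
    """Event sources that already have a NetworkActivity selector."""
    covered: Set[str] = set()
    for sel in selectors:
        if "NetworkActivity" in _equals_values(sel, "eventCategory"):
            covered.update(_equals_values(sel, "eventSource"))
    return covered


def merge_network_activity_selectors(current: List[Selector],
                                     event_sources: List[str]) -> List[Selector]:
    """Current selectors (unchanged, in order) plus one new selector per uncovered source."""
    merged = copy.deepcopy(current)          # never mutate the caller's list
    covered = existing_network_sources(current)
    for src in event_sources:
        if src not in covered:
            merged.append(network_activity_selector(src))
            covered.add(src)
    return merged


def update_command(eds_arn: str, selectors: List[Selector]) -> str:
    """Single-line aws cloudtrail update-event-data-store call with the JSON argument."""
    payload = json.dumps(selectors)
    if "'" in payload:  # would terminate the single-quoted shell argument early
        raise ValueError("selector content contains a single quote")
    return ("aws cloudtrail update-event-data-store "
            f"--event-data-store {eds_arn} "
            f"--advanced-event-selectors '{payload}'")


# Constructed sample: what get-event-data-store returned for a store that logs
# management events and network activity events for CloudTrail only.
CURRENT_SELECTORS: List[Selector] = [
    {"Name": "Log all management events",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
    network_activity_selector("cloudtrail.amazonaws.com",
                              "Log all network activity events for CloudTrail APIs"),
]
# cloudtrail.amazonaws.com is already covered, so only two selectors are added.
NEW_SOURCES = ["cloudtrail.amazonaws.com", "ec2.amazonaws.com", "kms.amazonaws.com"]
MERGED = merge_network_activity_selectors(CURRENT_SELECTORS, NEW_SOURCES)

if __name__ == "__main__":
    # Placeholder ARN; substitute the ARN of your event data store.
    print(update_command("arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE",
                         MERGED))
```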

## Logging events with the AWS SDKs
<a name="logging-network-events-with-the-AWS-SDKs"></a>

Run the [GetEventSelectors](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_GetEventSelectors.html) operation to see whether your trail is logging network activity events. You can configure your trails to log network activity events by running the [PutEventSelectors](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html) operation. For more information, see the [AWS CloudTrail API Reference](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/).

Run the [GetEventDataStore](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_GetEventDataStore.html) operation to see whether your event data store is logging network activity events. You can configure your event data stores to include network activity events by running the [CreateEventDataStore](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateEventDataStore.html) or [UpdateEventDataStore](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateEventDataStore.html) operations and specifying advanced event selectors. For more information, see [Create, update, and manage event data stores with the AWS CLI](lake-eds-cli.md) and the [AWS CloudTrail API Reference](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/).

# Enrich CloudTrail events by adding resource tag keys and IAM global condition keys
<a name="cloudtrail-context-events"></a>

You can enrich CloudTrail management events and data events by adding resource tag keys, principal tag keys, and IAM global condition keys when you create or update an event data store. This allows you to categorize, search, and analyze CloudTrail events based on the business context, such as cost allocation and financial management, operations, and data security requirements. You can analyze events by running queries in CloudTrail Lake. You can also choose to [federate](query-federation.md) your event data store and run queries in Amazon Athena. You can add resource tag keys and IAM global condition keys to an event data store using the [CloudTrail console](query-event-data-store-cloudtrail.md), [AWS CLI](lake-cli-manage-eds.md#lake-cli-put-event-configuration), and SDKs.

**Note**  
Resource tags that you add after resource creation or updates might experience a delay before those tags are reflected in CloudTrail events. CloudTrail events for resource deletions might not include tag information.  
IAM global condition keys will always be visible in the output of a query, but might not be visible to the resource owner. 

When you add resource tag keys to enriched events, CloudTrail includes the selected tag keys associated with the resources that were involved in the API call.

When you add IAM global condition keys to an event data store, CloudTrail includes information about the selected condition keys that were evaluated during the authorization process, including additional details about the principal, session, and the request itself. 

**Note**  
Configuring CloudTrail to include a condition key or principal tag does not mean that this condition key or principal tag will be present in every event. For example, if you've set up CloudTrail to include a specific global condition key but you don't see it in a particular event, this indicates that the key wasn't relevant to the IAM policy evaluation for that action.

After you add resource tag keys or IAM condition keys, CloudTrail includes an `eventContext` field in CloudTrail events that provides the selected contextual information for the API action.

There are some exceptions when the event will not include the `eventContext` field, including the following:
+ API events related to deleted resources might or might not have resource tags.
+ The `eventContext` field will not have data for delayed events, and will not be present for events that were updated after the API call. For example, if there is a delay or outage for Amazon EventBridge, tags for events might remain out of date for some time after the outage is resolved. Some AWS services will experience longer delays. For more information, see [Resource tag updates in CloudTrail for enriched events](#resrouce-tags-updates).
+ If you modify or delete the AWSServiceRoleForCloudTrailEventContext service-linked role used for enriched events, CloudTrail will not populate any resource tags into `eventContext`.

**Note**  
The `eventContext` field is only present in events for event data stores that are configured to include resource tag keys, principal tag keys, and IAM global condition keys. Events delivered to **Event history**, Amazon EventBridge, viewable with the AWS CLI `lookup-events` command, and delivered to trails, will not include the `eventContext` field.

**Topics**
+ [AWS services supporting resource tags](#resource-tags-supported-services)
+ [AWS services supporting IAM global condition keys](#condition-keys-supported-services)
+ [Event examples](#context-event-examples)

## AWS services supporting resource tags
<a name="resource-tags-supported-services"></a>

All AWS services support resource tags. For more information, see [Services that support the AWS Resource Groups Tagging API](https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/supported-services.html).

### Resource tag updates in CloudTrail for enriched events
<a name="resrouce-tags-updates"></a>

When configured to do so, CloudTrail captures information about resource tags and uses it to provide information in enriched events. When working with resource tags, there are certain conditions under which a resource tag might not be accurately reflected in the event at the time of the request. During standard operation, tags applied at resource creation time are always present and will experience minimal or no delays. However, the following services are expected to have delays in resource tag changes appearing in CloudTrail events: 
+ Amazon Chime Voice Connector
+ AWS CloudTrail
+ AWS CodeConnections
+ Amazon DynamoDB
+ Amazon ElastiCache
+ Amazon Keyspaces (for Apache Cassandra)
+ Amazon Kinesis
+ Amazon Lex
+ Amazon MemoryDB
+ Amazon S3
+ Amazon Security Lake
+ AWS Direct Connect
+ AWS IAM Identity Center
+ AWS Key Management Service
+ AWS Lambda
+ AWS Marketplace Vendor Insights
+ AWS Organizations
+ AWS Payment Cryptography
+ Amazon Simple Queue Service

Service outages can also cause delays in updates to resource tag information. When a service outage delays an update, subsequent CloudTrail events will include an `addendum` field with information about the resource tag change. CloudTrail uses this additional information to provide enriched CloudTrail events.

## AWS services supporting IAM global condition keys
<a name="condition-keys-supported-services"></a>

The following AWS services support IAM global condition keys for enriched events:
+ AWS Certificate Manager
+ AWS CloudTrail
+ Amazon CloudWatch
+ Amazon CloudWatch Logs
+ AWS CodeBuild
+ AWS CodeCommit
+ AWS CodeDeploy
+ Amazon Cognito Sync
+ Amazon Comprehend
+ Amazon Comprehend Medical
+ Amazon Connect Voice ID
+ AWS Control Tower
+ Amazon Data Firehose
+ Amazon Elastic Block Store
+ Elastic Load Balancing
+ AWS End User Messaging Social
+ Amazon EventBridge
+ Amazon EventBridge Scheduler
+ Amazon FSx
+ AWS HealthImaging
+ AWS IoT Events
+ AWS IoT FleetWise
+ AWS IoT SiteWise
+ AWS IoT TwinMaker
+ AWS IoT Wireless
+ Amazon Kendra
+ AWS KMS
+ AWS Lambda
+ AWS License Manager
+ Amazon Lookout for Equipment
+ Amazon Lookout for Vision
+ AWS Network Firewall
+ AWS Payment Cryptography
+ Amazon Personalize
+ AWS Proton
+ Amazon Rekognition
+ Amazon SageMaker AI
+ AWS Secrets Manager
+ Amazon Simple Email Service (Amazon SES)
+ Amazon Simple Notification Service (Amazon SNS)
+ Amazon SQS
+ AWS Step Functions
+ AWS Storage Gateway
+ Amazon SWF
+ AWS Supply Chain
+ Amazon Timestream
+ Amazon Timestream for InfluxDB
+ Amazon Transcribe
+ AWS Transfer Family
+ AWS Trusted Advisor
+ Amazon WorkSpaces
+ AWS X-Ray

### Supported IAM global condition keys for enriched events
<a name="context-event-supported-global-condition-keys"></a>

The following table lists the supported IAM global condition keys for CloudTrail enriched events, with example values:


**Global Condition Keys and Sample Values**  

| Key | Example value | 
| --- | --- | 
| aws:FederatedProvider | "IdP" | 
| aws:TokenIssueTime | "123456789" | 
| aws:MultiFactorAuthAge | "99" | 
| aws:MultiFactorAuthPresent | "true" | 
| aws:SourceIdentity | "UserName" | 
| aws:PrincipalAccount | "111122223333" | 
| aws:PrincipalArn | "arn:aws:iam::555555555555:role/myRole" | 
| aws:PrincipalIsAWSService | "false" | 
| aws:PrincipalOrgID | "o-rganization" | 
| aws:PrincipalOrgPaths | ["o-rganization/path-of-org"] | 
| aws:PrincipalServiceName | "cloudtrail.amazonaws.com" | 
| aws:PrincipalServiceNamesList | ["cloudtrail.amazonaws.com","s3.amazonaws.com"] | 
| aws:PrincipalType | "AssumedRole" | 
| aws:userid | "userid" | 
| aws:username | "username" | 
| aws:RequestedRegion | "us-east-2" | 
| aws:SecureTransport | "true" | 
| aws:ViaAWSService | "false" | 
| aws:CurrentTime | "2025-04-30 15:30:00" | 
| aws:EpochTime | "1746049800" | 
| aws:SourceAccount | "111111111111" | 
| aws:SourceOrgID | "o-rganization" | 

## Event examples
<a name="context-event-examples"></a>

In the following example, the `eventContext` field includes IAM global condition key `aws:ViaAWSService` with a value of `false`, which indicates the API call was not made by an AWS service.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "ASIAIOSFODNN7EXAMPLE",
        "arn": "arn:aws:sts::123456789012:assumed-role/admin",
        "accountId": "123456789012",
        "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "ASIAIOSFODNN7EXAMPLE",
                "arn": "arn:aws:iam::123456789012:role/admin",
                "accountId": "123456789012",
                "userName": "admin"
            },
            "attributes": {
                "creationDate": "2025-01-22T22:05:56Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2025-01-22T22:06:16Z",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "GetTrailStatus",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.168.0.0",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0",
    "requestParameters": {
        "name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/myTrail"
    },
    "responseElements": null,
    "requestID": "d09c4dd2-5698-412b-be7a-example1a23",
    "eventID": "9cb5f426-7806-46e5-9729-exampled135d",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true",
    "eventContext": {
        "requestContext": {
            "aws:ViaAWSService": "false"
        },
        "tagContext": {}
    }
}
```

# CloudTrail record contents for management, data, and network activity events
<a name="cloudtrail-event-reference-record-contents"></a>

This page describes the record contents of a management, data, or network activity event.

The body of the record contains fields that help you determine the requested action as well as when and where the request was made. When the value of **Optional** is **True**, the field is only present when it applies to the service, API, or event type. An **Optional** value of **False** means that the field is either always present, or that its presence does not depend on the service, API, or event type. An example is `responseElements`, which is present in events for actions that make changes (create, update, or delete actions).

**Note**  
Fields for enriched events such as `eventContext` are only available for management events and data events. They are not available for network events.

**`eventTime`**  
The date and time the request was completed, in coordinated universal time (UTC). An event's time stamp comes from the local host that provides the service API endpoint on which the API call was made. For example, a **CreateBucket** API event that is run in the US West (Oregon) Region would get its time stamp from the time on an AWS host running the Amazon S3 endpoint, `s3.us-west-2.amazonaws.com`. In general, AWS services use Network Time Protocol (NTP) to synchronize their system clocks.  
**Since:** 1.0  
**Optional:** False

**`eventVersion`**  
The version of the log event format. The current version is 1.11.  
The `eventVersion` value is a major and minor version in the form *major\_version*.*minor\_version*. For example, you can have an `eventVersion` value of `1.10`, where `1` is the major version, and `10` is the minor version.  
CloudTrail increments the major version if a change is made to the event structure that is not backward-compatible. This includes removing a JSON field that already exists, or changing how the contents of a field are represented (for example, a date format). CloudTrail increments the minor version if a change adds new fields to the event structure. This can occur if new information is available for some or all existing events, or if new information is available only for new event types. Applications can ignore new fields to stay compatible with new minor versions of the event structure.  
If CloudTrail introduces new event types, but the structure of the event is otherwise unchanged, the event version does not change.  
To be sure that your applications can parse the event structure, we recommend that you perform an equal-to comparison on the major version number. To be sure that fields that are expected by your application exist, we also recommend performing a greater-than-or-equal-to comparison on the minor version. There are no leading zeroes in the minor version. You can interpret both *major\_version* and *minor\_version* as numbers, and perform comparison operations.  
**Since:** 1.0  
**Optional:** False
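The comparison rule above, as an added Python example that is not part of the AWS documentation: the major version must match exactly, the minor version must be at least the one the application was written for, and both are compared as integers, because a plain string comparison puts `1.10` before `1.9`. The sample records are constructed; `1.9` is used only to show the string-comparison pitfall and is not a version the page lists.

```python
"""Compatibility check for the CloudTrail eventVersion field.

Added example (not from the AWS documentation). Major version: equal-to.
Minor version: greater-than-or-equal-to. Both parts are parsed as
integers so that "1.10" sorts after "1.9"; a string comparison gets that
wrong. The sample records below are constructed.
"""
from typing import List, Tuple


def parse_event_version(event_version: str) -> Tuple[int, int]:
    """Split 'major.minor' into two integers; a leading zero as in 1.06 is tolerated."""
    major_s, sep, minor_s = event_version.partition(".")
    if not sep or not major_s.isdigit() or not minor_s.isdigit():
        raise ValueError(f"malformed eventVersion: {event_version!r}")
    return int(major_s), int(minor_s)


def is_compatible(event_version: str, required: str) -> bool:
    """True when an application written for `required` can parse `event_version`."""
    ev_major, ev_minor = parse_event_version(event_version)
    req_major, req_minor = parse_event_version(required)
    return ev_major == req_major and ev_minor >= req_minor


def split_records(records: List[dict],
                  required: str) -> Tuple[List[dict], List[Tuple[dict, str]]]:
    """Partition records into parseable ones and (record, reason) pairs to quarantine."""
    accepted: List[dict] = []
    rejected: List[Tuple[dict, str]] = []
    for rec in records:
        version = rec.get("eventVersion")
        if version is None:
            rejected.append((rec, "missing eventVersion"))
            continue
        try:
            ok = is_compatible(version, required)
        except ValueError as exc:
            rejected.append((rec, str(exc)))
            continue
        if ok:
            accepted.append(rec)
        else:
            rejected.append((rec, f"eventVersion {version} not compatible with {required}"))
    return accepted, rejected


# Constructed sample. The consumer was written for 1.06, the version that
# introduced managementEvent, so it must not accept older or major-2 records.
SAMPLE_RECORDS = [
    {"eventID": "a", "eventVersion": "1.11", "eventName": "GetTrailStatus"},
    {"eventID": "b", "eventVersion": "1.05", "eventName": "DescribeTrails"},
    {"eventID": "c", "eventVersion": "2.0", "eventName": "DescribeTrails"},
    {"eventID": "d", "eventVersion": "one", "eventName": "DescribeTrails"},
    {"eventID": "e", "eventName": "DescribeTrails"},
]

if __name__ == "__main__":
    ok, bad = split_records(SAMPLE_RECORDS, "1.06")
    print("accepted:", [r["eventID"] for r in ok])
    for rec, why in bad:
        print("rejected:", rec["eventID"], "-", why)
```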

**`userIdentity`**  
Information about the IAM identity that made a request. For more information, see [CloudTrail userIdentity element](cloudtrail-event-reference-user-identity.md).   
**Since:** 1.0  
**Optional:** False

**`eventSource`**  
The service that the request was made to. This name is typically a short form of the service name without spaces plus `.amazonaws.com`. For example:  
+ CloudFormation is `cloudformation.amazonaws.com`.
+ Amazon EC2 is `ec2.amazonaws.com`.
+ Amazon Simple Workflow Service is `swf.amazonaws.com`.
This convention has some exceptions. For example, the `eventSource` for Amazon CloudWatch is `monitoring.amazonaws.com`.  
**Since:** 1.0  
**Optional:** False

**`eventName`**  
The requested action, which is one of the actions in the API for that service.  
**Since:** 1.0  
**Optional:** False

**`awsRegion`**  
The AWS Region that the request was made to, such as `us-east-2`. See [CloudTrail supported Regions](cloudtrail-supported-regions.md).  
**Since:** 1.0  
**Optional:** False

**`sourceIPAddress`**  
The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. For services in AWS, only the DNS name is displayed.  
For events originated by AWS, this field is usually `AWS Internal/#`, where `#` is a number used for internal purposes.  
**Since:** 1.0  
**Optional:** False

**`userAgent`**  
The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs or the AWS CLI.  
This field has a maximum size of 1 KB; content exceeding that limit is truncated. For event data stores configured to have a maximum event size of 1 MB, the field content is only truncated if the event payload exceeds 1 MB and the maximum field size is exceeded.  
The following are example values:  
+ `lambda.amazonaws.com` – The request was made with AWS Lambda.
+ `aws-sdk-java` – The request was made with the AWS SDK for Java. 
+ `aws-sdk-ruby` – The request was made with the AWS SDK for Ruby. 
+ `aws-cli/1.3.23 Python/2.7.6 Linux/2.6.18-164.el5` – The request was made with the AWS CLI installed on Linux. 
For events originated by AWS, if CloudTrail knows which AWS service made the call, this field is the event source of the calling service (for example, `ec2.amazonaws.com`). Otherwise, this field is `AWS Internal/#`, where `#` is a number used for internal purposes.  
**Since:** 1.0  
**Optional:** True

**`errorCode`**  
The AWS service error if the request returns an error. For an example that shows this field, see [Error code and message log example](cloudtrail-log-file-examples.md#error-code-and-error-message).  
This field has a maximum size of 1 KB; content exceeding that limit is truncated. For event data stores configured to have a maximum event size of 1 MB, the field content is only truncated if the event payload exceeds 1 MB and the maximum field size is exceeded.  
For network activity events, when there is a VPC endpoint policy violation, the error code is `VpceAccessDenied`.  
**Since:** 1.0  
**Optional:** True

**`errorMessage`**  
If the request returns an error, the description of the error. This message includes messages for authorization failures. CloudTrail captures the message logged by the service in its exception handling. For an example, see [Error code and message log example](cloudtrail-log-file-examples.md#error-code-and-error-message).  
This field has a maximum size of 1 KB; content exceeding that limit is truncated. For event data stores configured to have a maximum event size of 1 MB, the field content is only truncated if the event payload exceeds 1 MB and the maximum field size is exceeded.  
For network activity events, when there is a VPC endpoint policy violation, the `errorMessage` will always be the following message: `The request was denied due to a VPC endpoint policy`. For more information about access denied events for VPC endpoint policy violations, see [ Access denied error message examples](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_access-denied.html#access-denied-error-examples) in the *IAM User Guide*. For an example network activity event showing a VPC endpoint policy violation, see [Network activity events](cloudtrail-events.md#network-event-example) in this guide.  
Some AWS services provide the `errorCode` and `errorMessage` as top-level fields in the event. Other AWS services provide error information as part of `responseElements`.  
**Since:** 1.0  
**Optional:** True
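The `VpceAccessDenied` / `The request was denied due to a VPC endpoint policy` pair described under `errorCode` and `errorMessage` is what an endpoint owner reviews to see where an endpoint policy is blocking traffic. The following Python script is an added example, not from the AWS documentation: it reads the `Records` array of a log file, keeps network activity events with that error code, and counts them per VPC endpoint and service; the log file is constructed sample data and the endpoint IDs and addresses are placeholders.

```python
"""Summarise VPC endpoint policy denials from CloudTrail network activity events.

Added example, not from the AWS documentation. Reads the `Records` array
of a CloudTrail log file, keeps network activity events whose errorCode is
VpceAccessDenied, and counts them per (vpcEndpointId, eventSource). The
log file below is constructed sample data with placeholder identifiers.
"""
import json
from collections import Counter
from typing import Dict, List, Tuple

# Message the page states is always used for VPC endpoint policy violations.
VPCE_DENIED_MESSAGE = "The request was denied due to a VPC endpoint policy"


def _network_event(event_source: str, event_name: str, endpoint: str,
                   source_ip: str, denied: bool) -> dict:
    """Build one constructed network activity record using the fields the page lists."""
    rec = {
        "eventVersion": "1.11", "eventTime": "2025-01-22T22:06:16Z",
        "eventCategory": "NetworkActivity", "eventType": "AwsVpceEvents",
        "eventSource": event_source, "eventName": event_name,
        "sourceIPAddress": source_ip, "vpcEndpointId": endpoint,
        "vpcEndpointAccountId": "111122223333",
    }
    if denied:
        rec["errorCode"] = "VpceAccessDenied"
        rec["errorMessage"] = VPCE_DENIED_MESSAGE
    return rec


# Constructed log file: two denials on one endpoint, one on another, one
# allowed network activity event and one unrelated management event.
SAMPLE_LOG = json.dumps({"Records": [
    _network_event("s3.amazonaws.com", "GetObject", "vpce-EXAMPLE1", "10.0.1.25", True),
    _network_event("s3.amazonaws.com", "PutObject", "vpce-EXAMPLE1", "10.0.1.25", True),
    _network_event("s3.amazonaws.com", "GetObject", "vpce-EXAMPLE1", "10.0.2.7", False),
    _network_event("kms.amazonaws.com", "Decrypt", "vpce-EXAMPLE2", "10.0.3.9", True),
    {"eventVersion": "1.11", "eventCategory": "Management", "eventType": "AwsApiCall",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "GetTrailStatus",
     "sourceIPAddress": "192.168.0.0"},
]})


def is_vpce_denial(record: dict) -> bool:
    """Network activity event that a VPC endpoint policy rejected."""
    return (record.get("eventCategory") == "NetworkActivity"
            and record.get("errorCode") == "VpceAccessDenied")


def summarize_vpce_denials(log_text: str) -> Dict[Tuple[str, str], int]:
    """Count denials per (vpcEndpointId, eventSource) across the Records array."""
    counts: Counter = Counter()
    for rec in json.loads(log_text).get("Records", []):
        if is_vpce_denial(rec):
            counts[(rec.get("vpcEndpointId", "unknown"),
                    rec.get("eventSource", "unknown"))] += 1
    return dict(counts)


def denial_report(log_text: str, min_count: int = 1) -> List[str]:
    """Report lines, busiest endpoint first, for pairs with at least min_count denials."""
    summary = summarize_vpce_denials(log_text)
    ordered = sorted(summary.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{endpoint} {source}: {n} VpceAccessDenied"
            for (endpoint, source), n in ordered if n >= min_count]


if __name__ == "__main__":
    for line in denial_report(SAMPLE_LOG):
        print(line)
```

Point it at real log files by replacing `SAMPLE_LOG` with the decompressed contents of a delivered log object; the same two fields drive the `eventCategory` / `errorCode` filter used in the advanced event selector examples earlier on this page.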

**`requestParameters`**  
The parameters, if any, that were sent with the request. These parameters are documented in the API reference documentation for the appropriate AWS service. This field has a maximum size of 100 KB. When the field size exceeds 100 KB, the `requestParameters` content is omitted. For event data stores configured to have a maximum event size of 1 MB, the field content is only omitted if the event payload exceeds 1 MB and the maximum field size is exceeded.  
**Since:** 1.0  
**Optional:** False

**`responseElements`**  
The response elements, if any, for actions that make changes (create, update, or delete actions). For `readOnly` APIs, this field is `null`. If the action doesn't return response elements, this field is `null`. The response elements for actions are documented in the API reference documentation for the appropriate AWS service.  
This field has a maximum size of 100 KB. When the field size exceeds 100 KB, the `responseElements` content is omitted. For event data stores configured to have a maximum event size of 1 MB, the field content is only omitted if the event payload exceeds 1 MB and the maximum field size is exceeded.  
The `responseElements` value is useful to help you trace a request with AWS Support. Both `x-amz-request-id` and `x-amz-id-2` contain information that helps you trace a request with Support. These values are the same as those that the service returns in the response to the request that initiates the events, so you can use them to match the event to the request.  
**Since:** 1.0  
**Optional:** False

**`additionalEventData`**  
Additional data about the event that was not part of the request or response. This field has a maximum size of 28 KB. When the field size exceeds 28 KB, the `additionalEventData` content is omitted. For event data stores configured to have a maximum event size of 1 MB, the field content is only omitted if the event payload exceeds 1 MB and the maximum field size is exceeded.  
The content of `additionalEventData` is variable. For example, for [AWS Management Console sign-in events](cloudtrail-event-reference-aws-console-sign-in-events.md), `additionalEventData` could include the `MFAUsed` field with a value of `Yes` if the request was made by a root or IAM user using multi-factor authentication (MFA).  
**Since:** 1.0  
**Optional:** True

**`requestID`**  
The value that identifies the request. The service being called generates this value. This field has a maximum size of 1 KB; content exceeding that limit is truncated. For event data stores configured to have a maximum event size of 1 MB, the field content is only truncated if the event payload exceeds 1 MB and the maximum field size is exceeded.  
**Since:** 1.01  
**Optional:** True

**`eventID`**  
GUID generated by CloudTrail to uniquely identify each event. You can use this value to identify a single event. For example, you can use the ID as a primary key to retrieve log data from a searchable database.   
**Since:** 1.01  
**Optional:** False

**`eventType`**  
Identifies the type of event that generated the event record. This can be one of the following values:  
+ `AwsApiCall` – An API was called.
+ `AwsServiceEvent` – The service generated an event related to your trail. For example, this can occur when another account made a call with a resource that you own. 
+ `AwsConsoleAction` – An action was taken in the console that was not an API call.
+ `AwsConsoleSignIn` – A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console.
+ `AwsVpceEvents` – CloudTrail network activity events enable VPC endpoint owners to record AWS API calls made using their VPC endpoints from a private VPC to the AWS service. To record network activity events, the VPC endpoint owner must enable network activity events for the event source. 
**Since:** 1.02  
**Optional:** False

**`apiVersion`**  
Identifies the API version associated with the `AwsApiCall` `eventType` value.  
**Since:** 1.01  
**Optional:** True

**`managementEvent`**  
A Boolean value that identifies whether the event is a management event. `managementEvent` is shown in an event record if `eventVersion` is 1.06 or higher, and the event type is one of the following:  
+ `AwsApiCall`
+ `AwsConsoleAction`
+ `AwsConsoleSignIn`
+ `AwsServiceEvent`
**Since:** 1.06  
**Optional:** True

**`readOnly`**  
Identifies whether this operation is a read-only operation. This can be one of the following values:  
+ `true` – The operation is read-only (for example, `DescribeTrails`).
+ `false` – The operation is write-only (for example, `DeleteTrail`).
**Since:** 1.01  
**Optional:** True

**`resources`**  
A list of resources accessed in the event. The field can contain the following information:  
+ Resource ARNs
+ Account ID of the resource owner
+ Resource type identifier in the format: `AWS::aws-service-name::data-type-name`
For example, when an `AssumeRole` event is logged, the `resources` field can appear like the following:  
+ ARN: `arn:aws:iam::123456789012:role/myRole`
+ Account ID: `123456789012`
+ Resource type identifier: `AWS::IAM::Role`
For example logs with the `resources` field, see [AWS STS API Event in CloudTrail Log File](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#stscloudtrailexample) in the *IAM User Guide* or [ Logging AWS KMS API Calls](https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html) in the *AWS Key Management Service Developer Guide*.  
**Since:** 1.01  
**Optional:** True

**`recipientAccountId`**  
Represents the account ID that received this event. The `recipientAccountId` may be different from the [CloudTrail userIdentity element](cloudtrail-event-reference-user-identity.md) `accountId`. This can occur in cross-account resource access. For example, if a KMS key, also known as an [AWS KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html), was used by a separate account to call the [Encrypt API](https://docs.aws.amazon.com/kms/latest/developerguide/ct-encrypt.html), the `accountId` and `recipientAccountId` values will be the same for the event delivered to the account that made the call, but the values will be different for the event that is delivered to the account that owns the KMS key.  
**Since:** 1.02  
**Optional:** True

**`serviceEventDetails`**  
Identifies the service event, including what triggered the event and the result. For more information, see [AWS service events](non-api-aws-service-events.md). This field has a maximum size of 100 KB. When the field size exceeds 100 KB, the `serviceEventDetails` content is omitted. For event data stores configured to have a maximum event size of 1 MB, the field content is only omitted if the event payload exceeds 1 MB and the maximum field size is exceeded.  
**Since:** 1.05  
**Optional:** True

**`sharedEventID`**  
GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts.  
For example, when an account uses an [AWS KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) that belongs to another account, the account that used the KMS key and the account that owns the KMS key receive separate CloudTrail events for the same action. Each CloudTrail event delivered for this AWS action shares the same `sharedEventID`, but also has a unique `eventID` and `recipientAccountId`.  
For more information, see [Example sharedEventID](#shared-event-ID).  
The `sharedEventID` field is present only when CloudTrail events are delivered to multiple accounts. If the caller and owner are the same AWS account, CloudTrail sends only one event, and the `sharedEventID` field is not present.  
**Since:** 1.03  
**Optional:** True

**`vpcEndpointId`**  
Identifies the VPC endpoint through which a request was made from a VPC to another AWS service, such as Amazon EC2.  
For events originated by AWS and through an AWS service's VPC, this field is usually `AWS Internal` or the service name.  
**Since:** 1.04  
**Optional:** True

**`vpcEndpointAccountId`**  
Identifies the AWS account ID of the owner of the VPC endpoint that the request traversed.  
For events originated by AWS and through an AWS service's VPC, this field is usually `AWS Internal` or the service name.  
**Since:** 1.09  
**Optional:** True

**`eventCategory`**  
Shows the event category. The event category is used in [LookupEvents](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html) calls to filter on management events.  
+ For management events, the value is `Management`.
+ For data events, the value is `Data`.
+ For network activity events, the value is `NetworkActivity`.
**Since:** 1.07  
**Optional:** False

**`addendum`**  
If an event delivery was delayed, or additional information about an existing event becomes available after the event is logged, an addendum field shows information about why the event was delayed. If information was missing from an existing event, the addendum field includes the missing information and a reason for why it was missing. Contents include the following.  
+ **`reason`** - The reason that the event or some of its contents were missing. Values can be any of the following.
  + **`DELIVERY_DELAY`** – There was a delay delivering events. This could be caused by high network traffic, connectivity issues, or a CloudTrail service issue.
  + **`UPDATED_DATA`** – A field in the event record was missing or had an incorrect value.
  + **`SERVICE_OUTAGE`** – A service that logs events to CloudTrail had an outage, and couldn’t log events to CloudTrail. This is exceptionally rare.
+ **`updatedFields`** - The event record fields that are updated by the addendum. This is only provided if the reason is `UPDATED_DATA`.
+ **`originalRequestID`** - The original unique ID of the request. This is only provided if the reason is `UPDATED_DATA`.
+ **`originalEventID`** - The original event ID. This is only provided if the reason is `UPDATED_DATA`.
**Since:** 1.08  
**Optional:** True

**`sessionCredentialFromConsole`**  
String with a value of `true` or `false` that shows whether an event originated from an AWS Management Console session. This field is shown only when the value is `true`, meaning that the client used to make the API call was either a proxy or an external client. If a proxy client was used, the `tlsDetails` event field is not shown.  
**Since:** 1.08  
**Optional:** True

**`eventContext`**  
This field is present in enriched events recorded for event data stores that were configured to include resource tag keys or IAM global condition keys. For more information, see [Enrich CloudTrail events by adding resource tag keys and IAM global condition keys](cloudtrail-context-events.md).  
Contents include the following:  
+ `requestContext` – Includes information about the IAM global condition keys that were evaluated during the authorization process, including additional details about the principal, session, network, and the request itself.
+ `tagContext` – Includes the tags associated with the resources that were involved in the API call as well as tags associated with IAM principals such as roles or users. For more information, see [Controlling access for IAM principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html#access_iam-tags_control-principals).

  API events related to deleted resources will not have resource tags.

The `eventContext` field is only present in events for event data stores that are configured to include resource tag keys and IAM global condition keys. Events delivered to **Event history**, to Amazon EventBridge, or to trails, and events returned by the AWS CLI `lookup-events` command, do not include the `eventContext` field.  
**Since:** 1.11  
**Optional:** True

**`edgeDeviceDetails`**  
Shows information about edge devices that are targets of a request. Currently, [Amazon S3 on Outposts](https://aws.amazon.com/s3/outposts/) device events include this field. This field has a maximum size of 28 KB; content exceeding that limit is truncated. For event data stores configured to have a maximum event size of 1 MB, the field content is only truncated if the event payload exceeds 1 MB and the maximum field size is exceeded.  
**Since:** 1.08  
**Optional:** True

**`tlsDetails`**  
Shows information about the Transport Layer Security (TLS) version, cipher suites, and the fully qualified domain name (FQDN) of the client-provided host name used in the service API call, which is typically the FQDN of the service endpoint. CloudTrail still logs partial TLS details if expected information is missing or empty. For example, if the TLS version and cipher suite are present, but the `HOST` header is empty, available TLS details are still logged in the CloudTrail event.  
+ **`tlsVersion`** - The TLS version of a request.
+ **`cipherSuite`** - The cipher suite (combination of security algorithms used) of a request.
+ **`clientProvidedHostHeader`** - The client-provided host name used in the service API call, which is typically the FQDN of the service endpoint.
+ **`keyExchange`** - The key exchange method used in the TLS handshake. This field indicates whether the connection used classical cryptography or post-quantum cryptography. Example values include `X25519MLKEM768` for post-quantum TLS 1.3, `x25519` for classical TLS 1.3, and `secp256r1` for TLS 1.2.
There are some cases when the `tlsDetails` field is not present in an event record.  
+ The `tlsDetails` field is not present if the API call was made by an AWS service on your behalf. The `invokedBy` field in the `userIdentity` element identifies the AWS service that made the API call.
+ If `sessionCredentialFromConsole` is present with a value of `true`, `tlsDetails` is present in an event record only if an external client was used to make the API call.
**Since:** 1.08  
**Optional:** True
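The following is an added example, not AWS code, that runs the `tlsDetails` rules above over constructed records: it flags TLS versions below a policy floor, labels the key exchange as classical or post-quantum (using the `X25519MLKEM768` example value as the post-quantum marker), and, where `tlsDetails` is absent, reports which documented reason applies (`invokedBy` service call, or a console session through a proxy). The records, the policy floor, and the cipher suite strings are constructed for the example.

```python
"""Summarise TLS posture across CloudTrail records and explain missing tlsDetails.

Added example, not AWS code. The records are constructed; only fields documented in
the record reference are used (tlsDetails.tlsVersion/cipherSuite/keyExchange/
clientProvidedHostHeader, userIdentity.invokedBy, sessionCredentialFromConsole).
"""
import re

MIN_TLS = (1, 2)  # policy floor assumed for this example

# Constructed sample records.
RECORDS = [
    {"eventID": "e-1", "eventName": "GetObject", "userIdentity": {"type": "IAMUser"},
     "tlsDetails": {"tlsVersion": "TLSv1.0", "cipherSuite": "ECDHE-RSA-AES128-SHA",
                    "clientProvidedHostHeader": "s3.us-east-1.amazonaws.com",
                    "keyExchange": "secp256r1"}},
    {"eventID": "e-2", "eventName": "GenerateDataKey", "userIdentity": {"type": "AssumedRole"},
     "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_256_GCM_SHA384",
                    "clientProvidedHostHeader": "kms.us-east-1.amazonaws.com",
                    "keyExchange": "X25519MLKEM768"}},
    {"eventID": "e-3", "eventName": "DescribeStacks",  # made by a service on the account's behalf
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventID": "e-4", "eventName": "ListBuckets",     # console session through a proxy client
     "userIdentity": {"type": "IAMUser"}, "sessionCredentialFromConsole": "true"},
]


def tls_version_tuple(text):
    """'TLSv1.2' -> (1, 2); None when the string is not in that form."""
    m = re.fullmatch(r"TLSv(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def explain_missing_tls(record):
    """Return the documented reason tlsDetails can be absent, or 'unexplained'."""
    invoked_by = record.get("userIdentity", {}).get("invokedBy")
    if invoked_by:
        return f"call made by AWS service {invoked_by} on the account's behalf"
    if record.get("sessionCredentialFromConsole") == "true":
        return "console session through a proxy client"
    return "unexplained"


def assess(records, min_version=MIN_TLS):
    """Return one finding dict per record."""
    findings = []
    for r in records:
        tls = r.get("tlsDetails")
        if tls is None:
            findings.append({"eventID": r["eventID"], "status": "no-tls-details",
                             "reason": explain_missing_tls(r)})
            continue
        version = tls_version_tuple(tls.get("tlsVersion"))
        kx = tls.get("keyExchange", "")
        findings.append({
            "eventID": r["eventID"],
            "status": "below-minimum" if version is None or version < min_version else "ok",
            "tlsVersion": tls.get("tlsVersion"),
            "keyExchange": "post-quantum" if "MLKEM" in kx.upper() else "classical",
            "host": tls.get("clientProvidedHostHeader"),
        })
    return findings


if __name__ == "__main__":
    for finding in assess(RECORDS):
        print(finding)
```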

## Field truncation order for maximum event size of 1 MB
<a name="context-event-truncation-order"></a>

You can expand the maximum event size from 256 KB up to 1 MB when you create or update an event data store using the [CloudTrail console](query-event-data-store-cloudtrail.md), [AWS CLI](lake-cli-manage-eds.md#lake-cli-put-event-configuration), and SDKs.

Expanding the event size is helpful for analyzing and troubleshooting events because it allows you to see the full contents of fields that would normally get truncated or omitted.

When the event payload exceeds 1 MB, CloudTrail truncates fields in the following order:
+ `annotation`
+ `requestID`
+ `additionalEventData`
+ `serviceEventDetails`
+ `userAgent`
+ `errorCode`
+ `eventContext`
+ `responseElements`
+ `requestParameters`
+ `errorMessage`

If an event payload cannot be reduced to under 1 MB even after truncation, an error will occur.

## Example sharedEventID
<a name="shared-event-ID"></a>

The following is an example that describes how CloudTrail delivers two events for the same action:

1. Alice has AWS account (111111111111) and creates an AWS KMS key. She is the owner of this KMS key. 

1. Bob has AWS account (222222222222). Alice gives Bob permission to use the KMS key. 

1. Each account has a trail and a separate bucket.

1. Bob uses the KMS key to call the `Encrypt` API. 

1. CloudTrail sends two separate events. 
   + One event is sent to Bob. The event shows that he used the KMS key.
   + One event is sent to Alice. The event shows that Bob used the KMS key.
   + The events have the same `sharedEventID`, but the `eventID` and `recipientAccountID` are unique.

![\[How the sharedEventID field appears in logs\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/event-reference-sharedEventId.png)
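The following is an added example, not AWS code, that correlates the two events from the Alice/Bob walkthrough. The records are constructed: they carry one `sharedEventID`, two `eventID` values, two `recipientAccountId` values, and a `userIdentity.accountId` that always names the caller, so the owner can tell "I used my key" from "another account used my key"; a third record is a same-account call with no `sharedEventID`.

```python
"""Correlate the two CloudTrail events that a single cross-account KMS call produces.

Added example, not AWS code. RECORDS mirrors the Alice/Bob walkthrough with
constructed IDs; only the fields needed for correlation are present.
"""
from collections import defaultdict

ALICE, BOB = "111111111111", "222222222222"
SHARED = "5ca1ab1e-0000-4000-8000-00000000aaaa"  # constructed sharedEventID

RECORDS = [
    {   # delivered to Bob's trail: he made the call
        "eventID": "c0ffee00-0000-4000-8000-000000000001",
        "sharedEventID": SHARED,
        "eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
        "recipientAccountId": BOB,
        "userIdentity": {"type": "IAMUser", "accountId": BOB,
                         "arn": f"arn:aws:iam::{BOB}:user/bob"},
    },
    {   # delivered to Alice's trail: she owns the key, Bob is still the caller
        "eventID": "c0ffee00-0000-4000-8000-000000000002",
        "sharedEventID": SHARED,
        "eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
        "recipientAccountId": ALICE,
        "userIdentity": {"type": "IAMUser", "accountId": BOB,
                         "arn": f"arn:aws:iam::{BOB}:user/bob"},
    },
    {   # Alice using her own key: caller == owner, so one event and no sharedEventID
        "eventID": "c0ffee00-0000-4000-8000-000000000003",
        "eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
        "recipientAccountId": ALICE,
        "userIdentity": {"type": "IAMUser", "accountId": ALICE,
                         "arn": f"arn:aws:iam::{ALICE}:user/alice"},
    },
]


def event_view(record):
    """'caller' when the recipient account made the call, 'owner' when it only owned the resource."""
    caller = record["userIdentity"].get("accountId")
    return "caller" if caller == record["recipientAccountId"] else "owner"


def correlate(records):
    """Group records by sharedEventID; records without one are keyed by their own eventID."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("sharedEventID", r["eventID"])].append(r)
    return dict(groups)


def check_shared_group(group):
    """Invariants the reference states for one sharedEventID group; returns violations."""
    problems = []
    if len({r["eventID"] for r in group}) != len(group):
        problems.append("eventID values are not unique")
    if len({r["recipientAccountId"] for r in group}) != len(group):
        problems.append("recipientAccountId values are not unique")
    if len({(r["eventSource"], r["eventName"]) for r in group}) != 1:
        problems.append("group mixes different actions")
    return problems


def cross_account_uses(records, owned_account):
    """Owner-side view: (caller account, eventName, sharedEventID) for each call into
    owned_account's resources that was made from a different account."""
    return [(r["userIdentity"]["accountId"], r["eventName"], r.get("sharedEventID"))
            for r in records
            if r["recipientAccountId"] == owned_account and event_view(r) == "owner"]


if __name__ == "__main__":
    for shared_id, group in correlate(RECORDS).items():
        print(shared_id, [event_view(r) for r in group], check_shared_group(group))
    print("used from other accounts:", cross_account_uses(RECORDS, ALICE))
```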


# CloudTrail record contents for aggregated events
<a name="cloudtrail-event-reference-aggregated-events"></a>

AWS CloudTrail aggregated event records include fields that are different from other CloudTrail events in their JSON payload. Aggregated events contain the following fields:

**`eventVersion`**  
The version of the aggregated event.  
**Since:** 1.0  
**Optional:** False

**`accountId`**  
The account ID that received this event.  
**Since:** 1.0  
**Optional:** False

**`eventId`**  
A GUID generated by CloudTrail to uniquely identify each aggregated event. You can use this value to identify a single event. For example, you can use the ID as a primary key to retrieve log data from a searchable database.  
**Since:** 1.0  
**Optional:** False

**`eventCategory`**  
Identifies the category of the event. For aggregated events, this value is always `Aggregated`. Use this field for filtering when you query events by category.  
**Since:** 1.0  
**Optional:** False

**`eventType`**  
Identifies the type of aggregated event. For aggregated events, this value is `AwsAggregatedEvent`.  
**Since:** 1.0  
**Optional:** False

**`awsRegion`**  
The AWS Region of the atomic CloudTrail events that were aggregated into this record, such as `ap-northeast-1`. This is typically the Region where the service API calls were made.  
**Since:** 1.0  
**Optional:** False

**`eventSource`**  
The AWS service for which the underlying events were recorded.  
**Since:** 1.0  
**Optional:** False

**`timeWindow`**  
The time interval over which atomic CloudTrail events were aggregated into this aggregated event record. The `timeWindow` field contains details such as window start time, window end time and window size.  
**Since:** 1.0  
**Optional:** False    
**`windowStart`**  
The start of the aggregation window, inclusive, in Universal Time (UTC), represented in ISO-8601 format.  
**Since:** 1.0  
**Optional:** False  
**`windowEnd`**  
The end of the aggregation window, exclusive, in UTC, represented in ISO-8601 format.  
**Since:** 1.0  
**Optional:** False  
**`windowSize`**  
The duration of the aggregation window. The difference `windowEnd − windowStart` should correspond to `windowSize`. The `windowSize` is represented in ISO-8601 format.  
**Since:** 1.0  
**Optional:** False

**`summary`**  
An aggregation summary for the underlying atomic events, grouped by a primary dimension (for example, `eventName`, `resourceARN` or `userIdentity`) and optionally broken down by additional dimensions (for example, `userAgent`, `sourceIpAddress`, `errorCodes`).  
**Since:** 1.0  
**Optional:** False  
The summary contains the following fields:    
**`primaryDimension`**  
The primary aggregation dimension for this `AwsAggregatedEvent`. This is the main view of the aggregated data. For instance, in the `API_ACTIVITY` aggregation template, the primary dimension is `eventName`; in the `RESOURCE_ACCESS` template, it is `resourceARN`; and in the `USER_ACTIONS` template, it is `userIdentity`.  
**Since:** 1.0  
**Optional:** False  
**`details`**  
Additional dimensions that provide more detail about the aggregated atomic events. Each `details` entry gives another view of the same underlying events, grouped by a dimension such as `eventName`, `resourceARN`, `userIdentity`, `userAgent`, or `sourceIpAddress`, depending on the aggregation template.  
**Since:** 1.0  
**Optional:** False  
Each detail provides the following information:    
**`dimension`**  
The name of the dimension used to group the aggregated events. Common values include:  
+ `eventName`
+ `resourceARN`
+ `userIdentity`
+ `userAgent`
+ `sourceIpAddress`
**Since:** 1.0  
**Optional:** False  
**`statistics`**  
A list of statistics for this dimension, where each entry represents one bucket (for example, one event name or one resource ARN) and its aggregated value.  
**Since:** 1.0  
**Optional:** False  
Each entry in statistics contains the following information:    
**`name`**  
The bucket identifier or key for this statistic within the associated dimension.  
**`value`**  
The aggregated numeric value for the specified name in the given dimension.  
**`aggregationType`**  
The type of aggregation applied to compute `statistics.value` for this dimension. Allowed values:  
+ `Count` – Number of events.
**Since:** 1.0  
**Optional:** False

**`addendum`**  
Carries metadata about delayed delivery of, or updates to, an existing `AwsAggregatedEvent`.  
**Since:** 1.0  
**Optional:** False    
**`reason`**  
The reason why an `AwsAggregatedEvent` was delayed, updated, or otherwise supplemented. Common values can include (non-exhaustive):  
+ `DELIVERY_DELAY` – Delivery of aggregated data was delayed (for example, network issues or high volume).
+ `UPDATED_DATA` – Aggregated data was recomputed or corrected.
+ `SERVICE_OUTAGE` – Underlying service outage affected event availability.
**Since:** 1.0  
**Optional:** True

## Example aggregated event
<a name="example-aggregated-event"></a>

The following is an example of a CloudTrail aggregated event (`AwsAggregatedEvent`). In this example, CloudTrail aggregates `PutAuditEvents` calls to `cloudtrail-data.amazonaws.com` over a five-minute time window in the `us-east-1` Region. The summary block shows the primary aggregation dimension (`eventName`) and that 30 `PutAuditEvents` calls occurred during the time window. The details entries further break down those calls by `resourceARN`, `userIdentity`, `userAgent`, and `sourceIpAddress` to show how activity is distributed across resources, principals, and clients.

```json
{
    "eventVersion": "1.0",
    "accountId": "111122223333",
    "eventId": "4da798a8-1db6-4d17-8b51-4c33df06b56d",
    "eventCategory": "Aggregated",
    "eventType": "AwsAggregatedEvent",
    "awsRegion": "us-east-1",
    "eventSource": "cloudtrail-data.amazonaws.com",
    "timeWindow":
    {
        "windowStart": "2025-10-30 23:45:00",
        "windowEnd": "2025-10-30 23:50:00",
        "windowSize": "PT5M"
    },
    "summary":
    {
        "primaryDimension":
        {
            "dimension": "eventName",
            "statistics":
            [
                {
                    "name": "PutAuditEvents",
                    "value": 30
                }
            ],
            "aggregationType": "Count"
        },
        "details":
        [
            {
                "dimension": "resourceARN",
                "statistics":
                [
                    {
                        "name": "arn:aws:cloudtrail:us-east-1:111122223333:channel/1234abcd-12ab-34cd-56ef-1234567890ab",
                        "value": 20
                    },
                    {
                        "name": "arn:aws:cloudtrail:us-east-1:111122223333:channel/6789abcd-12ab-34cd-56ef-6789012345ab",
                        "value": 10
                    }
                ],
                "aggregationType": "Count"
            },
            {
                "dimension": "userIdentity",
                "statistics":
                [
                    {
                        "name": "AWSAccount:111122223333",
                        "value": 20
                    },
                    {
                        "name": "AWSService:AWS Internal",
                        "value": 10
                    }
                ],
                "aggregationType": "Count"
            },
            {
                "dimension": "userAgent",
                "statistics":
                [
                    {
                        "name": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
                        "value": 20
                    },
                    {
                        "name": "AWS Internal",
                        "value": 10
                    }
                ],
                "aggregationType": "Count"
            },
            {
                "dimension": "sourceIpAddress",
                "statistics":
                [
                    {
                        "name": "1.2.3.4",
                        "value": 20
                    },
                    {
                        "name": "AWS Internal",
                        "value": 10
                    }
                ],
                "aggregationType": "Count"
            }
        ]
    }
}
```
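The following is an added example, not AWS code, that checks an `AwsAggregatedEvent` against the invariants the field reference states before its counts are trusted: `windowEnd − windowStart` must match `windowSize`, the primary dimension is a `Count`, and every `details` dimension re-buckets the same atomic events, so its values must add up to the primary total. `SAMPLE` is a trimmed copy of the example record above; the timestamp parser accepts the `YYYY-MM-DD HH:MM:SS` form the example uses as well as the strict ISO-8601 forms.

```python
"""Sanity-check a CloudTrail AwsAggregatedEvent before trusting its counts.

Added example, not AWS code. SAMPLE is a trimmed copy of the documented example.
"""
import re
from datetime import datetime, timedelta

SAMPLE = {
    "eventVersion": "1.0",
    "accountId": "111122223333",
    "eventCategory": "Aggregated",
    "eventType": "AwsAggregatedEvent",
    "awsRegion": "us-east-1",
    "eventSource": "cloudtrail-data.amazonaws.com",
    "timeWindow": {"windowStart": "2025-10-30 23:45:00",
                   "windowEnd": "2025-10-30 23:50:00", "windowSize": "PT5M"},
    "summary": {
        "primaryDimension": {"dimension": "eventName", "aggregationType": "Count",
                             "statistics": [{"name": "PutAuditEvents", "value": 30}]},
        "details": [
            {"dimension": "userIdentity", "aggregationType": "Count",
             "statistics": [{"name": "AWSAccount:111122223333", "value": 20},
                            {"name": "AWSService:AWS Internal", "value": 10}]},
            {"dimension": "sourceIpAddress", "aggregationType": "Count",
             "statistics": [{"name": "1.2.3.4", "value": 20},
                            {"name": "AWS Internal", "value": 10}]},
        ],
    },
}

# Days/hours/minutes/seconds only, which covers window sizes such as PT5M.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """ISO-8601 duration (e.g. 'PT5M', 'P1DT2H') -> timedelta."""
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported ISO-8601 duration: {text!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def parse_time(text):
    """Accept the 'YYYY-MM-DD HH:MM:SS' form from the example and the strict ISO forms."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {text!r}")


def check_aggregated_event(event):
    """Return a list of findings; an empty list means the record is self-consistent."""
    findings = []
    if (event.get("eventType"), event.get("eventCategory")) != ("AwsAggregatedEvent", "Aggregated"):
        findings.append("eventType/eventCategory do not identify an aggregated event")
    tw = event["timeWindow"]
    span = parse_time(tw["windowEnd"]) - parse_time(tw["windowStart"])
    if span != parse_duration(tw["windowSize"]):
        findings.append(f"window spans {span} but windowSize is {tw['windowSize']}")
    primary = event["summary"]["primaryDimension"]
    if primary.get("aggregationType") != "Count":
        findings.append(f"unexpected aggregationType {primary.get('aggregationType')!r}")
    total = sum(s["value"] for s in primary["statistics"])
    # Each details dimension partitions the same atomic events, so its counts must match.
    for detail in event["summary"].get("details", []):
        sub = sum(s["value"] for s in detail["statistics"])
        if sub != total:
            findings.append(f"{detail['dimension']} counts sum to {sub}, "
                            f"but {primary['dimension']} total is {total}")
    return findings


if __name__ == "__main__":
    print(check_aggregated_event(SAMPLE) or "record is self-consistent")
```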

# CloudTrail record contents for Insights events for trails
<a name="cloudtrail-insights-fields-trails"></a>

AWS CloudTrail Insights event records for trails include fields that are different from other CloudTrail events in their JSON structure, sometimes called *payload*. CloudTrail Insights events for trails contain the following fields:
+ **`eventVersion`** – The version of the event.

  **Since:** 1.07

  **Optional:** False
+ **`eventType`** – The event type. The value is always `AwsCloudTrailInsight` for Insights events.

  **Since:** 1.07

  **Optional:** False
+ **`eventID`** – GUID generated by CloudTrail to uniquely identify each event. You can use this value to identify a single event. For example, you can use the ID as a primary key to retrieve log data from a searchable database.

  **Since:** 1.07

  **Optional:** False
+ **`eventTime`** – The time the Insights event started or stopped, in coordinated universal time (UTC).

  **Since:** 1.07

  **Optional:** False
+ **`awsRegion`** – The AWS Region where the Insights event occurred, such as `us-east-2`.

  **Since:** 1.07

  **Optional:** False
+ **`recipientAccountId`** – Represents the account ID that received this event.

  **Since:** 1.07

  **Optional:** True
+ **`sharedEventID`** – A GUID that is generated by CloudTrail Insights to uniquely identify an Insights event. `sharedEventID` is common between the start and the end Insights events, and helps to connect both events to uniquely identify unusual activity. You can think of the `sharedEventID` as the overall Insights event ID.

  **Since:** 1.07

  **Optional:** False
+ **`insightDetails`** – A CloudTrail Insights event record for a trail includes an `insightDetails` block that contains information about the underlying triggers of an Insights event, such as event source, user identities, user agents, historical averages or *baselines*, statistics, API name, and whether the event is the start or end of the Insights event.

  **Since:** 1.07

  **Optional:** False
  + **`state`** – Whether the event is the starting or ending Insights event. The value can be `Start` or `End`.

    **Since:** 1.07

    **Optional:** False
  + **`eventSource`** – The AWS service that was the source of the unusual activity, such as `ec2.amazonaws.com`.

    **Since:** 1.07

    **Optional:** False
  + **`eventName`** – The name of the Insights event, typically the name of the API that was the source of the unusual activity.

    **Since:** 1.07

    **Optional:** False
  + **`insightType`** – The type of Insights event. This value can be `ApiCallRateInsight` or `ApiErrorRateInsight`.

    **Since:** 1.07

    **Optional:** False
  + **`errorCode`** – The error code of the unusual activity. See also `errorCode` in [CloudTrail record contents for management, data, and network activity events](cloudtrail-event-reference-record-contents.md).

    **Since:** 1.07

    **Optional:** True
  + **`insightContext`** – Information about the AWS tools (called *user agents*), IAM users and roles (called *user identities*), and error codes associated with the events that CloudTrail analyzed to generate the Insights event. This element also includes statistics that show how the unusual activity in an Insights event compares to *baseline*, or normal, activity.

    **Since:** 1.07

    **Optional:** False
    + **`statistics`** – Includes data about the *baseline*, or typical average rate of calls to or errors on the subject API by an account as measured during the baseline period, the average rate of calls or errors that triggered the Insights event, the duration, in minutes, of the Insights event, and the duration, in minutes, of the baseline measuring period.

      **Since:** 1.07

      **Optional:** False
      + **`baseline`** – The API calls or errors per minute during the baseline duration on the Insights event's subject API for the account, calculated over the seven days preceding the start of the Insights event.

        **Since:** 1.07

        **Optional:** False
        + **`average`** – The historic average of API calls or errors per minute during the seven days preceding the Insights activity start time.

          **Since:** 1.07

          **Optional:** False
      + **`insight`** – For a starting Insights event, this value is the average number of API calls or errors per minute during the start of the unusual activity. For an ending Insights event, this value is the average number of API calls or errors per minute over the duration of the unusual activity.

        **Since:** 1.07

        **Optional:** False
        + **`average`** – The average number of API calls or errors logged per minute during the unusual activity period.

          **Since:** 1.07

          **Optional:** False
      + **`insightDuration`** – The duration, in minutes, of an Insights event (the time period from the start to the end of unusual activity on the subject API). `insightDuration` occurs in both starting and ending Insights events.

        **Since:** 1.07

        **Optional:** False
      + **`baselineDuration`** – The duration, in minutes, of the baseline period (the time period that normal activity is measured on the subject API). `baselineDuration` is at minimum the seven days (10080 minutes) preceding an Insights event. This field occurs in both starting and ending Insights events. The ending time of `baselineDuration` measurement is always the start of an Insights event.

        **Since:** 1.07

        **Optional:** False
    + **`attributions`** – Includes information about the user identities, user agents, and error codes correlated with unusual and baseline activity. A maximum of five user identities, five user agents, and five error codes are captured in an Insights event `attributions` block, sorted by an average of the count of activity, in descending order from highest to lowest.

      **Since:** 1.07

      **Optional:** True
      + **`attribute`** – Contains the attribute type. Value can be `userIdentityArn`, `userAgent`, or `errorCode`. If present, these values will appear only once in an individual attribute. Different attribute values can have different `userIdentityArn`, `userAgent`, or `errorCode` values, but each attribute instance will contain only one value for `userIdentityArn`, `userAgent`, or `errorCode`.

        **Since:** 1.07

        **Optional:** False
      + **`insight`** – A block that shows up to the top five attribute values that contributed to the API calls or errors made during the unusual activity period, in descending order from largest number of API calls or errors to smallest. It also shows the average number of API calls or errors made by the attribute values during the unusual activity period.

        **Since:** 1.07

        **Optional:** False
        + **`value`** – The attribute that contributed to the API calls or errors made during the unusual activity period.

          **Since:** 1.07

          **Optional:** False
        + **`average`** – The number of API calls or errors per minute during the unusual activity period for the attribute in the `value` field.

          **Since:** 1.07

          **Optional:** False
      + **`baseline`** – A block that shows up to the top five attribute values that contributed the most to the API calls or errors during the normal activity period, in descending order from largest number of API calls or errors to smallest. It also shows the average number of API calls or errors made by the attribute values during the normal activity period.

        **Since:** 1.07

        **Optional:** False
        + **`value`** – The attribute that contributed to the API calls or errors during the normal activity period.

          **Since:** 1.07

          **Optional:** False
        + **`average`** – The historic average of API calls or errors per minute during the seven days preceding the Insights activity start time for the attribute in the `value` field.

          **Since:** 1.07

          **Optional:** False
+ **`eventCategory`** – The category of the event. The value is always `Insight` for Insights events.

  **Since:** 1.07

  **Optional:** False

## Example `insightDetails` block
<a name="event-reference-insight-details-example"></a>

The following is an example of an Insights event `insightDetails` block for an Insights event that occurred when the Application Auto Scaling API `CompleteLifecycleAction` was called an unusual number of times. For an example of a full Insights event, see [Insights events](cloudtrail-events.md#cloudtrail-insights-events).

This example is from a starting Insights event, indicated by `"state": "Start"`. The top user identities that called the APIs associated with the Insights event, `CodeDeployRole1`, `CodeDeployRole2`, and `CodeDeployRole3`, are shown in the `attributions` block, along with their average API call rates for this Insights event, and the baseline for the `CodeDeployRole1` role. The `attributions` block also shows that the user agent is `codedeploy.amazonaws.com`, meaning the top user identities used the AWS CodeDeploy console to run the API calls.

Because there are no error codes associated with the events that were analyzed to generate the Insights event (the value is `null`), the `insight` average for the error code is the same as the overall `insight` average for the entire Insights event, shown in the `statistics` block.

```json
"insightDetails": {
  "state": "Start",
  "eventSource": "autoscaling.amazonaws.com",
  "eventName": "CompleteLifecycleAction",
  "insightType": "ApiCallRateInsight",
  "insightContext": {
    "statistics": {
      "baseline": {
        "average": 0.0000882145
      },
      "insight": {
        "average": 0.6
      },
      "insightDuration": 5,
      "baselineDuration": 11336
    },
    "attributions": [
      {
        "attribute": "userIdentityArn",
        "insight": [
          {
            "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole1",
            "average": 0.2
          },
          {
            "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole2",
            "average": 0.2
          },
          {
            "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole3",
            "average": 0.2
          }
        ],
        "baseline": [
          {
            "value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole1",
            "average": 0.0000882145
          }
        ]
      },
      {
        "attribute": "userAgent",
        "insight": [
          {
            "value": "codedeploy.amazonaws.com",
            "average": 0.6
          }
        ],
        "baseline": [
          {
            "value": "codedeploy.amazonaws.com",
            "average": 0.0000882145
          }
        ]
      },
      {
        "attribute": "errorCode",
        "insight": [
          {
            "value": "null",
            "average": 0.6
          }
        ],
        "baseline": [
          {
            "value": "null",
            "average": 0.0000882145
          }
        ]
      }
    ]
  }
}
```
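The following is an added example, not AWS code, that triages the `insightDetails` block above using only its documented statistics: how far the unusual rate sits above the baseline, roughly how many calls the window held (per-minute rate × `insightDuration`) and how many the baseline period held (baseline rate × `baselineDuration`), each attribution ranked by rate, and a check that an attribution's per-value `insight` rates add up to the overall `insight` rate. That last check is only applied when an attribution holds fewer than five values, since the block is capped at the top five and a capped list may be missing contributors.

```python
"""Triage a trail Insights event's insightDetails block.

Added example, not AWS code. SAMPLE carries the same values as the documented example.
"""
import math

SAMPLE = {
    "state": "Start",
    "eventSource": "autoscaling.amazonaws.com",
    "eventName": "CompleteLifecycleAction",
    "insightType": "ApiCallRateInsight",
    "insightContext": {
        "statistics": {"baseline": {"average": 0.0000882145}, "insight": {"average": 0.6},
                       "insightDuration": 5, "baselineDuration": 11336},
        "attributions": [
            {"attribute": "userIdentityArn",
             "insight": [{"value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole1", "average": 0.2},
                         {"value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole2", "average": 0.2},
                         {"value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole3", "average": 0.2}],
             "baseline": [{"value": "arn:aws:sts::012345678901:assumed-role/CodeDeployRole1",
                           "average": 0.0000882145}]},
            {"attribute": "userAgent",
             "insight": [{"value": "codedeploy.amazonaws.com", "average": 0.6}],
             "baseline": [{"value": "codedeploy.amazonaws.com", "average": 0.0000882145}]},
            {"attribute": "errorCode",
             "insight": [{"value": "null", "average": 0.6}],
             "baseline": [{"value": "null", "average": 0.0000882145}]},
        ],
    },
}

ATTRIBUTION_CAP = 5  # the reference caps each attribution list at five values


def magnitude(details):
    """Insight rate divided by baseline rate; inf when there was no baseline activity."""
    stats = details["insightContext"]["statistics"]
    base = stats["baseline"]["average"]
    return math.inf if base == 0 else stats["insight"]["average"] / base


def estimated_events(details, period="insight"):
    """Approximate calls (or errors): per-minute rate times the period's duration in minutes."""
    stats = details["insightContext"]["statistics"]
    return stats[period]["average"] * stats[f"{period}Duration"]


def ranked(details, attribute, period="insight"):
    """(value, average) pairs for one attribute type, highest rate first."""
    for block in details["insightContext"].get("attributions", []):
        if block["attribute"] == attribute:
            return sorted(((e["value"], e["average"]) for e in block.get(period, [])),
                          key=lambda pair: pair[1], reverse=True)
    return []


def inconsistent_attributions(details, rel_tol=1e-6):
    """Attribute types whose insight rates do not add up to the overall insight rate.

    Skipped for attributions at the five-value cap, where contributors may be missing."""
    overall = details["insightContext"]["statistics"]["insight"]["average"]
    bad = []
    for block in details["insightContext"].get("attributions", []):
        entries = block.get("insight", [])
        if len(entries) >= ATTRIBUTION_CAP:
            continue
        if not math.isclose(sum(e["average"] for e in entries), overall, rel_tol=rel_tol):
            bad.append(block["attribute"])
    return bad


def triage(details):
    return {
        "api": f"{details['eventSource']}:{details['eventName']}",
        "type": details["insightType"],
        "state": details["state"],
        "magnitude": magnitude(details),
        "insight_events": estimated_events(details, "insight"),
        "baseline_events": estimated_events(details, "baseline"),
        "top_identities": ranked(details, "userIdentityArn")[:ATTRIBUTION_CAP],
        "top_agents": ranked(details, "userAgent")[:ATTRIBUTION_CAP],
        "inconsistent": inconsistent_attributions(details),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For the documented values this reports roughly 3 calls in the 5-minute window against roughly 1 call in the whole 11336-minute baseline, which is what makes a rate of 0.6 per minute stand out.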

# CloudTrail record contents for Insights events for event data stores
<a name="cloudtrail-insights-fields-lake"></a>

AWS CloudTrail Insights event records for event data stores include fields that are different from other CloudTrail events in their JSON structure, sometimes called *payload*. A CloudTrail Insights event record for an event data store includes the following fields:

**Note**  
The `insightValue`, `insightAverage`, `baselineValue`, and `baselineAverage` fields within the `attributions` field of `insightContext` will begin to be deprecated on June 23, 2025.
+ **`eventVersion`** – The version of the log event format.

  **Optional:** False
+ **`eventCategory`** – The category of the event. The value is always `Insight` for Insights events.

  **Optional:** False
+ **`eventType`** – The event type. The value is always `AwsCloudTrailInsight` for Insights events.

  **Optional:** False
+ **`eventID`** – GUID generated by CloudTrail to uniquely identify each event. You can use this value to identify a single event. For example, you can use the ID as a primary key to retrieve log data from a searchable database. 

  **Optional:** False
+ **`eventTime`** – The time the Insights event started or stopped, in coordinated universal time (UTC).

  **Optional:** False
+ **`awsRegion`** – The AWS Region where the Insights event occurred, such as `us-east-2`.

  **Optional:** False
+ **`recipientAccountId`** – Represents the account ID that received this event.

  **Optional:** True
+ **`sharedEventID`** – A GUID that is generated by CloudTrail Insights to uniquely identify an Insights event. `sharedEventID` is common between the start and the end Insights events, and helps to connect both events to uniquely identify unusual activity. You can think of the `sharedEventID` as the overall Insights event ID.

  **Optional:** False
+ **`addendum`** – If an event delivery was delayed, or additional information about an existing event becomes available after the event is logged, an addendum field shows information about why the event was delayed. If information was missing from an existing event, the addendum field includes the missing information and a reason for why it was missing. See also `addendum` in [CloudTrail record contents for management, data, and network activity events](cloudtrail-event-reference-record-contents.md).

  **Optional:** True
+ **`insightSource`** – The source event data store that collected the management events that were analyzed.

  **Optional:** False
+ **`insightState`** – Whether the event is the starting or ending Insights event. The value can be `Start` or `End`.

  **Optional:** False
+ **`insightEventSource`** – The AWS service that was the source of the unusual activity, such as `ec2.amazonaws.com`.

  **Optional:** False
+ **`insightEventName`** – The name of the Insights event, typically the name of the API that was the source of the unusual activity.

  **Optional:** False
+ **`insightErrorCode`** – The error code of the unusual activity. See also `errorCode` in [CloudTrail record contents for management, data, and network activity events](cloudtrail-event-reference-record-contents.md).

  **Optional:** True
+ **`insightType`** – The type of Insights event. This value can be `ApiCallRateInsight` or `ApiErrorRateInsight`.

  **Optional:** False
+ **`insightContext`** – Contains information about the underlying trigger of an Insights event, such as user identity, user agent, historical average or *baseline*, and Insights duration and average.

  **Optional:** False
  + **`baselineAverage`** – The average number of API calls or errors per minute during the baseline duration on the Insights event's subject API for the account, calculated over the seven days preceding the start of the Insights event.

    **Optional:** False
  + **`insightAverage`** – For a starting Insights event, this value is the average number of API calls or errors per minute during the start of the unusual activity. For an ending Insights event, this value is the average number of API calls or errors per minute over the duration of the unusual activity.

    **Optional:** False
  + **`baselineDuration`** – The duration, in minutes, of the baseline period (the time period that normal activity is measured on the subject API). `baselineDuration` is at minimum the seven days (10080 minutes) preceding an Insights event. This field occurs in both starting and ending Insights events. The ending time of `baselineDuration` measurement is always the start of an Insights event.

    **Optional:** False
  + **`insightDuration`** – The duration, in minutes, of an Insights event (the time period from the start to the end of unusual activity on the subject API). `insightDuration` occurs in both starting and ending Insights events.

    **Optional:** False
  + **`attributions`** – Includes information about the user identity, user agent, or error code correlated with unusual and baseline activity.

    **Optional:** True

    **Note**  
    The `insightValue`, `insightAverage`, `baselineValue`, and `baselineAverage` fields within the `attributions` field of `insightContext` will begin to be deprecated on June 23, 2025.
    + **`attribute`** – Contains the attribute type. Value can be `userIdentityArn`, `userAgent`, or `errorCode`. If present, these values will appear only once in an individual attribute. Different attribute values can have different `userIdentityArn`, `userAgent`, or `errorCode` values, but each attribute instance will contain only one value for `userIdentityArn`, `userAgent`, or `errorCode`.

      **Optional:** False
    + **`insightValue`** – The top attribute value that occurred on the API calls or errors made during the unusual activity period.

      **Optional:** False
    + **`insightAverage`** – The number of API calls or errors per minute during the unusual activity period for the attribute in the `insightValue` field.

      **Optional:** False
    + **`baselineValue`** – The top attribute value that contributed to the API calls or errors logged during the normal activity period.

      **Optional:** False
    + **`baselineAverage`** – The historic average of API calls or errors per minute during the seven days preceding the Insights activity start time for the attribute in the `baselineValue` field.

      **Optional:** False
    + **`insight`** – The top five attribute values that contributed to the API calls or errors made during the unusual activity period. It also shows the average number of API calls or errors made by the attribute during the unusual activity period.

      **Optional:** False
      + **`value`** – The attribute that contributed to the API calls or errors made during the unusual activity period.

        **Optional:** False
      + **`average`** – The average number of API calls or errors per minute during the unusual activity period for the attribute in the `value` field.

        **Optional:** False
    + **`baseline`** – The top five attribute values that contributed the most to the API calls or errors during the normal activity period. It also shows the average number of API calls or errors logged by the attribute value during the normal activity period.

      **Optional:** False
      + **`value`** – The attribute that contributed to the API calls or errors during the normal activity period.

        **Optional:** False
      + **`average`** – The historic average of API calls or errors per minute during the seven days preceding the Insights activity start time for the attribute in the `value` field.

        **Optional:** False
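
As an added example (not part of the AWS documentation), the following Python reads an Insights event laid out with the event data store field names listed above, ranks each attribution's values by per-minute rate, and lists the values that drove the spike but never appeared in the baseline. The record is constructed for this example; the `insightSource` ARN and all identities are placeholders, and the `userAgent` attribution deliberately uses the older single-value form so the fallback is exercised.

```python
"""Summarize a CloudTrail Insights event from an event data store."""
import json

# Constructed sample record (not from the original page); uses the flat event data store
# field names documented above. The userAgent attribution uses the older single-value form.
SAMPLE_INSIGHT_EVENT = json.loads(r"""
{
  "sharedEventID": "11111111-1111-4111-8111-111111111111",
  "insightSource": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/PLACEHOLDER",
  "insightState": "Start",
  "insightEventSource": "iam.amazonaws.com",
  "insightEventName": "CreateUser",
  "insightType": "ApiCallRateInsight",
  "insightContext": {
    "baselineAverage": 0.0014,
    "insightAverage": 12.0,
    "baselineDuration": 10080,
    "insightDuration": 5,
    "attributions": [
      {
        "attribute": "userIdentityArn",
        "insight": [
          {"value": "arn:aws:iam::123456789012:user/Alice", "average": 0.5},
          {"value": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci", "average": 11.5}
        ],
        "baseline": [
          {"value": "arn:aws:iam::123456789012:user/Alice", "average": 0.0014}
        ]
      },
      {
        "attribute": "userAgent",
        "insightValue": "aws-cli/2.15.0",
        "insightAverage": 12.0,
        "baselineValue": "console.amazonaws.com",
        "baselineAverage": 0.0014
      }
    ]
  }
}
""")


def _top_values(attr: dict, period: str) -> list:
    """Return [{'value', 'average'}, ...] for 'insight' or 'baseline', highest rate first.

    Prefers the five-entry list form; falls back to the single-value fields
    (insightValue/insightAverage, baselineValue/baselineAverage) that the page
    marks as being deprecated from June 23, 2025.
    """
    entries = attr.get(period)
    if entries is None:
        value = attr.get(period + "Value")
        if value is None:
            return []
        entries = [{"value": value, "average": attr.get(period + "Average", 0.0)}]
    return sorted(entries, key=lambda e: e["average"], reverse=True)


def summarize_insight(event: dict) -> dict:
    ctx = event["insightContext"]
    baseline = ctx["baselineAverage"]
    insight = ctx["insightAverage"]
    return {
        "shared_event_id": event["sharedEventID"],
        "state": event["insightState"],
        "api": f'{event["insightEventSource"]}:{event["insightEventName"]}',
        "type": event["insightType"],
        # how many times the normal per-minute rate the unusual period ran at
        "ratio": insight / baseline if baseline > 0 else float("inf"),
        "insight_duration_min": ctx.get("insightDuration"),
        "attributions": {
            a["attribute"]: {"insight": _top_values(a, "insight"),
                             "baseline": _top_values(a, "baseline")}
            for a in ctx.get("attributions", [])
        },
    }


def new_actors(summary: dict) -> dict:
    """Attribution values that drove the spike but do not appear in the baseline top list.

    A principal or user agent that contributed to the unusual rate yet was never seen
    during the seven-day baseline is the first thing to check in triage.
    """
    result = {}
    for name, periods in summary["attributions"].items():
        baseline_values = {e["value"] for e in periods["baseline"]}
        unseen = [e["value"] for e in periods["insight"] if e["value"] not in baseline_values]
        if unseen:
            result[name] = unseen
    return result


if __name__ == "__main__":
    s = summarize_insight(SAMPLE_INSIGHT_EVENT)
    print(f'{s["api"]} {s["type"]} x{s["ratio"]:.0f} over {s["insight_duration_min"]} min')
    for attr, values in new_actors(s).items():
        print(f"  new {attr}: {values}")
```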

# CloudTrail userIdentity element
<a name="cloudtrail-event-reference-user-identity"></a>

AWS Identity and Access Management (IAM) provides different types of identities. The `userIdentity` element contains details about the type of IAM identity that made the request, and which credentials were used. If temporary credentials were used, the element shows how the credentials were obtained. 

**Contents**
+ [Examples](#cloudtrail-event-reference-user-identity-examples)
+ [Fields](#cloudtrail-event-reference-user-identity-fields)
+ [Values for AWS STS APIs with SAML and web identity federation](#STS-API-SAML-WIF)
+ [AWS STS source identity](#STS-API-source-identity)

## Examples
<a name="cloudtrail-event-reference-user-identity-examples"></a>

**`userIdentity` with IAM user credentials**

The following example shows the `userIdentity` element of a simple request made with the credentials of the IAM user named `Alice`. 

```
"userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJ45Q7YFFAREXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "",
    "userName": "Alice"
}
```

**`userIdentity` with temporary security credentials**

The following example shows a `userIdentity` element for a request made with temporary security credentials obtained by assuming an IAM role. The element contains additional details about the role that was assumed to get credentials. 

```
"userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
    "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
    "accountId": "123456789012",
    "accessKeyId": "",
    "sessionContext": {
        "sessionIssuer": {
            "type": "Role",
            "principalId": "AROAIDPPEZS35WEXAMPLE",
            "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
            "accountId": "123456789012",
            "userName": "RoleToBeAssumed"
        },
        "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "20131102T010628Z"
        }
    }
}
```

**`userIdentity` for a request made on behalf of an IAM Identity Center user**

The following example shows a `userIdentity` element for a request made on behalf of an IAM Identity Center user. 

```
"userIdentity": {
    "type": "IdentityCenterUser",
    "accountId": "123456789012",
    "onBehalfOf": {
        "userId": "544894e8-80c1-707f-60e3-3ba6510dfac1",
        "identityStoreArn": "arn:aws:identitystore::123456789012:identitystore/d-9067642ac7"
    },
    "credentialId": "EXAMPLEVHULjJdTUdPJfofVa1sufHDoj7aYcOYcxFVllWR_Whr1fEXAMPLE"
}
```

To learn more about how you can use `userId`, `identityStoreArn`, and `credentialId`, see [Identifying the user and session in IAM Identity Center user-initiated CloudTrail events](https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-cloudtrail-use-cases.html#user-session-iam-identity-center) in the *IAM Identity Center User Guide*.

**`userIdentity` with product provider-initiated request**

All actions performed by product providers using temporary delegated access are automatically logged in CloudTrail. This provides complete visibility and auditability of product provider activity in your AWS account. You can identify which actions were taken by product providers, when they occurred, and which product provider account performed them.

To help you distinguish between actions taken by your own IAM principals and those taken by product providers with delegated access, CloudTrail events include a new field called `invokedByDelegate` under the `userIdentity` element. This field contains the AWS account ID of the product provider, making it easy to filter and audit all delegated actions.

The following example shows a `userIdentity` element for an action performed by a product provider using temporary delegated access.

```
"userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAI...",
    "arn": "arn:aws:sts::123456789012:assumed-role/Alice/Session",
    "accountId": "123456789012",
    "sessionContext": {
        "sessionIssuer": {
            "type": "Role",
            "principalId": "AROAI...",
            "arn": "arn:aws:iam::123456789012:role/Alice",
            "accountId": "123456789012",
            "userName": "Alice"
        },
        "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "20131102T010628Z"
        }
    },
    "invokedByDelegate": {
        "accountId": "999999999999"
    }
}
```

The `invokedByDelegate` field contains the AWS account ID of the product provider who performed the action using delegated access. In this example, account 999999999999 (the product provider) performed an action in account 123456789012 (the customer account).

## Fields
<a name="cloudtrail-event-reference-user-identity-fields"></a>

The following fields can appear in a `userIdentity` element.

**`type`**  
The type of the identity. The following values are possible:  
+ `Root` – The request was made with your AWS account credentials. If the `userIdentity` type is `Root`, and you set an alias for your account, the `userName` field contains your account alias. For more information, see [Your AWS account ID and its alias](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html). 
+ `IAMUser` – The request was made with the credentials of an IAM user.
+ `AssumedRole` – The request was made with temporary security credentials that were obtained with a role by making a call to the AWS Security Token Service (AWS STS) [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API. This can include [roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) and cross-account API access. 
+ `Role` – The request was made with a persistent IAM identity that has specific permissions. The issuer of the role sessions is always the role. For more information about roles, see [Roles terms and concepts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) in the *IAM User Guide*.
+ `FederatedUser` – The request was made with temporary security credentials obtained from a call to the AWS STS [https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html) API. The `sessionIssuer` element indicates if the API was called with root or IAM user credentials.

  For more information about temporary security credentials, see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) in the *IAM User Guide*.
+ `Directory` – The request was made to a directory service, and the type is unknown. Directory services include the following: Amazon WorkDocs and Amazon Quick.
+ `AWSAccount` – The request was made by another AWS account.
+ `AWSService` – The request was made by an AWS account that belongs to an AWS service. For example, AWS Elastic Beanstalk assumes an IAM role in your account to call other AWS services on your behalf.
+ `IdentityCenterUser` – The request was made on behalf of an IAM Identity Center user.
+ `Unknown` – The request was made with an identity type that CloudTrail can't determine.
**Optional:** False  
`AWSAccount` and `AWSService` appear for `type` in your logs when there is cross-account access using an IAM role that you own.  

**Example: Cross-account access initiated by another AWS account**

1. You own an IAM role in your account. 

1. Another AWS account switches to that role to assume the role for your account.

1. Because you own the IAM role, you receive a log that shows the other account assumed the role. The `type` is `AWSAccount`. For an example log entry, see [AWS STS API event in CloudTrail log file](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#stscloudtrailexample). 

**Example: Cross-account access initiated by an AWS service**

1. You own an IAM role in your account. 

1. An AWS account owned by an AWS service assumes that role.

1. Because you own the IAM role, you receive a log that shows the AWS service assumed the role. The `type` is `AWSService`.

**`userName`**  
The friendly name of the identity that made the call. The value that appears in `userName` is based on the value in `type`. The following table shows the relationship between `type` and `userName`:      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html)
The `userName` field contains the string `HIDDEN_DUE_TO_SECURITY_REASONS` when the recorded event is a console sign-in failure caused by incorrect user name input. CloudTrail does not record the contents in this case because the text could contain sensitive information, as in the following examples:  
+ A user accidentally types a password in the user name field.
+ A user clicks the link for one AWS account's sign-in page, but then types the account number for a different one.
+ A user accidentally types the account name of a personal email account, a bank sign-in identifier, or some other private ID. 
**Optional:** True

**`principalId`**  
A unique identifier for the entity that made the call. For requests made with temporary security credentials, this value includes the session name that is passed to the `AssumeRole`, `AssumeRoleWithWebIdentity`, or `GetFederationToken` API call.  
**Optional:** True

**`arn`**  
The Amazon Resource Name (ARN) of the principal that made the call. The last section of the ARN contains the user or role that made the call.  
**Optional:** True

**`accountId`**  
The account that owns the entity that granted permissions for the request. If the request was made with temporary security credentials, this is the account that owns the IAM user or role used to obtain credentials.   
If the request was made with an IAM Identity Center authorized access token, this is the account that owns the IAM Identity Center instance.  
**Optional:** True

**`accessKeyId`**  
The access key ID that was used to sign the request. If the request was made with temporary security credentials, this is the access key ID of the temporary credentials. For security reasons, `accessKeyId` might not be present, or might be displayed as an empty string.  
**Optional:** True

**`sessionContext`**  
If the request was made with temporary security credentials, `sessionContext` provides information about the session created for those credentials. You create a session when you call any API that returns temporary credentials. Users also create sessions when they work in the console and make requests with APIs that include [multi-factor authentication](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html). The following attributes can appear in `sessionContext`:  
+ <a name="sessionissuer"></a>`sessionIssuer` – If a user makes a request with temporary security credentials, `sessionIssuer` provides information about how the user obtained credentials. For example, if they obtained temporary security credentials by assuming a role, this element provides information about the assumed role. If they obtained credentials with root or IAM user credentials to call AWS STS `GetFederationToken`, the element provides information about the root account or IAM user. This element has the following attributes:
  + `type` – The source of the temporary security credentials, such as `Root`, `IAMUser`, or `Role`. 
  + `userName` – The friendly name of the user or role that issued the session. The value that appears depends on the `sessionIssuer` identity `type`. The following table shows the relationship between `sessionIssuer type` and `userName`:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html)
  + `principalId` – The internal ID of the entity used to get credentials.
  + `arn` – The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials.
  + `accountId` – The account that owns the entity that was used to get credentials.
+ `webIdFederationData` – If the request was made with temporary security credentials obtained by [web identity federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html), `webIdFederationData` lists information about the identity provider.

  This element has the following attributes:
  + `federatedProvider` – The principal name of the identity provider (for example, `www.amazon.com` for Login with Amazon or `accounts.google.com` for Google). 
  + `attributes` – The application ID and user ID as reported by the provider (for example, `www.amazon.com:app_id` and `www.amazon.com:user_id` for Login with Amazon).
**Note**  
The omission of this field or presence of this field with an empty value signifies that there is no information about the identity provider.
+ `assumedRoot` – The value is `true` for a temporary session when a management account or delegated administrator calls AWS STS [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html). For more information, see [Track privileged tasks in CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-track-privileged-tasks.html) in the *IAM User Guide*. This is an optional field.
+ `attributes` – The attributes for the session.
  + `creationDate` – The date and time when the temporary security credentials were issued. Represented in ISO 8601 basic notation. 
  + `mfaAuthenticated` – The value is `true` if the root user or IAM user who used their credentials for the request also authenticated with an MFA device; otherwise, `false`.
+ `sourceIdentity` – See [AWS STS source identity](#STS-API-source-identity) in this topic. The `sourceIdentity` field occurs in events when users assume an IAM role to perform an action. `sourceIdentity` identifies the original user identity making the request, whether that user's identity is an IAM user, an IAM role, a user authenticated through SAML-based federation, or a user authenticated through OpenID Connect (OIDC)-compliant web identity federation. For more information about configuring AWS STS to collect source identity information, see [Monitor and control actions taken with assumed roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) in the *IAM User Guide*.
+ `ec2RoleDelivery` – The value is `1.0` if the credentials were provided by Amazon EC2 Instance Metadata Service Version 1 (IMDSv1). The value is `2.0` if the credentials were provided using the new IMDS scheme (IMDSv2).

  AWS credentials provided by the Amazon EC2 Instance Metadata Service (IMDS) include an `ec2:RoleDelivery` IAM context key. This context key makes it easy to enforce use of IMDSv2 on a service-by-service or resource-by-resource basis by using the context key as a condition in IAM policies, resource policies, or AWS Organizations service control policies. For more information, see [Instance metadata and user data](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the *Amazon EC2 User Guide*.
**Optional:** True

**`invokedBy`**  
The name of the AWS service that made the request, when a request is made by an AWS service such as Amazon EC2 Auto Scaling or AWS Elastic Beanstalk. This field is only present when a request is made by an AWS service. This includes requests made by services using forward access sessions (FAS), AWS service principals, service-linked roles, or service roles used by an AWS service.  
**Optional:** True

**`invokedByDelegate`**  
Tracks requests made by product providers using temporary delegated access in your AWS account. This field appears only when a product provider initiates an API request using delegated permissions. If present, `invokedByDelegate` provides information about the product provider account that made the request. This element has the following attribute:  
+ `accountId` – The AWS account ID of the product provider that initiated the request.
For more information and a JSON example of delegated access in CloudTrail events, see [CloudTrail entries for temporary security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/temporary-delegation-cloudtrail.html) in the *IAM User Guide*.  
**Optional:** True

**`onBehalfOf`**  
If the request was made by an IAM Identity Center caller, `onBehalfOf` provides information about the IAM Identity Center user ID and identity store ARN for which the call was made. This element has the following attributes:  
+ `userId` – The ID of the IAM Identity Center user who the call was made on behalf of. 
+ `identityStoreArn` – The ARN of the IAM Identity Center identity store that the call was made on behalf of.
**Optional:** True

**`inScopeOf`**  
If the request was made in scope of an AWS service, such as Lambda or Amazon ECS, `inScopeOf` provides information about the resource or credentials related to the request. This element can contain the following attributes:  
+ `sourceArn` – The ARN of the resource that invoked the service-to-service request.
+ `sourceAccount` – The owner account ID for the `sourceArn`. It appears together with `sourceArn`.
+ `issuerType` – The resource type of `credentialsIssuedTo`. For example, `AWS::Lambda::Function`.
+ `credentialsIssuedTo` – The resource related to the environment where the credentials were issued.
**Optional:** True

**`credentialId`**  
The credential ID for the request. This is only set when the caller uses a bearer token, such as an IAM Identity Center authorized access token.  
**Optional:** True
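
One way to put these fields to work in triage, as an added example that is not AWS code: the function below reduces a `userIdentity` element to the durable identity behind the credentials (the `sessionIssuer` for temporary credentials), the session name, MFA state, `sourceIdentity`, `invokedBy`, `invokedByDelegate` and `onBehalfOf`, and raises review flags for root credentials, callers from other accounts or services, human sessions without MFA, IMDSv1-delivered credentials, delegated third-party access and assumed-role sessions with no source identity. The sample elements are constructed; ARNs, principal IDs and account IDs are placeholders, and the flag names are this example's own.

```python
"""Triage the userIdentity element of CloudTrail records."""

# Constructed sample userIdentity elements (not from the original page); account IDs,
# ARNs and principal IDs are placeholders.
SAMPLES = {
    "ec2_role_imdsv1": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLEID:i-0abc123def456",
        "arn": "arn:aws:sts::123456789012:assumed-role/WebServerRole/i-0abc123def456",
        "accountId": "123456789012",
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "principalId": "AROAEXAMPLEID",
                              "arn": "arn:aws:iam::123456789012:role/WebServerRole",
                              "accountId": "123456789012", "userName": "WebServerRole"},
            "attributes": {"mfaAuthenticated": "false", "creationDate": "2025-03-01T09:58:00Z"},
            "ec2RoleDelivery": "1.0",
        },
    },
    "delegated": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLEID2:Session",
        "arn": "arn:aws:sts::123456789012:assumed-role/VendorAccessRole/Session",
        "accountId": "123456789012",
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789012:role/VendorAccessRole",
                              "accountId": "123456789012", "userName": "VendorAccessRole"},
            "attributes": {"mfaAuthenticated": "false", "creationDate": "2025-03-01T10:00:00Z"},
        },
        "invokedByDelegate": {"accountId": "999999999999"},
    },
    "federated_user": {
        "type": "FederatedUser",
        "principalId": "123456789012:Bob",
        "arn": "arn:aws:sts::123456789012:federated-user/Bob",
        "accountId": "123456789012",
        "sessionContext": {
            "sessionIssuer": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice",
                              "accountId": "123456789012", "userName": "Alice"},
            "attributes": {"mfaAuthenticated": "false", "creationDate": "2025-03-01T10:01:00Z"},
        },
    },
}


def summarize_user_identity(ui: dict) -> dict:
    """Reduce a userIdentity element to who acted, how they got credentials, and review flags."""
    identity_type = ui.get("type", "Unknown")
    sc = ui.get("sessionContext") or {}
    issuer = sc.get("sessionIssuer") or {}
    attrs = sc.get("attributes") or {}
    # mfaAuthenticated is logged as the string "true"/"false"; None when no session context
    mfa = None if "mfaAuthenticated" not in attrs else str(attrs["mfaAuthenticated"]).lower() == "true"
    principal_id = ui.get("principalId") or ""
    summary = {
        "type": identity_type,
        "account_id": ui.get("accountId"),
        # for temporary credentials the issuer is the durable identity behind the session
        "effective_principal": issuer.get("arn") or ui.get("arn"),
        "session_name": principal_id.split(":", 1)[1] if ":" in principal_id else None,
        "mfa": mfa,
        "source_identity": sc.get("sourceIdentity"),
        "invoked_by": ui.get("invokedBy"),
        "delegate_account": (ui.get("invokedByDelegate") or {}).get("accountId"),
        "identity_center_user": (ui.get("onBehalfOf") or {}).get("userId"),
        "flags": [],
    }
    flags = summary["flags"]
    if identity_type == "Root" or str(sc.get("assumedRoot", "")).lower() == "true":
        flags.append("root-credentials")
    if identity_type in ("AWSAccount", "AWSService"):
        flags.append("external-caller")  # another account or service assumed a role you own
    if mfa is False and issuer.get("type") in ("Root", "IAMUser"):
        flags.append("human-session-without-mfa")
    if sc.get("ec2RoleDelivery") == "1.0":
        flags.append("imdsv1-credentials")
    if summary["delegate_account"]:
        flags.append("delegated-third-party-access")
    if identity_type == "AssumedRole" and not summary["source_identity"]:
        flags.append("no-source-identity")
    return summary


if __name__ == "__main__":
    for name, element in SAMPLES.items():
        s = summarize_user_identity(element)
        print(f'{name}: {s["effective_principal"]} session={s["session_name"]} flags={s["flags"]}')
```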

## Values for AWS STS APIs with SAML and web identity federation
<a name="STS-API-SAML-WIF"></a>

AWS CloudTrail supports logging AWS Security Token Service (AWS STS) API calls made with Security Assertion Markup Language (SAML) and web identity federation. When a user makes a call to the [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) and [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) APIs, CloudTrail records the call and delivers the event to your Amazon S3 bucket.

The `userIdentity` element for these APIs contains the following values.

**`type`**  
The identity type.  
+ `SAMLUser` – The request was made with SAML assertion.
+ `WebIdentityUser` – The request was made by a web identity federation provider.

**`principalId`**  
A unique identifier for the entity that made the call.  
+ For `SAMLUser`, this is a combination of the `saml:namequalifier` and `saml:sub` keys. 
+ For `WebIdentityUser`, this is a combination of the issuer, application ID, and user ID.

**`userName`**  
The name of the identity that made the call.  
+ For `SAMLUser`, this is the `saml:sub` key.
+ For `WebIdentityUser`, this is the user ID.

**`identityProvider`**  
The principal name of the external identity provider. This field appears only for `SAMLUser` or `WebIdentityUser` types.  
+ For `SAMLUser`, this is the `saml:namequalifier` key for the SAML assertion. 
+ For `WebIdentityUser`, this is the issuer name of the web identity federation provider. This can be a provider that you configured, such as the following:
  + `cognito-identity.amazon.com` for Amazon Cognito
  + `www.amazon.com` for Login with Amazon
  + `accounts.google.com` for Google
  + `graph.facebook.com` for Facebook

The following is an example `userIdentity` element for the `AssumeRoleWithWebIdentity` action.

```
"userIdentity": {
    "type": "WebIdentityUser",
    "principalId": "accounts.google.com:application-id.apps.googleusercontent.com:user-id",
    "userName": "user-id",
    "identityProvider": "accounts.google.com"
}
```

For example logs of how the `userIdentity` element appears for `SAMLUser` and `WebIdentityUser` types, see [Logging IAM and AWS STS API calls with AWS CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html).

## AWS STS source identity
<a name="STS-API-source-identity"></a>

An IAM administrator can configure AWS Security Token Service to require that users specify their identity when they use temporary credentials to assume roles. The `sourceIdentity` field occurs in events when users assume an IAM role or perform any actions with the assumed role.

The `sourceIdentity` field identifies the original user identity making the request, whether that user's identity is an IAM user, an IAM role, a user authenticated by using SAML-based federation, or a user authenticated by using OpenID Connect (OIDC)-compliant web identity federation. After the IAM administrator configures AWS STS, CloudTrail logs `sourceIdentity` information in the following events and locations within the event record:
+ The AWS STS `AssumeRole`, `AssumeRoleWithSAML`, or `AssumeRoleWithWebIdentity` calls that a user identity makes when it assumes a role. `sourceIdentity` is found in the `requestParameters` block of the AWS STS calls.
+ The AWS STS `AssumeRole`, `AssumeRoleWithSAML`, or `AssumeRoleWithWebIdentity` calls that a user identity makes if it uses a role to assume another role, known as [role chaining](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining). `sourceIdentity` is found in the `requestParameters` block of the AWS STS calls.
+ The AWS service API calls that the user identity makes while assuming a role and using the temporary credentials assigned by AWS STS. In service API events, `sourceIdentity` is found in the `sessionContext` block. For example, if a user identity creates a new S3 bucket, `sourceIdentity` occurs in the `sessionContext` block of the `CreateBucket` event.

For more information about how to configure AWS STS to collect source identity information, see [Monitor and control actions taken with assumed roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) in the *IAM User Guide*. For more information about AWS STS events that are logged to CloudTrail, see [Logging IAM and AWS STS API calls with AWS CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html) in the *IAM User Guide*.

The following are example snippets of events that show the `sourceIdentity` field.

**Example `requestParameters` section**

In the following example event snippet, a user makes an AWS STS `AssumeRole` request, and sets a source identity, represented here by `source-identity-value-set`. The user assumes a role represented by the role ARN `arn:aws:iam::123456789012:role/Assumed_Role`. The `sourceIdentity` field is in the `requestParameters` block of the event.

```
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AWSAccount",
        "principalId": "AIDAJ45Q7YFFAREXAMPLE",
        "accountId": "123456789012"
    },
    "eventTime": "2020-04-02T18:20:53Z",
    "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRole",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.64",
    "userAgent": "aws-cli/1.16.96 Python/3.6.0 Windows/10 botocore/1.12.86",
    "requestParameters": {
        "roleArn": "arn:aws:iam::123456789012:role/Assumed_Role",
        "roleSessionName": "Test1",
        "sourceIdentity": "source-identity-value-set"
    },
```

**Example `responseElements` section**

In the following example event snippet, a user makes an AWS STS `AssumeRole` request to assume a role named `Developer_Role`, and sets a source identity, `Admin`. The user assumes a role represented by the role ARN `arn:aws:iam::111122223333:role/Developer_Role`. The `sourceIdentity` field is shown in both the `requestParameters` and `responseElements` blocks of the event. The temporary credentials used to assume the role, the session token string, and the assumed role ID, session name, and session ARN are shown in the `responseElements` block, along with the source identity.

```
    "requestParameters": {
        "roleArn": "arn:aws:iam::111122223333:role/Developer_Role",
        "roleSessionName": "Session_Name",
        "sourceIdentity": "Admin"
    },
    "responseElements": {
        "credentials": {
            "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
            "expiration": "Jan 22, 2021 12:46:28 AM",
            "sessionToken": "XXYYaz...
                             EXAMPLE_SESSION_TOKEN
                             XXyYaZAz"
        },
        "assumedRoleUser": {
            "assumedRoleId": "AROACKCEVSQ6C2EXAMPLE:Session_Name",
            "arn": "arn:aws:sts::111122223333:assumed-role/Developer_Role/Session_Name"
        },
        "sourceIdentity": "Admin"
    }
...
```

**Example `sessionContext` section**

In the following example event snippet, a user is assuming a role named `DevRole` to call an AWS service API. The user sets a source identity, represented here by *source-identity-value-set*. The `sourceIdentity` field is in the `sessionContext` block, within the `userIdentity` block of the event.

```
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAJ45Q7YFFAREXAMPLE:Dev1",
    "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/Dev1",
    "accountId": "123456789012",
    "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAJ45Q7YFFAREXAMPLE",
        "arn": "arn:aws:iam::123456789012:role/DevRole",
        "accountId": "123456789012",
        "userName": "DevRole"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-02-21T23:46:28Z"
      },
      "sourceIdentity": "source-identity-value-set"
    }
  }
}
```
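
As an added example (not from the IAM or CloudTrail documentation), the following Python locates `sourceIdentity` in each of the three places described above and ties each service API call back to the STS call that issued its session, including a role-chaining hop where the source identity is carried into the second session. The events are constructed and trimmed to the fields the code reads; role names, session names and the account ID are placeholders.

```python
"""Follow sourceIdentity from the STS call that set it to the API calls made with the session."""

# Constructed sample events (not from the original page), trimmed to the fields used here.
EVENTS = [
    {   # AssumeRole by an IAM user, setting a source identity
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Admin"},
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Developer_Role",
                              "roleSessionName": "Session_Name", "sourceIdentity": "Admin"},
        "responseElements": {
            "assumedRoleUser": {"arn": "arn:aws:sts::111122223333:assumed-role/Developer_Role/Session_Name"},
            "sourceIdentity": "Admin"},
    },
    {   # role chaining: the Developer_Role session assumes a second role; sourceIdentity persists
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Developer_Role/Session_Name",
                         "sessionContext": {"sourceIdentity": "Admin"}},
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/DeployRole",
                              "roleSessionName": "deploy", "sourceIdentity": "Admin"},
        "responseElements": {
            "assumedRoleUser": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/deploy"},
            "sourceIdentity": "Admin"},
    },
    {   # service API call made with the chained session
        "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/deploy",
                         "sessionContext": {"sourceIdentity": "Admin"}},
    },
    {   # service API call from a session whose AssumeRole was not captured and that has no sourceIdentity
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/unknown",
                         "sessionContext": {}},
    },
]

STS_ASSUME_CALLS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"}


def _is_sts_assume(event: dict) -> bool:
    return event.get("eventSource") == "sts.amazonaws.com" and event.get("eventName") in STS_ASSUME_CALLS


def source_identity_of(event: dict) -> tuple:
    """Return (location, value) for the sourceIdentity in this event, or (None, None).

    STS assume calls carry it in requestParameters (and echo it in responseElements);
    every other API call carries it in userIdentity.sessionContext.
    """
    if _is_sts_assume(event):
        for block in ("requestParameters", "responseElements"):
            value = (event.get(block) or {}).get("sourceIdentity")
            if value:
                return block, value
        return None, None
    value = ((event.get("userIdentity") or {}).get("sessionContext") or {}).get("sourceIdentity")
    return ("sessionContext", value) if value else (None, None)


def correlate(events: list) -> list:
    """Attribute each non-STS API call to the original identity behind its session."""
    session_origin = {}  # assumed-role session ARN -> sourceIdentity set when the session was issued
    chained = set()      # session ARNs obtained through role chaining
    for ev in events:
        if not _is_sts_assume(ev):
            continue
        session_arn = ((ev.get("responseElements") or {}).get("assumedRoleUser") or {}).get("arn")
        _, sid = source_identity_of(ev)
        if session_arn:
            session_origin[session_arn] = sid
            if ev["userIdentity"].get("type") == "AssumedRole":
                chained.add(session_arn)
    results = []
    for ev in events:
        if ev.get("eventSource") == "sts.amazonaws.com":
            continue
        session_arn = ev["userIdentity"].get("arn")
        _, sid = source_identity_of(ev)
        results.append({
            "event": f'{ev["eventSource"]}:{ev["eventName"]}',
            "session": session_arn,
            "source_identity": sid or session_origin.get(session_arn),
            "issued_by_logged_sts_call": session_arn in session_origin,
            "role_chained": session_arn in chained,
            # a session event carrying a different value than its AssumeRole set deserves a look
            "consistent": sid is None or session_arn not in session_origin or session_origin[session_arn] == sid,
        })
    return results


if __name__ == "__main__":
    for row in correlate(EVENTS):
        print(row)
```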

# Non-API events captured by CloudTrail
<a name="cloudtrail-non-api-events"></a>

In addition to logging AWS API calls, CloudTrail captures other related events that might have a security or compliance impact on your AWS account or that might help you troubleshoot operational problems. 
+ [AWS service events](non-api-aws-service-events.md) – CloudTrail supports logging non-API service events. These events are created by AWS services but are not directly triggered by a request to a public AWS API. For these events, the `eventType` field is `AwsServiceEvent`.
+ [AWS Management Console sign-in events](cloudtrail-event-reference-aws-console-sign-in-events.md) – CloudTrail logs attempts to sign in to the AWS Management Console, the AWS Discussion Forums, and the AWS Support Center. All IAM user and root user sign-in events, as well as all federated user sign-in events, generate records in CloudTrail. For sign-in events, the `eventType` field is `AwsConsoleSignIn`.

# AWS service events
<a name="non-api-aws-service-events"></a>

CloudTrail supports logging non-API service events. These events are created by AWS services but are not directly triggered by a request to a public AWS API. For these events, the `eventType` field is `AwsServiceEvent`. 

The following is an example scenario of an AWS service event when a customer managed key is automatically rotated in AWS Key Management Service (AWS KMS). For more information about rotating KMS keys, see [Rotating KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "accountId": "111122223333",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2021-01-14T01:41:59Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "RotateKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "a24b3967-ddad-417f-9b22-2332b918db06",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsServiceEvent",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "rotationType": "AUTOMATIC",
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "eventCategory": "Management"
}
```
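The `userIdentity` of a service event has no `type` or `arn`, only `invokedBy`, and `requestParameters` is `null`, so log-processing code that indexes `userIdentity["arn"]` or keys everything on the calling principal will either fail on these records or silently drop them. The following Python is an added example (not part of the AWS documentation) that dispatches on `eventType`, gives service events a synthetic principal, and correlates them with API calls on the key ARN from the `resources` array instead. `SAMPLE_LOG` is constructed: it pairs the `RotateKey` record above with a hypothetical `EnableKeyRotation` API call by an IAM user on the same key, listed first to show that records in a log file are not in chronological order.

```python
"""Correlate KMS service events with API calls on the same key.

Added example, not from the AWS documentation. SAMPLE_LOG is a constructed
two-record CloudTrail file: the RotateKey service event shown above, plus a
hypothetical EnableKeyRotation API call by an IAM user on the same key.
"""
import json

KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

SAMPLE_LOG = json.dumps({"Records": [
    {   # hypothetical API call (constructed); listed first, but it happened later
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R",
                         "arn": "arn:aws:iam::111122223333:user/Anaya",
                         "accountId": "111122223333", "userName": "Anaya"},
        "eventTime": "2021-01-14T02:00:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "EnableKeyRotation", "awsRegion": "us-west-2",
        "sourceIPAddress": "192.0.2.0", "requestParameters": {"keyId": KEY_ARN},
        "responseElements": None, "readOnly": False,
        "resources": [{"accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": KEY_ARN}],
        "eventType": "AwsApiCall", "recipientAccountId": "111122223333",
    },
    {   # service event from the page: no principal, only invokedBy
        "eventVersion": "1.08",
        "userIdentity": {"accountId": "111122223333", "invokedBy": "AWS Internal"},
        "eventTime": "2021-01-14T01:41:59Z", "eventSource": "kms.amazonaws.com",
        "eventName": "RotateKey", "awsRegion": "us-west-2",
        "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal",
        "requestParameters": None, "responseElements": None, "readOnly": False,
        "resources": [{"accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": KEY_ARN}],
        "eventType": "AwsServiceEvent", "recipientAccountId": "111122223333",
        "serviceEventDetails": {"rotationType": "AUTOMATIC",
                                "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
    },
]})


def principal(record):
    """Return a display string for who acted.

    Service events carry no ``type``/``arn`` in userIdentity, only ``invokedBy``;
    indexing ``userIdentity["arn"]`` unconditionally would raise KeyError on them.
    """
    ident = record.get("userIdentity", {})
    if record.get("eventType") == "AwsServiceEvent":
        return "service:" + ident.get("invokedBy", "unknown")
    return ident.get("arn", "unknown")


def resource_arns(record):
    """ARNs from the ``resources`` array (absent or null on many records)."""
    return [r["ARN"] for r in (record.get("resources") or []) if "ARN" in r]


def key_timeline(log_text, event_source="kms.amazonaws.com"):
    """Build resource ARN -> chronological [(eventTime, eventName, principal, detail)].

    ``detail`` is the rotationType for service events and "" otherwise. Entries are
    sorted by eventTime because a CloudTrail log file is not delivered in order.
    """
    timeline = {}
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != event_source:
            continue
        detail = ""
        if rec.get("eventType") == "AwsServiceEvent":
            detail = (rec.get("serviceEventDetails") or {}).get("rotationType", "")
        entry = (rec["eventTime"], rec["eventName"], principal(rec), detail)
        for arn in resource_arns(rec):
            timeline.setdefault(arn, []).append(entry)
    for entries in timeline.values():
        entries.sort()
    return timeline


if __name__ == "__main__":
    for arn, entries in key_timeline(SAMPLE_LOG).items():
        print(arn)
        for when, name, who, detail in entries:
            print(f"  {when}  {name:<18} {who}  {detail}")
```

Keying on `resources[].ARN` rather than on the principal is what makes the automatic rotation and the user's API call land in the same timeline; the same approach works for any other service that emits `AwsServiceEvent` records with a populated `resources` array.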

# AWS Management Console sign-in events
<a name="cloudtrail-event-reference-aws-console-sign-in-events"></a>

CloudTrail logs attempts to sign in to the AWS Management Console, the AWS Discussion Forums, and the AWS Support Center. All IAM user and root user sign-in events, as well as all federated user sign-in events, generate records in CloudTrail log files. For information about finding and viewing logs, see [Finding your CloudTrail log files](get-and-view-cloudtrail-log-files.md#cloudtrail-find-log-files) and [Downloading your CloudTrail log files](cloudtrail-read-log-files.md). 

You can use [AWS User Notifications](https://docs.aws.amazon.com/notifications/latest/userguide/what-is.html) to set up delivery channels to get notified about AWS CloudTrail events. You receive a notification when an event matches a rule that you specify. You can receive notifications for events through multiple channels, including email, [Amazon Q Developer in chat applications](https://docs.aws.amazon.com/chatbot/latest/adminguide/what-is.html) chat notifications, or [AWS Console Mobile Application](https://docs.aws.amazon.com/consolemobileapp/latest/userguide/what-is-consolemobileapp.html) push notifications. You can also see notifications in the [Console Notifications Center](https://console.aws.amazon.com/notifications/). User Notifications supports aggregation, which can reduce the number of notifications you receive during specific events.

**Note**  
The Region recorded in a `ConsoleLogin` event varies based on the user type and whether you use a global or Regional endpoint to sign in.  
+ If you sign in as the root user, CloudTrail records the event in us-east-1.
+ If you sign in with an IAM user and use the global endpoint, CloudTrail records the Region of the `ConsoleLogin` event as follows:
  + If an account alias cookie is present in the browser, CloudTrail records the `ConsoleLogin` event in one of the following Regions: us-east-2, eu-north-1, or ap-southeast-2. This is because the console proxy redirects the user based on the latency from the user sign-in location.
  + If an account alias cookie is not present in the browser, CloudTrail records the `ConsoleLogin` event in us-east-1. This is because the console proxy redirects back to the global sign-in.
+ If you sign in with an IAM user and use a [Regional endpoint](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints), CloudTrail records the `ConsoleLogin` event in the appropriate Region for the endpoint. For more information about AWS Sign-In endpoints, see [AWS Sign-In endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/signin-service.html).

Because of this, a query or detection rule that looks for `ConsoleLogin` events in a single Region can miss IAM user sign-ins; search across all Regions, or use a trail or event data store that covers all Regions.

**Topics**
+ [Example event records for IAM users](#cloudtrail-event-reference-aws-console-sign-in-events-iam-user)
+ [Example event records for root users](#cloudtrail-event-reference-aws-console-sign-in-events-root)
+ [Example event records for federated users](#cloudtrail-event-reference-aws-console-sign-in-events-federated-user)

## Example event records for IAM users
<a name="cloudtrail-event-reference-aws-console-sign-in-events-iam-user"></a>

The following examples show event records for several IAM user sign-in scenarios.

**Topics**
+ [IAM user, successful sign-in without MFA](#cloudtrail-aws-console-sign-in-events-iam-user-success)
+ [IAM user, successful sign-in with MFA](#cloudtrail-aws-console-sign-in-events-iam-user-mfa)
+ [IAM user, unsuccessful sign-in](#cloudtrail-aws-console-sign-in-events-iam-user-failure)
+ [IAM user, sign-in process checks for MFA (single MFA device type)](#cloudtrail-aws-console-sign-in-requires-mfa)
+ [IAM user, sign-in process checks for MFA (multiple MFA device types)](#cloudtrail-aws-console-sign-in-requires-mfa-multiple)

### IAM user, successful sign-in without MFA
<a name="cloudtrail-aws-console-sign-in-events-iam-user-success"></a>

The following record shows that a user named `Anaya` successfully signed in to the AWS Management Console without using multi-factor authentication (MFA). 

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLE6E4XEGITWATV6R",
        "arn": "arn:aws:iam::999999999999:user/Anaya",
        "accountId": "999999999999",
        "userName": "Anaya"
    },
    "eventTime": "2023-07-19T21:44:40Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromTB_us-east-1_examplee9aba7f8",
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "e1bf1000-86a4-4a78-81d7-EXAMPLE83102",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "999999999999",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
    }
}
```

### IAM user, successful sign-in with MFA
<a name="cloudtrail-aws-console-sign-in-events-iam-user-mfa"></a>

The following record shows that an IAM user named `Anaya` successfully signed in to the AWS Management Console using multi-factor authentication (MFA).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLE6E4XEGITWATV6R",
        "arn": "arn:aws:iam::999999999999:user/Anaya",
        "accountId": "999999999999",
        "userName": "Anaya"
    },
    "eventTime": "2023-07-19T22:01:30Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromTB_us-east-1_examplebde32f3c9",
        "MobileVersion": "No",
        "MFAIdentifier": "arn:aws:iam::999999999999:mfa/mfa-device",
        "MFAUsed": "Yes"
    },
    "eventID": "e1f76697-5beb-46e8-9cfc-EXAMPLEbde31",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "999999999999",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
    }
}
```

### IAM user, unsuccessful sign-in
<a name="cloudtrail-aws-console-sign-in-events-iam-user-failure"></a>

The following record shows an unsuccessful sign-in attempt from an IAM user named `Paulo`.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLE6E4XEGITWATV6R",
        "accountId": "123456789012",
        "accessKeyId": "",
        "userName": "Paulo"
    },
    "eventTime": "2023-07-19T22:01:20Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
    "errorMessage": "Failed authentication",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Failure"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromTB_us-east-1_examplebde32f3c9",
        "MobileVersion": "No",
        "MFAUsed": "Yes"
    },
    "eventID": "66c97220-2b7d-43b6-a7a0-EXAMPLEbae9c",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
    }
}
```

### IAM user, sign-in process checks for MFA (single MFA device type)
<a name="cloudtrail-aws-console-sign-in-requires-mfa"></a>

The following shows that the sign-in process checked whether multi-factor authentication (MFA) is required for an IAM user during sign-in. In this example, the `MfaType` value in `additionalEventData` is `Virtual MFA`. A single device type value such as `Virtual MFA` or `U2F MFA` indicates that the IAM user enabled either a single MFA device or multiple MFA devices of the same type.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLE6E4XEGITWATV6R",
        "accountId": "123456789012",
        "accessKeyId": "",
        "userName": "Alice"
    },
    "eventTime": "2023-07-19T22:01:26Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "CheckMfa",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
    "requestParameters": null,
    "responseElements": {
        "CheckMfa": "Success"
    },
    "additionalEventData": {
        "MfaType": "Virtual MFA"
    },
    "eventID": "7d8a0746-b2e7-44f5-9917-EXAMPLEfb77c",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
    }
}
```

### IAM user, sign-in process checks for MFA (multiple MFA device types)
<a name="cloudtrail-aws-console-sign-in-requires-mfa-multiple"></a>

The following shows that the sign-in process checked whether multi-factor authentication (MFA) is required for an IAM user during sign-in. In this example, the `MfaType` value is `Multiple MFA Devices`, which indicates that the IAM user enabled multiple MFA device types.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLE6E4XEGITWATV6R",
        "accountId": "123456789012",
        "accessKeyId": "",
        "userName": "Mary"
    },
    "eventTime": "2023-07-19T23:10:09Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "CheckMfa",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0",
    "requestParameters": null,
    "responseElements": {
        "CheckMfa": "Success"
    },
    "additionalEventData": {
        "MfaType": "Multiple MFA Devices"
    },
    "eventID": "19bd1a1c-76b1-4806-9d8f-EXAMPLE02a96",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "signin.aws.amazon.com"
    }
}
```

## Example event records for root users
<a name="cloudtrail-event-reference-aws-console-sign-in-events-root"></a>

The following examples show event records for several `root` user sign-in scenarios. When you sign in using the root user, CloudTrail records the `ConsoleLogin` event in us-east-1.

**Topics**
+ [Root user, successful sign-in without MFA](#cloudtrail-signin-root)
+ [Root user, successful sign-in with MFA](#cloudtrail-signin-root-mfa)
+ [Root user, unsuccessful sign-in](#cloudtrail-unsuccessful-signin-root)
+ [Root user, MFA changed](#cloudtrail-signin-mfa-changed-root)
+ [Root user, password changed](#cloudtrail-root-password-changed)

### Root user, successful sign-in without MFA
<a name="cloudtrail-signin-root"></a>

The following shows a successful sign-in event for a root user not using multi-factor authentication (MFA).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Root",
        "principalId": "111122223333",
        "arn": "arn:aws:iam::111122223333:root",
        "accountId": "111122223333",
        "accessKeyId": ""
    },
    "eventTime": "2023-07-12T13:35:31Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&nc2=h_ct&src=header-signin&state=hashArgsFromTB_ap-southeast-2_example80afacd389",
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "4217cc13-7328-4820-a90c-EXAMPLE8002e6",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "signin.aws.amazon.com"
    }
}
```

### Root user, successful sign-in with MFA
<a name="cloudtrail-signin-root-mfa"></a>

The following shows a successful sign-in event for a root user using multi-factor authentication (MFA).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Root",
        "principalId": "444455556666",
        "arn": "arn:aws:iam::444455556666:root",
        "accountId": "444455556666",
        "accessKeyId": ""
    },
    "eventTime": "2023-07-13T03:04:43Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "LoginTo": "https://ap-southeast-1.console.aws.amazon.com/ec2/home?region=ap-southeast-1&state=hashArgs%23Instances%3Av%3D3%3B%24case%3Dtags%3Atrue%255C%2Cclient%3Afalse%3B%24regex%3Dtags%3Afalse%255C%2Cclient%3Afalse&isauthcode=true",
        "MobileVersion": "No",
        "MFAIdentifier": "arn:aws:iam::444455556666:mfa/root-account-mfa-device",
        "MFAUsed": "Yes"
    },
    "eventID": "e0176723-ea76-4275-83a3-EXAMPLEf03fb",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "444455556666",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "signin.aws.amazon.com"
    }
}
```

### Root user, unsuccessful sign-in
<a name="cloudtrail-unsuccessful-signin-root"></a>

The following shows an unsuccessful sign-in event for a root user not using MFA.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Root",
        "principalId": "123456789012",
        "arn": "arn:aws:iam::123456789012:root",
        "accountId": "123456789012",
        "accessKeyId": ""
    },
    "eventTime": "2023-07-16T04:33:40Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
    "errorMessage": "Failed authentication",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Failure"
    },
    "additionalEventData": {
        "LoginTo": "https://us-east-1.console.aws.amazon.com/billing/home?region=us-east-1&state=hashArgs%23%2Faccount&isauthcode=true",
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "f28d4329-5050-480b-8de0-EXAMPLE07329",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "signin.aws.amazon.com"
    }
}
```

### Root user, MFA changed
<a name="cloudtrail-signin-mfa-changed-root"></a>

The following shows an example event for a root user changing multi-factor authentication (MFA) settings.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Root",
        "principalId": "111122223333",
        "arn": "arn:aws:iam::111122223333:root",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE4XX3IEV4PFQTH",
        "userName": "AWS ROOT USER",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-07-15T03:51:12Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-15T04:37:08Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "EnableMFADevice",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
    "requestParameters": {
        "userName": "AWS ROOT USER",
        "serialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device"
    },
    "responseElements": null,
    "requestID": "9b45cd4c-a598-41e7-9170-EXAMPLE535f0",
    "eventID": "b4f18d55-d36f-49a0-afcb-EXAMPLEc026b",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
}
```

### Root user, password changed
<a name="cloudtrail-root-password-changed"></a>

The following shows an example event for a root user changing their password.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Root",
        "principalId": "444455556666",
        "arn": "arn:aws:iam::444455556666:root",
        "accountId": "444455556666",
        "accessKeyId": "EXAMPLEAOTKEG44KPW5P",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-11-25T13:01:14Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2022-11-25T13:01:14Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "ChangePassword",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "c64254c2-e4ff-49c0-900e-EXAMPLE9e6d2",
    "eventID": "d059176c-4f4d-4a9e-b8d7-EXAMPLE2b7b3",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "444455556666",
    "eventCategory": "Management"
}
```

## Example event records for federated users
<a name="cloudtrail-event-reference-aws-console-sign-in-events-federated-user"></a>

The following examples show event records for federated users. Federated users are given temporary security credentials to access AWS resources through an [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) request.

The following shows an example event for a federation encryption request, recorded with the `eventName` `GetSigninToken`. The original access key ID is provided in the `accessKeyId` field of the `userIdentity` element. The `accessKeyId` field in the `responseElements` contains a new access key ID if the requested `sessionDuration` is passed in the encryption request; otherwise it contains the value of the original access key ID. 

**Note**  
In this example, the `mfaAuthenticated` value is `false` and the `MFAUsed` value is `No` because the request was made by a federated user. `mfaAuthenticated` is set to `true` and `MFAUsed` to `Yes` only when the request was made by an IAM user or root user using MFA. For a federated session, any MFA enforcement happened at the identity provider or in the `AssumeRole` call, outside this event, so these fields do not indicate whether the federated user authenticated with MFA.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "EXAMPLEUU4MH7OYK5ZCOA:JohnDoe",
        "arn": "arn:aws:sts::123456789012:assumed-role/roleName/JohnDoe",
        "accountId": "123456789012",
        "accessKeyId": "originalAccessKeyID",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "EXAMPLEUU4MH7OYK5ZCOA",
                "arn": "arn:aws:iam::123456789012:role/roleName",
                "accountId": "123456789012",
                "userName": "roleName"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-09-25T21:30:39Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-09-25T21:30:39Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "GetSigninToken",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Java/1.8.0_382",
    "requestParameters": null,
    "responseElements": {
        "credentials": {
            "accessKeyId": "accessKeyID"
        },
        "GetSigninToken": "Success"
    },
    "additionalEventData": {
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "1d66615b-a417-40da-a38e-EXAMPLE8c89b",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
    }
}
```

The following shows a successful sign-in event for a federated user not using multi-factor authentication (MFA).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "EXAMPLEPHCNW7ZCASLJOH:JohnDoe",
        "arn": "arn:aws:sts::123456789012:assumed-role/RoleName/JohnDoe",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "EXAMPLEPHCNW7ZCASLJOH",
                "arn": "arn:aws:iam::123456789012:role/RoleName",
                "accountId": "123456789012",
                "userName": "RoleName"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-09-22T16:15:47Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-09-22T16:15:47Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "b73f1ec6-c064-4cd3-ba83-EXAMPLE441d7",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
    }
}
```
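The IAM user, root user, and federated user records above differ in exactly the fields a detection rule has to branch on: `responseElements.ConsoleLogin` (`Success` or `Failure`), `additionalEventData.MFAUsed`, `userIdentity.type`, and, for the root user's IAM calls, `sessionContext.attributes.mfaAuthenticated`. The following Python is an added example (not part of the AWS documentation) of triage rules written against those fields for the three scenarios. `SAMPLE_LOG` is constructed from trimmed copies of this page's examples; the rule names and the `ROOT_CREDENTIAL_CHANGES` set (the two IAM calls shown above) are this example's own choices. A failed `ConsoleLogin` has no `arn`, and a federated `ConsoleLogin` always reports `MFAUsed: No`, so both cases are handled explicitly rather than letting them raise or false-positive.

```python
"""Triage console sign-in and root credential-change records from CloudTrail.

Added example, not from the AWS documentation. SAMPLE_LOG is a constructed
CloudTrail file whose records are trimmed copies of the IAM user, root user and
federated user examples on this page (one record per scenario).
"""
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "awsRegion": "us-east-1", "eventTime": "2023-07-19T21:44:40Z",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::999999999999:user/Anaya"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "awsRegion": "us-east-1", "eventTime": "2023-07-19T22:01:20Z", "errorMessage": "Failed authentication",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "Paulo"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "awsRegion": "us-east-1", "eventTime": "2023-07-13T03:04:43Z",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::444455556666:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes",
                             "MFAIdentifier": "arn:aws:iam::444455556666:mfa/root-account-mfa-device"}},
    {"eventType": "AwsApiCall", "eventName": "EnableMFADevice", "eventSource": "iam.amazonaws.com",
     "awsRegion": "us-east-1", "eventTime": "2023-07-15T04:37:08Z",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"serialNumber": "arn:aws:iam::111122223333:mfa/root-account-mfa-device"}},
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "awsRegion": "us-east-1", "eventTime": "2023-09-22T16:15:47Z",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/RoleName/JohnDoe",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/RoleName"},
                                         "attributes": {"mfaAuthenticated": "false"}}},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
]})

# IAM calls shown on this page by which the root user changes its own credentials.
ROOT_CREDENTIAL_CHANGES = {"EnableMFADevice", "ChangePassword"}


def actor(record):
    """Durable identity to key alerts on: the issuing role for role sessions (the
    session name after the role, e.g. JohnDoe, is caller-chosen), the ARN
    otherwise, or account/userName for failed sign-ins, which carry no ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn") or f"{ident.get('accountId')}/{ident.get('userName')}"


def triage(record):
    """Return [(rule, actor), ...] for one record; [] when nothing is notable.

    awsRegion is deliberately not filtered: IAM user ConsoleLogin events made
    through the global endpoint can land in us-east-2, eu-north-1 or ap-southeast-2.
    """
    ident = record.get("userIdentity", {})
    who, found = actor(record), []
    if record.get("eventType") == "AwsConsoleSignIn" and record.get("eventName") == "ConsoleLogin":
        outcome = (record.get("responseElements") or {}).get("ConsoleLogin")
        mfa_used = (record.get("additionalEventData") or {}).get("MFAUsed")
        if outcome == "Failure":
            found.append(("console_login_failure", who))
        if outcome == "Success" and ident.get("type") == "Root":
            found.append(("root_console_login", who))
        # MFAUsed is "No" for every federated (AssumedRole) session: MFA, if any, was
        # enforced by the identity provider or the AssumeRole call, outside this event.
        if outcome == "Success" and mfa_used == "No" and ident.get("type") in ("IAMUser", "Root"):
            found.append(("console_login_without_mfa", who))
    elif (record.get("eventType") == "AwsApiCall" and record.get("eventSource") == "iam.amazonaws.com"
          and ident.get("type") == "Root" and record.get("eventName") in ROOT_CREDENTIAL_CHANGES):
        attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
        if attrs.get("mfaAuthenticated") != "true":
            found.append(("root_credential_change_without_mfa", who))
    return found


def triage_log(log_text):
    """Run triage over a CloudTrail log file body; returns {rule: sorted unique actors}."""
    hits = {}
    for rec in json.loads(log_text)["Records"]:
        for rule, who in triage(rec):
            hits.setdefault(rule, set()).add(who)
    return {rule: sorted(actors) for rule, actors in hits.items()}


if __name__ == "__main__":
    for rule, actors in sorted(triage_log(SAMPLE_LOG).items()):
        print(f"{rule}: {', '.join(actors)}")
```

Run against the sample, the federated `ConsoleLogin` produces no finding even though it reports `MFAUsed: No`, while the root `EnableMFADevice` call is flagged because its session attributes show `mfaAuthenticated: false`; that is the distinction the note in the federated section describes.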