# Log AWS Secrets Manager events with AWS CloudTrail
<a name="monitoring-cloudtrail"></a>

AWS CloudTrail records all API calls to Secrets Manager as events, including calls made from the Secrets Manager console, as well as several service events for rotation, replication, and secret version deletion. For a list of the log entries that Secrets Manager records, see [CloudTrail entries](cloudtrail_log_entries.md).

You can use the CloudTrail console to view the last 90 days of recorded events. For an ongoing record of events in your AWS account, including events for Secrets Manager, create a trail so that CloudTrail delivers log files to an Amazon S3 bucket. See [Creating a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html). You can also configure CloudTrail to receive CloudTrail log files from [multiple AWS accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html) and [AWS Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html). 

You can configure other AWS services to further analyze and act upon the data collected in CloudTrail logs. See [AWS service integrations with CloudTrail logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations). You can also get notifications when CloudTrail publishes new log files to your Amazon S3 bucket. See [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html). 

**To retrieve Secrets Manager events from CloudTrail logs (console)**

1. Open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. Ensure that the console points to the Region where your events occurred. The console shows only those events that occurred in the selected Region. Choose the Region from the drop-down list in the upper-right corner of the console.

1. In the left-hand navigation pane, choose **Event history**. 

1. Choose **Filter** criteria and/or a **Time range** to help you find the event that you're looking for. For example:

   1. To see all Secrets Manager events, for **Lookup attributes**, choose **Event source**. Then, for **Enter event source**, choose **secretsmanager.amazonaws.com**.

   1. To see all events for a secret, for **Lookup attributes**, choose **Resource name**. Then, for **Enter a resource name**, enter the name of the secret.

1. To see additional details, choose the expand arrow next to the event. To see all of the information available, choose **View event**. 

## AWS CLI
<a name="monitoring-cloudtrail_cli"></a>

**Example Retrieve Secrets Manager events from CloudTrail logs**  
The following [lookup-events](https://docs.aws.amazon.com//cli/latest/reference/cloudtrail/lookup-events.html) example looks up Secrets Manager events in one Region by filtering on the event source.  

```
aws cloudtrail lookup-events \
    --region us-east-1 \
    --lookup-attributes AttributeKey=EventSource,AttributeValue=secretsmanager.amazonaws.com
```

# AWS CloudTrail entries for Secrets Manager
<a name="cloudtrail_log_entries"></a>

AWS Secrets Manager writes entries to your AWS CloudTrail log for all Secrets Manager operations and for other events related to rotation and deletion. For information about taking action on these events, see [Match Secrets Manager events with EventBridge](monitoring-eventbridge.md). 

**Topics**
+ [Log entries for Secrets Manager operations](#cloudtrail_log_entries_operations)
+ [Log entries for deletion](#cloudtrail_log_entries_deletion)
+ [Log entries for replication](#cloudtrail_log_entries_replication)
+ [Log entries for rotation](#cloudtrail_log_entries_rotation)

## Log entries for Secrets Manager operations
<a name="cloudtrail_log_entries_operations"></a>

Events that are generated by calls to Secrets Manager operations have `"detail-type": ["AWS API Call via CloudTrail"]`. 

**Note**  
Before February 2024, some Secrets Manager operations reported events that contained "aRN" instead of "arn" for the secret ARN. For more information, see [AWS re:Post](https://repost.aws/knowledge-center/secrets-manager-arn).

The following are CloudTrail entries generated when you or a service call Secrets Manager operations through the API, SDK, or CLI.

**BatchGetSecretValue**  
Generated by the [BatchGetSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html) operation. For information about retrieving secrets, see [Get secrets from AWS Secrets Manager](retrieving-secrets.md). 

**CancelRotateSecret**  
Generated by the [CancelRotateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CancelRotateSecret.html) operation. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md). 

**CreateSecret**  
Generated by the [CreateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html) operation. For information about creating secrets, see [Manage secrets with AWS Secrets Manager](managing-secrets.md).

**DeleteResourcePolicy**  
Generated by the [DeleteResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteResourcePolicy.html) operation. For information about permissions, see [Authentication and access control for AWS Secrets Manager](auth-and-access.md). 

**DeleteSecret**  
Generated by the [DeleteSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html) operation. For information about deleting secrets, see [Delete an AWS Secrets Manager secret](manage_delete-secret.md). 

**DescribeSecret**  
Generated by the [DescribeSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html) operation. 

**GetRandomPassword**  
Generated by the [GetRandomPassword](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetRandomPassword.html) operation. 

**GetResourcePolicy**  
Generated by the [GetResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetResourcePolicy.html) operation. For information about permissions, see [Authentication and access control for AWS Secrets Manager](auth-and-access.md).

**GetSecretValue**  
Generated by the [GetSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html) and [BatchGetSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html) operations. For information about retrieving secrets, see [Get secrets from AWS Secrets Manager](retrieving-secrets.md).

**ListSecrets**  
Generated by the [ListSecrets](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ListSecrets.html) operation. For information about listing secrets, see [Find secrets in AWS Secrets Manager](manage_search-secret.md).

**ListSecretVersionIds**  
Generated by the [ListSecretVersionIds](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ListSecretVersionIds.html) operation.

**PutResourcePolicy**  
Generated by the [PutResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_PutResourcePolicy.html) operation. For information about permissions, see [Authentication and access control for AWS Secrets Manager](auth-and-access.md). 

**PutSecretValue**  
Generated by the [PutSecretValue](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_PutSecretValue.html) operation. For information about updating a secret, see [Modify an AWS Secrets Manager secret](manage_update-secret.md).

**RemoveRegionsFromReplication**  
Generated by the [RemoveRegionsFromReplication](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RemoveRegionsFromReplication.html) operation. For information about replicating a secret, see [Replicate AWS Secrets Manager secrets across Regions](replicate-secrets.md). 

**ReplicateSecretToRegions**  
Generated by the [ReplicateSecretToRegions](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ReplicateSecretToRegions.html) operation. For information about replicating a secret, see [Replicate AWS Secrets Manager secrets across Regions](replicate-secrets.md). 

**RestoreSecret**  
Generated by the [RestoreSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RestoreSecret.html) operation. For information about restoring a deleted secret, see [Restore an AWS Secrets Manager secret](manage_restore-secret.md). 

**RotateSecret**  
Generated by the [RotateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RotateSecret.html) operation. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md). 

**StopReplicationToReplica**  
Generated by the [StopReplicationToReplica](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_StopReplicationToReplica.html) operation. For information about replicating a secret, see [Replicate AWS Secrets Manager secrets across Regions](replicate-secrets.md). 

**TagResource**  
Generated by the [TagResource](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_TagResource.html) operation. For information about tagging a secret, see [Tagging secrets in AWS Secrets Manager](managing-secrets_tagging.md).

**UntagResource**  
Generated by the [UntagResource](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_UntagResource.html) operation. For information about untagging a secret, see [Tagging secrets in AWS Secrets Manager](managing-secrets_tagging.md).

**UpdateSecret**  
Generated by the [UpdateSecret](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_UpdateSecret.html) operation. For information about updating a secret, see [Modify an AWS Secrets Manager secret](manage_update-secret.md).

**UpdateSecretVersionStage**  
Generated by the [UpdateSecretVersionStage](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_UpdateSecretVersionStage.html) operation. For information about version stages, see [Secret versions](whats-in-a-secret.md#term_version). 

**ValidateResourcePolicy**  
Generated by the [ValidateResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ValidateResourcePolicy.html) operation. For information about permissions, see [Authentication and access control for AWS Secrets Manager](auth-and-access.md).

## Log entries for deletion
<a name="cloudtrail_log_entries_deletion"></a>

In addition to events for Secrets Manager operations, Secrets Manager generates the following events related to deletion. These events have `"detail-type": ["AWS Service Event via CloudTrail"]`.

**CancelSecretVersionDelete**  
Generated by the Secrets Manager service. If you call `DeleteSecret` on a secret that has versions, and then later call `RestoreSecret`, Secrets Manager logs this event for each secret version that was restored. For information about restoring a deleted secret, see [Restore an AWS Secrets Manager secret](manage_restore-secret.md). 

**EndSecretVersionDelete**  
Generated by the Secrets Manager service when a secret version is deleted. For more information, see [Delete an AWS Secrets Manager secret](manage_delete-secret.md).

**StartSecretVersionDelete**  
Generated by the Secrets Manager service when Secrets Manager starts deletion for a secret version. For information about deleting secrets, see [Delete an AWS Secrets Manager secret](manage_delete-secret.md).

**SecretVersionDeletion**  
Generated by the Secrets Manager service when Secrets Manager deletes a deprecated secret version. For more information, see [Secret versions](whats-in-a-secret.md#term_version).

## Log entries for replication
<a name="cloudtrail_log_entries_replication"></a>

In addition to events for Secrets Manager operations, Secrets Manager generates the following events related to replication. These events have `"detail-type": ["AWS Service Event via CloudTrail"]`.

**ReplicationFailed**  
Generated by the Secrets Manager service when replication fails. For information about replicating a secret, see [Replicate AWS Secrets Manager secrets across Regions](replicate-secrets.md).

**ReplicationStarted**  
Generated by the Secrets Manager service when Secrets Manager starts replicating a secret. For information about replicating a secret, see [Replicate AWS Secrets Manager secrets across Regions](replicate-secrets.md).

**ReplicationSucceeded**  
Generated by the Secrets Manager service when a secret is successfully replicated. For information about replicating a secret, see [Replicate AWS Secrets Manager secrets across Regions](replicate-secrets.md).

## Log entries for rotation
<a name="cloudtrail_log_entries_rotation"></a>

In addition to events for Secrets Manager operations, Secrets Manager generates the following events related to rotation. These events have `"detail-type": ["AWS Service Event via CloudTrail"]`.

**RotationStarted**  
Generated by the Secrets Manager service when Secrets Manager starts rotating a secret. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md).

**RotationAbandoned**  
Generated by the Secrets Manager service when Secrets Manager abandons a rotation attempt and removes the `AWSPENDING` label from an existing version of a secret. Secrets Manager abandons rotation when you create a new version of a secret during rotation. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md).

**RotationFailed**  
Generated by the Secrets Manager service when rotation fails. For information about rotation, see [Troubleshoot AWS Secrets Manager rotation](troubleshoot_rotation.md).

**RotationSucceeded**  
Generated by the Secrets Manager service when a secret is successfully rotated. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md).

**TestRotationStarted**  
Generated by the Secrets Manager service when Secrets Manager starts testing rotation for a secret that is not scheduled for immediate rotation. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md).

**TestRotationSucceeded**  
Generated by the Secrets Manager service when Secrets Manager successfully tests rotation for a secret that is not scheduled for immediate rotation. For information about rotation, see [Rotate AWS Secrets Manager secrets](rotating-secrets.md).

**TestRotationFailed**  
Generated by the Secrets Manager service when Secrets Manager tests rotation for a secret that is not scheduled for immediate rotation and rotation failed. For information about rotation, see [Troubleshoot AWS Secrets Manager rotation](troubleshoot_rotation.md).
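As an added example (not AWS's code and not part of this documentation), the following Python triages the records in one CloudTrail log file using the event names and groups listed above: it keeps only `secretsmanager.amazonaws.com` events, sorts service events into the deletion, replication and rotation groups, flags the failure events and any `GetSecretValue`/`BatchGetSecretValue` call from a principal outside an allow list, and reads the secret ARN under either spelling so records written before February 2024 with `aRN` are still handled. The sample records are constructed, and the placement of the mis-cased key in `responseElements` is an assumption.

```python
import json
# Event names as listed on this page, grouped as the page groups them.
SERVICE_EVENTS = {
    "deletion": {"CancelSecretVersionDelete", "EndSecretVersionDelete",
                 "StartSecretVersionDelete", "SecretVersionDeletion"},
    "replication": {"ReplicationFailed", "ReplicationStarted", "ReplicationSucceeded"},
    "rotation": {"RotationStarted", "RotationAbandoned", "RotationFailed", "RotationSucceeded",
                 "TestRotationStarted", "TestRotationSucceeded", "TestRotationFailed"},
}
VALUE_READS = {"GetSecretValue", "BatchGetSecretValue"}

def secret_arn(record):
    """Secret ARN from responseElements; also accepts the pre-February-2024 'aRN' key (assumed location)."""
    resp = record.get("responseElements") or {}
    return next((resp[k] for k in ("arn", "aRN", "ARN") if k in resp), None)

def category(record):
    """'api-call' for API events, else the page's group name for the service event."""
    if record.get("eventType") != "AwsServiceEvent":  # eventType is CloudTrail's own field
        return "api-call"
    return next((c for c, names in SERVICE_EVENTS.items() if record["eventName"] in names), "service-other")

def triage(log_file_json, allowed_readers):
    """Return (counts per category, findings) for the Secrets Manager records in one log file."""
    counts, findings = {}, []
    for r in json.loads(log_file_json)["Records"]:
        if r.get("eventSource") != "secretsmanager.amazonaws.com":
            continue  # events from other services are out of scope here
        cat, name = category(r), r["eventName"]
        counts[cat] = counts.get(cat, 0) + 1
        actor = r.get("userIdentity", {}).get("arn", "service")
        target = (r.get("requestParameters") or {}).get("secretId") or secret_arn(r) or "?"
        if name.endswith("Failed"):  # ReplicationFailed, RotationFailed, TestRotationFailed
            findings.append((name, target, "service reported failure"))
        elif name in VALUE_READS and actor not in allowed_readers:
            findings.append((name, target, f"secret value read by {actor}"))
    return counts, findings

def rec(name, etype="AwsApiCall", **fields):  # constructed record, not real data
    return {"eventSource": "secretsmanager.amazonaws.com", "eventName": name, "eventType": etype, **fields}
APP, ALICE = "arn:aws:sts::123456789012:assumed-role/app-role/i-0a1b2c", "arn:aws:iam::123456789012:user/alice"
SAMPLE = json.dumps({"Records": [  # constructed sample log file in CloudTrail's {"Records": [...]} layout
    rec("GetSecretValue", userIdentity={"arn": APP}, requestParameters={"secretId": "prod/db"}),
    rec("GetSecretValue", userIdentity={"arn": ALICE}, requestParameters={"secretId": "prod/db"}),
    rec("CreateSecret", userIdentity={"arn": ALICE}, requestParameters={"name": "prod/api-key"},
        responseElements={"aRN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/api-key-EXAMPLE"}),
    rec("RotationFailed", "AwsServiceEvent",
        responseElements={"arn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-EXAMPLE"}),
    rec("StartSecretVersionDelete", "AwsServiceEvent"),
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "eventType": "AwsApiCall"},
]})
```

Running `triage(SAMPLE, {APP})` reports the read by the IAM user and the failed rotation; pointing it at the files a trail delivers to S3 gives the same triage over real records.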