AWS CloudTrail provides more granular control of data event logging through advanced event selectors

Posted on: Dec 4, 2020

AWS CloudTrail now provides more granular control of data event logging with advanced event selectors. Data events provide visibility into the data plane resource operations performed on or within a resource. You can currently log data events on two resource types: Amazon S3 object-level API activity (e.g. GetObject, DeleteObject, and PutObject API operations), and AWS Lambda function execution activity (the Invoke API). With advanced event selectors, you can include or exclude values on fields such as EventSource, EventName, and ResourceARN. Advanced event selectors also support including or excluding values with pattern matching on partial strings, similar to regular expressions, providing more control over which CloudTrail data events you want to log and pay for. For example, you can log S3 DeleteObject APIs to narrow the CloudTrail events you receive to only destructive actions, enabling you to identify security issues while controlling costs. If you detect unauthorized activity, you can also take immediate action to restrict access.
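As an added example (not code from the AWS announcement), the following Python builds the advanced event selector document for the "only S3 DeleteObject" case described above and checks a few constructed sample events against it. The field names (`eventCategory`, `eventName`, `resources.type`, `resources.ARN`) and operators (`Equals`, `StartsWith`, and their negations) are those of the CloudTrail `PutEventSelectors` API; the bucket name, the flattened event dictionaries and the `selector_logs_event` matcher are assumptions made for illustration, the matcher being a local approximation of how CloudTrail applies selectors rather than the service's own code.

```python
import json

# Advanced event selector: log only S3 DeleteObject data events on one bucket.
# "example-bucket" is a constructed placeholder, not a real bucket.
DELETE_ONLY_SELECTOR = [
    {
        "Name": "S3 DeleteObject only on example-bucket",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "eventName", "Equals": ["DeleteObject"]},
            {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::example-bucket/"]},
        ],
    }
]

# Operator semantics as documented for advanced event selectors: a field
# selector may carry several operators, and every operator present must hold.
OPERATORS = {
    "Equals": lambda v, opts: v in opts,
    "NotEquals": lambda v, opts: v not in opts,
    "StartsWith": lambda v, opts: any(v.startswith(o) for o in opts),
    "NotStartsWith": lambda v, opts: not any(v.startswith(o) for o in opts),
    "EndsWith": lambda v, opts: any(v.endswith(o) for o in opts),
    "NotEndsWith": lambda v, opts: not any(v.endswith(o) for o in opts),
}


def field_selector_matches(event, field_selector):
    """Return True if the event's value for this field satisfies every operator."""
    value = event.get(field_selector["Field"], "")
    for op, check in OPERATORS.items():
        if op in field_selector and not check(value, field_selector[op]):
            return False
    return True


def selector_logs_event(event, advanced_selectors):
    """Local approximation (assumption): an event is logged when all field
    selectors of at least one advanced event selector match it."""
    return any(
        all(field_selector_matches(event, fs) for fs in sel["FieldSelectors"])
        for sel in advanced_selectors
    )


def to_cli_json(advanced_selectors):
    """Serialise the selectors for `aws cloudtrail put-event-selectors
    --advanced-event-selectors file://selectors.json`."""
    return json.dumps(advanced_selectors, indent=2)


# Constructed sample events, flattened to the selector field names.
SAMPLE_EVENTS = {
    "delete_in_scope": {
        "eventCategory": "Data", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject", "resources.type": "AWS::S3::Object",
        "resources.ARN": "arn:aws:s3:::example-bucket/reports/q4.csv",
    },
    "get_in_scope": {
        "eventCategory": "Data", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "resources.type": "AWS::S3::Object",
        "resources.ARN": "arn:aws:s3:::example-bucket/reports/q4.csv",
    },
    "delete_other_bucket": {
        "eventCategory": "Data", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject", "resources.type": "AWS::S3::Object",
        "resources.ARN": "arn:aws:s3:::other-bucket/notes.txt",
    },
    "lambda_invoke": {
        "eventCategory": "Data", "eventSource": "lambda.amazonaws.com",
        "eventName": "Invoke", "resources.type": "AWS::Lambda::Function",
        "resources.ARN": "arn:aws:lambda:us-east-1:123456789012:function:example-fn",
    },
}


if __name__ == "__main__":
    print(to_cli_json(DELETE_ONLY_SELECTOR))
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name}: logged={selector_logs_event(event, DELETE_ONLY_SELECTOR)}")
```

Write the output of `to_cli_json` to a file and pass it to `aws cloudtrail put-event-selectors --trail-name <trail> --advanced-event-selectors file://selectors.json`; only the in-scope DeleteObject event is selected, while reads on the same bucket, deletes on other buckets and Lambda invocations are left out of the data event volume you pay for.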

You can start using advanced event selectors with the AWS CloudTrail console, AWS CLI, and SDKs. When you create a new trail (recommended) or edit an existing trail, you can configure which events and resources you wish to capture. CloudTrail advanced event selectors are available in all commercial regions where AWS CloudTrail is available, except for regions in China. For more information, see the AWS Region table. To get started with advanced event selectors, see our documentation. Visit our product page for more information about AWS CloudTrail, and our pricing page to learn more about data event pricing.