AWS CloudTrail Lake announces enhanced event filtering

Posted on: Nov 11, 2024

AWS enhances event filtering in AWS CloudTrail Lake, a managed data lake that helps you capture, immutably store, access, and analyze your activity logs, as well as AWS Config configuration items. Enhanced event filtering expands upon existing filtering capabilities, giving you even greater control over which CloudTrail events are ingested into your event data stores. This enhancement increases the efficiency and precision of your security, compliance, and operational investigations while helping reduce costs.

You can now filter both management and data events by the following new attributes:

  • eventSource: The service that the request was made to
  • eventType: Type of event that generated the event record (e.g., AwsApiCall, AwsServiceEvent)
  • userIdentity.arn: IAM entity that made the request
  • sessionCredentialFromConsole: Whether the event originated from an AWS Management Console session

For management events, you can additionally filter by eventName, which identifies the requested API action.

For each of these attributes, you can specify values to include or exclude. For example, you can now filter CloudTrail events based on the userIdentity.arn attribute to exclude events generated by specific IAM roles or users, such as a dedicated IAM role used by a service that performs frequent API calls for monitoring purposes. This allows you to significantly reduce the volume of CloudTrail events ingested into CloudTrail Lake, lowering costs while maintaining visibility into relevant user and system activities.
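The userIdentity.arn exclusion described above, as an added example that is not AWS code: it builds a selector in the shape of the CloudTrail `AdvancedEventSelectors` parameter and previews which events it would drop. The account ID, role name and sample events are constructed, and the evaluator is a simplified local model of selector matching (conditions in one selector ANDed, selectors ORed), not the service's implementation.

```python
import json

# Constructed placeholder: account ID and role name are hypothetical.
# Calls made through a role carry an STS assumed-role ARN with a session suffix.
MONITOR_PREFIX = "arn:aws:sts::111122223333:assumed-role/MonitoringPollerRole/"

# Same shape as the AdvancedEventSelectors parameter of the CloudTrail API.
SELECTORS = [{
    "Name": "Management events except the monitoring role",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]},
        {"Field": "userIdentity.arn", "NotStartsWith": [MONITOR_PREFIX]},
    ],
}]

# Simplified local model of the operators used above (assumption, not AWS code).
OPS = {
    "Equals": lambda v, xs: v in xs,
    "NotEquals": lambda v, xs: v not in xs,
    "StartsWith": lambda v, xs: any(v.startswith(x) for x in xs),
    "NotStartsWith": lambda v, xs: not any(v.startswith(x) for x in xs),
}

def field(event, dotted):
    """Resolve a dotted selector field such as userIdentity.arn."""
    cur = event
    for key in dotted.split("."):
        cur = cur.get(key, "") if isinstance(cur, dict) else ""
    return str(cur)

def ingested(event, selectors=SELECTORS):
    """True if any selector matches; conditions inside a selector are ANDed."""
    return any(all(OPS[op](field(event, fs["Field"]), vals)
                   for fs in sel["FieldSelectors"]
                   for op, vals in fs.items() if op != "Field")
               for sel in selectors)

# Constructed sample events, reduced to the fields the selector reads.
SAMPLE = [
    {"eventCategory": "Management", "eventName": "DescribeInstances",
     "userIdentity": {"arn": MONITOR_PREFIX + "poll-1"}},
    {"eventCategory": "Management", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": MONITOR_PREFIX + "poll-2"}},
    {"eventCategory": "Management", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]

def dropped_event_names(events=SAMPLE):
    return [e["eventName"] for e in events if not ingested(e)]

if __name__ == "__main__":
    print(json.dumps(SELECTORS, indent=2))
    print("Would not be ingested:", dropped_event_names())
```

The preview shows that the exclusion removes every call made through the role, write actions included, so pair it with another record of that role's activity if investigations may need it.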

Enhanced event filtering is available in all AWS Regions where AWS CloudTrail Lake is supported, at no additional charge. To learn more, visit the AWS CloudTrail documentation.