How do I know which user made a particular change to my AWS infrastructure?

Last updated: 2021-11-10

I want to track which users are changing my AWS resources and infrastructure.

Resolution

You can use AWS CloudTrail to track which users are changing your AWS resources and infrastructure. CloudTrail is turned on by default for your AWS account. For an ongoing record of events in your AWS account, create a trail. Using a trail, CloudTrail creates logs of API calls made on your account and then delivers those logs to an Amazon Simple Storage Service (Amazon S3) bucket that you specify.

To view your log files, do the following:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Trails.
  3. Select the S3 bucket value for the trail you want to view. The Amazon S3 console opens and shows that bucket at the top level of the log file hierarchy.
  4. Choose the folder for the AWS Region where you want to review log files.
  5. Navigate the bucket folder structure to the year, the month, and the day where you want to review logs of activity in that Region.
  6. Select the file name, and then choose Download.
  7. Unzip the file, and then use your favorite JSON file viewer to see the log.

The log file contains the AWS Identity and Access Management (IAM) user, the date and time of login, and whether the login was successful. For additional information on the content and structure of the CloudTrail log files, see CloudTrail log event reference.
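Once a log file has been downloaded as in the steps above, the question "who changed what" is a filter over its Records array. The following is an added example (not AWS tooling or code from this article) that reads a downloaded .json.gz file, keeps only calls that are not read-only, and names the principal behind each one, resolving assumed-role sessions to their role name. The sample records, account ID and role names are constructed; the readOnly, userIdentity, eventName and errorCode fields are standard CloudTrail record fields.

```python
import gzip
import json

# Constructed sample of a CloudTrail log file body (fake account ID, users and roles).
# Real downloaded files are gzipped JSON with the same top-level "Records" key.
SAMPLE_LOG = {"Records": [
    {"eventTime": "2021-11-10T09:14:02Z", "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2021-11-10T09:15:30Z", "eventName": "AuthorizeSecurityGroupIngress",
     "readOnly": False, "userIdentity": {"type": "IAMUser", "userName": "alice",
                                         "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2021-11-10T09:20:11Z", "eventName": "DeleteUser", "readOnly": False,
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Deploy/ci-session",
                      "sessionContext": {"sessionIssuer": {"userName": "Deploy"}}}},
]}

def write_sample_file(path):
    """Write SAMPLE_LOG in the gzipped form the S3 bucket delivers, for a local dry run."""
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        json.dump(SAMPLE_LOG, fh)

def load_records(path):
    """Read a downloaded CloudTrail file (.json.gz or plain .json) and return its Records list."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]

def actor(record):
    """Who acted: the IAM user name, or the role name behind an assumed-role session."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "IAMUser":
        return ident.get("userName") or ident.get("arn", "unknown")
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def changes(records):
    """(eventTime, actor, eventName, outcome) for each call that could change a resource.
    Records without the readOnly flag are treated as changes unless the name looks like a read."""
    rows = []
    for r in records:
        read_only = r.get("readOnly")
        if read_only is None:
            read_only = r["eventName"].startswith(("Describe", "Get", "List"))
        if not read_only:
            rows.append((r["eventTime"], actor(r), r["eventName"], r.get("errorCode", "Succeeded")))
    return sorted(rows)
```

Denied calls are kept on purpose: a failed DeleteUser from a CI role is often more interesting than a successful one.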

For additional instructions on using CloudTrail to analyze your account activity, see Working with CloudTrail.