What are the differences between data and management events in CloudTrail?

Last updated: 2020-06-11

I want to understand the differences between data and management events in AWS CloudTrail.

Resolution

CloudTrail data events

CloudTrail data events are disabled by default. You can enable logging at an additional cost. Data events are also known as data plane operations and are often high-volume activities. Data events aren't viewable in CloudTrail event history and are charged for all copies at a reduced rate compared to management events. For instructions to log data events to an Amazon Simple Storage Service (Amazon S3) bucket, see Logging Data Events with the AWS Management Console.

Note: You must have a trail enabled to log to an S3 bucket.

CloudTrail management events

CloudTrail records management events for the last 90 days free of charge, and you can view them in Event History in the CloudTrail console. For Amazon S3 delivery of CloudTrail events, the first copy delivered is free. Additional copies of management events are charged. Management events are also known as control plane operations. For more information, see Viewing Events with CloudTrail Event History.

View CloudTrail data and management events beyond 90 days using Amazon Athena

You can use Athena to view CloudTrail data and management events beyond 90 days in log files stored in Amazon S3 buckets. For instructions, see How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?

-or-

Manually create the table for CloudTrail logs in Athena.
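Each record in a log file that a trail delivers to Amazon S3 identifies its own type, so you can confirm that data event logging is actually in effect. The following Python script is an added example, not AWS code: it assumes the `managementEvent` and `eventCategory` record fields and the `{"Records": [...]}` file layout, and it runs on constructed sample records.

```python
import gzip
import json
from collections import Counter

# Constructed sample log file content (not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "managementEvent": True,
     "eventCategory": "Management"},
    {"eventVersion": "1.08", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "managementEvent": False,
     "eventCategory": "Data"},
    {"eventVersion": "1.08", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "managementEvent": False,
     "eventCategory": "Data"},
    # Older record version that carries neither field.
    {"eventVersion": "1.05", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser"},
]}).encode()


def classify(record):
    """Return the record's category, or 'Unknown' if it cannot be told."""
    category = record.get("eventCategory")
    if category:
        return category  # "Management", "Data" or "Insight"
    flag = record.get("managementEvent")
    if flag is True:
        return "Management"
    if flag is False:
        return "Data"  # assumption: no category and not management
    return "Unknown"


def summarize(raw):
    """Tally categories and list the data events found in one log file."""
    if raw[:2] == b"\x1f\x8b":  # log files in S3 are gzip-compressed
        raw = gzip.decompress(raw)
    records = json.loads(raw).get("Records", [])
    counts = Counter(classify(r) for r in records)
    data_events = sorted(
        f'{r["eventSource"]}:{r["eventName"]}'
        for r in records if classify(r) == "Data")
    return counts, data_events


if __name__ == "__main__":
    counts, data_events = summarize(gzip.compress(SAMPLE_LOG))
    print(dict(counts))
    print(data_events)
```

A data count of zero across a trail's recent log files means that no data events were logged in that period, which is the default until data event logging is enabled on the trail.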

For information on the additional costs associated with data and management events, see AWS CloudTrail pricing.

For a list of supported logging events, see CloudTrail Supported Services and Integrations.

To review CloudTrail event history and query event logs, see How can I use CloudTrail to review what API calls and actions have occurred in my AWS account?

