What are the differences between data events and management events in CloudTrail?

Last updated: 2022-01-10

I want to understand the differences between data events and management events in AWS CloudTrail. How are the two types of CloudTrail events different?

Resolution

CloudTrail data events

CloudTrail data events (also known as "data plane operations") record the operations performed on or within a resource in your AWS account. These are typically high-volume operations, which is why they are not logged by default and are billed separately from management events.

Example data events

  • Amazon Simple Storage Service (Amazon S3) object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations)
  • AWS Lambda function invocation activity (the Invoke API operation, which CloudTrail records with the event name Invoke; the matching IAM action is lambda:InvokeFunction)
  • Amazon DynamoDB object-level API activity on tables (for example, PutItem, DeleteItem, and UpdateItem API operations)

Viewing data events

By default, trails don't log data events, and data events aren't viewable in CloudTrail Event history. To activate data event logging, you must explicitly add the supported resources or resource types to a trail.

For instructions to activate data event logging, see Logging data events for trails.

For instructions to view data events, see Getting and viewing your CloudTrail log files.

Note: Additional charges apply for logging data events. For more information, see AWS CloudTrail pricing.
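Because every object-level or invocation-level call becomes a billable record once data events are on, practitioners usually scope them to the resources that matter rather than to the whole account. The following is an added example, not code from the original article or from AWS: it builds advanced event selectors that keep management events and add data events for one S3 bucket and one Lambda function, and includes a small local approximation of selector matching so you can check what such a trail would record before applying it. The trail name, bucket name and function ARN are placeholders; apply_to_trail() needs real credentials and is not called offline.

```python
"""Scope CloudTrail data event logging with advanced event selectors.

Added example; not code from the original article or from AWS. Bucket,
function and trail names are placeholders. would_be_logged() is a local
approximation of how CloudTrail evaluates selectors (Equals/StartsWith
only), meant for reasoning about scope, not a reimplementation of AWS.
"""
from __future__ import annotations


def build_event_selectors(bucket_name: str, function_arn: str) -> list[dict]:
    """Selectors that keep management events and add data events for exactly
    one S3 bucket and one Lambda function."""
    return [
        {
            "Name": "Management events",
            "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}],
        },
        {
            "Name": f"S3 object-level events in {bucket_name}",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                # Trailing slash: objects in this bucket only, not objects in a
                # bucket whose name merely begins with the same string.
                {"Field": "resources.ARN", "StartsWith": [f"arn:aws:s3:::{bucket_name}/"]},
            ],
        },
        {
            "Name": "Invocations of one Lambda function",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]},
                {"Field": "resources.ARN", "Equals": [function_arn]},
            ],
        },
    ]


def _field_matches(fs: dict, value: str | None) -> bool:
    """Evaluate one FieldSelector against a record field (None means absent)."""
    if value is None:
        return False
    if "Equals" in fs and value not in fs["Equals"]:
        return False
    if "StartsWith" in fs and not any(value.startswith(p) for p in fs["StartsWith"]):
        return False
    return True


def would_be_logged(selectors: list[dict], record_fields: dict) -> bool:
    """True when at least one selector matches all of its fields.

    record_fields is keyed by selector field name, e.g. {"eventCategory": "Data",
    "resources.type": "AWS::S3::Object", "resources.ARN": "arn:aws:s3:::b/key"}.
    """
    return any(
        all(_field_matches(fs, record_fields.get(fs["Field"])) for fs in sel["FieldSelectors"])
        for sel in selectors
    )


def apply_to_trail(trail_name: str, selectors: list[dict]) -> dict:
    """Push the selectors to a real trail (needs credentials with
    cloudtrail:PutEventSelectors). boto3 is imported lazily so the offline
    checks above run without it installed."""
    import boto3

    return boto3.client("cloudtrail").put_event_selectors(
        TrailName=trail_name, AdvancedEventSelectors=selectors
    )


# Constructed records, in selector field names, used to probe the scope.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:ingest"
SAMPLE_CHECKS = {
    "PutObject into audit-logs-prod": {"eventCategory": "Data", "resources.type": "AWS::S3::Object",
        "resources.ARN": "arn:aws:s3:::audit-logs-prod/2022/01/10/events.json.gz"},
    "GetObject from audit-logs-prod-backup": {"eventCategory": "Data", "resources.type": "AWS::S3::Object",
        "resources.ARN": "arn:aws:s3:::audit-logs-prod-backup/events.json.gz"},
    "Invoke of the scoped function": {"eventCategory": "Data",
        "resources.type": "AWS::Lambda::Function", "resources.ARN": FUNCTION_ARN},
    "PutItem on a DynamoDB table": {"eventCategory": "Data", "resources.type": "AWS::DynamoDB::Table",
        "resources.ARN": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"},
    "CreateUser (management event)": {"eventCategory": "Management"},
}

if __name__ == "__main__":
    selectors = build_event_selectors("audit-logs-prod", FUNCTION_ARN)
    for label, fields in SAMPLE_CHECKS.items():
        print(f"{label}: {'logged' if would_be_logged(selectors, fields) else 'not logged'}")
    # apply_to_trail("my-trail", selectors)  # run only with credentials
```

The backup-bucket probe is the edge case worth noticing: without the trailing slash in the StartsWith prefix, `audit-logs-prod-backup` would also match and every object call against it would be logged and billed.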

CloudTrail management events

CloudTrail management events (also known as "control plane operations") show management operations that are performed on resources in your AWS account.

Example management events

  • Creating an Amazon Simple Storage Service (Amazon S3) bucket
  • Creating and managing AWS Identity and Access Management (IAM) resources
  • Registering devices
  • Configuring routing table rules
  • Setting up logging

Viewing management events

By default, trails log management events for all AWS services. You can review and download the most recent 90 days of your account's management events free of charge using CloudTrail Event history or the LookupEvents API.

For more information, see Logging management events for trails.

Note: You can deliver one copy of your ongoing management events to Amazon S3 free of charge by creating a trail. A trail lets you retain events in Amazon S3 beyond the 90-day Event history window, for as long as your bucket's retention settings allow. Additional copies of management events (for example, a second trail that also logs them) incur a charge. For more information, see AWS CloudTrail pricing.

To view CloudTrail data events and management events stored in your Amazon S3 bucket after 90 days

You can use Amazon Athena to view CloudTrail data events and management events stored in your Amazon S3 bucket.

For instructions, see How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs? and Creating the table for CloudTrail logs in Athena using manual partitioning.
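Whether you query the stored files with Athena or read them directly, telling the two event types apart in a delivered log file comes down to two record fields: eventCategory ("Management" or "Data") and, in older records, the boolean managementEvent. The following is an added example, not code from the original article or from AWS: it builds a CloudTrail-style log file in memory (gzip over a JSON document with a top-level "Records" array, the format CloudTrail delivers to S3), classifies each record, and lists the data-plane writes that a trail without data event logging would never have captured. The account ID, ARNs and records are constructed placeholders.

```python
"""Separate management events from data events in a delivered CloudTrail log.

Added example; not code from the original article or from AWS. The log file
is constructed in memory (account ID and ARNs are placeholders) so this runs
offline. Classification keys on eventCategory and falls back to the boolean
managementEvent for records that predate eventCategory.
"""
from __future__ import annotations

import gzip
import json
from collections import Counter

# Constructed records carrying only the fields the classifier needs; real
# records also have userIdentity, requestParameters, sourceIPAddress, etc.
SAMPLE_RECORDS = [
    {"eventTime": "2022-01-10T09:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "eventCategory": "Management",
     "managementEvent": True, "readOnly": False, "resources": []},
    {"eventTime": "2022-01-10T09:00:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "eventCategory": "Management",
     "managementEvent": True, "readOnly": False,
     "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::audit-logs-prod"}]},
    {"eventTime": "2022-01-10T09:00:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data",
     "managementEvent": False, "readOnly": True,
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::audit-logs-prod/a.gz"},
                   {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::audit-logs-prod"}]},
    {"eventTime": "2022-01-10T09:00:04Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "eventCategory": "Data",
     "managementEvent": False, "readOnly": False,
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::audit-logs-prod/a.gz"},
                   {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::audit-logs-prod"}]},
    # CloudTrail records a Lambda invocation with eventName "Invoke".
    {"eventTime": "2022-01-10T09:00:05Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "eventCategory": "Data",
     "managementEvent": False, "readOnly": False,
     "resources": [{"type": "AWS::Lambda::Function",
                    "ARN": "arn:aws:lambda:us-east-1:111122223333:function:ingest"}]},
    # Older-style record without eventCategory: classify via managementEvent.
    {"eventTime": "2022-01-10T09:00:06Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "PutItem", "managementEvent": False, "readOnly": False,
     "resources": [{"type": "AWS::DynamoDB::Table",
                    "ARN": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"}]},
]


def make_log_file(records: list[dict]) -> bytes:
    """Build a file the way CloudTrail delivers it: gzip over {"Records": [...]}."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def load_records(blob: bytes) -> list[dict]:
    """Accept a delivered (gzip) file or one that is already decompressed."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic number
        blob = gzip.decompress(blob)
    return json.loads(blob)["Records"]


def classify(record: dict) -> str:
    """Return "Management", "Data" or "Unknown" for one record."""
    category = record.get("eventCategory")
    if category in ("Management", "Data"):
        return category
    if "managementEvent" in record:
        return "Management" if record["managementEvent"] else "Data"
    return "Unknown"


def summarize(records: list[dict]) -> dict:
    """Count records per category and list data-plane writes (Data and not
    readOnly) with the first resource ARN on each record."""
    by_category = Counter(classify(r) for r in records)
    data_writes = []
    for r in records:
        if classify(r) == "Data" and not r.get("readOnly", False):
            arn = next((x["ARN"] for x in r.get("resources", []) if "ARN" in x), None)
            data_writes.append((r["eventName"], arn))
    return {"by_category": dict(by_category), "data_writes": data_writes}


if __name__ == "__main__":
    summary = summarize(load_records(make_log_file(SAMPLE_RECORDS)))
    print(summary["by_category"])
    for name, arn in summary["data_writes"]:
        print(f"data write: {name} on {arn}")
```

The same split is what you would express in Athena as a filter on the eventcategory column once the table exists; doing it in code first is a quick way to confirm that data events are actually arriving in the bucket after you turn them on.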