How can I use CloudTrail to review what API calls and actions have occurred in my AWS account?
Last updated: 2018-08-30
How do I review actions that have occurred to my AWS account, such as console logins or terminating an instance?
AWS CloudTrail enables you to view and track API calls made to your account.
Note: Not all AWS services have logs recorded and available with CloudTrail. For a list of AWS services integrated with CloudTrail, see AWS Service Topics for CloudTrail.
Event history in the AWS CloudTrail console
In the Event history section of the AWS CloudTrail console, you can view all supported management events and event types (create, modify, delete, and non-mutable activities) from the past 90 days. For more, see Viewing Events with CloudTrail Event History.
Amazon CloudWatch Logs
With CloudWatch Logs, you can search for operations that change the state of a resource, such as StopInstances, as well as operations that do not, such as DescribeInstances. For information about how to set up and configure CloudWatch Logs, see Sending CloudTrail Events to CloudWatch Logs.
Consider the following:
- You must explicitly configure CloudTrail to send logs to CloudWatch Logs, even if the trail is already enabled.
- There can be multiple log streams, depending on the size and volume of events. To search across all streams, choose Search Log Group before selecting an individual stream.
- Because CloudWatch Logs has an event size limitation of 256 KB, CloudTrail does not send events larger than 256 KB to CloudWatch Logs.
After you configure CloudWatch Logs, perform these steps:
- Navigate to the Amazon CloudWatch console.
- Choose Logs in the navigation pane, and then select the name of the configured log group (the default name is CloudTrail/DefaultLogGroup).
You can search through a large collection of CloudTrail logs using Athena to run a query. For more information, see How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?
Amazon Simple Storage Service (Amazon S3) archived log files
You can see all events captured by CloudTrail in the Amazon S3 log files. You can manually parse the log files from the S3 bucket by using the CloudTrail Processing Library, the AWS CLI, or send logs to an AWS CloudTrail Partner.
As an alternative to searching for events in the CloudWatch console, you can use the AWS CLI command filter-log-events. You can also use metric filters to search for and match terms, phrases, and values in your log events, and transform the terms, phrases, and values into CloudWatch metrics and alarms. For more information, see Filter and Pattern Syntax.
Note: If you are using AWS CLI and are planning to use filter-log-events on a large scale (for example, automation or a script), consider using subscription filters, because filter-log-events has API limits. For more information about filter-log-events and its limitations, see CloudWatch Logs Limits. Subscription filters have no such limitation, and they provide the ability to process large amounts of log data in real time.