I need to review actions that have occurred to my AWS account, such as console logins or terminating an instance.

AWS CloudTrail enables you to view and track API calls made to your account.

CloudTrail data can be accessed with the AWS Management Console, the AWS CLI, Windows PowerShell, and directly through APIs.

API activity history in the Amazon CloudWatch console

In the API activity history pane of the Amazon CloudWatch console, you can view operations that change the state of a resource (create, modify, or delete) from the last 7 days, such as creating an IAM user or terminating an EC2 instance, plus console logins. Static API actions and activity older than 7 days are not displayed, but these are available in the configured CloudTrail S3 bucket. This option is available after creating a trail in the AWS CloudTrail console.

CloudWatch Logs

With CloudWatch Logs, you can search for operations that change the state of a resource, such as StopInstances, as well as operations that do not, such as DescribeInstances. For information about how to set up and configure CloudWatch Logs, see Sending CloudTrail Events to CloudWatch Logs. After you have configured the logs, navigate to the Amazon CloudWatch console, choose Logs in the left navigation pane, and then select the name of the configured log group (the default name is CloudTrail/DefaultLogGroup). Keep these things in mind:

  • You must explicitly configure CloudTrail to send logs to CloudWatch Logs, even if the trail is already enabled.
  • There can be multiple log streams, depending on the size and volume of events. To search across all streams, choose the Search Log Group button before selecting an individual stream.
  • Because CloudWatch Logs has an event size limitation of 256 KB, CloudTrail does not send events larger than 256 KB to CloudWatch Logs.

S3 archived log files

You can see all events captured by CloudTrail in the Amazon S3 log files. You can manually parse the log files from the S3 bucket by using the CloudTrail Processing Library or the AWS CLI, or you can send the logs to an AWS CloudTrail Partner.
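
The manual parsing described above, as an added example that is not AWS code: it reads one gzipped CloudTrail log file, drops read-only calls, and lists console logins and state-changing calls in time order. The function names, the name-prefix fallback used when a record has no readOnly field, and the sample records are assumptions constructed for this example.

```python
import gzip
import json

READ_PREFIXES = ("Describe", "Get", "List")  # assumption: fallback when "readOnly" is absent

def load_records(blob):
    """Decompress one CloudTrail log object (gzipped JSON) and return its Records."""
    return json.loads(gzip.decompress(blob)).get("Records", [])

def is_read_only(rec):
    """Prefer the record's own readOnly flag; fall back to the event-name prefix."""
    if "readOnly" in rec:
        return str(rec["readOnly"]).lower() == "true"
    return rec.get("eventName", "").startswith(READ_PREFIXES)

def review(records):
    """Return (time, actor, event, detail) for console logins and state-changing calls."""
    rows = []
    for rec in records:
        ident = rec.get("userIdentity") or {}
        actor = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        name = rec.get("eventName", "")
        if name == "ConsoleLogin":
            outcome = (rec.get("responseElements") or {}).get("ConsoleLogin", "unknown")
            mfa = (rec.get("additionalEventData") or {}).get("MFAUsed", "unknown")
            detail = f"{outcome}, MFA={mfa}, ip={rec.get('sourceIPAddress')}"
        elif not is_read_only(rec):
            detail = rec.get("errorCode", "ok")  # errorCode is present only on failed calls
        else:
            continue  # read-only call such as DescribeInstances
        rows.append((rec.get("eventTime", ""), actor, name, detail))
    return sorted(rows)  # ISO 8601 UTC timestamps sort chronologically as strings

# Constructed sample log file; every value is made up for this example.
SAMPLE = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2016-09-27T10:05:02Z", "eventName": "TerminateInstances", "readOnly": False,
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2016-09-27T10:03:40Z", "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2016-09-27T10:01:12Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-09-27T10:04:00Z", "eventName": "ListUsers", "userIdentity": {"userName": "bob"}},
    {"eventTime": "2016-09-27T10:09:55Z", "eventName": "CreateUser", "errorCode": "AccessDenied",
     "userIdentity": {"userName": "bob"}, "responseElements": None},
]}).encode())

if __name__ == "__main__":
    for row in review(load_records(SAMPLE)):
        print(*row, sep="  ")
```

To use it on real data, pass load_records the bytes of a log object downloaded from the trail's S3 bucket.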

Note: As an alternative to searching for events in the CloudWatch console, you can use the AWS CLI command filter-log-events. You can also use metric filters to search for and match terms, phrases, or values in your log events.

Published: 2016-09-27

Updated: 2016-10-11