How do I use CloudTrail to review what API calls and actions have occurred in my AWS account?

Last updated: 2022-01-11

How do I review actions that occurred in my AWS account, such as console logins or terminating an instance?

Short description

You can use AWS CloudTrail data to view and track API calls made to your account using the following:

Note: Not all AWS services have logs recorded and available with CloudTrail. For a list of AWS services integrated with CloudTrail, see AWS service topics for CloudTrail.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

CloudTrail Event history

Reviewing CloudTrail Event history using the CloudTrail console

You can view all supported services and integrations and event types (create, modify, delete, and non-mutable activities) from the past 90 days. You don't need to set up a trail to use CloudTrail Event history.

For instructions, see Viewing CloudTrail events in the CloudTrail console.

Reviewing CloudTrail Event history using the AWS CLI

Note: To search for events using the AWS CLI, you must have a trail created and configured to log to CloudWatch Logs. For more information, see Creating a trail. Also, Sending events to CloudWatch Logs.

Use the filter-log-events command to apply metric filters to search for specific terms, phrases, and values in your log events. Then, you can transform them into CloudWatch metrics and alarms.

For more information, see Filter and pattern syntax.

Note: To use the filter-log-events command at scale (for example, automation or a script), it's a best practice to use CloudWatch Logs subscription filters. This is because the filter-log-events API action has API limits. Subscription filters have no such limits. Subscription filters also provide the ability to process large amounts of log data in real time. For more information, see CloudWatch Logs quotas.

CloudTrail Lake

CloudTrail Lake allows you to aggregate, immutably store, and run SQL-based queries on your events. You can store even data in CloudTrail Lake for up to seven years, or 2,555 days.

For more information, see Working with AWS CloudTrail Lake.

Amazon CloudWatch Logs

Note: To use CloudWatch Logs, you must have a trail created and configured to log to CloudWatch Logs. For more information, see Creating a trail. Also, Sending events to CloudWatch Logs.

You can use CloudWatch Logs to search for operations that change the state of a resource (for example, StopInstances). You can also use CloudWatch Logs to search for operations that don't change the state of a resource (for example, DescribeInstances). For instructions, see View log data sent to CloudWatch Logs.

Keep in mind the following:

Amazon Athena queries

You can use Amazon Athena to view CloudTrail data events and management events stored in your Amazon S3 bucket.

For more information, see How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs? Also, Creating the table for CloudTrail logs in Athena using manual partitioning.

Amazon S3 archived log files

Note: To view Amazon S3 archived log files, you must have a trail created and configured to log to an S3 bucket. For more information, see Creating a trail.

You can see all events captured by CloudTrail in the Amazon S3 log files. You can also manually parse the log files from the S3 bucket Using the CloudTrail Processing Library, the AWS CLI, or send logs to AWS CloudTrail partners.

For instructions, see Amazon S3 CloudTrail events.

Note: You must have a trail activated to log to an S3 bucket.