How can I use CloudTrail to review what API calls and actions have occurred in my AWS account?
Last updated: 2019-08-23
How do I review actions that occurred to my AWS account, such as console logins or terminating an instance?
You can use AWS CloudTrail data to view and track API calls made to your account using:
- Event history in the CloudTrail console.
- Amazon CloudWatch Logs.
- Amazon Athena queries.
- Amazon Simple Storage Service (Amazon S3) archived log files.
Note: Not all AWS services have logs recorded and available with CloudTrail. For a list of AWS services integrated with CloudTrail, see AWS Service Topics for CloudTrail.
Event history in the CloudTrail console
You can view all supported services and integrations and event types (create, modify, delete, and non-mutable activities) from the past 90 days. You don't need to set up a trail to use event history. For instructions, see Viewing CloudTrail Events in the CloudTrail Console.
As an alternative to searching for events in the CloudWatch console, you can use the AWS Command Line Interface (AWS CLI) command filter-log-events. You can also use metric filters to search for and match terms, phrases, values in your log events. Then, you can transform them into CloudWatch metrics and alarms. For more information, see Filter and Pattern Syntax.
Note: If you are using the AWS CLI and are planning to use filter-log-events on a large scale (for example, automation or a script), it's a best practice to use CloudWatch Logs subscription filters. This is because filter-log-events has API limits. Subscription filters have no such limits, and subscription filters provide the ability to process large amounts of log data in real time. For more information about filter-log-events and its limitations, see CloudWatch Logs Limits.
Amazon CloudWatch Logs
With CloudWatch Logs, you can search for operations that change the state of a resource, such as StopInstances, as well as operations that don't, such as DescribeInstances. These instructions assume that you already created a trail and configured it to send events to CloudWatch Logs.
Consider the following:
- You must explicitly configure CloudTrail to send events to CloudWatch Logs, even if you already created a trail.
- This method works for future events—you can't review activity from before the logs were configured.
- There can be multiple log streams, depending on the size and volume of events. To search across all streams, choose Search Log Group before selecting an individual stream.
- Because CloudWatch Logs has an event size limitation of 256 KB, CloudTrail doesn't send events larger than 256 KB to CloudWatch Logs.
For instructions, see View Log Data Sent to CloudWatch Logs.
You can search through a large collection of CloudTrail logs using Athena to run a query. For more information, see How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?
Amazon S3 archived log files
You can see all events captured by CloudTrail in the Amazon S3 log files. You can also manually parse the log files from the S3 bucket Using the CloudTrail Processing Library, the AWS CLI, or send logs to AWS CloudTrail partners.
Note: You must have a trail enabled to log to an S3 bucket.