Why aren't Amazon S3 object-level API actions appearing in my CloudTrail Event history?

Last updated: 2022-03-03

I activated AWS CloudTrail object-level event logging for an Amazon Simple Storage Service (Amazon S3) bucket. Why aren't Amazon S3 object-level API actions appearing in my CloudTrail Event history?

Short description

Amazon S3 object-level API actions are CloudTrail data events. By default, trails don't log data events, and data events aren't viewable in CloudTrail Event history.

To view Amazon S3 object-level API actions after you've activated data event logging, you must query your CloudTrail logs.

To query CloudTrail logs for object-level API actions, you can use either of the following AWS services and features: Amazon CloudWatch Logs filter patterns or Amazon Athena queries.

For more information, see Logging Amazon S3 API calls using AWS CloudTrail.

Note: If you have other data sources configured for the same S3 bucket as your trail, then the logs are combined with CloudTrail events.

Resolution

To use CloudWatch Logs filter patterns to view object-level API actions

Follow the instructions in Search log data using filter patterns.

Example CloudWatch Logs filter syntax for the DeleteBucket API action

{$.eventName = "DeleteBucket"}

To use Athena queries to view object-level API actions

Note: To use Athena to query CloudTrail logs, you must have a trail configured to log to an Amazon S3 bucket. You can use Athena to query CloudTrail logs over the last 90 days.

Follow the instructions in How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?

Example query for the GetBucketAcl API action

Note: Replace example-cloudtrail-log with the name of the Athena table that you created for your CloudTrail logs.

SELECT *
FROM "example-cloudtrail-log"   -- quote the table name when it contains hyphens
WHERE eventname = 'GetBucketAcl';
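Both the CloudWatch Logs filter pattern and the Athena query above select records by eventName. To show what those records look like and which fields identify an object-level call, here is an added Python example that is not part of the AWS article: it applies the same eventName filter to a constructed CloudTrail log file offline, then separates S3 data events (object-level calls such as GetObject, PutObject and DeleteObject) from bucket-level management events such as GetBucketAcl, using the eventCategory and managementEvent fields with a fallback to the resource type for older record versions that lack them. The record contents, account id, bucket name, keys and ARNs are all constructed for this example.

```python
"""Filter S3 object-level (data) events out of a CloudTrail log file offline."""
import json

# Constructed sample log file in the shape CloudTrail delivers to S3
# ({"Records": [...]}). Account id, ARNs, bucket and keys are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2022-03-01T10:00:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventCategory": "Data", "managementEvent": False, "readOnly": True,
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
     "resources": [{"type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::example-bucket/reports/q1.csv"}]},
    {"eventVersion": "1.08", "eventTime": "2022-03-01T10:05:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "eventCategory": "Data", "managementEvent": False, "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/uploader/session1"},
     "requestParameters": {"bucketName": "example-bucket", "key": "uploads/new.bin"},
     "resources": [{"type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::example-bucket/uploads/new.bin"}]},
    {"eventVersion": "1.08", "eventTime": "2022-03-01T10:10:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "eventCategory": "Management", "managementEvent": True, "readOnly": True,
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-bucket"}},
    # Older record version: no eventCategory, managementEvent or readOnly fields.
    {"eventVersion": "1.05", "eventTime": "2022-03-01T10:15:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
     "resources": [{"type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::example-bucket/reports/q1.csv"}]},
    {"eventVersion": "1.08", "eventTime": "2022-03-01T10:20:00Z",
     "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "eventCategory": "Management", "managementEvent": True, "readOnly": True,
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
]})


def load_records(log_text):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(log_text).get("Records", [])


def match_event_name(records, event_name):
    """Equivalent of the CloudWatch Logs filter pattern {$.eventName = "<name>"}."""
    return [r for r in records if r.get("eventName") == event_name]


def is_s3_object_event(record):
    """True for S3 data events, i.e. object-level API calls.

    Newer records state it directly via eventCategory / managementEvent; older
    record versions lack those fields, so fall back to the logged resource type.
    """
    if record.get("eventSource") != "s3.amazonaws.com":
        return False
    if "eventCategory" in record:
        return record["eventCategory"] == "Data"
    if "managementEvent" in record:
        return record["managementEvent"] is False
    return any(res.get("type") == "AWS::S3::Object"
               for res in record.get("resources", []))


def summarize_s3_object_events(records):
    """Reduce each S3 object-level event to the fields an investigator needs."""
    rows = []
    for r in records:
        if not is_s3_object_event(r):
            continue
        params = r.get("requestParameters") or {}
        rows.append({
            "time": r.get("eventTime"),
            "action": r.get("eventName"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "principal": r.get("userIdentity", {}).get("arn"),
            # readOnly is absent on older records; treat unknown as a write.
            "write": not r.get("readOnly", False),
        })
    return rows


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("GetBucketAcl matches:", len(match_event_name(recs, "GetBucketAcl")))
    for row in summarize_s3_object_events(recs):
        print(row)
```

Run against a real log file downloaded from the trail's S3 bucket, the same functions apply unchanged; note that GetBucketAcl and DeleteBucket are bucket-level management events, so the filter from the article finds them in Event history as well, while only the data events this code separates out require data event logging to be enabled.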