What are the differences between data and management events in CloudTrail?
Last updated: 2020-06-11
I want to understand the differences between data and management events in AWS CloudTrail.
CloudTrail data events
CloudTrail data events are disabled by default. You can enable logging at an additional cost. Data events are also known as data plane operations and are often high-volume activities. Data events aren't viewable in CloudTrail event history and are charged for all copies at a reduced rate compared to management events. For instructions to log data events to an Amazon Simple Storage Service (Amazon S3) bucket, see Logging Data Events with the AWS Management Console.
Note: You must have a trail enabled to log to an S3 bucket.
CloudTrail management events
CloudTrail records management events for the last 90 days free of charge, and you can view them in the Event History in the CloudTrail console. For Amazon S3 delivery of CloudTrail events, the first copy delivered is free. Additional copies of management events are charged. Management events are also known as control plane operations. For more information, see Viewing Events with CloudTrail Event History.
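To confirm which kind of events a trail is actually delivering to S3, you can classify the records in a delivered log file. The following is an added example, not AWS-provided code: it reads the `eventCategory` and `managementEvent` fields of each record, and the sample log, bucket, function and account values are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in the shape of a CloudTrail log file delivered to S3
# (top-level "Records" array). All values are made up for illustration.
SAMPLE_LOG = json.loads("""
{"Records": [
  {"eventVersion": "1.07", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
   "readOnly": false, "managementEvent": true, "eventCategory": "Management"},
  {"eventVersion": "1.07", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "readOnly": true, "managementEvent": false, "eventCategory": "Data",
   "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/report.csv"}]},
  {"eventVersion": "1.06", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
   "managementEvent": false,
   "resources": [{"type": "AWS::Lambda::Function",
                  "ARN": "arn:aws:lambda:us-east-1:111122223333:function:example-fn"}]},
  {"eventVersion": "1.05", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser"}
]}
""")

def classify(record):
    """Return the event category of one CloudTrail record."""
    category = record.get("eventCategory")
    if category:                       # present in newer record versions
        return category
    flag = record.get("managementEvent")
    if flag is True:
        return "Management"
    if flag is False:
        # Assumption: a record without eventCategory that is explicitly
        # not a management event is treated as a data event.
        return "Data"
    return "Unknown"                   # older record with neither field

def summarize(log):
    """Count records per category and data events per resource type."""
    categories = Counter()
    data_resource_types = Counter()
    for record in log.get("Records", []):
        category = classify(record)
        categories[category] += 1
        if category == "Data":
            for resource in record.get("resources") or []:
                data_resource_types[resource.get("type", "unspecified")] += 1
    return categories, data_resource_types

if __name__ == "__main__":
    cats, types = summarize(SAMPLE_LOG)
    print(dict(cats), dict(types))
```

A log file with no "Data" records for a resource you expected to see means data event logging is not enabled for that resource on the trail.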
View CloudTrail data and management events beyond 90 days using Amazon Athena
You can use Athena to view CloudTrail data and management events beyond 90 days in log files stored in Amazon S3 buckets. For instructions, see How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?
For information on the additional costs associated with data and management events, see AWS CloudTrail pricing.
For a list of supported logging events, see CloudTrail Supported Services and Integrations.
To review CloudTrail event history and query event logs, see How can I use CloudTrail to review what API calls and actions have occurred in my AWS account?