Logging Amazon Account Management API calls using Amazon CloudTrail
The Amazon Account Management APIs are integrated with Amazon CloudTrail, a service that provides a record of actions taken by a user, role, or an Amazon service that calls an Account Management operation. CloudTrail captures all Account Management API calls as events. The calls captured include all calls to the Account Management operations. If you create a trail, you can turn on continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Account Management operations. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can determine the request that called an Account Management operation, the IP address used to make the request, who made the request and when, and additional details.
To learn more about CloudTrail, see the Amazon CloudTrail User Guide.
Account Management information in CloudTrail
CloudTrail is turned on in your Amazon Web Services account when you create the account. When activity occurs with an Account Management operation, CloudTrail records that activity in a CloudTrail event along with other Amazon service events in Event history. You can view, search, and download recent events in your Amazon Web Services account. For more information, see Viewing Events with CloudTrail Event History.
For an ongoing record of events in your Amazon Web Services account, including events for Account Management operations, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the Amazon Web Services Management Console, the trail applies to all Amazon Web Services Regions. The trail logs events from all Regions in the Amazon partition and delivers the log files to the Amazon S3 bucket that you specify. You can configure other Amazon services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:
Amazon CloudTrail logs all Account Management API operations found in the API
Reference section of this guide. For example, calls to the
CreateAccount, DeleteAlternateContact, and
PutAlternateContact operations generate entries in the CloudTrail log
files.
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
-
Whether the request was made with root user or Amazon Identity and Access Management (IAM) user credentials
-
Whether the request was made with temporary security credentials for an IAM role or federated user
-
Whether the request was made by another Amazon service
For more information, see the CloudTrail userIdentity element.
Understanding the Account Management log entries
A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested operation, the date and time of the operation, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.
Example 1: The following example shows a CloudTrail log
entry for a call to the GetAlternateContact operation to retrieve the
current OPERATIONS alternate contact for an account. The values returned by
the operation aren't included in the logged information.
Example 1
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AROA1234567890EXAMPLE:AccountAPITests", "arn":"arn:aws-cn:sts::123456789012:assumed-role/ServiceTestRole/AccountAPITests", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROA1234567890EXAMPLE", "arn": "arn:aws-cn:iam::123456789012:role/ServiceTestRole", "accountId": "123456789012", "userName": "ServiceTestRole" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-04-30T19:25:53Z" } } }, "eventTime": "2021-04-30T19:26:15Z", "eventSource": "account.amazonaws.com", "eventName": "GetAlternateContact", "awsRegion": "us-east-1", "sourceIPAddress": "10.24.34.250", "userAgent": "Mozilla/5.0", "requestParameters": { "alternateContactType": "SECURITY" }, "responseElements": null, "requestID": "1a2b3c4d-5e6f-1234-abcd-111111111111", "eventID": "1a2b3c4d-5e6f-1234-abcd-222222222222", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "123456789012" }
Example 2: The following example shows a CloudTrail log
entry for a call to the PutAlternateContact operation to add a new
BILLING alternate contact to an account.
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AROA1234567890EXAMPLE:AccountAPITests", "arn": "arn:aws-cn:sts::123456789012:assumed-role/ServiceTestRole/AccountAPITests", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROA1234567890EXAMPLE", "arn": "arn:aws-cn:iam::123456789012:role/ServiceTestRole", "accountId": "123456789012", "userName": "ServiceTestRole" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-04-30T18:33:00Z" } } }, "eventTime": "2021-04-30T18:33:08Z", "eventSource": "account.amazonaws.com", "eventName": "PutAlternateContact", "awsRegion": "us-east-1", "sourceIPAddress": "10.24.34.250", "userAgent": "Mozilla/5.0", "requestParameters": { "name": "*Alejandro Rosalez*", "emailAddress": "alrosalez@example.com", "title": "CFO", "alternateContactType": "BILLING" }, "responseElements": null, "requestID": "1a2b3c4d-5e6f-1234-abcd-333333333333", "eventID": "1a2b3c4d-5e6f-1234-abcd-444444444444", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "123456789012" }
Example 3: The following example shows a CloudTrail log
entry for a call to the DeleteAlternateContact operation to delete the
current OPERATIONS alternate contact.
{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AROA1234567890EXAMPLE:AccountAPITests", "arn":"arn:aws-cn:sts::123456789012:assumed-role/ServiceTestRole/AccountAPITests", "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROA1234567890EXAMPLE", "arn": "arn:aws-cn:iam::123456789012:role/ServiceTestRole", "accountId": "123456789012", "userName": "ServiceTestRole" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2021-04-30T18:33:00Z" } } }, "eventTime": "2021-04-30T18:33:16Z", "eventSource": "account.amazonaws.com", "eventName": "DeleteAlternateContact", "awsRegion": "us-east-1", "sourceIPAddress": "10.24.34.250", "userAgent": "Mozilla/5.0", "requestParameters": { "alternateContactType": "OPERATIONS" }, "responseElements": null, "requestID": "1a2b3c4d-5e6f-1234-abcd-555555555555", "eventID": "1a2b3c4d-5e6f-1234-abcd-666666666666", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "123456789012" }