Query Amazon CloudTrail logs - Amazon Athena
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Query Amazon CloudTrail logs

Amazon CloudTrail is a service that records Amazon API calls and events for Amazon Web Services accounts.

CloudTrail logs include details about any API calls made to your Amazon Web Services services, including calls made from the console. CloudTrail generates encrypted log files and stores them in Amazon S3. For more information, see the Amazon CloudTrail User Guide.

Note

If you want to perform SQL queries on CloudTrail event information across accounts, regions, and dates, consider using CloudTrail Lake. CloudTrail Lake is an Amazon alternative to creating trails that aggregates information from an enterprise into a single, searchable event data store. Instead of using Amazon S3 bucket storage, it stores events in a data lake, which allows richer, faster queries. You can use it to create SQL queries that search events across organizations, regions, and within custom time ranges. Because you perform CloudTrail Lake queries within the CloudTrail console itself, using CloudTrail Lake does not require Athena. For more information, see the CloudTrail Lake documentation.

Using Athena with CloudTrail logs is a powerful way to enhance your analysis of Amazon Web Services service activity. For example, you can use queries to identify trends and further isolate activity by attributes, such as source IP address or user.

A common application is to use CloudTrail logs to analyze operational activity for security and compliance. For a detailed example, see the Amazon Big Data Blog post, Analyze security, compliance, and operational activity using Amazon CloudTrail and Amazon Athena.

You can use Athena to query these log files directly from Amazon S3 by specifying the LOCATION of the log files. You can do this in one of two ways:

  • By creating tables for CloudTrail log files directly from the CloudTrail console.

  • By manually creating tables for CloudTrail log files in the Athena console.