CloudTrail concepts - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

CloudTrail concepts

This section summarizes basic concepts related to CloudTrail.

CloudTrail events

An event in CloudTrail is the record of an activity in an Amazon account. This activity can be an action taken by an IAM identity or by a service that CloudTrail can monitor. CloudTrail events provide a history of both API and non-API account activity made through the Amazon Web Services Management Console, Amazon SDKs, command line tools, and other Amazon services.

CloudTrail logs three types of events:

  • Management events

  • Data events

  • Insights events

All event types use the CloudTrail JSON log format.

By default, trails and event data stores log management events, but not data or Insights events.

For information about how Amazon services integrate with CloudTrail, see Amazon service topics for CloudTrail.

Management events

Management events provide information about management operations that are performed on resources in your Amazon account. These are also known as control plane operations.

Example management events include:

  • Configuring security (for example, Amazon Identity and Access Management AttachRolePolicy API operations).

  • Registering devices (for example, Amazon EC2 CreateDefaultVpc API operations).

  • Configuring rules for routing data (for example, Amazon EC2 CreateSubnet API operations).

  • Setting up logging (for example, Amazon CloudTrail CreateTrail API operations).

Management events can also include non-API events that occur in your account. For example, when a user signs in to your account, CloudTrail logs the ConsoleLogin event. For more information, see Non-API events captured by CloudTrail.

By default, CloudTrail trails and CloudTrail Lake event data stores log management events. For more information about logging management events, see Logging management events.

Data events

Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities.

Example data events include:

  • Amazon S3 object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations) on buckets and objects in buckets.

  • Amazon Lambda function execution activity (the Invoke API).

  • Amazon DynamoDB item-level API activity on tables (for example, PutItem, DeleteItem, and UpdateItem API operations).
The following table shows the data event types available for trails. The Data event type (console) column shows the appropriate selection in the console. The resources.type value column shows the resources.type value that you would specify to include data events of that type in your trail using the Amazon CLI or CloudTrail APIs.

For trails, you can use basic or advanced event selectors to log data events for Amazon S3 buckets and bucket objects, Lambda functions, and DynamoDB tables (shown in the first three rows of the table). You can use only advanced event selectors to log the data event types shown in the remaining rows.

Each entry below gives the Amazon service, its description, the Data event type (console) selection, and the resources.type value.

Amazon DynamoDB
  Description: Amazon DynamoDB item-level API activity on tables (for example, PutItem, DeleteItem, and UpdateItem API operations).
  Note: For tables with streams enabled, the resources field in the data event contains both AWS::DynamoDB::Stream and AWS::DynamoDB::Table. If you specify AWS::DynamoDB::Table for the resources.type, it will log both DynamoDB table and DynamoDB streams events by default. To exclude streams events, add a filter on the eventName field.
  Data event type (console): DynamoDB
  resources.type value: AWS::DynamoDB::Table

Amazon Lambda
  Description: Amazon Lambda function execution activity (the Invoke API).
  Data event type (console): Lambda
  resources.type value: AWS::Lambda::Function

Amazon S3
  Description: Amazon S3 object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations) on buckets and objects in buckets.
  Data event type (console): S3
  resources.type value: AWS::S3::Object

Amazon AppConfig
  Description: Amazon AppConfig API activity for configuration operations such as calls to StartConfigurationSession and GetLatestConfiguration.
  Data event type (console): Amazon AppConfig
  resources.type value: AWS::AppConfig::Configuration

Amazon B2B Data Interchange
  Description: B2B Data Interchange API activity for Transformer operations such as calls to GetTransformerJob and StartTransformerJob.
  Data event type (console): B2B Data Interchange
  resources.type value: AWS::B2BI::Transformer

Amazon Bedrock
  Description: Amazon Bedrock API activity on an agent alias.
  Data event type (console): Bedrock agent alias
  resources.type value: AWS::Bedrock::AgentAlias

Amazon Bedrock
  Description: Amazon Bedrock API activity on a knowledge base.
  Data event type (console): Bedrock knowledge base
  resources.type value: AWS::Bedrock::KnowledgeBase

Amazon CloudFront
  Description: CloudFront API activity on a KeyValueStore.
  Data event type (console): CloudFront KeyValueStore
  resources.type value: AWS::CloudFront::KeyValueStore

Amazon Cloud Map
  Description: Amazon Cloud Map API activity on a namespace.
  Data event type (console): Amazon Cloud Map namespace
  resources.type value: AWS::ServiceDiscovery::Namespace

Amazon Cloud Map
  Description: Amazon Cloud Map API activity on a service.
  Data event type (console): Amazon Cloud Map service
  resources.type value: AWS::ServiceDiscovery::Service

Amazon CloudTrail
  Description: CloudTrail PutAuditEvents activity on a CloudTrail Lake channel that is used to log events from outside Amazon.
  Data event type (console): CloudTrail
  resources.type value: AWS::CloudTrail::Channel

Amazon CodeWhisperer
  Description: Amazon CodeWhisperer API activity on a customization.
  Data event type (console): CodeWhisperer customization
  resources.type value: AWS::CodeWhisperer::Customization

Amazon CodeWhisperer
  Description: Amazon CodeWhisperer API activity on a profile.
  Data event type (console): CodeWhisperer
  resources.type value: AWS::CodeWhisperer::Profile

Amazon Cognito
  Description: Amazon Cognito API activity on Amazon Cognito identity pools.
  Data event type (console): Cognito Identity Pools
  resources.type value: AWS::Cognito::IdentityPool

Amazon DynamoDB
  Description: Amazon DynamoDB API activity on streams.
  Data event type (console): DynamoDB Streams
  resources.type value: AWS::DynamoDB::Stream

Amazon Elastic Block Store
  Description: Amazon Elastic Block Store (EBS) direct APIs, such as PutSnapshotBlock, GetSnapshotBlock, and ListChangedBlocks on Amazon EBS snapshots.
  Data event type (console): Amazon EBS direct APIs
  resources.type value: AWS::EC2::Snapshot

Amazon EMR
  Description: Amazon EMR API activity on a write-ahead log workspace.
  Data event type (console): EMR write-ahead log workspace
  resources.type value: AWS::EMRWAL::Workspace

Amazon FinSpace
  Description: Amazon FinSpace API activity on environments.
  Data event type (console): FinSpace
  resources.type value: AWS::FinSpace::Environment

Amazon Glue
  Description: Amazon Glue API activity on tables that were created by Lake Formation.
  Note: Amazon Glue data events for tables are currently supported only in the following regions:
    • US East (N. Virginia)
    • US East (Ohio)
    • US West (Oregon)
    • Europe (Ireland)
    • Asia Pacific (Tokyo) Region
  Data event type (console): Lake Formation
  resources.type value: AWS::Glue::Table

Amazon GuardDuty
  Description: Amazon GuardDuty API activity for a detector.
  Data event type (console): GuardDuty detector
  resources.type value: AWS::GuardDuty::Detector

Amazon HealthImaging
  Description: Amazon HealthImaging API activity on data stores.
  Data event type (console): Medical Imaging data store
  resources.type value: AWS::MedicalImaging::Datastore

Amazon IoT
  Description: Amazon IoT API activity on certificates.
  Data event type (console): IoT certificate
  resources.type value: AWS::IoT::Certificate

Amazon IoT
  Description: Amazon IoT API activity on things.
  Data event type (console): IoT thing
  resources.type value: AWS::IoT::Thing

Amazon IoT Greengrass Version 2
  Description: Greengrass API activity from a Greengrass core device on a component version.
  Note: Greengrass doesn't log access denied events.
  Data event type (console): IoT Greengrass component version
  resources.type value: AWS::GreengrassV2::ComponentVersion

Amazon IoT Greengrass Version 2
  Description: Greengrass API activity from a Greengrass core device on a deployment.
  Note: Greengrass doesn't log access denied events.
  Data event type (console): IoT Greengrass deployment
  resources.type value: AWS::GreengrassV2::Deployment

Amazon IoT SiteWise
  Description: IoT SiteWise API activity on assets.
  Data event type (console): IoT SiteWise asset
  resources.type value: AWS::IoTSiteWise::Asset

Amazon IoT SiteWise
  Description: IoT SiteWise API activity on time series.
  Data event type (console): IoT SiteWise time series
  resources.type value: AWS::IoTSiteWise::TimeSeries

Amazon IoT TwinMaker
  Description: IoT TwinMaker API activity on an entity.
  Data event type (console): IoT TwinMaker entity
  resources.type value: AWS::IoTTwinMaker::Entity

Amazon IoT TwinMaker
  Description: IoT TwinMaker API activity on a workspace.
  Data event type (console): IoT TwinMaker workspace
  resources.type value: AWS::IoTTwinMaker::Workspace

Amazon Kendra Intelligent Ranking
  Description: Amazon Kendra Intelligent Ranking API activity on rescore execution plans.
  Data event type (console): Kendra Ranking
  resources.type value: AWS::KendraRanking::ExecutionPlan

Amazon Keyspaces (for Apache Cassandra)
  Description: Amazon Keyspaces API activity on a table.
  Data event type (console): Cassandra table
  resources.type value: AWS::Cassandra::Table

Amazon Kinesis
  Description: Amazon Kinesis API activity on video streams, such as calls to GetMedia and PutMedia.
  Data event type (console): Kinesis video stream
  resources.type value: AWS::KinesisVideo::Stream

Amazon Managed Blockchain
  Description: Amazon Managed Blockchain API activity on a network.
  Data event type (console): Managed Blockchain network
  resources.type value: AWS::ManagedBlockchain::Network

Amazon Managed Blockchain
  Description: Amazon Managed Blockchain JSON-RPC calls on Ethereum nodes, such as eth_getBalance or eth_getBlockByNumber.
  Data event type (console): Managed Blockchain
  resources.type value: AWS::ManagedBlockchain::Node

Amazon Neptune Graph
  Description: Data API activities, for example queries, algorithms, or vector search, on a Neptune Graph.
  Data event type (console): Neptune Graph
  resources.type value: AWS::NeptuneGraph::Graph

Amazon Private CA
  Description: Amazon Private CA Connector for Active Directory API activity.
  Data event type (console): Amazon Private CA Connector for Active Directory
  resources.type value: AWS::PCAConnectorAD::Connector

Amazon Q Business
  Description: Amazon Q Business API activity on an application.
  Data event type (console): Amazon Q Business application
  resources.type value: AWS::QBusiness::Application

Amazon Q Business
  Description: Amazon Q Business API activity on a data source.
  Data event type (console): Amazon Q Business data source
  resources.type value: AWS::QBusiness::DataSource

Amazon Q Business
  Description: Amazon Q Business API activity on an index.
  Data event type (console): Amazon Q Business index
  resources.type value: AWS::QBusiness::Index

Amazon Q Business
  Description: Amazon Q Business API activity on a web experience.
  Data event type (console): Amazon Q Business web experience
  resources.type value: AWS::QBusiness::WebExperience

Amazon RDS
  Description: Amazon RDS API activity on a DB Cluster.
  Data event type (console): RDS Data API - DB Cluster
  resources.type value: AWS::RDS::DBCluster

Amazon S3
  Description: Amazon S3 API activity on access points.
  Data event type (console): S3 Access Point
  resources.type value: AWS::S3::AccessPoint

Amazon S3
  Description: Amazon S3 Object Lambda access points API activity, such as calls to CompleteMultipartUpload and GetObject.
  Data event type (console): S3 Object Lambda
  resources.type value: AWS::S3ObjectLambda::AccessPoint

Amazon S3 on Outposts
  Description: Amazon S3 on Outposts object-level API activity.
  Data event type (console): S3 Outposts
  resources.type value: AWS::S3Outposts::Object

Amazon SageMaker
  Description: Amazon SageMaker InvokeEndpointWithResponseStream activity on endpoints.
  Data event type (console): SageMaker endpoint
  resources.type value: AWS::SageMaker::Endpoint

Amazon SageMaker
  Description: Amazon SageMaker API activity on feature stores.
  Data event type (console): SageMaker feature store
  resources.type value: AWS::SageMaker::FeatureGroup

Amazon SageMaker
  Description: Amazon SageMaker API activity on experiment trial components.
  Data event type (console): SageMaker metrics experiment trial component
  resources.type value: AWS::SageMaker::ExperimentTrialComponent

Amazon SNS
  Description: Amazon SNS Publish API operations on platform endpoints.
  Data event type (console): SNS platform endpoint
  resources.type value: AWS::SNS::PlatformEndpoint

Amazon SNS
  Description: Amazon SNS Publish and PublishBatch API operations on topics.
  Data event type (console): SNS topic
  resources.type value: AWS::SNS::Topic

Amazon SQS
  Description: Amazon SQS API activity on messages.
  Data event type (console): SQS
  resources.type value: AWS::SQS::Queue

Amazon Supply Chain
  Description: Amazon Supply Chain API activity on an instance.
  Data event type (console): Supply Chain
  resources.type value: AWS::SCN::Instance

Amazon SWF
  Description: Amazon SWF API activity on domains.
  Data event type (console): SWF domain
  resources.type value: AWS::SWF::Domain

Amazon Systems Manager
  Description: Systems Manager API activity on control channels.
  Data event type (console): Systems Manager
  resources.type value: AWS::SSMMessages::ControlChannel

Amazon Systems Manager
  Description: Systems Manager API activity on managed nodes.
  Data event type (console): Systems Manager managed node
  resources.type value: AWS::SSM::ManagedNode

Amazon Timestream
  Description: Amazon Timestream Query API activity on databases.
  Data event type (console): Timestream database
  resources.type value: AWS::Timestream::Database

Amazon Timestream
  Description: Amazon Timestream Query API activity on tables.
  Data event type (console): Timestream table
  resources.type value: AWS::Timestream::Table

Amazon Verified Permissions
  Description: Amazon Verified Permissions API activity on a policy store.
  Data event type (console): Amazon Verified Permissions
  resources.type value: AWS::VerifiedPermissions::PolicyStore

Amazon WorkSpaces Thin Client
  Description: WorkSpaces Thin Client API activity on a Device.
  Data event type (console): Thin Client Device
  resources.type value: AWS::ThinClient::Device

Amazon WorkSpaces Thin Client
  Description: WorkSpaces Thin Client API activity on an Environment.
  Data event type (console): Thin Client Environment
  resources.type value: AWS::ThinClient::Environment

Amazon X-Ray
  Description: X-Ray API activity on traces.
  Data event type (console): X-Ray trace
  resources.type value: AWS::XRay::Trace

Data events are not logged by default when you create a trail or event data store. To record CloudTrail data events, you must explicitly add the supported resources or resource types for which you want to collect activity. For more information about logging data events, see Logging data events.

Additional charges apply for logging data events. For CloudTrail pricing, see Amazon CloudTrail Pricing.
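The following is an added example, not part of this documentation page or of the CloudTrail service code: it builds an advanced event selector that logs AWS::DynamoDB::Table data events and, as the note in the table above suggests, adds an eventName filter to leave out DynamoDB Streams events, then checks two constructed records against it with a simplified local matcher (an approximation for understanding the selector, not CloudTrail's own evaluation). The list of stream operation names and the sample ARNs are assumptions.

```python
# Assumption (not from the page): DynamoDB Streams operations that appear as
# eventName on stream events. Filtering them out keeps only table item activity.
DYNAMODB_STREAM_EVENT_NAMES = ["DescribeStream", "GetRecords",
                               "GetShardIterator", "ListStreams"]


def dynamodb_table_selector(exclude_streams: bool = True,
                            name: str = "DynamoDB table data events") -> dict:
    """Return one advanced event selector in the shape PutEventSelectors accepts.

    resources.type AWS::DynamoDB::Table also matches stream events on tables
    that have streams enabled, so an eventName filter is appended to drop them.
    """
    field_selectors = [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::DynamoDB::Table"]},
    ]
    if exclude_streams:
        field_selectors.append(
            {"Field": "eventName", "NotEquals": DYNAMODB_STREAM_EVENT_NAMES})
    return {"Name": name, "FieldSelectors": field_selectors}


def _event_values(event: dict, field: str) -> list:
    """Read a selector field from a CloudTrail record. The resources.* fields
    are list-valued because one record can reference several resources."""
    if field == "resources.type":
        return [r.get("type", "") for r in event.get("resources", [])]
    if field == "resources.ARN":
        return [r.get("ARN", "") for r in event.get("resources", [])]
    return [str(event.get(field, ""))]


def _holds(op: str, patterns: list, value: str) -> bool:
    """Evaluate one selector operator against one field value."""
    if op == "Equals":
        return value in patterns
    if op == "NotEquals":
        return value not in patterns
    if op == "StartsWith":
        return any(value.startswith(p) for p in patterns)
    if op == "NotStartsWith":
        return not any(value.startswith(p) for p in patterns)
    if op == "EndsWith":
        return any(value.endswith(p) for p in patterns)
    if op == "NotEndsWith":
        return not any(value.endswith(p) for p in patterns)
    raise ValueError(f"unsupported operator: {op}")


def matches(selector: dict, event: dict) -> bool:
    """Simplified local check (not CloudTrail's engine): every field selector
    must hold. For list-valued fields a positive operator needs one value to
    match, a negative operator needs every value to pass."""
    for fs in selector["FieldSelectors"]:
        values = _event_values(event, fs["Field"])
        for op, patterns in fs.items():
            if op == "Field":
                continue
            combine = all if op.startswith("Not") else any
            if not combine(_holds(op, patterns, v) for v in values):
                return False
    return True


def apply_to_trail(trail_name: str, selectors: list) -> dict:
    """Push the selectors to a trail with boto3 (needs credentials; not run here)."""
    import boto3  # imported lazily so the rest of the module runs offline
    return boto3.client("cloudtrail").put_event_selectors(
        TrailName=trail_name, AdvancedEventSelectors=selectors)


# Constructed sample records (shape only; account id and ARNs are placeholders).
PUT_ITEM_EVENT = {
    "eventCategory": "Data",
    "eventSource": "dynamodb.amazonaws.com",
    "eventName": "PutItem",
    "resources": [{"type": "AWS::DynamoDB::Table",
                   "ARN": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"}],
}
GET_RECORDS_EVENT = {
    "eventCategory": "Data",
    "eventSource": "streams.dynamodb.amazonaws.com",
    "eventName": "GetRecords",
    "resources": [
        {"type": "AWS::DynamoDB::Stream",
         "ARN": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders/stream/2024-01-01T00:00:00.000"},
        {"type": "AWS::DynamoDB::Table",
         "ARN": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"},
    ],
}

if __name__ == "__main__":
    selector = dynamodb_table_selector()
    print(matches(selector, PUT_ITEM_EVENT), matches(selector, GET_RECORDS_EVENT))
```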

Insights events

CloudTrail Insights events capture unusual API call rate or error rate activity in your Amazon account by analyzing CloudTrail management activity. Insights events provide relevant information, such as the associated API, error code, incident time, and statistics, that help you understand and act on unusual activity. Unlike other types of events captured in a CloudTrail trail or event data store, Insights events are logged only when CloudTrail detects API usage or error rates that differ significantly from the account's typical usage patterns.

Examples of activity that might generate Insights events include:

  • Your account typically logs no more than 20 Amazon S3 DeleteBucket API calls per minute, but your account starts to log an average of 100 DeleteBucket API calls per minute. An Insights event is logged at the start of the unusual activity, and another Insights event is logged to mark the end of the unusual activity.

  • Your account typically logs 20 calls per minute to the Amazon EC2 AuthorizeSecurityGroupIngress API, but your account starts to log zero calls to AuthorizeSecurityGroupIngress. An Insights event is logged at the start of the unusual activity, and ten minutes later, when the unusual activity ends, another Insights event is logged to mark the end of the unusual activity.

  • Your account typically logs less than one AccessDeniedException error in a seven-day period on the Amazon Identity and Access Management API, DeleteInstanceProfile. Your account starts to log an average of 12 AccessDeniedException errors per minute on the DeleteInstanceProfile API call. An Insights event is logged at the start of the unusual error rate activity, and another Insights event is logged to mark the end of the unusual activity.

These examples are provided for illustration purposes only. Your results may vary depending on your use case.

To log CloudTrail Insights events, you must explicitly enable Insights events on a new or existing trail or event data store. For more information about logging Insights events, see Logging Insights events.

Additional charges apply for Insights events. You will be charged separately if you enable Insights for both trails and event data stores. For more information, see Amazon CloudTrail Pricing.

Viewing Insights events for trails and event data stores

CloudTrail supports Insights events for both trails and event data stores; however, there are some differences in how you view and access Insights events.

Viewing Insights events for trails

If you have Insights events enabled on a trail, and CloudTrail detects unusual activity, Insights events are logged to a different folder or prefix in the destination S3 bucket for your trail. You can also see the type of insight and the incident time period when you view Insights events on the CloudTrail console. For more information, see Viewing CloudTrail Insights events for trails in the CloudTrail console.

Viewing Insights events for event data stores

To log Insights events in CloudTrail Lake, you need a destination event data store that logs Insights events and a source event data store that enables Insights and logs management events. For more information, see Create an event data store for CloudTrail Insights events with the console.

If you have CloudTrail Insights enabled on a source event data store and CloudTrail detects unusual activity, CloudTrail delivers Insights events to your destination event data store. You can then query your destination event data store to get information about your Insights events and can optionally save the query results to an S3 bucket. For more information, see Create or edit a query and View sample queries in the CloudTrail console.

You can view the Insights Events dashboard to visualize the Insights events in your destination event data store. For more information, see View CloudTrail Lake dashboards.

Event history

CloudTrail event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of CloudTrail management events in an Amazon Web Services Region. You can use this history to gain visibility into actions taken in your Amazon account in the Amazon Web Services Management Console, Amazon SDKs, command line tools, and other Amazon services. You can customize your view of event history in the CloudTrail console by selecting which columns are displayed. For more information, see Working with CloudTrail Event history.

Trails

A trail is a configuration that enables delivery of CloudTrail events to an S3 bucket, with optional delivery to CloudWatch Logs and Amazon EventBridge. You can use a trail to choose the CloudTrail events you want delivered, encrypt your CloudTrail event log files with an Amazon KMS key, and set up Amazon SNS notifications for log file delivery. For more information about how to create and manage a trail, see Creating a trail for your Amazon Web Services account.

Multi-Region and single-Region trails

You can create two types of trails for an Amazon Web Services account: multi-Region trails and single-Region trails.

Multi-Region trails

When you create a multi-Region trail, CloudTrail records events in all Amazon Web Services Regions in the Amazon partition in which you are working and delivers the CloudTrail event log files to an S3 bucket that you specify. If an Amazon Web Services Region is added after you create a multi-Region trail, that new Region is automatically included, and events in that Region are logged. Creating a multi-Region trail is a recommended best practice since you capture activity in all Regions in your account. All trails you create using the CloudTrail console are multi-Region. You can convert a single-Region trail to a multi-Region trail by using the Amazon CLI. For more information, see Creating a trail in the console and Converting a trail that applies to one Region to apply to all Regions.

Single-Region trails

When you create a single-Region trail, CloudTrail records the events in that Region only. It then delivers the CloudTrail event log files to an Amazon S3 bucket that you specify. You can only create a single-Region trail by using the Amazon CLI. If you create additional single-Region trails, you can have those trails deliver CloudTrail event log files to the same S3 bucket or to separate buckets. This is the default option when you create a trail using the Amazon CLI or the CloudTrail API. For more information, see Creating, updating, and managing trails with the Amazon Command Line Interface.

Note

For both types of trails, you can specify an Amazon S3 bucket from any Region.

A multi-Region trail has the following advantages:

  • The configuration settings for the trail apply consistently across all Amazon Web Services Regions.

  • You receive CloudTrail events from all Amazon Web Services Regions in a single Amazon S3 bucket and, optionally, in a CloudWatch Logs log group.

  • You manage trail configuration for all Amazon Web Services Regions from one location.

When you apply a trail to all Amazon Regions, CloudTrail uses the trail that you create in a particular Region to create trails with identical configurations in all other Regions in the Amazon partition in which you are working.

This has the following effects:

  • CloudTrail delivers log files for account activity from all Amazon Regions to the single Amazon S3 bucket that you specify, and, optionally, to a CloudWatch Logs log group.

  • If you configured an Amazon SNS topic for the trail, SNS notifications about log file deliveries in all Amazon Regions are sent to that single SNS topic.

Regardless of whether a trail is multi-Region or single-Region, events sent to Amazon EventBridge are received in each Region's event bus, rather than in one single event bus.

Multiple trails per Region

If you have different but related user groups, such as developers, security personnel, and IT auditors, you can create multiple trails per Region. This allows each group to receive its own copy of the log files.

CloudTrail supports five trails per Region. A multi-Region trail counts as one trail per Region.

The following is an example of a Region with five trails:

  • You create two trails in the US West (N. California) Region that apply to this Region only.

  • You create two more multi-Region trails in the US West (N. California) Region.

  • You create another multi-Region trail in the Asia Pacific (Sydney) Region. This trail also exists as a trail in the US West (N. California) Region.

You can view a list of trails in an Amazon Web Services Region in the Trails page of the CloudTrail console. For more information, see Updating a trail. For CloudTrail pricing, see Amazon CloudTrail Pricing.

Organization trails

An organization trail is a configuration that enables delivery of CloudTrail events in the management account and all member accounts in an Amazon Organizations organization to the same Amazon S3 bucket, CloudWatch Logs, and Amazon EventBridge. Creating an organization trail helps you define a uniform event logging strategy for your organization.

All organization trails created using the console are multi-Region organization trails that log events from the enabled Amazon Web Services Regions in each member account in the organization. To log events in all Amazon partitions in your organization, create a multi-Region organization trail in each partition. You can create either a single-Region or multi-Region organization trail by using the Amazon CLI. If you create a single-Region trail, you log activity only in the trail's Amazon Web Services Region (also referred to as the Home Region).

Although most Amazon Web Services Regions are enabled by default for your Amazon Web Services account, you must manually enable certain Regions (also referred to as opt-in Regions). For information about which Regions are enabled by default, see Considerations before enabling and disabling Regions in the Amazon Account Management Reference Guide. For the list of Regions CloudTrail supports, see CloudTrail supported Regions.

When you create an organization trail, a copy of the trail with the name that you give it is created in the member accounts that belong to your organization.

  • If the organization trail is single-Region and the trail's home Region is not an opt-in Region, a copy of the trail is created in the organization trail's home Region in each member account.

  • If the organization trail is single-Region and the trail's home Region is an opt-in Region, a copy of the trail is created in the organization trail's home Region in the member accounts that have enabled that Region.

  • If the organization trail is multi-Region and the trail's home Region is not an opt-in Region, a copy of the trail is created in each enabled Amazon Web Services Region in each member account. When a member account enables an opt-in Region, a copy of the multi-Region trail is created in the newly opted in Region for the member account after activation of that Region is complete.

  • If the organization trail is multi-Region and the home Region is an opt-in Region, member accounts will not send activity to the organization trail unless they opt into the Amazon Web Services Region where the multi-Region trail was created. For example, if you create a multi-Region trail and choose the Europe (Spain) Region as the home Region for the trail, only member accounts that enabled the Europe (Spain) Region for their account will send their account activity to the organization trail.
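The following is an added example, not part of this documentation page: it encodes the four placement rules above as a function that reports, for a constructed organization, in which Regions each member account receives a copy of an organization trail, and which members send no activity at all. The Region sets, account ids, and the assumption that a member that has enabled an opt-in home Region is then covered in all of its enabled Regions are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OrganizationTrail:
    name: str
    home_region: str
    multi_region: bool


@dataclass(frozen=True)
class MemberAccount:
    account_id: str
    opted_in_regions: frozenset  # opt-in Regions this member has enabled


# Constructed sample partition: a few default-enabled Regions plus opt-in
# Regions. Europe (Spain), eu-south-2, is the page's own opt-in example;
# the rest are sample values for this illustration.
DEFAULT_REGIONS = frozenset({"us-east-1", "us-west-2", "eu-west-1"})
OPT_IN_REGIONS = frozenset({"eu-south-2", "ap-east-1"})


def enabled_regions(member: MemberAccount) -> frozenset:
    """Regions active in a member account: defaults plus its enabled opt-ins."""
    return DEFAULT_REGIONS | (member.opted_in_regions & OPT_IN_REGIONS)


def trail_copies(trail: OrganizationTrail, member: MemberAccount) -> frozenset:
    """Regions in `member` that get a copy of `trail`, per the four rules."""
    enabled = enabled_regions(member)
    home_opt_in = trail.home_region in OPT_IN_REGIONS
    if not trail.multi_region:
        # Single-Region: the home Region only, and for an opt-in home Region
        # only in members that have enabled it.
        if home_opt_in and trail.home_region not in enabled:
            return frozenset()
        return frozenset({trail.home_region})
    if home_opt_in and trail.home_region not in enabled:
        # Multi-Region with an opt-in home Region: nothing until the member
        # opts into that Region.
        return frozenset()
    # Multi-Region: every enabled Region in the member account. Assumption:
    # once a member has enabled an opt-in home Region, the same rule applies.
    return enabled


def coverage(trail: OrganizationTrail, members: list) -> dict:
    """Map each member account id to the Regions where the trail copy exists."""
    return {m.account_id: trail_copies(trail, m) for m in members}


def uncovered(trail: OrganizationTrail, members: list) -> list:
    """Member accounts that send no activity at all to this organization trail."""
    return [m.account_id for m in members if not trail_copies(trail, m)]


if __name__ == "__main__":
    # Constructed members: one with only default Regions, one that enabled Spain.
    members = [MemberAccount("111111111111", frozenset()),
               MemberAccount("222222222222", frozenset({"eu-south-2"}))]
    trail = OrganizationTrail("org-multi-spain", "eu-south-2", True)
    for account, regions in coverage(trail, members).items():
        print(account, sorted(regions))
    print("no coverage:", uncovered(trail, members))
```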

Note

CloudTrail creates organization trails in member accounts even if a resource validation fails. Examples of validation failures include:

  • an incorrect Amazon S3 bucket policy

  • an incorrect Amazon SNS topic policy

  • inability to deliver to a CloudWatch Logs log group

  • insufficient permission to encrypt using a KMS key

A member account with CloudTrail permissions can see any validation failures for an organization trail by viewing the trail's details page on the CloudTrail console, or by running the Amazon CLI get-trail-status command.

Users with CloudTrail permissions in member accounts will be able to see organization trails (including the trail ARN) when they log into the Amazon CloudTrail console from their Amazon accounts, or when they run Amazon CLI commands such as describe-trails (although member accounts must use the ARN for the organization trail, and not the name, when using the Amazon CLI). However, users in member accounts will not have sufficient permissions to delete organization trails, turn logging on or off, change what types of events are logged, or otherwise alter organization trails in any way. For more information about Amazon Organizations, see Organizations Terminology and Concepts. For more information about creating and working with organization trails, see Creating a trail for an organization.

CloudTrail Insights

CloudTrail Insights helps Amazon users identify and respond to unusual volumes of API calls or errors logged on API calls by continuously analyzing CloudTrail management events. An Insights event is a record of unusual levels of write management API activity, or unusual levels of errors returned on management API activity. By default, trails and event data stores don't log CloudTrail Insights events. In the console, you can choose to log Insights events when you create or update a trail or event data store. When you use the CloudTrail API, you can log Insights events by editing the settings of an existing trail or event data store with the PutInsightSelectors API. Additional charges apply for logging CloudTrail Insights events. You will be charged separately if you enable Insights for both trails and event data stores. For more information, see Logging Insights events and Amazon CloudTrail Pricing.

Tags

A tag is a customer-defined key and optional value that can be assigned to Amazon resources, such as CloudTrail trails, event data stores, and channels, S3 buckets used to store CloudTrail log files, Amazon Organizations organizations and organizational units, and many more. By adding the same tags to trails and to the S3 buckets you use to store log files for trails, you can make it easier to manage, search for, and filter these resources with Amazon Resource Groups. You can implement tagging strategies to help you consistently, effectively, and easily find and manage your resources. For more information, see Amazon Tagging Strategies.

Amazon Security Token Service and CloudTrail

Amazon Security Token Service (Amazon STS) is a service that has a global endpoint and also supports Region-specific endpoints. An endpoint is a URL that is the entry point for web service requests. For example, https://cloudtrail.us-west-2.amazonaws.com is the US West (Oregon) regional entry point for the Amazon CloudTrail service. Regional endpoints help reduce latency in your applications.

When you use an Amazon STS Region-specific endpoint, the trail in that Region delivers only the Amazon STS events that occur in that Region. For example, if you are using the endpoint sts.us-west-2.amazonaws.com, the trail in us-west-2 delivers only the Amazon STS events that originate from us-west-2. For more information about Amazon STS regional endpoints, see Activating and Deactivating Amazon STS in an Amazon Region in the IAM User Guide.

For a complete list of Amazon regional endpoints, see Amazon Regions and Endpoints in the Amazon Web Services General Reference. For details about events from the global Amazon STS endpoint, see Global service events.

Global service events

Important

As of November 22, 2021, Amazon CloudTrail makes Amazon CloudFront events available only in the Region where the event was processed: the China (Ningxia) Region, cn-northwest-1.

For trails monitoring global service events, be sure to convert single-Region trails in China (Beijing) Region, cn-north-1, to multi-Region trails, to include events from China (Ningxia) Region, cn-northwest-1. For more information about capturing CloudFront events, see Enabling and disabling global service event logging later in this section.

For most services, events are recorded in the Region where the action occurred. For global services such as Amazon Identity and Access Management (IAM), Amazon STS, and Amazon CloudFront, events are delivered to any trail that includes global services.

For most global services, events are logged as occurring in the China (Beijing) Region, but some global service events are logged as occurring in the China (Ningxia) Region.

To avoid receiving duplicate global service events, remember the following:

  • Global service events are delivered by default to trails that are created using the CloudTrail console. Events are delivered to the bucket for the trail.

  • If you have multiple single-Region trails, consider configuring your trails so that global service events are delivered in only one of the trails. For more information, see Enabling and disabling global service event logging.

  • If you change the configuration of a trail from logging all Regions to logging a single Region, global service event logging is turned off automatically for that trail. Similarly, if you change the configuration of a trail from logging a single Region to logging all Regions, global service event logging is turned on automatically for that trail.

    For more information about changing global service event logging for a trail, see Enabling and disabling global service event logging.

Example:

  1. You create a trail in the CloudTrail console. By default, this trail logs global service events.

  2. You have multiple single-Region trails.

  3. You do not need to include global services for the single-Region trails. Global service events are delivered for the first trail. For more information, see Creating, updating, and managing trails with the Amazon Command Line Interface.

Note

When you create or update a trail with the Amazon CLI, Amazon SDKs, or CloudTrail API, you can specify whether to include or exclude global service events for trails. You cannot configure global service event logging from the CloudTrail console.