Creating a trail - Amazon CloudTrail
Creating a trail in the console (basic event selectors)Creating a trail in the console (advanced event selectors)Next steps
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating a trail

Follow the procedure to create a trail that applies to all Regions. A trail that applies to all Regions delivers log files from all Regions to an S3 bucket. After you create the trail, Amazon CloudTrail automatically starts logging the events that you specified.

Note

After you create a trail, you can configure other Amazon services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see CloudTrail supported services and integrations.

Creating a trail in the console (basic event selectors)

In the console, you create a trail that logs events in all Amazon Regions that you have enabled. This is a recommended best practice. To log events in a single Region (not recommended), use the Amazon CLI.

Use the following procedure if you have not yet enabled advanced event selectors. If you have advanced event selectors enabled, see Creating a trail in the console (advanced event selectors) to configure data event logging on your trail.

To create a CloudTrail trail with the Amazon Web Services Management Console

  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

  2. On the CloudTrail service home page, the Trails page, or the Trails section of the Dashboard page, choose Create trail.

  3. On the Create Trail page, for Trail name, type a name for your trail. For more information, see Naming requirements.

  4. If this is an Amazon Organizations organization trail, you can enable the trail for all accounts in your organization. To see this option, you must sign in to the console with a user or role in the management or delegated administrator account. To successfully create an organization trail, be sure that the user or role has sufficient permissions. For more information, see Creating a trail for an organization.

  5. For Storage location, choose Create new S3 bucket to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies.

    Note

    If you chose Use existing S3 bucket, specify a bucket in Trail log bucket name, or choose Browse to choose a bucket. The bucket policy must grant CloudTrail permission to write to it. For information about manually editing the bucket policy, see Amazon S3 bucket policy for CloudTrail.

    To make it easier to find your logs, create a new folder (also known as a prefix) in an existing bucket to store your CloudTrail logs. Enter the prefix in Prefix.

  6. For Log file SSE-KMS encryption, choose Enabled if you want to encrypt your log files using SSE-KMS encryption instead of SSE-S3 encryption. The default is Enabled. If you don't enable SSE-KMS encryption, your logs are encrypted using SSE-S3 encryption. For more information about SSE-KMS encryption, see Using server-side encryption with Amazon Key Management Service (SSE-KMS). For more information about SSE-S3 encryption, see Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

    If you enable SSE-KMS encryption, choose a New or Existing Amazon KMS key. In Amazon KMS Alias, specify an alias, in the format alias/MyAliasName. For more information, see Updating a resource to use your KMS key. CloudTrail also supports Amazon KMS multi-Region keys. For more information about multi-Region keys, see Using multi-Region keys in the Amazon Key Management Service Developer Guide.

    Note

    You can also type the ARN of a key from another account. The key policy must allow CloudTrail to use the key to encrypt your log files, and allow the users you specify to read log files in unencrypted form. For information about manually editing the key policy, see Configure Amazon KMS key policies for CloudTrail.

  7. In Additional settings, configure the following.

    1. For Log file validation, choose Enabled to have log digests delivered to your S3 bucket. You can use the digest files to verify that your log files did not change after CloudTrail delivered them. For more information, see Validating CloudTrail log file integrity.

    2. For SNS notification delivery, choose Enabled to be notified each time a log is delivered to your bucket. CloudTrail stores multiple events in a log file. SNS notifications are sent for every log file, not for every event. For more information, see Configuring Amazon SNS notifications for CloudTrail.

      If you enable SNS notifications, for Create a new SNS topic, choose New to create a topic, or choose Existing to use an existing topic. If you are creating a trail that applies to all Regions, SNS notifications for log file deliveries from all Regions are sent to the single SNS topic that you create.

      If you choose New, CloudTrail specifies a name for the new topic for you, or you can type a name. If you choose Existing, choose an SNS topic from the drop-down list. You can also enter the ARN of a topic from another Region or from an account with appropriate permissions. For more information, see Amazon SNS topic policy for CloudTrail.

      If you create a topic, you must subscribe to the topic to be notified of log file delivery. You can subscribe from the Amazon SNS console. Due to the frequency of notifications, we recommend that you configure the subscription to use an Amazon SQS queue to handle notifications programmatically. For more information, see the Amazon Simple Notification Service Getting Started Guide.

  8. Optionally, configure CloudTrail to send log files to CloudWatch Logs by choosing Enabled in CloudWatch Logs. For more information, see Sending events to CloudWatch Logs.

    1. If you enable integration with CloudWatch Logs, choose New to create a new log group, or Existing to use an existing one. If you choose New, CloudTrail specifies a name for the new log group for you, or you can type a name.

    2. If you choose Existing, choose a log group from the drop-down list.

    3. Choose New to create a new IAM role for permissions to send logs to CloudWatch Logs. Choose Existing to choose an existing IAM role from the drop-down list. The policy statement for the new or existing role is displayed when you expand Policy document. For more information about this role, see Role policy document for CloudTrail to use CloudWatch Logs for monitoring.

      Note

      When you configure a trail, you can choose an S3 bucket and SNS topic that belong to another account. However, if you want CloudTrail to deliver events to a CloudWatch Logs log group, you must choose a log group that exists in your current account.

  9. For Tags, add one or more custom tags (key-value pairs) to your trail. Tags can help you identify both your CloudTrail trails and the Amazon S3 buckets that contain CloudTrail log files. You can then use resource groups for your CloudTrail resources. For more information, see Amazon Resource Groups and Why use tags for trails?.

  10. On the Choose log events page, choose the event types that you want to log. For Management events, do the following.

    1. For API activity, choose if you want your trail to log Read events, Write events, or both. For more information, see Management events.

    2. Choose Exclude Amazon KMS events to filter Amazon Key Management Service (Amazon KMS) events out of your trail. The default setting is to include all Amazon KMS events.

      The option to log or exclude Amazon KMS events is available only if you log management events on your trail. If you choose not to log management events, Amazon KMS events are not logged, and you cannot change Amazon KMS event logging settings.

      Amazon KMS actions such as Encrypt, Decrypt, and GenerateDataKey typically generate a large volume (more than 99%) of events. These actions are now logged as Read events. Low-volume, relevant Amazon KMS actions such as Disable, Delete, and ScheduleKey (which typically account for less than 0.5% of Amazon KMS event volume) are logged as Write events.

      To exclude high-volume events like Encrypt, Decrypt, and GenerateDataKey, but still log relevant events such as Disable, Delete and ScheduleKey, choose to log Write management events, and clear the check box for Exclude Amazon KMS events.

  11. For Data events, you can specify logging data events for Amazon S3 buckets, Amazon Lambda functions, Amazon DynamoDB tables, and many other resource types. By default, trails don't log data events. Additional charges apply for logging data events. For more information, see Data events. For CloudTrail pricing, see Amazon CloudTrail Pricing. More data event types are available if you use advanced event selectors; for more information, see Creating a trail in the console (advanced event selectors) in this topic.

    For Amazon S3 buckets:

    1. For Data event source, choose S3.

    2. You can choose to log All current and future S3 buckets, or you can specify individual buckets or functions. By default, data events are logged for all current and future S3 buckets.

      Note

      Keeping the default All current and future S3 buckets option enables data event logging for all buckets currently in your Amazon account and any buckets you create after you finish creating the trail. It also enables logging of data event activity performed by any IAM identity in your Amazon account, even if that activity is performed on a bucket that belongs to another Amazon account.

      If you are creating a trail for a single Region (done by using the Amazon CLI), choosing All current and future S3 buckets enables data event logging for all buckets in the same Region as your trail and any buckets you create later in that Region. It will not log data events for Amazon S3 buckets in other Regions in your Amazon account.

    3. If you leave the default, All current and future S3 buckets, choose to log Read events, Write events, or both.

    4. To select individual buckets, empty the Read and Write check boxes for All current and future S3 buckets. In Individual bucket selection, browse for a bucket on which to log data events. Find specific buckets by typing a bucket prefix for the bucket you want. You can select multiple buckets in this window. Choose Add bucket to log data events for more buckets. Choose to log Read events, such as GetObject, Write events, such as PutObject, or both.

      This setting takes precedence over individual settings you configure for individual buckets. For example, if you specify logging Read events for all S3 buckets, and then choose to add a specific bucket for data event logging, Read is already selected for the bucket you added. You cannot clear the selection. You can only configure the option for Write.

      To remove a bucket from logging, choose X.

  12. To add another data type on which to log data events, choose Add data event type.

  13. For Lambda functions:

    1. For Data event source, choose Lambda.

    2. In Lambda function, choose All regions to log all Lambda functions, or Input function as ARN to log data events on a specific function.

      To log data events for all Lambda functions in your Amazon account, select Log all current and future functions. This setting takes precedence over individual settings you configure for individual functions. All functions are logged, even if all functions are not displayed.

      Note

      If you are creating a trail for all Regions, this selection enables data event logging for all functions currently in your Amazon account, and any Lambda functions you might create in any Region after you finish creating the trail. If you are creating a trail for a single Region (done by using the Amazon CLI), this selection enables data event logging for all functions currently in that Region in your Amazon account, and any Lambda functions you might create in that Region after you finish creating the trail. It does not enable data event logging for Lambda functions created in other Regions.

      Logging data events for all functions also enables logging of data event activity performed by any IAM identity in your Amazon account, even if that activity is performed on a function that belongs to another Amazon account.

    3. If you choose Input function as ARN, enter the ARN of a Lambda function.

      Note

      If you have more than 15,000 Lambda functions in your account, you cannot view or select all functions in the CloudTrail console when creating a trail. You can still select the option to log all functions, even if they are not displayed. If you want to log data events for specific functions, you can manually add a function if you know its ARN. You can also finish creating the trail in the console, and then use the Amazon CLI and the put-event-selectors command to configure data event logging for specific Lambda functions. For more information, see Managing trails with the Amazon CLI.

  14. For DynamoDB tables:

    1. For Data event source, choose DynamoDB.

    2. In DynamoDB table selection, choose Browse to select a table, or paste in the ARN of a DynamoDB table to which you have access. A DynamoDB table ARN uses the following format:

      arn:partition:dynamodb:region:account_ID:table/table_name

      To add another table, choose Add row, and browse for a table or paste in the ARN of a table to which you have access.

  15. Choose Insights events if you want your trail to log CloudTrail Insights events.

    In Event type, select Insights events. In Insights events, choose API call rate, API error rate, or both. You must be logging Write management events to log Insights events for API call rate. You must be logging Read or Write management events to log Insights events for API error rate.

    CloudTrail Insights analyzes management events for unusual activity, and logs events when anomalies are detected. By default, trails don't log Insights events. For more information about Insights events, see Logging Insights events for trails. Additional charges apply for logging Insights events. For CloudTrail pricing, see Amazon CloudTrail Pricing.

    Insights events are delivered to a different folder named /CloudTrail-Insightof the same S3 bucket that is specified in the Storage location area of the trail details page. CloudTrail creates the new prefix for you. For example, if your current destination S3 bucket is named S3bucketName/AWSLogs/CloudTrail/, the S3 bucket name with a new prefix is named S3bucketName/AWSLogs/CloudTrail-Insight/.

  16. When you are finished choosing event types to log, choose Next.

  17. On the Review and create page, review your choices. Choose Edit in a section to change the trail settings shown in that section. When you are ready to create the trail, choose Create trail.

  18. The new trail appears on the Trails page. The Trails page shows the trails in your account from all Regions. In about 5 minutes, CloudTrail publishes log files that show the Amazon API calls made in your account. You can see the log files in the S3 bucket that you specified. It can take up to 36 hours for CloudTrail to deliver the first Insights event, if you have enabled Insights event logging, and unusual activity is detected.

Note

CloudTrail typically delivers logs within an average of about 5 minutes of an API call. This time is not guaranteed.

Creating a trail in the console (advanced event selectors)

In the console, you create a trail that logs events in all Amazon Regions. This is a recommended best practice. To log events in a single Region (not recommended), use the Amazon CLI.

Use the following procedure if you have enabled advanced event selectors. If you prefer to use basic data event selectors, see Creating a trail in the console (basic event selectors) to configure data event logging on your trail.

To create a CloudTrail trail with the Amazon Web Services Management Console

  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

  2. On the CloudTrail service home page, the Trails page, or the Trails section of the Dashboard page, choose Create trail.

  3. On the Create Trail page, for Trail name, type a name for your trail. For more information, see Naming requirements.

  4. If this is an Amazon Organizations organization trail, you can enable the trail for all accounts in your organization. To see this option, you must sign in to the console with a user or role in the management or delegated administrator account. To successfully create an organization trail, be sure that the user or role has sufficient permissions. For more information, see Creating a trail for an organization.

  5. For Storage location, choose Create new S3 bucket to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies.

    Note

    If you chose Use existing S3 bucket, specify a bucket in Trail log bucket name, or choose Browse to choose a bucket. The bucket policy must grant CloudTrail permission to write to it. For information about manually editing the bucket policy, see Amazon S3 bucket policy for CloudTrail.

    To make it easier to find your logs, create a new folder (also known as a prefix) in an existing bucket to store your CloudTrail logs. Enter the prefix in Prefix.

  6. For Log file SSE-KMS encryption, choose Enabled if you want to encrypt your log files using SSE-KMS encryption instead of SSE-S3 encryption. The default is Enabled. If you don't enable SSE-KMS encryption, your logs are encrypted using SSE-S3 encryption. For more information about SSE-KMS encryption, see Using server-side encryption with Amazon Key Management Service (SSE-KMS). For more information about SSE-S3 encryption, see Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

    If you enable SSE-KMS encryption, choose a New or Existing Amazon KMS key. In Amazon KMS Alias, specify an alias, in the format alias/MyAliasName. For more information, see Updating a resource to use your KMS key. CloudTrail also supports Amazon KMS multi-Region keys. For more information about multi-Region keys, see Using multi-Region keys in the Amazon Key Management Service Developer Guide.

    Note

    You can also type the ARN of a key from another account. For more information, see Updating a resource to use your KMS key. The key policy must allow CloudTrail to use the key to encrypt your log files, and allow the users you specify to read log files in unencrypted form. For information about manually editing the key policy, see Configure Amazon KMS key policies for CloudTrail.

  7. In Additional settings, configure the following.

    1. For Log file validation, choose Enabled to have log digests delivered to your S3 bucket. You can use the digest files to verify that your log files did not change after CloudTrail delivered them. For more information, see Validating CloudTrail log file integrity.

    2. For SNS notification delivery, choose Enabled to be notified each time a log is delivered to your bucket. CloudTrail stores multiple events in a log file. SNS notifications are sent for every log file, not for every event. For more information, see Configuring Amazon SNS notifications for CloudTrail.

      If you enable SNS notifications, for Create a new SNS topic, choose New to create a topic, or choose Existing to use an existing topic. If you are creating a trail that applies to all Regions, SNS notifications for log file deliveries from all Regions are sent to the single SNS topic that you create.

      If you choose New, CloudTrail specifies a name for the new topic for you, or you can type a name. If you choose Existing, choose an SNS topic from the drop-down list. You can also enter the ARN of a topic from another Region or from an account with appropriate permissions. For more information, see Amazon SNS topic policy for CloudTrail.

      If you create a topic, you must subscribe to the topic to be notified of log file delivery. You can subscribe from the Amazon SNS console. Due to the frequency of notifications, we recommend that you configure the subscription to use an Amazon SQS queue to handle notifications programmatically. For more information, see the Amazon Simple Notification Service Getting Started Guide.

  8. Optionally, configure CloudTrail to send log files to CloudWatch Logs by choosing Enabled in CloudWatch Logs. For more information, see Sending events to CloudWatch Logs.

    1. If you enable integration with CloudWatch Logs, choose New to create a new log group, or Existing to use an existing one. If you choose New, CloudTrail specifies a name for the new log group for you, or you can type a name.

    2. If you choose Existing, choose a log group from the drop-down list.

    3. Choose New to create a new IAM role for permissions to send logs to CloudWatch Logs. Choose Existing to choose an existing IAM role from the drop-down list. The policy statement for the new or existing role is displayed when you expand Policy document. For more information about this role, see Role policy document for CloudTrail to use CloudWatch Logs for monitoring.

      Note

      When you configure a trail, you can choose an S3 bucket and SNS topic that belong to another account. However, if you want CloudTrail to deliver events to a CloudWatch Logs log group, you must choose a log group that exists in your current account.

  9. For Tags, add one or more custom tags (key-value pairs) to your trail. Tags can help you identify both your CloudTrail trails and the Amazon S3 buckets that contain CloudTrail log files. You can then use resource groups for your CloudTrail resources. For more information, see Amazon Resource Groups and Why use tags for trails?.

  10. On the Choose log events page, choose the event types that you want to log. For Management events, do the following.

    1. For API activity, choose if you want your trail to log Read events, Write events, or both. For more information, see Management events.

    2. Choose Exclude Amazon KMS events to filter Amazon Key Management Service (Amazon KMS) events out of your trail. The default setting is to include all Amazon KMS events.

      The option to log or exclude Amazon KMS events is available only if you log management events on your trail. If you choose not to log management events, Amazon KMS events are not logged, and you cannot change Amazon KMS event logging settings.

      Amazon KMS actions such as Encrypt, Decrypt, and GenerateDataKey typically generate a large volume (more than 99%) of events. These actions are now logged as Read events. Low-volume, relevant Amazon KMS actions such as Disable, Delete, and ScheduleKey (which typically account for less than 0.5% of Amazon KMS event volume) are logged as Write events.

      To exclude high-volume events like Encrypt, Decrypt, and GenerateDataKey, but still log relevant events such as Disable, Delete and ScheduleKey, choose to log Write management events, and clear the check box for Exclude Amazon KMS events.

    3. Choose Exclude Amazon RDS Data API events to filter Amazon Relational Database Service Data API events out of your trail. The default setting is to include all Amazon RDS Data API events. For more information about Amazon RDS Data API events, see Logging Data API calls with Amazon CloudTrail in the Amazon RDS User Guide for Aurora.

  11. To log data events, choose Data events.

  12. For Data event type, choose the resource type on which you want to log data events.

    Note

    To log data events for Amazon Glue tables created by Lake Formation, choose Lake Formation.

  13. Choose a log selector template. CloudTrail includes predefined templates that log all data events for the resource type. To build a custom log selector template, choose Custom.

    Note

    Choosing a predefined template for S3 buckets enables data event logging for all buckets currently in your Amazon account and any buckets you create after you finish creating the trail. It also enables logging of data event activity performed by any IAM identity in your Amazon account, even if that activity is performed on a bucket that belongs to another Amazon account.

    If the trail applies only to one Region, choosing a predefined template that logs all S3 buckets enables data event logging for all buckets in the same Region as your trail and any buckets you create later in that Region. It will not log data events for Amazon S3 buckets in other Regions in your Amazon account.

    If you are creating a trail for all Regions, choosing a predefined template for Lambda functions enables data event logging for all functions currently in your Amazon account, and any Lambda functions you might create in any Region after you finish creating the trail. If you are creating a trail for a single Region (done by using the Amazon CLI), this selection enables data event logging for all functions currently in that Region in your Amazon account, and any Lambda functions you might create in that Region after you finish creating the trail. It does not enable data event logging for Lambda functions created in other Regions.

    Logging data events for all functions also enables logging of data event activity performed by any IAM identity in your Amazon account, even if that activity is performed on a function that belongs to another Amazon account.

  14. (Optional) In Selector name, enter a name to identify your selector. The selector name is a descriptive name for an advanced event selector, such as "Log data events for only two S3 buckets". The selector name is listed as Name in the advanced event selector and is viewable if you expand the JSON view.

  15. In Advanced event selectors, build an expression for the specific resources on which you want to log data events. You can skip this step if you are using a predefined log template.

    1. Choose from the following fields. For fields that accept an array (more than one value), CloudTrail adds an OR between values.

      • readOnly - readOnly can be set to Equals a value of true or false. Read-only data events are events that do not change the state of a resource, such as Get* or Describe* events. Write events add, change, or delete resources, attributes, or artifacts, such as Put*, Delete*, or Write* events. To log both read and write events, don't add a readOnly selector.

      • eventName - eventName can use any operator. You can use it to include or exclude any data event logged to CloudTrail, such as PutBucket, PutItem, or GetSnapshotBlock. You can have multiple values for this field, separated by commas.

      • resources.ARN - You can use any operator with resources.ARN, but if you use Equals or NotEquals, the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type.

        The following table shows the valid ARN format for each resources.type.

        resources.type resources.ARN
        AWS::DynamoDB::Table 
        arn:partition:dynamodb:region:account_ID:table/table_name
        AWS::Lambda::Function 
        arn:partition:lambda:region:account_ID:function:function_name

        AWS::S3::Object1

        		 
        arn:partition:s3:::bucket_name/
arn:partition:s3:::bucket_name/object_or_file_name/
        AWS::CloudTrail::Channel 
        arn:partition:cloudtrail:region:account_ID:channel/channel_UUID
        AWS::CodeWhisperer::Profile 
        arn:partition:codewhisperer:region:account_ID:profile/profile_ID
        AWS::Cognito::IdentityPool 
        arn:partition:cognito-identity:region:account_ID:identitypool/identity_pool_ID
        AWS::DynamoDB::Stream 
        arn:partition:dynamodb:region:account_ID:table/table_name/stream/date_time
        AWS::EC2::Snapshot 
        arn:partition:ec2:region::snapshot/snapshot_ID
        AWS::EMRWAL::Workspace 
        arn:partition:emrwal:region::workspace/workspace_name
        AWS::FinSpace::Environment 
        arn:partition:finspace:region:account_ID:environment/environment_ID
        AWS::Glue::Table 
        arn:partition:glue:region:account_ID:table/database_name/table_name
        AWS::GuardDuty::Detector 
        arn:partition:guardduty:region:account_ID:detector/detector_ID
        AWS::KendraRanking::ExecutionPlan 
        arn:partition:kendra-ranking:region:account_ID:rescore-execution-plan/rescore_execution_plan_ID
        AWS::KinesisVideo::Stream 
        arn:partition:kinesisvideo:region:account_ID:stream/stream_name/creation_time
        AWS::ManagedBlockchain::Network 
        arn:partition:managedblockchain:::networks/network_name
        AWS::ManagedBlockchain::Node 
        arn:partition:managedblockchain:region:account_ID:nodes/node_ID
        AWS::MedicalImaging::Datastore 
        arn:partition:medical-imaging:region:account_ID:datastore/data_store_ID
        AWS::PCAConnectorAD::Connector 
        arn:partition:pca-connector-ad:region:account_ID:connector/connector_ID
        AWS::SageMaker::Endpoint 
        arn:partition:sagemaker:region:account_ID:endpoint/endpoint_name
        AWS::SageMaker::ExperimentTrialComponent 
        arn:partition:sagemaker:region:account_ID:experiment-trial-component/experiment_trial_component_name
        AWS::SageMaker::FeatureGroup 
        arn:partition:sagemaker:region:account_ID:feature-group/feature_group_name

        AWS::S3::AccessPoint2

        		 
        arn:partition:s3:region:account_ID:accesspoint/access_point_name
        AWS::S3ObjectLambda::AccessPoint 
        arn:partition:s3-object-lambda:region:account_ID:accesspoint/access_point_name
        AWS::S3Outposts::Object 
        arn:partition:s3-outposts:region:account_ID:object_path
        AWS::SSMMessages::ControlChannel 
        arn:partition:ssmmessages:region:account_ID:control-channel/control_channel_ID
        AWS::VerifiedPermissions::PolicyStore 
        arn:partition:verifiedpermissions:region:account_ID:policy-store/policy_store_ID

        1 To log all data events for all objects in a specific S3 bucket, use the StartsWith operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it.

        2 To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the StartsWith or NotStartsWith operators.

      For more information about the ARN formats of data event resources, see Actions, resources, and condition keys in the Amazon Identity and Access Management User Guide.

    2. For each field, choose + Conditions to add as many conditions as you need, up to a maximum of 500 specified values for all conditions. For example, to exclude data events for two S3 buckets from data events that are logged on your trail, you can set the field to resources.ARN, set the operator for NotStartsWith, and then either paste in an S3 bucket ARN, or browse for the S3 buckets for which you do not want to log events.

      To add the second S3 bucket, choose + Conditions, and then repeat the preceding instruction, pasting in the ARN for or browsing for a different bucket.

      Note

      You can have a maximum of 500 values for all selectors on a trail. This includes arrays of multiple values for a selector such as eventName. If you have single values for all selectors, you can have a maximum of 500 conditions added to a selector.

      If you have more than 15,000 Lambda functions in your account, you cannot view or select all functions in the CloudTrail console when creating a trail. You can still log all functions with a predefined selector template, even if they are not displayed. If you want to log data events for specific functions, you can manually add a function if you know its ARN. You can also finish creating the trail in the console, and then use the Amazon CLI and the put-event-selectors command to configure data event logging for specific Lambda functions. For more information, see Managing trails with the Amazon CLI.

    3. Choose + Field to add additional fields as required. To avoid errors, do not set conflicting or duplicate values for fields. For example, do not specify an ARN in one selector to be equal to a value, then specify that the ARN not equal the same value in another selector.

    4. Save changes to your custom selector template by choosing Next. Do not choose another log selector template, or leave this page, or your custom selectors will be lost.

  16. To add another data type on which to log data events, choose Add data event type. Repeat steps 12 through this step to configure advanced event selectors for the data event type.

  17. Choose Insights events if you want your trail to log CloudTrail Insights events.

    In Event type, select Insights events. You must be logging Write management events to log Insights events for API call rate. You must be logging Read or Write management events to log Insights events for API error rate.

    CloudTrail Insights analyzes management events for unusual activity, and logs events when anomalies are detected. By default, trails don't log Insights events. For more information about Insights events, see Logging Insights events for trails. Additional charges apply for logging Insights events. For CloudTrail pricing, see Amazon CloudTrail Pricing.

    Insights events are delivered to a different folder named /CloudTrail-Insightof the same S3 bucket that is specified in the Storage location area of the trail details page. CloudTrail creates the new prefix for you. For example, if your current destination S3 bucket is named S3bucketName/AWSLogs/CloudTrail/, the S3 bucket name with a new prefix is named S3bucketName/AWSLogs/CloudTrail-Insight/.

  18. When you are finished choosing event types to log, choose Next.

  19. On the Review and create page, review your choices. Choose Edit in a section to change the trail settings shown in that section. When you are ready to create the trail, choose Create trail.

  20. The new trail appears on the Trails page. The Trails page shows the trails in your account from all Regions. In about 5 minutes, CloudTrail publishes log files that show the Amazon API calls made in your account. You can see the log files in the S3 bucket that you specified. It can take up to 36 hours for CloudTrail to deliver the first Insights event, if you have enabled Insights event logging, and unusual activity is detected.

    Note

    CloudTrail typically delivers logs within an average of about 5 minutes of an API call. This time is not guaranteed.

Next steps

After you create your trail, you can return to the trail to make changes: