Logging management events
By default, trails and event data stores log management events and don't include data or Insights events.
Additional
charges apply for data or Insights events. For more information, see Amazon CloudTrail Pricing
Contents
Management events
Management events provide visibility into management operations that are performed on resources in your Amazon account. These are also known as control plane operations. Example management events include:
-
Configuring security (for example, IAM
AttachRolePolicy
API operations) -
Registering devices (for example, Amazon EC2
CreateDefaultVpc
API operations) -
Configuring rules for routing data (for example, Amazon EC2
CreateSubnet
API operations) -
Setting up logging (for example, Amazon CloudTrail
CreateTrail
API operations)
Management events can also include non-API events that occur in your account. For
example, when a user logs in to your account, CloudTrail logs the ConsoleLogin
event. For more information, see Non-API events captured by CloudTrail.
By default, trails and event data stores are configured to log management events.
Note
The CloudTrail Event history feature supports only management events. You cannot exclude Amazon KMS events from Event history; settings that you apply to a trail do not apply to Event history. For more information, see Working with CloudTrail Event history.
Read and write events
When you configure your trail or event data store to log management events, you can specify whether you want read-only events, write-only events, or both.
-
Read
Read-only events include API operations that read your resources, but don't make changes. For example, read-only events include the Amazon EC2
DescribeSecurityGroups
andDescribeSubnets
API operations. These operations return only information about your Amazon EC2 resources and don't change your configurations. -
Write
Write-only events include API operations that modify (or might modify) your resources. For example, the Amazon EC2
RunInstances
andTerminateInstances
API operations modify your instances.
Example: Logging read and write events for separate trails
The following example shows how you can configure trails to split log activity for an account into separate S3 buckets: one bucket receives read-only events and a second bucket receives write-only events.
-
You create a trail and choose an S3 bucket named
amzn-s3-demo-bucket1
to receive log files. You then update the trail to specify that you want Read management events. -
You create a second trail and choose an S3 bucket named
amzn-s3-demo-bucket2
to receive log files. You then update the trail to specify that you want Write management events. -
The Amazon EC2
DescribeInstances
andTerminateInstances
API operations occur in your account. -
The
DescribeInstances
API operation is a read-only event and it matches the settings for the first trail. The trail logs and delivers the event toamzn-s3-demo-bucket1
. -
The
TerminateInstances
API operation is a write-only event and it matches the settings for the second trail. The trail logs and delivers the event toamzn-s3-demo-bucket2
.
Logging management events with the Amazon Web Services Management Console
This section describes how to update the management event settings for an existing trail or event data store.
Topics
Updating the management event settings for an existing trail
Use the following procedure to update the management event settings for an existing trail.
-
Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/
. -
Open the Trails page of the CloudTrail console and choose the trail name.
-
For Management events, choose Edit.
-
Choose if you want to log Read events, Write events, or both.
-
Choose Exclude Amazon KMS events to filter Amazon Key Management Service (Amazon KMS) events out of your traiL. The default setting is to include all Amazon KMS events.
The option to log or exclude Amazon KMS events is available only if you log management events on your trail. If you choose not to log management events, Amazon KMS events are not logged, and you cannot change Amazon KMS event logging settings.
Amazon KMS actions such as
Encrypt
,Decrypt
, andGenerateDataKey
typically generate a large volume (more than 99%) of events. These actions are now logged as Read events. Low-volume, relevant Amazon KMS actions such asDisable
,Delete
, andScheduleKey
(which typically account for less than 0.5% of Amazon KMS event volume) are logged as Write events.To exclude high-volume events like
Encrypt
,Decrypt
, andGenerateDataKey
, but still log relevant events such asDisable
,Delete
andScheduleKey
, choose to log Write management events, and clear the check box for Exclude Amazon KMS events.
-
-
Choose Save changes when you are finished.
Updating the management event settings for an existing event data store
-
Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/
. -
Open the Event data stores page of the CloudTrail console and choose the event data store name.
-
For Management events, choose Edit and then configure the following settings:
-
Choose between Simple event collection or Advanced event collection:
-
Choose Simple event collection if you want to log all events, log only read events, or log only write events. You can choose also to exclude Amazon Key Management Service and Amazon RDS Data API management events.
-
Choose Advanced event collection if you want to include or exclude management events based on the values of advanced event selector fields, including the
eventName
,eventType
,eventSource
, anduserIdentity.arn
fields.
-
-
If you selected Simple event collection, choose whether you want to log all events, log only read events, or log only write events. You can also choose to exclude Amazon KMS and Amazon RDS management events.
-
If you selected Advanced event collection, make the following selections:
-
In Log selector template, choose a template, or Custom to build a custom configuration based on advanced event selector field values.
-
(Optional) In Selector name, enter a name to identify your selector. The selector name is a descriptive name for an advanced event selector, such as "Log management events from Amazon Web Services Management Console sessions". The selector name is listed as
Name
in the advanced event selector and is viewable if you expand the JSON view. -
If you chose Custom, in Advanced event selectors build an expression based on advanced event selector field values.
-
Choose from the following fields.
-
readOnly
–readOnly
can be set to equals a value oftrue
orfalse
. When it is set tofalse
, the event data store logs Write-only management events. Read-only management events are events that do not change the state of a resource, such asGet*
orDescribe*
events. Write events add, change, or delete resources, attributes, or artifacts, such asPut*
,Delete*
, orWrite*
events. To log both Read and Write events, don't add areadOnly
selector. -
eventName
–eventName
can use any operator. You can use it to include or exclude any management event, such asCreateAccessPoint
orGetAccessPoint
. -
userIdentity.arn
– Include or exclude events for actions taken by specific IAM identities. For more information, see CloudTrail userIdentity element. -
sessionCredentialFromConsole
– Include or exclude events originating from an Amazon Web Services Management Console session. This field can be set to equals or not equals with a value oftrue
. -
eventSource
– You can use it to include or exclude specific event sources. TheeventSource
is typically a short form of the service name without spaces plus.amazonaws.com
. For example, you could seteventSource
equals toec2.amazonaws.com
to log only Amazon EC2 management events. -
eventType
– The eventType to include or exclude. For example, you can set this field to not equalsAwsServiceEvent
to exclude Amazon Web Services service events.
-
-
For each field, choose + Condition to add as many conditions as you need, up to a maximum of 500 specified values for all conditions.
For information about how CloudTrail evaluates multiple conditions, see How CloudTrail evaluates multiple conditions for a field.
Note
You can have a maximum of 500 values for all selectors on an event data store. This includes arrays of multiple values for a selector such as
eventName
. If you have single values for all selectors, you can have a maximum of 500 conditions added to a selector. -
Choose + Field to add additional fields as required. To avoid errors, do not set conflicting or duplicate values for fields.
-
-
Optionally, expand JSON view to see your advanced event selectors as a JSON block.
-
-
Choose Enable Insights events capture to enable Insights. To enable Insights, you need to set up a destination event data store to collect Insights events based upon the management event activity in this event data store.
If you choose to enable Insights, do the following.
-
Choose the destination event store that will log Insights events. The destination event data store will collect Insights events based upon the management event activity in this event data store. For information about how to create the destination event data store, see To create a destination event data store that logs Insights events.
-
Choose the Insights types. You can choose API call rate, API error rate, or both. You must be logging Write management events to log Insights events for API call rate. You must be logging Read or Write management events to log Insights events for API error rate.
-
-
-
Choose Save changes when you are finished.
Logging management events with the Amazon CLI
You can configure your trails to log management events using the Amazon CLI.
Examples: Logging management events for trails
To view whether your trail is logging management events, run the
get-event-selectors
command.
aws cloudtrail get-event-selectors --trail-name
TrailName
The following example returns the default settings for a trail. By default, trails log all management events, log events from all event sources, and don't log data events.
{ "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/
TrailName
", "AdvancedEventSelectors": [ { "Name": "Management events selector", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] } ] } ] }
You can use either basic or advanced event selectors to log management events. You cannot apply both event selectors and advanced event selectors to a trail. If you apply advanced event selectors to a trail, any existing basic event selectors are overwritten. The following sections provide examples of how to log management events using advanced event selectors and basic event selectors.
Topics
Examples: Logging management events for trails using advanced event selectors
The following example creates an advanced event selector for a trail named
TrailName
to include read-only and write-only
management events (by omitting the readOnly
selector), but to
exclude Amazon Key Management Service (Amazon KMS) events. Because Amazon KMS events are treated as management
events, and there can be a high volume of them, they can have a substantial
impact on your CloudTrail bill if you have more than one trail that captures
management events.
If you choose not to log management events, Amazon KMS events are not logged, and you cannot change Amazon KMS event logging settings.
To start logging Amazon KMS events to a trail again, remove the
eventSource
selector, and run the command again.
aws cloudtrail put-event-selectors --trail-name
TrailName
\ --advanced-event-selectors ' [ { "Name": "Log all management events except KMS events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Management"] }, { "Field": "eventSource", "NotEquals": ["kms.amazonaws.com"] } ] } ]'
The example returns the advanced event selectors that are configured for the trail.
{ "AdvancedEventSelectors": [ { "Name": "Log all management events except KMS events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] }, { "Field": "eventSource", "NotEquals": [ "kms.amazonaws.com" ] } ] } ], "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/
TrailName
" }
To start logging excluded events to a trail again, remove the
eventSource
selector, as shown in the following command.
aws cloudtrail put-event-selectors --trail-name
TrailName
\ --advanced-event-selectors ' [ { "Name": "Log all management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Management"] } ] } ]'
The next example creates an advanced event selector for a trail named
TrailName
to include read-only and write-only
management events (by omitting the readOnly
selector), but to
exclude Amazon RDS Data API management events. To exclude Amazon RDS Data API management
events, specify the Amazon RDS Data API event source in the string value for the
eventSource
field: rdsdata.amazonaws.com
.
If you choose not to log management events, Amazon RDS Data API management events are not logged, and you cannot change Amazon RDS Data API event logging settings.
To start logging Amazon RDS Data API management events to a trail again, remove the
eventSource
selector, and run the command again.
aws cloudtrail put-event-selectors --trail-name
TrailName
\ --advanced-event-selectors ' [ { "Name": "Log all management events except Amazon RDS Data API management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Management"] }, { "Field": "eventSource", "NotEquals": ["rdsdata.amazonaws.com"] } ] } ]'
The example returns the advanced event selectors that are configured for the trail.
{ "AdvancedEventSelectors": [ { "Name": "Log all management events except Amazon RDS Data API management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] }, { "Field": "eventSource", "NotEquals": [ "rdsdata.amazonaws.com" ] } ] } ], "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/
TrailName
" }
To start logging excluded events to a trail again, remove the
eventSource
selector, as shown in the following command.
aws cloudtrail put-event-selectors --trail-name
TrailName
\ --advanced-event-selectors ' [ { "Name": "Log all management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Management"] } ] } ]'
Examples: Logging management events for trails using basic event selectors
To configure your trail to log management events, run the
put-event-selectors
command. The following example shows how to
configure your trail to include all management events for two S3 objects. You can
specify from 1 to 5 event selectors for a trail. You can specify from 1 to 250 data
resources for a trail.
Note
The maximum number of S3 data resources is 250, regardless of the number of event selectors.
aws cloudtrail put-event-selectors --trail-name
TrailName
--event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::amzn-s3-demo-bucket/prefix", "arn:aws:s3:::amzn-s3-demo-bucket2/prefix2"] }] }]'
The following example returns the event selector configured for the trail.
{ "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/
TrailName
", "EventSelectors": [ { "ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [ { "Type": "AWS::S3::Object", "Values": [ "arn:aws:s3:::amzn-s3-demo-bucket/prefix", "arn:aws:s3:::amzn-s3-demo-bucket2/prefix2", ] } ], "ExcludeManagementEventSources": [] } ] }
To exclude Amazon Key Management Service (Amazon KMS) events from a trail's logs, run the
put-event-selectors
command and add the attribute
ExcludeManagementEventSources
with a value of
kms.amazonaws.com
. The following example creates an event selector for
a trail named TrailName
to include read-only and write-only
management events, but exclude Amazon KMS events. Because Amazon KMS can generate a high volume of
events, the user in this example might want to limit events to manage the cost of a
trail.
aws cloudtrail put-event-selectors --trail-name
TrailName
--event-selectors '[{"ReadWriteType": "All","ExcludeManagementEventSources": ["kms.amazonaws.com"],"IncludeManagementEvents": true}]'
The example returns the event selector configured for the trail.
{ "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/
TrailName
", "EventSelectors": [ { "ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [], "ExcludeManagementEventSources": [ "kms.amazonaws.com" ] } ] }
To exclude Amazon RDS Data API management events from a trail's logs, run the
put-event-selectors
command and add the attribute
ExcludeManagementEventSources
with a value of
rdsdata.amazonaws.com
. The following example creates an event selector
for a trail named TrailName
to include read-only and
write-only management events, but exclude Amazon RDS Data API management events. Because Amazon RDS Data API
can generate a high volume of management events, the user in this example might want to limit
events to manage the cost of a trail.
{ "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/
TrailName
", "EventSelectors": [ { "ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [], "ExcludeManagementEventSources": [ "rdsdata.amazonaws.com" ] } ] }
To start logging Amazon KMS or Amazon RDS Data API management events to a trail again,
pass an empty string as the value of ExcludeManagementEventSources
, as
shown in the following command.
aws cloudtrail put-event-selectors --trail-name
TrailName
--event-selectors '[{"ReadWriteType": "All","ExcludeManagementEventSources": [],"IncludeManagementEvents": true}]'
To log relevant Amazon KMS events to a trail like Disable
, Delete
and ScheduleKey
, but exclude high-volume Amazon KMS events like
Encrypt
, Decrypt
, and GenerateDataKey
, log
write-only management events, and keep the default setting to log Amazon KMS events, as shown
in the following example.
aws cloudtrail put-event-selectors --trail-name
TrailName
--event-selectors '[{"ReadWriteType": "WriteOnly","ExcludeManagementEventSources": [],"IncludeManagementEvents": true}]'
Logging management events with the Amazon SDKs
Use the GetEventSelectors operation to see whether your trail is logging management events for a trail. You can configure your trails to log management events with the PutEventSelectors operation. For more information, see the Amazon CloudTrail API Reference.