Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Viewing recent CloudTrail management events in the CloudTrail console

You can use the Event history page in the CloudTrail console to view the last 90 days of management events in an Amazon Web Services Region. You can also download a file with that information, or a subset of information based on the filter and time range you choose. You can customize your view of Event history by selecting how many events to display on each page and choosing which columns to display in the console. You can also look up and filter events by the resource types available for a particular service. You can select up to five events in Event history and compare their details side-by-side.

After 90 days, events are no longer shown in Event history. You cannot manually delete events from Event history.

You can learn more about the specifics of how CloudTrail logs events for a specific service by consulting the documentation for that service. For more information, see Amazon service topics for CloudTrail.

Note

For an ongoing record of activity and events, create a trail.

Creating a trail enables you to take advantage of the following integrations:

  • A trail lets you log CloudTrail Insights events, which can help you identify and respond to unusual activity associated with write management API calls. For more information, see Logging Insights events.

  • Analyze your Amazon service activity with queries in Amazon Athena. For more information, see Creating a Table for CloudTrail Logs in the CloudTrail Console in the Amazon Athena User Guide, or choose the option to create a table directly from Event history in the CloudTrail console.

  • Monitor your trail logs and be notified when specific activity occurs with Amazon CloudWatch Logs. For more information, see Monitoring CloudTrail Log Files with Amazon CloudWatch Logs.

  • A trail lets you exclude Amazon Key Management Service (Amazon KMS) or Amazon Relational Database Service Data API events. Amazon KMS actions such as Encrypt, Decrypt, and GenerateDataKey typically generate a large volume (more than 99%) of events. Events cannot be excluded from Event history.

To view recent CloudTrail events in the console
  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/home/.

  2. In the navigation pane, choose Event history.

    A filtered list of events appears in the content pane with the latest event first. Scroll down to see more events.

  3. To compare events, select up to five events by filling their check boxes in the left margin of the Event history table. View details for selected events side-by-side in the Compare event details table.

The default display of events in Event history uses an attribute filter to exclude read-only events from the list of displayed events. To remove this filter, or to apply other filters, change the filter settings. For more information, see Filtering CloudTrail events.

You can navigate between pages in the Event history by choosing the page you want to view. You can also view the next and previous page in Event history.

Choose < to view the previous page of Event history.

Choose > to view the next page of Event history.

Customizing the display

You can customize the view of Event history in the CloudTrail console by selecting from the following preferences.

  • Page size - Choose whether you want to display 10, 25, or 50 events on each page.

  • Wrap lines - Wrap text so you can see all text for each event.

  • Striped rows - Shade every other row in the table.

  • Event time display - Choose whether to display the event time in UTC or the local time zone.

  • Select visible columns - Select which columns to display. By default, the following columns are displayed:

    • Event name

    • Event time

    • User name

    • Event source

    • Resource type

    • Resource name

    Note

    You cannot change the order of the columns, or manually delete events from Event history.

To customize the display
  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

  2. In the navigation pane, choose Event history.

  3. Choose the gear icon.

  4. For Page size, choose the number of events to display on a page.

  5. Choose Wrap lines to see all text for each event.

  6. Choose Striped rows to shade every other row in the table.

  7. For Event time display, choose whether to display the event time in UTC or the local time zone. By default, UTC is selected.

  8. In Select visible columns, select the columns you want to display. Turn off columns you do not want to display.

  9. When you have finished making your changes, choose Confirm.

Filtering CloudTrail events

The default display of events in Event history uses an attribute filter to exclude read-only events from the list of displayed events. This attribute filter is named Read-only, and it is set to false. You can remove this filter to display both read and write events. To view only Read events, you can change the filter value to true. You can also filter events by other attributes. You can additionally filter by time range.

Note

You can only apply one attribute filter and a time range filter. You cannot apply multiple attribute filters.

Amazon access key

The Amazon access key ID that was used to sign the request. If the request was made with temporary security credentials, this is the access key ID of the temporary credentials.

Event ID

The CloudTrail ID of the event. Each event has a unique ID.

Event name

The name of the event. For example, you can filter on IAM events, such as CreatePolicy, or Amazon EC2 events, such as RunInstances.

Event source

The Amazon service to which the request was made, such as iam.amazonaws.com or s3.amazonaws.com. You can scroll through a list of event sources after you choose the Event source filter.

Read only

The read type of the event. Events are categorized as read events or write events. Setting the filter to false shows only write events; setting it to true shows only read events. By default, this attribute filter is applied with the value false, so read-only calls (for example, Describe*, Get* and List* operations) are hidden until you remove or change the filter.

Resource name

The name or ID of the resource referenced by the event. For example, the resource name might be "auto-scaling-test-group" for an Auto Scaling group or "i-12345678910" for an EC2 instance.

Resource type

The type of resource referenced by the event. For example, a resource type can be Instance for EC2 or DBInstance for RDS. Resource types vary for each Amazon service.

Time range

The time range in which you want to filter events. You can choose either a Relative range or an Absolute range. You can filter events for the last 90 days.

User name

The identity referenced by the event. For example, this can be a user, a role name, or a service role.

If there are no events logged for the attribute or time that you choose, the results list is empty. You can apply only one attribute filter in addition to the time range. If you choose a different attribute filter, your specified time range is preserved.

The following steps describe how to filter by attribute.

To filter by attribute
  1. To filter the results by an attribute, choose an attribute from the Lookup attributes drop-down list, and then type or choose a value for the attribute in the text box.

  2. To remove an attribute filter, choose the X at the right of the attribute filter box.

The following steps describe how to filter by a start and end date and time.

To filter by a start and end date and time
  1. To narrow the time range for the events that you want to see, choose a time range in the time range bar. You can choose either a Relative range or an Absolute range.

    Choose Relative range to select from a preset value or choose a custom range. Preset values are 30 minutes, 1 hour, 12 hours, or 1 day. To specify a custom time range, choose Custom.

    Choose Absolute range to specify a specific start and end time. You can also choose between the local time zone or UTC.

  2. To remove a time range filter, choose Clear and dismiss in the time range bar.
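The same lookup attributes and 90-day window are exposed programmatically by the CloudTrail LookupEvents API (for example, `aws cloudtrail lookup-events --lookup-attributes AttributeKey=ReadOnly,AttributeValue=false`). The following added example, which is not code from Amazon Web Services, replicates the Event history filter semantics locally over constructed records shaped like LookupEvents output, so you can run the same one-attribute-plus-time-range filter over an exported JSON file offline. Assumptions: the records carry the API field names (EventId, EventName, ReadOnly, AccessKeyId, EventTime, EventSource, Username, Resources), ResourceType uses the API form such as AWS::EC2::Instance rather than the console's short form, and all sample data is made up.

```python
"""Local replica of the Event history lookup filter.

Added example; not AWS code. Records are constructed here in the shape the
CloudTrail LookupEvents API returns (EventId, EventName, ReadOnly, AccessKeyId,
EventTime, EventSource, Username, Resources). ResourceType uses the API form
"AWS::EC2::Instance"; the console shows the short form "Instance".
"""
from datetime import datetime, timedelta, timezone

# The eight lookup attributes Event history supports; only one may be applied at a time.
LOOKUP_ATTRIBUTES = {
    "AccessKeyId", "EventId", "EventName", "EventSource",
    "ReadOnly", "ResourceName", "ResourceType", "Username",
}
RETENTION = timedelta(days=90)  # Event history keeps 90 days of management events

# Constructed sample records (no real account data).
SAMPLE_EVENTS = [
    {"EventId": "11111111-0000-4000-8000-000000000001", "EventName": "RunInstances",
     "ReadOnly": "false", "AccessKeyId": "ASIAEXAMPLEKEY00001",
     "EventTime": "2024-05-01T10:15:00Z", "EventSource": "ec2.amazonaws.com",
     "Username": "deploy-role",
     "Resources": [{"ResourceType": "AWS::EC2::Instance", "ResourceName": "i-12345678910"}]},
    {"EventId": "11111111-0000-4000-8000-000000000002", "EventName": "DescribeInstances",
     "ReadOnly": "true", "AccessKeyId": "ASIAEXAMPLEKEY00001",
     "EventTime": "2024-05-01T10:16:00Z", "EventSource": "ec2.amazonaws.com",
     "Username": "deploy-role", "Resources": []},
    {"EventId": "11111111-0000-4000-8000-000000000003", "EventName": "CreatePolicy",
     "ReadOnly": "false", "AccessKeyId": "AKIAEXAMPLEKEY00002",
     "EventTime": "2024-05-02T08:00:00Z", "EventSource": "iam.amazonaws.com",
     "Username": "alice",
     "Resources": [{"ResourceType": "AWS::IAM::Policy",
                    "ResourceName": "arn:aws-cn:iam::123456789012:policy/deny-public-s3"}]},
    {"EventId": "11111111-0000-4000-8000-000000000004", "EventName": "Decrypt",
     "ReadOnly": "true", "AccessKeyId": "ASIAEXAMPLEKEY00003",
     "EventTime": "2024-05-02T09:30:00Z", "EventSource": "kms.amazonaws.com",
     "Username": "app-role", "Resources": []},
]


def parse_time(value):
    """EventTime is ISO 8601 with a trailing Z; return a timezone-aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _matches(event, key, value):
    # Resource attributes live in the nested Resources list; everything else is top level.
    if key in ("ResourceName", "ResourceType"):
        return any(r.get(key) == value for r in event.get("Resources", []))
    return event.get(key) == value


def lookup_events(events, attribute=None, start_time=None, end_time=None, now=None):
    """Filter like Event history: at most one attribute plus a time range, newest first.

    attribute is a (key, value) pair or None. The window is clamped to the last
    90 days relative to `now` (defaults to the current UTC time), because older
    events are no longer available from Event history. Datetimes must be aware.
    """
    if attribute is not None and attribute[0] not in LOOKUP_ATTRIBUTES:
        raise ValueError("unsupported lookup attribute: %s" % attribute[0])
    now = now or datetime.now(timezone.utc)
    cutoff = now - RETENTION
    start = cutoff if start_time is None else max(start_time, cutoff)

    selected = []
    for ev in events:
        t = parse_time(ev["EventTime"])
        if t < start or (end_time is not None and t > end_time):
            continue
        if attribute is not None and not _matches(ev, *attribute):
            continue
        selected.append(ev)
    # The console lists the latest event first.
    return sorted(selected, key=lambda e: parse_time(e["EventTime"]), reverse=True)


def default_view(events, now=None):
    """The console's default filter: Read-only = false, i.e. write events only."""
    return lookup_events(events, ("ReadOnly", "false"), now=now)


if __name__ == "__main__":
    fixed_now = parse_time("2024-06-01T00:00:00Z")
    for ev in default_view(SAMPLE_EVENTS, now=fixed_now):
        print(ev["EventTime"], ev["EventName"], ev["Username"])
```

Because `lookup_events` takes a single (key, value) pair, the "one attribute filter at a time" rule is enforced by the signature; combine several criteria by running one lookup and post-filtering the result in your own code, which is also what you must do against the real API.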

Viewing details for an event

  1. Choose an event in the results list to show its details.

  2. Resources referenced in the event are shown in the Resources referenced table on the event details page.

  3. Some referenced resources have links. Choose the link to open the console for that resource.

  4. Scroll to Event record on the details page to see the JSON event record, also called the event payload.

  5. Choose Event history in the page breadcrumb to close the event details page and return to Event history.

Downloading events

You can download recorded event history as a file in CSV or JSON format. You can download up to 200,000 events in a single file. If you reach the 200,000 event limit, the CloudTrail console will provide the option to download additional files. Use filters and time ranges to reduce the size of the file you download.

Note

CloudTrail event history files are data files that contain values (such as resource names and user names) set by whoever created the resource or made the request, so anyone with permission to create resources in the account can influence what appears in the file. Some of that content can be interpreted as commands by the programs used to read and analyze the data (CSV injection). For example, when CloudTrail events are exported to CSV and imported into a spreadsheet program, that program might warn you about security concerns. Decline to enable such content. Always disable links or macros in downloaded event history files.

  1. Add a filter and time range for events in Event history that you want to download. For example, you can specify the event name, StartInstances, and specify a time range for the last three days of activity.

  2. Choose Download events, and then choose Download as CSV or Download as JSON. The download starts immediately.

    Note

    Your download might take some time to complete. For faster results, before you start the download process, use a more specific filter or a shorter time range to narrow the results. You can cancel a download. If you cancel a download, a partial download including only some event data might be on your local computer. To download the full event history, restart the download.

  3. After your download is complete, open the file to view the events that you specified.

  4. To cancel your download, choose Cancel, and then confirm by choosing Cancel download. If you need to restart a download, wait until the earlier download is finished canceling.
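The CSV injection warning above is easy to act on before a file reaches a spreadsheet. The following added example (not part of CloudTrail or the console) scans a downloaded Event history CSV for cells that a spreadsheet would evaluate as a formula, rewrites them as literal text with a leading single quote, and reports where they were found. It assumes the export is a plain CSV whose first row is a header with the console's default column names; the sample export is constructed, and the HYPERLINK cell stands in for an attacker-chosen resource name.

```python
"""Neutralize spreadsheet formula injection in a downloaded Event history CSV.

Added example, not part of CloudTrail or the console. Field values such as
resource names are chosen by whoever created the resource, so a CSV export can
carry cells that a spreadsheet would evaluate as formulas. This rewrites such
cells to plain text and reports where they were found. The header names below
follow the console's default columns; the file layout is assumed.
"""
import csv
import io

# Leading characters that common spreadsheet programs treat as the start of a formula
# (=, +, -, @) or that can break a cell into a formula context (tab, carriage return).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export. The HYPERLINK cell is the attacker-supplied resource name;
# the IAM user name starting with "-" is legitimate but is escaped too (a false positive
# you accept, since the original text is preserved after the quote).
SAMPLE_CSV = (
    "Event name,Event time,User name,Event source,Resource type,Resource name\n"
    "RunInstances,2024-05-01T10:15:00Z,deploy-role,ec2.amazonaws.com,AWS::EC2::Instance,i-12345678910\n"
    "CreateAutoScalingGroup,2024-05-01T11:00:00Z,alice,autoscaling.amazonaws.com,"
    'AWS::AutoScaling::AutoScalingGroup,"=HYPERLINK(""http://attacker.example/"",""open"")"\n'
    "CreateUser,2024-05-02T08:00:00Z,bob,iam.amazonaws.com,AWS::IAM::User,-svc-account\n"
)


def is_formula_like(cell):
    """True if a spreadsheet could interpret the cell as a formula rather than text."""
    return cell.startswith(FORMULA_PREFIXES)


def neutralize_cell(cell):
    """Prefix formula-like cells with a single quote so spreadsheets read them as text.

    The original value is kept after the quote, so the record stays auditable.
    """
    return "'" + cell if is_formula_like(cell) else cell


def sanitize_csv(text):
    """Return (sanitized CSV text, findings); each finding is (row, column name, original cell)."""
    reader = csv.reader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    findings = []
    header = None
    for row_no, row in enumerate(reader):
        if header is None:
            header = row          # first row is the column header; written through unchanged
            writer.writerow(row)
            continue
        clean = []
        for col_no, cell in enumerate(row):
            if is_formula_like(cell):
                name = header[col_no] if col_no < len(header) else "column %d" % col_no
                findings.append((row_no, name, cell))
            clean.append(neutralize_cell(cell))
        writer.writerow(clean)
    return out.getvalue(), findings


if __name__ == "__main__":
    sanitized, found = sanitize_csv(SAMPLE_CSV)
    for row_no, column, original in found:
        print("row %d, %s: %r" % (row_no, column, original))
    print(sanitized)
```

Run the sanitizer on the downloaded file and open the sanitized copy instead; review the findings list, since a formula-shaped resource or user name in your account is itself worth investigating. The JSON download does not have this problem because JSON viewers do not evaluate cell contents, so prefer JSON when the file will be processed by scripts rather than people.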

Viewing resources referenced with Amazon Config

Amazon Config records configuration details, relationships, and changes to your Amazon resources.

On the Resources referenced pane, choose the Amazon Config timeline icon in the Amazon Config resource timeline column to view the resource in the Amazon Config console.

If the Amazon Config timeline icon is gray, Amazon Config isn't turned on, or it's not recording the resource type. Choose the icon to go to the Amazon Config console to turn on the service or start recording that resource type. For more information, see Set Up Amazon Config Using the Console in the Amazon Config Developer Guide.

If Link not available appears in the column, the resource can't be viewed for one of the following reasons:

  • Amazon Config doesn't support the resource type. For more information, see Supported Resources, Configuration Items, and Relationships in the Amazon Config Developer Guide.

  • Amazon Config recently added support for the resource type, but it's not yet available from the CloudTrail console. You can look up the resource in the Amazon Config console to see the timeline for the resource.

  • The resource is owned by another Amazon Web Services account.

  • The resource is owned by another Amazon Web Service, such as a managed IAM policy.

  • The resource was created and then deleted immediately.

  • The resource was recently created or updated.

To grant users read-only permission to view resources in the Amazon Config console, see Granting permission to view Amazon Config information on the CloudTrail console.

For more information about Amazon Config, see the Amazon Config Developer Guide.