Working with CloudTrail Event history - Amazon CloudTrail

Working with CloudTrail Event history

CloudTrail is enabled by default for your Amazon account and you automatically have access to the CloudTrail Event history. The Event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of management events in an Amazon Web Services Region. These events capture activity made through the Amazon Web Services Management Console, Amazon Command Line Interface, and Amazon SDKs and APIs. The Event history records events in the Amazon Web Services Region where the event happened. There are no CloudTrail charges for viewing the Event history.

You can look up events related to the creation, modification, or deletion of resources (such as IAM users or Amazon EC2 instances) in your Amazon Web Services account on a by-Region basis in the CloudTrail console by viewing the Event history page. You can also look up these events by running the aws cloudtrail lookup-events command or by using the LookupEvents API.

You can use the Event history page in the CloudTrail console to view, search, download, archive, analyze, and respond to account activity across your Amazon infrastructure. You can customize the view of the Event history in the console by selecting how many events to display on each page and which columns to display or hide. You can also compare the details of events in Event history side-by-side. You can programmatically look up events by using the Amazon SDKs or Amazon Command Line Interface.

Note

Over time, Amazon Web Services might add additional events. CloudTrail records these events in Event history, but a full 90-day record of activity that includes added events won't be available until 90 days after it adds the events.

The Event history is separate from any trails that you create for your account. Settings you apply to your trails do not affect the Event history.

The sections that follow describe how to look up recent management events by using the CloudTrail console and the Amazon CLI, and how to download a file of events. For information about using the LookupEvents API to retrieve information from CloudTrail events, see LookupEvents in the Amazon CloudTrail API Reference.

Limitations of Event history

The following limitations apply to the Event history.

  • The Event history page on the CloudTrail console only shows management events. It does not show data events or Insights events.

  • The Event history is limited to the past 90 days of events. For an ongoing record of events in your Amazon Web Services account, create a trail.

  • When you download events from the Event history page on the CloudTrail console, you can download up to 200,000 events in a single file. If you reach the 200,000 event limit, the CloudTrail console will provide the option to download additional files.

  • The Event history doesn't provide organization level event aggregation. To record events across your organization, create a trail.

  • An Event history search is limited to a single Amazon Web Services account, only returns events from a single Amazon Web Services Region, and cannot query multiple attributes. You can only apply one attribute filter and a time range filter.

  • You cannot exclude Amazon KMS events from Event history; settings that you apply to a trail do not apply to Event history. For more information, see Working with CloudTrail Event history.
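
The single-Region and single-attribute limits above can be worked around on the client side during an investigation. The following Python sketch is an added example, not code from the CloudTrail documentation: it sends the one permitted attribute filter to LookupEvents in each Region and applies further filters locally. The names lookup_multi, FakeCloudTrail and SAMPLE, and the sample records, are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

def lookup_multi(client_for_region, regions, server_filter, local_filters, days=90):
    """server_filter: the one (AttributeKey, AttributeValue) pair LookupEvents accepts.
    local_filters: top-level CloudTrail record fields matched client-side."""
    end = datetime.now(timezone.utc)
    start = end - timedelta(days=min(days, 90))  # Event history keeps 90 days
    key, value = server_filter
    hits = []
    for region in regions:  # each search covers a single Region
        paginator = client_for_region(region).get_paginator("lookup_events")
        for page in paginator.paginate(StartTime=start, EndTime=end, LookupAttributes=[
                {"AttributeKey": key, "AttributeValue": value}]):
            for event in page["Events"]:
                record = json.loads(event["CloudTrailEvent"])  # full record, JSON text
                if all(record.get(f) == v for f, v in local_filters.items()):
                    hits.append((region, record["eventID"], record["eventName"]))
    return hits

def boto3_client_for_region(region):
    import boto3  # lazy import: needed only against a real account
    return boto3.client("cloudtrail", region_name=region)

# Constructed stand-in for the SDK client so the example runs offline.
class FakeCloudTrail:
    def __init__(self, records):
        self.records = records
    def get_paginator(self, name):
        return self
    def paginate(self, LookupAttributes, StartTime, EndTime):
        assert len(LookupAttributes) == 1  # mirrors the one-attribute limit
        user = LookupAttributes[0]["AttributeValue"]  # this fake handles Username only
        yield {"Events": [{"CloudTrailEvent": json.dumps(r)} for r in self.records
                          if r["userIdentity"]["userName"] == user]}

def _rec(event_id, name, user):
    return {"eventID": event_id, "eventName": name, "userIdentity": {"userName": user}}

SAMPLE = {  # constructed records, not real account data
    "cn-north-1": [_rec("ex-1", "TerminateInstances", "alice"),
                   _rec("ex-2", "RunInstances", "alice"),
                   _rec("ex-3", "TerminateInstances", "bob")],
    "cn-northwest-1": [_rec("ex-4", "TerminateInstances", "alice")],
}

def demo():
    return lookup_multi(lambda r: FakeCloudTrail(SAMPLE[r]), SAMPLE,
                        ("Username", "alice"), {"eventName": "TerminateInstances"})
```

Against a real account, pass boto3_client_for_region as the first argument in place of the fake client factory.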