Viewing events with CloudTrail Event history - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Viewing events with CloudTrail Event history

You can troubleshoot operational and security incidents over the past 90 days in the CloudTrail console by viewing Event history. The Event history provides a read-only view of the last 90 days of recorded API activity (management events) in an Amazon Web Services Region.

You can look up events related to creation, modification, or deletion of resources (such as IAM users or Amazon EC2 instances) in your Amazon account on a per-region basis. Events can be viewed and downloaded by using the Amazon CloudTrail console. You can customize the view of event history in the console by selecting which columns are displayed and which are hidden. You can programmatically look up events by using the Amazon SDKs or Amazon Command Line Interface. You can also compare the details of events in Event history side-by-side.


Over time, Amazon services might add additional events. CloudTrail will record these events in Event history, but a full 90-day record of activity that includes added events will not be available until 90 days after the events are added.

This section describes how to look up events by using the CloudTrail console and the Amazon CLI. It also describes how to download a file of events. For information on using the LookupEvents API to retrieve information from CloudTrail events, see the Amazon CloudTrail API Reference.

For information on creating a trail so that you have a record of events that extends past 90 days, see Creating a trail and Getting and viewing your CloudTrail log files.