Amazon service events delivered via Amazon CloudTrail
Amazon CloudTrail is a service that automatically records events such as Amazon API calls. You can create EventBridge rules that use the information from CloudTrail. For more information about CloudTrail, see What is Amazon CloudTrail?.
CloudTrail sends the following types of events to the default EventBridge event bus. In each case, the detail-type value of the event is the listed event type:
AWS API Call via CloudTrailEvents that represent a request to a public Amazon service API.
For more information, see Understanding CloudTrail events in the Amazon CloudTrail User Guide.
AWS Console Signin via CloudTrailAttempts to sign in to the Amazon Management Console, the Amazon Discussion Forums, and the Amazon Support Center.
For more information, see Amazon Management Console sign-in events in the Amazon CloudTrail User Guide.
AWS Console Action via CloudTrailActions that were taken in the console that were not an API calls.
For more information, see Amazon Management Console sign-in events in the Amazon CloudTrail User Guide.
AWS Service Event via CloudTrailEvents created by Amazon services but are not directly triggered by a request to a public Amazon service API.
For more information, see Amazon service events in the Amazon CloudTrail User Guide.
AWS Insight via CloudTrailInsights events are triggered by CloudTrail when customer enables the CloudTrail Insight feature.
For more information, see CloudTrail Insights in the Amazon CloudTrail User Guide.
AWS Network Activity Event via CloudTrailNetwork activity events capture API calls made through VPC endpoints from private VPCs. These events require a trail configured with network activity event selectors for the relevant event source.
For more information, see Logging network activity events in the Amazon CloudTrail User Guide.
To record events with one of the CloudTrail detail-type values, you must enable a CloudTrail trail with logging. For more information, see
Working with CloudTrail trails
in the Amazon CloudTrail User Guide.
Note
All CloudTrail events are delivered to the default event bus only. To process CloudTrail events on a custom event bus, create a rule on the default bus that forwards matching events to your custom bus.
The rule state controls which event categories are matched:
Write (mutating) management events — Matched by rules in the default
ENABLEDstate. No special configuration needed beyond an active trail.Read-only management events — Matched only by rules with state set to
ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS. For more information, see Receiving read-only management events from Amazon services.Data events — Matched by rules in the default
ENABLEDstate. The trail must be configured to capture the specific data event types. For more information, see Logging data events in the Amazon CloudTrail User Guide.Network activity events — Matched by rules in the default
ENABLEDstate. The trail must be configured with network activity event selectors for the relevant event source, and the API call must be made through a VPC endpoint.
Some occurrences in Amazon services can be reported to EventBridge both by the service itself and by CloudTrail. For example, an Amazon EC2 API call that starts an instance generates multiple events:
EC2 Instance State-change Notificationevents sent directly from Amazon EC2 to EventBridge, as the instance enters thependingand thenrunningstates. For example:{ . . . "detail-type":"EC2 Instance State-change Notification", "source":"aws.ec2", . . . "detail":{ "instance-id":"i-abcd1111", "state":"pending" } }An
AWS API Call via CloudTrailevent sent from CloudTrail to EventBridge that represents the API call itself. For example:{ . . . "detail-type":"AWS API Call via CloudTrail", "source":"aws.ec2", . . . ], "detail": { "eventSource": "ec2.amazonaws.com", "eventName": "StartInstances" } }
Note
For more information about the services that CloudTrail supports, see CloudTrail supported services and integrations in the CloudTrail User Guide.