Viewing audit logs in Amazon CloudTrail - Amazon Managed Workflows for Apache Airflow
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Viewing audit logs in Amazon CloudTrail

Amazon CloudTrail is enabled on your Amazon account when you create it. CloudTrail logs the activity taken by an IAM entity or an Amazon service, such as Amazon Managed Workflows for Apache Airflow, which is recorded as a CloudTrail event. You can view, search, and download the past 90 days of event history in the CloudTrail console. CloudTrail captures all events on the Amazon MWAA console and all calls to Amazon MWAA APIs. It doesn't capture read-only actions, such as GetEnvironment, or the PublishMetrics action. This page describes how to use CloudTrail to monitor events for Amazon MWAA.

Creating a trail in CloudTrail

You need to create a trail to view an ongoing record of events in your Amazon account, including events for Amazon MWAA. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. If you do not create a trail, you can still view available event history in the CloudTrail console. For example, using the information collected by CloudTrail, you can determine the request that was made to Amazon MWAA, the IP address from which the request was made, who made the request, when it was made, and additional details. To learn more, see the Creating a trail for your Amazon account.

Viewing events with CloudTrail Event History

You can troubleshoot operational and security incidents over the past 90 days in the CloudTrail console by viewing event history. For example, you can view events related to the creation, modification, or deletion of resources (such as IAM users or other Amazon resources) in your Amazon account on a per-region basis. To learn more, see the Viewing Events with CloudTrail Event History.

  1. Open the CloudTrail console.

  2. Choose Event history.

  3. Select the events you want to view, and then choose Compare event details.

Example trail for CreateEnvironment

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify.

CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, such as the date and time of the action, or request parameters. CloudTrail log files are not an ordered stack trace of the public API calls, and don't appear in any specific order. The following example is a log entry for the CreateEnvironment action that is denied due to lacking permissions. The values in AirflowConfigurationOptions have been redacted for privacy.

{ "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "00123456ABC7DEF8HIJK", "arn": "arn:aws:sts::012345678901:assumed-role/root/myuser", "accountId": "012345678901", "accessKeyId": "", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "00123456ABC7DEF8HIJK", "arn": "arn:aws:iam::012345678901:role/user", "accountId": "012345678901", "userName": "user" }, "webIdFederationData": {}, "attributes": { "mfaAuthenticated": "false", "creationDate": "2020-10-07T15:51:52Z" } } }, "eventTime": "2020-10-07T15:52:58Z", "eventSource": "", "eventName": "CreateEnvironment", "awsRegion": "us-west-2", "sourceIPAddress": "", "userAgent": "PostmanRuntime/7.26.5", "errorCode": "AccessDenied", "requestParameters": { "SourceBucketArn": "arn:aws:s3:::my-bucket", "ExecutionRoleArn": "arn:aws:iam::012345678901:role/AirflowTaskRole", "AirflowConfigurationOptions": "***", "DagS3Path": "", "NetworkConfiguration": { "SecurityGroupIds": [ "sg-01234567890123456" ], "SubnetIds": [ "subnet-01234567890123456", "subnet-65432112345665431" ] }, "Name": "test-cloudtrail" }, "responseElements": { "message": "Access denied." }, "requestID": "RequestID", "eventID": "EventID", "readOnly": false, "eventType": "AwsApiCall", "recipientAccountId": "012345678901" }

What's next?