Logging Feature Store operations by using Amazon CloudTrail

Amazon SageMaker Feature Store is integrated with Amazon CloudTrail, a service that provides a record of actions taken by a user, role, or an Amazon service in Feature Store. CloudTrail captures all of the API calls for Feature Store listed on this page. The logged events include API calls from Feature Store resource management and data operations. When you create a trail, you activate continuous delivery of CloudTrail events from Feature Store to an Amazon S3 bucket. Using the information collected by CloudTrail, you can determine the request that was made to Feature Store, the IP address from which the request was made, who made the request, when it was made, and additional details.

To learn more about CloudTrail, see the Amazon CloudTrail User Guide.

Management events

Management events capture operations performed on Feature Store resources in your Amazon account. For example, the log generated from the management events provides visibility if a user creates or deletes a Feature Store. The following APIs log management events with Amazon SageMaker Feature Store.

CreateFeatureGroup
DeleteFeatureGroup
DescribeFeatureGroup
UpdateFeatureGroup

Amazon SageMaker API calls and management events are logged by default when you create the account, as described in Logging Amazon SageMaker AI API calls using Amazon CloudTrail. For more information, see Logging management events for trails.

Data events

Data events capture data plane operations performed using the Feature Store resources in your Amazon account. For example, the log generated from the data events provides visibility if a user adds or deletes a record within a feature group. The following APIs log data events with Amazon SageMaker Feature Store.

BatchGetRecord
DeleteRecord
GetRecord
PutRecord

Data events are not logged by CloudTrail trails by default. To activate logging of data events, turn on logging of data plane API activity in CloudTrail. For more information, see CloudTrail's Logging data events for trails.

The following is an example CloudTrail event for a PutRecord API call:


{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "USERPRINCIPALID",
        "arn": "arn:aws:iam::123456789012:user/user",
        "accountId": "123456789012",
        "accessKeyId": "USERACCESSKEYID",
        "userName": "your-user-name"
    },
    "eventTime": "2023-01-01T01:00:00Z",
    "eventSource": "sagemaker.amazonaws.com",
    "eventName": "PutRecord",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "your-user-agent",
    "requestParameters": {
        "featureGroupName": "your-feature-group-name"
    },
    "responseElements": null,
    "requestID": "request-id",
    "eventID": "event-id",
    "readOnly": false,
    "resources": [
        {
            "accountId": "123456789012",
            "type": "AWS::SageMaker::FeatureGroup",
            "ARN": "arn:aws:sagemaker:us-east-1:123456789012:feature-group/your-feature-group-name"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": false,
    "recipientAccountId": "123456789012",
    "eventCategory": "Data",
    "tlsDetails": {
        ...
    }
}

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Security and access control

Quotas, naming rules and data types