Logging Amazon Shield network security director API calls with Amazon CloudTrail
Amazon Shield network security director integrates with Amazon CloudTrail to record all API calls as events. This integration captures calls made from the network security director console, programmatic calls to network security director APIs, and calls made from other Amazon services.
With CloudTrail, you can view recent events in the Event history or create a trail to deliver ongoing logs to an Amazon Simple Storage Service bucket. These logs provide details about each request, including the identity of the caller, the time, the request parameters, and the response.
To learn more about CloudTrail, see the Amazon CloudTrail User Guide.
network security director information in CloudTrail
CloudTrail is automatically enabled on your Amazon account. When activity occurs in network security director, it's recorded as an event in CloudTrail. For an ongoing record of events, create a trail that delivers log files to an Amazon S3 bucket.
For more information about creating and managing trails, see:
network security director API operations logged by CloudTrail
All network security director API operations are logged by CloudTrail and documented in the API Reference. The following operations are included:
- ListResources: Lists resources available in the service
- GetResource: Retrieves detailed information about a specific resource
- ListFindings: Lists security findings
- GetFinding: Retrieves detailed information about a specific finding
- UpdateFinding: Updates the status or other attributes of a finding
- ListRemediations: Lists remediation recommendations for a finding
- ListInsights: Lists insights based on findings and resources
- ListAccountSummaries: Lists account summaries for an organization
Understanding network security director log file entries
CloudTrail log entries contain information about who made the request, when it was made, and what parameters were used. Here's an example of a ListAccountSummaries action:
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::111122223333:user/janedoe",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDACKCEVSQ6C2EXAMPLE",
                "arn": "arn:aws:iam::111122223333:user/janedoe",
                "accountId": "111122223333",
                "userName": "janedoe"
            },
            "attributes": {
                "creationDate": "2025-11-11T02:57:20Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2025-11-11T02:59:53Z",
    "eventSource": "network-security-director.amazonaws.com",
    "eventName": "ListAccountSummaries",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/1.18.147 Python/2.7.18 Linux/5.10.244-220.970.amzn2int.x86_64 botocore/1.18.6",
    "requestParameters": {
        "status": "ACTIVE",
        "sortBy": "SEVERITY",
        "maxResults": 2
    },
    "responseElements": null,
    "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
Monitoring CloudTrail logs with Amazon CloudWatch
You can use Amazon CloudWatch to monitor and alert on specific API activity in CloudTrail logs. This helps you detect unauthorized access attempts, configuration changes, or unusual activity patterns.
To set up CloudWatch monitoring:
- Configure your CloudTrail trail to send logs to CloudWatch Logs
- Create metric filters to extract specific information from log events
- Create alarms based on these metrics
For detailed instructions, see Monitoring CloudTrail Log Files with Amazon CloudWatch Logs.
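The following Python script is an added example, not part of the Amazon documentation, showing the kind of check a metric filter would encode: it reads CloudTrail records shaped like the ListAccountSummaries entry above and flags network security director calls that either mutate state (readOnly false, such as UpdateFinding) or come from a session without MFA. The sample records are constructed for the example; the field names and the eventSource value are the ones shown on this page.

```python
import json
from typing import Dict, List

# Constructed sample CloudTrail log (not from the page); records carry only
# the fields the checks below use, shaped like the entry documented above.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "network-security-director.amazonaws.com",
     "eventName": "ListAccountSummaries", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/janedoe",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "sourceIPAddress": "192.0.2.0", "eventTime": "2025-11-11T02:59:53Z"},
    {"eventSource": "network-security-director.amazonaws.com",
     "eventName": "UpdateFinding", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/janedoe",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "sourceIPAddress": "192.0.2.0", "eventTime": "2025-11-11T03:01:10Z"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/janedoe"},
     "sourceIPAddress": "192.0.2.0", "eventTime": "2025-11-11T03:02:00Z"},
]})

NSD_SOURCE = "network-security-director.amazonaws.com"


def mfa_authenticated(record: Dict) -> bool:
    """True only when the session context records a passed MFA check."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def review_records(log_text: str) -> List[Dict]:
    """Return an alert per network security director event that is a mutating
    call (readOnly false) or was made from a session without MFA."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != NSD_SOURCE:
            continue  # other services' events are out of scope here
        reasons = []
        if rec.get("readOnly") is False:
            reasons.append("mutating call")
        if not mfa_authenticated(rec):
            reasons.append("no MFA")
        if reasons:
            alerts.append({"eventName": rec["eventName"], "arn": rec["userIdentity"]["arn"],
                           "sourceIPAddress": rec.get("sourceIPAddress"),
                           "eventTime": rec.get("eventTime"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in review_records(SAMPLE_LOG):
        print(alert)
```

The same two conditions are what you would express in a CloudWatch Logs metric filter on the trail's log group; the script is for ad hoc review of log files exported from the S3 bucket.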
Best practices for CloudTrail with network security director
To maximize security and auditability with CloudTrail:
- Enable CloudTrail in all regions for comprehensive coverage
- Enable log file integrity validation to detect unauthorized modifications
- Use IAM to control access to CloudTrail logs following least privilege principles
- Set up alerts for critical events using CloudWatch alarms
- Regularly review CloudTrail logs to identify unusual activity