AWS CloudTrail FAQs
General
What is AWS CloudTrail?
CloudTrail enables auditing, security monitoring, and operational troubleshooting by tracking user activity and API usage. CloudTrail logs, continuously monitors, and retains account activity related to actions across your AWS infrastructure, giving you control over storage, analysis, and remediation actions.
What are the benefits of CloudTrail?
CloudTrail helps you prove compliance, improve security posture, and consolidate activity records across Regions and accounts. CloudTrail provides visibility into user activity by recording actions taken on your account. CloudTrail records important information about each action, including who made the request, the services used, the actions performed, parameters for the actions, and the response elements returned by the AWS service. This information helps you track changes made to your AWS resources and troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards. For more details, refer to the AWS compliance whitepaper Security at Scale: Logging in AWS.
Who should use CloudTrail?
Use CloudTrail if you need to audit activity, monitor security, or troubleshoot operational issues.
Getting started
If I am a new AWS customer or existing AWS customer and don’t have CloudTrail set up, do I need to enable or set up anything to view my account activity?
No, nothing is required to begin viewing your account activity. You can visit the AWS CloudTrail console or AWS CLI and begin viewing up to the past 90 days of account activity.
Does the CloudTrail Event History show all account activity within my account?
CloudTrail Event history shows only the last 90 days of events for the Region you are currently viewing, and supports a range of AWS services. These events are limited to management events: the API calls that create, modify, and delete resources, and other account activity. For a complete record of account activity, including all management events, data events, and read-only activity, you must configure a CloudTrail trail.
What search filters can I use to view my account activity?
You can specify Time range and one of the following attributes: event name, user name, resource name, event source, event ID, and resource type.
Can I use the lookup-events CLI command even if I don’t have a trail configured?
Yes, you can visit the CloudTrail console or use the CloudTrail API/CLI and begin viewing the past 90 days of account activity.
What additional CloudTrail features are available after creating a trail?
Set up a CloudTrail trail to deliver your CloudTrail events to Amazon Simple Storage Service (Amazon S3), Amazon CloudWatch Logs, and Amazon CloudWatch Events. This helps you use features to archive, analyze, and respond to changes in your AWS resources.
Can I restrict user access from viewing the CloudTrail Event History?
Yes, CloudTrail integrates with AWS Identity and Access Management (IAM), which helps you control access to CloudTrail and to other AWS resources that CloudTrail requires. This includes the ability to restrict permissions to view and search account activity. Remove the "cloudtrail:LookupEvents" permission from the user's IAM policy to prevent that IAM user from viewing account activity.
Is there any cost associated with CloudTrail Event History being enabled on my account upon creation?
There is no cost for viewing or searching account activity with CloudTrail Event History.
Can I turn off CloudTrail Event History for my account?
For any CloudTrail trails created, you can stop logging or delete the trails. This will also stop account activity delivery to the Amazon S3 bucket you designated as part of your trail configuration and delivery to CloudWatch Logs if configured. Account activity for the past 90 days will still be collected and visible within the CloudTrail console and through the AWS Command Line Interface (AWS CLI).
Services and Region support
What services are supported by CloudTrail?
CloudTrail records account activity and service events from most AWS services. For the list of supported services, see CloudTrail Supported Services in the CloudTrail User Guide.
Are API calls made from the AWS Management Console recorded?
Yes. CloudTrail records API calls made from any client. The AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services call AWS API operations, so these calls are recorded.
Where are my log files stored and processed before they are delivered to my S3 bucket?
Activity information for services with Regional endpoints (such as Amazon Elastic Compute Cloud [Amazon EC2] or Amazon Relational Database Service [Amazon RDS]) is captured and processed in the same Region as the action is made. It is then delivered to the Region associated with your S3 bucket. Activity information for services with single endpoints such as IAM and AWS Security Token Service (AWS STS) is captured in the Region where the endpoint is located. It is then processed in the Region where the CloudTrail trail is configured and delivered to the Region associated with your S3 bucket.
Applying a trail to all Regions
What does it mean to apply a trail to all AWS Regions?
Applying a trail to all AWS Regions refers to creating a trail that will record AWS account activity across all Regions in which your data is stored. This setting also applies to any new Regions added. For more details on Regions and partitions, refer to the Amazon Resource Names and AWS Service Namespaces page.
What are the benefits of applying a trail to all Regions?
You can create and manage a trail across all Regions in the partition in one API call or a few selections. You will receive a record of account activity made in your AWS account across all Regions to one S3 bucket or CloudWatch Logs group. When AWS launches a new Region, you will receive the log files containing event history for the new Region without taking any action.
How do I apply a trail to all Regions?
In the CloudTrail console, you select Yes for applying the trail to all Regions on the trail configuration page. If you are using the SDKs or AWS CLI, you set the IsMultiRegionTrail parameter to true.
What happens when I apply a trail to all Regions?
Once you apply a trail in all Regions, CloudTrail will create a new trail by replicating the trail configuration. CloudTrail will record and process the log files in each Region and deliver log files containing account activity across all Regions to a single S3 bucket and a single CloudWatch Logs log group. If you specified an optional Amazon Simple Notification Service (Amazon SNS) topic, CloudTrail will deliver Amazon SNS notifications for all log files delivered to a single SNS topic.
Can I apply an existing trail to all Regions?
Yes. You can apply an existing trail to all Regions. When you apply an existing trail to all Regions, CloudTrail will create a new trail for you in all Regions. If you previously created trails in other Regions, you can view, edit, and delete those trails from the CloudTrail console.
How long will it take for CloudTrail to replicate the trail configuration to all Regions?
Typically, it will take less than 30 seconds to replicate the trail configuration to all Regions.
Multiple trails
How many trails can I create in a Region?
You can create up to five trails in a Region. A trail that applies to all Regions exists in each Region and is counted as one trail in each Region.
What is the benefit of creating multiple trails in a Region?
With multiple trails, different stakeholders such as security administrators, software developers, and IT auditors can create and manage their own trails. For example, a security administrator can create a trail that applies to all Regions and configure encryption using one Amazon Key Management Service (Amazon KMS) key. A developer can create a trail that applies to one Region for troubleshooting operational issues.
Does CloudTrail support resource-level permissions?
Yes. Using resource-level permissions, you can write granular access control policies to allow or deny access to specific users for a particular trail. For more details, go to the CloudTrail documentation.
Security and expiration
How can I secure my CloudTrail log files?
By default, CloudTrail log files are encrypted using S3 server-side encryption (SSE) and placed into your S3 bucket. You can control access to log files by applying IAM or S3 bucket policies. You can add an additional layer of security by enabling S3 multi-factor authentication (MFA) Delete on your S3 bucket. For more details on creating and updating a trail, see the CloudTrail documentation.
Where can I download a sample S3 bucket policy and an SNS topic policy?
You can download a sample S3 bucket policy and an SNS topic policy from the CloudTrail S3 bucket. You must update the sample policies with your information before you apply them to your S3 bucket or SNS topic.
How long can I store my activity log files?
You control the retention policies for your CloudTrail log files. By default, log files are stored indefinitely. You can use S3 Object lifecycle management rules to define your own retention policy. For example, you might want to delete old log files or archive them to Amazon Simple Storage Service Glacier (Amazon S3 Glacier).
Event message, timeliness, and delivery frequency
What information is available in an event?
An event contains information about the associated activity: who made the request, the services used, the actions performed, the parameters for the action, and the response elements returned by the AWS service. For more details, see the CloudTrail Event Reference section of the user guide.
How long does it take CloudTrail to deliver an event for an API call?
Typically, CloudTrail delivers an event within 5 minutes of the API call. For more information on how CloudTrail works, see the CloudTrail User Guide.
How often will CloudTrail deliver log files to my S3 bucket?
CloudTrail delivers log files to your S3 bucket approximately every five minutes. CloudTrail does not deliver log files if no API calls are made on your account.
Can I be notified when new log files are delivered to my S3 bucket?
Yes. You can turn on Amazon SNS notifications to take immediate action on delivery of new log files.
I believe one of my log files has multiple duplicate events. How do I know which events are unique?
Although uncommon, you may receive log files that contain one or more duplicate events. Duplicate events will have the same eventID. For more information about the eventID field, see CloudTrail record contents.
What happens if CloudTrail is turned on for my account but my S3 bucket is not configured with the correct policy?
CloudTrail log files are delivered in accordance with the S3 bucket policies that you have in place. If the bucket policies are misconfigured, CloudTrail will not be able to deliver log files.
Is it possible to receive duplicate events?
CloudTrail is designed to support at least one delivery of subscribed events to customer S3 buckets. In some situations, it is possible that CloudTrail could deliver the same event more than once. As a result, customers may notice duplicated events.
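The two points above, that every event carries who/service/action/parameters/response fields and that at-least-once delivery can produce duplicates sharing one eventID, as an added example that is not code from this FAQ or from AWS. It builds a constructed log file in the delivered layout (gzipped JSON with a top-level "Records" list), deduplicates by eventID, and summarises each unique event; the record values, account ID and eventIDs are constructed.

```python
"""Read a delivered CloudTrail log file, drop duplicate events, and extract the
who / service / action / parameters / response fields each event carries.

Added example; not code from the CloudTrail FAQ or an AWS library. The sample
records are constructed to mimic the delivered layout: a gzipped JSON object
with a top-level "Records" list. Two records share one eventID on purpose,
since at-least-once delivery can produce duplicates that carry the same eventID.
"""
import gzip
import json
from typing import Dict, Iterable, List, Tuple


def _record(event_id: str, name: str, source: str, read_only: bool,
            params: dict, response) -> dict:
    """Build one constructed CloudTrail record with the fields this example uses."""
    return {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "AIDAEXAMPLEPRINCIPAL",          # constructed
            "arn": "arn:aws:iam::111122223333:user/alice",  # constructed
            "accountId": "111122223333",
            "userName": "alice",
        },
        "eventTime": "2024-05-01T12:00:01Z",
        "eventSource": source,
        "eventName": name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": params,
        "responseElements": response,
        "eventID": event_id,
        "readOnly": read_only,
        "managementEvent": True,
    }


# Constructed sample delivery: one duplicate pair plus one distinct read-only event.
SAMPLE_RECORDS = [
    _record("3f4c9b4a-0000-4000-8000-000000000001", "PutBucketPolicy",
            "s3.amazonaws.com", False, {"bucketName": "example-logs"}, None),
    _record("3f4c9b4a-0000-4000-8000-000000000001", "PutBucketPolicy",
            "s3.amazonaws.com", False, {"bucketName": "example-logs"}, None),
    _record("3f4c9b4a-0000-4000-8000-000000000002", "LookupEvents",
            "cloudtrail.amazonaws.com", True, {"maxResults": 50}, None),
]


def build_sample_log_file() -> bytes:
    """Serialise the sample records the way CloudTrail delivers them: gzipped JSON."""
    return gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode("utf-8"))


def load_log_file(data: bytes) -> List[dict]:
    """Decompress a .json.gz log file object and return its Records list."""
    payload = json.loads(gzip.decompress(data).decode("utf-8"))
    return payload.get("Records", [])


def dedupe_events(records: Iterable[dict]) -> Tuple[List[dict], int]:
    """Keep the first record seen per eventID. Returns (unique_records, dropped)."""
    seen = set()
    unique: List[dict] = []
    dropped = 0
    for rec in records:
        event_id = rec.get("eventID")
        if event_id is None:
            unique.append(rec)  # no ID to compare on; keep rather than silently drop
            continue
        if event_id in seen:
            dropped += 1
            continue
        seen.add(event_id)
        unique.append(rec)
    return unique, dropped


def summarize(rec: dict) -> Dict[str, object]:
    """Pull out the fields the FAQ lists for an event: who made the request, the
    service, the action, its parameters, and the response elements returned."""
    identity = rec.get("userIdentity", {})
    who = identity.get("arn") or identity.get("principalId") or identity.get("type")
    return {
        "who": who,
        "service": rec.get("eventSource"),
        "action": rec.get("eventName"),
        "parameters": rec.get("requestParameters"),
        "response": rec.get("responseElements"),
        "read_only": rec.get("readOnly", False),
        "time": rec.get("eventTime"),
    }


def process_log_file(data: bytes) -> Tuple[List[Dict[str, object]], int]:
    """Full pipeline: decompress, dedupe by eventID, summarise each unique event."""
    unique, dropped = dedupe_events(load_log_file(data))
    return [summarize(r) for r in unique], dropped


if __name__ == "__main__":
    summaries, dropped_count = process_log_file(build_sample_log_file())
    print(f"{len(summaries)} unique events, {dropped_count} duplicate(s) dropped")
    for s in summaries:
        print(s)
```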
Data events
What are data events?
Data events provide insights into the resource (data plane) operations performed on or within the resource itself. Data events are often high-volume activities and include operations such as S3 object level API operations and AWS Lambda function invoke API. Data events are deactivated by default when you configure a trail. To record CloudTrail data events, you must explicitly add the supported resources or resource types you want to collect activity on. Unlike management events, data events incur additional costs. For more information, see CloudTrail pricing .
How can I consume data events?
Data events that are recorded by CloudTrail are delivered to S3, similar to management events. Once enabled, these events are also available in Amazon CloudWatch Events.
What are S3 data events? How do I record them?
S3 data events represent API activity on S3 objects. To get CloudTrail to record these actions, you specify an S3 bucket in the data events section when creating a new trail or modifying an existing one. Any API actions on the objects within the specified S3 bucket are recorded by CloudTrail.
What are Lambda data events? How do I record them?
Lambda data events record runtime activity of your Lambda functions. With Lambda data events, you can get details on Lambda function runtime activity, such as which IAM user or service made the Invoke API call, when the call was made, and which function was invoked. All Lambda data events are delivered to an S3 bucket and CloudWatch Events. You can turn on logging for Lambda data events using the CLI or CloudTrail console and select which Lambda functions get logged by creating a new trail or editing an existing trail.
Network activity events
What are network activity events?
Network activity events record AWS API actions made through VPC endpoints from a private VPC to the AWS service, and support network security investigations. This includes AWS API calls that successfully passed the VPC endpoint policy and those that were denied access. For example, as the VPC endpoint owner, you can view logs of actions that were denied due to VPC endpoint policies, or determine whether an actor outside of your data perimeter is trying to access the data in your S3 buckets. Unlike management and data events, which are delivered to both the API caller and the owner of the resource, network activity events are delivered only to the owner of the VPC endpoint.
To record network activity events, you must explicitly enable them when configuring your trail or event data store and choose event source(s) of the AWS service(s) you want to collect activity on. You may also add additional filters such as filtering by VPC endpoint ID or logging only the Access Denied errors. Network activity events incur additional charges. For more information, see CloudTrail pricing.
How are network activity events for VPC endpoints different from VPC Flow Logs?
VPC Flow Logs enable you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to the following locations: Amazon CloudWatch Logs, Amazon S3, or Amazon Data Firehose. Network activity events for VPC endpoints capture the AWS API actions made through VPC endpoints from a private VPC to the AWS service. This gives you details of who is accessing resources within your network, giving you a greater ability to identify and respond to unintended actions in your data perimeter. You can view logs of actions that were denied due to VPC endpoint policies, or use these events to validate the impact of updating existing policies.
Delegated administrator
Can I add a delegated administrator to my organization?
Yes, CloudTrail now supports adding up to three delegated administrators per organization.
Who is the owner of an organization trail or event data store at the organizational level created by a delegated admin?
The management account will remain the owner of any organization trails or event data stores created at the organization level, regardless of whether they were created by a delegated administrator account or by the management account.
In which Regions is delegated administrator support available?
Currently, delegated administrator support for CloudTrail is available in all Regions where AWS CloudTrail is available. For more information, see the AWS Regions table.
CloudTrail Insights
What are CloudTrail Insights events?
CloudTrail Insights events help you identify unusual activity in your AWS accounts such as spikes in resource provisioning, bursts of AWS Identity and Access Management (IAM) actions, or gaps in periodic maintenance activity. CloudTrail Insights uses machine learning (ML) models that continually monitor CloudTrail write management events for abnormal activity.
When abnormal activity is detected, CloudTrail Insights events are shown in the console, and delivered to CloudWatch Events, your S3 bucket, and optionally to the CloudWatch Logs group. This makes it easier to create alerts and integrate with existing event management and workflow systems.
What type of activity does CloudTrail Insights help identify?
CloudTrail Insights detects unusual activity by analyzing CloudTrail write management events within an AWS account and a Region. An unusual or abnormal event is defined as the volume of AWS API calls that deviates from what is expected from a previously established operating pattern or baseline. CloudTrail Insights adapts to changes in your normal operating patterns by considering time-based trends in your API calls and applying adaptive baselines as workloads change.
CloudTrail Insights can help you detect misbehaving scripts or applications. Sometimes a developer changes a script or application that begins a repeating loop or makes a large number of calls to unintended resources such as databases, data stores, or other functions. Often this behavior isn't noticed until the month-end billing cycle when costs have increased unexpectedly or an actual outage or disruption occurs. CloudTrail Insights events can make you aware of these changes in your AWS account so that you can take corrective action quickly.
How does CloudTrail Insights work with other AWS services that use anomaly detection?
CloudTrail Insights identifies unusual operational activity in your AWS accounts that helps you address operational issues, minimizing operational and business impact. Amazon GuardDuty focuses on improving security in your account, providing threat detection by monitoring account activity. Amazon Macie is designed to improve data protection in your account by discovering, classifying, and protecting sensitive data. These services provide complementary protections against different types of problems that could arise in your account.
Do I need to have CloudTrail set up in order for CloudTrail Insights to work?
Yes. CloudTrail Insights events are configured on individual trails, so you must have at least one trail set up. When you turn on CloudTrail Insights events for a trail, CloudTrail starts monitoring the write management events captured by that trail for unusual patterns. If CloudTrail Insights detects unusual activity, a CloudTrail Insights event is logged to the delivery destination specified in the trail definition.
What kinds of events does CloudTrail Insights monitor?
CloudTrail Insights tracks unusual activity for write management API operations.
How do I get started?
You can enable CloudTrail Insights events on individual trails in your account by using the console, the CLI, or the SDK. You can also enable CloudTrail Insights events across your organization by using an Organizational trail configured in your AWS Organizations management account. You can turn on CloudTrail Insights events by choosing the radio button in your trail definition.
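The section above describes Insights as flagging call volume that deviates from an established baseline, for spikes and for gaps. The added example below is not the Insights ML model and not AWS code: as a stand-in it uses a mean plus or minus k standard deviations threshold over per-minute counts of write management events (management events with readOnly false), which is enough to show why reads are excluded and why silent minutes have to be filled in as zeros. The event stream and its timestamps are constructed.

```python
"""Flag minutes whose write-management call volume deviates from a baseline.

Added example illustrating the idea the FAQ describes for CloudTrail Insights
(call volume that deviates from an established baseline). It is NOT the Insights
ML model: as a stand-in it uses a mean +/- k standard deviations threshold over
per-minute counts of write management events, flagging both spikes and gaps.
Event records are constructed and carry only the fields this example reads.
"""
from collections import Counter
from datetime import datetime, timedelta
import statistics
from typing import Dict, Iterable, List, Tuple

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # eventTime format used in CloudTrail records
MINUTE_FMT = "%Y-%m-%dT%H:%M"
BASE = datetime(2024, 5, 1, 12, 0, 0)  # constructed start of the sample stream


def is_write_management_event(rec: dict) -> bool:
    """Insights looks only at write management events; read-only calls are excluded."""
    return bool(rec.get("managementEvent")) and not rec.get("readOnly", False)


def per_minute_counts(records: Iterable[dict]) -> Dict[str, int]:
    """Count write management events per minute, keyed by 'YYYY-MM-DDTHH:MM'."""
    counts: Counter = Counter()
    for rec in records:
        if not is_write_management_event(rec):
            continue
        ts = datetime.strptime(rec["eventTime"], TIME_FMT)
        counts[ts.strftime(MINUTE_FMT)] += 1
    return dict(counts)


def minute_series(counts: Dict[str, int]) -> List[Tuple[str, int]]:
    """Expand counts into a contiguous series so silent minutes appear as zeros;
    without this, a gap in activity would simply be missing and never flagged."""
    if not counts:
        return []
    keys = sorted(counts)
    cur = datetime.strptime(keys[0], MINUTE_FMT)
    end = datetime.strptime(keys[-1], MINUTE_FMT)
    series = []
    while cur <= end:
        key = cur.strftime(MINUTE_FMT)
        series.append((key, counts.get(key, 0)))
        cur += timedelta(minutes=1)
    return series


def flag_unusual(records: Iterable[dict], baseline_minutes: int,
                 k: float = 3.0) -> List[Tuple[str, int, str]]:
    """Learn a baseline from the first `baseline_minutes` minutes, then flag later
    minutes as 'spike' (above mean + k*stdev) or 'gap' (below mean - k*stdev).
    A floor of 1.0 on the stdev stops a perfectly flat baseline flagging everything."""
    series = minute_series(per_minute_counts(records))
    baseline = [count for _, count in series[:baseline_minutes]]
    if len(baseline) < 2:
        raise ValueError("need at least two baseline minutes")
    mean = statistics.mean(baseline)
    spread = max(statistics.pstdev(baseline), 1.0)
    high, low = mean + k * spread, mean - k * spread
    flagged = []
    for minute, count in series[baseline_minutes:]:
        if count > high:
            flagged.append((minute, count, "spike"))
        elif count < low:
            flagged.append((minute, count, "gap"))
    return flagged


def _rec(minute: int, second: int, name: str, read_only: bool) -> dict:
    """One constructed record, minute/second offsets from BASE."""
    ts = BASE + timedelta(minutes=minute, seconds=second)
    return {"eventTime": ts.strftime(TIME_FMT), "eventName": name,
            "eventSource": "ec2.amazonaws.com",
            "managementEvent": True, "readOnly": read_only}


def build_sample_events() -> List[dict]:
    """Constructed stream: 30 steady minutes (4-6 writes each plus one read),
    then a 60-call burst, a normal minute, a silent minute, and a normal minute."""
    events = []
    for minute in range(30):
        for s in range(4 + minute % 3):
            events.append(_rec(minute, s, "RunInstances", False))
        events.append(_rec(minute, 50, "DescribeInstances", True))  # read, ignored
    events += [_rec(30, s, "RunInstances", False) for s in range(60)]       # spike
    events += [_rec(31, s, "TerminateInstances", False) for s in range(5)]  # normal
    events += [_rec(33, s, "RunInstances", False) for s in range(5)]        # minute 32 silent
    return events


if __name__ == "__main__":
    for minute, count, kind in flag_unusual(build_sample_events(), baseline_minutes=30):
        print(f"{minute}: {count} write management calls ({kind})")
```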
CloudTrail Lake
Why should I use CloudTrail Lake?
CloudTrail Lake helps you examine incidents by querying all actions logged by CloudTrail, configuration items recorded by AWS Config, evidence from Audit Manager, or events from non-AWS sources. It simplifies incident logging by helping remove operational dependencies and provides tools that can help reduce your reliance on complex data processing pipelines that span teams. CloudTrail Lake does not require you to move and ingest CloudTrail logs elsewhere, which helps maintain data fidelity and reduces exposure to the low rate limits that can throttle your logs. It also provides near real-time latencies, as it is fine-tuned to process high-volume structured logs and make them available for incident investigation. It provides a familiar, multi-attribute query experience using SQL, with the ability to schedule and handle multiple concurrent queries. For users less experienced with SQL, natural language query generation is available to help create SQL queries, simplifying data analysis. The ability to summarize query results using AI (in preview) further enhances your capacity to derive meaningful insights from your activity logs and efficiently investigate incidents. Additionally, pre-curated and custom dashboards offer intuitive ways to visualize and analyze the data stored in your event data stores directly within the CloudTrail console. By combining these features, CloudTrail Lake helps you efficiently investigate incidents and gain deeper insights into your AWS environment, all while simplifying your data management processes.
How does this feature relate to and work with other AWS services?
CloudTrail is the canonical source of logs for user activity and API usage across AWS services. You can use CloudTrail Lake to examine activity across AWS services once the logs are available in CloudTrail. You can query and analyze user activity and impacted resources, and use that data to address issues such as identifying bad actors and baselining permissions.
How can I ingest events from sources outside of AWS, such as custom applications, third-party applications, or other public clouds?
You can find and add partner integrations to start receiving activity events from these applications in a few steps using the CloudTrail console, without having to build and maintain custom integrations. For sources other than the available partner integrations, you can use the new CloudTrail Lake APIs to set up your own integrations and push events to CloudTrail Lake. To get started, see Working with CloudTrail Lake in the CloudTrail User Guide.
When do you recommend using AWS Config advanced query instead of CloudTrail Lake for querying configuration items from AWS Config?
AWS Config advanced query is recommended for customers who want to aggregate and query the current state of AWS Config configuration items (CIs). This helps customers with inventory management, security and operational intelligence, cost optimization, and compliance data. AWS Config advanced query is free if you are an AWS Config customer.
CloudTrail Lake supports query coverage for AWS Config configuration items, including resource configuration and compliance history. Analyzing configuration and compliance history for resources with related CloudTrail events helps infer who, when, and what changed on those resources. This helps with root-cause analysis of incidents related to security exposure or non-compliance. CloudTrail Lake is recommended if you must aggregate and query data across CloudTrail events and historical configuration items.
If I enable ingestion of configuration items from AWS Config today into CloudTrail Lake, will CloudTrail Lake ingest my historical configuration items (generated before the creation of CloudTrail Lake) or collect only the newly recorded configuration items?
CloudTrail Lake will not ingest AWS Config configuration items that were generated before CloudTrail Lake was configured. Newly recorded configuration items from AWS Config, at an account level or organization level, will be delivered to the specified CloudTrail Lake event data store. These configuration items will be available in the lake for query for the specified retention period, and can be used for historical data analysis.
Can I always know which user made a particular configuration change by querying CloudTrail Lake?
If multiple configuration changes are attempted on a single resource by multiple users in quick succession, only one configuration item may be created, mapping to the end-state configuration of the resource. In this and similar scenarios, it may not be possible to provide 100% correlation of which user made which configuration change by querying CloudTrail events and configuration items for a specific time range and resource ID.
If I've used trails before, can I bring existing CloudTrail logs into my existing or new CloudTrail Lake event data store?
Yes. The CloudTrail Lake import capability supports copying CloudTrail logs from an S3 bucket that stores logs from across multiple accounts (from an organization trail) and multiple AWS Regions. You can also import logs from individual accounts and single-region trails. The import capability also lets you specify an import date range, so that you import only the subset of logs that are needed for long-term storage and analysis in CloudTrail Lake. After you've consolidated your logs, you can run queries on your logs, from the most recent events collected after you enabled CloudTrail Lake, to historic events brought over from your trails.
Does this import capability impact the original trail in S3?
The import capability copies the log information from S3 to CloudTrail Lake and keeps the original copy in S3 as is.
After I enable the CloudTrail Lake feature, how long do I need to wait to begin writing queries?
You can begin querying the activities that occur after enabling the feature almost immediately.
What are some of the common security and operational use cases that I can solve using CloudTrail Lake?
Common use cases include investigating security incidents, like unauthorized access or compromised user credentials, and enhancing your security posture by performing audits to regularly baseline user permissions. You can perform necessary audits to make sure the right set of users are making changes to your resources (such as security groups), and track any changes not adhering to your organization’s best practices. Additionally, you can track actions taken on your resources and assess modifications or deletions, and get deeper insights on your AWS services bills including the IAM users subscribing to services.
How do I get started with CloudTrail Lake?
If you are a current or new CloudTrail customer, you can immediately begin using the CloudTrail Lake capability to run queries by enabling the feature through the API or the CloudTrail console.
Select the CloudTrail Lake tab on the left panel of the CloudTrail console, and select the Create Event Data Store button. When you create an event data store, you choose the pricing option you want to use for the event data store. The pricing option determines the cost for ingesting events and the maximum and default retention period for the event data store. Then, select the event categories you want to log (management, data, and network activity events). Additionally, you can take advantage of enhanced event filtering capabilities to control which CloudTrail events are ingested into your event data stores, helping you increase efficiency and reduce costs while maintaining visibility into relevant activities. Once your event data store is set up, you can query any event data stores that you own or manage using SQL-based queries. For users less familiar with SQL, natural language query generation is available to help create SQL queries.
Additionally, query results can be summarized (in preview) using generative AI, further enhancing your ability to derive insights from your CloudTrail data. To help visualize your CloudTrail Lake data, you can use pre-curated dashboards available directly within the CloudTrail console, providing out-of-the-box visibility and key insights from your audit and security data. For more targeted monitoring and analysis, you also have the option to create custom dashboards tailored to your specific needs.
I created an event data store with seven-year retention pricing. Will I be able to migrate the same event data store to the one-year extendable retention pricing option? What happens to my existing data in the event data store that was ingested based on seven-year retention pricing?
Yes. You can update the pricing option from seven-year retention pricing to one-year extendable retention pricing as part of the event data store configuration. Your existing data will remain available in the event data store for the configured retention period. This data will not incur any extended retention charges. However, any newly ingested data will follow the one-year extendable retention pricing charges for both ingestion and extended retention.
I created an event data store with one-year extendable retention pricing. Will I be able to migrate the same event data store to the seven-year retention pricing option?
No. We currently do not support migration of an event data store from one-year extendable retention pricing to seven-year retention pricing. However, you can turn off logging for the current event data store while creating a new event data store with seven-year retention pricing for newly ingested data. You will still be able to retain and analyze the data in both event data stores with their respective pricing options and configured retention periods.
Why is the retention period for CloudTrail Lake calculated based on event-time and not based on ingestion-time to CloudTrail Lake?
CloudTrail Lake is an audit lake that helps customers meet their use case needs around compliance and auditing. Based on their compliance program mandates, customers need to retain audit logs for a specified duration from when the logs were generated, irrespective of when they were ingested into CloudTrail Lake.
If I ingest a historical CloudTrail event from S3 to CloudTrail Lake, and I have the event data store retention period configured to 1 year, will this event always be stored in CloudTrail Lake for 1 year from the time of ingestion?
No. Since this was a historical event with an event-time in the past, this event will be retained in CloudTrail Lake for a retention period of 1 year starting from event-time. So the duration for which that event will be stored in CloudTrail Lake will be less than 1 year.
What type of events from CloudTrail Lake can I visualize on dashboards today?
CloudTrail Lake's pre-curated dashboards support visualization of CloudTrail management, data, and Insights events. Additionally, you have the flexibility to create custom dashboards that can visualize any type of data stored in your event data stores, allowing you to tailor your analysis to your specific needs.
Are dashboards enabled at an account level or event data store level?
Dashboards are enabled at an account level today.
What charges are incurred when I enable CloudTrail Lake dashboards?
CloudTrail Lake dashboards are powered by CloudTrail Lake queries. When you enable CloudTrail Lake dashboards, you will be charged for the data scanned. See the pricing page for more details.
Can I create custom dashboards today?
Yes, you can create your own custom dashboards and also set schedules for refreshing them on a periodic basis.
What use cases do CloudTrail Lake pre-curated dashboards support?
CloudTrail Lake offers a suite of pre-curated dashboards that cater to diverse use cases spanning security, compliance, operations, and resource management. These ready-to-use dashboards are tailored for specific scenarios, providing immediate value across various aspects of cloud governance:
- For security monitoring, dashboards like the "Security Monitoring Dashboard" help track critical security events, including access denied events, failed login attempts, and destructive actions.
- To support compliance efforts, the "IAM Activity Dashboard" provides visibility into changes to IAM entities, helping identify unintended IAM actions and potential compliance issues.
- Cloud operations teams can utilize the "Error Analysis Dashboard" to identify and troubleshoot service throttling errors and other operational issues across services.
- For resource management, the "Resource Changes Dashboard" provides visibility into trends in provisioning, deletion, and modifications across AWS resources, including changes made through CloudFormation and manually.
- Organizations can benefit from the "Organizations Activity Dashboard", which provides insights into account management, access patterns, and policy changes.
- Service-specific dashboards for EC2, Lambda, DynamoDB, and S3 offer detailed visibility into both management and data plane activities for these services.
What additional information can I add to my CloudTrail management and data events?
You can enrich CloudTrail events with resource tags on AWS resources. By incorporating your organization's resource tagging strategy into your CloudTrail events, you can more easily categorize and analyze AWS activities in the context of your business operations, projects, or departments. For example, let's say you use resource tags to mark your production S3 buckets containing critical data. You can now easily view all CloudTrail events matching these specific tags, because this information is included in the event itself. No more manual cross-referencing across multiple systems to find this information.
IAM global condition keys, including principal tags, provide another way to add context to your CloudTrail events. When enabled, CloudTrail will include information about the AWS condition keys that were evaluated during the authorization process. This can provide additional details about the principal making the request and specifics about the request itself; for example, you can view aws:SourceAccount for API calls made to your resource directly by an AWS service principal. It's important to note that a condition key will only appear in the enriched event if it was evaluated as part of the IAM policy during the authorization process.
You can enrich your CloudTrail events when setting up CloudTrail Lake event data stores. During the configuration process, you'll have the option to specify which additional information you want to include in your CloudTrail management and data events. This flexibility allows you to tailor the level of additional information in your logs to best suit your organization's needs for analysis, compliance, and security monitoring. Learn more about how to enrich CloudTrail events here.
What are the delivery guarantees for additional information in enriched events?
You can enrich your management and data events with resource tags and IAM global condition keys. The availability of this additional information depends on various factors including resource state, timing of tag changes, and IAM policy evaluation.
CloudTrail will update AWS resource tags information on a best-effort basis. In the cases where tags information is not available to CloudTrail at the time an AWS API call is made on the tagged resource, CloudTrail will not include this information in the corresponding CloudTrail event. CloudTrail uses Resource Groups Tagging API (RGTA) to retrieve tag information.
There are a few scenarios in which resource tags in CloudTrail events do not have the most up-to-date values or are not present:
- A resource tag is added or updated on an AWS resource after it is created. When a tag is modified on an AWS resource, there is a brief delay before CloudTrail captures and displays the new tag value in its events. This delay occurs because CloudTrail uses a distributed computing model called eventual consistency.
- CloudTrail events for resource deletions may not include tag information. This is because the resource could be deleted before CloudTrail can retrieve the associated tags.
- CloudTrail events are delayed due to a service issue. In such cases, CloudTrail will not include resource tag information. CloudTrail events that are delayed because of such issues include an "addendum" field that shows information about why the event is delayed.
CloudTrail will update IAM global condition keys, including Principal Tags, as API actions are authorized, and CloudTrail events are generated. However, it's crucial to understand that CloudTrail will only include a global condition key in an event if that key was evaluated as part of the IAM policy during the authorization process. Simply configuring CloudTrail to include a condition key doesn't guarantee its presence in every event. If you've set up CloudTrail to include a specific global condition key but don't see it in an event, this indicates that the particular key wasn't relevant to the IAM policy evaluation for that action - in other words, the IAM policy being evaluated didn't use that condition key in its logic.
Log file aggregation
I have multiple AWS accounts. I would like log files for all the accounts to be delivered to a single S3 bucket. Can I do that?
Yes. You can configure one S3 bucket as the destination for multiple accounts. For detailed instructions, refer to the aggregating log files to a single S3 bucket section of the CloudTrail user guide.
Integration with CloudWatch Logs
What is CloudTrail integration with CloudWatch Logs?
CloudTrail integration with CloudWatch Logs delivers management and data events captured by CloudTrail to a CloudWatch Logs log stream in the CloudWatch Logs log group you specify.
What are the benefits of CloudTrail integration with CloudWatch Logs?
This integration helps you receive SNS notifications of account activity captured by CloudTrail. For example, you can create CloudWatch alarms to monitor API calls that create, modify, and delete Security Groups and Network access control lists (ACLs).
How do I turn on CloudTrail integration with CloudWatch Logs?
You can turn on CloudTrail integration with CloudWatch Logs from the CloudTrail console by specifying a CloudWatch Logs log group and an IAM role. You can also use the AWS SDKs or the AWS CLI to turn on this integration.
What happens when I turn on CloudTrail integration with CloudWatch Logs?
After you turn on the integration, CloudTrail continually delivers account activity to a CloudWatch Logs log stream in the CloudWatch Logs log group you specified. CloudTrail also continues to deliver logs to your S3 bucket as before.
In which AWS Regions is CloudTrail integration with CloudWatch Logs supported?
This integration is supported in the Regions where CloudWatch Logs is supported. For more information, see Regions and endpoints in the AWS General Reference.
How does CloudTrail deliver events containing account activity to my CloudWatch Logs?
CloudTrail assumes the IAM role you specify to deliver account activity to CloudWatch Logs. You limit the IAM role to only the permissions it requires to deliver events to your CloudWatch Logs log stream. To review the IAM role policy, go to the user guide of the CloudTrail documentation.
What charges do I incur once I turn on CloudTrail integration with CloudWatch Logs?
After you turn on CloudTrail integration with CloudWatch Logs, you incur standard CloudWatch Logs and CloudWatch charges. For details, go to the CloudWatch pricing page.
CloudTrail log file encryption using AWS KMS
What is the benefit of CloudTrail log file encryption using server-side encryption with AWS KMS?
CloudTrail log file encryption using SSE-KMS helps you add an additional layer of security to CloudTrail log files delivered to an S3 bucket by encrypting the log files with a KMS key. By default, CloudTrail will encrypt log files delivered to your S3 bucket using S3 server-side encryption.
I have an application that ingests and processes CloudTrail log files. Do I need to make any changes to my application?
With SSE-KMS, S3 will automatically decrypt the log files so that you do not need to make any changes to your application. As always, you must make sure that your application has appropriate permissions such as S3 GetObject and AWS KMS Decrypt permissions.
How do I configure CloudTrail log file encryption?
You can use the AWS Management Console, the AWS CLI, or the AWS SDKs to configure log file encryption. For detailed instructions, refer to the documentation.
What charges do I incur once I configure encryption using SSE-KMS?
Once you configure encryption using SSE-KMS, you will incur standard AWS KMS charges. For details, go to the AWS KMS pricing page.
CloudTrail log file integrity validation
What is CloudTrail log file integrity validation?
The CloudTrail log file integrity validation feature helps you determine whether a CloudTrail log file was unchanged, deleted, or modified since CloudTrail delivered it to the specified S3 bucket.
What is the benefit of the CloudTrail log file integrity validation?
You can use the log file integrity validation as an aid in your IT security and auditing processes.
How do I enable CloudTrail log file integrity validation?
You can enable the CloudTrail log file integrity validation feature from the console, the AWS CLI, or the AWS SDKs.
What happens once I turn on the log file integrity validation feature?
Once you turn on the log file integrity validation feature, CloudTrail will deliver digest files on an hourly basis. The digest files contain information about the log files that were delivered to your S3 bucket and hash values for those log files. They also contain digital signatures for the previous digest file and the digital signature for the current digest file in the S3 metadata section. For more information about digest files, digital signatures, and hash values, go to the CloudTrail documentation.
Where are the digest files delivered to?
The digest files are delivered to the same S3 bucket where your log files are delivered. However, they are delivered to a different folder so that you can enforce granular access control policies. For details, refer to the digest file structure section of the CloudTrail documentation.
How can I validate the integrity of a log file or digest file delivered by CloudTrail?
You can use the AWS CLI to validate the integrity of a log file or digest file. You can also build your own tools to do the validation. For more details on using the AWS CLI for validating the integrity of a log file, refer to the CloudTrail documentation.
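The core of a home-built validator is the hash and chain check described above: each log file listed in a digest must hash to the recorded value, and each digest must hash to the previousDigestHashValue recorded by its successor. The example below is added here and is not AWS's own code; it stands in for S3 with an in-memory dict, assumes the documented digest field names (logFiles, s3Object, hashValue, previousDigestHashValue) and that hashValue covers the uncompressed log content, and omits the RSA signature check over the digest that a complete tool must also perform against CloudTrail's published public key.

```python
import gzip
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_log(events):
    # Constructed stand-in for a delivered log file: gzipped {"Records": [...]} JSON.
    return gzip.compress(json.dumps({"Records": events}).encode())

# Constructed "S3 bucket": object key -> gzipped log file bytes (hypothetical account id).
LOGS = {
    "AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/log-a.json.gz": make_log([{"eventName": "CreateBucket"}]),
    "AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/log-b.json.gz": make_log([{"eventName": "DeleteBucket"}]),
}
PREVIOUS_DIGEST = json.dumps({"logFiles": []}).encode()  # constructed prior digest (uncompressed)

def build_digest(keys, prev_digest: bytes) -> bytes:
    # Constructed digest in the assumed format: hashValue is SHA-256 of the uncompressed
    # log content; previousDigestHashValue is SHA-256 of the previous digest's content.
    return json.dumps({
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(prev_digest),
        "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(gzip.decompress(LOGS[k]))} for k in keys],
    }).encode()

def verify_digest(digest_json: bytes, objects: dict, prev_digest: bytes):
    """Return (ok, findings). Flags each listed log file that is deleted or modified,
    and a broken link to the previous digest. Signature verification is not done here."""
    digest = json.loads(digest_json)
    findings = []
    for entry in digest["logFiles"]:
        raw = objects.get(entry["s3Object"])
        if raw is None:
            findings.append(("deleted", entry["s3Object"]))
        elif sha256_hex(gzip.decompress(raw)) != entry["hashValue"]:
            findings.append(("modified", entry["s3Object"]))
    if sha256_hex(prev_digest) != digest.get("previousDigestHashValue"):
        findings.append(("chain-broken", "previousDigestHashValue"))
    return (not findings), findings

def tampered_copy(objects, rewrite_key, delete_key):
    # Constructed tamper scenario: one log file rewritten in place, one removed.
    out = dict(objects)
    out[rewrite_key] = make_log([{"eventName": "ListBuckets"}])
    del out[delete_key]
    return out

if __name__ == "__main__":
    digest = build_digest(list(LOGS), PREVIOUS_DIGEST)
    print(verify_digest(digest, LOGS, PREVIOUS_DIGEST))  # (True, [])
    key_a, key_b = list(LOGS)
    print(verify_digest(digest, tampered_copy(LOGS, key_a, key_b), PREVIOUS_DIGEST))
```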
I aggregate all my log files across all Regions and multiple accounts into one single S3 bucket. Will the digest files be delivered to the same S3 bucket?
Yes. CloudTrail will deliver the digest files across all Regions and multiple accounts into the same S3 bucket.
CloudTrail Processing Library
What is the CloudTrail Processing Library?
The CloudTrail Processing Library is a Java library that makes it easier to build an application that reads and processes CloudTrail log files. You can download the CloudTrail Processing Library from GitHub.
What functionality does CloudTrail Processing Library provide?
The CloudTrail Processing Library provides functionality to handle tasks such as continually polling an Amazon Simple Queue Service (Amazon SQS) queue and reading and parsing SQS messages. It can also download log files stored in S3, and parse and serialize log file events in a fault-tolerant manner. For more information, go to the user guide in the CloudTrail documentation.
What software do I need to start using the CloudTrail Processing Library?
You need aws-java-sdk version 1.9.3 and Java 1.7 or higher.
Pricing
How do I get charged for CloudTrail trails?
CloudTrail helps you view, search, and download the last 90 days of your account’s management events for free. You can deliver one copy of your ongoing management events to S3 for free by creating a trail. Once a CloudTrail trail is set up, S3 charges apply based on your usage.
You can deliver additional copies of events, including data events and network activity events, using trails. You will be charged for data events, network activity events, and additional copies of management events. Learn more on the pricing page.
If I have only one trail with management events, and apply it to all Regions, will I incur charges?
No. The first copy of management events is delivered free of charge in each Region.
If I enable data events on an existing trail with free management events, will I get charged?
Yes. You will be charged for only the data events. The first copy of management events is delivered free of charge.
How do I get charged for CloudTrail Lake?
When you use CloudTrail Lake, you pay for ingestion and storage together, where the billing is based on the amount of uncompressed data ingested and the amount of compressed data stored. When you create an event data store, you choose the pricing option you want to use for the event data store. The pricing option determines the cost for ingesting events and the maximum and default retention period for the event data store. Querying charges are based on the compressed data you choose to analyze. Learn more on the pricing page.
Can I calculate my estimated CloudTrail Lake ingestion usage if I know my historical CloudTrail usage in trails?
Yes. Each CloudTrail event, on average, is around 1500 bytes. Using this mapping, you will be able to estimate the CloudTrail Lake ingestion based on past month’s CloudTrail usage in trails by number of events.
Partners
How do the AWS Partner Solutions help me analyze the events recorded by CloudTrail?
Multiple partners offer integrated solutions to analyze CloudTrail log files. These solutions include features like change tracking, troubleshooting, and security analysis. For more information, see the CloudTrail partners section.
How can I onboard an integration to CloudTrail Lake as an available source?
To get started with your integration, you can review the Partner Onboarding Guide. Engage with your partner development team or partner solutions architect to connect you with the CloudTrail Lake team for a deeper dive or further questions.
Other
Will turning on CloudTrail impact the performance of my AWS resources or increase API call latency?
No. Turning on CloudTrail has no impact on performance for your AWS resources or API call latency.