How do I use CloudTrail to review what API calls and actions have occurred in my AWS account?
How do I review actions that occurred in my AWS account, such as console logins or terminating an instance?
You can use AWS CloudTrail data to view and track API calls made to your account using the following:
- CloudTrail Event history
- CloudTrail Lake
- Amazon CloudWatch Logs
- Amazon Athena queries
- Amazon Simple Storage Service (Amazon S3) archived log files
Note: Not all AWS services have logs recorded and available with CloudTrail. For a list of AWS services integrated with CloudTrail, see AWS service topics for CloudTrail.
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
CloudTrail Event history
Reviewing CloudTrail Event history using the CloudTrail console
You can view all supported services and integrations and event types (create, modify, delete, and non-mutable activities) from the past 90 days. You don't need to set up a trail to use CloudTrail Event history.
For instructions, see Viewing CloudTrail events in the CloudTrail console.
Reviewing CloudTrail Event history using the AWS CLI
Note: To search for events using the AWS CLI, you must have a trail created and configured to log to CloudWatch Logs. For more information, see Creating a trail. Also, Sending events to CloudWatch Logs.
Use the filter-log-events command to apply metric filters to search for specific terms, phrases, and values in your log events. Then, you can transform them into CloudWatch metrics and alarms.
For more information, see Filter and pattern syntax.
Note: To use the filter-log-events command at scale (for example, automation or a script), it's a best practice to use CloudWatch Logs subscription filters. This is because the filter-log-events API action has API limits. Subscription filters have no such limits. Subscription filters also provide the ability to process large amounts of log data in real time. For more information, see CloudWatch Logs quotas.
CloudTrail Lake allows you to aggregate, immutably store, and run SQL-based queries on your events. You can store even data in CloudTrail Lake for up to seven years, or 2,555 days.
For more information, see Working with AWS CloudTrail Lake.
Amazon CloudWatch Logs
Note: To use CloudWatch Logs, you must have a trail created and configured to log to CloudWatch Logs. For more information, see Creating a trail. Also, Sending events to CloudWatch Logs.
You can use CloudWatch Logs to search for operations that change the state of a resource (for example, StopInstances). You can also use CloudWatch Logs to search for operations that don't change the state of a resource (for example, DescribeInstances). For instructions, see View log data sent to CloudWatch Logs.
Keep in mind the following:
- You must explicitly configure CloudTrail to send events to CloudWatch Logs, even if you already created a trail.
- You can't review activity from before the logs were configured.
- There can be multiple log streams, depending on the size and volume of events. To search across all streams, choose Search Log Group before selecting an individual stream.
- Because CloudWatch Logs has an event size limitation of 256 KB, CloudTrail doesn't send events larger than 256 KB to CloudWatch Logs.
Amazon Athena queries
You can use Amazon Athena to view CloudTrail data events and management events stored in your Amazon S3 bucket.
For more information, see How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs? Also, Creating the table for CloudTrail logs in Athena using manual partitioning.
Amazon S3 archived log files
Note: To view Amazon S3 archived log files, you must have a trail created and configured to log to an S3 bucket. For more information, see Creating a trail.
You can see all events captured by CloudTrail in the Amazon S3 log files. You can also manually parse the log files from the S3 bucket Using the CloudTrail Processing Library, the AWS CLI, or send logs to AWS CloudTrail partners.
For instructions, see Amazon S3 CloudTrail events.
Note: You must have a trail activated to log to an S3 bucket.
What is Amazon CloudWatch Logs?
Creating metrics from log events using filters
AWS Config console now displays API events associated with configuration changes
- AWS OFFICIALAktualisiert vor einem Jahr
- AWS OFFICIALAktualisiert vor 9 Monaten
- Wie kann ich eine EventBridge-Ereignisregel erstellen, um mich darüber zu informieren, dass mein AWS-Root-Benutzerkonto verwendet wurde?AWS OFFICIALAktualisiert vor einem Jahr
- AWS OFFICIALAktualisiert vor einem Jahr