I want to understand the differences between data events and management events in AWS CloudTrail. How are the two types of CloudTrail events different?
Resolution
CloudTrail data events
CloudTrail data events (also known as "data plane operations") show the resource operations performed on or within a resource in your AWS account. These operations are often high-volume activities.
Example data events
- Amazon Simple Storage Service (Amazon S3) object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations)
- AWS Lambda function invocation activity (for example, InvokeFunction API operations)
- Amazon DynamoDB object-level API activity on tables (for example, PutItem, DeleteItem, and UpdateItem API operations)
Viewing data events
By default, trails don't log data events, and data events aren't viewable in CloudTrail Event history. To activate data event logging, you must explicitly add the supported resources or resource types to a trail.
For instructions to activate data event logging, see Logging data events for trails.
For instructions to view data events, see Getting and viewing your CloudTrail log files.
Note: Additional charges apply for logging data events. For more information, see AWS CloudTrail pricing.
CloudTrail management events
CloudTrail management events (also known as "control plane operations") show management operations that are performed on resources in your AWS account.
Example management events
- Creating an Amazon Simple Storage Service (Amazon S3) bucket
- Creating and managing AWS Identity and Access Management (IAM) resources
- Registering devices
- Configuring routing table rules
- Setting up logging
Viewing management events
By default, trails log management events across AWS services, and this logging is available for free. You can review and download the most recent 90-day history of your account's management events using CloudTrail Event history or the LookupEvents API.
For more information, see Logging management events for trails.
Note: You can deliver one copy of your ongoing management events to Amazon S3 for free by creating trails. Creating trails lets you store events in Amazon S3 for up to 90 days. Additional copies of management events incur a charge. For more information, see AWS CloudTrail pricing.
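To make the data/management distinction concrete, here is an added Python example (it is not part of the original article or of the AWS documentation it links to). It reads a constructed CloudTrail log file, sorts each record into management or data events using the record's eventCategory field (falling back to the managementEvent boolean for older record versions that lack it), counts the high-volume data operations by service and API name, and builds the EventSelectors structure that the PutEventSelectors API expects when you turn on S3 object-level and Lambda invocation logging for a trail. The account ID, ARNs, user names and timestamps in the sample are made up; the record field names and selector resource types (AWS::S3::Object, AWS::Lambda::Function) are the documented ones.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of one CloudTrail log file as delivered to S3 (each object
# is a JSON document with a "Records" array; real files are also gzipped).
# Field names follow the CloudTrail record format; the account ID, ARNs, user
# names and timestamps are made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:00:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1",
     "readOnly": False, "managementEvent": True, "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "userName": "admin"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:00:01Z",
     "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "awsRegion": "us-east-1",
     "readOnly": False, "managementEvent": True, "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "userName": "admin"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:00:02Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "readOnly": True, "managementEvent": False, "eventCategory": "Data",
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/report.csv"}],
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:00:03Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "readOnly": True, "managementEvent": False, "eventCategory": "Data",
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/report2.csv"}],
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:00:04Z",
     "eventSource": "lambda.amazonaws.com", "eventName": "Invoke", "awsRegion": "us-east-1",
     "readOnly": False, "managementEvent": False, "eventCategory": "Data",
     "resources": [{"type": "AWS::Lambda::Function",
                    "ARN": "arn:aws:lambda:us-east-1:123456789012:function:example-fn"}],
     "userIdentity": {"type": "AWSService", "invokedBy": "events.amazonaws.com"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:00:05Z",
     "eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem", "awsRegion": "us-east-1",
     "readOnly": False, "managementEvent": False, "eventCategory": "Data",
     "resources": [{"type": "AWS::DynamoDB::Table",
                    "ARN": "arn:aws:dynamodb:us-east-1:123456789012:table/example-table"}],
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}},
    # Older record format without eventCategory, to exercise the fallback.
    {"eventVersion": "1.05", "eventTime": "2024-01-01T10:00:06Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "readOnly": True, "managementEvent": True,
     "userIdentity": {"type": "IAMUser", "userName": "auditor"}},
]})


def load_records(log_text):
    """Parse one (already decompressed) CloudTrail log file into its records."""
    return json.loads(log_text)["Records"]


def classify(record):
    """Return 'Management', 'Data', 'Insight' or 'Unknown' for one record.

    Records of eventVersion 1.07 and later carry eventCategory; older ones only
    carry the managementEvent boolean, so fall back to that when it is missing.
    """
    category = record.get("eventCategory")
    if category:
        return category
    if "managementEvent" in record:
        return "Management" if record["managementEvent"] else "Data"
    return "Unknown"


def split_by_category(records):
    """Group records as {'Management': [...], 'Data': [...], ...}."""
    groups = defaultdict(list)
    for record in records:
        groups[classify(record)].append(record)
    return dict(groups)


def summarize(records):
    """Count records by (category, eventSource, eventName). The Data rows are
    where the high-volume, separately billed activity shows up."""
    return Counter((classify(r), r["eventSource"], r["eventName"]) for r in records)


def data_event_selectors(s3_prefix_arns=(), lambda_function_arns=(),
                         read_write_type="All", include_management=True):
    """Build the EventSelectors list for PutEventSelectors (basic selectors).

    A trail logs no data events until selectors like these are set on it;
    management events stay on through IncludeManagementEvents. An S3 value
    such as "arn:aws:s3:::example-bucket/" covers every object in the bucket,
    and "arn:aws:lambda" covers every function in the account.
    """
    data_resources = []
    if s3_prefix_arns:
        data_resources.append({"Type": "AWS::S3::Object", "Values": list(s3_prefix_arns)})
    if lambda_function_arns:
        data_resources.append({"Type": "AWS::Lambda::Function", "Values": list(lambda_function_arns)})
    return [{"ReadWriteType": read_write_type,
             "IncludeManagementEvents": include_management,
             "DataResources": data_resources}]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for (category, source, name), n in sorted(summarize(recs).items()):
        print(f"{category:<11} {source:<25} {name:<18} {n}")
    print(json.dumps(data_event_selectors(
        s3_prefix_arns=["arn:aws:s3:::example-bucket/"],
        lambda_function_arns=["arn:aws:lambda"]), indent=2))
```

Running the script prints one row per (category, service, API) with its count, so the two GetObject data events and the single CreateBucket management event on the same S3 service land in different categories, and then the selector JSON that would be passed to PutEventSelectors. Grouping on eventCategory rather than on eventSource is the point: a service such as S3 emits both kinds of event, and only the records classified as Data are the ones that a trail silently omits until data event logging is enabled.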
To view CloudTrail data events and management events stored in your Amazon S3 bucket after 90 days
You can use Amazon Athena to view CloudTrail data events and management events stored in your Amazon S3 bucket.
For instructions, see How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs? and Creating the table for CloudTrail logs in Athena using manual partitioning.
Related information
How CloudTrail works
CloudTrail supported services and integrations
How do I use CloudTrail to review what API calls and actions have occurred in my AWS account?