I want to troubleshoot why AWS CloudTrail logs don't show AWS Identity and Access Management (IAM) console user activity.
Short description
IAM events that CloudTrail logs are different from the activity that you view on the IAM console. Use the IAM console to review when the IAM user last used their password, when the user last used each access key, and the service last accessed information. You can also use an IAM API operation to view activity. For example, use the GenerateServiceLastAccessedDetails API operation with the AWS Command Line Interface (AWS CLI) to programmatically retrieve service access history.
To view the API operations that an IAM user called, review the CloudTrail logs.
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Resolution
Use the correct AWS Region
IAM is a global service, so CloudTrail logs IAM events only in the US East (N. Virginia) AWS Region. To view IAM events, you must be in the same Region.
To check the Region, view the CloudTrail Event history.
Filter by the correct event source in CloudTrail
CloudTrail doesn't log all IAM user activity under iam.amazonaws.com. To view an event, make sure that you filter by the correct event source.
CloudTrail logs IAM operations, such as CreateUser, AttachUserPolicy, and DeleteRole, under iam.amazonaws.com.
To view AWS Management Console sign-in events, such as ConsoleLogin, check the signin.amazonaws.com event source.
To view temporary credential and role assumption activity, such as AssumeRole, check sts.amazonaws.com.
Note: CloudTrail logs AWS Security Token Service (AWS STS) events in the Region where you made the API operation. To view AssumeRole or temporary credential activity, check all Regions or use a multi-Region trail.
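The following Python is an added example, not part of this article or of any AWS tool. It reads constructed CloudTrail records of the kind a trail delivers (field set trimmed, user names and times made up) and applies the three event-source filters above, including the Region caveat: the IAM and sign-in records carry awsRegion us-east-1, while the AssumeRole record carries the Region where it was called, so looking for STS activity in us-east-1 alone misses it.

```python
"""Filter constructed CloudTrail records by event source, with the Region caveat."""
import json
from collections import defaultdict

# Constructed sample: the "Records" array of a CloudTrail log file, trimmed to
# the fields this example reads. User names, times and Regions are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})


def load_records(log_text):
    """Parse a CloudTrail log file body and return its Records list."""
    return json.loads(log_text)["Records"]


def events_by_source(records, event_source, region=None):
    """Mimic the Event history filter: records whose eventSource matches,
    optionally limited to one Region (Event history is shown per Region)."""
    return [r["eventName"] for r in records
            if r["eventSource"] == event_source
            and (region is None or r["awsRegion"] == region)]


def regions_by_source(records):
    """Map each eventSource to the sorted list of Regions it was logged in.
    IAM and sign-in events land in us-east-1; STS events land where called."""
    regions = defaultdict(set)
    for r in records:
        regions[r["eventSource"]].add(r["awsRegion"])
    return {src: sorted(rs) for src, rs in regions.items()}


def user_activity(records, user_name):
    """Every API call one IAM user made, across all event sources and Regions."""
    return [(r["eventSource"], r["eventName"], r["awsRegion"]) for r in records
            if r["userIdentity"].get("userName") == user_name]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(events_by_source(recs, "iam.amazonaws.com"))
    # Empty: the AssumeRole call was made in eu-west-1, not us-east-1
    print(events_by_source(recs, "sts.amazonaws.com", region="us-east-1"))
    print(regions_by_source(recs))
    print(user_activity(recs, "alice"))
```

Running the script shows why a search for a user's activity has to cover all three event sources and, for STS, every Region (or a multi-Region trail): the same user appears under iam, signin and sts, and only the STS record is outside us-east-1.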
Check whether you created a trail for logs that are older than 90 days
CloudTrail event history retains events for 90 days. To view events that are older than 90 days, you must create a CloudTrail trail. If you didn't create a trail before the activity occurred, then you can't retrieve the event.
To determine whether you created a trail, choose Trails in the navigation pane of the CloudTrail console and check for a list of trails. If a trail exists, then check the associated Amazon Simple Storage Service (Amazon S3) bucket for the logs that are older than 90 days.
CloudTrail stores IAM events under the us-east-1 prefix. To view events from other services, find the prefix that matches the Region where you called the API operation. To update an existing trail to multi- or single-Region, see Converting a single-Region trail to a multi-Region trail or Converting a multi-Region trail to a single-Region trail.
If you created an S3 Lifecycle configuration, then check whether the expiration action that you set deleted the log files.
Check for data events on your trail
CloudTrail classifies some actions that an IAM user performs on AWS resources as data events. For example, when an IAM user accesses an S3 object or invokes an AWS Lambda function, CloudTrail logs the action as a data event. If you didn't create an event data store (or configure a trail to log data events) before an action occurred, then you can't view the event.
To create an event data store, see Create an event data store for CloudTrail events with the console. To log data events in an existing data store, see Logging data events with the AWS Management Console.
You can't view data events in the CloudTrail Event history. To view data events, you must either access them in the trail's S3 bucket or query them with Amazon Athena or CloudTrail Lake.
Note: Data events incur additional costs. For more information, see AWS CloudTrail pricing.
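The following Python is an added example, not part of this article or of any AWS tool, and it serves both the trail section (events older than 90 days, the us-east-1 prefix in the trail's S3 bucket) and the data events section above. It builds the S3 key prefix under which a trail delivers a day's IAM logs, reads a gzipped log file of the format a trail delivers, separates management events (visible in Event history) from data events (only in the bucket or an event data store), and flags events that are older than Event history retains. The account ID, trail prefix, file name suffix and records are constructed placeholders; a local temporary directory stands in for the S3 bucket.

```python
"""Locate and read trail log files for IAM activity that Event history no longer shows."""
import gzip
import json
import os
import tempfile
from datetime import date, datetime, timedelta, timezone

EVENT_HISTORY_DAYS = 90  # Event history retention period


def parse_time(iso):
    """CloudTrail eventTime ends in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def needs_trail(event_time_iso, now_iso=None):
    """True when the event is older than Event history retains, so only a trail
    (or event data store) that existed when the event occurred can still hold it."""
    now = parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    return now - parse_time(event_time_iso) > timedelta(days=EVENT_HISTORY_DAYS)


def iam_log_prefix(account_id, day_iso, trail_prefix=""):
    """S3 key prefix a trail uses for one day's IAM logs. IAM is a global service,
    so the Region segment is always us-east-1:
    [<trail prefix>/]AWSLogs/<account id>/CloudTrail/us-east-1/YYYY/MM/DD/"""
    day = date.fromisoformat(day_iso)
    base = f"{trail_prefix.strip('/')}/" if trail_prefix else ""
    return f"{base}AWSLogs/{account_id}/CloudTrail/us-east-1/{day:%Y/%m/%d}/"


def read_trail_log(path):
    """Log files delivered to the bucket are gzipped JSON with a 'Records' list."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def split_management_data(records):
    """Management events appear in Event history; data events exist only in the
    trail's bucket or an event data store, and only if data event logging was on."""
    mgmt = [r["eventName"] for r in records if r.get("eventCategory") == "Management"]
    data = [r["eventName"] for r in records if r.get("eventCategory") == "Data"]
    return mgmt, data


# Constructed records (fields trimmed); times and names are placeholders.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-15T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "eventCategory": "Management"},
    {"eventTime": "2024-01-15T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "eventCategory": "Data"},
    {"eventTime": "2024-01-15T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRole", "awsRegion": "us-east-1", "eventCategory": "Management"},
]


def write_sample_log(root):
    """Write SAMPLE_RECORDS as a gzipped file under the trail's key layout.
    Account ID, trail prefix and file name suffix are constructed placeholders."""
    key = (iam_log_prefix("123456789012", "2024-01-15", "mytrail")
           + "123456789012_CloudTrail_us-east-1_20240115T1005Z_example.json.gz")
    path = os.path.join(root, *key.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        json.dump({"Records": SAMPLE_RECORDS}, fh)
    return path


def demo(now_iso="2024-05-01T00:00:00Z"):
    """Write, locate and read the sample file; report what Event history would miss."""
    with tempfile.TemporaryDirectory() as root:
        records = read_trail_log(write_sample_log(root))
    mgmt, data = split_management_data(records)
    older = [r["eventName"] for r in records if needs_trail(r["eventTime"], now_iso)]
    return {"management": mgmt, "data": data, "older_than_event_history": older}


if __name__ == "__main__":
    print(iam_log_prefix("123456789012", "2024-01-15", "mytrail"))
    print(demo())
```

With the sample date of 2024-01-15 and "now" set to 2024-05-01, every record is past the 90-day window, so all three can only come from the trail's bucket; the GetObject data event would be absent from Event history at any age.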
Wait to check for CloudTrail event delivery in your S3 bucket
CloudTrail typically delivers management events within 15 minutes of an API operation. If the events don't appear in the trail's S3 bucket, then wait and check again.