I activated AWS CloudTrail object-level event logging for an Amazon Simple Storage Service (Amazon S3) bucket. But I can't see my Amazon S3 object-level API actions in my CloudTrail Event history.
Short description
Amazon S3 object-level API actions are CloudTrail data events. By default, trails don't log data events, and data events aren't viewable in CloudTrail Event history.
To view Amazon S3 object-level API actions after you activate data event logging, you must query your CloudTrail logs.
To query CloudTrail logs for object-level API actions, use one of the following:
Amazon CloudWatch Logs filter patterns
Amazon Athena queries
For more information, see Logging Amazon S3 API calls using AWS CloudTrail.
Note: If you configure other data sources for the same S3 bucket as your trail, then the logs combine with CloudTrail events.
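The distinction above (management events appear in Event history, S3 data events only in the delivered log files) can be seen directly in the log file contents. The following Python script is an added example and not part of the AWS article: it decompresses a CloudTrail log file in the gzip-compressed {"Records": [...]} form that a trail writes to its S3 bucket, then separates S3 object-level data events (eventCategory "Data", resource type AWS::S3::Object) from bucket-level management events such as DeleteBucket or GetBucketAcl. The four sample records are constructed for this example; the field names (eventSource, eventName, eventCategory, managementEvent, requestParameters, resources) are standard CloudTrail record fields, and the function names are this example's own.

```python
import gzip
import json

# Constructed sample log file (example data, not from the page). Two of the four
# records are bucket-level management events, two are object-level data events.
SAMPLE_RECORDS = {
    "Records": [
        {
            "eventTime": "2024-05-01T10:00:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetBucketAcl",
            "eventCategory": "Management",
            "managementEvent": True,
            "requestParameters": {"bucketName": "example-bucket"},
            "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-bucket"}],
        },
        {
            "eventTime": "2024-05-01T10:00:05Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject",
            "eventCategory": "Data",
            "managementEvent": False,
            "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
            "resources": [
                {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/reports/q1.csv"},
                {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-bucket"},
            ],
        },
        {
            "eventTime": "2024-05-01T10:01:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "DeleteBucket",
            "eventCategory": "Management",
            "managementEvent": True,
            "requestParameters": {"bucketName": "old-bucket"},
            "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::old-bucket"}],
        },
        {
            "eventTime": "2024-05-01T10:02:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutObject",
            "eventCategory": "Data",
            "managementEvent": False,
            "requestParameters": {"bucketName": "example-bucket", "key": "uploads/new.bin"},
            "resources": [
                {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/uploads/new.bin"},
                {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-bucket"},
            ],
        },
    ]
}

# CloudTrail delivers log files gzip-compressed; build one from the sample records.
SAMPLE_LOG_GZ = gzip.compress(json.dumps(SAMPLE_RECORDS).encode("utf-8"))


def load_records(log_file_bytes):
    """Decompress one CloudTrail log file and return its Records list."""
    return json.loads(gzip.decompress(log_file_bytes).decode("utf-8"))["Records"]


def is_s3_object_level(record):
    """True for S3 data events (object-level API actions), False for management events."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return False
    if record.get("eventCategory") == "Data":
        return True
    # Fallback for records without eventCategory: an object resource marks a data event.
    return any(r.get("type") == "AWS::S3::Object" for r in record.get("resources", []))


def object_level_events(records, event_name=None):
    """Keep object-level events; optionally match a single eventName, which is the
    same condition the CloudWatch filter pattern {$.eventName = "..."} applies."""
    return [
        r for r in records
        if is_s3_object_level(r) and (event_name is None or r.get("eventName") == event_name)
    ]


def summarize(records):
    """(eventName, bucket, key) for every object-level event in records."""
    return [
        (r["eventName"], r["requestParameters"].get("bucketName"), r["requestParameters"].get("key"))
        for r in object_level_events(records)
    ]


if __name__ == "__main__":
    for name, bucket, key in summarize(load_records(SAMPLE_LOG_GZ)):
        print(f"{name} s3://{bucket}/{key}")
```

Run against a real log file, load_records takes the bytes of one object downloaded from the trail's S3 bucket; DeleteBucket and GetBucketAcl never appear in the summary because they are management events, which is exactly why they show up in Event history while GetObject and PutObject do not.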
Resolution
Use CloudWatch logs filter patterns to view object-level API actions
To search your CloudWatch logs for object-level API actions, follow the instructions in Search log data using filter patterns.
For example, use the following syntax to find all DeleteBucket API actions:
{$.eventName = "DeleteBucket"}
Use Athena queries to view object-level API actions
Before you can use Athena to query your CloudTrail logs, you must configure a trail to write logs to an Amazon S3 bucket. The CloudTrail logs are available to query for up to 90 days. To query the logs, follow the instructions in How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?
For example, run the following query to find all GetBucketAcl API actions in your logs:
SELECT *
FROM "example-cloudtrail-log"
WHERE eventname = 'GetBucketAcl';
Note: Replace example-cloudtrail-log with the name of the Athena table that you created for your CloudTrail logs. Athena requires double quotes around a table name that contains hyphens.
For more information, see Understand CloudTrail logs and Athena tables.
Related information
CloudTrail tracking with Amazon S3 SOAP API calls
How do I use Amazon Athena to analyze my Amazon S3 server access logs?
Analyze security, compliance, and operational activity using AWS CloudTrail and Amazon Athena