Why don't Amazon S3 object-level API actions appear in my CloudTrail Event history?

Short description

Amazon S3 object-level API actions are CloudTrail data events. By default, trails don't log data events, and data events aren't viewable in CloudTrail Event history.

To view Amazon S3 object-level API actions after you activate data event logging, you must query your CloudTrail logs.

To query CloudTrail logs for object-level API actions, use one of the following:

• Amazon CloudWatch logs filter patterns
• Amazon Athena queries

For more information, see Logging Amazon S3 API calls using AWS CloudTrail.

Note: If you configure other data sources for the same S3 bucket as your trail, then the logs combine with CloudTrail events.

Resolution

Use CloudWatch logs filter patterns to view object-level API actions

To search your CloudWatch logs for object-level API actions, follow the instructions in Search log data using filter patterns.

For example, use the following syntax to find all DeleteBucket API actions:

{$.eventName = "DeleteBucket"}

Use Athena queries to view object-level API actions

Before you can use Athena to query your CloudTrail logs, you must configure a trail to write logs to an Amazon S3 bucket. The CloudTrail logs are available to query for up to 90 days. To query the logs, follow the instructions in How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?

For example, run the following query to find all GetBucketAcl API actions in your logs:

SELECT *  
  FROM example-cloudtrail-log  
 WHERE eventname = 'GetBucketAcl';

Note: Replace example-cloudtrail-log with your CloudTrail log's name.

For more information, see Understand CloudTrail logs and Athena tables.

Related information

CloudTrail tracking with Amazon S3 SOAP API calls

How do I use Amazon Athena to analyze my Amazon S3 server access logs?

Analyze security, compliance, and operational activity using AWS CloudTrail and Amazon Athena