Using CloudTrail Advanced Event Selectors, is it possible to specify roles and/or user identities for inclusion or exclusion?

1

We're currently logging all Data Events using CloudTrail. Within this logging, we have a high volume of activity from a specific role that is used to interact with the S3 bucket that is hosting our trail data. We know this activity is benign and would like to exclude the specific actions this role usually takes for this specific bucket based on the role. I've reviewed the documentation for Advanced Event Selectors for CloudTrail, and it seems that there are only options to include or exclude events based on "resources.type" and the ARN/actions of a given type. Is there any way to filter CloudTrail events with more granularity? We would ideally like to exclude logs based on a role's ARN rather than excluding all logs of a target bucket.

asked a year ago | 1193 views
1 Answer
0

AWS CloudTrail is a service built around risk auditing, governance, and compliance of your AWS account; in keeping with these goals, CloudTrail logs events taken by users, roles and AWS services. This extends to data events, and the advanced event selectors are built around auditing who has access to your resources; as such, using the advanced event selector with a principal ARN, such as a role, is currently not supported.

I have raised a feature request on your behalf to add this functionality into CloudTrail. AWS does not divulge internal roadmaps for when or if a new feature will be added to a service; for updates on new features to AWS services you can follow the AWS NEW page https://aws.amazon.com/new . The option to subscribe to an RSS feed to receive new updates is also available.

AWS
answered a year ago
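As an added illustration (not code from the question, the answer, or AWS), the following evaluates the matching semantics of advanced event selector field selectors (values under one operator are ORed, operators and field selectors are ANDed, selectors are ORed) against constructed S3 data events. The selector shown is the granularity the answer leaves available: excluding the trail bucket by `resources.ARN` rather than by the caller's role. The bucket name, account ID and ARNs are placeholders.

```python
from typing import Any, Callable, Dict, List

# Operators accepted by a field selector; within one operator any listed
# value may match, and every operator present in the field selector must hold.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda v, p: v == p,
    "NotEquals": lambda v, p: v != p,
    "StartsWith": lambda v, p: v.startswith(p),
    "NotStartsWith": lambda v, p: not v.startswith(p),
    "EndsWith": lambda v, p: v.endswith(p),
    "NotEndsWith": lambda v, p: not v.endswith(p),
}

# Placeholder ARN prefix for the bucket that stores the trail's own log files.
TRAIL_BUCKET_ARN = "arn:aws:s3:::example-trail-bucket/"

# Keep all S3 object-level data events except those on the trail bucket itself.
SELECTOR: Dict[str, Any] = {
    "Name": "S3 data events excluding the trail bucket",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "resources.ARN", "NotStartsWith": [TRAIL_BUCKET_ARN]},
    ],
}

def field_matches(field_selector: Dict[str, Any], value: str) -> bool:
    """AND across the operators listed for the field, OR across each operator's values."""
    return all(any(OPERATORS[op](value, p) for p in field_selector[op])
               for op in OPERATORS if op in field_selector)

def event_selected(event: Dict[str, str], selectors: List[Dict[str, Any]]) -> bool:
    """Logged if any selector matches; a selector matches only if all its field
    selectors match. A field the selector language cannot name (the caller's
    role ARN in the question) never influences the result."""
    return any(all(field_matches(fs, event.get(fs["Field"], "")) for fs in sel["FieldSelectors"])
               for sel in selectors)

ROLE = "arn:aws:sts::111122223333:assumed-role/LogReader/session"  # constructed
USER = "arn:aws:iam::111122223333:user/analyst"                    # constructed
def _ev(name: str, arn: str, who: str) -> Dict[str, str]:
    return {"eventCategory": "Data", "resources.type": "AWS::S3::Object",
            "resources.ARN": arn, "eventName": name, "userIdentity.arn": who}

# Constructed sample events: two on the trail bucket, two on an application bucket.
EVENTS = [_ev("GetObject", TRAIL_BUCKET_ARN + "AWSLogs/111122223333/x.json.gz", ROLE),
          _ev("PutObject", TRAIL_BUCKET_ARN + "AWSLogs/111122223333/y.json.gz", ROLE),
          _ev("PutObject", "arn:aws:s3:::app-data-bucket/report.csv", ROLE),
          _ev("GetObject", "arn:aws:s3:::app-data-bucket/report.csv", USER)]

def logged_event_names(events: List[Dict[str, str]], selectors: List[Dict[str, Any]]) -> List[str]:
    return [e["eventName"] for e in events if event_selected(e, selectors)]
```

Because the same role's PutObject on `app-data-bucket` is still logged while both trail-bucket events are dropped, the selector filters by resource only, which is exactly the limitation the question runs into.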
