Why Does CloudTrail Take 10-15 Minutes to Log IAM User ConsoleLogin Failures?

0

I enabled CloudTrail to track failed IAM user ConsoleLogin attempts, but I noticed a 10-15 minute delay before the events appear in Event History or CloudWatch Logs.

  • Management Events (Read/Write) enabled
  • CloudWatch Logs integration enabled
  • IAM login failures are getting logged, but with a delay

Is this expected behavior? Can the delay be reduced for faster detection of failed logins?

1 Answer
0
Accepted Answer

CloudTrail aggregates events and delivers them in batches. In most cases, logs are delivered every 5 minutes. This is stated in the CloudTrail service FAQ: https://aws.amazon.com/cloudtrail/faqs/#product-faqs#cloudtrail-faqs#event-message-timeliness-and-delivery-frequency and this documentation section: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html#how-cloudtrail-works-trails, in the "Note" box:

CloudTrail typically delivers logs within an average of about 5 minutes of an API call. This time is not guaranteed.

The batching of events is quite vital for the service to be able to function reliably also under unusual circumstances, such as heavy cyberattacks or partial technical failures, so the delivery interval is fixed for all users and is not configurable.

EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago
  • Thank you for the explanation! Is there any approach for real-time monitoring of user ConsoleLogin events?
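
To measure the delivery lag discussed in this thread on your own trail, the following added example (not part of the original question or answer) filters failed ConsoleLogin records and compares each record's `eventTime` with the time CloudWatch Logs ingested it. It assumes events shaped like CloudWatch Logs FilterLogEvents output (`ingestionTime` in epoch milliseconds, `message` holding the CloudTrail record as JSON); the sample events and function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

def _rec(time, name, result, user="alice"):
    # Build a constructed CloudTrail-style record; all values are made up.
    return json.dumps({"eventTime": time, "eventSource": "signin.amazonaws.com",
                       "eventName": name, "sourceIPAddress": "203.0.113.10",
                       "userIdentity": {"type": "IAMUser", "userName": user},
                       "responseElements": {"ConsoleLogin": result}})

# Constructed sample: two failures, one success, one unrelated event, one bad line.
SAMPLE_EVENTS = [
    {"ingestionTime": 1735733040000, "message": _rec("2025-01-01T12:00:00Z", "ConsoleLogin", "Failure")},
    {"ingestionTime": 1735733610000, "message": _rec("2025-01-01T12:01:30Z", "ConsoleLogin", "Failure", "bob")},
    {"ingestionTime": 1735733100000, "message": _rec("2025-01-01T12:02:00Z", "ConsoleLogin", "Success")},
    {"ingestionTime": 1735733100000, "message": _rec("2025-01-01T12:03:00Z", "CheckMfa", "Failure")},
    {"ingestionTime": 1735733100000, "message": "not json"},
]

def parse_time(value):
    # CloudTrail eventTime is UTC in ISO 8601 form, e.g. 2025-01-01T12:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def failed_console_logins(log_events):
    """Yield (user, source_ip, event_time, delay_seconds) per failed ConsoleLogin."""
    for ev in log_events:
        try:
            rec = json.loads(ev["message"])
        except (KeyError, ValueError):
            continue  # skip lines that are not CloudTrail JSON
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if (rec.get("responseElements") or {}).get("ConsoleLogin") != "Failure":
            continue
        when = parse_time(rec["eventTime"])
        delay = ev["ingestionTime"] / 1000 - when.timestamp()
        user = (rec.get("userIdentity") or {}).get("userName", "unknown")
        yield user, rec.get("sourceIPAddress"), when, delay

def delay_summary(log_events):
    """Return count and min/max delivery delay (seconds) for failed logins."""
    delays = sorted(d for *_, d in failed_console_logins(log_events))
    if not delays:
        return None
    return {"count": len(delays), "min_s": delays[0], "max_s": delays[-1]}

if __name__ == "__main__":
    for user, ip, when, delay in failed_console_logins(SAMPLE_EVENTS):
        print(f"{when.isoformat()} user={user} ip={ip} delivered after {delay:.0f}s")
    print(delay_summary(SAMPLE_EVENTS))
```

The maximum observed delay is a useful lower bound for the lookback window of any scheduled query or alert that counts failed logins, so that late-arriving records are not missed.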
