That's correct: CloudTrail events that are captured by any of your configured trails in the region are delivered to EventBridge, and events not recorded by any of the trails you've configured do not get delivered. It's summarised in this documentation segment: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-eventbridge
The point about some events being reported both by CloudTrail and the underlying service refers to the fact that information about certain types of events is available directly from the underlying service as well as by listening to CloudTrail events. For example, if an EC2 instance is stopped by the customer calling the StopInstances API, it can be observed either by listening to CloudTrail for that API call or by using the EC2 instance state change notification that EC2 delivers to EventBridge without involving CloudTrail: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instance-state-changes.html.
However, while both methods would detect an operator shutting down an instance, the event from EC2 wouldn't say which IAM role or user requested it, while the CloudTrail event would contain that information. On the other hand, the EC2 instance state notification would also respond to an AWS-initiated event or hardware failure, while CloudTrail would only log events requested explicitly by calling an API in your account.
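As an added illustration (not part of the original answer), the Python below puts the two EventBridge event shapes described above side by side and shows what a detection rule can and cannot extract from each. The sample events, account, role and instance ids are constructed placeholders.

```python
from typing import Any, Dict

# Constructed sample: EC2 StopInstances as CloudTrail delivers it to EventBridge.
# Account, role and instance ids are placeholders.
CLOUDTRAIL_EVENT: Dict[str, Any] = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "StopInstances",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/alice"},
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456"}]}},
    },
}

# Constructed sample: the native EC2 notification for the same instance.
STATE_CHANGE_EVENT: Dict[str, Any] = {
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "resources": ["arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc123def456"],
    "detail": {"instance-id": "i-0abc123def456", "state": "stopping"},
}


def summarise(event: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce either event shape to what a responder needs: which instances,
    what happened, and who asked for it.  'actor' is None for the native EC2
    event because that shape carries no IAM identity (and it also fires for
    AWS-initiated stops), which is the trade-off the answer describes."""
    detail = event.get("detail", {})
    kind = event.get("detail-type")
    if kind == "AWS API Call via CloudTrail":
        items = (detail.get("requestParameters", {})
                 .get("instancesSet", {}).get("items", []))
        return {
            "kind": "api-call",
            "action": detail.get("eventName"),
            "instances": [i["instanceId"] for i in items],
            "actor": detail.get("userIdentity", {}).get("arn"),
        }
    if kind == "EC2 Instance State-change Notification":
        return {
            "kind": "state-change",
            "action": detail.get("state"),
            "instances": [detail["instance-id"]],
            "actor": None,
        }
    raise ValueError(f"unhandled detail-type: {kind!r}")
```

A rule that needs to attribute the stop to a principal must therefore consume the CloudTrail-sourced event; the native notification is the one that also catches stops no API call in the account requested.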
Thank you for this clear and thorough answer. Is there also a difference in delivery time of these two mechanisms?
In general, both CloudTrail and other services send messages to EventBridge nearly in real time, but semantics can vary. For example, EC2 might notify about an EBS volume creation completing, while CloudTrail would produce a log entry as soon as the API request is made to create the volume. In many cases, there's no major difference in timing, but with long-lasting operations where the service only notifies about the completion, there can be.