Effective URL: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html



Sending events to CloudWatch Logs - AWS CloudTrail
SENDING EVENTS TO CLOUDWATCH LOGS


When you configure your trail to send events to CloudWatch Logs, CloudTrail
sends only the events that match your trail settings. For example, if you
configure your trail to log data events only, your trail sends data events only
to your CloudWatch Logs log group. CloudTrail supports sending data, Insights,
and management events to CloudWatch Logs. For more information, see Working with
CloudTrail log files.

To send events to a CloudWatch Logs log group:

 * Make sure you have sufficient permissions to create or specify an IAM role.
   For more information, see Granting permission to view and configure Amazon
   CloudWatch Logs information on the CloudTrail console.

 * Create a new trail or specify an existing one. For more information, see
   Creating and updating a trail with the console.

 * Create a log group or specify an existing one.

 * Specify an IAM role. If you are modifying an existing IAM role for an
   organization trail, you must manually update the policy to allow logging for
   the organization trail. For more information, see this policy example and
   Creating a trail for an organization.

 * Attach a role policy or use the default.

Contents

 * Configuring CloudWatch Logs monitoring with the console
   * Creating a log group or specifying an existing log group
   * Specifying an IAM role
   * Viewing events in the CloudWatch console
 * Configuring CloudWatch Logs monitoring with the AWS CLI
   * Creating a log group
   * Creating a role
   * Creating a policy document
   * Updating the trail
 * Limitation


CONFIGURING CLOUDWATCH LOGS MONITORING WITH THE CONSOLE

You can use the AWS Management Console to configure your trail to send events to
CloudWatch Logs for monitoring.


CREATING A LOG GROUP OR SPECIFYING AN EXISTING LOG GROUP

CloudTrail uses a CloudWatch Logs log group as a delivery endpoint for log
events. You can create a log group or specify an existing one.

To create or specify a log group

 1. Make sure you are logged in with an administrative IAM user or role with
    sufficient permissions to configure CloudWatch Logs integration. For more
    information, see Granting permission to view and configure Amazon CloudWatch
    Logs information on the CloudTrail console.

 2. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

 3. Choose the trail name. If you choose a trail that applies to all regions,
    you will be redirected to the region in which the trail was created. You can
    create a log group or choose an existing log group in the same region as the
    trail.
    
    Note
    
    A trail that applies to all regions sends log files from all regions to the
    CloudWatch Logs log group that you specify.

 4. For CloudWatch Logs, choose Configure.

 5. For New or existing log group, type the log group name, and then choose
    Continue. For more information, see CloudWatch log group and log stream
    naming for CloudTrail.

 6. For the IAM role, choose an existing role or create one. If you create an
    IAM role, type a role name.

 7. Choose Allow to grant CloudTrail permissions to create a CloudWatch Logs log
    stream and deliver events.


SPECIFYING AN IAM ROLE

You can specify a role for CloudTrail to assume to deliver events to the log
stream.

To specify a role

 1. By default, the CloudTrail_CloudWatchLogs_Role is specified for you. The
    default role policy has the required permissions to create a CloudWatch Logs
    log stream in a log group that you specify, and to deliver CloudTrail events
    to that log stream.
    
    Note
    
    If you want to use this role for a log group for an organization trail, you
    must manually modify the policy after you create the role. For more
    information, see this policy example and Creating a trail for an
    organization.
    
    1. To verify the role, go to the AWS Identity and Access Management console
       at https://console.aws.amazon.com/iam/.
    
    2. Choose Roles and then choose the CloudTrail_CloudWatchLogs_Role.
    
    3. To see the contents of the role policy, choose View Policy Document.

 2. You can specify another role, but you must attach the required role policy
    to the existing role if you want to use it to send events to CloudWatch
    Logs. For more information, see Role policy document for CloudTrail to use
    CloudWatch Logs for monitoring.




VIEWING EVENTS IN THE CLOUDWATCH CONSOLE

After you configure your trail to send events to your CloudWatch Logs log group,
you can view the events in the CloudWatch console. CloudTrail typically delivers
events to your log group within about 15 minutes of an API call, on average.
This delivery time is not guaranteed. Review the AWS CloudTrail Service Level
Agreement for more information.

To view events in the CloudWatch console

 1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

 2. Choose Logs.

 3. Choose the log group that you specified for your trail.

 4. Choose the log stream name.

 5. To see the details of the event that your trail logged, choose an event.

Note

The Time (UTC) column in the CloudWatch console shows when the event was
delivered to your log group. To see the actual time that the event was logged by
CloudTrail, see the eventTime field.


CONFIGURING CLOUDWATCH LOGS MONITORING WITH THE AWS CLI

You can use the AWS CLI to configure CloudTrail to send events to CloudWatch
Logs for monitoring.


CREATING A LOG GROUP

 1. If you don't have an existing log group, create a CloudWatch Logs log group
    as a delivery endpoint for log events using the CloudWatch Logs
    create-log-group command.
    
    aws logs create-log-group --log-group-name name
    
    The following example creates a log group named CloudTrail/logs:
    
    aws logs create-log-group --log-group-name CloudTrail/logs

 2. Retrieve the log group Amazon Resource Name (ARN) from the output of
    describe-log-groups. The --log-group-name-prefix option narrows the listing
    to the group you just created.
    
    aws logs describe-log-groups --log-group-name-prefix CloudTrail/logs


CREATING A ROLE

Create a role for CloudTrail that enables it to send events to the CloudWatch
Logs log group. The IAM create-role command takes two parameters: a role name
and a file path to an assume role policy document in JSON format. That document
is the role's trust policy: it allows only the CloudTrail service principal
(cloudtrail.amazonaws.com) to call sts:AssumeRole on the role. The create-role
command creates the role with that trust relationship; the permissions that
CloudTrail needs on the log group are granted in the next step, when you attach
the role policy.

To create the JSON file that will contain the policy document, open a text
editor and save the following policy contents in a file called
assume_role_policy_document.json.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Run the following command to create the role with AssumeRole permissions for
CloudTrail.

aws iam create-role --role-name role_name --assume-role-policy-document file://<path to assume_role_policy_document>.json

When the command completes, take a note of the role ARN in the output.


CREATING A POLICY DOCUMENT

Create the following role policy document for CloudTrail. This document grants
CloudTrail the permissions required to create a CloudWatch Logs log stream in
the log group you specify and to deliver CloudTrail events to that log stream.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailCreateLogStream20141101",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream"
      ],
      "Resource": [
        "arn:aws:logs:region:accountID:log-group:log_group_name:log-stream:accountID_CloudTrail_region*"
      ]
    },
    {
      "Sid": "AWSCloudTrailPutLogEvents20141101",
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:region:accountID:log-group:log_group_name:log-stream:accountID_CloudTrail_region*"
      ]
    }
  ]
}

Save the policy document in a file called role-policy-document.json.

If you're creating a policy that might be used for organization trails as well,
you will need to configure it slightly differently. For example, the following
policy grants CloudTrail the permissions required to create a CloudWatch Logs
log stream in the log group you specify and to deliver CloudTrail events to that
log stream for both trails in the AWS account 111111111111 and for organization
trails created in the 111111111111 account that are applied to the AWS
Organizations organization with the ID of o-exampleorgid:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailCreateLogStream20141101",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream"
      ],
      "Resource": [
        "arn:aws:logs:us-east-2:111111111111:log-group:CloudTrail/DefaultLogGroupTest:log-stream:111111111111_CloudTrail_us-east-2*",
        "arn:aws:logs:us-east-2:111111111111:log-group:CloudTrail/DefaultLogGroupTest:log-stream:o-exampleorgid_*"
      ]
    },
    {
      "Sid": "AWSCloudTrailPutLogEvents20141101",
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-2:111111111111:log-group:CloudTrail/DefaultLogGroupTest:log-stream:111111111111_CloudTrail_us-east-2*",
        "arn:aws:logs:us-east-2:111111111111:log-group:CloudTrail/DefaultLogGroupTest:log-stream:o-exampleorgid_*"
      ]
    }
  ]
}

Note that the resource lists above have no trailing comma after the last ARN; a
trailing comma is not valid JSON and IAM rejects the policy document.

For more information about organization trails, see Creating a trail for an
organization.

Run the following command to apply the policy to the role.

aws iam put-role-policy --role-name role_name --policy-name cloudtrail-policy --policy-document file://<path to role-policy-document>.json


UPDATING THE TRAIL

Update the trail with the log group and role information using the CloudTrail
update-trail command.

aws cloudtrail update-trail --name trail_name --cloud-watch-logs-log-group-arn log_group_arn --cloud-watch-logs-role-arn role_arn

For more information about the AWS CLI commands, see the AWS CloudTrail Command
Line Reference.
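The following script is an added example, not code from the AWS documentation. It generates the two documents the AWS CLI procedure above needs (the trust policy for create-role and the role policy for put-role-policy), inserts the organization-trail log-stream pattern when an organization ID is given, and checks the resulting policy against the least-privilege shape of the template on this page before you apply it. The account ID, region, log group name and organization ID in main() are placeholders copied from the page's examples; the region format check is a loose sanity check of this example's own.

```python
"""Generate the IAM documents for the CloudTrail -> CloudWatch Logs role.

Added example (not code from the AWS documentation). It renders the trust
policy and the least-privilege role policy from this page for a given
account, region and log group, adds the organization-trail log-stream
pattern when an org ID is supplied, and checks the result before you feed
it to `aws iam create-role` / `aws iam put-role-policy`. The account ID,
region, log group and organization ID in main() are placeholders.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")  # loose sanity check (assumption)


def log_stream_arns(region, account_id, log_group, org_id=None):
    """ARNs of the only log streams CloudTrail writes, per the page's naming:
    <accountID>_CloudTrail_<region>* for account trails, <orgID>_* for org trails."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account ID must be 12 digits: {account_id!r}")
    if not REGION_RE.match(region):
        raise ValueError(f"unexpected region format: {region!r}")
    base = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:log-stream:"
    arns = [f"{base}{account_id}_CloudTrail_{region}*"]
    if org_id:
        arns.append(f"{base}{org_id}_*")
    return arns


def trust_policy():
    """Assume-role policy: only the CloudTrail service principal may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def role_policy(region, account_id, log_group, org_id=None):
    """Permissions policy: CreateLogStream and PutLogEvents on CloudTrail's streams only."""
    resources = log_stream_arns(region, account_id, log_group, org_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailCreateLogStream20141101", "Effect": "Allow",
             "Action": ["logs:CreateLogStream"], "Resource": resources},
            {"Sid": "AWSCloudTrailPutLogEvents20141101", "Effect": "Allow",
             "Action": ["logs:PutLogEvents"], "Resource": resources},
        ],
    }


ALLOWED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}


def check_role_policy(policy):
    """Findings for a role policy that drifted from the page's template (empty = OK).
    Catches the usual over-grants: extra actions, or resources that reach every
    log group or every stream in the group."""
    findings = []
    for st in policy["Statement"]:
        actions = set(st["Action"]) if isinstance(st["Action"], list) else {st["Action"]}
        if not actions <= ALLOWED_ACTIONS:
            findings.append(f"{st.get('Sid')}: unexpected actions {sorted(actions - ALLOWED_ACTIONS)}")
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for arn in resources:
            if arn == "*" or ":log-group:*" in arn or arn.endswith(":log-stream:*"):
                findings.append(f"{st.get('Sid')}: resource too broad: {arn}")
    return findings


def render(policy):
    """Strict JSON for the CLI: json.dumps never emits the trailing commas IAM rejects."""
    return json.dumps(policy, indent=2)


def main():
    # Placeholders: replace with your own values before running.
    region, account_id = "us-east-2", "111111111111"
    log_group, org_id = "CloudTrail/DefaultLogGroupTest", "o-exampleorgid"
    policy = role_policy(region, account_id, log_group, org_id)
    problems = check_role_policy(policy)
    if problems:
        raise SystemExit("\n".join(problems))
    with open("assume_role_policy_document.json", "w") as f:
        f.write(render(trust_policy()))
    with open("role-policy-document.json", "w") as f:
        f.write(render(policy))
    print("Now run, in order:")
    print("  aws iam create-role --role-name CloudTrail_CloudWatchLogs_Role "
          "--assume-role-policy-document file://assume_role_policy_document.json")
    print("  aws iam put-role-policy --role-name CloudTrail_CloudWatchLogs_Role "
          "--policy-name cloudtrail-policy --policy-document file://role-policy-document.json")
    print("  aws cloudtrail update-trail --name <trail_name> "
          f"--cloud-watch-logs-log-group-arn arn:aws:logs:{region}:{account_id}:log-group:{log_group}:* "
          "--cloud-watch-logs-role-arn <role_arn from create-role output>")


if __name__ == "__main__":
    main()
```

Run it once to write the two JSON files, then run the three printed commands in order. The check function is worth keeping around: the same role is often edited later by hand, and a resource widened to `:log-group:*` or an added `logs:*` action is exactly what it flags.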


LIMITATION

CloudWatch Logs and CloudWatch Events each allow a maximum event size of 256 KB.
Although most service events have a maximum size of 256 KB, some services still
have events that are larger. CloudTrail does not send these events to CloudWatch
Logs or CloudWatch Events.

Starting with CloudTrail event version 1.05, events have a maximum size of 256
KB. This is to help prevent exploitation by malicious actors, and allow events
to be consumed by other AWS services, such as CloudWatch Logs and CloudWatch
Events.
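The following script is an added example, not code from the AWS documentation, covering two caveats from this page: the note under "Viewing events in the CloudWatch console" that the CloudWatch timestamp is delivery time while eventTime is when CloudTrail logged the call, and the limitation above that events over 256 KB are not sent to CloudWatch Logs at all. Because those events never reach the log group, metric filters and alarms built on it cannot fire on them; running this over the log files the trail delivers to S3 shows what the log group is missing. The byte threshold (256 * 1024 bytes of compact JSON) and the sample records are this example's own assumptions, not values from the page.

```python
"""Audit a CloudTrail log file for records CloudWatch Logs will never receive,
and measure the eventTime-to-delivery lag.

Added example (not code from the AWS documentation). CloudTrail does not
forward events above the CloudWatch Logs 256 KB event limit, so alarms on the
log group cannot see them. The byte threshold (256 * 1024 bytes of compact
JSON) and the sample records are this example's assumptions.
"""
import json
from datetime import datetime, timezone

CW_MAX_EVENT_BYTES = 256 * 1024  # assumed reading of "256 KB"


def record_size(record):
    """Approximate size of one record as CloudTrail ships it: one compact JSON object."""
    return len(json.dumps(record, separators=(",", ":")).encode("utf-8"))


def partition_records(log_file):
    """Split a log file ({"Records": [...]}) into (delivered, dropped) by the CW limit."""
    delivered, dropped = [], []
    for rec in log_file["Records"]:
        (dropped if record_size(rec) > CW_MAX_EVENT_BYTES else delivered).append(rec)
    return delivered, dropped


def delivery_lag_seconds(record, cw_timestamp_ms):
    """Seconds from eventTime (when CloudTrail logged the call) to the CloudWatch
    Logs timestamp (when it reached the log group); the page says ~15 min is typical."""
    logged = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    arrived = datetime.fromtimestamp(cw_timestamp_ms / 1000, tz=timezone.utc)
    return (arrived - logged).total_seconds()


def summarize(log_file):
    """What to expect in the log group versus what only the S3 copy holds."""
    delivered, dropped = partition_records(log_file)
    return {
        "in_log_group": [r["eventID"] for r in delivered],
        "not_delivered": [
            {"eventID": r["eventID"], "eventName": r["eventName"], "bytes": record_size(r)}
            for r in dropped
        ],
    }


def sample_log_file():
    """Constructed sample shaped like a CloudTrail log file; the second record
    carries an oversized requestParameters payload so it trips the limit."""
    small = {
        "eventVersion": "1.08", "eventTime": "2022-06-06T10:00:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "awsRegion": "us-east-2", "eventID": "evt-small",
        "requestParameters": {"userName": "example"},
    }
    big = dict(small, eventID="evt-big", eventName="PutBucketPolicy",
               eventSource="s3.amazonaws.com",
               requestParameters={"bucketPolicy": "x" * (300 * 1024)})
    return {"Records": [small, big]}


if __name__ == "__main__":
    import sys
    # Pass a path to a decompressed CloudTrail log file from S3, or run on the sample.
    log = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else sample_log_file()
    print(json.dumps(summarize(log), indent=2))
```

The practical use is a periodic comparison: any eventID that shows up under not_delivered exists only in the trail's S3 log files, so detections for those event types need to read S3 (or CloudTrail Lake) rather than rely on CloudWatch metric filters. The lag function is for the same report; an eventTime far behind the CloudWatch timestamp is delivery delay, not a late API call.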


© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.