CloudTrail Management & Data Events

Data Events (Data Plane Operations)

  • Data events provide visibility into the resource operations performed on or within a resource.

  • They are often high-volume activities.

  • For example:

    • S3 object-level API activity (for example, GetObject, DeleteObject, PutObject).

    • Lambda function execution activity (the Invoke API).

Management Events (Control Plane Operations)

  • Management events provide visibility into management operations that are performed on resources in your AWS account.

  • For example:

    • Configuring security (for example, IAM AttachRolePolicy API operations).

    • Registering devices (for example, EC2 CreateDefaultVpc API operations).

    • Configuring rules for routing data (for example, EC2 CreateSubnet API operations).

    • Setting up logging (for example, CloudTrail CreateTrail API operations).

Read and Write Events

  • When you configure your trail to log management events, you can specify whether you want read-only events, write-only events, or both.

  • Read (API operations that read your resources, but don't make changes):

    • For example, the EC2 DescribeSecurityGroups and DescribeSubnets API operations.

  • Write (API operations that modify (or might modify) your resources):

    • For example, the EC2 RunInstances and TerminateInstances API operations.

KMS Example

  • Read Events:

    • Encrypt, Decrypt, and GenerateDataKey.

  • Write Events:

    • Disable, Delete, and ScheduleKey.
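The two distinctions above (management vs. data plane, read vs. write) show up directly in every CloudTrail record as the `managementEvent` and `readOnly` fields, and a trail's event selector decides which combinations get logged at all. The following Python is an added example, not part of these notes or of any AWS SDK: it classifies a handful of constructed sample records and checks which of them a trail with a given classic event selector (the `ReadWriteType` / `IncludeManagementEvents` / `DataResources` shape accepted by `aws cloudtrail put-event-selectors`) would capture. The bucket, function and account values are invented, and the prefix-matching logic is a simplified model of CloudTrail's behaviour, written here for illustration.

```python
"""Classify CloudTrail records and check which ones a trail's event selector
would capture. The selector and the records below are constructed samples."""

# Constructed trail event selector: write-only, management events on,
# data events for one S3 bucket prefix and for all Lambda functions.
# (The "arn:aws:lambda" prefix is the documented way to select every function.)
TRAIL_SELECTOR = {
    "ReadWriteType": "WriteOnly",          # All | ReadOnly | WriteOnly
    "IncludeManagementEvents": True,
    "DataResources": [
        {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::payroll-data/"]},
        {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]},
    ],
}

# Constructed sample records, trimmed to the fields the logic needs.
# Account id 111122223333 and the bucket/function names are placeholders.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "managementEvent": True, "readOnly": False, "resources": []},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
     "managementEvent": True, "readOnly": True, "resources": []},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "managementEvent": False, "readOnly": True,
     "resources": [{"type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::payroll-data/2024/q1.csv"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "managementEvent": False, "readOnly": False,
     "resources": [{"type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::payroll-data/2024/q2.csv"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "managementEvent": False, "readOnly": False,
     "resources": [{"type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::public-site/index.html"}]},
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "managementEvent": False, "readOnly": False,
     "resources": [{"type": "AWS::Lambda::Function",
                    "ARN": "arn:aws:lambda:us-east-1:111122223333:function:nightly-etl"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "managementEvent": True, "readOnly": True, "resources": []},
]


def classify(record):
    """Return (plane, access), e.g. ('management', 'read'), from the record's
    managementEvent and readOnly fields."""
    plane = "management" if record.get("managementEvent") else "data"
    access = "read" if record.get("readOnly", False) else "write"
    return plane, access


def _read_write_matches(selector, record):
    """Apply the selector's ReadWriteType to the record's readOnly flag."""
    rw = selector.get("ReadWriteType", "All")
    if rw == "All":
        return True
    return record.get("readOnly", False) == (rw == "ReadOnly")


def _data_resource_matches(selector, record):
    """A data event is captured only when some DataResources entry matches
    the record's resource by type and ARN prefix (simplified model)."""
    for dr in selector.get("DataResources", []):
        for res in record.get("resources", []):
            if res.get("type") != dr["Type"]:
                continue
            arn = res.get("ARN", "")
            if any(arn.startswith(prefix) for prefix in dr["Values"]):
                return True
    return False


def would_capture(selector, record):
    """True if a trail with this selector would log the record."""
    if not _read_write_matches(selector, record):
        return False
    plane, _ = classify(record)
    if plane == "management":
        return bool(selector.get("IncludeManagementEvents", True))
    return _data_resource_matches(selector, record)


def summarize(selector, records):
    """List of (eventName, plane, access, captured) for each record."""
    out = []
    for r in records:
        plane, access = classify(r)
        out.append((r["eventName"], plane, access, would_capture(selector, r)))
    return out


if __name__ == "__main__":
    for name, plane, access, captured in summarize(TRAIL_SELECTOR, SAMPLE_RECORDS):
        print(f"{name:24s} {plane:11s} {access:6s} captured={captured}")
```

Running it shows the practical consequence of each knob: a write-only trail drops the DescribeSecurityGroups and Decrypt read events entirely, and the PutObject to `public-site` is also lost because no `DataResources` entry covers that bucket, while the IAM change, the payroll PutObject and the Lambda Invoke are kept. If an investigation depends on seeing reads (for example, who called GetObject on a sensitive bucket), the selector has to say so before the fact; CloudTrail cannot backfill events it was never configured to record.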
