List of AWS CloudTrail Record Fields

2021/3/7, 2 min read

Which fields does CloudTrail record?

CloudTrail natively logs the following fields in each record: eventVersion, userIdentity, eventTime, eventSource, eventName, awsRegion, sourceIPAddress, userAgent, requestParameters, responseElements, requestID, eventID, readOnly, eventType, apiVersion, and more (the example below also shows managementEvent, recipientAccountId and eventCategory). The names are camelCase (eventSource, sourceIPAddress, readOnly), which matters when you key on them in JSON queries or detection rules.

Once CloudTrail is enabled, go to CloudTrail > Event history in the console to view the events it has logged. Event history only holds the last 90 days of management events for the current region; to retain logs longer, or to search them with Athena or a SIEM, create a trail that delivers the log files to an S3 bucket.

Following is an example record. It shows who ran a CloudWatch Logs Insights query (eventSource logs.amazonaws.com, eventName StartQuery), the actual query string in requestParameters, and the caller's source IP address and user agent.

This kind of information is useful when something goes wrong: you can reconstruct the timeline and see who made which change (readOnly: false marks calls that were not read-only). It also serves governance, compliance and operational needs. Note that in the record below the caller is the account's root user and mfaAuthenticated is "false"; root API activity without MFA is exactly the kind of event worth alerting on.

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Root",
        "principalId": "{accountid}",
        "arn": "arn:aws:iam::{accountid}:root",
        "accountId": "{accountid}",
        "accessKeyId": "{access key id}",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2020-07-30T18:08:15Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2021-07-31T03:15:59Z",
    "eventSource": "logs.amazonaws.com",
    "eventName": "StartQuery",
    "awsRegion": "us-west-1",
    "sourceIPAddress": "some IP address",
    "userAgent": "user's agent info",
    "requestParameters": {
        "logGroupNames": [
            "ta-mongo-logs"
        ],
        "startTime": 1627690559,
        "endTime": 1627701359,
        "queryString": "filter @logStream = 'i-01beaaff1a6050989'\n | fields @timestamp, @message\n | stats count()"
    },
    "responseElements": {
        "queryId": "queryid"
    },
    "requestID": "requestid",
    "eventID": "eventid",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "apiVersion": "20140328",
    "managementEvent": true,
    "recipientAccountId": "{accountid}",
    "eventCategory": "Management"
}
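The fields above are most useful when you pull the who/what/where out of each record and run a few rules over them. The following is an added example, not code from the original post or from AWS: it parses a constructed CloudTrail log file body in the "Records" array shape that trails deliver to S3 (the first record mirrors the StartQuery event above with the placeholders filled in with documentation-style dummy values; the second is an invented IAM user event that was denied), summarizes each record, and flags root API calls, calls without MFA, and access-denied errors. The rule names (root-api-call, no-mfa, access-denied) and the helper names are my own.

```python
import json

# Constructed sample log body (not real telemetry). Account id, ARNs, IPs and
# request ids are dummy values; the shape matches CloudTrail's S3 delivery format.
SAMPLE_LOG = r'''
{"Records": [
 {"eventVersion": "1.08",
  "userIdentity": {"type": "Root", "principalId": "123456789012",
    "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012",
    "accessKeyId": "ASIAEXAMPLE",
    "sessionContext": {"sessionIssuer": {}, "webIdFederationData": {},
      "attributes": {"creationDate": "2021-07-30T18:08:15Z", "mfaAuthenticated": "false"}}},
  "eventTime": "2021-07-31T03:15:59Z", "eventSource": "logs.amazonaws.com",
  "eventName": "StartQuery", "awsRegion": "us-west-1",
  "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
  "requestParameters": {"logGroupNames": ["ta-mongo-logs"],
    "queryString": "fields @timestamp, @message | stats count()"},
  "responseElements": {"queryId": "query-1"}, "requestID": "req-1", "eventID": "evt-1",
  "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true,
  "recipientAccountId": "123456789012", "eventCategory": "Management"},
 {"eventVersion": "1.08",
  "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012",
    "accessKeyId": "AKIAEXAMPLE", "userName": "alice"},
  "eventTime": "2021-07-31T03:20:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.2.0",
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:iam::123456789012:user/alice is not authorized to perform: iam:CreateAccessKey",
  "requestParameters": {"userName": "bob"}, "responseElements": null,
  "requestID": "req-2", "eventID": "evt-2", "readOnly": false,
  "eventType": "AwsApiCall", "managementEvent": true,
  "recipientAccountId": "123456789012", "eventCategory": "Management"}
]}
'''


def summarize(record):
    """Extract the who / what / where / when fields from one CloudTrail record."""
    ident = record.get("userIdentity", {})
    # mfaAuthenticated lives under sessionContext.attributes and only exists for
    # session-based calls; for long-term access keys it is absent (treated as no MFA).
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return {
        "time": record["eventTime"],
        "actor": ident.get("arn") or ident.get("principalId"),
        "actor_type": ident.get("type"),
        "mfa": attrs.get("mfaAuthenticated") == "true",
        # service prefix from eventSource plus the API name, e.g. logs:StartQuery
        "action": f"{record['eventSource'].split('.')[0]}:{record['eventName']}",
        "region": record.get("awsRegion"),
        "source_ip": record.get("sourceIPAddress"),
        "read_only": record.get("readOnly"),
        # errorCode is only present when the call failed
        "error": record.get("errorCode"),
    }


def findings(record):
    """Illustrative detection rules; returns the names of the rules that fired."""
    s = summarize(record)
    hits = []
    if s["actor_type"] == "Root":
        hits.append("root-api-call")
    if s["actor_type"] in ("Root", "IAMUser") and not s["mfa"]:
        hits.append("no-mfa")
    if s["error"] in ("AccessDenied", "UnauthorizedOperation"):
        hits.append("access-denied")
    return hits


def scan(log_text):
    """Parse a CloudTrail log body and return (summary, findings) per record, in time order."""
    records = sorted(json.loads(log_text)["Records"], key=lambda r: r["eventTime"])
    return [(summarize(r), findings(r)) for r in records]


if __name__ == "__main__":
    for summary, hits in scan(SAMPLE_LOG):
        flag = f"  <-- {', '.join(hits)}" if hits else ""
        print(f"{summary['time']} {summary['actor']} {summary['action']} "
              f"from {summary['source_ip']} ({summary['region']}){flag}")
```

The MFA check deliberately treats a missing sessionContext as "no MFA": a call signed with a long-term IAM access key never carries mfaAuthenticated, so the rule catches exactly the access-key usage you would want to review. Console sign-ins are a different event (ConsoleLogin) and record MFA separately, so a production rule set needs a second rule for those.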