List of AWS CloudTrail Record Fields
Introduction
AWS CloudTrail helps you record all API calls in your AWS account. It lets you see who is making which changes to the AWS environment.
What Fields Does CloudTrail Display?
CloudTrail natively records the following fields in each log entry: eventVersion, userIdentity, eventTime, eventSource, eventName, awsRegion, sourceIPAddress, userAgent, requestParameters, responseElements, requestID, eventID, readOnly, eventType, apiVersion, and more.
Once you enable CloudTrail logs, you can go to CloudTrail > Event history to view all the logs CloudTrail has recorded.
The record below is one example of what CloudTrail has logged. It shows who ran a CloudWatch query, the actual query, the user's IP address, and their userAgent.
This kind of information is helpful. If something goes wrong, you can review the timeline to see who made a change. Also, it's good for governance, compliance, and operational purposes.
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "Root",
    "principalId": "{accountid}",
    "arn": "arn:aws:iam::{accountid}:root",
    "accountId": "{accountid}",
    "accessKeyId": "{access key id}",
    "sessionContext": {
      "sessionIssuer": {},
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2020-07-30T18:08:15Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2021-07-31T03:15:59Z",
  "eventSource": "logs.amazonaws.com",
  "eventName": "StartQuery",
  "awsRegion": "us-west-1",
  "sourceIPAddress": "some IP address",
  "userAgent": "user's agent info",
  "requestParameters": {
    "logGroupNames": [
      "ta-mongo-logs"
    ],
    "startTime": 1627690559,
    "endTime": 1627701359,
    "queryString": "filter @logStream = 'i-01beaaff1a6050989'\n | fields @timestamp, @message\n | stats count()"
  },
  "responseElements": {
    "queryId": "queryid"
  },
  "requestID": "requestid",
  "eventID": "eventid",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "apiVersion": "20140328",
  "managementEvent": true,
  "recipientAccountId": "{accountid}",
  "eventCategory": "Management"
}
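As an added example (not part of the original page or of any AWS tooling), the following Python reduces a record like the one above to its who/what/when/where fields and flags root activity performed without MFA. The sample record is constructed with placeholder values, and the function and flag names are hypothetical.

```python
import json

# Constructed sample modelled on the record shown above (placeholder values).
SAMPLE_RECORD = json.loads("""
{
  "userIdentity": {
    "type": "Root",
    "arn": "arn:aws:iam::111122223333:root",
    "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}
  },
  "eventTime": "2021-07-31T03:15:59Z",
  "eventSource": "logs.amazonaws.com",
  "eventName": "StartQuery",
  "awsRegion": "us-west-1",
  "sourceIPAddress": "198.51.100.7",
  "readOnly": false
}
""")


def summarize(record):
    """Reduce one CloudTrail record to the who/what/when/where fields."""
    identity = record.get("userIdentity") or {}
    attrs = (identity.get("sessionContext") or {}).get("attributes") or {}
    return {
        "who": identity.get("arn") or identity.get("principalId", "unknown"),
        "identity_type": identity.get("type", "unknown"),
        # mfaAuthenticated is the string "true"/"false", not a JSON boolean.
        "mfa": attrs.get("mfaAuthenticated") == "true",
        "what": f'{record.get("eventSource")}:{record.get("eventName")}',
        "when": record.get("eventTime"),
        "where": record.get("awsRegion"),
        "source_ip": record.get("sourceIPAddress"),
        "read_only": bool(record.get("readOnly", False)),
    }


def findings(record):
    """Return review flags for one record (hypothetical flag names)."""
    s = summarize(record)
    flags = []
    if s["identity_type"] == "Root":
        flags.append("root-activity")
        if not s["mfa"]:
            flags.append("root-without-mfa")
    if not s["read_only"]:
        flags.append("not-read-only")
    return flags
```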
Conclusion
CloudTrail is an essential AWS service for auditing and monitoring API activity across your AWS account. By reviewing CloudTrail logs, you can track changes, investigate incidents, and maintain compliance.