CloudTrail Events
Data Events
- Log the operations performed on or within an AWS resource (object-level and function-level activity).
- Also known as data plane operations.
- Are typically high-volume activities, so enabling them increases log volume and cost.
Example data events include:
- Amazon S3 object-level API activity (for example, the GetObject, DeleteObject, and PutObject API operations)
- AWS Lambda function execution activity (the Invoke API operation)
- Data events are not logged by default when you create a trail.
- To record data events, add the supported resources or resource types (for example, specific S3 buckets or all Lambda functions) whose activity you want to collect to the trail.
Management Events
- Provide information about management operations performed on resources in your AWS account.
- Also known as control plane operations.
- Example management events include:
- Configuring security (for example, IAM AttachRolePolicy API operations)
- Registering devices (for example, Amazon EC2 CreateDefaultVpc API operations)
- Configuring rules for routing data (for example, Amazon EC2 CreateSubnet API operations)
- Setting up logging (for example, AWS CloudTrail CreateTrail API operations)
- Management events can also include non-API events that occur in your account.
- For example, when a user signs in to your account, CloudTrail logs the ConsoleLogin event.
Read-only and Write-only Events
When you configure a trail to log data and management events, you can specify whether you want read-only events, write-only events, both, or none.
- Read-only – Read-only events include API operations that read resources but don't make changes. For example, the Amazon EC2 DescribeSecurityGroups and DescribeSubnets API operations return only information about EC2 resources and don't change any configuration.
- Write-only – Write-only events include API operations that modify (or might modify) resources. For example, the Amazon EC2 RunInstances and TerminateInstances API operations modify instances.
- All – the trail logs both read-only and write-only events.
- None – the trail logs neither read-only nor write-only management events (for example, a trail dedicated to data events only).
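The following Python example is added here by the editor and is not from the original page or from AWS. It pulls the three sections above together: it classifies constructed CloudTrail records as management or data and read-only or write-only using the record's own managementEvent and readOnly fields (falling back to the eventName verb for records that lack them), emulates how a trail's ReadWriteType, IncludeManagementEvents and DataResources settings decide which of those records get delivered, and builds the basic event-selector document that `aws cloudtrail put-event-selectors --event-selectors` accepts. The sample records are abridged and constructed for the example; the bucket name is an assumption.

```python
import json

# Constructed, abridged CloudTrail records for illustration only; not real account data.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "eventCategory": "Data",
     "managementEvent": False, "readOnly": True,
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/report.pdf"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "eventCategory": "Data",
     "managementEvent": False, "readOnly": False,
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/upload.bin"}]},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
     "eventCategory": "Management", "managementEvent": True, "readOnly": True},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "eventCategory": "Management", "managementEvent": True, "readOnly": False},
    # Non-API management event: a console sign-in.
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventCategory": "Management", "managementEvent": True, "readOnly": False},
]

# Verb prefixes CloudTrail treats as read-only; used only when a record lacks the readOnly field.
READ_PREFIXES = ("Describe", "Get", "List", "Head", "Lookup")
API_READ_WRITE_TYPES = ("All", "ReadOnly", "WriteOnly")


def is_read_only(record):
    """Prefer CloudTrail's own readOnly flag; fall back to the eventName verb."""
    if "readOnly" in record:
        return bool(record["readOnly"])
    return record["eventName"].startswith(READ_PREFIXES)


def is_management(record):
    """Management (control plane) vs data (data plane), from the record's own fields."""
    if "managementEvent" in record:
        return bool(record["managementEvent"])
    return record.get("eventCategory") == "Management"


def classify(record):
    plane = "management" if is_management(record) else "data"
    rw = "read-only" if is_read_only(record) else "write-only"
    return plane, rw


def matches_read_write_type(record, read_write_type):
    """Emulate the trail's ReadWriteType filter (API values: All, ReadOnly, WriteOnly)."""
    if read_write_type not in API_READ_WRITE_TYPES:
        raise ValueError(f"unknown ReadWriteType {read_write_type!r}")
    if read_write_type == "All":
        return True
    return is_read_only(record) == (read_write_type == "ReadOnly")


def select_events(records, read_write_type, include_management, data_resource_types=()):
    """Return the eventNames a trail with these settings would deliver.

    The console's 'None' choice for management events corresponds to
    include_management=False; data events are delivered only for resource
    types explicitly added to the trail, which is why an empty
    data_resource_types drops every data event (the default for a new trail).
    """
    delivered = []
    for record in records:
        if not matches_read_write_type(record, read_write_type):
            continue
        if is_management(record):
            if include_management:
                delivered.append(record["eventName"])
        else:
            types = {res["type"] for res in record.get("resources", [])}
            if types & set(data_resource_types):
                delivered.append(record["eventName"])
    return delivered


def build_event_selector(read_write_type, include_management, data_resources):
    """Build the basic EventSelectors document for `aws cloudtrail put-event-selectors`.

    data_resources maps a resource type (e.g. 'AWS::S3::Object', 'AWS::Lambda::Function')
    to the ARN prefixes to log; a bucket ARN ending in '/' covers all objects in it.
    """
    if read_write_type not in API_READ_WRITE_TYPES:
        raise ValueError(f"unknown ReadWriteType {read_write_type!r}")
    return [{
        "ReadWriteType": read_write_type,
        "IncludeManagementEvents": bool(include_management),
        "DataResources": [{"Type": t, "Values": list(v)} for t, v in data_resources.items()],
    }]


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(f"{r['eventName']:<24} {classify(r)}")
    print("default new trail delivers:", select_events(SAMPLE_RECORDS, "All", True))
    selector = build_event_selector("WriteOnly", True, {"AWS::S3::Object": ["arn:aws:s3:::example-bucket/"]})
    # Pass this JSON to: aws cloudtrail put-event-selectors --trail-name <trail> --event-selectors '<json>'
    print(json.dumps(selector, indent=2))
```

The default-trail call above returns only the three management events, which is the page's point that data events are off until you add resources; switching to WriteOnly with S3 objects added drops GetObject and DescribeSecurityGroups but keeps PutObject, AttachRolePolicy and ConsoleLogin.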