What are the differences between data events and management events in CloudTrail?

2 minute read

I want to understand the differences between data events and management events in AWS CloudTrail.

Resolution

CloudTrail data events

CloudTrail data events, also known as data plane operations, show operations that occur on resources in your AWS account.

The following are examples of data events:

Amazon Simple Storage Service (Amazon S3) object-level API activity. For example, GetObject, DeleteObject, and PutObject API operations.
AWS Lambda function invocation activity. For example, Invoke API operations.
Amazon DynamoDB item-level API activity on tables. For example, PutItem, DeleteItem, and UpdateItem API operations.

By default, trails don't log data events, and data events don't appear in CloudTrail event history. To activate data event logging, you must add the supported resources or resource types to a trail. To view data events, check your CloudTrail log files in the Amazon S3 console.

Note: Additional charges can apply for logging data events. For more information, see AWS CloudTrail pricing.

CloudTrail management events

CloudTrail management events, also known as control plane operations, show management operations that occur on resources in your account. CloudTrail logs management events when you take the following actions:

Create an Amazon S3 bucket
Create and manage AWS Identity and Access Management (IAM) resources
Register devices
Configure routing table rules
Set up logging

By default, CloudTrail logs management events across AWS services. You can access and download the last 90 days of management events with CloudTrail event history or the LookupEvents API.

Note: You can create a trail to store one copy of management events in Amazon S3 beyond the 90-day retention period. Additional copies of management events can incur a charge. For more information, see AWS CloudTrail pricing.

View CloudTrail data events and management events in your S3 bucket

You can use Amazon Athena to view CloudTrail data events and management events in your Amazon S3 bucket. For instructions, see How do I automatically create tables in Athena to search through CloudTrail logs?

Related information

How CloudTrail works

CloudTrail supported services and integrations

How do I use CloudTrail to review what API calls and actions have occurred in my AWS account?

Topics: Management & Governance
Tags: AWS CloudTrail
Language: English

AWS OFFICIALUpdated 10 months ago

No comments

Relevant content

How to know if a CloudTrail event is a Management Event or Data Event?
Accepted Answer
tasnime
asked 4 years ago
Many AWS Step Functions events in CloudTrail are considered "Management Events", but should be "Data Events"
bchecketts
asked 4 years ago
Does the IAM Access Analyzer consider Data Events as well as Management Events in CloudTrail Trail logs?
Accepted Answer
rePost-User-3291816
asked 3 years ago
Cloudtrail Management Events in Security Lake
Steven
asked 2 years ago
Data events doesn't log in Cloudtrail
kangjwme
asked 2 years ago
How do I use CloudTrail to log Amazon Q Developer events that my IDE or CLI provides?
AWS OFFICIALUpdated a year ago
Why don't Amazon S3 object-level API actions appear in my CloudTrail Event history?
AWS OFFICIALUpdated a year ago
How can I optimize CloudTrail costs and still maintain compliance?
AWS OFFICIALUpdated 3 months ago
How do I use CloudWatch alarms to monitor CloudTrail events?
AWS OFFICIALUpdated 2 years ago
Proactive Strategies for Optimizing AWS CloudTrail Lake Usage
EXPERT
Georges
published a year ago