Events
AWS CloudTrail records different categories of events that occur in your AWS environment. Understanding these event types is essential for configuring your trails to capture the right level of detail for your security, compliance, and operational needs.
Event Types Overview
Prism's CloudTrail integration supports four categories of events:
| Event Type | What It Captures | Use Case |
|---|---|---|
| Management Events | Control plane API calls that create, modify, or delete AWS resources | Security auditing, compliance, change tracking |
| Data Events | Data plane operations on resources (e.g., S3 object reads, Lambda invocations) | Data access auditing, sensitive resource monitoring |
| Insight Events | Anomalous API activity patterns | Threat detection, unusual activity alerting |
| Network Activity Events | Network-level activity through VPC endpoints | Network security monitoring, VPC endpoint auditing |
Event Configuration in Prism
You configure events in two places within the CloudTrail area of Prism:
- Create Trail wizard -- Step 4 -- Set the initial event configuration when creating a new trail
- Edit Trail -- Modify event configuration on an existing trail
Both interfaces provide the same event configuration options.
Management Events vs. Data Events
The distinction between management events and data events is one of the most important concepts in CloudTrail:
- Management events (also called control plane events) record actions that manage your AWS resources. Examples include creating an S3 bucket (CreateBucket), launching an EC2 instance (RunInstances), or modifying a security group (AuthorizeSecurityGroupIngress). Management events are enabled by default and answer the "who did what to which resource" question.
- Data events (also called data plane events) record actions performed on the data within resources. Examples include reading an object from S3 (GetObject), invoking a Lambda function (Invoke), or querying a DynamoDB table (GetItem). Data events are not enabled by default because they can generate very high volumes of log data.
Read vs. Write Events
Both management events and data events can be filtered by operation type:
| Filter | What It Captures | Examples |
|---|---|---|
| All | Both read and write operations | All API activity |
| ReadOnly | Operations that read data or metadata but do not make changes | DescribeInstances, GetObject, ListBuckets |
| WriteOnly | Operations that create, modify, or delete resources or data | CreateBucket, PutObject, TerminateInstances |
If you are primarily interested in change tracking and security auditing, filtering to WriteOnly can significantly reduce log volume while still capturing all modifications. Use All for comprehensive auditing, or ReadOnly if you need to audit data access patterns.
Cost and Volume Considerations
Different event types have different impacts on log volume and associated costs:
| Event Type | Typical Volume | Cost Impact |
|---|---|---|
| Management Events | Low to moderate | Included in free tier (first trail) |
| Data Events | Can be very high | Charged per event |
| Insight Events | Low (only anomalies) | Charged per insight event analyzed |
| Network Activity Events | Moderate to high | Charged per event |
Data events for high-traffic resources (like frequently accessed S3 buckets or heavily invoked Lambda functions) can generate millions of events per day. Use resource ARN filters to limit data event logging to specific resources when possible.
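To gauge how a read/write filter and resource ARN filters would change log volume before you edit a trail, the following script (an added example, not part of the Prism documentation or product) dry-runs a selector configuration over constructed sample records. It assumes the CloudTrail record fields eventCategory, readOnly and resources[].ARN and the prefix semantics of ARN filters; the ARNs and event mix are made up.

```python
from collections import Counter

# Constructed sample records using real CloudTrail record field names
# (eventCategory, eventName, readOnly, resources[].ARN); all values are made up.
SAMPLE_RECORDS = [
    {"eventCategory": "Management", "eventName": "CreateBucket", "readOnly": False, "resources": []},
    {"eventCategory": "Management", "eventName": "DescribeInstances", "readOnly": True, "resources": []},
    {"eventCategory": "Management", "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False, "resources": []},
    {"eventCategory": "Data", "eventName": "GetObject", "readOnly": True, "resources": [{"ARN": "arn:aws:s3:::payroll-bucket/q1.csv"}]},
    {"eventCategory": "Data", "eventName": "PutObject", "readOnly": False, "resources": [{"ARN": "arn:aws:s3:::payroll-bucket/q2.csv"}]},
    {"eventCategory": "Data", "eventName": "GetObject", "readOnly": True, "resources": [{"ARN": "arn:aws:s3:::public-assets/logo.png"}]},
    {"eventCategory": "Data", "eventName": "Invoke", "readOnly": False, "resources": [{"ARN": "arn:aws:lambda:us-east-1:123456789012:function:ingest"}]},
]

def matches_read_write(record, read_write):
    """Apply the All / ReadOnly / WriteOnly filter to one record."""
    if read_write == "All":
        return True
    if read_write == "ReadOnly":
        return record.get("readOnly") is True
    if read_write == "WriteOnly":
        return record.get("readOnly") is False
    raise ValueError(f"unknown read/write filter: {read_write!r}")

def matches_arn_prefix(record, arn_prefixes):
    """Resource ARN filters are prefix matches: 'arn:aws:s3:::bucket/' covers every object in the bucket."""
    return any(res.get("ARN", "").startswith(prefix)
               for res in record.get("resources", []) for prefix in arn_prefixes)

def simulate_trail(records, read_write="WriteOnly", log_management=True, data_arn_prefixes=()):
    """Return the records a trail configured with these selectors would capture.

    Management events are kept when enabled; data events are kept only when a
    resource ARN matches one of the configured prefixes (no prefixes = no data events).
    """
    kept = []
    for rec in records:
        if not matches_read_write(rec, read_write):
            continue
        if rec["eventCategory"] == "Management" and log_management:
            kept.append(rec)
        elif rec["eventCategory"] == "Data" and matches_arn_prefix(rec, data_arn_prefixes):
            kept.append(rec)
    return kept

def volume_by_category(records):
    """Count kept records per event category, which is what drives log volume and cost."""
    return dict(Counter(rec["eventCategory"] for rec in records))
```

Run it against a day's worth of exported records from an existing trail to compare candidate selector settings side by side.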
Related Pages
- Management Events -- Detailed management events reference
- Data Events -- Detailed data events reference
- Insight Events -- Detailed insight events reference
- Network Activity Events -- Detailed network activity events reference
- Event Configuration -- Configuring events during trail creation
- Edit Trail -- Modifying events on an existing trail