Data Events
Data events provide visibility into data plane operations performed on or within AWS resources. Unlike management events that track resource-level changes, data events track the operations performed on the data itself.
What Are Data Events?
Data events (also called data plane events) capture API activity that reads or modifies the data within AWS resources. They answer the question: "Who accessed or modified data in this resource, and when?"
Examples of Data Events
| AWS Service | Resource Type | Example API Calls |
|---|---|---|
| Amazon S3 | AWS::S3::Object | GetObject, PutObject, DeleteObject |
| AWS Lambda | AWS::Lambda::Function | Invoke |
| Amazon DynamoDB | AWS::DynamoDB::Table | GetItem, PutItem, Query, Scan |
Data events are not enabled by default because they can generate very high volumes of log data. You must explicitly add data event selectors to capture them.
Supported Resource Types
The Prism CloudTrail supports three resource types for data event logging:
| Resource Type | Description |
|---|---|
| AWS::S3::Object | Operations on objects in S3 buckets (reads, writes, deletes) |
| AWS::Lambda::Function | Lambda function invocations |
| AWS::DynamoDB::Table | Operations on items in DynamoDB tables |
Configuring Data Event Selectors
Each data event selector defines which resource type and operations to capture.
Adding a Selector
In the Event Configuration step or Edit Trail page:
- Click Add Data Event Selector
- Choose a Resource Type from the dropdown
- Set the Read/Write filter
- Optionally specify Resource ARNs to narrow the scope
Selector Fields
| Field | Required | Description |
|---|---|---|
| Resource Type | Yes | The AWS resource type to monitor (see table above). |
| Read/Write | Yes | Which operations to capture: All (default), ReadOnly, or WriteOnly. |
| Resource ARNs | No | Comma-separated list of specific resource ARNs to monitor. Leave empty to capture events for all resources of the selected type. |
Read/Write Filtering
| Option | What It Captures | Examples |
|---|---|---|
| All | Both read and write data operations | GetObject, PutObject, Invoke, GetItem, PutItem |
| ReadOnly | Operations that read data without modifying it | GetObject, GetItem, Query, Scan |
| WriteOnly | Operations that create, modify, or delete data | PutObject, DeleteObject, PutItem |
Filtering by Resource ARN
You can optionally restrict a data event selector to specific resources by providing their ARNs. This is useful for monitoring only sensitive or critical resources.
Examples:
- Monitor a specific S3 bucket: arn:aws:s3:::my-sensitive-bucket/
- Monitor a specific Lambda function: arn:aws:lambda:us-east-1:123456789012:function:my-function
- Monitor a specific DynamoDB table: arn:aws:dynamodb:us-east-1:123456789012:table/my-table
Enter multiple ARNs as a comma-separated list.
When no ARNs are specified, the selector captures events for all resources of the selected type across all accounts in the trail. Use ARN filters to reduce log volume and focus on resources that require auditing.
Multiple Selectors
You can add multiple data event selectors to a single trail. Each selector operates independently. For example, you might have:
- One selector for AWS::S3::Object filtered to WriteOnly operations on a specific bucket
- Another selector for AWS::Lambda::Function capturing All operations
- A third selector for AWS::DynamoDB::Table capturing ReadOnly operations
To remove a selector, click the remove button on the selector.
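The selector semantics described above (the Read/Write filter, the optional ARN scope, and independent evaluation of multiple selectors) as an added Python model; this is example code, not Prism's implementation. It assumes records in the CloudTrail JSON layout (eventName, readOnly, resources[].type and resources[].ARN) and treats an ARN ending in "/" as a bucket-wide prefix, which is an assumption about how the bucket ARN form shown above is interpreted.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class DataEventSelector:
    resource_type: str                  # e.g. "AWS::S3::Object"
    read_write: str = "All"             # "All", "ReadOnly" or "WriteOnly"
    resource_arns: List[str] = field(default_factory=list)  # empty list = all resources of the type

    def matches(self, record: Dict) -> bool:
        # Read/Write filter: ReadOnly keeps reads, WriteOnly keeps writes, All keeps both.
        if self.read_write == "ReadOnly" and not record["readOnly"]:
            return False
        if self.read_write == "WriteOnly" and record["readOnly"]:
            return False
        for res in record.get("resources", []):
            if res.get("type") != self.resource_type:
                continue
            if not self.resource_arns:          # no ARN filter: whole resource type is in scope
                return True
            for arn in self.resource_arns:
                # Assumption: an ARN ending in "/" (bucket scope) is a prefix; others match exactly.
                if res["ARN"] == arn or (arn.endswith("/") and res["ARN"].startswith(arn)):
                    return True
        return False

def captured_events(records: List[Dict], selectors: List[DataEventSelector]) -> List[str]:
    """eventNames captured by at least one selector; selectors are evaluated independently."""
    return [r["eventName"] for r in records if any(s.matches(r) for s in selectors)]

def rec(name: str, read_only: bool, rtype: str, arn: str) -> Dict:
    """Build a minimal CloudTrail-style record (constructed sample data, not a real log)."""
    return {"eventName": name, "readOnly": read_only, "resources": [{"type": rtype, "ARN": arn}]}

S3, LAMBDA, DDB = "AWS::S3::Object", "AWS::Lambda::Function", "AWS::DynamoDB::Table"
SAMPLE_RECORDS = [
    rec("PutObject", False, S3, "arn:aws:s3:::my-sensitive-bucket/report.csv"),
    rec("GetObject", True, S3, "arn:aws:s3:::my-sensitive-bucket/report.csv"),
    rec("PutObject", False, S3, "arn:aws:s3:::public-assets/logo.png"),
    rec("Invoke", False, LAMBDA, "arn:aws:lambda:us-east-1:123456789012:function:my-function"),
    rec("Scan", True, DDB, "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"),
    rec("PutItem", False, DDB, "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"),
]

# The three-selector configuration from the "Multiple Selectors" section above.
SELECTORS = [
    DataEventSelector(S3, "WriteOnly", ["arn:aws:s3:::my-sensitive-bucket/"]),
    DataEventSelector(LAMBDA, "All"),
    DataEventSelector(DDB, "ReadOnly"),
]
```

Running `captured_events(SAMPLE_RECORDS, SELECTORS)` keeps only the write to the sensitive bucket, the Lambda invocation and the DynamoDB read; the read of the sensitive bucket, the write to the other bucket and the DynamoDB write are dropped by the WriteOnly, ARN and ReadOnly filters respectively.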
Volume and Cost Considerations
Data events can generate extremely high log volumes depending on the resources being monitored. A frequently accessed S3 bucket or a heavily invoked Lambda function can produce millions of events per day. Consider the following strategies to manage volume:
- Use WriteOnly filtering if you only need change tracking
- Specify Resource ARNs to limit monitoring to specific resources
- Start with critical resources and expand coverage gradually
Best Practices
- Start small -- Begin by monitoring only your most sensitive or critical resources
- Use ARN filters -- Avoid logging all data events for high-traffic resource types like S3
- Filter by write operations -- If you only care about data modifications, use WriteOnly to reduce volume
- Monitor costs -- Review your CloudTrail billing after enabling data events to ensure costs are within expectations
- Combine with management events -- Data events complement management events for a complete audit picture
Related Pages
- Events Overview -- Overview of all event types
- Management Events -- Control plane event configuration
- Insight Events -- Anomaly detection events
- Event Configuration -- Configuring events during trail creation