Management Events
Management events provide visibility into control plane operations performed on AWS resources in your accounts. These events capture API calls that create, modify, delete, or manage the configuration of AWS resources.
What Are Management Events?
Management events (also called control plane events) are API actions that operate on the resources themselves rather than the data within them. They answer the question: "Who made what change to which AWS resource, and when?"
Examples of Management Events
| AWS Service | Example API Calls |
|---|---|
| Amazon S3 | CreateBucket, DeleteBucket, PutBucketPolicy |
| Amazon EC2 | RunInstances, TerminateInstances, AuthorizeSecurityGroupIngress |
| AWS IAM | CreateUser, AttachRolePolicy, DeleteAccessKey |
| Amazon RDS | CreateDBInstance, ModifyDBInstance, DeleteDBCluster |
| AWS Lambda | CreateFunction, UpdateFunctionConfiguration, DeleteFunction |
| Amazon DynamoDB | CreateTable, UpdateTable, DeleteTable |
| AWS CloudFormation | CreateStack, UpdateStack, DeleteStack |
Configuration Options
Enable/Disable
Management events are enabled by default when creating a new trail. You can toggle them off if you only need to capture data events, insight events, or network activity events.
Disabling management events means you lose visibility into all resource-level API activity. This is not recommended for most use cases. Only disable management events if you have a specific reason, such as a dedicated trail for data events only.
Read/Write Type
Filter which management events are captured based on the operation type:
| Option | Description | Examples |
|---|---|---|
| All (default) | Captures both read and write management events | All management API activity |
| ReadOnly | Only captures events that read resource metadata or configuration | DescribeInstances, ListBuckets, GetBucketPolicy |
| WriteOnly | Only captures events that create, modify, or delete resources | CreateBucket, RunInstances, DeleteTable |
Exclude AWS KMS Events
When checked, AWS Key Management Service (KMS) events are excluded from the trail logs.
Why exclude KMS events? Many AWS services make frequent calls to KMS for encryption and decryption operations. In environments with encryption enabled on S3, EBS, RDS, and other services, KMS events can account for a large percentage of total management event volume. Excluding them reduces log size and storage costs.
Common KMS API calls that are excluded:
- Encrypt
- Decrypt
- GenerateDataKey
- ReEncrypt
- GenerateDataKeyWithoutPlaintext
If you do not actively analyze KMS events, excluding them is a good way to reduce log volume without sacrificing meaningful security audit data. Resource creation and deletion events for KMS keys themselves are still captured.
Exclude Amazon RDS Data API Events
When checked, Amazon RDS Data API events are excluded from the trail logs.
Why exclude RDS Data API events? Applications that use the RDS Data API (commonly used with Aurora Serverless) make frequent API calls for every database query. These can generate high volumes of management events. Excluding them keeps your logs focused on resource management activity.
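The read/write type and the two exclusion options above correspond to fields of a CloudTrail event selector. The following added example (not part of this documentation or of Prism) builds that selector from the options and applies the same filtering rules to a constructed handful of CloudTrail-style records, so you can estimate how much volume each option removes before changing a trail. The assumption is that an excluded source drops every management event from that source and that the read/write filter is decided by the record's readOnly flag.

```python
import json
from collections import Counter

# Event sources that the "Exclude AWS KMS events" and "Exclude Amazon RDS Data API
# events" options map to in a CloudTrail event selector.
KMS_SOURCE = "kms.amazonaws.com"
RDS_DATA_SOURCE = "rdsdata.amazonaws.com"


def build_event_selector(read_write_type="All", exclude_kms=False, exclude_rds_data=False):
    """Translate the management-event options into a CloudTrail event selector dict."""
    if read_write_type not in ("All", "ReadOnly", "WriteOnly"):
        raise ValueError(f"unknown read/write type: {read_write_type}")
    excluded = []
    if exclude_kms:
        excluded.append(KMS_SOURCE)
    if exclude_rds_data:
        excluded.append(RDS_DATA_SOURCE)
    return {"ReadWriteType": read_write_type, "IncludeManagementEvents": True,
            "ExcludeManagementEventSources": excluded}


def keeps(record, selector):
    """Return True if a CloudTrail record would be delivered under the selector (assumed semantics)."""
    if not record.get("managementEvent", False):
        return False  # data events are configured separately, not by this selector
    if record["eventSource"] in selector["ExcludeManagementEventSources"]:
        return False
    read_only = record.get("readOnly", False)
    if selector["ReadWriteType"] == "ReadOnly" and not read_only:
        return False
    if selector["ReadWriteType"] == "WriteOnly" and read_only:
        return False
    return True


def volume_by_source(records, selector):
    """Count surviving records per eventSource to see what each option removes."""
    return Counter(r["eventSource"] for r in records if keeps(r, selector))


# Constructed sample records with only the fields the filter needs (not real log data).
SAMPLE_RECORDS = [
    {"eventSource": s, "eventName": n, "readOnly": ro, "managementEvent": m}
    for s, n, ro, m in [
        ("kms.amazonaws.com", "Decrypt", True, True), ("kms.amazonaws.com", "GenerateDataKey", True, True),
        ("kms.amazonaws.com", "Decrypt", True, True), ("rdsdata.amazonaws.com", "ExecuteStatement", False, True),
        ("ec2.amazonaws.com", "DescribeInstances", True, True), ("ec2.amazonaws.com", "RunInstances", False, True),
        ("iam.amazonaws.com", "AttachRolePolicy", False, True), ("s3.amazonaws.com", "GetObject", True, False),
    ]
]

if __name__ == "__main__":
    for sel in (build_event_selector(), build_event_selector("All", True, True)):
        print(json.dumps(sel), dict(volume_by_source(SAMPLE_RECORDS, sel)))
```

Run it against an export of your own trail (one JSON record per element, the same field names) to see the counts for your environment instead of the constructed sample.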
Configuration in Prism
You configure management events in two places:
- Create Trail -- Step 4 (Event Configuration) -- During initial trail creation
- Edit Trail -- On an existing trail
The configuration interface provides toggle and checkbox controls for all options described above.
Best Practices
- Keep management events enabled -- They are the foundation of your AWS audit trail
- Start with "All" read/write -- Narrow to ReadOnly or WriteOnly only after understanding your log patterns
- Consider KMS exclusion -- In most environments, excluding KMS events significantly reduces noise
- Review RDS Data API usage -- Exclude if your application makes frequent Data API calls
Related Pages
- Events Overview -- Overview of all event types
- Data Events -- Data plane event configuration
- Insight Events -- Anomaly detection events
- Event Configuration -- Configuring events during trail creation