Network Activity Events
Network activity events provide visibility into VPC endpoint network activity in your AWS accounts. These events capture network-level actions that flow through VPC endpoints, letting you monitor which AWS services are being accessed from within your VPCs.
What Are Network Activity Events?
Network activity events record API activity that passes through VPC endpoints (AWS PrivateLink). While management events and data events capture API calls at the service level, network activity events capture the network-level perspective of those calls as they traverse your VPC endpoints.
This is particularly useful for:
- Network security monitoring -- Identify which AWS services are being accessed from your VPCs
- VPC endpoint auditing -- Verify that VPC endpoints are being used as intended
- Compliance -- Demonstrate that traffic to AWS services stays within your private network
- Anomaly detection -- Identify unexpected service access patterns through VPC endpoints
Configuring Network Activity Selectors
Network activity events are configured through selectors, where each selector specifies an AWS service event source to monitor.
Adding a Selector
In the Event Configuration step or Edit Trail page:
- Click Add Network Activity Selector
- Enter or select an Event Source from the autocomplete dropdown
- Repeat to add additional selectors for other AWS services
Event Source Field
| Property | Value |
|---|---|
| Type | Autocomplete with custom input |
| Required | Yes |
| Format | AWS service endpoint (e.g., ec2.amazonaws.com) |
The event source identifies the AWS service whose VPC endpoint network activity you want to capture.
Suggested Event Sources
The autocomplete provides suggestions for the following AWS service endpoints:
| Event Source | AWS Service |
|---|---|
| aco-automation.amazonaws.com | AWS ACO Automation |
| appconfig.amazonaws.com | AWS AppConfig |
| application-signals.amazonaws.com | Amazon CloudWatch Application Signals |
| appmesh.amazonaws.com | AWS App Mesh |
| athena.amazonaws.com | Amazon Athena |
| b2bi.amazonaws.com | AWS B2B Data Interchange |
| backup-gateway.amazonaws.com | AWS Backup Gateway |
| bcm-data-exports.amazonaws.com | AWS Billing and Cost Management Data Exports |
| bcm-pricing-calculator.amazonaws.com | AWS Pricing Calculator |
| bedrock.amazonaws.com | Amazon Bedrock |
| billing.amazonaws.com | AWS Billing |
| cassandra.amazonaws.com | Amazon Keyspaces (for Apache Cassandra) |
| ce.amazonaws.com | AWS Cost Explorer |
| cloudcontrolapi.amazonaws.com | AWS Cloud Control API |
| cloudformation.amazonaws.com | AWS CloudFormation |
| cloudhsm.amazonaws.com | AWS CloudHSM |
| cloudtrail.amazonaws.com | AWS CloudTrail |
| codedeploy.amazonaws.com | AWS CodeDeploy |
| comprehend.amazonaws.com | Amazon Comprehend |
| comprehendmedical.amazonaws.com | Amazon Comprehend Medical |
| config.amazonaws.com | AWS Config |
| ds.amazonaws.com | AWS Directory Service |
| dynamodb.amazonaws.com | Amazon DynamoDB |
| ec2.amazonaws.com | Amazon EC2 |
| ecs.amazonaws.com | Amazon ECS |
| elasticfilesystem.amazonaws.com | Amazon EFS |
| elasticloadbalancing.amazonaws.com | Elastic Load Balancing |
| events.amazonaws.com | Amazon EventBridge |
| firehose.amazonaws.com | Amazon Data Firehose |
| frauddetector.amazonaws.com | Amazon Fraud Detector |
| freetier.amazonaws.com | AWS Free Tier |
| fsx.amazonaws.com | Amazon FSx |
| glue.amazonaws.com | AWS Glue |
| healthlake.amazonaws.com | Amazon HealthLake |
| invoicing.amazonaws.com | AWS Invoicing |
| iot.amazonaws.com | AWS IoT Core |
| iotfleetwise.amazonaws.com | AWS IoT FleetWise |
| iotsecuredtunneling.amazonaws.com | AWS IoT Secure Tunneling |
| kms.amazonaws.com | AWS Key Management Service |
| lakeformation.amazonaws.com | AWS Lake Formation |
| lambda.amazonaws.com | AWS Lambda |
| license-manager.amazonaws.com | AWS License Manager |
| lookoutequipment.amazonaws.com | Amazon Lookout for Equipment |
| lookoutvision.amazonaws.com | Amazon Lookout for Vision |
| monitoring.amazonaws.com | Amazon CloudWatch |
| personalize.amazonaws.com | Amazon Personalize |
| qbusiness.amazonaws.com | Amazon Q Business |
| rds.amazonaws.com | Amazon RDS |
| rekognition.amazonaws.com | Amazon Rekognition |
| rolesanywhere.amazonaws.com | AWS IAM Roles Anywhere |
| s3.amazonaws.com | Amazon S3 |
| sagemaker.amazonaws.com | Amazon SageMaker |
| scheduler.amazonaws.com | Amazon EventBridge Scheduler |
| secretsmanager.amazonaws.com | AWS Secrets Manager |
| servicediscovery.amazonaws.com | AWS Cloud Map |
| sns.amazonaws.com | Amazon SNS |
| sqs.amazonaws.com | Amazon SQS |
| ssm-contacts.amazonaws.com | AWS Systems Manager Incident Manager Contacts |
| ssm.amazonaws.com | AWS Systems Manager |
| storagegateway.amazonaws.com | AWS Storage Gateway |
| swf.amazonaws.com | Amazon SWF |
| textract.amazonaws.com | Amazon Textract |
| transcribe.amazonaws.com | Amazon Transcribe |
| transcribestreaming.amazonaws.com | Amazon Transcribe Streaming |
| transform.amazonaws.com | AWS Glue DataBrew |
| translate.amazonaws.com | Amazon Translate |
| user-subscriptions.amazonaws.com | AWS User Subscriptions |
| verifiedpermissions.amazonaws.com | Amazon Verified Permissions |
| voiceid.amazonaws.com | Amazon Connect Voice ID |
| workmail.amazonaws.com | Amazon WorkMail |
| workmailmessageflow.amazonaws.com | Amazon WorkMail Message Flow |
Multiple Selectors
You can add multiple network activity selectors to monitor different AWS services simultaneously. Each selector operates independently.
To remove a selector, click the remove button on the selector.
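The selectors described above are, underneath, CloudTrail advanced event selectors with an `eventCategory` of `NetworkActivity` and an `eventSource` filter. The following is an added example, not code from Prism or AWS: it validates Event Source values in the format the field expects, builds one independent selector per service, and optionally narrows a selector to requests the VPC endpoint policy rejected. The assumption that each Prism selector corresponds to one such CloudTrail selector, and the helper names (`build_network_activity_selectors`, `apply_to_trail`), are this example's own.

```python
"""Build CloudTrail advanced event selectors for network activity events.

Added example, not code from Prism. It assumes that each Prism selector maps
to one CloudTrail advanced event selector with eventCategory "NetworkActivity"
and an eventSource filter (the CloudTrail API that network activity events
are configured through); the helper names are this example's own.
"""
import json
import re

# Event Source format check: a service endpoint name such as ec2.amazonaws.com.
EVENT_SOURCE_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.amazonaws\.com$")


def validate_event_source(source):
    """Trim and lower-case one event source; raise ValueError if it is not a service endpoint name."""
    source = source.strip().lower()
    if not EVENT_SOURCE_RE.match(source):
        raise ValueError(f"not an AWS service endpoint name: {source!r}")
    return source


def build_network_activity_selectors(event_sources, denied_only=False):
    """Return one advanced event selector per event source (each operates independently).

    With denied_only=True an errorCode filter is added so that only requests the
    VPC endpoint policy rejected (VpceAccessDenied) are recorded for that source.
    Duplicate sources are collapsed so the trail does not get two identical selectors.
    """
    selectors = []
    for source in dict.fromkeys(validate_event_source(s) for s in event_sources):
        fields = [
            {"Field": "eventCategory", "Equals": ["NetworkActivity"]},
            {"Field": "eventSource", "Equals": [source]},
        ]
        if denied_only:
            fields.append({"Field": "errorCode", "Equals": ["VpceAccessDenied"]})
        selectors.append({"Name": f"Network activity: {source}", "FieldSelectors": fields})
    return selectors


def apply_to_trail(trail_name, selectors):
    """Write the selectors to a trail with boto3 (network call, not exercised offline).

    PutEventSelectors replaces the trail's whole advanced-selector set, so the
    caller must pass its management and data event selectors alongside these.
    """
    import boto3  # imported here so the pure functions above run without it
    client = boto3.client("cloudtrail")
    return client.put_event_selectors(TrailName=trail_name, AdvancedEventSelectors=selectors)


if __name__ == "__main__":
    # Preview the selectors for two of the services named in the use cases below.
    preview = build_network_activity_selectors(["kms.amazonaws.com", "SecretsManager.amazonaws.com"])
    print(json.dumps(preview, indent=2))
```

The `denied_only` variant is the cheaper configuration when the goal is purely to catch endpoint-policy violations rather than to baseline all traffic; the full selector is what the compliance and anomaly-detection use cases need.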
Use Cases
Security Monitoring
Monitor critical services for unauthorized access patterns:
- sts.amazonaws.com -- Track credential-related activity
- secretsmanager.amazonaws.com -- Monitor secrets access
- kms.amazonaws.com -- Track encryption key usage
Application Auditing
Monitor services used by your applications to verify expected access patterns:
- s3.amazonaws.com -- S3 data access through VPC endpoints
- dynamodb.amazonaws.com -- Database operations
- lambda.amazonaws.com -- Function invocations
- sqs.amazonaws.com -- Message queue access
Compliance
Demonstrate that specific services are accessed only through private network paths:
- rds.amazonaws.com -- Database connections stay within VPC
- ecr.amazonaws.com -- Container image pulls are private
- elasticfilesystem.amazonaws.com -- File system access is private
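Once the selectors deliver events, the three use cases above reduce to a small amount of triage over the delivered records. The script below is an added example, not part of the Prism documentation or AWS's code: it reads a log file in the shape CloudTrail delivers (a `Records` array), flags requests the VPC endpoint policy rejected (`errorCode` of `VpceAccessDenied`) and traffic to services outside an expected-source list, and tallies `(eventSource, eventName)` pairs as the baseline for the anomaly-detection use case. The sample log is constructed; `eventCategory`, `eventSource`, `vpcEndpointId` and `VpceAccessDenied` are CloudTrail's field names, every value in it is invented.

```python
"""Triage CloudTrail network activity events for the use cases above.

Added example, not from Prism or AWS. SAMPLE_LOG is constructed in the shape
of CloudTrail NetworkActivity records; field names are CloudTrail's, values
are invented. The expected-source set stands in for the selectors you chose.
"""
import json
from collections import Counter

# Constructed sample log: a delivered CloudTrail log file holds a "Records" array.
_APP = "arn:aws:sts::111111111111:assumed-role/app/i-0example0aaa"
_BATCH = "arn:aws:sts::111111111111:assumed-role/batch/i-0example0bbb"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventCategory": "NetworkActivity", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "vpcEndpointId": "vpce-0example0001",
     "sourceIPAddress": "10.0.1.25", "userIdentity": {"type": "AssumedRole", "arn": _APP}},
    {"eventCategory": "NetworkActivity", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "vpcEndpointId": "vpce-0example0002",
     "sourceIPAddress": "10.0.1.25", "errorCode": "VpceAccessDenied",
     "errorMessage": "denied by VPC endpoint policy (constructed message)",
     "userIdentity": {"type": "AssumedRole", "arn": _APP}},
    {"eventCategory": "NetworkActivity", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "vpcEndpointId": "vpce-0example0003",
     "sourceIPAddress": "10.0.2.7", "userIdentity": {"type": "AssumedRole", "arn": _BATCH}},
    {"eventCategory": "NetworkActivity", "eventSource": "transcribe.amazonaws.com",
     "eventName": "StartTranscriptionJob", "vpcEndpointId": "vpce-0example0004",
     "sourceIPAddress": "10.0.2.7", "userIdentity": {"type": "AssumedRole", "arn": _BATCH}},
    # A management event in the same file; the triage skips it.
    {"eventCategory": "Management", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole", "arn": _BATCH}},
]})


def triage(log_text, expected_sources):
    """Return (findings, activity) for one log file.

    findings: list of (kind, eventSource, vpcEndpointId, principal arn), where kind is
      "denied"     - the VPC endpoint policy rejected the request (VpceAccessDenied)
      "unexpected" - traffic to a service that is not in expected_sources
    activity: Counter of (eventSource, eventName) pairs, the baseline for next time
    """
    findings = []
    activity = Counter()
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventCategory") != "NetworkActivity":
            continue  # management, data and insight events are handled elsewhere
        source = rec.get("eventSource", "")
        endpoint = rec.get("vpcEndpointId", "")
        principal = rec.get("userIdentity", {}).get("arn", "")
        activity[(source, rec.get("eventName", ""))] += 1
        if rec.get("errorCode") == "VpceAccessDenied":
            findings.append(("denied", source, endpoint, principal))
        if source not in expected_sources:
            findings.append(("unexpected", source, endpoint, principal))
    return findings, activity


if __name__ == "__main__":
    expected = {"secretsmanager.amazonaws.com", "kms.amazonaws.com", "s3.amazonaws.com"}
    found, baseline = triage(SAMPLE_LOG, expected)
    for kind, source, endpoint, principal in found:
        print(f"{kind:10} {source:32} {endpoint:18} {principal}")
    for (source, name), count in sorted(baseline.items()):
        print(f"baseline   {source:32} {name:24} {count}")
```

A denied finding is the interesting one for the compliance use case: it shows a workload inside the VPC reaching for a resource the endpoint policy does not allow, which is exactly the evidence that the private path is being enforced. The activity counter is what you diff from one period to the next for the anomaly-detection use case.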
Configuration in Prism
You configure network activity events in two places:
- Create Trail -- Step 4 (Event Configuration) -- During initial trail creation
- Edit Trail -- On an existing trail
Best Practices
- Start with critical services -- Focus on services that handle sensitive data or are critical to your security posture
- Monitor identity services -- sts.amazonaws.com and secretsmanager.amazonaws.com are high-value targets for security monitoring
- Align with VPC endpoint usage -- Only monitor event sources for which you have VPC endpoints configured
- Review periodically -- As your VPC endpoint usage evolves, update your network activity selectors to match
- Combine with management events -- Network activity events complement management events for a complete view of API activity
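The "align with VPC endpoint usage" and "review periodically" practices are easy to automate by comparing the configured event sources with the endpoints that actually exist. The script below is an added example, not Prism's or AWS's code: it maps each endpoint's `ServiceName` (the `com.amazonaws.<region>.<service>` form that EC2 `DescribeVpcEndpoints` returns) to an event source and reports selectors with no endpoint behind them, as well as endpoints with no selector covering them. The `SAMPLE_ENDPOINTS` list is constructed, and the name-to-event-source mapping is this example's heuristic rather than an AWS-documented rule.

```python
"""Reconcile network activity selectors with the VPC endpoints that actually exist.

Added example, not code from Prism or AWS. It assumes the selectors are the
event sources entered in Prism and that endpoint service names follow the
com.amazonaws.<region>.<service>[.<api>] pattern returned by EC2
DescribeVpcEndpoints; the mapping to an event source is this example's
heuristic, not an AWS-documented rule.
"""

# Constructed DescribeVpcEndpoints output (only the fields used here).
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0example0001", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.kms"},
    {"VpcEndpointId": "vpce-0example0002", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.secretsmanager"},
    {"VpcEndpointId": "vpce-0example0003", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ecr.api"},
    {"VpcEndpointId": "vpce-0example0004", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.s3"},
]


def service_name_to_event_source(service_name):
    """com.amazonaws.us-east-1.ecr.api -> ecr.amazonaws.com; None for non-AWS (partner) services."""
    parts = service_name.split(".")
    if len(parts) < 4 or parts[:2] != ["com", "amazonaws"]:
        return None
    return f"{parts[3]}.amazonaws.com"


def reconcile(selectors, endpoints):
    """Compare selector event sources with the event sources implied by the endpoints.

    Returns a dict of three sorted lists:
      "covered"     - selectors backed by at least one endpoint
      "no_endpoint" - selectors that cannot fire because no endpoint exists for that service
      "no_selector" - endpoint services with no selector, i.e. a visibility gap to review
    """
    wanted = {s.strip().lower() for s in selectors}
    present = {}
    for ep in endpoints:
        source = service_name_to_event_source(ep["ServiceName"])
        if source:
            present.setdefault(source, []).append(ep["VpcEndpointId"])
    present_set = set(present)
    return {
        "covered": sorted(wanted & present_set),
        "no_endpoint": sorted(wanted - present_set),
        "no_selector": sorted(present_set - wanted),
    }


def fetch_endpoints(region):
    """Live replacement for SAMPLE_ENDPOINTS via boto3 (network call, not exercised offline)."""
    import boto3  # imported here so the pure functions above run without it
    paginator = boto3.client("ec2", region_name=region).get_paginator("describe_vpc_endpoints")
    return [ep for page in paginator.paginate() for ep in page["VpcEndpoints"]]


if __name__ == "__main__":
    configured = ["sts.amazonaws.com", "secretsmanager.amazonaws.com", "kms.amazonaws.com"]
    for key, sources in reconcile(configured, SAMPLE_ENDPOINTS).items():
        print(f"{key:12} {', '.join(sources) or '-'}")
```

Run it from a scheduled job against `fetch_endpoints()` for each region that has a trail, and treat a non-empty `no_selector` list as the trigger for the periodic review of your selectors.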
Related Pages
- Events Overview -- Overview of all event types
- Management Events -- Control plane event configuration
- Data Events -- Data plane event configuration
- Insight Events -- Anomaly detection events
- Event Configuration -- Configuring events during trail creation