Working with CloudTrail event history
CloudTrail is enabled by default for your AWS account and you automatically have access to the CloudTrail event history. The event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of management events in an AWS Region. These events capture activity made through the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs. The event history records events in the AWS Region where the event happened. There are no CloudTrail charges for viewing the event history.
You can look up events related to the creation, modification, or deletion of resources (such as IAM users or Amazon EC2 instances) in your AWS account, one Region at a time, by viewing the Event history page on the CloudTrail console. You can also look up these events by running the aws cloudtrail lookup-events command or by using the LookupEvents API.
You can use the Event history page on the CloudTrail console to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure. You can customize the view of the Event history page on the console by selecting how many events to display on each page and which columns to display or hide. You can also compare the details of events in event history side-by-side. You can programmatically look up events by using the AWS SDKs or AWS Command Line Interface.
Note
Over time, AWS services might add additional events. CloudTrail records these events in event history, but a full 90-day record that includes the newly added events is not available until 90 days after the service starts recording them.
The sections that follow describe how to look up recent management events by using the CloudTrail console and the AWS CLI, and how to download a file of events. For information about using the LookupEvents API to retrieve information from CloudTrail events, see LookupEvents in the AWS CloudTrail API Reference.
Limitations of Event history
The following limitations apply to the event history.
- The Event history page on the CloudTrail console only shows management events. It does not show data events, Insights events, or network activity events.
- When you download events from the Event history page on the CloudTrail console, you can download up to 200,000 events in a single file. If you reach the 200,000-event limit, the CloudTrail console provides the option to download additional files.
- An event history search is limited to a single AWS account, only returns events from a single AWS Region, and cannot query multiple attributes. You can apply only one attribute filter and a time range filter.
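As an added example (not part of the AWS documentation), the following Python builds a LookupEvents request that respects the limits above (one attribute filter plus a time range, one Region and account per call) and flattens the response, whose CloudTrailEvent field is a JSON string nested inside the JSON response. The sample response is constructed; in live use the returned parameters go to boto3's lookup_events, which is noted in a comment but not called so the module runs offline.

```python
"""Look up recent CloudTrail management events through LookupEvents (added example)."""
import json
from datetime import datetime, timedelta, timezone

# AttributeKey values LookupEvents accepts; event history allows one filter per request.
LOOKUP_KEYS = {"EventId", "EventName", "ReadOnly", "Username", "ResourceType",
               "ResourceName", "EventSource", "AccessKeyId"}


def build_lookup_params(key, value, hours_back, max_results=50):
    """Return kwargs for boto3.client("cloudtrail", region_name=...).lookup_events()."""
    if key not in LOOKUP_KEYS:
        raise ValueError(f"unsupported AttributeKey {key!r}")
    if not 0 < hours_back <= 90 * 24:
        raise ValueError("event history holds only the past 90 days")
    end = datetime.now(timezone.utc)
    return {
        "LookupAttributes": [{"AttributeKey": key, "AttributeValue": value}],
        "StartTime": end - timedelta(hours=hours_back),
        "EndTime": end,
        "MaxResults": max_results,  # paginate with get_paginator("lookup_events") for more
    }


def flatten_events(response):
    """Extract triage fields; CloudTrailEvent is a JSON string that must be parsed separately."""
    rows = []
    for ev in response["Events"]:
        detail = json.loads(ev["CloudTrailEvent"])
        rows.append({
            "time": ev["EventTime"],
            "name": ev["EventName"],
            "user": ev.get("Username"),
            "source_ip": detail.get("sourceIPAddress"),
            "error": detail.get("errorCode"),  # e.g. AccessDenied on a denied StopLogging call
            "resources": [r.get("ResourceName") for r in ev.get("Resources", [])],
        })
    return rows


# Constructed sample shaped like a LookupEvents response (not real account data).
SAMPLE_RESPONSE = {"Events": [{
    "EventId": "00000000-0000-0000-0000-000000000001",
    "EventName": "StopLogging", "EventTime": "2024-01-01T12:00:00Z",
    "EventSource": "cloudtrail.amazonaws.com", "Username": "alice",
    "Resources": [{"ResourceType": "AWS::CloudTrail::Trail",
                   "ResourceName": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example"}],
    "CloudTrailEvent": json.dumps({"sourceIPAddress": "198.51.100.7",
                                   "errorCode": "AccessDenied"}),
}]}
```

A denied StopLogging attempt surfaced this way is worth an alert, since it indicates someone trying to disable the audit trail.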