
How To Log Specific Events In CloudTrail Using Event Selector


Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In the last blog post, we discussed how to create and enable an organization trail.

https://cloudaffaire.com/how-to-create-cloudtrail-in-aws-organization/

In today's blog post, we will discuss how to log specific events in CloudTrail using an event selector. Event selectors give you full control over CloudTrail logging: you specify which events the trail captures. By default, a trail created without specific event selectors logs all read and write management events and no data events. An event selector not only lets you capture just the data you need for debugging, but also reduces the overall cost, since CloudTrail data events are charged for.

How To Log Specific Events In CloudTrail Using Event Selector:

Prerequisites:

  • AWS CLI installed and configured with proper access. You can use the links below to install and configure the AWS CLI.

https://cloudaffaire.com/how-to-install-aws-cli/

https://cloudaffaire.com/how-to-configure-aws-cli/

Step 1: Create S3 bucket and bucket policy for CloudTrail logging.

Step 2: Create a new regional Trail

Note: By default, a newly created trail logs all management events and no data events. We will override this with the event selector we create next.

Step 3: Create a new advanced event selector.

Note: You can create up to 5 event selectors for your trail, and once you have created an event selector, you cannot update or modify it. To modify an event selector, you essentially need to recreate your trail with the new event selector. In the above event selector, we are telling CloudTrail to capture only object-level operations for a specific bucket and key. No other events (including management events) will be captured as a result.

Step 4: Start logging for your trail.

Observe that no logs are generated even after 15 minutes, because we have not yet performed an API call that matches the event selector; we will do that next.

Step 5: Perform some API action that matches the event selector criteria to log those events.

Observe that one new log has now been generated, because we put (PutObject) the object (object1.txt) to the specific location (myapp/) in the bucket (s3-for-cloudtrail-logs) defined in the event selector.

Below is the log for your reference:

Step 6: Clean up.
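To make the selector semantics from Step 3 concrete, here is an added example (not code from the original post) that builds the advanced event selector document for the post's scenario and checks which constructed CloudTrail records it would keep. The record shapes are trimmed to the fields the selector inspects, and the matching logic is an assumed local model of the documented Equals/StartsWith operators, not the AWS implementation.

```python
import json

# Constructed to mirror the post: only object-level S3 events under myapp/ in the bucket.
BUCKET = "s3-for-cloudtrail-logs"
PREFIX = "myapp/"

# Shape that `aws cloudtrail put-event-selectors --advanced-event-selectors file://selectors.json`
# accepts: only Data events on S3 objects under the prefix match, so no management events.
ADVANCED_EVENT_SELECTORS = [{
    "Name": "Object-level events for myapp/ only",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "resources.ARN", "StartsWith": [f"arn:aws:s3:::{BUCKET}/{PREFIX}"]},
    ],
}]

# Constructed CloudTrail records, trimmed to the fields the selector inspects.
PUT_OBJECT_MYAPP = {"eventName": "PutObject", "eventCategory": "Data", "resources": [
    {"type": "AWS::S3::Object", "ARN": f"arn:aws:s3:::{BUCKET}/myapp/object1.txt"},
    {"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{BUCKET}"}]}
CREATE_BUCKET = {"eventName": "CreateBucket", "eventCategory": "Management",
                 "resources": [{"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{BUCKET}"}]}

def selector_json() -> str:
    """Serialise the selector list for the CLI's file:// argument."""
    return json.dumps(ADVANCED_EVENT_SELECTORS, indent=2)

def _field_values(record, field):
    """Values in a record that an advanced-selector field refers to."""
    resources = record.get("resources", [])
    return {"eventCategory": [record.get("eventCategory", "")],
            "resources.type": [r.get("type", "") for r in resources],
            "resources.ARN": [r.get("ARN", "") for r in resources]}.get(field, [])

def _matches(fs, values):
    """Apply one FieldSelector's Equals / StartsWith operators to the values."""
    if "Equals" in fs and not any(v in fs["Equals"] for v in values):
        return False
    if "StartsWith" in fs and not any(v.startswith(p) for v in values
                                      for p in fs["StartsWith"]):
        return False
    return True

def would_be_logged(record, selectors=ADVANCED_EVENT_SELECTORS) -> bool:
    """Local model of selector evaluation (an assumption, not the AWS code):
    a record is logged when every FieldSelector of some selector matches it."""
    return any(all(_matches(fs, _field_values(record, fs["Field"]))
                   for fs in sel["FieldSelectors"]) for sel in selectors)
```

Write `selector_json()` to a file and pass it with `--advanced-event-selectors file://selectors.json` to apply it to your trail; `would_be_logged` shows why the PutObject to myapp/ in Step 5 produced a log while management calls did not.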

Hope you have enjoyed this article. To know more about AWS CloudTrail, please refer to the official documentation below:

https://docs.aws.amazon.com/cloudtrail/index.html
