AWS CloudTrail helps you review activity in your AWS account, including who signed in, who changed a resource, and when an action occurred. This guide shows how to use the AWS web console to search CloudTrail Event history and open an event for more details.
Before you begin, sign in to the AWS Management Console and open the CloudTrail service.
Getting started
-
Make sure you are in the correct AWS Region before searching. CloudTrail Event history is regional, so if you are looking for an event in the wrong Region, it may not appear in the results.
-
In the left navigation menu, select Event history.
-
CloudTrail Event history shows recent management events for your account.
-
To narrow the results, you can optionally select Filter by date and time, choose the time range you want, and then select Apply.
- Use the Lookup attributes filter to search for events. The best filter depends on what you already know, such as an event name, AWS service, or resource ID.
Example 1: See who logged in to the AWS web console
If you want to check who logged in to the AWS console:
- In Lookup attributes, select Event name.
- In the search field, begin typing the event you want to find.
- CloudTrail will suggest matching event names as you type.
- Select ConsoleLogin to show AWS web console login events for the selected time period.
This is useful when you need to confirm whether a user signed in to the AWS console and when the sign-in occurred.
Example 2: See activity for a specific AWS service
If you want to review activity for a service such as Amazon EC2:
- In Lookup attributes, select Event source.
- Enter the service endpoint, such as
ec2.amazonaws.com.
This shows EC2-related events in the selected time period.
CloudTrail also includes read-only events, such as viewing or describing resources. If you only want actions that changed something:
- In Lookup attributes, select Read-only.
- Set the value to false.
This helps reduce noise and makes it easier to find create, update, delete, start, stop, or terminate actions.
Example 3: See activity for a specific resource
If you already know the resource you want to investigate, such as an EC2 instance ID:
- In Lookup attributes, select Resource name.
- Enter the resource ID.
This is often the fastest way to find actions related to one specific resource.
Viewing event details
Once you find the event you want:
- Select the Event name in the results list.
- The event details page shows information about what happened and who performed the action.
In the event details view, look for fields such as:
- Event time
- User name
- Event name
- Event source
- AWS Region
- Source IP address
- Resource name
These fields usually provide enough information to understand what action occurred and who performed it.
Tips
CloudTrail Event history is useful for quick investigations in the AWS console.
- Use Event name to find a known action such as
ConsoleLoginorTerminateInstances - Use Event source to review activity for a service such as EC2
- Use Resource name when you know the resource ID
- Use Read-only = false to focus on changes instead of view-only activity
Summary
To find out who did something in your AWS account using CloudTrail:
- Open CloudTrail
- Go to Event history
- Filter by time range if needed
- Search using Event name, Event source, or Resource name
- Open the event to view details about the action and the user who performed it