Monitoring Unusual API Activity? - Enable AWS CloudTrail Insights

CloudTrail tracks user activity and API usage. With the launch of AWS CloudTrail Insights, you can enable machine learning models that detect unusual activity in these logs with just a few clicks. AWS CloudTrail Insights will analyze historical API calls, identifying usage patterns and generating Insight Events for unusual activity.

Searching for specific IAM events? Look in Event history (in the left menu of the CloudTrail console).

The default display of events in Event history uses an attribute filter to exclude read-only events from the list of displayed events. This attribute filter is named Read only, and it is set to false.

AWS access key
The AWS access key ID that was used to sign the request. If the request was made with temporary security credentials, this is the access key ID of the temporary credentials.
Event source
The AWS service to which the request was made, such as iam.amazonaws.com or s3.amazonaws.com. You can scroll through a list of event sources after you choose the Event source filter.
Read only
The read type of the event. Events are categorized as read events or write events. If set to false, read events are not included in the list of displayed events. By default, this attribute filter is applied and the value is set to false.
Resource name
The name or ID of the resource referenced by the event. For example, the resource name might be "auto-scaling-test-group" for an Auto Scaling group or "i-1234567" for an EC2 instance.
Resource type
The type of resource referenced by the event. For example, a resource type can be Instance for EC2 or DBInstance for RDS. Resource types vary for each AWS service.
Time range
The time range in which you want to filter events. You can filter events for the last 90 days.
User name
The identity of the user referenced by the event. For example, this can be an IAM user, an IAM role name, or a service role.

If there are no events logged for the attribute or time that you choose, the results list is empty. You can apply only one attribute filter in addition to the time range. If you choose a different attribute filter, your specified time range is preserved.

The following steps describe how to filter by attribute.

To filter by a start and end date and time

  1. To narrow the time range for the events that you want to see, choose Select time range.
  2. To remove a time range filter, choose the calendar icon on the right of the Time range box, and then choose Remove.
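
The same search can be scripted through the CloudTrail LookupEvents API, which also accepts only one lookup attribute plus a time range. The following is an added example, not part of the original page: it filters on Event source for IAM and drops read-only events client-side, since a second attribute filter cannot be sent. `StubClient` and its sample events are constructed stand-ins for `boto3.client("cloudtrail")`, and the helper names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Event history filter name -> LookupEvents AttributeKey
LOOKUP_KEYS = {
    "AWS access key": "AccessKeyId", "Event source": "EventSource",
    "Read only": "ReadOnly", "Resource name": "ResourceName",
    "Resource type": "ResourceType", "User name": "Username",
}
RETENTION = timedelta(days=90)  # Event history covers the last 90 days

def build_lookup(filter_name, value, start, end, now=None):
    """Build lookup_events kwargs: exactly one attribute plus a time range."""
    now = now or datetime.now(timezone.utc)
    if filter_name not in LOOKUP_KEYS:
        raise ValueError(f"unknown filter: {filter_name}")
    if not now - RETENTION <= start < end:
        raise ValueError("time range must be ordered and within the last 90 days")
    attr = {"AttributeKey": LOOKUP_KEYS[filter_name], "AttributeValue": value}
    return {"LookupAttributes": [attr], "StartTime": start, "EndTime": end}

def iam_write_events(client, start, end, now=None):
    """IAM events in the range, with read-only events dropped client-side
    because a second attribute filter cannot be sent with the request."""
    kwargs = build_lookup("Event source", "iam.amazonaws.com", start, end, now)
    pages = client.get_paginator("lookup_events").paginate(**kwargs)
    return [e for p in pages for e in p["Events"] if e.get("ReadOnly") != "true"]

class StubClient:
    """Constructed stand-in for boto3.client("cloudtrail"); returns sample pages."""
    PAGES = [
        {"Events": [{"EventName": "CreateAccessKey", "ReadOnly": "false", "Username": "alice"},
                    {"EventName": "ListUsers", "ReadOnly": "true", "Username": "alice"}]},
        {"Events": [{"EventName": "AttachUserPolicy", "ReadOnly": "false", "Username": "bob"}]},
    ]
    def __init__(self):
        self.calls = []  # records the kwargs of each paginate() call
    def get_paginator(self, name):
        assert name == "lookup_events"
        return self
    def paginate(self, **kwargs):
        self.calls.append(kwargs)
        return iter(self.PAGES)

def demo():
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed "current" time
    events = iam_write_events(StubClient(), now - timedelta(days=7), now, now)
    return [e["EventName"] for e in events]

if __name__ == "__main__":
    print(demo())
```

Against a real account, pass `boto3.client("cloudtrail")` in place of `StubClient()`.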