AWS CloudTrail Event Types: Management, Data, Network, Insights
AWS CloudTrail records four types of events, not three. Management events track infrastructure changes. Data events track who touches your data. Network activity events track API calls flowing through VPC endpoints. Insights events flag anomalies across all of the above. Only management events are on by default and free for the first trail. The other three are off by default and cost money, but each one fills a visibility gap that the others cannot.
CloudTrail log types explained
Analogy: security cameras in a building
Management events are the lobby cameras that record everyone who enters, leaves, or changes the building layout. Data events are the cameras inside the filing cabinets that record who opens which drawer and pulls which folder. Network activity events are the cameras on the private tunnels that show who used the back entrance instead of the front door. Insights events are the smart alert system that watches all the camera feeds and pages security when something looks unusual.
Most teams already have management events running (they are on by default). The next step is usually adding data events for your most sensitive S3 buckets and Lambda functions. Network activity events and Insights are worth enabling once you understand your account’s traffic patterns and have a clear security or compliance driver.
If you are setting up CloudTrail for the first time, start with the CloudTrail overview to create your first trail. Come back here once the trail is running and you are deciding what to log beyond the defaults.
Why this matters
Security visibility. Management events alone do not show data access. If an attacker assumes a role and downloads thousands of S3 objects, management events will show the AssumeRole call but nothing about the data exfiltration. You need data events for that. For patterns to watch for, see detecting suspicious activity in AWS logs.
Auditability. Compliance frameworks like PCI-DSS, HIPAA, and SOC 2 often require evidence of who accessed what data and when. Data events provide that evidence for S3, DynamoDB, and other services. Network activity events prove that API calls stayed within your private network boundary.
Cost control. Enabling every event type on every resource can cost thousands of dollars per month in a busy account. Understanding the four types lets you enable the right logging for the right resources: full coverage where it matters, selective logging everywhere else.
How CloudTrail event types work
AWS services operate on two planes. The control plane manages the service itself: creating a bucket, modifying a security group, changing a role policy. The data plane operates on the data inside the service: reading an object, invoking a function, querying a table. CloudTrail management events cover the control plane. Data events cover the data plane.
Network activity events add a third dimension. They capture API calls made through VPC endpoints using AWS PrivateLink. Instead of answering “what happened” or “who did it,” they answer “which network path did the call take?” This matters for organisations that route AWS API traffic through private endpoints and need proof that calls never left their VPC.
Insights events sit on top of the other types. CloudTrail continuously analyses your management events (and optionally your data events) to build a baseline of normal activity. When it detects a significant deviation, such as a spike in API call rate or an unusual surge in error rates, it generates an Insights event. This helps you catch compromised credentials, runaway automation, or misconfigured services without writing custom detection rules.
CloudTrail event types at a glance
| Event type | What it records | Logged by default? | Best for | Cost impact |
|---|---|---|---|---|
| Management events | Control plane: create, modify, delete resources | Yes (first trail free) | Governance, IAM auditing, change tracking | Free (first copy); $2.00/100k for additional trails |
| Data events | Data plane: S3 object access, Lambda invocations, DynamoDB queries | No | Exfiltration detection, data access auditing, compliance | $0.10/100k events |
| Network activity events | API calls through VPC endpoints (PrivateLink) | No | VPC endpoint auditing, zero-trust verification, private network compliance | $0.10/100k events |
| Insights events | Anomalies in API call rate or error rate | No | Early breach detection, misconfiguration alerts, anomaly detection | $0.35/100k events analysed |
Management vs data: Management events tell you someone created a bucket. Data events tell you someone downloaded a file from that bucket. Network activity vs the rest: Network activity events do not replace management or data events. They add visibility into which network path the API call took. Insights vs everything: Insights does not log new actions. It watches the other event streams and alerts you when patterns deviate from normal.
Management events
What they capture
Management events (also called control plane events) record operations that create, modify, configure, or delete AWS resources. These are the events you care about most for security and governance.
- IAM changes: creating users, modifying roles, attaching policies
- Infrastructure changes: launching EC2 instances, modifying security groups, creating VPCs
- Service configuration: changing CloudTrail settings, modifying service control policies, updating Config rules
- Authentication: console logins, STS
AssumeRolecalls, federated access - Encryption: KMS key creation, key policy changes, key deletion scheduling
- Bucket-level S3 operations: creating or deleting buckets, changing bucket policies (not object-level access)
Read vs write events
Management events split into two categories:
- Write events change state:
RunInstances,CreateRole,DeleteBucket. These are security-critical because they modify your environment. - Read events retrieve information:
DescribeInstances,GetPolicy,ListBuckets. Higher volume, lower immediate security priority.
If you need to reduce log volume without losing security coverage, log only write management events and add reads later for specific investigations.
Cost and defaults
The first copy of management events delivered to a trail is free. If you send the same management events to additional trails (for example, an organisation trail and an account-level trail), additional copies cost $2.00 per 100,000 events. For most accounts, management event logging costs nothing.
When to use management events
Always. Every AWS account should have at least one trail logging management events. This is your baseline audit trail for who did what to your infrastructure. It is the foundation that Security Hub and other detection services build on.
Configure management events via CLI
# Log only write management events (reduces volume, keeps security coverage)
aws cloudtrail put-event-selectors \
--trail-name organization-trail \
--event-selectors '[
{
"ReadWriteType": "WriteOnly",
"IncludeManagementEvents": true
}
]'Data events
What they capture
Data events record resource-level operations: actions performed on the data inside AWS services. They are not enabled by default and must be turned on per service and per resource.
High-value services and examples
| Service | Example data events | Why it matters |
|---|---|---|
| Amazon S3 | GetObject, PutObject, DeleteObject | Detect data exfiltration and unauthorised access |
| AWS Lambda | InvokeFunction | Track who invokes sensitive functions |
| Amazon DynamoDB | GetItem, PutItem, Query, Scan | Audit access to application data |
| AWS Secrets Manager | GetSecretValue | Monitor secret retrieval patterns |
| Amazon SNS | Publish | Audit message publishing to topics |
| Amazon SQS | SendMessage, ReceiveMessage, DeleteMessage | Track queue access and message consumption |
| Amazon Cognito | InitiateAuth, RespondToAuthChallenge | Monitor authentication flows |
Cost and scoping advice
Data events cost $0.10 per 100,000 events. That sounds small until you consider volume. An S3 bucket receiving 10 million requests per day generates $10/day or roughly $300/month in CloudTrail charges alone. A busy Lambda function invoked millions of times per day adds similar costs.
Always scope data events to specific resources. Use advanced event selectors to target individual bucket ARNs, specific Lambda functions, or particular event names rather than enabling data events across all resources in a service.
When to use data events
Enable data events when you need visibility into who is accessing your data, not just your infrastructure. Common use cases:
- S3 exfiltration detection: log
GetObjecton buckets containing PII, financial data, or intellectual property. - Lambda invocation auditing: track who triggers payment-processing or data-export functions.
- Compliance evidence: prove that only authorised principals accessed regulated data in DynamoDB or S3.
- Secrets access monitoring: detect unusual patterns of
GetSecretValuecalls that may indicate credential theft.
Enable data events for specific S3 buckets
aws cloudtrail put-event-selectors \
--trail-name organization-trail \
--event-selectors '[
{
"ReadWriteType": "All",
"IncludeManagementEvents": true,
"DataResources": [
{
"Type": "AWS::S3::Object",
"Values": [
"arn:aws:s3:::sensitive-data-bucket/",
"arn:aws:s3:::pci-data-bucket/"
]
}
]
}
]'The trailing slash in the ARN (e.g. arn:aws:s3:::bucket-name/) means “all objects in this bucket.” To log all S3 buckets, use arn:aws:s3 with no bucket name, but check the cost implications first.
Enable data events for a specific Lambda function
aws cloudtrail put-event-selectors \
--trail-name organization-trail \
--event-selectors '[
{
"ReadWriteType": "All",
"IncludeManagementEvents": true,
"DataResources": [
{
"Type": "AWS::Lambda::Function",
"Values": ["arn:aws:lambda:us-east-1:123456789012:function:payment-processor"]
}
]
}
]'Use advanced event selectors for precise scoping
Advanced event selectors allow field-level conditions so you can log exactly the events you need. For example, log only GetObject and PutObject calls on a specific S3 prefix:
aws cloudtrail put-event-selectors \
--trail-name organization-trail \
--advanced-event-selectors '[
{
"Name": "SensitivePrefixAccess",
"FieldSelectors": [
{"Field": "eventCategory", "Equals": ["Data"]},
{"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
{"Field": "eventName", "Equals": ["GetObject", "PutObject"]},
{"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::data-lake/pii/"]}
]
}
]'This gives you surgical precision: compliance-grade logging at a fraction of the cost of broad data event capture. For detection patterns to layer on top of these logs, see detecting suspicious activity in AWS logs.
Advanced event selectors often cut data event costs by 80%+ compared to broad logging. Instead of paying for every S3 event across every bucket, target specific prefixes, event names, and resource ARNs.
Enabling data events with “Values”: [“arn:aws:s3”] (all S3 buckets) in an account with significant traffic can generate millions of events per hour. Always start with specific bucket ARNs and expand only when you have a clear need. Check your estimated costs in the CloudTrail pricing calculator before enabling blanket data event logging.
Network activity events
What they capture
Network activity events record API calls made through VPC endpoints using AWS PrivateLink. While management and data events tell you what happened and who did it, network activity events tell you which network path the API call took, specifically which VPC endpoint was used.
These events capture details like the VPC endpoint ID, the VPC ID, and whether the call was allowed or denied by the endpoint policy. This visibility is essential for organisations that require proof that API traffic stayed within their private network.
Analogy: tracking which door someone used
Management events tell you that someone entered the vault. Data events tell you which safe deposit box they opened. Network activity events tell you whether they came in through the private staff entrance (VPC endpoint) or the public front door (internet). If your security policy says “all vault access must use the staff entrance,” network activity events are how you verify that.
When they matter
- Zero-trust network verification: confirm that API calls to services like STS, KMS, and S3 route through your VPC endpoints, not the public internet.
- Regulatory compliance: in industries like finance and healthcare, you may need evidence that sensitive API calls never left your private network boundary.
- VPC endpoint policy auditing: identify which calls are being denied by endpoint policies and whether endpoint configurations need adjustment.
- Detecting unauthorised endpoint use: spot unexpected principals or accounts using your VPC endpoints.
VPC endpoint examples and audit use cases
Network activity events are available for services commonly accessed through VPC endpoints, including EC2, STS, KMS, Secrets Manager, S3, and others. A typical network activity event record includes:
- The VPC endpoint ID through which the call was made
- The VPC ID where the endpoint lives
- The API action called (e.g.
sts:AssumeRole,kms:Decrypt) - Whether the VPC endpoint policy allowed or denied the call
- The calling principal and source IP (private IP within the VPC)
This information lets you answer questions like: “Did any API call to KMS originate from outside our approved VPC endpoints?” or “Which principals used the STS endpoint in the production VPC last week?”
Cost and default behaviour
Network activity events are not logged by default. When enabled, they cost $0.10 per 100,000 events, the same rate as data events. You enable them using advanced event selectors by specifying the eventCategory as NetworkActivity and selecting the service-specific resource types you want to log.
# Enable network activity events for STS VPC endpoint calls
aws cloudtrail put-event-selectors \
--trail-name organization-trail \
--advanced-event-selectors '[
{
"Name": "STSNetworkActivity",
"FieldSelectors": [
{"Field": "eventCategory", "Equals": ["NetworkActivity"]},
{"Field": "resources.type", "Equals": ["AWS::EC2::VPCEndpoint"]}
]
}
]'Network activity events require advanced event selectors. They cannot be enabled with basic event selectors. If your trail still uses basic selectors, you will need to migrate to advanced selectors first.
Insights events
What they detect
CloudTrail Insights events fire when CloudTrail detects unusual activity: a significant deviation from the normal baseline of API call volume or error rate. Instead of requiring you to write custom detection rules, Insights automatically flags anomalies.
Examples of what Insights can catch:
- A sudden spike in
AuthorizeSecurityGroupIngresscalls (possible automated security group modification) - An abnormal volume of
iam:CreateUsercalls in a short period (potential credential abuse) - A surge in error rates for a specific API (misconfiguration or failed attack)
- Unusual volume of
TerminateInstancescalls (potential sabotage or ransomware) - A spike in S3
GetObjectcalls (possible data exfiltration, via data event Insights)
Management vs data event Insights
Insights can analyse both management events and data events for anomalies:
- Management event Insights detect anomalies in control plane activity. They catch unusual spikes in infrastructure changes, IAM modifications, or authentication patterns.
- Data event Insights detect anomalies in data plane activity. They catch unusual patterns in S3 object access, Lambda invocations, or other data operations. Particularly valuable for spotting data exfiltration attempts that appear as abnormal
GetObjectvolume.
You can enable both independently. Data event Insights require that data events are also being logged on the same trail.
Baseline and timing
After you enable Insights, CloudTrail takes up to 7 days to establish a baseline of normal activity. During this learning period, no Insights events are generated. This is expected. Do not disable Insights thinking it is broken. Once the baseline is established, Insights events appear whenever activity deviates significantly from the norm.
When to use Insights
Enable Insights for security-sensitive accounts where early breach detection matters: production accounts, accounts with access to sensitive data, and accounts that are targets for privilege escalation. The cost is modest relative to the detection value: $0.35 per 100,000 events analysed.
Insights works well as a complement to Security Hub findings and custom CloudWatch Logs metric filters. It catches patterns that rule-based detection might miss because it adapts to your account’s actual usage patterns.
Enable Insights for a trail
aws cloudtrail put-insight-selectors \
--trail-name organization-trail \
--insight-selectors '[
{"InsightType": "ApiCallRateInsight"},
{"InsightType": "ApiErrorRateInsight"}
]'Which CloudTrail event type should you enable?
Use this decision matrix to match event types to your situation. Most teams work through this list from top to bottom.
| Situation | Enable | Why |
|---|---|---|
| General account auditing | Management events (write + read) | Covers all infrastructure and IAM changes. Already on by default and free. |
| IAM and infrastructure change tracking | Management events (write only) | Lower volume, captures security-critical mutations. Add reads if you need investigation depth. |
| S3 exfiltration visibility | Data events on sensitive S3 buckets | Logs GetObject, PutObject, DeleteObject. Scope to specific buckets to control cost. |
| Lambda invocation monitoring | Data events on critical Lambda functions | Tracks who invokes payment, data-export, or admin functions. |
| Private VPC endpoint auditing | Network activity events | Proves API calls route through PrivateLink. Required for some zero-trust architectures. |
| Anomaly detection in security-sensitive accounts | Insights (management + data) | Catches unusual spikes in API calls or errors without custom rules. Good for production and high-value accounts. |
| Compliance (PCI-DSS, HIPAA, SOC 2) | Management events + data events on regulated resources | Provides evidence of who accessed what data and when. Often combined with Insights for anomaly detection. |
For a typical production AWS account, enable: (1) management events with both reads and writes (free), (2) data events scoped to your most sensitive S3 buckets and Lambda functions, and (3) Insights on management events. Add network activity events and data event Insights when your security posture or compliance requirements call for them.
Common mistakes
- Enabling all S3 data events without checking cost. This is the most common way teams get an unexpected CloudTrail bill. A busy account can generate millions of S3 data events per hour. Always start with specific bucket ARNs and check the pricing calculator.
- Assuming management events cover data exfiltration. Management events do not include S3
GetObjectcalls. If someone downloads millions of objects, management events show nothing. You need S3 data events for exfiltration visibility. - Thinking CloudTrail only has three event types. Network activity events are the fourth type, added for VPC endpoint visibility. If your workloads use PrivateLink, you are missing an audit dimension without them.
- Treating Insights as management-event-only. Insights can analyse both management events and data events. If you log S3 data events but do not enable data event Insights, you miss anomaly detection on data access patterns.
- Disabling Insights during the 7-day baseline period. Insights takes up to a week to learn normal patterns before generating events. No events during this period is expected, not a sign of a broken configuration.
- Using basic event selectors when advanced selectors provide better value. Basic event selectors are all-or-nothing per service. Advanced event selectors let you target specific event names, ARN prefixes, and field values for precise logging at a fraction of the cost.
Summary
- CloudTrail has four event types: management, data, network activity, and Insights.
- Management events are on by default and free (first trail). They cover control plane operations like resource creation, modification, deletion, and IAM changes.
- Data events cover data plane operations (S3 object access, Lambda invocations, DynamoDB queries). Off by default, $0.10 per 100k events. Scope them to specific resources.
- Network activity events record API calls through VPC endpoints. Off by default, $0.10 per 100k events. Enable them for private network auditing.
- Insights detect anomalies in both management and data event patterns. Off by default, $0.35 per 100k events analysed. Enable for security-sensitive accounts.
- Use advanced event selectors to target specific resources, event names, and field values to control costs.
Frequently asked questions
What are the four CloudTrail event types?
AWS CloudTrail records four event types: management events (control plane operations like creating or deleting resources), data events (data plane operations like reading S3 objects or invoking Lambda functions), network activity events (API calls made through VPC endpoints), and Insights events (anomaly detection for unusual API call rates or error rates). Management events are logged by default. The other three must be enabled explicitly.
What does CloudTrail log by default?
By default, CloudTrail logs management events, which are the control plane operations that create, modify, or delete AWS resources. Data events, network activity events, and Insights events are all disabled by default and must be explicitly enabled on a trail or event data store. The first copy of management events is free.
Should I enable data events for all S3 buckets?
No. Data events for all S3 buckets in a high-traffic account can generate enormous volume and significant cost at $0.10 per 100,000 events. A bucket receiving 10 million requests per day costs $10/day in CloudTrail charges alone. Enable data events selectively for buckets that contain sensitive data, such as PII stores, log archives, or regulated data exports. Use advanced event selectors to further narrow logging to specific prefixes or event names.
Do CloudTrail Insights work for data events?
Yes. CloudTrail Insights can analyse both management events and data events for anomalies. When you enable Insights on a trail that logs S3 data events, CloudTrail can detect unusual patterns like a sudden spike in GetObject calls that may indicate data exfiltration. You enable data event Insights separately from management event Insights.
When do network activity events matter?
Network activity events matter when your workloads call AWS services through VPC endpoints using AWS PrivateLink. They record which principal made which API call through which VPC endpoint, giving you visibility into private network traffic that does not traverse the public internet. This is important for zero-trust auditing, compliance in regulated industries, and detecting unauthorised use of VPC endpoints.