How do I log Amazon SNS data events in CloudTrail?

I want to log Amazon Simple Notification Service (Amazon SNS) data events in AWS CloudTrail.

Short description

CloudTrail captures Amazon SNS control plane API calls as management events by default. To log SNS data events, such as Publish and PublishBatch API operations, you must configure your trails with the Data events option.

Resolution

To log SNS data events in CloudTrail, use the AWS Management Console or the AWS Command Line Interface (AWS CLI).

Important: Additional charges apply for data events. For more information, see AWS CloudTrail pricing.

Use the CloudTrail console to log SNS data events

To log SNS data events, see Updating an existing event data store to log data events using the console. For Resource type, choose SNS topic or SNS platform endpoint.

Use the AWS CLI to log SNS data events

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

To log SNS data events for all topics, run the following put-event-selectors AWS CLI command:

aws cloudtrail put-event-selectors \
    --trail-name TrailName \
    --advanced-event-selectors '[
        {
            "Name": "Log SNS data events",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": ["Data"]
                },
                {
                    "Field": "resources.type",
                    "Equals": ["AWS::SNS::Topic"]
                }
            ]
        }
    ]' \
    --region REGION

Note: Replace TrailName with your CloudTrail trail name and REGION with your AWS Region.

To log SNS data events for specific topics, run the following put-event-selectors AWS CLI command:

aws cloudtrail put-event-selectors \
    --trail-name TrailName \
    --advanced-event-selectors '[
        {
            "Name": "Log specific SNS topics",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": ["Data"]
                },
                {
                    "Field": "resources.type",
                    "Equals": ["AWS::SNS::Topic"]
                },
                {
                    "Field": "resources.ARN",
                    "StartsWith": ["arn:aws:sns:region:account-id:topic-name"]
                }
            ]
        }
    ]' \
    --region REGION

Note: Replace TrailName with your CloudTrail trail name, REGION (and the region segment of the ARN) with your AWS Region, account-id with your AWS account ID, and topic-name with your SNS topic name.

To log SNS platform endpoint data events, run the following put-event-selectors AWS CLI command:

aws cloudtrail put-event-selectors \
    --trail-name TrailName \
    --advanced-event-selectors '[
        {
            "Name": "Log SNS platform endpoint events",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": ["Data"]
                },
                {
                    "Field": "resources.type",
                    "Equals": ["AWS::SNS::PlatformEndpoint"]
                }
            ]
        }
    ]' \
    --region REGION

Note: Replace TrailName with your CloudTrail trail name and REGION with your AWS Region.

For more information, see Logging data events with the AWS CLI.
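As an added example that is not part of this article, the following Python builds the three selectors shown above in the same shape that put-event-selectors accepts and evaluates them against constructed CloudTrail records, so that you can see which SNS events each selector would log. The account ID, Region, and topic names are placeholders, and only the Equals and StartsWith operators used above are modelled.

```python
def sns_selector(name, resource_type, arn_prefixes=None):
    """Build one advanced event selector in the shape put-event-selectors expects."""
    fields = [{"Field": "eventCategory", "Equals": ["Data"]},
              {"Field": "resources.type", "Equals": [resource_type]}]
    if arn_prefixes:  # restrict to specific topics, as in the second CLI command
        fields.append({"Field": "resources.ARN", "StartsWith": arn_prefixes})
    return {"Name": name, "FieldSelectors": fields}

def record_values(record, field):
    """Values in a CloudTrail record that a selector field is compared against."""
    if field == "eventCategory":
        return [record.get("eventCategory")]
    key = {"resources.type": "type", "resources.ARN": "ARN"}[field]
    return [r.get(key) for r in record.get("resources", [])]

def field_matches(fs, value):
    """Only Equals and StartsWith, the operators the article uses, are modelled."""
    if value is None:
        return False
    if "Equals" in fs:
        return value in fs["Equals"]
    return any(value.startswith(p) for p in fs["StartsWith"])

def matches(selector, record):
    """Field selectors are ANDed; any resource on the record may satisfy one."""
    return all(any(field_matches(fs, v) for v in record_values(record, fs["Field"]))
               for fs in selector["FieldSelectors"])

def record(event_id, name, category, rtype, arn):
    """Constructed CloudTrail record, trimmed to the fields the selectors read."""
    return {"eventID": event_id, "eventName": name, "eventCategory": category,
            "resources": [{"type": rtype, "ARN": arn}]}

ACCOUNT = "111122223333"  # placeholder account ID
ORDERS = f"arn:aws:sns:us-east-1:{ACCOUNT}:orders"
ENDPOINT = f"arn:aws:sns:us-east-1:{ACCOUNT}:endpoint/GCM/app/0000"
EVENTS = [
    record("publish-orders", "Publish", "Data", "AWS::SNS::Topic", ORDERS),
    record("publish-audit", "Publish", "Data", "AWS::SNS::Topic", ORDERS.replace("orders", "audit")),
    record("create-topic", "CreateTopic", "Management", "AWS::SNS::Topic", ORDERS),
    record("publish-endpoint", "Publish", "Data", "AWS::SNS::PlatformEndpoint", ENDPOINT),
]

def logged(selector, events=EVENTS):
    """eventIDs of the sample records that the selector would write to the trail."""
    return [e["eventID"] for e in events if matches(selector, e)]

ALL_TOPICS = sns_selector("Log SNS data events", "AWS::SNS::Topic")
ONE_TOPIC = sns_selector("Log specific SNS topics", "AWS::SNS::Topic", [ORDERS])
ENDPOINTS = sns_selector("Log SNS platform endpoint events", "AWS::SNS::PlatformEndpoint")
```

Because StartsWith is a prefix match, a prefix ending in `:orders` also covers a topic named `orders-dlq` in the same account and Region; use the full ARN and check the topic names in your account if that is not intended.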

Confirm that CloudTrail logs SNS data events

Complete the following steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. Select the Lookup attributes dropdown list, and then choose Event name.
  4. In the search field, enter the name of the SNS data event that you want to check, such as Publish. If the event appears, then CloudTrail is logging SNS data events.
    Note: After you call the API operation, it can take up to 15 minutes for events to appear in CloudTrail.

Related information

Logging AWS SNS API calls using AWS CloudTrail

Filtering data events by using advanced event selectors