AWS CloudTrail Log Filter Builder

About This Tool

The CloudTrail Log Filter Builder helps you construct filter patterns for searching AWS CloudTrail logs. CloudTrail records API calls across your AWS account, and finding specific events in large volumes of log data requires precise filter expressions. This tool provides templates for common audit scenarios like IAM changes, security group modifications, and console sign-ins, letting you build filters that work in the CloudTrail console, Athena queries, or CloudWatch Logs Insights.

When to Use This Tool

• •Build filters to find IAM user creation, role assumption, and policy attachment events for security auditing.
• •Create filters for tracking security group and NACL changes to detect unauthorized network modifications.
• •Generate filters to identify console sign-in events, especially failed sign-ins or root account usage.
• •Build filters for S3 data events to track object-level access patterns for compliance and forensic investigations.

Frequently Asked Questions

What is the difference between management events and data events in CloudTrail?

Management events capture control-plane operations like creating or modifying resources (RunInstances, CreateBucket, AttachRolePolicy). Data events capture data-plane operations like S3 object reads/writes and Lambda function invocations. Data events are high-volume and must be explicitly enabled.

Can I use these filters to query CloudTrail logs in Athena?

The tool can generate filter expressions compatible with CloudTrail Event History in the console and CloudWatch Logs Insights. For Athena, you query the CloudTrail S3 bucket using SQL. The tool helps you identify the right field names and values to use in your WHERE clauses.

Related Learning Guides

• AWS IAM Best Practices25 min read