Build CloudTrail Insights selectors and log filter patterns.
Last verified: May 2026
The CloudTrail Log Filter Builder helps you construct filter patterns for searching AWS CloudTrail logs. CloudTrail records API calls across your AWS account, and finding specific events in large volumes of log data requires precise filter expressions. This tool provides templates for common audit scenarios like IAM changes, security group modifications, and console sign-ins, letting you build filters that work in the CloudTrail console, Athena queries, or CloudWatch Logs Insights.
Management events capture control-plane operations like creating or modifying resources (RunInstances, CreateBucket, AttachRolePolicy). Data events capture data-plane operations like S3 object reads/writes and Lambda function invocations. Data events are high-volume and must be explicitly enabled.
The tool can generate filter expressions compatible with CloudTrail Event History in the console and CloudWatch Logs Insights. For Athena, you query the CloudTrail S3 bucket using SQL. The tool helps you identify the right field names and values to use in your WHERE clauses.
Your security team is investigating suspicious activity around a recent IAM role compromise. They need to find every API call made by a specific role across a 3-day window. The builder generates an Athena query against the CloudTrail S3 archive: SELECT eventTime, eventName, sourceIPAddress FROM cloudtrail_logs WHERE userIdentity.sessionContext.sessionIssuer.arn = 'arn:aws:iam::ACCOUNT:role/SuspectRole' AND eventTime BETWEEN '2026-04-30' AND '2026-05-03'. The query runs in 90 seconds and surfaces 47 API calls, including unusual S3 ListObjects calls from an unfamiliar IP. Investigation confirmed.
The builder constructs CloudTrail filter expressions usable in three contexts: (1) the CloudTrail Event History console search box (using attribute=value syntax), (2) CloudWatch Logs Insights queries against a CloudTrail log group, and (3) Athena WHERE clauses for querying CloudTrail data in S3. Templates exist for common audit scenarios (IAM changes, console sign-ins, security group modifications, root account activity, S3 bucket policy changes).
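The following is an added example (not the tool's own code) of what a filter builder along these lines does: one audit template is rendered into the console's attribute=value search, a CloudWatch Logs Insights query, and an Athena WHERE clause, and the same template is then applied locally to a few constructed CloudTrail records so you can see which events it would surface. The template contents, the cloudtrail_logs table name and the sample records are this example's assumptions; the eventSource values and event names are real CloudTrail values.

```python
import re

# Audit templates: each maps a scenario to the CloudTrail fields that identify it.
# The eventSource values and event-name prefixes are real CloudTrail values; which
# names count as an "IAM change" is this example's own choice (an assumption).
TEMPLATES = {
    "iam-changes": {
        "eventSource": "iam.amazonaws.com",
        "eventNamePattern": r"^(Create|Delete|Attach|Detach|Put|Update|Add|Remove)",
    },
    "console-signin": {
        "eventSource": "signin.amazonaws.com",
        "eventNamePattern": r"^ConsoleLogin$",
    },
    "security-group-changes": {
        "eventSource": "ec2.amazonaws.com",
        "eventNamePattern": r"^(Authorize|Revoke)SecurityGroup(Ingress|Egress)$",
    },
}


def console_filter(template):
    """Event History searches on one lookup attribute at a time, so only the
    EventSource attribute is rendered; narrow by event name in the result list."""
    return f"EventSource={template['eventSource']}"


def insights_query(template):
    """CloudWatch Logs Insights query for a log group that receives the trail."""
    return (
        "fields @timestamp, eventName, userIdentity.arn, sourceIPAddress\n"
        f'| filter eventSource = "{template["eventSource"]}"'
        f" and eventName like /{template['eventNamePattern']}/\n"
        "| sort @timestamp desc"
    )


def athena_where(template):
    """WHERE clause for an Athena table over the CloudTrail S3 archive
    (table assumed to be named cloudtrail_logs, as in the scenario above)."""
    return (
        f"WHERE eventSource = '{template['eventSource']}' "
        f"AND regexp_like(eventName, '{template['eventNamePattern']}')"
    )


def matches(template, record):
    """Apply the same template locally to one CloudTrail record (a dict)."""
    return (
        record.get("eventSource") == template["eventSource"]
        and re.search(template["eventNamePattern"], record.get("eventName", "")) is not None
    )


# Constructed sample records in CloudTrail's record shape (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2026-04-30T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2026-04-30T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2026-04-30T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2026-04-30T10:04:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9"},
]


def find_events(template_name, records=SAMPLE_RECORDS):
    """Return the event names of the records matching the named template."""
    template = TEMPLATES[template_name]
    return [r["eventName"] for r in records if matches(template, r)]


if __name__ == "__main__":
    for name, template in TEMPLATES.items():
        print(f"# {name}")
        print(console_filter(template))
        print(insights_query(template))
        print(athena_where(template))
        print("local matches:", find_events(name), "\n")
```

Note that the read-only ListRoles call is not matched by the iam-changes template even though it comes from the same source: the event-name pattern is what separates a change from a listing, which is why a template needs both fields rather than eventSource alone.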
Data events on S3 and Lambda are NOT recorded by default — only management events. Many security audits assume CloudTrail captures S3 object access; it doesn't unless you explicitly enable data events. Costs are $0.10 per 100K data events, which adds up fast for high-traffic buckets. Decide which buckets/functions are sensitive enough to warrant data event logging.
Read-only events (ListBuckets, DescribeInstances, etc.) make up 80%+ of CloudTrail volume but rarely matter for audit. Use Event Selectors to capture only write events (NOT readOnly) for your routine trail, and a separate trail or Athena query for the rare cases when you need read events.
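The two recommendations above (write-only management events, data events only for resources that warrant them) can be expressed as a trail's event selectors. The following added example, which is not the tool's or AWS's code, builds that EventSelectors payload in the shape accepted by boto3's cloudtrail.put_event_selectors, then checks locally which of a few constructed sample events such a trail would record, so the "S3 reads are not captured by default" surprise is visible before the trail is deployed. The account id, bucket and function names, and the two-selector layout are this example's own assumptions.

```python
import json

# Constructed account id and resource names; nothing here is a real resource.
ACCOUNT_ID = "123456789012"


def build_event_selectors(sensitive_buckets, sensitive_functions=()):
    """Two classic event selectors: write-only management events for the whole
    account, plus all (read and write) data events only for the named resources.
    Returns the EventSelectors list for
    cloudtrail.put_event_selectors(TrailName=..., EventSelectors=...)."""
    data_resources = [{
        "Type": "AWS::S3::Object",
        # Trailing slash means "every object in this bucket".
        "Values": [f"arn:aws:s3:::{bucket}/" for bucket in sensitive_buckets],
    }]
    if sensitive_functions:
        data_resources.append({
            "Type": "AWS::Lambda::Function",
            "Values": [f"arn:aws:lambda:us-east-1:{ACCOUNT_ID}:function:{fn}"
                       for fn in sensitive_functions],
        })
    return [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True, "DataResources": []},
        {"ReadWriteType": "All", "IncludeManagementEvents": False, "DataResources": data_resources},
    ]


def _rw_allows(selector, read_only):
    rw = selector["ReadWriteType"]
    return rw == "All" or (rw == "ReadOnly" and read_only) or (rw == "WriteOnly" and not read_only)


def would_record(selectors, event):
    """Local check of whether a trail with these selectors records one event.
    `event` uses CloudTrail record field names: eventCategory, readOnly, resources."""
    for sel in selectors:
        if not _rw_allows(sel, event["readOnly"]):
            continue
        if event["eventCategory"] == "Management" and sel["IncludeManagementEvents"]:
            return True
        if event["eventCategory"] == "Data":
            arns = [r["ARN"] for r in event.get("resources", [])]
            for dr in sel["DataResources"]:
                if any(arn.startswith(prefix) for prefix in dr["Values"] for arn in arns):
                    return True
    return False


def data_event_cost(event_count, usd_per_100k=0.10):
    """Rough monthly cost at the rate stated above ($0.10 per 100K data events)."""
    return event_count / 100_000 * usd_per_100k


# Constructed sample events (shape follows CloudTrail records; values are made up).
SAMPLE_EVENTS = {
    "DescribeInstances": {"eventCategory": "Management", "readOnly": True, "resources": []},
    "RunInstances": {"eventCategory": "Management", "readOnly": False, "resources": []},
    "GetObject-sensitive": {"eventCategory": "Data", "readOnly": True,
                            "resources": [{"ARN": "arn:aws:s3:::payroll-exports/2026/q1.csv"}]},
    "GetObject-other": {"eventCategory": "Data", "readOnly": True,
                        "resources": [{"ARN": "arn:aws:s3:::public-assets/logo.png"}]},
}


def recorded_names(selectors, events=SAMPLE_EVENTS):
    """Names of the sample events the trail would keep, sorted for stable output."""
    return sorted(name for name, ev in events.items() if would_record(selectors, ev))


if __name__ == "__main__":
    selectors = build_event_selectors(["payroll-exports"], ["payments-webhook"])
    print(json.dumps(selectors, indent=2))
    print("recorded:", recorded_names(selectors))
    print(f"1M data events/month is about ${data_event_cost(1_000_000):.2f}")
```

The split into two selectors matters: ReadWriteType applies to data events as well as management events, so a single WriteOnly selector that also listed the sensitive bucket would drop the GetObject reads that are usually the reason for enabling data events in the first place.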
CloudTrail Lake (the new SQL-queryable archive) is dramatically more useful than searching events in the console one at a time. For any compliance-driven CloudTrail analysis, route a copy of events to Lake and write reusable queries. Per-event cost is comparable, but queries complete hours faster.