CloudTrail Network Activity Events
With network activity events for VPC endpoints, you can view details of who is accessing resources within your network giving you greater ability to identify and respond to malicious or unauthorized actions in your data perimeter. For example, as the VPC endpoint owner, you can view logs of actions that were denied due to VPC endpoint policies or determine if an actor outside of your data perimeter is trying to access the data in your S3 buckets.
Advanced Event Selectors for Network Activity Events
When you use network activity events, advanced event selectors offer greater control over which CloudTrail events are ingested into your event data stores. With advanced event selectors, you can include or exclude values on fields such as errorCode, eventName, & vpcEndpointId. Advanced event selectors also support including or excluding values with pattern matching on partial strings. This increases the efficiency and precision of your security, compliance, and operational investigations while helping reduce costs. For example, you can filter CloudTrail events based on the vpcEndpointId attribute to only inlcude events from a specific VPC edpoint Id. This allows you to significantly reduce the volume of CloudTrail events ingested into CloudTrail Lake, lowering costs while maintaining visibility into relevant user and system activities.
Demo: Network Activity Events for CloudTrail Lake
In the following interactive demo we will explore how to use network activity events for VPC endpoints in CloudTrail Lake.
Sample SQL Queries for CloudTrail Lake:
Count of VPC Access Denied Errors
SELECT count(*) as VPCAccessDenied, userIdentity.arn,
userIdentity.accountid,
eventName,
errorMessage,
vpcEndpointId,
vpcEndpointAccountId,
sourceIPAddress
FROM $EDS_ID
WHERE eventCategory = 'NetworkActivity'
AND eventSource = 's3.amazonaws.com'
AND errorCode = 'VpceAccessDenied'
AND eventtime >= '2025-02-18 17:00:00'
AND eventtime <= '2025-02-21 17:00:00'
GROUP BY
userIdentity.arn,
userIdentity.accountid,
eventName,
errorMessage,
vpcEndpointId,
vpcEndpointAccountId,
sourceIPAddress
ORDER BY eventName DESC;
VPC Access Denied Errors
SELECT userIdentity.arn,
userIdentity.accountid,
eventType,
eventCategory,
eventName,
errorCode,
errorMessage,
vpcEndpointId,
vpcEndpointAccountId,
sourceIPAddress
FROM $EDS_ID
WHERE eventCategory = 'NetworkActivity'
AND eventSource = 's3.amazonaws.com'
AND errorCode = 'VpceAccessDenied'
AND eventtime >= '2025-02-18 17:00:00'
AND eventtime <= '2025-02-20 17:00:00'
ORDER BY eventTime DESC;