View audit events
- Admin role
- Audits > Audit > View permission
To view audit events, perform the following steps:
- Open the audit log viewer.
- Search for audit events.
The Audit Viewer displays all events for the current day by default. To view events for a different date or date range, perform the following steps:
- To select a date, click the Previous date and Next date arrows on either sides of the date link.
- To select a date range:
- To open the calendar, click the current date link.
- Select the start date and end dates for the date range on the calendar.
Note: Intervals cannot exceed more than the last 14 days. To view audit events for a period prior to the last 14 days, use the Audit APIs referenced in the Developer Center. - ClickEnter .
Click the image to enlarge.
You can search for events by date range and then use the filters in the Filter by Service section to refine the search audit results. To refine the search results after selecting a date range, perform the following steps:
- Click to expand the Filter by Service section.
- Select a service from the Service Name list.
- Select an entity type.
- Select an action.
- Click Refresh .
An entity is an object or component on which the action is taken. For example, an entity could be the queue, flow, or user that is being changed.
To search for events by entity, perform the following steps:
- Click to expand the Filer by Entity section.
- Enter an entity ID in the Filter by Entity field.
- Click Refresh .
Click the image to enlarge.
To search for events by user, perform the following steps:
- Click to expand the Filter by User section.
- Enter a user name in the Search for a user field.
- Click Refresh .
- To select a date, click the Previous date and Next date arrows on either sides of the date link.
- View details of an event.
To view details of an event, click the event on the search results in the Audit Viewer. The Details window opens and you can view the following details:
- Who or what performed the action: You can view whether an API or upstream service caused the action. A related link is available to indicate the causing event. You can also view if a user within the organization performed the action that caused an audit event.
- RemoteIP: If a user generated an event, you can view the user’s RemoteIP.
- Property Changes: You can view the property values before and after the change.
- Related events: You can view any related upstream or downstream events.
Asynch versus Real time
The Audit Viewer currently only displays audit events from the real-time query. For more information, see Audits Query and Audits APIs. Audit events that are available through the asynchronous queries can be consumed via an API or Amazon EventBridge.
Amazon EventBridge
You can use Amazon EventBridge integration to enable your organization to consume all available audit events. This process is useful for organizations that want to either back up their audit events or ingest them into their own log tooling.
To view related upstream or downstream events for an event, click the event in the search results and then click See related audits. The Details window displays the related audits.