Reading a CloudTrail Event Record
Decode the JSON fields that describe who made each call.
Anatomy of an Event
A CloudTrail event is a JSON record with a consistent set of fields. Learning to read it lets you reconstruct exactly what happened during an investigation.
Each record describes one API call: who made it, what they did, when, from where, and what the result was.
The userIdentity Field
The most important field for security is userIdentity. It describes the principal that made the call — its type (IAMUser, AssumedRole, Root, AWSService), account, and ARN (Amazon Resource Name).
This is how you attribute an action to a specific person, role, or service with confidence.
"userIdentity": {
  "type": "AssumedRole",
  "arn": "arn:aws:sts::1111:assumed-role/Admin/alice"
}
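The attribution step described above, as an added example that is not part of the original lesson: it turns each record's userIdentity into a principal and prints who, what, when, from where, and the result. The function names `attribute` and `summarize` are hypothetical, and the sample records are constructed for illustration.

```python
import json

# Constructed sample records (not real logs); account ID 1111 follows the page's snippet.
SAMPLE = json.loads("""[
 {"eventTime": "2024-05-01T10:00:00Z", "eventName": "StopLogging",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::1111:assumed-role/Admin/alice"}},
 {"eventTime": "2024-05-01T10:02:00Z", "eventName": "CreateAccessKey",
  "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "userName": "bob",
                   "arn": "arn:aws:iam::1111:user/bob"}},
 {"eventTime": "2024-05-01T10:03:00Z", "eventName": "Decrypt",
  "sourceIPAddress": "autoscaling.amazonaws.com",
  "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"}}
]""")

def attribute(record):
    """Map one record's userIdentity to (type, principal, session name)."""
    uid = record.get("userIdentity") or {}
    kind, arn = uid.get("type", "Unknown"), uid.get("arn", "")
    fallback = arn or uid.get("principalId", "?")
    if kind == "AssumedRole":
        # Resource part of the ARN is assumed-role/<role>/<session-name>.
        parts = arn.split(":", 5)[-1].split("/", 2)
        if len(parts) != 3 or parts[0] != "assumed-role":
            return (kind, fallback, None)
        issuer = (uid.get("sessionContext") or {}).get("sessionIssuer") or {}
        # Prefer the issuing role's ARN when the record carries it. The session
        # name is set by the caller of AssumeRole, so treat it as a label.
        return (kind, issuer.get("arn", parts[1]), parts[2])
    if kind == "IAMUser":
        return (kind, uid.get("userName") or fallback, None)
    if kind == "AWSService":
        return (kind, uid.get("invokedBy", "?"), None)
    return (kind, fallback, None)  # Root and any other type: report the ARN

def summarize(records):
    """One line per call: when, who, what, from where, result."""
    lines = []
    for r in records:
        kind, who, session = attribute(r)
        actor = f"{who} (session {session})" if session else who
        result = r.get("errorCode", "ok")  # errorCode is absent on success
        lines.append(f'{r.get("eventTime")} {kind} {actor} {r.get("eventName")} '
                     f'from {r.get("sourceIPAddress")} -> {result}')
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```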