AWS Security ChangesHomeSearch

AWS awscloudtrail documentation change

Service: awscloudtrail · 2025-04-11 · Documentation low

File: awscloudtrail/latest/userguide/creating-an-organizational-trail-in-the-console.md

Summary

Added detailed predefined log selector templates and new filter fields including sessionCredentialFromConsole and userIdentity.arn

Security assessment

Documents security-related filtering capabilities for audit trails but does not address a specific vulnerability

Diff

diff --git a/awscloudtrail/latest/userguide/creating-an-organizational-trail-in-the-console.md b/awscloudtrail/latest/userguide/creating-an-organizational-trail-in-the-console.md
index c7801c521..70f5a4df6 100644
--- a//awscloudtrail/latest/userguide/creating-an-organizational-trail-in-the-console.md
+++ b//awscloudtrail/latest/userguide/creating-an-organizational-trail-in-the-console.md
@@ -91 +91,13 @@ For **Resource type** , choose the resource type on which you want to log data e
-  13. Choose a log selector template. CloudTrail includes predefined templates that log all data events for the resource type. To build a custom log selector template, choose **Custom**.
+  13. Choose a log selector template. You can choose a predefined template, or choose **Custom** to define your own event collection conditions.
+
+You can choose from the following predefined templates:
+
+     * **Log all events** – Choose this template to log all events.
+
+     * **Log only read events** – Choose this template to log only read events. Read-only events are events that do not change the state of a resource, such as `Get*` or `Describe*` events.
+
+     * **Log only write events** – Choose this template to log only write events. Write events add, change, or delete resources, attributes, or artifacts, such as `Put*`, `Delete*`, or `Write*` events.
+
+     * **Log only AWS Management Console events** – Choose this template to log only events originating from the AWS Management Console.
+
+     * **Exclude AWS service initiated events** – Choose this template to exclude AWS service events, which have an `eventType` of `AwsServiceEvent`, and events initiated with AWS service-linked roles (SLRs).
@@ -116,0 +129,8 @@ Selectors don't support the use of wildcards like `*` . To match multiple values
+       * **`eventSource`** – The event source to include or exclude. This field can use any operator.
+
+       * **eventType** – The event type to include or exclude. For example, you can set this field to **not equals** `AwsServiceEvent` to exclude [AWS service events](./non-api-aws-service-events.html). For a list of event types, see [eventType](./cloudtrail-event-reference-record-contents.html#ct-event-type) in [CloudTrail record contents for management, data, and network activity events](./cloudtrail-event-reference-record-contents.html).
+
+       * **sessionCredentialFromConsole** – Include or exclude events originating from an AWS Management Console session. This field can be set to **equals** or **not equals** with a value of `true`.
+
+       * **userIdentity.arn** – Include or exclude events for actions taken by specific IAM identities. For more information, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
+