AWS awscloudtrail documentation change
Summary
Expanded documentation for predefined log selector templates, adding descriptions of template options including read/write/console events and exclusion of AWS service events
Security assessment
The change enhances documentation about logging configurations but does not address a specific security vulnerability. It improves clarity around security-relevant logging features like write event tracking.
Diff
diff --git a/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.md b/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.md index 90e93b9b6..7bf5e3618 100644 --- a//awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.md +++ b//awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.md @@ -161 +161,13 @@ To exclude high-volume events like `Encrypt`, `Decrypt`, and `GenerateDataKey`, - 1. In **Log selector template** , choose a template, or **Custom** to build a custom configuration based on advanced event selector field values. + 1. In **Log selector template** , choose a predefined template, or **Custom** to build a custom configuration based on advanced event selector field values. + +You can choose from the following predefined templates: + + * **Log all events** – Choose this template to log all events. + + * **Log only read events** – Choose this template to log only read events. Read-only events are events that do not change the state of a resource, such as `Get*` or `Describe*` events. + + * **Log only write events** – Choose this template to log only write events. Write events add, change, or delete resources, attributes, or artifacts, such as `Put*`, `Delete*`, or `Write*` events. + + * **Log only AWS Management Console events** – Choose this template to log only events originating from the AWS Management Console. + + * **Exclude AWS service initiated events** – Choose this template to exclude AWS service events, which have an `eventType` of `AwsServiceEvent`, and events initiated with AWS service-linked roles (SLRs).