{
	"id": "b82e9c14-6125-4cfb-a057-02ff1421a2f8",
	"created_at": "2026-04-06T02:11:30.838634Z",
	"updated_at": "2026-04-10T03:21:42.893326Z",
	"deleted_at": null,
	"sha1_hash": "b19e0de9345655eebeb9a4def94455e0a49c6e5c",
	"title": "Logging AWS Backup API calls with CloudTrail",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 110940,
	"plain_text": "Logging AWS Backup API calls with CloudTrail\r\nArchived: 2026-04-06 02:06:58 UTC\r\nAWS Backup is integrated with AWS CloudTrail a service that provides a record of actions taken by a user, role,\r\nor an AWS service service. CloudTrail captures all API calls for AWS Backup as events. The calls captured\r\ninclude calls from the AWS Backup console and code calls to the AWS Backup API operations. Using the\r\ninformation collected by CloudTrail, you can determine the request that was made to AWS Backup, the IP address\r\nfrom which the request was made, when it was made, and additional details.\r\nEvery event or log entry contains information about who generated the request. The identity information helps you\r\ndetermine the following:\r\nWhether the request was made with root user or user credentials.\r\nWhether the request was made on behalf of an IAM Identity Center user.\r\nWhether the request was made with temporary security credentials for a role or federated user.\r\nWhether the request was made by another AWS service.\r\nCloudTrail is active in your AWS account when you create the account and you automatically have access to the\r\nCloudTrail Event history. The CloudTrail Event history provides a viewable, searchable, downloadable, and\r\nimmutable record of the past 90 days of recorded management events in an AWS Region. For more information,\r\nsee Working with CloudTrail Event history in the AWS CloudTrail User Guide. There are no CloudTrail charges\r\nfor viewing the Event history.\r\nFor an ongoing record of events in your AWS account past 90 days, create a trail or a CloudTrail Lake event data\r\nstore.\r\nCloudTrail trails\r\nA trail enables CloudTrail to deliver log files to an Amazon S3 bucket. All trails created using the AWS\r\nManagement Console are multi-Region. You can create a single-Region or a multi-Region trail by using\r\nthe AWS CLI. Creating a multi-Region trail is recommended because you capture activity in all AWS\r\nRegions in your account. If you create a single-Region trail, you can view only the events logged in the\r\ntrail's AWS Region. For more information about trails, see Creating a trail for your AWS account and\r\nCreating a trail for an organization in the AWS CloudTrail User Guide.\r\nYou can deliver one copy of your ongoing management events to your Amazon S3 bucket at no charge\r\nfrom CloudTrail by creating a trail, however, there are Amazon S3 storage charges. For more information\r\nabout CloudTrail pricing, see AWS CloudTrail Pricing. For information about Amazon S3 pricing, see\r\nAmazon S3 Pricing.\r\nCloudTrail Lake event data stores\r\nhttps://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\r\nPage 1 of 10\n\nCloudTrail Lake lets you run SQL-based queries on your events. CloudTrail Lake converts existing events\r\nin row-based JSON format to Apache ORC format. ORC is a columnar storage format that is optimized for\r\nfast retrieval of data. Events are aggregated into event data stores, which are immutable collections of\r\nevents based on criteria that you select by applying advanced event selectors. The selectors that you apply\r\nto an event data store control which events persist and are available for you to query. For more information\r\nabout CloudTrail Lake, see Working with AWS CloudTrail Lake in the AWS CloudTrail User Guide.\r\nCloudTrail Lake event data stores and queries incur costs. When you create an event data store, you choose\r\nthe pricing option you want to use for the event data store. The pricing option determines the cost for\r\ningesting and storing events, and the default and maximum retention period for the event data store. For\r\nmore information about CloudTrail pricing, see AWS CloudTrail Pricing.\r\nAWS Backup events in CloudTrail\r\nAWS Backup generates these CloudTrail events when it performs backups, restores, copies, scans or notifications.\r\nThese events are not necessarily generated by use of the AWS Backup public APIs. For more information, see\r\nAWS service events in the AWS CloudTrail User Guide.\r\nAssociateBackupVaultMpaApprovalTeamCompleted\r\nAssociateBackupVaultMpaApprovalTeamFailed\r\nBackupDeleted\r\nBackupJobCompleted\r\nBackupJobStarted\r\nBackupSelectionDeletedDueToSLRDeletion\r\nBackupTransitionedToCold\r\nCopyJobCompleted\r\nCopyJobStarted\r\nCreateRestoreAccessBackupVaultFailed\r\nDisassociateBackupVaultMpaApprovalTeamFailed\r\nPutBackupVaultNotifications\r\nRecoveryPointCreated\r\nReportJobCompleted\r\nReportJobStarted\r\nRestoreAccessBackupVaultDeleted\r\nhttps://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\r\nPage 2 of 10\n\nRestoreCompleted\r\nRestoreStarted\r\nRevokeRestoreAccessBackupVaultFailed\r\nScanJobCompleted\r\nScanJobCreated\r\nScanJobFailed\r\nScanJobStarted\r\nUnderstanding AWS Backup log file entries\r\nA trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify.\r\nCloudTrail log files contain one or more log entries. An event represents a single request from any source and\r\nincludes information about the requested action, the date and time of the action, request parameters, and so on.\r\nCloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.\r\nThe following example shows a CloudTrail log entry that demonstrates the StartBackupJob , StartRestoreJob ,\r\nand DeleteRecoveryPoint actions and also the BackupJobCompleted event.\r\n{\r\n \"eventVersion\": \"1.05\",\r\n \"userIdentity\": {\r\n \"type\": \"Root\",\r\n \"principalId\": \"123456789012\",\r\n \"arn\": \"arn:aws:iam::123456789012:root\",\r\n \"accountId\": \"123456789012\",\r\n \"accessKeyId\": \"AKIAI44QH8DHBEXAMPLE\",\r\n \"sessionContext\": {\r\n \"attributes\": {\r\n \"mfaAuthenticated\": \"false\",\r\n \"creationDate\": \"2019-01-10T12:24:50Z\"\r\n }\r\n }\r\n },\r\n \"eventTime\": \"2019-01-10T13:45:24Z\",\r\n \"eventSource\": \"backup.amazonaws.com\",\r\n \"eventName\": \"StartBackupJob\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"12.34.567.89\",\r\n \"userAgent\": \"aws-internal/3 aws-sdk-java/1.11.465 Linux/4.9.124-0.1.ac.198.73.329.metal1.x86_64 OpenJDK_64-\r\n \"requestParameters\": {\r\n \"backupVaultName\": \"Default\",\r\nhttps://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\r\nPage 3 of 10\n\n\"resourceArn\": \"arn:aws:ec2:us-east-1:123456789012:volume/vol-00a422a05b9c6asd3\",\r\n \"iamRoleArn\": \"arn:aws:iam::123456789012:role/AWSBackup\",\r\n \"startWindowMinutes\": 60\r\n },\r\n \"responseElements\": {\r\n \"backupJobId\": \"8a3c2a87-b23e-4d56-b045-fa9e88ede4e6\",\r\n \"creationDate\": \"Jan 10, 2019 1:45:24 PM\"\r\n },\r\n \"requestID\": \"98cf4d59-8c76-49f7-9201-790743931234\",\r\n \"eventID\": \"fe8146a5-7812-4a95-90ad-074498be1234\",\r\n \"eventType\": \"AwsApiCall\",\r\n \"recipientAccountId\": \"account-id\"\r\n},\r\n{\r\n \"eventVersion\": \"1.05\",\r\n \"userIdentity\": {\r\n \"type\": \"Root\",\r\n \"principalId\": \"123456789012\",\r\n \"arn\": \"arn:aws:iam::123456789012:root\",\r\n \"accountId\": \"123456789012\",\r\n \"accessKeyId\": \"AKIAI44QH8DHBEXAMPLE\",\r\n \"sessionContext\": {\r\n \"attributes\": {\r\n \"mfaAuthenticated\": \"false\",\r\n \"creationDate\": \"2019-01-10T12:24:50Z\"\r\n }\r\n }\r\n },\r\n \"eventTime\": \"2019-01-10T13:49:50Z\",\r\n \"eventSource\": \"backup.amazonaws.com\",\r\n \"eventName\": \"StartRestoreJob\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"12.34.567.89\",\r\n \"userAgent\": \"aws-internal/3 aws-sdk-java/1.11.465 Linux/4.9.124-0.1.ac.198.73.329.metal1.x86_64 OpenJDK_64-\r\n \"requestParameters\": {\r\n \"recoveryPointArn\": \"arn:aws:ec2:us-east-1::snapshot/snap-00a129455bdbc9d99\",\r\n \"metadata\": {\r\n \"volumeType\": \"gp2\",\r\n \"availabilityZone\": \"us-east-1b\",\r\n \"volumeSize\": \"100\"\r\n },\r\n \"iamRoleArn\": \"arn:aws:iam::123456789012:role/AWSBackup\",\r\n \"idempotencyToken\": \"a9c8b4fb-d369-4a58-944b-942e442a8fe3\",\r\n \"resourceType\": \"EBS\"\r\n },\r\n \"responseElements\": {\r\n \"restoreJobId\": \"9808E090-8C76-CCB8-4CEA-407CF6AC4C43\"\r\nhttps://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\r\nPage 4 of 10\n\n},\r\n \"requestID\": \"783ddddc-6d7e-4539-8fab-376aa9668543\",\r\n \"eventID\": \"ff35ddea-7577-4aec-a132-964b7e9dd423\",\r\n \"eventType\": \"AwsApiCall\",\r\n \"recipientAccountId\": \"account-id\"\r\n},\r\n{\r\n \"eventVersion\": \"1.05\",\r\n \"userIdentity\": {\r\n \"type\": \"Root\",\r\n \"principalId\": \"123456789012\",\r\n \"arn\": \"arn:aws:iam::123456789012:root\",\r\n \"accountId\": \"123456789012\",\r\n \"accessKeyId\": \"AKIAI44QH8DHBEXAMPLE\",\r\n \"sessionContext\": {\r\n \"attributes\": {\r\n \"mfaAuthenticated\": \"false\",\r\n \"creationDate\": \"2019-01-10T12:24:50Z\"\r\n }\r\n }\r\n },\r\n \"eventTime\": \"2019-01-10T14:52:42Z\",\r\n \"eventSource\": \"backup.amazonaws.com\",\r\n \"eventName\": \"DeleteRecoveryPoint\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"12.34.567.89\",\r\n \"userAgent\": \"aws-internal/3 aws-sdk-java/1.11.465 Linux/4.9.124-0.1.ac.198.73.329.metal1.x86_64 OpenJDK_64-\r\n \"requestParameters\": {\r\n \"backupVaultName\": \"Default\",\r\n \"recoveryPointArn\": \"arn:aws:ec2:us-east-1::snapshot/snap-05f426fd9daab3433\"\r\n },\r\n \"responseElements\": null,\r\n \"requestID\": \"f1f1b33a-48da-436c-9a8f-7574f1ab5fd7\",\r\n \"eventID\": \"2dd70080-5aba-4a79-9a0f-92647c9f0846\",\r\n \"eventType\": \"AwsApiCall\",\r\n \"recipientAccountId\": \"account-id\"\r\n},\r\n{\r\n \"eventVersion\": \"1.05\",\r\n \"userIdentity\": {\r\n \"accountId\": \"123456789012\",\r\n \"invokedBy\": \"backup.amazonaws.com\"\r\n },\r\n \"eventTime\": \"2019-01-10T08:24:39Z\",\r\n \"eventSource\": \"backup.amazonaws.com\",\r\n \"eventName\": \"BackupJobCompleted\",\r\n \"awsRegion\": \"us-east-1\",\r\nhttps://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\r\nPage 5 of 10\n\n\"sourceIPAddress\": \"backup.amazonaws.com\",\r\n \"userAgent\": \"backup.amazonaws.com\",\r\n \"requestParameters\": null,\r\n \"responseElements\": null,\r\n \"eventID\": \"2e7e4fcf-0c52-467f-9fd0-f61c2fcf7d17\",\r\n \"eventType\": \"AwsServiceEvent\",\r\n \"recipientAccountId\": \"account-id\",\r\n \"serviceEventDetails\": {\r\n \"completionDate\": {\r\n \"seconds\": 1547108091,\r\n \"nanos\": 906000000\r\n },\r\n \"state\": \"COMPLETED\",\r\n \"percentDone\": 100,\r\n \"backupJobId\": \"8A8E738B-A8C5-E058-8224-90FA323A3C0E\",\r\n \"backupVaultName\": \"BackupVault\",\r\n \"backupVaultArn\": \"arn:aws:backup:us-east-1:123456789012:backup-vault:BackupVault\",\r\n \"recoveryPointArn\": \"arn:aws:ec2:us-east-1::snapshot/snap-07ce8c3141d361233\",\r\n \"resourceArn\": \"arn:aws:ec2:us-east-1:123456789012:volume/vol-06692095a6a421233\",\r\n \"creationDate\": {\r\n \"seconds\": 1547101638,\r\n \"nanos\": 272000000\r\n },\r\n \"backupSizeInBytes\": 8589934592,\r\n \"iamRoleArn\": \"arn:aws:iam::123456789012:role/AWSBackup\",\r\n \"resourceType\": \"EBS\"\r\n }\r\n}\r\nLogging cross-account management events\r\nWith AWS Backup, you can manage your backups across all AWS accounts inside your AWS Organizations\r\nstructure. AWS Backup generates these CloudTrail events in your member account when you create, update, or\r\ndelete an AWS Organizations backup policy (that applies backup plans to your member accounts) or when there is\r\nan invalid organization backup plan:\r\nCreateOrganizationalBackupPlan\r\nUpdateOrganizationalBackupPlan\r\nDeleteOrganizationalBackupPlan\r\nInvalidOrganizationBackupPlan\r\nExample: AWS Backup log file entries for cross-account management\r\nhttps://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\r\nPage 6 of 10\n\nA trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify.\r\nCloudTrail log files contain one or more log entries. An event represents a single request from any source and\r\nincludes information about the requested action, the date and time of the action, request parameters, and so on.\r\nCloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.\r\nThe following example shows a CloudTrail log entry that demonstrates the CreateOrganizationalBackupPlan\r\naction.\r\n{\r\n \"eventVersion\": \"1.05\",\r\n \"userIdentity\": {\r\n \"accountId\": \"123456789012\",\r\n \"invokedBy\": \"backup.amazonaws.com\"},\r\n \"eventTime\": \"2020-06-02T00:34:00Z\",\r\n \"eventSource\": \"backup.amazonaws.com\",\r\n \"eventName\": \"CreateOrganizationalBackupPlan\",\r\n \"awsRegion\": \"ca-central-1\",\r\n \"sourceIPAddress\": \"backup.amazonaws.com\",\r\n \"userAgent\": \"backup.amazonaws.com\",\r\n \"requestParameters\": null,\r\n \"responseElements\": null,\r\n \"eventID\": \"f2642255-af77-4203-8c37-7ca19d898e84\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsServiceEvent\",\r\n \"recipientAccountId\": \"account-id\",\r\n \"serviceEventDetails\": {\r\n \"backupPlanId\": \"orgs/544033d1-b19c-3f2a-9c20-40bcfa82ca68\",\r\n \"backupPlanVersionId\": \"ZTA1Y2ZjZDYtNmRjMy00ZTA1LWIyNTAtM2M1NzQ4OThmNzRj\",\r\n \"backupPlanArn\": \"arn:aws:backup:ca-central-1:123456789012:backup-plan:orgs/544033d1-b19c-3f2a-9c20-40bc\r\n \"backupPlanName\": \"mybackupplan\",\r\n \"backupRules\": \"[{\\\"id\\\":\\\"745fd0ea-7f57-3f35-8a0e-ed4b8c48a8e2\\\",\\\"name\\\":\\\"hourly\\\",\\\"description\\\":nu\r\n \"backupSelections\": \"[{\\\"name\\\":\\\"selectiondatatype\\\",\\\"arn\\\":\\\"arn:aws:backup:ca-central-1:123456789012\r\n \"creationDate\": {\r\n \"seconds\": 1591058040,\r\n \"nanos\": 695000000\r\n },\r\n \"organizationId\": \"org-id\",\r\n \"accountId\": \"123456789012\"\r\n }\r\n}\r\nThe following example shows a CloudTrail log entry that demonstrates the DeleteOrganizationalBackupPlan\r\naction.\r\n{\r\n \"eventVersion\": \"1.05\",\r\nhttps://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\r\nPage 7 of 10\n\n\"userIdentity\": {\r\n \"accountId\": \"123456789012\",\r\n \"invokedBy\": \"backup.amazonaws.com\"\r\n },\r\n \"eventTime\": \"2020-06-02T00:34:25Z\",\r\n \"eventSource\": \"backup.amazonaws.com\",\r\n \"eventName\": \"DeleteOrganizationalBackupPlan\",\r\n \"awsRegion\": \"ca-central-1\",\r\n \"sourceIPAddress\": \"backup.amazonaws.com\",\r\n \"userAgent\": \"backup.amazonaws.com\",\r\n \"requestParameters\": null,\r\n \"responseElements\": null,\r\n \"eventID\": \"5ce66cd0-b90c-4957-8e00-96ea1077b4fa\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsServiceEvent\",\r\n \"recipientAccountId\": \"account-id\",\r\n \"serviceEventDetails\": {\r\n \"backupPlanId\": \"orgs/544033d1-b19c-3f2a-9c20-40bcfa82ca68\",\r\n \"backupPlanVersionId\": \"ZTA1Y2ZjZDYtNmRjMy00ZTA1LWIyNTAtM2M1NzQ4OThmNzRj\",\r\n \"backupPlanArn\": \"arn:aws:backup:ca-central-1:123456789012:backup-plan:orgs/544033d1-b19c-3f2a-9c20-40bc\r\n \"backupPlanName\": \"mybackupplan\",\r\n \"deletionDate\": {\r\n \"seconds\": 1591058065,\r\n \"nanos\": 519000000\r\n },\r\n \"organizationId\": \"org-id\",\r\n \"accountId\": \"123456789012\"\r\n }\r\n}\r\nThe following example shows a CloudTrail log entry that demonstrates the event\r\nInvalidOrganizationBackupPlan , which is sent when AWS Backup receives an invalid backup plan from\r\nOrganizations.\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"accountId\": \"123456789012\",\r\n \"invokedBy\": \"backup.amazonaws.com\"\r\n },\r\n \"eventTime\": \"2022-06-11T13:29:23Z\",\r\n \"eventSource\": \"backup.amazonaws.com\",\r\n \"eventName\": \"InvalidOrganizationBackupPlan\",\r\n \"awsRegion\": \"Region\",\r\n \"sourceIPAddress\": \"backup.amazonaws.com\",\r\n \"userAgent\": \"backup.amazonaws.com\",\r\nhttps://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\r\nPage 8 of 10\n\n\"requestParameters\": null,\r\n \"responseElements\": null,\r\n \"eventID\": \"ab1de234-fg56-7890-h123-45ij678k9l01\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsServiceEvent\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"987654321098\",\r\n \"serviceEventDetails\": {\r\n \"effectivePolicyVersion\": 7,\r\n \"effectivePolicyId\": \"12345678-a9b0-123c-45d6-78e901f23456\",\r\n \"lastUpdatedTimestamp\": \"Jun 11, 2022 1:29:22 PM\",\r\n \"policyType\": \"BACKUP_POLICY\",\r\n \"effectiveBackupPlan\": {\r\n \"logicalName\": \"logical-name\",\r\n \"regions\": [\r\n \"Region\"\r\n ],\r\n \"rules\": [\r\n {\r\n \"name\": \"test-orgs\",\r\n \"targetBackupVaultName\": \"vault-name\",\r\n \"ruleLifecycle\": {\r\n \"deleteAfterDays\": 100\r\n },\r\n \"copyActions\": [],\r\n \"enableContinuousBackup\": true\r\n }\r\n ],\r\n \"selections\": {\r\n \"tagSelections\": [\r\n {\r\n \"selectionName\": \"selection-name\",\r\n \"iamRoleArn\": \"arn:aws:iam::$account:role/role\",\r\n \"targetedTags\": [\r\n {\r\n \"tagKey\": \"key\",\r\n \"tagValue\": \"value\"\r\n }\r\n ]\r\n }\r\n ]\r\n },\r\n \"backupPlanTags\": {\r\n \"key\": \"value\"\r\n }\r\n },\r\n \"organizationId\": \"org-id\",\r\nhttps://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\r\nPage 9 of 10\n\n\"accountId\": \"123456789012\"\r\n },\r\n \"eventCategory\": \"Management\"\r\n}\r\nSource: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\r\nhttps://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html"
	],
	"report_names": [
		"logging-using-cloudtrail.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441490,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b19e0de9345655eebeb9a4def94455e0a49c6e5c.pdf",
		"text": "https://archive.orkl.eu/b19e0de9345655eebeb9a4def94455e0a49c6e5c.txt",
		"img": "https://archive.orkl.eu/b19e0de9345655eebeb9a4def94455e0a49c6e5c.jpg"
	}
}