AWS Blogs, March 31
AWS CloudTrail network activity events for VPC endpoints now generally available

 

AWS CloudTrail now offers network activity events for VPC endpoints, which let you record and monitor the AWS API activity that passes through your VPC endpoints. The feature strengthens the data perimeter and helps detect potential data exfiltration attempts and unauthorized access. You can enable it from the CloudTrail console by selecting network activity events and configuring event sources and filters. These events give you comprehensive visibility, helping you strengthen security monitoring, meet compliance requirements and optimize your AWS network infrastructure.

🕵️‍♀️ Comprehensive visibility: log all API activity traversing your VPC endpoints, regardless of which AWS account initiates the action.

🔑 External credential detection: identify when credentials from outside your organization are used to access a VPC endpoint.

🛡️ Data exfiltration prevention: detect and investigate potential unauthorized data movement attempts.

💡 Enhanced security monitoring: gain insight into all AWS API activity at your VPC endpoints without decrypting TLS traffic.

📜 Compliance visibility: improve your ability to meet regulatory requirements by tracking all API activity passing through.

<section class="blog-post-content lb-rtxt"><p>Today, I’m happy to announce the general availability of network activity events for <a href="https://aws.amazon.com/vpc/">Amazon Virtual Private Cloud (Amazon VPC)</a> endpoints in <a href="https://aws.amazon.com/cloudtrail/">AWS CloudTrail</a>. This feature helps you record and monitor AWS API activity traversing your VPC endpoints, strengthening your data perimeter and giving you better detective controls.</p>
<p>Previously, it was hard to detect potential data exfiltration attempts and unauthorized access to the resources within your network through VPC endpoints. VPC endpoint policies could be configured to prevent access from external accounts, but there was no built-in mechanism to log the denied actions or to detect when external credentials were used at a VPC endpoint. Getting that visibility meant building custom solutions to inspect and analyze TLS traffic, which was operationally costly and negated the benefits of encrypted communications.</p>
<p>With this new capability, you can opt in to log all AWS API activity passing through your VPC endpoints. 
CloudTrail records these events as a new event type called network activity events, which capture both control plane and data plane actions passing through a VPC endpoint. The events are logged in the account that owns the VPC endpoint, so a call made through your endpoint with credentials from another AWS account appears in your trail, even though that account’s own CloudTrail would only ever record it there.</p>
<p>Network activity events in CloudTrail provide several key benefits:</p>
<ul><li><strong>Comprehensive visibility</strong> – Log all API activity traversing VPC endpoints, regardless of the AWS account initiating the action.</li><li><strong>External credential detection</strong> – Identify when credentials from outside your organization are accessing your VPC endpoint.</li><li><strong>Data exfiltration prevention</strong> – Detect and investigate potential unauthorized data movement attempts.</li><li><strong>Enhanced security monitoring</strong> – Gain insight into all AWS API activity at your VPC endpoints without the need to decrypt TLS traffic.</li><li><strong>Visibility for regulatory compliance</strong> – Improve your ability to meet regulatory requirements by tracking all API activity passing through.</li></ul>
<p><strong>Getting started with network activity events for VPC endpoint logging<br /></strong> To enable network activity events, I go to the <a href="https://console.aws.amazon.com/cloudtrailv2">AWS CloudTrail</a> console and choose <strong>Trails</strong> in the navigation pane. I choose <strong>Create trail</strong> to create a new one. I enter a name in the <strong>Trail name</strong> field and choose an <a href="https://aws.amazon.com/s3/">Amazon Simple Storage Service (Amazon S3)</a> bucket to store the event logs. When I create a trail in CloudTrail, I can specify an existing Amazon S3 bucket or create a new bucket to store my trail’s event logs.</p>
<p>If you set <strong>Log file SSE-KMS encryption</strong> to <strong>Enabled</strong>, you have two options: choose <strong>New</strong> to create a new <a href="https://aws.amazon.com/kms/">AWS Key Management Service (AWS KMS)</a> key, or choose <strong>Existing</strong> to use an existing KMS key. 
If you choose <strong>New</strong>, you need to type an alias in the <strong>AWS KMS alias</strong> field. CloudTrail encrypts your log files with this KMS key and adds the required key policy for you. The KMS key and the Amazon S3 bucket must be in the same AWS Region. For this example, I use an existing KMS key. I enter its alias in the <strong>AWS KMS alias</strong> field and leave the rest at the defaults for this demo. I choose <strong>Next</strong> for the next step.</p>
<p><a href="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/01/23/01a-vpce-LaunchMarketingIntake-1442.png"><img class="alignnone size-full wp-image-93384" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/01/23/01a-vpce-LaunchMarketingIntake-1442.png" alt="" width="1675" height="802" /></a></p>
<p>In the <strong>Choose log events</strong> step, I choose <strong>Network activity events</strong> under <strong>Events</strong>. I choose the event source from the list of AWS services, such as <code>cloudtrail.amazonaws.com</code>, <code>ec2.amazonaws.com</code>, <code>kms.amazonaws.com</code>, <code>s3.amazonaws.com</code> and <code>secretsmanager.amazonaws.com</code>. I add two network activity event sources for this demo. For the first source, I select the <code>ec2.amazonaws.com</code> option. For <strong>Log selector template</strong>, I can use templates for common use cases or create fine-grained filters for specific scenarios. For example, to log all API activity traversing the VPC endpoint, I can choose the <strong>Log all events</strong> template. On a busy endpoint that captures every call and produces a correspondingly large volume of events, so the <strong>Log network activity access denied events</strong> template, which logs only the calls the VPC endpoint policy rejected, is a compact starting point for detective controls. I choose the <strong>Log network activity access denied events</strong> template to log only access denied events. 
Optionally, I can enter a name in the <strong>Selector name</strong> field to identify the log selector, such as <strong>Include network activity events for Amazon EC2</strong>.</p>
<p><a href="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/01/23/02-vpce-LaunchMarketingIntake-1442.png"><img class="alignnone size-full wp-image-93385" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/01/23/02-vpce-LaunchMarketingIntake-1442.png" alt="" width="1507" height="782" /></a></p>
<p>As a second example, I choose <strong>Custom</strong> to create custom filters on multiple fields, such as <strong>eventName</strong> and <strong>vpcEndpointId</strong>. I can specify particular VPC endpoint IDs or filter the results to include only the VPC endpoints that match specific criteria. For <strong>Advanced event selectors</strong>, I choose <strong>vpcEndpointId</strong> from the <strong>Field</strong> dropdown, choose <strong>equals</strong> as the <strong>Operator</strong>, and enter the VPC endpoint ID. When I expand the JSON view, I can see my event selectors as a JSON block; the same advanced event selectors can be applied with the AWS CLI or an SDK instead of the console. I choose <strong>Next</strong> and, after reviewing the selections, I choose <strong>Create trail</strong>.</p>
<p><a href="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/01/23/03-vpce-LaunchMarketingIntake-1442.png"><img class="alignnone size-full wp-image-93386" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/01/23/03-vpce-LaunchMarketingIntake-1442.png" alt="" width="1388" height="813" /></a></p>
<p>After it’s configured, CloudTrail begins logging network activity events for my VPC endpoints, and I can analyze and act on that data. 
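<p>The selectors that the console steps above produce, built in code and applied to a trail with boto3. This is an added example, not code from the post or from AWS: the trail name and VPC endpoint ID are placeholders, and the set of fields accepted in a network activity selector is an assumption taken from the CloudTrail documentation, so check it there before relying on the local validation.</p>

```python
"""Build the advanced event selectors the console walk-through creates and,
optionally, apply them to an existing trail with boto3.

Added example; not from the AWS blog post. The trail name and the VPC endpoint
ID are placeholders. ALLOWED_FIELDS is an assumption drawn from the CloudTrail
docs for network activity events and should be verified there.
"""
import json

NETWORK_ACTIVITY = "NetworkActivity"

# Assumption: fields an advanced event selector may use for network activity
# events. eventCategory is mandatory; the other four narrow the selection.
ALLOWED_FIELDS = {"eventCategory", "eventSource", "eventName", "errorCode", "vpcEndpointId"}


def network_activity_selector(name, event_source, **filters):
    """Return one advanced event selector in the CloudTrail API shape.

    filters maps a field name to a list of exact-match values, for example
    errorCode=["VpceAccessDenied"] or vpcEndpointId=["vpce-0123..."].
    Unknown fields raise ValueError here, so a typo such as 'vpcEndpointID'
    fails locally instead of at the PutEventSelectors call.
    """
    field_selectors = [
        {"Field": "eventCategory", "Equals": [NETWORK_ACTIVITY]},
        {"Field": "eventSource", "Equals": [event_source]},
    ]
    for field, values in filters.items():
        if field not in ALLOWED_FIELDS or field in ("eventCategory", "eventSource"):
            raise ValueError(f"unsupported network activity selector field: {field}")
        field_selectors.append({"Field": field, "Equals": list(values)})
    return {"Name": name, "FieldSelectors": field_selectors}


def management_events_selector():
    """Keep management events flowing; PutEventSelectors replaces all selectors."""
    return {"Name": "Management events",
            "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]}


def demo_selectors(vpc_endpoint_id="vpce-0123456789abcdef0"):
    """The two selectors from the walk-through (EC2 calls the endpoint policy
    denied, and every S3 call on one specific endpoint) plus management events."""
    return [
        management_events_selector(),
        network_activity_selector(
            "Include network activity events for Amazon EC2",
            "ec2.amazonaws.com",
            errorCode=["VpceAccessDenied"],
        ),
        network_activity_selector(
            "All S3 calls on one endpoint",
            "s3.amazonaws.com",
            vpcEndpointId=[vpc_endpoint_id],  # placeholder endpoint ID
        ),
    ]


def apply_selectors(trail_name, selectors):
    """Attach the selectors to an existing trail. Needs AWS credentials and
    boto3; imported lazily so the rest of the module works offline."""
    import boto3  # assumption: boto3 is installed where this runs
    client = boto3.client("cloudtrail")
    return client.put_event_selectors(TrailName=trail_name, AdvancedEventSelectors=selectors)


if __name__ == "__main__":
    print(json.dumps(demo_selectors(), indent=2))
```

<p>PutEventSelectors replaces whatever selectors the trail already has, which is why <code>demo_selectors()</code> carries a Management selector next to the two network activity ones: apply only the network activity selectors and the trail silently stops recording management events.</p>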
To analyze CloudTrail network activity events, you can use the CloudTrail console, the <a href="https://aws.amazon.com/cli/">AWS Command Line Interface (AWS CLI)</a> or an <a href="https://aws.amazon.com/developer/tools/">AWS SDK</a> to retrieve the relevant logs. You can also use <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html">CloudTrail Lake</a> to capture, store and analyze your network activity events. If you are using trails, you can use <a href="https://aws.amazon.com/athena">Amazon Athena</a> to query and filter these events based on specific criteria. The records carry <code>eventCategory</code> set to <code>NetworkActivity</code>, a <code>vpcEndpointId</code> field and, for rejected calls, the error code <code>VpceAccessDenied</code>, so you can separate them from management and data events, group activity per endpoint and pull out the denials. Regular analysis of these events can help you maintain security, comply with regulations and optimize your network infrastructure in AWS.</p>
<p><strong>Now available<br /></strong> CloudTrail network activity events for VPC endpoint logging give you a powerful tool to enhance your security posture, detect potential threats and gain deeper insight into the API traffic crossing your VPC endpoints. This feature addresses the need for comprehensive visibility and control over your AWS environments.</p>
<p>Network activity events for VPC endpoints are available in all commercial AWS Regions.</p>
<p>For pricing information, visit <a href="https://aws.amazon.com/cloudtrail/pricing/">AWS CloudTrail pricing</a>.</p>
<p>To get started with CloudTrail network activity events, visit <a href="https://aws.amazon.com/cloudtrail/">AWS CloudTrail</a>. 
For more information on CloudTrail and its features, refer to the <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html">AWS CloudTrail documentation</a>.</p><a href="https://www.linkedin.com/in/esrakayabali/">— Esra</a></section>
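<p>An added example, not from the post or from AWS, of the analysis the post describes: triaging network activity events pulled from a trail’s log files for the signals it lists (external credentials, endpoint-policy denials, data movement). The records are constructed to follow the CloudTrail record layout with made-up account IDs, endpoint IDs, ARNs and addresses, and <code>TRUSTED_ACCOUNTS</code> is a placeholder for your organization’s account list.</p>

```python
"""Triage CloudTrail network activity events for external credentials at a
VPC endpoint, endpoint-policy denials and unauthorized data movement.

Added example, not code from the AWS blog post. SAMPLE_RECORDS are constructed
to follow the CloudTrail record layout (eventCategory "NetworkActivity",
vpcEndpointId, vpcEndpointAccountId, errorCode "VpceAccessDenied"); every
account ID, endpoint ID, ARN and IP address is made up. TRUSTED_ACCOUNTS
stands in for the account list you would pull from AWS Organizations.
"""
import gzip
import json
from collections import Counter

# Assumption: the account IDs that belong to your organization (placeholders).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

# S3 calls that move object bytes, the ones that matter for exfiltration triage.
S3_DATA_MOVING = {"GetObject", "PutObject", "CopyObject", "UploadPart"}

NA = "NetworkActivity"
OWNER = {"vpcEndpointAccountId": "111111111111", "recipientAccountId": "111111111111"}

# Constructed sample records (a trimmed CloudTrail log file "Records" array).
SAMPLE_RECORDS = [
    {   # 1: in-org caller, routine call, nothing to flag
        "eventCategory": NA, "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "eventTime": "2025-01-23T10:00:01Z", "sourceIPAddress": "10.0.1.15",
        "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0a1"},
        "vpcEndpointId": "vpce-0aaa111122223333a", **OWNER,
    },
    {   # 2: credentials from an unknown account push an object through your S3 endpoint
        "eventCategory": NA, "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "eventTime": "2025-01-23T10:02:17Z", "sourceIPAddress": "10.0.1.15",
        "userIdentity": {"accountId": "999999999999", "arn": "arn:aws:iam::999999999999:user/drop"},
        "vpcEndpointId": "vpce-0bbb111122223333b", **OWNER,
    },
    {   # 3: same unknown account, but the endpoint policy rejected this call
        "eventCategory": NA, "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "eventTime": "2025-01-23T10:02:40Z", "sourceIPAddress": "10.0.1.15",
        "userIdentity": {"accountId": "999999999999", "arn": "arn:aws:iam::999999999999:user/drop"},
        "errorCode": "VpceAccessDenied", "errorMessage": "The request was denied due to a VPC endpoint policy",
        "vpcEndpointId": "vpce-0bbb111122223333b", **OWNER,
    },
    {   # 4: in-org caller denied by the endpoint policy (misconfiguration or probing)
        "eventCategory": NA, "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
        "eventTime": "2025-01-23T10:05:03Z", "sourceIPAddress": "10.0.2.9",
        "userIdentity": {"accountId": "222222222222", "arn": "arn:aws:sts::222222222222:assumed-role/batch/i-0b2"},
        "errorCode": "VpceAccessDenied", "vpcEndpointId": "vpce-0ccc111122223333c", **OWNER,
    },
    {   # 5: a management event; not a network activity event, so it is skipped
        "eventCategory": "Management", "eventSource": "iam.amazonaws.com", "eventName": "ListRoles",
        "userIdentity": {"accountId": "111111111111"},
    },
]


def load_records(path):
    """Read one gzipped CloudTrail log file, as delivered to S3, and return its records."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def triage(records, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return one finding per (record, rule) match, in input order."""
    findings = []
    for r in records:
        if r.get("eventCategory") != NA:
            continue  # management/data events are covered by other detections
        ident = r.get("userIdentity", {})
        caller = ident.get("accountId")
        base = {
            "eventTime": r.get("eventTime"), "vpcEndpointId": r.get("vpcEndpointId"),
            "callerAccount": caller, "callerArn": ident.get("arn"),
            "api": f'{r.get("eventSource")}:{r.get("eventName")}',
            "sourceIp": r.get("sourceIPAddress"),  # the ENI inside your VPC that made the call
        }
        if caller and caller not in trusted_accounts:
            # Only a successful S3 data call actually moved bytes; a denied one is
            # still reported, but under the plain external-credentials rule.
            moved = (r.get("eventSource") == "s3.amazonaws.com"
                     and r.get("eventName") in S3_DATA_MOVING
                     and "errorCode" not in r)
            findings.append({**base, "rule": "external-credentials-data-moved" if moved
                             else "external-credentials"})
        if r.get("errorCode") == "VpceAccessDenied":
            findings.append({**base, "rule": "denied-by-endpoint-policy"})
    return findings


def summarize(findings):
    """Count findings per rule, the shape you would push to a dashboard or alert."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS)
    for f in found:
        print(json.dumps(f))
    print(dict(summarize(found)))
```

<p>Against a real delivery, run <code>triage(load_records("path/to/file.json.gz"))</code>. The external-credentials rule is the one a VPC endpoint policy alone cannot give you: the caller’s account comes from <code>userIdentity</code> in the event, and <code>sourceIPAddress</code> is the private address of the ENI in your VPC that issued the call, which is the host to pull for forensics. Success is inferred from the absence of <code>errorCode</code>, so a denied <code>PutObject</code> surfaces as external-credentials plus denied-by-endpoint-policy rather than as data moved.</p>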
