CloudTrail record contents for aggregated events - AWS CloudTrail

CloudTrail record contents for aggregated events

AWS CloudTrail aggregated event records include fields that are different from other CloudTrail events in their JSON payload. Aggregated events contain the following fields:

eventVersion

The version of the aggregated event.

Since: 1.0

Optional: False

accountId

The account ID that received this event.

Since: 1.0

Optional: False

eventId

A GUID generated by CloudTrail to uniquely identify each aggregated event. You can use this value to identify a single event. For example, you can use the ID as a primary key to retrieve log data from a searchable database.

Since: 1.0

Optional: False

eventCategory

Identifies the category of the event. For aggregated events, this value is always Aggregated. Use this field for filtering when you query events by category.

Since: 1.0

Optional: False

eventType

Identifies the type of aggregated event. For aggregated events, this value is AwsAggregatedEvent.

Since: 1.0

Optional: False

awsRegion

The AWS Region of the atomic CloudTrail events that were aggregated into this record, such as ap-northeast-1. This is typically the Region where the service API calls were made.

Since: 1.0

Optional: False

eventSource

The AWS service for which the underlying events were recorded.

Since: 1.0

Optional: False

timeWindow

The time interval over which atomic CloudTrail events were aggregated into this aggregated event record. The timeWindow field contains details such as window start time, window end time and window size.

Since: 1.0

Optional: False

windowStart

The start of the aggregation window, inclusive, in Universal Time (UTC), represented in ISO-8601 format.

Since: 1.0

Optional: False

windowEnd

The end of the aggregation window, exclusive, in UTC, represented in ISO-8601 format.

Since: 1.0

Optional: False

windowSize

The duration of the aggregation window. The difference windowEnd − windowStart should correspond to windowSize. The windowSize is represented in ISO-8601 format.

Since: 1.0

Optional: False

summary

An aggregation summary for the underlying atomic events, grouped by a primary dimension (for example, eventName, resourceARN or userIdentity) and optionally broken down by additional dimensions (for example, userAgent, sourceIpAddress, errorCodes).

Since: 1.0

Optional: False

The summary contains the following fields:

primaryDimension

The primary aggregation dimension for this AwsAggregatedEvent. This is the main view of the aggregated data. For instance, in the API_ACTIVITY aggregation template, the primary dimension is eventName; in the RESOURCE_ACCESS template, it is resourceARN; and in the USER_ACTIONS template, it is userIdentity.

Since: 1.0

Optional: False

details

Additional dimensions that provide more detail about aggregated atomic events. Each Detail object may provide an additional view of the same underlying events, such as eventName, resourceARN, userIdentity, userAgent and sourceIpAddress depending on the aggregation template.

Since: 1.0

Optional: False

Each detail provides the following information:

dimension

The name of the dimension used to group the aggregated events. Common values include:

  • eventName

  • resourceARN

  • userIdentity

  • userAgent

  • sourceIpAddress

Since: 1.0

Optional: False

statistics

A list of statistics for this dimension, where each entry represents one bucket (for example, one event name or one resource ARN) and its aggregated value.

Since: 1.0

Optional: False

Each entry in statistics contains the following information:

name

The bucket identifier or key for this statistic within the associated dimension.

value

The aggregated numeric value for the specified name in the given dimension.

aggregationType

The type of aggregation applied to compute statistics.value for this dimension. Allowed values:

  • Count – Number of events.

Since: 1.0

Optional: False

addendum

Carries metadata about delayed delivery or updates to an existing AggregatedEvent.

Since: 1.0

Optional: False

reason

The reason why an AwsAggregatedEvent was delayed, updated, or otherwise supplemented. Common values can include (non-exhaustive):

  • DELIVERY_DELAY – Delivery of aggregated data was delayed (for example, network issues or high volume).

  • UPDATED_DATA – Aggregated data was recomputed or corrected.

  • SERVICE_OUTAGE – Underlying service outage affected event availability.

Since: 1.0

Optional: True

Example aggregated event

The following is an example of a CloudTrail aggregated event (AwsAggregatedEvent). In this example, CloudTrail aggregates PutAuditEvents calls to cloudtrail-data.amazonaws.com over a five-minute time window in the us-east-1 Region. The summary block shows the primary aggregation dimension (eventName) and that 30 PutAuditEvents calls occurred during the time window. The details entries further break down those calls by resourceARN, userIdentity, userAgent, and sourceIpAddress to show how activity is distributed across resources, principals, and clients.

{
  "eventVersion": "1.0",
  "accountId": "111122223333",
  "eventId": "4da798a8-1db6-4d17-8b51-4c33df06b56d",
  "eventCategory": "Aggregated",
  "eventType": "AwsAggregatedEvent",
  "awsRegion": "us-east-1",
  "eventSource": "cloudtrail-data.amazonaws.com",
  "timeWindow": {
    "windowStart": "2025-10-30 23:45:00",
    "windowEnd": "2025-10-30 23:50:00",
    "windowSize": "PT5M"
  },
  "summary": {
    "primaryDimension": {
      "dimension": "eventName",
      "statistics": [
        { "name": "PutAuditEvents", "value": 30 }
      ],
      "aggregationType": "Count"
    },
    "details": [
      {
        "dimension": "resourceARN",
        "statistics": [
          { "name": "arn:aws:cloudtrail:us-east-1:111122223333:channel/1234abcd-12ab-34cd-56ef-1234567890ab", "value": 20 },
          { "name": "arn:aws:cloudtrail:us-east-1:111122223333:channel/6789abcd-12ab-34cd-56ef-6789012345ab", "value": 10 }
        ],
        "aggregationType": "Count"
      },
      {
        "dimension": "userIdentity",
        "statistics": [
          { "name": "AWSAccount:111122223333", "value": 20 },
          { "name": "AWSService:AWS Internal", "value": 10 }
        ],
        "aggregationType": "Count"
      },
      {
        "dimension": "userAgent",
        "statistics": [
          { "name": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0", "value": 20 },
          { "name": "AWS Internal", "value": 10 }
        ],
        "aggregationType": "Count"
      },
      {
        "dimension": "sourceIpAddress",
        "statistics": [
          { "name": "1.2.3.4", "value": 20 },
          { "name": "AWS Internal", "value": 10 }
        ],
        "aggregationType": "Count"
      }
    ]
  }
}
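The following Python sketch is an added example, not part of the AWS documentation or any AWS SDK. It checks an aggregated event for internal consistency before it is used in detection logic, and computes each bucket's share of activity for one detail dimension. The function names are hypothetical. It assumes windowSize is a time-only duration such as PT5M, and that every details entry is a complete breakdown of the same events counted in primaryDimension, as in the example record above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the page's example record trimmed to the fields checked here.
SAMPLE = {
    "eventCategory": "Aggregated", "eventType": "AwsAggregatedEvent",
    "timeWindow": {"windowStart": "2025-10-30 23:45:00",
                   "windowEnd": "2025-10-30 23:50:00", "windowSize": "PT5M"},
    "summary": {
        "primaryDimension": {"dimension": "eventName", "aggregationType": "Count",
                             "statistics": [{"name": "PutAuditEvents", "value": 30}]},
        "details": [{"dimension": "sourceIpAddress", "aggregationType": "Count",
                     "statistics": [{"name": "1.2.3.4", "value": 20},
                                    {"name": "AWS Internal", "value": 10}]}]}}

def parse_window_size(text):
    # Handles time-only ISO-8601 durations such as PT5M (assumption: no date part).
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported windowSize: {text!r}")
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)

def parse_ts(text):
    # Accepts "2025-10-30 23:45:00" (as in the page's example) and the T/Z form.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def check_event(event):
    """Return a list of consistency problems; empty means the record is coherent."""
    if (event.get("eventCategory"), event.get("eventType")) != ("Aggregated", "AwsAggregatedEvent"):
        return ["not an aggregated event"]
    problems = []
    tw = event["timeWindow"]
    span = parse_ts(tw["windowEnd"]) - parse_ts(tw["windowStart"])
    if span != parse_window_size(tw["windowSize"]):
        problems.append(f"window span {span} does not match windowSize {tw['windowSize']}")
    total = sum(s["value"] for s in event["summary"]["primaryDimension"]["statistics"])
    for detail in event["summary"]["details"]:
        # Assumption: each detail is a complete breakdown of the same events.
        got = sum(s["value"] for s in detail["statistics"])
        if got != total:
            problems.append(f"{detail['dimension']} sums to {got}, primary total is {total}")
    return problems

def shares(event, dimension):
    """Fraction of the window's events attributed to each bucket of one detail dimension."""
    stats = next((d["statistics"] for d in event["summary"]["details"]
                  if d["dimension"] == dimension), [])
    total = sum(s["value"] for s in stats)
    return {s["name"]: s["value"] / total for s in stats} if total else {}
```

A record that fails check_event is better routed to review than fed into baselines, since an addendum reason such as UPDATED_DATA means counts for a window can be reissued.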