

# Receiving read-only management events from AWS services
<a name="eb-service-event-cloudtrail-management"></a>

You can set up rules on your default or custom event bus to receive read-only *management events* from AWS services via CloudTrail. Management events provide visibility into management operations that are performed on resources in your AWS account. These are also known as control plane operations. For more information, see [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html#logging-management-events) in the *CloudTrail User Guide*.

For each rule on the default or custom event buses, you can set the rule state to control the types of events to receive:
+ Disable the rule so that EventBridge does not match events against the rule.
+ Enable the rule so that EventBridge matches events against the rule, except for read-only AWS management events delivered through CloudTrail.
+ Enable the rule so that EventBridge matches all events against the rule, *including* read-only management events delivered through CloudTrail.

Partner event buses do not receive AWS events.

Some things to consider when deciding whether to receive read-only management events:
+ Certain read-only management events, such as AWS Key Management Service `GetKeyPolicy` and `DescribeKey`, or IAM `GetPolicy` and `GetRole` events, occur at a much higher volume than typical change events. 
+ You may already be receiving read-only management events even if those events don't start with `Describe`, `Get`, or `List`. One such example is `TestEventPattern` from EventBridge.

  For a list of read-only management events that do not adhere to the `Describe`, `Get`, or `List` naming convention, by AWS services, see [Management events generated by AWS services in EventBridge](eb-service-management-event-list.md).

**To create a rule that receives read-only management events using the AWS CLI**
+ Use the `put-rule` command to create or update the rule, using parameters to:
  + Specify that the rule belongs on the default event bus, or a specific custom event bus
  + Set rule state as `ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS`

  `aws events put-rule --name "ruleForManagementEvents" --event-bus-name "default" --state "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"`

**Note**  
Enabling a rule for CloudTrail management events is supported through the AWS CLI and CloudFormation templates only. 

**Example**  
The following example illustrates how to match against specific events. Best practice is to define a dedicated rule for matching specific events, for clarity and ease of editing.   
In this case, the dedicated rule matches the `AssumeRole` management event from AWS Security Token Service.   

```json
{
    "source": ["aws.sts"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventName": ["AssumeRole"]
    }
}
```
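The following added example (illustration code, not part of this guide or of EventBridge itself) models how the three rule states described above gate delivery, using the `AssumeRole` pattern from this example and a catch-all pattern for comparison. It assumes a simplified exact-value subset of EventBridge pattern matching and uses the `readOnly` flag that CloudTrail records carry as a stand-in for EventBridge's own classification of read-only management events; the sample events are constructed.

```python
"""Simplified model of EventBridge rule states and CloudTrail read-only events.
Added illustration; not the EventBridge implementation."""

# Rule states as accepted by `aws events put-rule --state`.
DISABLED = "DISABLED"
ENABLED = "ENABLED"
ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS = "ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS"

# The dedicated pattern from the guide: AssumeRole calls reported by CloudTrail.
ASSUME_ROLE_PATTERN = {
    "source": ["aws.sts"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": ["AssumeRole"]},
}

# A catch-all for every CloudTrail API call, used to show the volume difference.
ALL_API_CALLS_PATTERN = {"detail-type": ["AWS API Call via CloudTrail"]}


def matches(pattern, event):
    """Exact-value subset of EventBridge pattern matching (assumption: no
    prefix/anything-but/numeric matchers). A pattern value is either a list of
    allowed literals or a nested object applied recursively; every pattern key
    must be present in the event."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(wanted, dict):
            if not isinstance(actual, dict) or not matches(wanted, actual):
                return False
        elif actual not in wanted:
            return False
    return True


def is_read_only_management_event(event):
    """CloudTrail records carry a readOnly flag; this model treats it as the
    stand-in for EventBridge's read-only classification (assumption)."""
    return (event.get("detail-type") == "AWS API Call via CloudTrail"
            and bool(event.get("detail", {}).get("readOnly", False)))


def rule_delivers(state, pattern, event):
    """Would a rule in `state` with `pattern` send `event` to its targets?"""
    if state == DISABLED:
        return False
    if state == ENABLED and is_read_only_management_event(event):
        return False  # read-only management events are skipped unless opted in
    return matches(pattern, event)


def cloudtrail_event(source, event_name, read_only):
    """Constructed sample event in the shape EventBridge delivers for CloudTrail."""
    return {
        "source": source,
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": f"{source[4:]}.amazonaws.com",
            "eventName": event_name,
            "readOnly": read_only,
        },
    }


# Constructed sample traffic: one role assumption among several read-only calls.
SAMPLE_EVENTS = (
    [cloudtrail_event("aws.sts", "AssumeRole", False)]
    + [cloudtrail_event("aws.kms", "DescribeKey", True)] * 3
    + [cloudtrail_event("aws.iam", "GetRole", True)] * 2
    + [cloudtrail_event("aws.sts", "GetCallerIdentity", True)]
)


def deliveries(state, pattern, events):
    """Count how many of `events` a rule would deliver in the given state."""
    return sum(1 for e in events if rule_delivers(state, pattern, e))


if __name__ == "__main__":
    for state in (DISABLED, ENABLED, ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS):
        print(f"{state:48s} dedicated={deliveries(state, ASSUME_ROLE_PATTERN, SAMPLE_EVENTS)} "
              f"catch-all={deliveries(state, ALL_API_CALLS_PATTERN, SAMPLE_EVENTS)}")
```

The dedicated `AssumeRole` rule delivers the same single event whether or not read-only events are enabled, while the catch-all rule jumps from one delivery to all seven once the state is `ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS`, which is the volume concern noted above. When creating (rather than updating) the rule with `put-rule`, pass the dedicated pattern as a JSON string with `--event-pattern` alongside the `--state` shown in the procedure.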