For Agents
Configure AWS CloudTrail trails, run CloudTrail Lake queries against event data stores, and look up recent management events across an AWS account. Backed by 44 endpoints covering trails, channels, queries, and event lookup.
Get started with AWS CloudTrail in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"look up CloudTrail events for a user"
# → Jentic returns the GET /events tool with parameter schema, agent executes.

What an agent can do with AWS CloudTrail API.
Create, describe, update, and delete CloudTrail trails for management and data events
Create CloudTrail Lake event data stores and run SQL-style queries against captured events
Look up the last 90 days of management events by attribute through LookupEvents
Configure event selectors and insight selectors for fine-grained event capture
Use for: "I need to create a CloudTrail trail that logs S3 data events"; "Run a CloudTrail Lake query to find all root account logins last week"; "Look up the last 50 management events for a specific IAM user"; "Start logging on an existing CloudTrail trail".
Not supported: Does not handle real-time threat detection, log forwarding to non-AWS destinations, or in-account log retention beyond CloudTrail Lake — use for trail configuration, event lookup, and CloudTrail Lake queries only.
Jentic publishes the only available OpenAPI specification for AWS CloudTrail, keeping it validated and agent-ready. AWS CloudTrail records management and data events across an AWS account, delivers them to S3 or an event data store, and lets you query the log with CloudTrail Lake. The API covers trails, channels, event data stores, query execution, and resource policies, so an agent can configure logging, run SQL-like queries, and pull recent events without touching the console.
Manage CloudTrail channels for ingesting events from external sources
Attach and remove resource policies on CloudTrail resources for cross-account access
Tag CloudTrail trails, event data stores, and channels for inventory and cost allocation
Patterns agents use AWS CloudTrail API for, with concrete tasks.
★ Security Investigation with CloudTrail Lake
Security engineers use CloudTrail Lake to run SQL queries over months of event history without exporting logs to a separate SIEM. The API lets an agent create an event data store, start a query with StartQuery, poll DescribeQuery for completion, and pull rows with GetQueryResults. Common investigation queries include 'all ConsoleLogin events from a country' or 'every IAM policy change touching a role'.
Create a CloudTrail Lake query that returns all ConsoleLogin failures in the past 7 days, then fetch the results
Compliance Logging Setup
Auditors expect every AWS account to have a multi-region CloudTrail trail covering management events. CreateTrail provisions the trail with an S3 bucket destination, PutEventSelectors enables data event capture for S3 and Lambda, and StartLogging activates delivery. DescribeTrails confirms configuration so agents can verify accounts against a baseline before a SOC 2 or ISO 27001 audit.
Create a multi-region trail named org-audit, attach S3 data event selectors for every bucket, and start logging
Recent Event Lookup for Incident Response
When responding to an alert, an agent uses LookupEvents to retrieve the last 90 days of management events filtered by attribute (Username, EventName, ResourceName). This is faster than spinning up CloudTrail Lake when the question is 'what did this principal do recently?'. Results include the full event JSON for direct triage.
Look up the last 100 events where Username equals attacker-role over the past 24 hours and return the EventName values
AI Agent Integration via Jentic
Through Jentic, an AI agent calls CloudTrail by searching for an intent like 'look up CloudTrail events for a user', loading the LookupEvents schema, and executing it with a LookupAttributes filter. Jentic signs the SigV4 request server-side using IAM credentials in the MAXsystem vault.
Search Jentic for 'look up CloudTrail events for a user', load the LookupEvents schema, and execute it for Username=ci-deploy with MaxResults=50
44 endpoints
| METHOD | PATH | DESCRIPTION |
| --- | --- | --- |
|  | /#X-Amz-Target=com.amazonaws.cloudtrail.v20131101.CloudTrail_20131101.CreateTrail | Create a CloudTrail trail |
|  | /#X-Amz-Target=com.amazonaws.cloudtrail.v20131101.CloudTrail_20131101.DescribeTrails | Describe one or more trails |
|  | /#X-Amz-Target=com.amazonaws.cloudtrail.v20131101.CloudTrail_20131101.CreateEventDataStore | Create a CloudTrail Lake event data store |
|  | /#X-Amz-Target=com.amazonaws.cloudtrail.v20131101.CloudTrail_20131101.GetQueryResults | Fetch results of a CloudTrail Lake query |
|  | /#X-Amz-Target=com.amazonaws.cloudtrail.v20131101.CloudTrail_20131101.DescribeQuery | Describe the status of a query |
|  | /#X-Amz-Target=com.amazonaws.cloudtrail.v20131101.CloudTrail_20131101.GetEventSelectors | Get current event selectors for a trail |
|  | /#X-Amz-Target=com.amazonaws.cloudtrail.v20131101.CloudTrail_20131101.GetTrail | Get details of a specific trail |
Three things that make agents converge on Jentic-routed access.
Credential isolation
AWS access key ID, secret key, and optional session token are stored encrypted in the Jentic MAXsystem vault. Agents call CloudTrail via Jentic, which computes the SigV4 signature server-side — raw AWS credentials never reach the agent context.
Intent-based discovery
Agents search by intent (e.g. 'look up CloudTrail events for a user' or 'run a CloudTrail Lake query') and Jentic returns the matching CloudTrail operation with its input schema, so the agent calls LookupEvents or StartQuery directly without browsing AWS docs.
Time to first call
Direct AWS SDK integration: 1-2 days for SigV4, IAM permissions, query polling, and pagination. Through Jentic: under 1 hour — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
Amazon GuardDuty
GuardDuty consumes CloudTrail events as a primary data source for threat detection findings
Use GuardDuty when the agent needs detection findings rather than raw audit events.
AWS Security Hub
Security Hub aggregates findings across AWS security services, including CloudTrail-based detections
Choose Security Hub when the agent needs cross-service compliance posture rather than raw event data.
AWS CloudHSM V2
CloudHSM provides FIPS 140-2 Level 3 key custody whose access can be audited via CloudTrail
Pair CloudHSM with CloudTrail when audit evidence of HSM cluster operations is required.
Specific to using AWS CloudTrail API through Jentic.
Why is there no official OpenAPI spec for AWS CloudTrail?
AWS does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call AWS CloudTrail via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the AWS CloudTrail API use?
CloudTrail uses AWS Signature Version 4 (HMAC) signed requests with an IAM access key ID and secret. Through Jentic, those credentials live encrypted in the MAXsystem vault and the SigV4 signature is computed server-side, so the agent context never holds the raw secret.
Can I run CloudTrail Lake SQL queries with this API?
Yes. Call StartQuery with the SQL string and the EventDataStore ARN, poll DescribeQuery until the QueryStatus is FINISHED, then call GetQueryResults to page through rows. Queries support standard SELECT, WHERE, GROUP BY, and aggregate functions.
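The query flow above, written against a boto3-style CloudTrail client as an added example (not Jentic's or AWS's own code). It assumes boto3 for the live run; the function names, the placeholder event data store ID and the ConsoleLogin-failure SQL are illustrative, and the event data store ID is referenced in the FROM clause of the statement.

```python
import time
import uuid
from datetime import datetime, timedelta, timezone


def console_login_failures_sql(eds_id, days=7, now=None):
    """Build the Lake query; the event data store ID goes in the FROM clause."""
    if str(uuid.UUID(eds_id)) != eds_id.lower():  # only a bare UUID is interpolated
        raise ValueError("event data store ID must be a bare UUID")
    since = (now or datetime.now(timezone.utc)) - timedelta(days=days)
    return (
        "SELECT eventTime, userIdentity.userName, sourceIPAddress "
        f"FROM {eds_id} WHERE eventName = 'ConsoleLogin' "
        "AND element_at(responseElements, 'ConsoleLogin') = 'Failure' "
        f"AND eventTime > '{since:%Y-%m-%d %H:%M:%S}'"
    )


def run_lake_query(client, statement, poll=2, timeout=300, sleep=time.sleep):
    """StartQuery, poll DescribeQuery, then page through GetQueryResults."""
    query_id = client.start_query(QueryStatement=statement)["QueryId"]
    waited = 0
    while True:
        desc = client.describe_query(QueryId=query_id)
        status = desc["QueryStatus"]
        if status == "FINISHED":
            break
        if status in ("FAILED", "CANCELLED", "TIMED_OUT"):
            raise RuntimeError(f"{query_id} {status}: {desc.get('ErrorMessage', '')}")
        if waited >= timeout:
            client.cancel_query(QueryId=query_id)  # do not leave the scan running
            raise TimeoutError(f"{query_id} still {status} after {waited}s")
        sleep(poll)
        waited += poll
    rows, kwargs = [], {"QueryId": query_id}
    while True:
        page = client.get_query_results(**kwargs)
        for row in page.get("QueryResultRows", []):
            # each row is a list of one-key {column: value} maps; merge them
            rows.append({k: v for cell in row for k, v in cell.items()})
        if not page.get("NextToken"):
            return rows
        kwargs["NextToken"] = page["NextToken"]


if __name__ == "__main__":
    import boto3  # assumption: boto3 installed, credentials and region configured
    sql = console_login_failures_sql("00000000-0000-0000-0000-000000000000")  # placeholder ID
    print(run_lake_query(boto3.client("cloudtrail"), sql))
```

A query that ends FAILED, CANCELLED or TIMED_OUT raises instead of returning an empty list, so an investigation never mistakes a failed query for "no matching events".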
What are the rate limits for the AWS CloudTrail API?
AWS applies per-account, per-region throttling on CloudTrail control-plane calls; LookupEvents is limited to a small number of TPS per account and returns ThrottlingException when exceeded. Use exponential backoff — the AWS SDKs Jentic wraps implement this automatically.
How do I look up the last 90 days of events for a user with this API?
Call LookupEvents with a LookupAttributes entry of AttributeKey=Username and AttributeValue=<iam-user>. The response returns up to 50 events per page, including the full CloudTrailEvent JSON. Use NextToken to paginate.
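An added example (not Jentic's or AWS's own code) of the lookup described above together with the throttling advice from the previous answer: it pages through LookupEvents with NextToken, backs off on ThrottlingException, and parses each CloudTrailEvent JSON string for triage. The function names and the `ci-deploy` user in the live run are illustrative, and boto3 is assumed only for that live run.

```python
import json
import time
from collections import Counter
from datetime import datetime, timedelta, timezone


def _throttled(exc):
    # botocore's ClientError carries the service error code in exc.response
    code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
    return code == "ThrottlingException"


def lookup_user_events(client, username, hours=24, limit=100, max_retries=5, sleep=time.sleep):
    """Return up to `limit` parsed CloudTrailEvent records for one Username."""
    end = datetime.now(timezone.utc)
    kwargs = {
        "LookupAttributes": [{"AttributeKey": "Username", "AttributeValue": username}],
        "StartTime": end - timedelta(hours=hours),
        "EndTime": end,
        "MaxResults": 50,  # page size; larger result sets need NextToken
    }
    records = []
    while len(records) < limit:
        for attempt in range(max_retries):
            try:
                page = client.lookup_events(**kwargs)
                break
            except Exception as exc:
                if not _throttled(exc) or attempt == max_retries - 1:
                    raise
                sleep(2 ** attempt)  # exponential backoff: 1s, 2s, 4s, ...
        for event in page.get("Events", []):
            # CloudTrailEvent is a JSON string holding the full record
            records.append(json.loads(event["CloudTrailEvent"]))
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]
    return records[:limit]


def event_name_counts(records):
    """Summarise what the principal did: eventName -> number of calls."""
    return Counter(r.get("eventName", "?") for r in records)


if __name__ == "__main__":
    import boto3  # assumption: boto3 installed, credentials and region configured
    recs = lookup_user_events(boto3.client("cloudtrail"), "ci-deploy")
    print(event_name_counts(recs).most_common())
```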
How do I run a CloudTrail query through Jentic with an AI agent?
Run pip install jentic, then have the agent search for 'run a CloudTrail Lake query', load the StartQuery schema, and execute it with the SQL string. Follow with DescribeQuery and GetQueryResults to retrieve rows once QueryStatus is FINISHED.