
AWS CloudTrail Network Activity Events for VPC Endpoints Reaches General Availability

Author: Ze Research Writer
Amazon Web Services announced general availability of CloudTrail network activity events for VPC endpoints, enabling organizations to log and audit API calls made through private network connections without traversing the public internet.

Amazon Web Services announced on March 30, 2025, that CloudTrail network activity events for VPC endpoints have reached general availability. The feature allows AWS customers to capture detailed logs of API calls made through VPC endpoints, providing visibility into traffic that flows over private connections rather than the public internet.

What Happened

AWS published the general availability announcement on March 30, 2025, through its official blog. The feature had been in preview since late 2024, allowing select customers to test the functionality before the broader release.

According to the AWS blog post, network activity events capture API calls made through VPC endpoints to supported AWS services. The events include details such as the source VPC endpoint, the AWS service being accessed, the principal making the request, and timestamps.

The feature integrates with existing CloudTrail infrastructure, meaning customers can route network activity events to the same destinations they use for management events and data events. Supported destinations include Amazon S3 buckets, CloudWatch Logs, and Amazon EventBridge.

AWS stated that network activity events are available for VPC endpoints connected to services that support the feature. The company published documentation listing supported services and configuration requirements.

Key Claims and Evidence

AWS claims that network activity events provide "comprehensive visibility into API activity through VPC endpoints," according to the official blog announcement. The company stated that customers can use these events to detect unauthorized access attempts, investigate security incidents, and demonstrate compliance with regulatory requirements.

The documentation specifies that network activity events capture the following information: VPC endpoint ID, AWS service name, source IP address within the VPC, IAM principal ARN, request parameters, and response elements. Events are delivered in the standard CloudTrail JSON format.

AWS noted that network activity events are charged separately from management events and data events. The pricing follows the existing CloudTrail event pricing model, with charges based on the number of events recorded.

Pros and Opportunities

Security teams gain visibility into a previously opaque traffic path. Organizations that route sensitive API calls through VPC endpoints to avoid public internet exposure can now audit those calls with the same fidelity as public API calls.

Compliance requirements that mandate comprehensive audit trails become easier to satisfy. Regulations such as PCI DSS, HIPAA, and SOC 2 often require organizations to log and monitor access to sensitive systems. Network activity events fill a gap that previously required workarounds or compensating controls.

Incident response capabilities improve with the additional data source. Security analysts investigating potential breaches can now trace activity through VPC endpoints, which may have been invisible in previous investigations.

The integration with existing CloudTrail infrastructure reduces operational complexity. Organizations do not need to deploy additional logging agents or configure separate data pipelines.

Cons, Risks, and Limitations

Cost implications require careful consideration. Organizations with high volumes of VPC endpoint traffic may see significant increases in CloudTrail costs. AWS recommends using event selectors to filter events and control costs.

Not all AWS services support network activity events at launch. Organizations must verify that the services they use through VPC endpoints are included in the supported services list. Gaps in coverage may leave blind spots in audit trails.

The feature adds to the volume of log data that security teams must process and analyze. Organizations without mature security operations capabilities may struggle to derive value from the additional events without investing in log management and analysis tools.

Network activity events do not capture the actual data payload of API calls. Organizations requiring deep packet inspection or content-level auditing must implement additional controls.

How the Technology Works

VPC endpoints allow AWS customers to privately connect their Virtual Private Cloud to supported AWS services without requiring an internet gateway, NAT device, or VPN connection. Traffic between the VPC and the AWS service does not leave the Amazon network.

CloudTrail network activity events extend the existing CloudTrail logging framework to capture API calls made through these private connections. When an application in a VPC makes an API call through a VPC endpoint, CloudTrail generates an event record containing metadata about the request.

The event record includes the VPC endpoint identifier, allowing security teams to correlate activity with specific network configurations. The source IP address field contains the private IP address within the VPC, enabling identification of the originating resource.

Technical context: Network activity events use the same delivery mechanisms as other CloudTrail event types. Events can be delivered to S3 buckets with optional server-side encryption, streamed to CloudWatch Logs for real-time analysis, or routed to EventBridge for automated response workflows. Organizations can configure event selectors to capture events only for specific VPC endpoints or AWS services, reducing noise and controlling costs.
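To make the record fields listed under "Key Claims and Evidence" and the delivery model described above concrete, here is an added example (not code from AWS or from this article) that parses a constructed CloudTrail delivery file and runs a small triage over the network activity events in it: it flags calls through endpoints that are not in the inventory, source IPs outside the VPC CIDR, principals from a foreign account, and denied calls. Field names follow the standard CloudTrail record layout; the `eventCategory` value, the `vpcEndpointId` key, the error code and every sample value are assumptions made for this example.

```python
import json
from ipaddress import ip_address, ip_network
# Constructed sample in the {"Records": [...]} layout CloudTrail delivers to S3.
# Field names follow the standard CloudTrail record format; the eventCategory
# value and the vpcEndpointId key are assumptions made for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventCategory": "NetworkActivity", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "vpcEndpointId": "vpce-0a1b2c3d", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "requestParameters": {"bucketName": "payments-data"}, "responseElements": None},
    {"eventID": "e2", "eventCategory": "NetworkActivity", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "vpcEndpointId": "vpce-0a1b2c3d", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"arn": "arn:aws:iam::999999999999:user/contractor"},
     "requestParameters": {"bucketName": "payments-data"}, "errorCode": "VpceAccessDenied"},
    {"eventID": "e3", "eventCategory": "NetworkActivity", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "vpcEndpointId": "vpce-0deadbee", "sourceIPAddress": "172.16.5.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}, "requestParameters": {}},
    {"eventID": "e4", "eventCategory": "Management", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
]})
# Network baseline for one workload VPC (constructed values).
POLICY = {"vpc_cidr": ip_network("10.0.0.0/16"), "home_account": "111122223333",
          "known_endpoints": {"vpce-0a1b2c3d", "vpce-0e5f6a7b"}}

def triage_event(event, policy):
    """Return findings for one network activity event; [] if clean or out of scope."""
    if event.get("eventCategory") != "NetworkActivity":
        return []                                  # management/data events are skipped
    findings = []
    vpce = event.get("vpcEndpointId")
    if vpce not in policy["known_endpoints"]:      # call came through an endpoint we don't own
        findings.append(f"unknown endpoint {vpce}")
    src = event.get("sourceIPAddress", "")
    try:
        if ip_address(src) not in policy["vpc_cidr"]:   # private IP should sit inside the VPC
            findings.append(f"source {src} outside VPC CIDR")
    except ValueError:
        findings.append(f"unparseable source {src!r}")
    arn = event.get("userIdentity", {}).get("arn", "")
    acct = arn.split(":")[4] if arn.count(":") >= 5 else ""   # account ID is the 5th ARN field
    if acct != policy["home_account"]:
        findings.append(f"foreign principal account {acct or 'unknown'}")
    if event.get("errorCode"):                     # denied calls are worth a look on their own
        findings.append(f"denied {event.get('eventName')}: {event['errorCode']}")
    return findings

def triage_log(raw_json, policy):
    """Parse a delivery file and map eventID -> findings for every flagged record."""
    return {r["eventID"]: f for r in json.loads(raw_json)["Records"] if (f := triage_event(r, policy))}
```

Running `triage_log(SAMPLE_LOG, POLICY)` leaves the clean call (e1) and the management event (e4) out and reports only e2 and e3, which is the kind of pre-filter a SIEM rule would apply before the events are stored.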

Broader Industry Implications

The feature reflects growing enterprise demand for comprehensive cloud audit capabilities. As organizations migrate sensitive workloads to cloud environments, regulatory and security requirements drive the need for detailed logging of all access paths.

Private connectivity options like VPC endpoints have become standard practice for security-conscious organizations. The ability to audit traffic through these connections removes a barrier to adoption for organizations with strict compliance requirements.

Cloud providers face increasing pressure to provide native security and compliance capabilities. Features like network activity events reduce the need for third-party security tools, potentially affecting the cloud security market.

The announcement may influence how organizations architect their AWS environments. With comprehensive logging available for VPC endpoint traffic, security teams may advocate for broader use of private connectivity.

What's Confirmed vs. What Remains Unclear

Confirmed:

  • Network activity events for VPC endpoints are generally available as of March 30, 2025
  • Events capture VPC endpoint ID, service name, source IP, principal ARN, and request details
  • Events integrate with existing CloudTrail delivery destinations
  • Pricing follows the standard CloudTrail event model
  • The feature is available in all commercial AWS regions

Unclear:

  • Complete list of supported AWS services at launch
  • Specific pricing tiers and volume discounts
  • Timeline for expanding support to additional services
  • Performance impact on high-volume VPC endpoint traffic

What to Watch Next

AWS typically expands feature support to additional services following general availability announcements. The list of supported services for network activity events will likely grow in subsequent releases.

Customer adoption patterns will indicate whether the feature addresses real security and compliance needs. AWS may share case studies or usage statistics at future events like re:Invent.

Third-party security tools will likely integrate network activity events into their analysis capabilities. Security information and event management (SIEM) vendors may release updated connectors or parsing rules.

Pricing feedback from customers may influence AWS's approach to CloudTrail costs. High-volume customers may advocate for tiered pricing or bundled options.

Sources

  1. AWS Blog, "AWS CloudTrail network activity events for VPC endpoints now generally available," March 30, 2025 - https://aws.amazon.com/blogs/aws/aws-cloudtrail-network-activity-events-for-vpc-endpoints-now-generally-available/

  2. AWS CloudTrail Documentation, "Logging network events with CloudTrail," March 2025 - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html

  3. AWS What's New, "AWS CloudTrail network activity events for VPC endpoints now generally available," March 30, 2025 - https://aws.amazon.com/about-aws/whats-new/2025/03/aws-cloudtrail-network-activity-events-vpc-endpoints/
