ablog

Notes from a clumsy, restless engineer

Time lag between an activity and its appearance in CloudTrail logs

CloudTrail typically delivers log files within 15 minutes of account activity. In addition, CloudTrail publishes log files multiple times an hour, about every five minutes. These log files contain API calls from services in the account that support CloudTrail.

How CloudTrail Works - AWS CloudTrail

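The documentation says that CloudTrail delivers logs within 15 minutes of an activity and publishes logs at 5-minute intervals, but when I checked the logs that CloudTrail delivered to S3 with Athena, the lag looked fairly small.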

  • Query
select now() AT TIME ZONE 'Asia/Tokyo' as now_tokyo, now() now_utc, eventtime ,eventsource, eventname
from default.cloudtrail_logs_cloudtrail_123456789012_do_not_delete 
order by eventtime desc limit 10
  • Result
now_tokyo now_utc eventtime eventsource eventname
2018-10-01 00:13:50.110 Asia/Tokyo 2018-09-30 15:13:50.110 UTC 2018-09-30T15:13:41Z s3.amazonaws.com PutObject
2018-10-01 00:13:50.110 Asia/Tokyo 2018-09-30 15:13:50.110 UTC 2018-09-30T15:13:38Z s3.amazonaws.com PutObject
2018-10-01 00:13:50.110 Asia/Tokyo 2018-09-30 15:13:50.110 UTC 2018-09-30T15:13:38Z s3.amazonaws.com PutObject
2018-10-01 00:13:50.110 Asia/Tokyo 2018-09-30 15:13:50.110 UTC 2018-09-30T15:12:58Z s3.amazonaws.com PutObject
2018-10-01 00:13:50.110 Asia/Tokyo 2018-09-30 15:13:50.110 UTC 2018-09-30T15:09:43Z s3.amazonaws.com PutObject
2018-10-01 00:13:50.110 Asia/Tokyo 2018-09-30 15:13:50.110 UTC 2018-09-30T15:09:42Z s3.amazonaws.com PutObject
2018-10-01 00:13:50.110 Asia/Tokyo 2018-09-30 15:13:50.110 UTC 2018-09-30T15:09:31Z s3.amazonaws.com PutObject
2018-10-01 00:13:50.110 Asia/Tokyo 2018-09-30 15:13:50.110 UTC 2018-09-30T15:09:31Z s3.amazonaws.com PutObject
2018-10-01 00:13:50.110 Asia/Tokyo 2018-09-30 15:13:50.110 UTC 2018-09-30T15:09:31Z s3.amazonaws.com PutObject
2018-10-01 00:13:50.110 Asia/Tokyo 2018-09-30 15:13:50.110 UTC 2018-09-30T15:09:25Z s3.amazonaws.com HeadObject
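
The query above compares only the newest eventtime with the current time. The following is an added example (not part of the original post) that measures the lag per record instead, as the difference between each record's eventTime and the delivery time of the log file that contains it. The function names, the sample log and the delivery timestamp are constructed for illustration; in practice the delivery time would be the S3 object's LastModified value.

```python
import gzip
import json
from datetime import datetime, timezone

TYPICAL_MAX_LAG_S = 15 * 60  # "within 15 minutes" from the quoted AWS documentation


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2018-09-30T15:13:41Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def delivery_lags(log_gz, delivered_at):
    """Return (lag_seconds, eventSource, eventName) for every record in one log file."""
    records = json.loads(gzip.decompress(log_gz)).get("Records", [])
    return [
        (int((delivered_at - parse_event_time(r["eventTime"])).total_seconds()),
         r["eventSource"], r["eventName"])
        for r in records
    ]


def summarize(lags):
    """Min/median/max lag plus the records that exceeded the documented typical bound."""
    seconds = sorted(lag for lag, _, _ in lags)
    if not seconds:
        return {"count": 0, "over_typical": []}
    return {
        "count": len(seconds),
        "min_s": seconds[0],
        "median_s": seconds[len(seconds) // 2],
        "max_s": seconds[-1],
        "over_typical": [l for l in lags if l[0] > TYPICAL_MAX_LAG_S],
    }


# Constructed sample: a gzip-compressed CloudTrail log file body with four records.
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2018-09-30T15:09:25Z", "eventSource": "s3.amazonaws.com", "eventName": "HeadObject"},
    {"eventTime": "2018-09-30T15:12:58Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventTime": "2018-09-30T15:13:41Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventTime": "2018-09-30T14:55:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey"},
]}).encode())
# Constructed delivery time, standing in for the log object's S3 LastModified.
SAMPLE_DELIVERED_AT = datetime(2018, 9, 30, 15, 14, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(summarize(delivery_lags(SAMPLE_LOG, SAMPLE_DELIVERED_AT)))
```

The maximum lag, rather than the lag of the newest record, is the figure that bounds how late an alert built on S3-delivered CloudTrail logs can fire.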