Hi all,
I’m running into a tracking issue using CloudTrail to monitor Amazon QuickSight usage. Specifically, when querying CloudTrail event history (via Athena) where eventSource = 'quicksight.amazonaws.com', I’m seeing numerous QueryDatabase events attributed to specific users - but no corresponding GetDashboard events for those same users, even though they report having accessed dashboards during that time.
This creates confusion on our end, as we expected a GetDashboard event to appear any time a user views a dashboard in the QuickSight console or via a shared folder.
To my knowledge:
QueryDatabase suggests that visuals were rendered and queried against the underlying datasetGetDashboard is supposed to log when a dashboard definition is fetched
However, the GetDashboard events are missing entirely for many sessions. The users are internal registered QuickSight users (not embedded or anonymous), and dashboards are shared through standard QuickSight folders.
I’ve reviewed the official QuickSight + CloudTrail documentation but there’s no mention of this discrepancy.
My questions:
- Under what conditions should a
GetDashboard event appear in CloudTrail?
- Is it expected behavior that
QueryDatabase events can occur without GetDashboard?
- Could caching, session reuse, or the type of access (e.g., shared folders) suppress
GetDashboard logging?
- Is there any deeper documentation that clarifies when dashboard views do and don’t trigger CloudTrail events?
Any insight from the community or AWS team would be appreciated. Our goal is to build an audit trail of dashboard usage, and right now this inconsistency is making that difficult.
Thanks in advance!
David
Hello @Dave_LeBlanc
I’m curious if these are SPICE dataset refreshes and the users that they are attributed to are the owners of the datasets.
Do the logs for the QueryDatabase look relatively consistent or more random?
Hi Duncan - these are exclusively DirectQuery datasets.
The users have no permissions to modify or refresh the underlying datasets anyways.
The QueryDatabase logs are exactly how I would expect them to be if a user accessed a Dashboard using a DirectQuery dataset (kicking off the query) - but no corresponding GetDashboard event.
1 Like
Hey @Dave_LeBlanc
Got it, thank you for clarifying!
I’m curious if maybe the users are just returning to sessions. For example, they left the dashboards open in their browser and then later on came back, refreshed the page and continued using the dashboard. In that case maybe there is only a QueryDatabase log and not GetDashboard.
@Dave_LeBlanc
If the dashboards have filters, refreshing them can trigger a QueryDatabase as well , here is an example
"eventTime": "2025-06-10T08:10:17Z",
"eventSource": "quicksight.amazonaws.com",
"eventName": "QueryDatabase",
"awsRegion": "eu-central-1",
"requestParameters": null,
"responseElements": null,
"eventID": "a1e808c6-a30d-4260-9a6a-b1c68e77227b",
"readOnly": true,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "XXX",
"serviceEventDetails": {
"eventRequestDetails": {
"dataSourceId": "arn:aws:quicksight:eu-central-1:XXXX:datasource/a6daac79-a4ca-401f-b740-27db623756b8",
"databaseType": "ATHENA",
"queryId": "b43443da-a26f-40ec-b1db-1a33216b3389",
"dataSetId": "arn:aws:quicksight:eu-central-1:XXXX:dataset/a1895289-e114-49f1-9e57-3fcd1a3c9df6",
"dataSetMode": "Query"
}
},
Now the queryId is part of the select Query in Athena . A difference to note is that this just contains the Query ID
Whereas for a dashboard itself, the sql Query has additional details
entityid here is 53888cf6-5337-4139-ace7-d36360b7aa62 which is the actual dashboard id
1 Like
Hi Koushik - and thanks for clarifying the QueryDatabase behavior. I’m still left wondering about pure SPICE dashboards:
- Do SPICE-backed dashboards ever generate a GetDashboard or GetAnalysis (even if no DirectQuery is involved)?
- If not, is there any CloudTrail event we can rely on to know that a user actually opened/viewed a SPICE dashboard?
- Does AWS maintain an official mapping of QuickSight API calls → CloudTrail events (and conditions) so we can be sure we’re not missing anything?
From an enterprise compliance standpoint, not being able to track SPICE loads is a potential audit gap - any guidance on workarounds or plans to surface those events would be hugely appreciated.
@Dave_LeBlanc ,
The following are tracked : Tracking non-API events by using CloudTrail logs - Amazon QuickSight .
- Do SPICE-backed dashboards ever generate a GetDashboard or GetAnalysis (even if no DirectQuery is involved)?
Yes, the event is generated.
You can validate this in a few minutes : Open a dashboard which is linked to a SPICE dataset, check Cloudtrail and there will be a GetDashboard event, similar for a GetAnalysis event.
1 Like