1. Tracking API Calls for AI Services via AWS CloudTrail


    AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

    When it comes to tracking API calls for AI services, CloudTrail provides a history of AWS API calls for your account, including API calls made by AI services. The API calls can be made by users, roles, or by AWS services.

    To track these API calls, you need to create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The following Pulumi program will create a CloudTrail setup tracking API calls for all AI services in your AWS account and will store the logs in an Amazon S3 bucket for later retrieval and analysis.

    Below is a Pulumi program written in Python that will create a CloudTrail trail for you:

    import pulumi import pulumi_aws as aws # Create an S3 bucket to store the CloudTrail logs. # Encrypt the contents of the bucket using AWS-managed Server-Side Encryption (SSE-S3). s3_bucket = aws.s3.Bucket("cloudtrail-logs", server_side_encryption_configuration={ "rule": { "apply_server_side_encryption_by_default": { "sse_algorithm": "AES256" } } }) # Create an IAM role for the CloudTrail service to assume. trail_role = aws.iam.Role("cloudtrail-role", assume_role_policy=aws.iam.get_policy_document(statements=[ aws.iam.GetPolicyDocumentStatementArgs( actions=["sts:AssumeRole"], principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs( type="Service", identifiers=["cloudtrail.amazonaws.com"] )] ) ]).json) # Attach a policy to the IAM role that allows writing logs to the bucket. policy = aws.iam.RolePolicy("cloudtrail-bucket-access", role=trail_role.id, policy=s3_bucket.arn.apply(lambda arn: { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{arn}/AWSLogs/*" }] })) # Create a CloudTrail trail. trail = aws.cloudtrail.Trail("cloudtrail", s3_bucket_name=s3_bucket.id, enable_logging=True, is_multi_region_trail=True, include_global_service_events=True, s3_key_prefix="cloudtrail", # Specify the role created above for CloudTrail. cloud_watch_logs_role_arn=trail_role.arn, cloud_watch_logs_group_arn=aws.cloudwatch.LogGroup("cloudtrail-logs-group", retention_in_days=7).arn, tags={"Name": "default-trail"}) # Export the bucket name and trail ARN. pulumi.export("bucket_name", s3_bucket.id) pulumi.export("trail_arn", trail.arn)

    This Pulumi program does the following:

    1. It creates an Amazon S3 bucket to store CloudTrail log files.
    2. It creates an IAM role that CloudTrail can assume to operate.
    3. It attaches a policy to the IAM role to allow writing logs to the bucket.
    4. It creates a CloudTrail trail configured to capture every API call in all regions and to track events from global services such as IAM. CloudTrail logs are directed to the S3 bucket we created.
    5. It creates a CloudWatch Logs group with a retention period of 7 days, where you can continuously monitor and retain events.
    6. It exports the S3 bucket name and CloudTrail ARN for reference or use in other Pulumi stacks.

    Keep in mind that you would need proper permissions set up in your AWS account and have Pulumi configured to interact with your AWS account. This program assumes you've already set up the Pulumi environment and AWS credentials. Once you run pulumi up, this will create the resources in your AWS account.