cloudtrail

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

class pulumi_aws.cloudtrail.AwaitableGetServiceAccountResult(arn=None, region=None, id=None)
class pulumi_aws.cloudtrail.GetServiceAccountResult(arn=None, region=None, id=None)

A collection of values returned by getServiceAccount.

arn = None

The ARN of the AWS CloudTrail service account in the selected region.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_aws.cloudtrail.Trail(resource_name, opts=None, cloud_watch_logs_group_arn=None, cloud_watch_logs_role_arn=None, enable_log_file_validation=None, enable_logging=None, event_selectors=None, include_global_service_events=None, is_multi_region_trail=None, is_organization_trail=None, kms_key_id=None, name=None, s3_bucket_name=None, s3_key_prefix=None, sns_topic_name=None, tags=None, __props__=None, __name__=None, __opts__=None)

Provides a CloudTrail resource.

NOTE: For a multi-region trail, this resource must be in the home region of the trail.

NOTE: For an organization trail, this resource must be in the master account of the organization.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • cloud_watch_logs_group_arn (pulumi.Input[str]) – Specifies the Amazon Resource Name (ARN) of the CloudWatch Logs log group to which CloudTrail logs will be delivered.

  • cloud_watch_logs_role_arn (pulumi.Input[str]) – Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

  • enable_log_file_validation (pulumi.Input[bool]) – Specifies whether log file integrity validation is enabled. Defaults to false.

  • enable_logging (pulumi.Input[bool]) – Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

  • event_selectors (pulumi.Input[list]) – Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.

  • include_global_service_events (pulumi.Input[bool]) – Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

  • is_multi_region_trail (pulumi.Input[bool]) – Specifies whether the trail is created in the current region or in all regions. Defaults to false.

  • is_organization_trail (pulumi.Input[bool]) – Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

  • kms_key_id (pulumi.Input[str]) – Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.

  • name (pulumi.Input[str]) – Specifies the name of the trail.

  • s3_bucket_name (pulumi.Input[str]) – Specifies the name of the S3 bucket designated for publishing log files.

  • s3_key_prefix (pulumi.Input[str]) – Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.

  • sns_topic_name (pulumi.Input[str]) – Specifies the name of the Amazon SNS topic defined for notification of log file delivery.

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the trail.

The event_selectors object supports the following:

  • dataResources (pulumi.Input[list]) - Specifies logging data events. Fields documented below.

    • type (pulumi.Input[str]) - The resource type for which you want to log data events. You can specify only the following values: “AWS::S3::Object”, “AWS::Lambda::Function”

    • values (pulumi.Input[list]) - A list of ARNs for the specified S3 buckets and object prefixes.

  • includeManagementEvents (pulumi.Input[bool]) - Specify if you want your event selector to include management events for your trail.

  • readWriteType (pulumi.Input[str]) - Specify whether you want your trail to log read-only events, write-only events, or all events. You can specify only the following values: “ReadOnly”, “WriteOnly”, “All”. Defaults to All.
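The constructor arguments above carry several defaults that matter for audit coverage (log file validation off, single region, no KMS key) and two fields with a fixed set of legal values. The following is an added example, not code from the pulumi-aws project: a pure-Python pre-deployment check that takes the keyword arguments you intend to pass to Trail(...) (as a dict with the documented event_selectors keys) and reports anything that falls outside the documented value sets or weakens the logging posture. The sample argument sets, the KMS key ARN and the bucket names are constructed; the check assumes that an absent includeManagementEvents means management events are included, which is the CloudTrail API default.

```python
"""Pre-deployment audit of a pulumi_aws.cloudtrail.Trail argument set.

Added example, not pulumi-aws code. It never calls Pulumi or AWS; it only
inspects the dict of keyword arguments you would hand to Trail(...).
"""

# Value sets documented for event_selectors on this page.
ALLOWED_READ_WRITE_TYPES = {"ReadOnly", "WriteOnly", "All"}
ALLOWED_DATA_RESOURCE_TYPES = {"AWS::S3::Object", "AWS::Lambda::Function"}


def audit_trail_args(args):
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []

    # Absent keys take the documented defaults.
    if not args.get("enable_logging", True):
        findings.append("enable_logging is false: the trail is paused and records nothing")
    if not args.get("enable_log_file_validation", False):
        findings.append("enable_log_file_validation is false: log files carry no integrity digest")
    if not args.get("kms_key_id"):
        findings.append("kms_key_id is unset: log files are not encrypted with a KMS key")
    if not args.get("is_multi_region_trail", False):
        findings.append("is_multi_region_trail is false: activity in other regions is not recorded")
    if not args.get("include_global_service_events", True):
        findings.append("include_global_service_events is false: IAM and other global events are dropped")
    if not args.get("s3_bucket_name"):
        findings.append("s3_bucket_name is unset: there is no bucket to deliver logs to")

    for i, selector in enumerate(args.get("event_selectors") or []):
        rw = selector.get("readWriteType", "All")
        if rw not in ALLOWED_READ_WRITE_TYPES:
            findings.append(f"event_selectors[{i}].readWriteType {rw!r} is not one of "
                            f"{sorted(ALLOWED_READ_WRITE_TYPES)}")
        elif rw != "All":
            findings.append(f"event_selectors[{i}].readWriteType is {rw}: only part of the "
                            "API activity is logged")
        # Assumption: the CloudTrail API includes management events when unset.
        if not selector.get("includeManagementEvents", True):
            findings.append(f"event_selectors[{i}] excludes management events")
        for j, resource in enumerate(selector.get("dataResources") or []):
            rtype = resource.get("type")
            if rtype not in ALLOWED_DATA_RESOURCE_TYPES:
                findings.append(f"event_selectors[{i}].dataResources[{j}].type {rtype!r} is "
                                f"not one of {sorted(ALLOWED_DATA_RESOURCE_TYPES)}")
            if not resource.get("values"):
                findings.append(f"event_selectors[{i}].dataResources[{j}] lists no ARNs")
    return findings


# Constructed sample argument sets (names, bucket and key ARN are placeholders).
HARDENED_TRAIL_ARGS = {
    "name": "org-audit-trail",
    "s3_bucket_name": "example-cloudtrail-logs",
    "s3_key_prefix": "cloudtrail",
    "enable_log_file_validation": True,
    "is_multi_region_trail": True,
    "include_global_service_events": True,
    "kms_key_id": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
    "event_selectors": [{
        "readWriteType": "All",
        "includeManagementEvents": True,
        "dataResources": [{"type": "AWS::S3::Object",
                           "values": ["arn:aws:s3:::example-sensitive-bucket/"]}],
    }],
}

WEAK_TRAIL_ARGS = {
    "name": "dev-trail",
    "s3_bucket_name": "example-cloudtrail-logs",
    "event_selectors": [{
        "readWriteType": "WriteOnly",
        "dataResources": [{"type": "AWS::S3::Bucket", "values": []}],
    }],
}

if __name__ == "__main__":
    for label, args in (("hardened", HARDENED_TRAIL_ARGS), ("weak", WEAK_TRAIL_ARGS)):
        print(label, audit_trail_args(args) or "OK")
```

Run the check in CI before `pulumi up`, and pass the same dict on as `Trail("audit", **HARDENED_TRAIL_ARGS)` so the configuration that was audited is the one that is deployed.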

arn = None

The Amazon Resource Name of the trail.

cloud_watch_logs_group_arn = None

Specifies the Amazon Resource Name (ARN) of the CloudWatch Logs log group to which CloudTrail logs will be delivered.

cloud_watch_logs_role_arn = None

Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

enable_log_file_validation = None

Specifies whether log file integrity validation is enabled. Defaults to false.

enable_logging = None

Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

event_selectors = None

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.

  • dataResources (list) - Specifies logging data events. Fields documented below.

    • type (str) - The resource type for which you want to log data events. You can specify only the following values: “AWS::S3::Object”, “AWS::Lambda::Function”

    • values (list) - A list of ARNs for the specified S3 buckets and object prefixes.

  • includeManagementEvents (bool) - Specify if you want your event selector to include management events for your trail.

  • readWriteType (str) - Specify whether you want your trail to log read-only events, write-only events, or all events. You can specify only the following values: “ReadOnly”, “WriteOnly”, “All”. Defaults to All.

home_region = None

The region in which the trail was created.

include_global_service_events = None

Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

is_multi_region_trail = None

Specifies whether the trail is created in the current region or in all regions. Defaults to false.

is_organization_trail = None

Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

kms_key_id = None

Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.

name = None

Specifies the name of the trail.

s3_bucket_name = None

Specifies the name of the S3 bucket designated for publishing log files.

s3_key_prefix = None

Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.

sns_topic_name = None

Specifies the name of the Amazon SNS topic defined for notification of log file delivery.

tags = None

A mapping of tags to assign to the trail.

static get(resource_name, id, opts=None, arn=None, cloud_watch_logs_group_arn=None, cloud_watch_logs_role_arn=None, enable_log_file_validation=None, enable_logging=None, event_selectors=None, home_region=None, include_global_service_events=None, is_multi_region_trail=None, is_organization_trail=None, kms_key_id=None, name=None, s3_bucket_name=None, s3_key_prefix=None, sns_topic_name=None, tags=None)

Get an existing Trail resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The Amazon Resource Name of the trail.

  • cloud_watch_logs_group_arn (pulumi.Input[str]) – Specifies the Amazon Resource Name (ARN) of the CloudWatch Logs log group to which CloudTrail logs will be delivered.

  • cloud_watch_logs_role_arn (pulumi.Input[str]) – Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

  • enable_log_file_validation (pulumi.Input[bool]) – Specifies whether log file integrity validation is enabled. Defaults to false.

  • enable_logging (pulumi.Input[bool]) – Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

  • event_selectors (pulumi.Input[list]) – Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.

  • home_region (pulumi.Input[str]) – The region in which the trail was created.

  • include_global_service_events (pulumi.Input[bool]) – Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

  • is_multi_region_trail (pulumi.Input[bool]) – Specifies whether the trail is created in the current region or in all regions. Defaults to false.

  • is_organization_trail (pulumi.Input[bool]) – Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

  • kms_key_id (pulumi.Input[str]) – Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.

  • name (pulumi.Input[str]) – Specifies the name of the trail.

  • s3_bucket_name (pulumi.Input[str]) – Specifies the name of the S3 bucket designated for publishing log files.

  • s3_key_prefix (pulumi.Input[str]) – Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.

  • sns_topic_name (pulumi.Input[str]) – Specifies the name of the Amazon SNS topic defined for notification of log file delivery.

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the trail.

The event_selectors object supports the following:

  • dataResources (pulumi.Input[list]) - Specifies logging data events. Fields documented below.

    • type (pulumi.Input[str]) - The resource type for which you want to log data events. You can specify only the following values: “AWS::S3::Object”, “AWS::Lambda::Function”

    • values (pulumi.Input[list]) - A list of ARNs for the specified S3 buckets and object prefixes.

  • includeManagementEvents (pulumi.Input[bool]) - Specify if you want your event selector to include management events for your trail.

  • readWriteType (pulumi.Input[str]) - Specify whether you want your trail to log read-only events, write-only events, or all events. You can specify only the following values: “ReadOnly”, “WriteOnly”, “All”. Defaults to All.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_aws.cloudtrail.get_service_account(region=None, opts=None)

Use this data source to get the Account ID of the AWS CloudTrail Service Account in a given region for the purpose of allowing CloudTrail to store trail data in S3.

Parameters

region (str) – Name of the region whose AWS CloudTrail account ID is desired. Defaults to the region from the AWS provider configuration.
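The service account ARN returned by this data source is only useful once it appears as the principal in the log bucket's policy, and that policy is where over-granting usually happens. The following is an added example, not code from the pulumi-aws project: a builder for the bucket policy CloudTrail needs (s3:GetBucketAcl on the bucket and s3:PutObject on the log prefix, with the bucket-owner-full-control ACL condition), plus a small inspector that lists what the policy actually allows the principal to do. The service account ARN is a constructed placeholder; in a Pulumi program it would come from `pulumi_aws.cloudtrail.get_service_account().arn`, and the bucket name, key prefix and the TLS-only deny statement are choices made here for illustration.

```python
"""Build and inspect the S3 bucket policy that lets CloudTrail deliver logs.

Added example, not pulumi-aws code. Runs offline: the service account ARN
below is a constructed placeholder for the value get_service_account() returns.
"""
import json

# Constructed placeholder (not a real CloudTrail service account).
EXAMPLE_SERVICE_ACCOUNT_ARN = "arn:aws:iam::111111111111:root"


def cloudtrail_bucket_policy(bucket_name, service_account_arn,
                             key_prefix=None, deny_insecure_transport=True):
    """Return the bucket policy as a dict; json.dumps() it for BucketPolicy.policy."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    prefix = f"{key_prefix.strip('/')}/" if key_prefix else ""
    # CloudTrail writes under <prefix>/AWSLogs/<account-id>/..., so the write
    # grant is scoped to that path rather than to the whole bucket.
    log_objects_arn = f"{bucket_arn}/{prefix}AWSLogs/*"

    statements = [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {"AWS": service_account_arn},
            "Action": "s3:GetBucketAcl",
            "Resource": bucket_arn,
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {"AWS": service_account_arn},
            "Action": "s3:PutObject",
            "Resource": log_objects_arn,
            # Delivered objects must be owned by the bucket owner.
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        },
    ]
    if deny_insecure_transport:
        # Hardening choice made in this example: refuse any non-TLS access.
        statements.append({
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _principal_arns(principal):
    """Normalise the Principal element to a set of ARNs ('*' for everyone)."""
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return set(aws) if isinstance(aws, list) else {aws}


def allowed_actions_for(policy, principal_arn):
    """Map every action the policy allows a principal to the resources it covers.

    Reviewing this map is a quick way to confirm the policy grants CloudTrail
    no more than the two actions it needs.
    """
    grants = {}
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        if not _principal_arns(statement["Principal"]) & {"*", principal_arn}:
            continue
        actions = statement["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        resources = statement["Resource"]
        resources = resources if isinstance(resources, list) else [resources]
        for action in actions:
            grants.setdefault(action, set()).update(resources)
    return grants


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy("example-cloudtrail-logs",
                                      EXAMPLE_SERVICE_ACCOUNT_ARN, key_prefix="cloudtrail")
    print(json.dumps(policy, indent=2))
    print(allowed_actions_for(policy, EXAMPLE_SERVICE_ACCOUNT_ARN))
```

Because `get_service_account()` returns the ARN as a Pulumi Output, call the builder inside `.apply()` (or `pulumi.Output.all(...)`) and hand the `json.dumps` result to `pulumi_aws.s3.BucketPolicy`; the bucket name used here must match the Trail's `s3_bucket_name` and the prefix its `s3_key_prefix`.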