Docs
PackagesTry AWS Native preview for resources not in the classic version.
aws.cloudtrail.Trail
Explore with Pulumi AI
Try AWS Native preview for resources not in the classic version.
Provides a CloudTrail resource.
Tip: For a multi-region trail, this resource must be in the home region of the trail.
Tip: For an organization trail, this resource must be in the master account of the organization.
Example Usage
Basic
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var exampleBucketV2 = new Aws.S3.BucketV2("exampleBucketV2", new()
{
ForceDestroy = true,
});
var currentCallerIdentity = Aws.GetCallerIdentity.Invoke();
var currentPartition = Aws.GetPartition.Invoke();
var currentRegion = Aws.GetRegion.Invoke();
var examplePolicyDocument = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Sid = "AWSCloudTrailAclCheck",
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "Service",
Identifiers = new[]
{
"cloudtrail.amazonaws.com",
},
},
},
Actions = new[]
{
"s3:GetBucketAcl",
},
Resources = new[]
{
exampleBucketV2.Arn,
},
Conditions = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
{
Test = "StringEquals",
Variable = "aws:SourceArn",
Values = new[]
{
$"arn:{currentPartition.Apply(getPartitionResult => getPartitionResult.Partition)}:cloudtrail:{currentRegion.Apply(getRegionResult => getRegionResult.Name)}:{currentCallerIdentity.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:trail/example",
},
},
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Sid = "AWSCloudTrailWrite",
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "Service",
Identifiers = new[]
{
"cloudtrail.amazonaws.com",
},
},
},
Actions = new[]
{
"s3:PutObject",
},
Resources = new[]
{
$"{exampleBucketV2.Arn}/prefix/AWSLogs/{currentCallerIdentity.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}/*",
},
Conditions = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
{
Test = "StringEquals",
Variable = "s3:x-amz-acl",
Values = new[]
{
"bucket-owner-full-control",
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
{
Test = "StringEquals",
Variable = "aws:SourceArn",
Values = new[]
{
$"arn:{currentPartition.Apply(getPartitionResult => getPartitionResult.Partition)}:cloudtrail:{currentRegion.Apply(getRegionResult => getRegionResult.Name)}:{currentCallerIdentity.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:trail/example",
},
},
},
},
},
});
var exampleBucketPolicy = new Aws.S3.BucketPolicy("exampleBucketPolicy", new()
{
Bucket = exampleBucketV2.Id,
Policy = examplePolicyDocument.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
var exampleTrail = new Aws.CloudTrail.Trail("exampleTrail", new()
{
S3BucketName = exampleBucketV2.Id,
S3KeyPrefix = "prefix",
IncludeGlobalServiceEvents = false,
}, new CustomResourceOptions
{
DependsOn = new[]
{
exampleBucketPolicy,
},
});
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleBucketV2, err := s3.NewBucketV2(ctx, "exampleBucketV2", &s3.BucketV2Args{
ForceDestroy: pulumi.Bool(true),
})
if err != nil {
return err
}
currentCallerIdentity, err := aws.GetCallerIdentity(ctx, nil, nil)
if err != nil {
return err
}
currentPartition, err := aws.GetPartition(ctx, nil, nil)
if err != nil {
return err
}
currentRegion, err := aws.GetRegion(ctx, nil, nil)
if err != nil {
return err
}
examplePolicyDocument := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
Statements: iam.GetPolicyDocumentStatementArray{
&iam.GetPolicyDocumentStatementArgs{
Sid: pulumi.String("AWSCloudTrailAclCheck"),
Effect: pulumi.String("Allow"),
Principals: iam.GetPolicyDocumentStatementPrincipalArray{
&iam.GetPolicyDocumentStatementPrincipalArgs{
Type: pulumi.String("Service"),
Identifiers: pulumi.StringArray{
pulumi.String("cloudtrail.amazonaws.com"),
},
},
},
Actions: pulumi.StringArray{
pulumi.String("s3:GetBucketAcl"),
},
Resources: pulumi.StringArray{
exampleBucketV2.Arn,
},
Conditions: iam.GetPolicyDocumentStatementConditionArray{
&iam.GetPolicyDocumentStatementConditionArgs{
Test: pulumi.String("StringEquals"),
Variable: pulumi.String("aws:SourceArn"),
Values: pulumi.StringArray{
pulumi.String(fmt.Sprintf("arn:%v:cloudtrail:%v:%v:trail/example", currentPartition.Partition, currentRegion.Name, currentCallerIdentity.AccountId)),
},
},
},
},
&iam.GetPolicyDocumentStatementArgs{
Sid: pulumi.String("AWSCloudTrailWrite"),
Effect: pulumi.String("Allow"),
Principals: iam.GetPolicyDocumentStatementPrincipalArray{
&iam.GetPolicyDocumentStatementPrincipalArgs{
Type: pulumi.String("Service"),
Identifiers: pulumi.StringArray{
pulumi.String("cloudtrail.amazonaws.com"),
},
},
},
Actions: pulumi.StringArray{
pulumi.String("s3:PutObject"),
},
Resources: pulumi.StringArray{
exampleBucketV2.Arn.ApplyT(func(arn string) (string, error) {
return fmt.Sprintf("%v/prefix/AWSLogs/%v/*", arn, currentCallerIdentity.AccountId), nil
}).(pulumi.StringOutput),
},
Conditions: iam.GetPolicyDocumentStatementConditionArray{
&iam.GetPolicyDocumentStatementConditionArgs{
Test: pulumi.String("StringEquals"),
Variable: pulumi.String("s3:x-amz-acl"),
Values: pulumi.StringArray{
pulumi.String("bucket-owner-full-control"),
},
},
&iam.GetPolicyDocumentStatementConditionArgs{
Test: pulumi.String("StringEquals"),
Variable: pulumi.String("aws:SourceArn"),
Values: pulumi.StringArray{
pulumi.String(fmt.Sprintf("arn:%v:cloudtrail:%v:%v:trail/example", currentPartition.Partition, currentRegion.Name, currentCallerIdentity.AccountId)),
},
},
},
},
},
}, nil)
exampleBucketPolicy, err := s3.NewBucketPolicy(ctx, "exampleBucketPolicy", &s3.BucketPolicyArgs{
Bucket: exampleBucketV2.ID(),
Policy: examplePolicyDocument.ApplyT(func(examplePolicyDocument iam.GetPolicyDocumentResult) (*string, error) {
return &examplePolicyDocument.Json, nil
}).(pulumi.StringPtrOutput),
})
if err != nil {
return err
}
_, err = cloudtrail.NewTrail(ctx, "exampleTrail", &cloudtrail.TrailArgs{
S3BucketName: exampleBucketV2.ID(),
S3KeyPrefix: pulumi.String("prefix"),
IncludeGlobalServiceEvents: pulumi.Bool(false),
}, pulumi.DependsOn([]pulumi.Resource{
exampleBucketPolicy,
}))
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.inputs.GetPartitionArgs;
import com.pulumi.aws.inputs.GetRegionArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var exampleBucketV2 = new BucketV2("exampleBucketV2", BucketV2Args.builder()
.forceDestroy(true)
.build());
final var currentCallerIdentity = AwsFunctions.getCallerIdentity();
final var currentPartition = AwsFunctions.getPartition();
final var currentRegion = AwsFunctions.getRegion();
final var examplePolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(
GetPolicyDocumentStatementArgs.builder()
.sid("AWSCloudTrailAclCheck")
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("Service")
.identifiers("cloudtrail.amazonaws.com")
.build())
.actions("s3:GetBucketAcl")
.resources(exampleBucketV2.arn())
.conditions(GetPolicyDocumentStatementConditionArgs.builder()
.test("StringEquals")
.variable("aws:SourceArn")
.values(String.format("arn:%s:cloudtrail:%s:%s:trail/example", currentPartition.applyValue(getPartitionResult -> getPartitionResult.partition()),currentRegion.applyValue(getRegionResult -> getRegionResult.name()),currentCallerIdentity.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
.build())
.build(),
GetPolicyDocumentStatementArgs.builder()
.sid("AWSCloudTrailWrite")
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("Service")
.identifiers("cloudtrail.amazonaws.com")
.build())
.actions("s3:PutObject")
.resources(exampleBucketV2.arn().applyValue(arn -> String.format("%s/prefix/AWSLogs/%s/*", arn,currentCallerIdentity.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()))))
.conditions(
GetPolicyDocumentStatementConditionArgs.builder()
.test("StringEquals")
.variable("s3:x-amz-acl")
.values("bucket-owner-full-control")
.build(),
GetPolicyDocumentStatementConditionArgs.builder()
.test("StringEquals")
.variable("aws:SourceArn")
.values(String.format("arn:%s:cloudtrail:%s:%s:trail/example", currentPartition.applyValue(getPartitionResult -> getPartitionResult.partition()),currentRegion.applyValue(getRegionResult -> getRegionResult.name()),currentCallerIdentity.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
.build())
.build())
.build());
var exampleBucketPolicy = new BucketPolicy("exampleBucketPolicy", BucketPolicyArgs.builder()
.bucket(exampleBucketV2.id())
.policy(examplePolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(examplePolicyDocument -> examplePolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
.build());
var exampleTrail = new Trail("exampleTrail", TrailArgs.builder()
.s3BucketName(exampleBucketV2.id())
.s3KeyPrefix("prefix")
.includeGlobalServiceEvents(false)
.build(), CustomResourceOptions.builder()
.dependsOn(exampleBucketPolicy)
.build());
}
}
import pulumi
import pulumi_aws as aws
example_bucket_v2 = aws.s3.BucketV2("exampleBucketV2", force_destroy=True)
current_caller_identity = aws.get_caller_identity()
current_partition = aws.get_partition()
current_region = aws.get_region()
example_policy_document = aws.iam.get_policy_document_output(statements=[
aws.iam.GetPolicyDocumentStatementArgs(
sid="AWSCloudTrailAclCheck",
effect="Allow",
principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
type="Service",
identifiers=["cloudtrail.amazonaws.com"],
)],
actions=["s3:GetBucketAcl"],
resources=[example_bucket_v2.arn],
conditions=[aws.iam.GetPolicyDocumentStatementConditionArgs(
test="StringEquals",
variable="aws:SourceArn",
values=[f"arn:{current_partition.partition}:cloudtrail:{current_region.name}:{current_caller_identity.account_id}:trail/example"],
)],
),
aws.iam.GetPolicyDocumentStatementArgs(
sid="AWSCloudTrailWrite",
effect="Allow",
principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
type="Service",
identifiers=["cloudtrail.amazonaws.com"],
)],
actions=["s3:PutObject"],
resources=[example_bucket_v2.arn.apply(lambda arn: f"{arn}/prefix/AWSLogs/{current_caller_identity.account_id}/*")],
conditions=[
aws.iam.GetPolicyDocumentStatementConditionArgs(
test="StringEquals",
variable="s3:x-amz-acl",
values=["bucket-owner-full-control"],
),
aws.iam.GetPolicyDocumentStatementConditionArgs(
test="StringEquals",
variable="aws:SourceArn",
values=[f"arn:{current_partition.partition}:cloudtrail:{current_region.name}:{current_caller_identity.account_id}:trail/example"],
),
],
),
])
example_bucket_policy = aws.s3.BucketPolicy("exampleBucketPolicy",
bucket=example_bucket_v2.id,
policy=example_policy_document.json)
example_trail = aws.cloudtrail.Trail("exampleTrail",
s3_bucket_name=example_bucket_v2.id,
s3_key_prefix="prefix",
include_global_service_events=False,
opts=pulumi.ResourceOptions(depends_on=[example_bucket_policy]))
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleBucketV2 = new aws.s3.BucketV2("exampleBucketV2", {forceDestroy: true});
const currentCallerIdentity = aws.getCallerIdentity({});
const currentPartition = aws.getPartition({});
const currentRegion = aws.getRegion({});
const examplePolicyDocument = aws.iam.getPolicyDocumentOutput({
statements: [
{
sid: "AWSCloudTrailAclCheck",
effect: "Allow",
principals: [{
type: "Service",
identifiers: ["cloudtrail.amazonaws.com"],
}],
actions: ["s3:GetBucketAcl"],
resources: [exampleBucketV2.arn],
conditions: [{
test: "StringEquals",
variable: "aws:SourceArn",
values: [Promise.all([currentPartition, currentRegion, currentCallerIdentity]).then(([currentPartition, currentRegion, currentCallerIdentity]) => `arn:${currentPartition.partition}:cloudtrail:${currentRegion.name}:${currentCallerIdentity.accountId}:trail/example`)],
}],
},
{
sid: "AWSCloudTrailWrite",
effect: "Allow",
principals: [{
type: "Service",
identifiers: ["cloudtrail.amazonaws.com"],
}],
actions: ["s3:PutObject"],
resources: [pulumi.all([exampleBucketV2.arn, currentCallerIdentity]).apply(([arn, currentCallerIdentity]) => `${arn}/prefix/AWSLogs/${currentCallerIdentity.accountId}/*`)],
conditions: [
{
test: "StringEquals",
variable: "s3:x-amz-acl",
values: ["bucket-owner-full-control"],
},
{
test: "StringEquals",
variable: "aws:SourceArn",
values: [Promise.all([currentPartition, currentRegion, currentCallerIdentity]).then(([currentPartition, currentRegion, currentCallerIdentity]) => `arn:${currentPartition.partition}:cloudtrail:${currentRegion.name}:${currentCallerIdentity.accountId}:trail/example`)],
},
],
},
],
});
const exampleBucketPolicy = new aws.s3.BucketPolicy("exampleBucketPolicy", {
bucket: exampleBucketV2.id,
policy: examplePolicyDocument.apply(examplePolicyDocument => examplePolicyDocument.json),
});
const exampleTrail = new aws.cloudtrail.Trail("exampleTrail", {
s3BucketName: exampleBucketV2.id,
s3KeyPrefix: "prefix",
includeGlobalServiceEvents: false,
}, {
dependsOn: [exampleBucketPolicy],
});
resources:
exampleTrail:
type: aws:cloudtrail:Trail
properties:
s3BucketName: ${exampleBucketV2.id}
s3KeyPrefix: prefix
includeGlobalServiceEvents: false
options:
dependson:
- ${exampleBucketPolicy}
exampleBucketV2:
type: aws:s3:BucketV2
properties:
forceDestroy: true
exampleBucketPolicy:
type: aws:s3:BucketPolicy
properties:
bucket: ${exampleBucketV2.id}
policy: ${examplePolicyDocument.json}
variables:
examplePolicyDocument:
fn::invoke:
Function: aws:iam:getPolicyDocument
Arguments:
statements:
- sid: AWSCloudTrailAclCheck
effect: Allow
principals:
- type: Service
identifiers:
- cloudtrail.amazonaws.com
actions:
- s3:GetBucketAcl
resources:
- ${exampleBucketV2.arn}
conditions:
- test: StringEquals
variable: aws:SourceArn
values:
- arn:${currentPartition.partition}:cloudtrail:${currentRegion.name}:${currentCallerIdentity.accountId}:trail/example
- sid: AWSCloudTrailWrite
effect: Allow
principals:
- type: Service
identifiers:
- cloudtrail.amazonaws.com
actions:
- s3:PutObject
resources:
- ${exampleBucketV2.arn}/prefix/AWSLogs/${currentCallerIdentity.accountId}/*
conditions:
- test: StringEquals
variable: s3:x-amz-acl
values:
- bucket-owner-full-control
- test: StringEquals
variable: aws:SourceArn
values:
- arn:${currentPartition.partition}:cloudtrail:${currentRegion.name}:${currentCallerIdentity.accountId}:trail/example
currentCallerIdentity:
fn::invoke:
Function: aws:getCallerIdentity
Arguments: {}
currentPartition:
fn::invoke:
Function: aws:getPartition
Arguments: {}
currentRegion:
fn::invoke:
Function: aws:getRegion
Arguments: {}
Logging All Lambda Function Invocations By Using Basic Event Selectors
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.CloudTrail.Trail("example", new()
{
EventSelectors = new[]
{
new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
{
DataResources = new[]
{
new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
{
Type = "AWS::Lambda::Function",
Values = new[]
{
"arn:aws:lambda",
},
},
},
IncludeManagementEvents = true,
ReadWriteType = "All",
},
},
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
EventSelectors: cloudtrail.TrailEventSelectorArray{
&cloudtrail.TrailEventSelectorArgs{
DataResources: cloudtrail.TrailEventSelectorDataResourceArray{
&cloudtrail.TrailEventSelectorDataResourceArgs{
Type: pulumi.String("AWS::Lambda::Function"),
Values: pulumi.StringArray{
pulumi.String("arn:aws:lambda"),
},
},
},
IncludeManagementEvents: pulumi.Bool(true),
ReadWriteType: pulumi.String("All"),
},
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Trail("example", TrailArgs.builder()
.eventSelectors(TrailEventSelectorArgs.builder()
.dataResources(TrailEventSelectorDataResourceArgs.builder()
.type("AWS::Lambda::Function")
.values("arn:aws:lambda")
.build())
.includeManagementEvents(true)
.readWriteType("All")
.build())
.build());
}
}
import pulumi
import pulumi_aws as aws
example = aws.cloudtrail.Trail("example", event_selectors=[aws.cloudtrail.TrailEventSelectorArgs(
data_resources=[aws.cloudtrail.TrailEventSelectorDataResourceArgs(
type="AWS::Lambda::Function",
values=["arn:aws:lambda"],
)],
include_management_events=True,
read_write_type="All",
)])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.cloudtrail.Trail("example", {eventSelectors: [{
dataResources: [{
type: "AWS::Lambda::Function",
values: ["arn:aws:lambda"],
}],
includeManagementEvents: true,
readWriteType: "All",
}]});
resources:
example:
type: aws:cloudtrail:Trail
properties:
eventSelectors:
- dataResources:
- type: AWS::Lambda::Function
values:
- arn:aws:lambda
includeManagementEvents: true
readWriteType: All
Logging All S3 Object Events By Using Basic Event Selectors
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.CloudTrail.Trail("example", new()
{
EventSelectors = new[]
{
new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
{
DataResources = new[]
{
new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
{
Type = "AWS::S3::Object",
Values = new[]
{
"arn:aws:s3",
},
},
},
IncludeManagementEvents = true,
ReadWriteType = "All",
},
},
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
EventSelectors: cloudtrail.TrailEventSelectorArray{
&cloudtrail.TrailEventSelectorArgs{
DataResources: cloudtrail.TrailEventSelectorDataResourceArray{
&cloudtrail.TrailEventSelectorDataResourceArgs{
Type: pulumi.String("AWS::S3::Object"),
Values: pulumi.StringArray{
pulumi.String("arn:aws:s3"),
},
},
},
IncludeManagementEvents: pulumi.Bool(true),
ReadWriteType: pulumi.String("All"),
},
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Trail("example", TrailArgs.builder()
.eventSelectors(TrailEventSelectorArgs.builder()
.dataResources(TrailEventSelectorDataResourceArgs.builder()
.type("AWS::S3::Object")
.values("arn:aws:s3")
.build())
.includeManagementEvents(true)
.readWriteType("All")
.build())
.build());
}
}
import pulumi
import pulumi_aws as aws
example = aws.cloudtrail.Trail("example", event_selectors=[aws.cloudtrail.TrailEventSelectorArgs(
data_resources=[aws.cloudtrail.TrailEventSelectorDataResourceArgs(
type="AWS::S3::Object",
values=["arn:aws:s3"],
)],
include_management_events=True,
read_write_type="All",
)])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.cloudtrail.Trail("example", {eventSelectors: [{
dataResources: [{
type: "AWS::S3::Object",
values: ["arn:aws:s3"],
}],
includeManagementEvents: true,
readWriteType: "All",
}]});
resources:
example:
type: aws:cloudtrail:Trail
properties:
eventSelectors:
- dataResources:
- type: AWS::S3::Object
values:
- arn:aws:s3
includeManagementEvents: true
readWriteType: All
Logging Individual S3 Bucket Events By Using Basic Event Selectors
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var important_bucket = Aws.S3.GetBucket.Invoke(new()
{
Bucket = "important-bucket",
});
var example = new Aws.CloudTrail.Trail("example", new()
{
EventSelectors = new[]
{
new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
{
DataResources = new[]
{
new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
{
Type = "AWS::S3::Object",
Values = new[]
{
important_bucket.Apply(important_bucket => $"{important_bucket.Apply(getBucketResult => getBucketResult.Arn)}/"),
},
},
},
IncludeManagementEvents = true,
ReadWriteType = "All",
},
},
});
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
important_bucket, err := s3.LookupBucket(ctx, &s3.LookupBucketArgs{
Bucket: "important-bucket",
}, nil)
if err != nil {
return err
}
_, err = cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
EventSelectors: cloudtrail.TrailEventSelectorArray{
&cloudtrail.TrailEventSelectorArgs{
DataResources: cloudtrail.TrailEventSelectorDataResourceArray{
&cloudtrail.TrailEventSelectorDataResourceArgs{
Type: pulumi.String("AWS::S3::Object"),
Values: pulumi.StringArray{
pulumi.String(fmt.Sprintf("%v/", important_bucket.Arn)),
},
},
},
IncludeManagementEvents: pulumi.Bool(true),
ReadWriteType: pulumi.String("All"),
},
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var important-bucket = S3Functions.getBucket(GetBucketArgs.builder()
.bucket("important-bucket")
.build());
var example = new Trail("example", TrailArgs.builder()
.eventSelectors(TrailEventSelectorArgs.builder()
.dataResources(TrailEventSelectorDataResourceArgs.builder()
.type("AWS::S3::Object")
.values(String.format("%s/", important_bucket.arn()))
.build())
.includeManagementEvents(true)
.readWriteType("All")
.build())
.build());
}
}
import pulumi
import pulumi_aws as aws
important_bucket = aws.s3.get_bucket(bucket="important-bucket")
example = aws.cloudtrail.Trail("example", event_selectors=[aws.cloudtrail.TrailEventSelectorArgs(
data_resources=[aws.cloudtrail.TrailEventSelectorDataResourceArgs(
type="AWS::S3::Object",
values=[f"{important_bucket.arn}/"],
)],
include_management_events=True,
read_write_type="All",
)])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const important-bucket = aws.s3.getBucket({
bucket: "important-bucket",
});
const example = new aws.cloudtrail.Trail("example", {eventSelectors: [{
dataResources: [{
type: "AWS::S3::Object",
values: [important_bucket.then(important_bucket => `${important_bucket.arn}/`)],
}],
includeManagementEvents: true,
readWriteType: "All",
}]});
resources:
example:
type: aws:cloudtrail:Trail
properties:
eventSelectors:
- dataResources:
- type: AWS::S3::Object
values:
- ${["important-bucket"].arn}/
includeManagementEvents: true
readWriteType: All
variables:
important-bucket:
fn::invoke:
Function: aws:s3:getBucket
Arguments:
bucket: important-bucket
Logging All S3 Object Events Except For Two S3 Buckets By Using Advanced Event Selectors
Coming soon!
Coming soon!
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var not-important-bucket-1 = S3Functions.getBucket(GetBucketArgs.builder()
.bucket("not-important-bucket-1")
.build());
final var not-important-bucket-2 = S3Functions.getBucket(GetBucketArgs.builder()
.bucket("not-important-bucket-2")
.build());
var example = new Trail("example", TrailArgs.builder()
.advancedEventSelectors(
TrailAdvancedEventSelectorArgs.builder()
.fieldSelectors(
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.equals("Data")
.field("eventCategory")
.build(),
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.field("resources.ARN")
.notStartsWith(
String.format("%s/", not_important_bucket_1.arn()),
String.format("%s/", not_important_bucket_2.arn()))
.build(),
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.equals("AWS::S3::Object")
.field("resources.type")
.build())
.name("Log all S3 objects events except for two S3 buckets")
.build(),
TrailAdvancedEventSelectorArgs.builder()
.fieldSelectors(TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.equals("Management")
.field("eventCategory")
.build())
.name("Log readOnly and writeOnly management events")
.build())
.build());
}
}
Coming soon!
Coming soon!
resources:
example:
type: aws:cloudtrail:Trail
properties:
advancedEventSelectors:
- fieldSelectors:
- equals:
- Data
field: eventCategory
- field: resources.ARN
notStartsWith:
- ${["not-important-bucket-1"].arn}/
- ${["not-important-bucket-2"].arn}/
- equals:
- AWS::S3::Object
field: resources.type
name: Log all S3 objects events except for two S3 buckets
- fieldSelectors:
- equals:
- Management
field: eventCategory
name: Log readOnly and writeOnly management events
variables:
not-important-bucket-1:
fn::invoke:
Function: aws:s3:getBucket
Arguments:
bucket: not-important-bucket-1
not-important-bucket-2:
fn::invoke:
Function: aws:s3:getBucket
Arguments:
bucket: not-important-bucket-2
Logging Individual S3 Buckets And Specific Event Names By Using Advanced Event Selectors
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var exampleLogGroup = new Aws.CloudWatch.LogGroup("exampleLogGroup");
var exampleTrail = new Aws.CloudTrail.Trail("exampleTrail", new()
{
CloudWatchLogsGroupArn = exampleLogGroup.Arn.Apply(arn => $"{arn}:*"),
});
// CloudTrail requires the Log Stream wildcard
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleLogGroup, err := cloudwatch.NewLogGroup(ctx, "exampleLogGroup", nil)
if err != nil {
return err
}
_, err = cloudtrail.NewTrail(ctx, "exampleTrail", &cloudtrail.TrailArgs{
CloudWatchLogsGroupArn: exampleLogGroup.Arn.ApplyT(func(arn string) (string, error) {
return fmt.Sprintf("%v:*", arn), nil
}).(pulumi.StringOutput),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var important-bucket-1 = S3Functions.getBucket(GetBucketArgs.builder()
.bucket("important-bucket-1")
.build());
final var important-bucket-2 = S3Functions.getBucket(GetBucketArgs.builder()
.bucket("important-bucket-2")
.build());
final var important-bucket-3 = S3Functions.getBucket(GetBucketArgs.builder()
.bucket("important-bucket-3")
.build());
var example = new Trail("example", TrailArgs.builder()
.advancedEventSelectors(
TrailAdvancedEventSelectorArgs.builder()
.fieldSelectors(
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.equals("Data")
.field("eventCategory")
.build(),
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.equals(
"PutObject",
"DeleteObject")
.field("eventName")
.build(),
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.field("resources.ARN")
.startsWith(
String.format("%s/", important_bucket_1.arn()),
String.format("%s/", important_bucket_2.arn()))
.build(),
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.equals("false")
.field("readOnly")
.build(),
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.equals("AWS::S3::Object")
.field("resources.type")
.build())
.name("Log PutObject and DeleteObject events for two S3 buckets")
.build(),
TrailAdvancedEventSelectorArgs.builder()
.fieldSelectors(
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.equals("Data")
.field("eventCategory")
.build(),
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.field("eventName")
.startsWith("Delete")
.build(),
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.equals(String.format("%s/important-prefix", important_bucket_3.arn()))
.field("resources.ARN")
.build(),
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.equals("false")
.field("readOnly")
.build(),
TrailAdvancedEventSelectorFieldSelectorArgs.builder()
.equals("AWS::S3::Object")
.field("resources.type")
.build())
.name("Log Delete* events for one S3 bucket")
.build())
.build());
}
}
import pulumi
import pulumi_aws as aws
example_log_group = aws.cloudwatch.LogGroup("exampleLogGroup")
example_trail = aws.cloudtrail.Trail("exampleTrail", cloud_watch_logs_group_arn=example_log_group.arn.apply(lambda arn: f"{arn}:*"))
# CloudTrail requires the Log Stream wildcard
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleLogGroup = new aws.cloudwatch.LogGroup("exampleLogGroup", {});
const exampleTrail = new aws.cloudtrail.Trail("exampleTrail", {cloudWatchLogsGroupArn: pulumi.interpolate`${exampleLogGroup.arn}:*`});
// CloudTrail requires the Log Stream wildcard
resources:
example:
type: aws:cloudtrail:Trail
properties:
advancedEventSelectors:
- fieldSelectors:
- equals:
- Data
field: eventCategory
- equals:
- PutObject
- DeleteObject
field: eventName
- field: resources.ARN
startsWith:
- ${["important-bucket-1"].arn}/
- ${["important-bucket-2"].arn}/
- equals:
- 'false'
field: readOnly
- equals:
- AWS::S3::Object
field: resources.type
name: Log PutObject and DeleteObject events for two S3 buckets
- fieldSelectors:
- equals:
- Data
field: eventCategory
- field: eventName
startsWith:
- Delete
- equals:
- ${["important-bucket-3"].arn}/important-prefix
field: resources.ARN
- equals:
- 'false'
field: readOnly
- equals:
- AWS::S3::Object
field: resources.type
name: Log Delete* events for one S3 bucket
variables:
important-bucket-1:
fn::invoke:
Function: aws:s3:getBucket
Arguments:
bucket: important-bucket-1
important-bucket-2:
fn::invoke:
Function: aws:s3:getBucket
Arguments:
bucket: important-bucket-2
important-bucket-3:
fn::invoke:
Function: aws:s3:getBucket
Arguments:
bucket: important-bucket-3
Sending Events to CloudWatch Logs
Coming soon!
Coming soon!
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var exampleLogGroup = new LogGroup("exampleLogGroup");
var exampleTrail = new Trail("exampleTrail", TrailArgs.builder()
.cloudWatchLogsGroupArn(exampleLogGroup.arn().applyValue(arn -> String.format("%s:*", arn)))
.build());
}
}
Coming soon!
Coming soon!
resources:
exampleLogGroup:
type: aws:cloudwatch:LogGroup
exampleTrail:
type: aws:cloudtrail:Trail
properties:
cloudWatchLogsGroupArn: ${exampleLogGroup.arn}:*
Create Trail Resource
new Trail(name: string, args: TrailArgs, opts?: CustomResourceOptions);@overload
def Trail(resource_name: str,
opts: Optional[ResourceOptions] = None,
advanced_event_selectors: Optional[Sequence[TrailAdvancedEventSelectorArgs]] = None,
cloud_watch_logs_group_arn: Optional[str] = None,
cloud_watch_logs_role_arn: Optional[str] = None,
enable_log_file_validation: Optional[bool] = None,
enable_logging: Optional[bool] = None,
event_selectors: Optional[Sequence[TrailEventSelectorArgs]] = None,
include_global_service_events: Optional[bool] = None,
insight_selectors: Optional[Sequence[TrailInsightSelectorArgs]] = None,
is_multi_region_trail: Optional[bool] = None,
is_organization_trail: Optional[bool] = None,
kms_key_id: Optional[str] = None,
name: Optional[str] = None,
s3_bucket_name: Optional[str] = None,
s3_key_prefix: Optional[str] = None,
sns_topic_name: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None)
@overload
def Trail(resource_name: str,
args: TrailArgs,
opts: Optional[ResourceOptions] = None)func NewTrail(ctx *Context, name string, args TrailArgs, opts ...ResourceOption) (*Trail, error)public Trail(string name, TrailArgs args, CustomResourceOptions? opts = null)type: aws:cloudtrail:Trail
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Trail Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Trail resource accepts the following input properties:
- S3Bucket
Name string Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- Advanced
Event List<TrailSelectors Advanced Event Selector> Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with
event_selector.- Cloud
Watch stringLogs Group Arn Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- Cloud
Watch stringLogs Role Arn Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- Enable
Log boolFile Validation Whether log file integrity validation is enabled. Defaults to
false.- Enable
Logging bool Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.- Event
Selectors List<TrailEvent Selector> Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with
advanced_event_selector.- Include
Global boolService Events Whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.- Insight
Selectors List<TrailInsight Selector> Configuration block for identifying unusual operational activity. See details below.
- Is
Multi boolRegion Trail Whether the trail is created in the current region or in all regions. Defaults to
false.- Is
Organization boolTrail Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.- Kms
Key stringId KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- Name string
Name of the trail.
- S3Key
Prefix string S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- Sns
Topic stringName Name of the Amazon SNS topic defined for notification of log file delivery.
- Dictionary<string, string>
Map of tags to assign to the trail. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- S3Bucket
Name string Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- Advanced
Event []TrailSelectors Advanced Event Selector Args Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with
event_selector.- Cloud
Watch stringLogs Group Arn Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- Cloud
Watch stringLogs Role Arn Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- Enable
Log boolFile Validation Whether log file integrity validation is enabled. Defaults to
false.- Enable
Logging bool Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.- Event
Selectors []TrailEvent Selector Args Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with
advanced_event_selector.- Include
Global boolService Events Whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.- Insight
Selectors []TrailInsight Selector Args Configuration block for identifying unusual operational activity. See details below.
- Is
Multi boolRegion Trail Whether the trail is created in the current region or in all regions. Defaults to
false.- Is
Organization boolTrail Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.- Kms
Key stringId KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- Name string
Name of the trail.
- S3Key
Prefix string S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- Sns
Topic stringName Name of the Amazon SNS topic defined for notification of log file delivery.
- map[string]string
Map of tags to assign to the trail. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- s3Bucket
Name String Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- advanced
Event List<TrailSelectors Advanced Event Selector> Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with
event_selector.- cloud
Watch StringLogs Group Arn Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloud
Watch StringLogs Role Arn Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enable
Log BooleanFile Validation Whether log file integrity validation is enabled. Defaults to
false.- enable
Logging Boolean Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.- event
Selectors List<TrailEvent Selector> Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with
advanced_event_selector.- include
Global BooleanService Events Whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.- insight
Selectors List<TrailInsight Selector> Configuration block for identifying unusual operational activity. See details below.
- is
Multi BooleanRegion Trail Whether the trail is created in the current region or in all regions. Defaults to
false.- is
Organization BooleanTrail Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.- kms
Key StringId KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name String
Name of the trail.
- s3Key
Prefix String S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns
Topic StringName Name of the Amazon SNS topic defined for notification of log file delivery.
- Map<String,String>
Map of tags to assign to the trail. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- s3Bucket
Name string Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- advanced
Event TrailSelectors Advanced Event Selector[] Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with
event_selector.- cloud
Watch stringLogs Group Arn Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloud
Watch stringLogs Role Arn Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enable
Log booleanFile Validation Whether log file integrity validation is enabled. Defaults to
false.- enable
Logging boolean Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.- event
Selectors TrailEvent Selector[] Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with
advanced_event_selector.- include
Global booleanService Events Whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.- insight
Selectors TrailInsight Selector[] Configuration block for identifying unusual operational activity. See details below.
- is
Multi booleanRegion Trail Whether the trail is created in the current region or in all regions. Defaults to
false.- is
Organization booleanTrail Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.- kms
Key stringId KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name string
Name of the trail.
- s3Key
Prefix string S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns
Topic stringName Name of the Amazon SNS topic defined for notification of log file delivery.
- {[key: string]: string}
Map of tags to assign to the trail. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- s3_
bucket_ strname Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- advanced_
event_ Sequence[Trailselectors Advanced Event Selector Args] Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with
event_selector.- cloud_
watch_ strlogs_ group_ arn Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloud_
watch_ strlogs_ role_ arn Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enable_
log_ boolfile_ validation Whether log file integrity validation is enabled. Defaults to
false.- enable_
logging bool Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.- event_
selectors Sequence[TrailEvent Selector Args] Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with
advanced_event_selector.- include_
global_ boolservice_ events Whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.- insight_
selectors Sequence[TrailInsight Selector Args] Configuration block for identifying unusual operational activity. See details below.
- is_
multi_ boolregion_ trail Whether the trail is created in the current region or in all regions. Defaults to
false.- is_
organization_ booltrail Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.- kms_
key_ strid KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name str
Name of the trail.
- s3_
key_ strprefix S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns_
topic_ strname Name of the Amazon SNS topic defined for notification of log file delivery.
- Mapping[str, str]
Map of tags to assign to the trail. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- s3Bucket
Name String Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- advanced
Event List<Property Map>Selectors Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with
event_selector.- cloud
Watch StringLogs Group Arn Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloud
Watch StringLogs Role Arn Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enable
Log BooleanFile Validation Whether log file integrity validation is enabled. Defaults to
false.- enable
Logging Boolean Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.- event
Selectors List<Property Map> Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with
advanced_event_selector.- include
Global BooleanService Events Whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.- insight
Selectors List<Property Map> Configuration block for identifying unusual operational activity. See details below.
- is
Multi BooleanRegion Trail Whether the trail is created in the current region or in all regions. Defaults to
false.- is
Organization BooleanTrail Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.- kms
Key StringId KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name String
Name of the trail.
- s3Key
Prefix String S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns
Topic StringName Name of the Amazon SNS topic defined for notification of log file delivery.
- Map<String>
Map of tags to assign to the trail. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
Outputs
All input properties are implicitly available as output properties. Additionally, the Trail resource produces the following output properties:
- Arn string
ARN of the trail.
- Home
Region string Region in which the trail was created.
- Id string
The provider-assigned unique ID for this managed resource.
- Dictionary<string, string>
Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.
- Arn string
ARN of the trail.
- Home
Region string Region in which the trail was created.
- Id string
The provider-assigned unique ID for this managed resource.
- map[string]string
Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.
- arn String
ARN of the trail.
- home
Region String Region in which the trail was created.
- id String
The provider-assigned unique ID for this managed resource.
- Map<String,String>
Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.
- arn string
ARN of the trail.
- home
Region string Region in which the trail was created.
- id string
The provider-assigned unique ID for this managed resource.
- {[key: string]: string}
Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.
- arn str
ARN of the trail.
- home_
region str Region in which the trail was created.
- id str
The provider-assigned unique ID for this managed resource.
- Mapping[str, str]
Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.
- arn String
ARN of the trail.
- home
Region String Region in which the trail was created.
- id String
The provider-assigned unique ID for this managed resource.
- Map<String>
Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.
Look up Existing Trail Resource
Get an existing Trail resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: TrailState, opts?: CustomResourceOptions): Trail@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
advanced_event_selectors: Optional[Sequence[TrailAdvancedEventSelectorArgs]] = None,
arn: Optional[str] = None,
cloud_watch_logs_group_arn: Optional[str] = None,
cloud_watch_logs_role_arn: Optional[str] = None,
enable_log_file_validation: Optional[bool] = None,
enable_logging: Optional[bool] = None,
event_selectors: Optional[Sequence[TrailEventSelectorArgs]] = None,
home_region: Optional[str] = None,
include_global_service_events: Optional[bool] = None,
insight_selectors: Optional[Sequence[TrailInsightSelectorArgs]] = None,
is_multi_region_trail: Optional[bool] = None,
is_organization_trail: Optional[bool] = None,
kms_key_id: Optional[str] = None,
name: Optional[str] = None,
s3_bucket_name: Optional[str] = None,
s3_key_prefix: Optional[str] = None,
sns_topic_name: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None) -> Trailfunc GetTrail(ctx *Context, name string, id IDInput, state *TrailState, opts ...ResourceOption) (*Trail, error)public static Trail Get(string name, Input<string> id, TrailState? state, CustomResourceOptions? opts = null)public static Trail get(String name, Output<String> id, TrailState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Advanced
Event List<TrailSelectors Advanced Event Selector> Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with
event_selector.- Arn string
ARN of the trail.
- Cloud
Watch stringLogs Group Arn Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- Cloud
Watch stringLogs Role Arn Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- Enable
Log boolFile Validation Whether log file integrity validation is enabled. Defaults to
false.- Enable
Logging bool Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.- Event
Selectors List<TrailEvent Selector> Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with
advanced_event_selector.- Home
Region string Region in which the trail was created.
- Include
Global boolService Events Whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.- Insight
Selectors List<TrailInsight Selector> Configuration block for identifying unusual operational activity. See details below.
- Is
Multi boolRegion Trail Whether the trail is created in the current region or in all regions. Defaults to
false.- Is
Organization boolTrail Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.- Kms
Key stringId KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- Name string
Name of the trail.
- S3Bucket
Name string Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- S3Key
Prefix string S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- Sns
Topic stringName Name of the Amazon SNS topic defined for notification of log file delivery.
- Dictionary<string, string>
Map of tags to assign to the trail. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- Dictionary<string, string>
Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.
- Advanced
Event []TrailSelectors Advanced Event Selector Args Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with
event_selector.- Arn string
ARN of the trail.
- Cloud
Watch stringLogs Group Arn Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- Cloud
Watch stringLogs Role Arn Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- Enable
Log boolFile Validation Whether log file integrity validation is enabled. Defaults to
false.- Enable
Logging bool Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.- Event
Selectors []TrailEvent Selector Args Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with
advanced_event_selector.- Home
Region string Region in which the trail was created.
- Include
Global boolService Events Whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.- Insight
Selectors []TrailInsight Selector Args Configuration block for identifying unusual operational activity. See details below.
- Is
Multi boolRegion Trail Whether the trail is created in the current region or in all regions. Defaults to
false.- Is
Organization boolTrail Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.- Kms
Key stringId KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- Name string
Name of the trail.
- S3Bucket
Name string Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- S3Key
Prefix string S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- Sns
Topic stringName Name of the Amazon SNS topic defined for notification of log file delivery.
- map[string]string
Map of tags to assign to the trail. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- map[string]string
Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.
- advanced
Event List<TrailSelectors Advanced Event Selector> Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with
event_selector.- arn String
ARN of the trail.
- cloud
Watch StringLogs Group Arn Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloud
Watch StringLogs Role Arn Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enable
Log BooleanFile Validation Whether log file integrity validation is enabled. Defaults to
false.- enable
Logging Boolean Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.- event
Selectors List<TrailEvent Selector> Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with
advanced_event_selector.- home
Region String Region in which the trail was created.
- include
Global BooleanService Events Whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.- insight
Selectors List<TrailInsight Selector> Configuration block for identifying unusual operational activity. See details below.
- is
Multi BooleanRegion Trail Whether the trail is created in the current region or in all regions. Defaults to
false.- is
Organization BooleanTrail Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.- kms
Key StringId KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name String
Name of the trail.
- s3Bucket
Name String Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- s3Key
Prefix String S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns
Topic StringName Name of the Amazon SNS topic defined for notification of log file delivery.
- Map<String,String>
Map of tags to assign to the trail. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- Map<String,String>
Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.
- advanced
Event TrailSelectors Advanced Event Selector[] Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with
event_selector.- arn string
ARN of the trail.
- cloud
Watch stringLogs Group Arn Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloud
Watch stringLogs Role Arn Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enable
Log booleanFile Validation Whether log file integrity validation is enabled. Defaults to
false.- enable
Logging boolean Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.- event
Selectors TrailEvent Selector[] Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with
advanced_event_selector.- home
Region string Region in which the trail was created.
- include
Global booleanService Events Whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.- insight
Selectors TrailInsight Selector[] Configuration block for identifying unusual operational activity. See details below.
- is
Multi booleanRegion Trail Whether the trail is created in the current region or in all regions. Defaults to
false.- is
Organization booleanTrail Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.- kms
Key stringId KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name string
Name of the trail.
- s3Bucket
Name string Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- s3Key
Prefix string S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns
Topic stringName Name of the Amazon SNS topic defined for notification of log file delivery.
- {[key: string]: string}
Map of tags to assign to the trail. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- {[key: string]: string}
Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.
- advanced_
event_ Sequence[Trailselectors Advanced Event Selector Args] Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with
event_selector.- arn str
ARN of the trail.
- cloud_
watch_ strlogs_ group_ arn Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloud_
watch_ strlogs_ role_ arn Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enable_
log_ boolfile_ validation Whether log file integrity validation is enabled. Defaults to
false.- enable_
logging bool Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.- event_
selectors Sequence[TrailEvent Selector Args] Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with
advanced_event_selector.- home_
region str Region in which the trail was created.
- include_
global_ boolservice_ events Whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.- insight_
selectors Sequence[TrailInsight Selector Args] Configuration block for identifying unusual operational activity. See details below.
- is_
multi_ boolregion_ trail Whether the trail is created in the current region or in all regions. Defaults to
false.- is_
organization_ booltrail Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.- kms_
key_ strid KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name str
Name of the trail.
- s3_
bucket_ strname Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- s3_
key_ strprefix S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns_
topic_ strname Name of the Amazon SNS topic defined for notification of log file delivery.
- Mapping[str, str]
Map of tags to assign to the trail. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- Mapping[str, str]
Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.
- advanced
Event List<Property Map>Selectors Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with
event_selector.- arn String
ARN of the trail.
- cloud
Watch StringLogs Group Arn Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloud
Watch StringLogs Role Arn Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enable
Log BooleanFile Validation Whether log file integrity validation is enabled. Defaults to
false.- enable
Logging Boolean Enables logging for the trail. Defaults to
true. Setting this tofalsewill pause logging.- event
Selectors List<Property Map> Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with
advanced_event_selector.- home
Region String Region in which the trail was created.
- include
Global BooleanService Events Whether the trail is publishing events from global services such as IAM to the log files. Defaults to
true.- insight
Selectors List<Property Map> Configuration block for identifying unusual operational activity. See details below.
- is
Multi BooleanRegion Trail Whether the trail is created in the current region or in all regions. Defaults to
false.- is
Organization BooleanTrail Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to
false.- kms
Key StringId KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name String
Name of the trail.
- s3Bucket
Name String Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- s3Key
Prefix String S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns
Topic StringName Name of the Amazon SNS topic defined for notification of log file delivery.
- Map<String>
Map of tags to assign to the trail. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.- Map<String>
Map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.Please use
tagsinstead.
Supporting Types
TrailAdvancedEventSelector, TrailAdvancedEventSelectorArgs
- Field
Selectors List<TrailAdvanced Event Selector Field Selector> Specifies the selector statements in an advanced event selector. Fields documented below.
- Name string
Name of the trail.
- Field
Selectors []TrailAdvanced Event Selector Field Selector Specifies the selector statements in an advanced event selector. Fields documented below.
- Name string
Name of the trail.
- field
Selectors List<TrailAdvanced Event Selector Field Selector> Specifies the selector statements in an advanced event selector. Fields documented below.
- name String
Name of the trail.
- field
Selectors TrailAdvanced Event Selector Field Selector[] Specifies the selector statements in an advanced event selector. Fields documented below.
- name string
Name of the trail.
- field_
selectors Sequence[TrailAdvanced Event Selector Field Selector] Specifies the selector statements in an advanced event selector. Fields documented below.
- name str
Name of the trail.
- field
Selectors List<Property Map> Specifies the selector statements in an advanced event selector. Fields documented below.
- name String
Name of the trail.
TrailAdvancedEventSelectorFieldSelector, TrailAdvancedEventSelectorFieldSelectorArgs
- Field string
Field in an event record on which to filter events to be logged. You can specify only the following values:
readOnly,eventSource,eventName,eventCategory,resources.type,resources.ARN.- Ends
Withs List<string> A list of values that includes events that match the last few characters of the event record field specified as the value of
field.- Equals List<string>
A list of values that includes events that match the exact value of the event record field specified as the value of
field. This is the only valid operator that you can use with thereadOnly,eventCategory, andresources.typefields.- Not
Ends List<string>Withs A list of values that excludes events that match the last few characters of the event record field specified as the value of
field.- Not
Equals List<string> A list of values that excludes events that match the exact value of the event record field specified as the value of
field.- Not
Starts List<string>Withs A list of values that excludes events that match the first few characters of the event record field specified as the value of
field.- Starts
Withs List<string> A list of values that includes events that match the first few characters of the event record field specified as the value of
field.
- Field string
Field in an event record on which to filter events to be logged. You can specify only the following values:
readOnly,eventSource,eventName,eventCategory,resources.type,resources.ARN.- Ends
Withs []string A list of values that includes events that match the last few characters of the event record field specified as the value of
field.- Equals []string
A list of values that includes events that match the exact value of the event record field specified as the value of
field. This is the only valid operator that you can use with thereadOnly,eventCategory, andresources.typefields.- Not
Ends []stringWiths A list of values that excludes events that match the last few characters of the event record field specified as the value of
field.- Not
Equals []string A list of values that excludes events that match the exact value of the event record field specified as the value of
field.- Not
Starts []stringWiths A list of values that excludes events that match the first few characters of the event record field specified as the value of
field.- Starts
Withs []string A list of values that includes events that match the first few characters of the event record field specified as the value of
field.
- field String
Field in an event record on which to filter events to be logged. You can specify only the following values:
readOnly,eventSource,eventName,eventCategory,resources.type,resources.ARN.- ends
Withs List<String> A list of values that includes events that match the last few characters of the event record field specified as the value of
field.- equals_ List<String>
A list of values that includes events that match the exact value of the event record field specified as the value of
field. This is the only valid operator that you can use with thereadOnly,eventCategory, andresources.typefields.- not
Ends List<String>Withs A list of values that excludes events that match the last few characters of the event record field specified as the value of
field.- not
Equals List<String> A list of values that excludes events that match the exact value of the event record field specified as the value of
field.- not
Starts List<String>Withs A list of values that excludes events that match the first few characters of the event record field specified as the value of
field.- starts
Withs List<String> A list of values that includes events that match the first few characters of the event record field specified as the value of
field.
- field string
Field in an event record on which to filter events to be logged. You can specify only the following values:
readOnly,eventSource,eventName,eventCategory,resources.type,resources.ARN.- ends
Withs string[] A list of values that includes events that match the last few characters of the event record field specified as the value of
field.- equals string[]
A list of values that includes events that match the exact value of the event record field specified as the value of
field. This is the only valid operator that you can use with thereadOnly,eventCategory, andresources.typefields.- not
Ends string[]Withs A list of values that excludes events that match the last few characters of the event record field specified as the value of
field.- not
Equals string[] A list of values that excludes events that match the exact value of the event record field specified as the value of
field.- not
Starts string[]Withs A list of values that excludes events that match the first few characters of the event record field specified as the value of
field.- starts
Withs string[] A list of values that includes events that match the first few characters of the event record field specified as the value of
field.
- field str
Field in an event record on which to filter events to be logged. You can specify only the following values:
readOnly,eventSource,eventName,eventCategory,resources.type,resources.ARN.- ends_
withs Sequence[str] A list of values that includes events that match the last few characters of the event record field specified as the value of
field.- equals Sequence[str]
A list of values that includes events that match the exact value of the event record field specified as the value of
field. This is the only valid operator that you can use with thereadOnly,eventCategory, andresources.typefields.- not_
ends_ Sequence[str]withs A list of values that excludes events that match the last few characters of the event record field specified as the value of
field.- not_
equals Sequence[str] A list of values that excludes events that match the exact value of the event record field specified as the value of
field.- not_
starts_ Sequence[str]withs A list of values that excludes events that match the first few characters of the event record field specified as the value of
field.- starts_
withs Sequence[str] A list of values that includes events that match the first few characters of the event record field specified as the value of
field.
- field String
Field in an event record on which to filter events to be logged. You can specify only the following values:
readOnly,eventSource,eventName,eventCategory,resources.type,resources.ARN.- ends
Withs List<String> A list of values that includes events that match the last few characters of the event record field specified as the value of
field.- equals List<String>
A list of values that includes events that match the exact value of the event record field specified as the value of
field. This is the only valid operator that you can use with thereadOnly,eventCategory, andresources.typefields.- not
Ends List<String>Withs A list of values that excludes events that match the last few characters of the event record field specified as the value of
field.- not
Equals List<String> A list of values that excludes events that match the exact value of the event record field specified as the value of
field.- not
Starts List<String>Withs A list of values that excludes events that match the first few characters of the event record field specified as the value of
field.- starts
Withs List<String> A list of values that includes events that match the first few characters of the event record field specified as the value of
field.
TrailEventSelector, TrailEventSelectorArgs
- Data
Resources List<TrailEvent Selector Data Resource> Configuration block for data events. See details below.
- Exclude
Management List<string>Event Sources A set of event sources to exclude. Valid values include:
kms.amazonaws.comandrdsdata.amazonaws.com.include_management_eventsmust be set totrueto allow this.- Include
Management boolEvents Whether to include management events for your trail. Defaults to
true.- Read
Write stringType Type of events to log. Valid values are
ReadOnly,WriteOnly,All. Default value isAll.
- Data
Resources []TrailEvent Selector Data Resource Configuration block for data events. See details below.
- Exclude
Management []stringEvent Sources A set of event sources to exclude. Valid values include:
kms.amazonaws.comandrdsdata.amazonaws.com.include_management_eventsmust be set totrueto allow this.- Include
Management boolEvents Whether to include management events for your trail. Defaults to
true.- Read
Write stringType Type of events to log. Valid values are
ReadOnly,WriteOnly,All. Default value isAll.
- data
Resources List<TrailEvent Selector Data Resource> Configuration block for data events. See details below.
- exclude
Management List<String>Event Sources A set of event sources to exclude. Valid values include:
kms.amazonaws.comandrdsdata.amazonaws.com.include_management_eventsmust be set totrueto allow this.- include
Management BooleanEvents Whether to include management events for your trail. Defaults to
true.- read
Write StringType Type of events to log. Valid values are
ReadOnly,WriteOnly,All. Default value isAll.
- data
Resources TrailEvent Selector Data Resource[] Configuration block for data events. See details below.
- exclude
Management string[]Event Sources A set of event sources to exclude. Valid values include:
kms.amazonaws.comandrdsdata.amazonaws.com.include_management_eventsmust be set totrueto allow this.- include
Management booleanEvents Whether to include management events for your trail. Defaults to
true.- read
Write stringType Type of events to log. Valid values are
ReadOnly,WriteOnly,All. Default value isAll.
- data_
resources Sequence[TrailEvent Selector Data Resource] Configuration block for data events. See details below.
- exclude_
management_ Sequence[str]event_ sources A set of event sources to exclude. Valid values include:
kms.amazonaws.comandrdsdata.amazonaws.com.include_management_eventsmust be set totrueto allow this.- include_
management_ boolevents Whether to include management events for your trail. Defaults to
true.- read_
write_ strtype Type of events to log. Valid values are
ReadOnly,WriteOnly,All. Default value isAll.
- data
Resources List<Property Map> Configuration block for data events. See details below.
- exclude
Management List<String>Event Sources A set of event sources to exclude. Valid values include:
kms.amazonaws.comandrdsdata.amazonaws.com.include_management_eventsmust be set totrueto allow this.- include
Management BooleanEvents Whether to include management events for your trail. Defaults to
true.- read
Write StringType Type of events to log. Valid values are
ReadOnly,WriteOnly,All. Default value isAll.
TrailEventSelectorDataResource, TrailEventSelectorDataResourceArgs
- Type string
Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
- Values List<string>
List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued
type. For example,arn:aws:s3:::<bucket name>/for all objects in a bucket,arn:aws:s3:::<bucket name>/keyfor specific objects,arn:aws:lambdafor all lambda events within an account,arn:aws:lambda:<region>:<account number>:function:<function name>for a specific Lambda function,arn:aws:dynamodbfor all DDB events for all tables within an account, orarn:aws:dynamodb:<region>:<account number>:table/<table name>for a specific DynamoDB table.
- Type string
Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
- Values []string
List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued
type. For example,arn:aws:s3:::<bucket name>/for all objects in a bucket,arn:aws:s3:::<bucket name>/keyfor specific objects,arn:aws:lambdafor all lambda events within an account,arn:aws:lambda:<region>:<account number>:function:<function name>for a specific Lambda function,arn:aws:dynamodbfor all DDB events for all tables within an account, orarn:aws:dynamodb:<region>:<account number>:table/<table name>for a specific DynamoDB table.
- type String
Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
- values List<String>
List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued
type. For example,arn:aws:s3:::<bucket name>/for all objects in a bucket,arn:aws:s3:::<bucket name>/keyfor specific objects,arn:aws:lambdafor all lambda events within an account,arn:aws:lambda:<region>:<account number>:function:<function name>for a specific Lambda function,arn:aws:dynamodbfor all DDB events for all tables within an account, orarn:aws:dynamodb:<region>:<account number>:table/<table name>for a specific DynamoDB table.
- type string
Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
- values string[]
List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued
type. For example,arn:aws:s3:::<bucket name>/for all objects in a bucket,arn:aws:s3:::<bucket name>/keyfor specific objects,arn:aws:lambdafor all lambda events within an account,arn:aws:lambda:<region>:<account number>:function:<function name>for a specific Lambda function,arn:aws:dynamodbfor all DDB events for all tables within an account, orarn:aws:dynamodb:<region>:<account number>:table/<table name>for a specific DynamoDB table.
- type str
Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
- values Sequence[str]
List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued
type. For example,arn:aws:s3:::<bucket name>/for all objects in a bucket,arn:aws:s3:::<bucket name>/keyfor specific objects,arn:aws:lambdafor all lambda events within an account,arn:aws:lambda:<region>:<account number>:function:<function name>for a specific Lambda function,arn:aws:dynamodbfor all DDB events for all tables within an account, orarn:aws:dynamodb:<region>:<account number>:table/<table name>for a specific DynamoDB table.
- type String
Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
- values List<String>
List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued
type. For example,arn:aws:s3:::<bucket name>/for all objects in a bucket,arn:aws:s3:::<bucket name>/keyfor specific objects,arn:aws:lambdafor all lambda events within an account,arn:aws:lambda:<region>:<account number>:function:<function name>for a specific Lambda function,arn:aws:dynamodbfor all DDB events for all tables within an account, orarn:aws:dynamodb:<region>:<account number>:table/<table name>for a specific DynamoDB table.
TrailInsightSelector, TrailInsightSelectorArgs
- Insight
Type string Type of insights to log on a trail. Valid values are:
ApiCallRateInsightandApiErrorRateInsight.
- Insight
Type string Type of insights to log on a trail. Valid values are:
ApiCallRateInsightandApiErrorRateInsight.
- insight
Type String Type of insights to log on a trail. Valid values are:
ApiCallRateInsightandApiErrorRateInsight.
- insight
Type string Type of insights to log on a trail. Valid values are:
ApiCallRateInsightandApiErrorRateInsight.
- insight_
type str Type of insights to log on a trail. Valid values are:
ApiCallRateInsightandApiErrorRateInsight.
- insight
Type String Type of insights to log on a trail. Valid values are:
ApiCallRateInsightandApiErrorRateInsight.
Import
Using pulumi import, import Cloudtrails using the arn. For example:
$ pulumi import aws:cloudtrail/trail:Trail sample arn:aws:cloudtrail:us-east-1:123456789012:trail/my-sample-trail
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
awsTerraform Provider.
Try AWS Native preview for resources not in the classic version.