1. Packages
  2. AWS Classic
  3. API Docs
  4. cloudtrail
  5. Trail

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.13.1 published on Tuesday, Dec 5, 2023 by Pulumi

aws.cloudtrail.Trail

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.13.1 published on Tuesday, Dec 5, 2023 by Pulumi

    Provides a CloudTrail resource.

    Tip: For a multi-region trail, this resource must be in the home region of the trail.

    Tip: For an organization trail, this resource must be in the master account of the organization.

    Example Usage

    Basic

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var exampleBucketV2 = new Aws.S3.BucketV2("exampleBucketV2", new()
        {
            ForceDestroy = true,
        });
    
        var currentCallerIdentity = Aws.GetCallerIdentity.Invoke();
    
        var currentPartition = Aws.GetPartition.Invoke();
    
        var currentRegion = Aws.GetRegion.Invoke();
    
        var examplePolicyDocument = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "AWSCloudTrailAclCheck",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "Service",
                            Identifiers = new[]
                            {
                                "cloudtrail.amazonaws.com",
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "s3:GetBucketAcl",
                    },
                    Resources = new[]
                    {
                        exampleBucketV2.Arn,
                    },
                    Conditions = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "StringEquals",
                            Variable = "aws:SourceArn",
                            Values = new[]
                            {
                                $"arn:{currentPartition.Apply(getPartitionResult => getPartitionResult.Partition)}:cloudtrail:{currentRegion.Apply(getRegionResult => getRegionResult.Name)}:{currentCallerIdentity.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:trail/example",
                            },
                        },
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "AWSCloudTrailWrite",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "Service",
                            Identifiers = new[]
                            {
                                "cloudtrail.amazonaws.com",
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "s3:PutObject",
                    },
                    Resources = new[]
                    {
                        $"{exampleBucketV2.Arn}/prefix/AWSLogs/{currentCallerIdentity.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}/*",
                    },
                    Conditions = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "StringEquals",
                            Variable = "s3:x-amz-acl",
                            Values = new[]
                            {
                                "bucket-owner-full-control",
                            },
                        },
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "StringEquals",
                            Variable = "aws:SourceArn",
                            Values = new[]
                            {
                                $"arn:{currentPartition.Apply(getPartitionResult => getPartitionResult.Partition)}:cloudtrail:{currentRegion.Apply(getRegionResult => getRegionResult.Name)}:{currentCallerIdentity.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:trail/example",
                            },
                        },
                    },
                },
            },
        });
    
        var exampleBucketPolicy = new Aws.S3.BucketPolicy("exampleBucketPolicy", new()
        {
            Bucket = exampleBucketV2.Id,
            Policy = examplePolicyDocument.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
        var exampleTrail = new Aws.CloudTrail.Trail("exampleTrail", new()
        {
            S3BucketName = exampleBucketV2.Id,
            S3KeyPrefix = "prefix",
            IncludeGlobalServiceEvents = false,
        }, new CustomResourceOptions
        {
            DependsOn = new[]
            {
                exampleBucketPolicy,
            },
        });
    
    });
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		exampleBucketV2, err := s3.NewBucketV2(ctx, "exampleBucketV2", &s3.BucketV2Args{
    			ForceDestroy: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		currentCallerIdentity, err := aws.GetCallerIdentity(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		currentPartition, err := aws.GetPartition(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		currentRegion, err := aws.GetRegion(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		examplePolicyDocument := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
    			Statements: iam.GetPolicyDocumentStatementArray{
    				&iam.GetPolicyDocumentStatementArgs{
    					Sid:    pulumi.String("AWSCloudTrailAclCheck"),
    					Effect: pulumi.String("Allow"),
    					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
    						&iam.GetPolicyDocumentStatementPrincipalArgs{
    							Type: pulumi.String("Service"),
    							Identifiers: pulumi.StringArray{
    								pulumi.String("cloudtrail.amazonaws.com"),
    							},
    						},
    					},
    					Actions: pulumi.StringArray{
    						pulumi.String("s3:GetBucketAcl"),
    					},
    					Resources: pulumi.StringArray{
    						exampleBucketV2.Arn,
    					},
    					Conditions: iam.GetPolicyDocumentStatementConditionArray{
    						&iam.GetPolicyDocumentStatementConditionArgs{
    							Test:     pulumi.String("StringEquals"),
    							Variable: pulumi.String("aws:SourceArn"),
    							Values: pulumi.StringArray{
    								pulumi.String(fmt.Sprintf("arn:%v:cloudtrail:%v:%v:trail/example", currentPartition.Partition, currentRegion.Name, currentCallerIdentity.AccountId)),
    							},
    						},
    					},
    				},
    				&iam.GetPolicyDocumentStatementArgs{
    					Sid:    pulumi.String("AWSCloudTrailWrite"),
    					Effect: pulumi.String("Allow"),
    					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
    						&iam.GetPolicyDocumentStatementPrincipalArgs{
    							Type: pulumi.String("Service"),
    							Identifiers: pulumi.StringArray{
    								pulumi.String("cloudtrail.amazonaws.com"),
    							},
    						},
    					},
    					Actions: pulumi.StringArray{
    						pulumi.String("s3:PutObject"),
    					},
    					Resources: pulumi.StringArray{
    						exampleBucketV2.Arn.ApplyT(func(arn string) (string, error) {
    							return fmt.Sprintf("%v/prefix/AWSLogs/%v/*", arn, currentCallerIdentity.AccountId), nil
    						}).(pulumi.StringOutput),
    					},
    					Conditions: iam.GetPolicyDocumentStatementConditionArray{
    						&iam.GetPolicyDocumentStatementConditionArgs{
    							Test:     pulumi.String("StringEquals"),
    							Variable: pulumi.String("s3:x-amz-acl"),
    							Values: pulumi.StringArray{
    								pulumi.String("bucket-owner-full-control"),
    							},
    						},
    						&iam.GetPolicyDocumentStatementConditionArgs{
    							Test:     pulumi.String("StringEquals"),
    							Variable: pulumi.String("aws:SourceArn"),
    							Values: pulumi.StringArray{
    								pulumi.String(fmt.Sprintf("arn:%v:cloudtrail:%v:%v:trail/example", currentPartition.Partition, currentRegion.Name, currentCallerIdentity.AccountId)),
    							},
    						},
    					},
    				},
    			},
    		}, nil)
    		exampleBucketPolicy, err := s3.NewBucketPolicy(ctx, "exampleBucketPolicy", &s3.BucketPolicyArgs{
    			Bucket: exampleBucketV2.ID(),
    			Policy: examplePolicyDocument.ApplyT(func(examplePolicyDocument iam.GetPolicyDocumentResult) (*string, error) {
    				return &examplePolicyDocument.Json, nil
    			}).(pulumi.StringPtrOutput),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = cloudtrail.NewTrail(ctx, "exampleTrail", &cloudtrail.TrailArgs{
    			S3BucketName:               exampleBucketV2.ID(),
    			S3KeyPrefix:                pulumi.String("prefix"),
    			IncludeGlobalServiceEvents: pulumi.Bool(false),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			exampleBucketPolicy,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.s3.BucketV2;
    import com.pulumi.aws.s3.BucketV2Args;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.inputs.GetCallerIdentityArgs;
    import com.pulumi.aws.inputs.GetPartitionArgs;
    import com.pulumi.aws.inputs.GetRegionArgs;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.s3.BucketPolicy;
    import com.pulumi.aws.s3.BucketPolicyArgs;
    import com.pulumi.aws.cloudtrail.Trail;
    import com.pulumi.aws.cloudtrail.TrailArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var exampleBucketV2 = new BucketV2("exampleBucketV2", BucketV2Args.builder()        
                .forceDestroy(true)
                .build());
    
            final var currentCallerIdentity = AwsFunctions.getCallerIdentity();
    
            final var currentPartition = AwsFunctions.getPartition();
    
            final var currentRegion = AwsFunctions.getRegion();
    
            final var examplePolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(            
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("AWSCloudTrailAclCheck")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("Service")
                            .identifiers("cloudtrail.amazonaws.com")
                            .build())
                        .actions("s3:GetBucketAcl")
                        .resources(exampleBucketV2.arn())
                        .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                            .test("StringEquals")
                            .variable("aws:SourceArn")
                            .values(String.format("arn:%s:cloudtrail:%s:%s:trail/example", currentPartition.applyValue(getPartitionResult -> getPartitionResult.partition()),currentRegion.applyValue(getRegionResult -> getRegionResult.name()),currentCallerIdentity.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
                            .build())
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("AWSCloudTrailWrite")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("Service")
                            .identifiers("cloudtrail.amazonaws.com")
                            .build())
                        .actions("s3:PutObject")
                        .resources(exampleBucketV2.arn().applyValue(arn -> String.format("%s/prefix/AWSLogs/%s/*", arn,currentCallerIdentity.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()))))
                        .conditions(                    
                            GetPolicyDocumentStatementConditionArgs.builder()
                                .test("StringEquals")
                                .variable("s3:x-amz-acl")
                                .values("bucket-owner-full-control")
                                .build(),
                            GetPolicyDocumentStatementConditionArgs.builder()
                                .test("StringEquals")
                                .variable("aws:SourceArn")
                                .values(String.format("arn:%s:cloudtrail:%s:%s:trail/example", currentPartition.applyValue(getPartitionResult -> getPartitionResult.partition()),currentRegion.applyValue(getRegionResult -> getRegionResult.name()),currentCallerIdentity.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
                                .build())
                        .build())
                .build());
    
            var exampleBucketPolicy = new BucketPolicy("exampleBucketPolicy", BucketPolicyArgs.builder()        
                .bucket(exampleBucketV2.id())
                .policy(examplePolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(examplePolicyDocument -> examplePolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
                .build());
    
            var exampleTrail = new Trail("exampleTrail", TrailArgs.builder()        
                .s3BucketName(exampleBucketV2.id())
                .s3KeyPrefix("prefix")
                .includeGlobalServiceEvents(false)
                .build(), CustomResourceOptions.builder()
                    .dependsOn(exampleBucketPolicy)
                    .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example_bucket_v2 = aws.s3.BucketV2("exampleBucketV2", force_destroy=True)
    current_caller_identity = aws.get_caller_identity()
    current_partition = aws.get_partition()
    current_region = aws.get_region()
    example_policy_document = aws.iam.get_policy_document_output(statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            sid="AWSCloudTrailAclCheck",
            effect="Allow",
            principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                type="Service",
                identifiers=["cloudtrail.amazonaws.com"],
            )],
            actions=["s3:GetBucketAcl"],
            resources=[example_bucket_v2.arn],
            conditions=[aws.iam.GetPolicyDocumentStatementConditionArgs(
                test="StringEquals",
                variable="aws:SourceArn",
                values=[f"arn:{current_partition.partition}:cloudtrail:{current_region.name}:{current_caller_identity.account_id}:trail/example"],
            )],
        ),
        aws.iam.GetPolicyDocumentStatementArgs(
            sid="AWSCloudTrailWrite",
            effect="Allow",
            principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                type="Service",
                identifiers=["cloudtrail.amazonaws.com"],
            )],
            actions=["s3:PutObject"],
            resources=[example_bucket_v2.arn.apply(lambda arn: f"{arn}/prefix/AWSLogs/{current_caller_identity.account_id}/*")],
            conditions=[
                aws.iam.GetPolicyDocumentStatementConditionArgs(
                    test="StringEquals",
                    variable="s3:x-amz-acl",
                    values=["bucket-owner-full-control"],
                ),
                aws.iam.GetPolicyDocumentStatementConditionArgs(
                    test="StringEquals",
                    variable="aws:SourceArn",
                    values=[f"arn:{current_partition.partition}:cloudtrail:{current_region.name}:{current_caller_identity.account_id}:trail/example"],
                ),
            ],
        ),
    ])
    example_bucket_policy = aws.s3.BucketPolicy("exampleBucketPolicy",
        bucket=example_bucket_v2.id,
        policy=example_policy_document.json)
    example_trail = aws.cloudtrail.Trail("exampleTrail",
        s3_bucket_name=example_bucket_v2.id,
        s3_key_prefix="prefix",
        include_global_service_events=False,
        opts=pulumi.ResourceOptions(depends_on=[example_bucket_policy]))
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const exampleBucketV2 = new aws.s3.BucketV2("exampleBucketV2", {forceDestroy: true});
    const currentCallerIdentity = aws.getCallerIdentity({});
    const currentPartition = aws.getPartition({});
    const currentRegion = aws.getRegion({});
    const examplePolicyDocument = aws.iam.getPolicyDocumentOutput({
        statements: [
            {
                sid: "AWSCloudTrailAclCheck",
                effect: "Allow",
                principals: [{
                    type: "Service",
                    identifiers: ["cloudtrail.amazonaws.com"],
                }],
                actions: ["s3:GetBucketAcl"],
                resources: [exampleBucketV2.arn],
                conditions: [{
                    test: "StringEquals",
                    variable: "aws:SourceArn",
                    values: [Promise.all([currentPartition, currentRegion, currentCallerIdentity]).then(([currentPartition, currentRegion, currentCallerIdentity]) => `arn:${currentPartition.partition}:cloudtrail:${currentRegion.name}:${currentCallerIdentity.accountId}:trail/example`)],
                }],
            },
            {
                sid: "AWSCloudTrailWrite",
                effect: "Allow",
                principals: [{
                    type: "Service",
                    identifiers: ["cloudtrail.amazonaws.com"],
                }],
                actions: ["s3:PutObject"],
                resources: [pulumi.all([exampleBucketV2.arn, currentCallerIdentity]).apply(([arn, currentCallerIdentity]) => `${arn}/prefix/AWSLogs/${currentCallerIdentity.accountId}/*`)],
                conditions: [
                    {
                        test: "StringEquals",
                        variable: "s3:x-amz-acl",
                        values: ["bucket-owner-full-control"],
                    },
                    {
                        test: "StringEquals",
                        variable: "aws:SourceArn",
                        values: [Promise.all([currentPartition, currentRegion, currentCallerIdentity]).then(([currentPartition, currentRegion, currentCallerIdentity]) => `arn:${currentPartition.partition}:cloudtrail:${currentRegion.name}:${currentCallerIdentity.accountId}:trail/example`)],
                    },
                ],
            },
        ],
    });
    const exampleBucketPolicy = new aws.s3.BucketPolicy("exampleBucketPolicy", {
        bucket: exampleBucketV2.id,
        policy: examplePolicyDocument.apply(examplePolicyDocument => examplePolicyDocument.json),
    });
    const exampleTrail = new aws.cloudtrail.Trail("exampleTrail", {
        s3BucketName: exampleBucketV2.id,
        s3KeyPrefix: "prefix",
        includeGlobalServiceEvents: false,
    }, {
        dependsOn: [exampleBucketPolicy],
    });
    
    resources:
      exampleTrail:
        type: aws:cloudtrail:Trail
        properties:
          s3BucketName: ${exampleBucketV2.id}
          s3KeyPrefix: prefix
          includeGlobalServiceEvents: false
        options:
          dependson:
            - ${exampleBucketPolicy}
      exampleBucketV2:
        type: aws:s3:BucketV2
        properties:
          forceDestroy: true
      exampleBucketPolicy:
        type: aws:s3:BucketPolicy
        properties:
          bucket: ${exampleBucketV2.id}
          policy: ${examplePolicyDocument.json}
    variables:
      examplePolicyDocument:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: AWSCloudTrailAclCheck
                effect: Allow
                principals:
                  - type: Service
                    identifiers:
                      - cloudtrail.amazonaws.com
                actions:
                  - s3:GetBucketAcl
                resources:
                  - ${exampleBucketV2.arn}
                conditions:
                  - test: StringEquals
                    variable: aws:SourceArn
                    values:
                      - arn:${currentPartition.partition}:cloudtrail:${currentRegion.name}:${currentCallerIdentity.accountId}:trail/example
              - sid: AWSCloudTrailWrite
                effect: Allow
                principals:
                  - type: Service
                    identifiers:
                      - cloudtrail.amazonaws.com
                actions:
                  - s3:PutObject
                resources:
                  - ${exampleBucketV2.arn}/prefix/AWSLogs/${currentCallerIdentity.accountId}/*
                conditions:
                  - test: StringEquals
                    variable: s3:x-amz-acl
                    values:
                      - bucket-owner-full-control
                  - test: StringEquals
                    variable: aws:SourceArn
                    values:
                      - arn:${currentPartition.partition}:cloudtrail:${currentRegion.name}:${currentCallerIdentity.accountId}:trail/example
      currentCallerIdentity:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
      currentPartition:
        fn::invoke:
          Function: aws:getPartition
          Arguments: {}
      currentRegion:
        fn::invoke:
          Function: aws:getRegion
          Arguments: {}
    

    Logging All Lambda Function Invocations By Using Basic Event Selectors

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.CloudTrail.Trail("example", new()
        {
            EventSelectors = new[]
            {
                new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
                {
                    DataResources = new[]
                    {
                        new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
                        {
                            Type = "AWS::Lambda::Function",
                            Values = new[]
                            {
                                "arn:aws:lambda",
                            },
                        },
                    },
                    IncludeManagementEvents = true,
                    ReadWriteType = "All",
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
    			EventSelectors: cloudtrail.TrailEventSelectorArray{
    				&cloudtrail.TrailEventSelectorArgs{
    					DataResources: cloudtrail.TrailEventSelectorDataResourceArray{
    						&cloudtrail.TrailEventSelectorDataResourceArgs{
    							Type: pulumi.String("AWS::Lambda::Function"),
    							Values: pulumi.StringArray{
    								pulumi.String("arn:aws:lambda"),
    							},
    						},
    					},
    					IncludeManagementEvents: pulumi.Bool(true),
    					ReadWriteType:           pulumi.String("All"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.cloudtrail.Trail;
    import com.pulumi.aws.cloudtrail.TrailArgs;
    import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Trail("example", TrailArgs.builder()        
                .eventSelectors(TrailEventSelectorArgs.builder()
                    .dataResources(TrailEventSelectorDataResourceArgs.builder()
                        .type("AWS::Lambda::Function")
                        .values("arn:aws:lambda")
                        .build())
                    .includeManagementEvents(true)
                    .readWriteType("All")
                    .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.cloudtrail.Trail("example", event_selectors=[aws.cloudtrail.TrailEventSelectorArgs(
        data_resources=[aws.cloudtrail.TrailEventSelectorDataResourceArgs(
            type="AWS::Lambda::Function",
            values=["arn:aws:lambda"],
        )],
        include_management_events=True,
        read_write_type="All",
    )])
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.cloudtrail.Trail("example", {eventSelectors: [{
        dataResources: [{
            type: "AWS::Lambda::Function",
            values: ["arn:aws:lambda"],
        }],
        includeManagementEvents: true,
        readWriteType: "All",
    }]});
    
    resources:
      example:
        type: aws:cloudtrail:Trail
        properties:
          eventSelectors:
            - dataResources:
                - type: AWS::Lambda::Function
                  values:
                    - arn:aws:lambda
              includeManagementEvents: true
              readWriteType: All
    

    Logging All S3 Object Events By Using Basic Event Selectors

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.CloudTrail.Trail("example", new()
        {
            EventSelectors = new[]
            {
                new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
                {
                    DataResources = new[]
                    {
                        new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
                        {
                            Type = "AWS::S3::Object",
                            Values = new[]
                            {
                                "arn:aws:s3",
                            },
                        },
                    },
                    IncludeManagementEvents = true,
                    ReadWriteType = "All",
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
    			EventSelectors: cloudtrail.TrailEventSelectorArray{
    				&cloudtrail.TrailEventSelectorArgs{
    					DataResources: cloudtrail.TrailEventSelectorDataResourceArray{
    						&cloudtrail.TrailEventSelectorDataResourceArgs{
    							Type: pulumi.String("AWS::S3::Object"),
    							Values: pulumi.StringArray{
    								pulumi.String("arn:aws:s3"),
    							},
    						},
    					},
    					IncludeManagementEvents: pulumi.Bool(true),
    					ReadWriteType:           pulumi.String("All"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.cloudtrail.Trail;
    import com.pulumi.aws.cloudtrail.TrailArgs;
    import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Trail("example", TrailArgs.builder()        
                .eventSelectors(TrailEventSelectorArgs.builder()
                    .dataResources(TrailEventSelectorDataResourceArgs.builder()
                        .type("AWS::S3::Object")
                        .values("arn:aws:s3")
                        .build())
                    .includeManagementEvents(true)
                    .readWriteType("All")
                    .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.cloudtrail.Trail("example", event_selectors=[aws.cloudtrail.TrailEventSelectorArgs(
        data_resources=[aws.cloudtrail.TrailEventSelectorDataResourceArgs(
            type="AWS::S3::Object",
            values=["arn:aws:s3"],
        )],
        include_management_events=True,
        read_write_type="All",
    )])
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.cloudtrail.Trail("example", {eventSelectors: [{
        dataResources: [{
            type: "AWS::S3::Object",
            values: ["arn:aws:s3"],
        }],
        includeManagementEvents: true,
        readWriteType: "All",
    }]});
    
    resources:
      example:
        type: aws:cloudtrail:Trail
        properties:
          eventSelectors:
            - dataResources:
                - type: AWS::S3::Object
                  values:
                    - arn:aws:s3
              includeManagementEvents: true
              readWriteType: All
    

    Logging Individual S3 Bucket Events By Using Basic Event Selectors

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var important_bucket = Aws.S3.GetBucket.Invoke(new()
        {
            Bucket = "important-bucket",
        });
    
        var example = new Aws.CloudTrail.Trail("example", new()
        {
            EventSelectors = new[]
            {
                new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
                {
                    DataResources = new[]
                    {
                        new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
                        {
                            Type = "AWS::S3::Object",
                            Values = new[]
                            {
                                important_bucket.Apply(important_bucket => $"{important_bucket.Apply(getBucketResult => getBucketResult.Arn)}/"),
                            },
                        },
                    },
                    IncludeManagementEvents = true,
                    ReadWriteType = "All",
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		important_bucket, err := s3.LookupBucket(ctx, &s3.LookupBucketArgs{
    			Bucket: "important-bucket",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
    			EventSelectors: cloudtrail.TrailEventSelectorArray{
    				&cloudtrail.TrailEventSelectorArgs{
    					DataResources: cloudtrail.TrailEventSelectorDataResourceArray{
    						&cloudtrail.TrailEventSelectorDataResourceArgs{
    							Type: pulumi.String("AWS::S3::Object"),
    							Values: pulumi.StringArray{
    								pulumi.String(fmt.Sprintf("%v/", important_bucket.Arn)),
    							},
    						},
    					},
    					IncludeManagementEvents: pulumi.Bool(true),
    					ReadWriteType:           pulumi.String("All"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.s3.S3Functions;
    import com.pulumi.aws.s3.inputs.GetBucketArgs;
    import com.pulumi.aws.cloudtrail.Trail;
    import com.pulumi.aws.cloudtrail.TrailArgs;
    import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var important-bucket = S3Functions.getBucket(GetBucketArgs.builder()
                .bucket("important-bucket")
                .build());
    
            var example = new Trail("example", TrailArgs.builder()        
                .eventSelectors(TrailEventSelectorArgs.builder()
                    .dataResources(TrailEventSelectorDataResourceArgs.builder()
                        .type("AWS::S3::Object")
                        .values(String.format("%s/", important_bucket.arn()))
                        .build())
                    .includeManagementEvents(true)
                    .readWriteType("All")
                    .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    important_bucket = aws.s3.get_bucket(bucket="important-bucket")
    example = aws.cloudtrail.Trail("example", event_selectors=[aws.cloudtrail.TrailEventSelectorArgs(
        data_resources=[aws.cloudtrail.TrailEventSelectorDataResourceArgs(
            type="AWS::S3::Object",
            values=[f"{important_bucket.arn}/"],
        )],
        include_management_events=True,
        read_write_type="All",
    )])
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const important-bucket = aws.s3.getBucket({
        bucket: "important-bucket",
    });
    const example = new aws.cloudtrail.Trail("example", {eventSelectors: [{
        dataResources: [{
            type: "AWS::S3::Object",
            values: [important_bucket.then(important_bucket => `${important_bucket.arn}/`)],
        }],
        includeManagementEvents: true,
        readWriteType: "All",
    }]});
    
    resources:
      example:
        type: aws:cloudtrail:Trail
        properties:
          eventSelectors:
            - dataResources:
                - type: AWS::S3::Object
                  values:
                    - ${["important-bucket"].arn}/
              includeManagementEvents: true
              readWriteType: All
    variables:
      important-bucket:
        fn::invoke:
          Function: aws:s3:getBucket
          Arguments:
            bucket: important-bucket
    

    Logging All S3 Object Events Except For Two S3 Buckets By Using Advanced Event Selectors

    Coming soon!

    Coming soon!

    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.s3.S3Functions;
    import com.pulumi.aws.s3.inputs.GetBucketArgs;
    import com.pulumi.aws.cloudtrail.Trail;
    import com.pulumi.aws.cloudtrail.TrailArgs;
    import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var not-important-bucket-1 = S3Functions.getBucket(GetBucketArgs.builder()
                .bucket("not-important-bucket-1")
                .build());
    
            final var not-important-bucket-2 = S3Functions.getBucket(GetBucketArgs.builder()
                .bucket("not-important-bucket-2")
                .build());
    
            var example = new Trail("example", TrailArgs.builder()        
                .advancedEventSelectors(            
                    TrailAdvancedEventSelectorArgs.builder()
                        .fieldSelectors(                    
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .equals("Data")
                                .field("eventCategory")
                                .build(),
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .field("resources.ARN")
                                .notStartsWith(                            
                                    String.format("%s/", not_important_bucket_1.arn()),
                                    String.format("%s/", not_important_bucket_2.arn()))
                                .build(),
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .equals("AWS::S3::Object")
                                .field("resources.type")
                                .build())
                        .name("Log all S3 objects events except for two S3 buckets")
                        .build(),
                    TrailAdvancedEventSelectorArgs.builder()
                        .fieldSelectors(TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .equals("Management")
                            .field("eventCategory")
                            .build())
                        .name("Log readOnly and writeOnly management events")
                        .build())
                .build());
    
        }
    }
    

    Coming soon!

    Coming soon!

    resources:
      example:
        type: aws:cloudtrail:Trail
        properties:
          advancedEventSelectors:
            - fieldSelectors:
                - equals:
                    - Data
                  field: eventCategory
                - field: resources.ARN
                  notStartsWith:
                    - ${["not-important-bucket-1"].arn}/
                    - ${["not-important-bucket-2"].arn}/
                - equals:
                    - AWS::S3::Object
                  field: resources.type
              name: Log all S3 objects events except for two S3 buckets
            - fieldSelectors:
                - equals:
                    - Management
                  field: eventCategory
              name: Log readOnly and writeOnly management events
    variables:
      not-important-bucket-1:
        fn::invoke:
          Function: aws:s3:getBucket
          Arguments:
            bucket: not-important-bucket-1
      not-important-bucket-2:
        fn::invoke:
          Function: aws:s3:getBucket
          Arguments:
            bucket: not-important-bucket-2
    

    Logging Individual S3 Buckets And Specific Event Names By Using Advanced Event Selectors

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var exampleLogGroup = new Aws.CloudWatch.LogGroup("exampleLogGroup");
    
        var exampleTrail = new Aws.CloudTrail.Trail("exampleTrail", new()
        {
            CloudWatchLogsGroupArn = exampleLogGroup.Arn.Apply(arn => $"{arn}:*"),
        });
    
        // CloudTrail requires the Log Stream wildcard
    });
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		exampleLogGroup, err := cloudwatch.NewLogGroup(ctx, "exampleLogGroup", nil)
    		if err != nil {
    			return err
    		}
    		_, err = cloudtrail.NewTrail(ctx, "exampleTrail", &cloudtrail.TrailArgs{
    			CloudWatchLogsGroupArn: exampleLogGroup.Arn.ApplyT(func(arn string) (string, error) {
    				return fmt.Sprintf("%v:*", arn), nil
    			}).(pulumi.StringOutput),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.s3.S3Functions;
    import com.pulumi.aws.s3.inputs.GetBucketArgs;
    import com.pulumi.aws.cloudtrail.Trail;
    import com.pulumi.aws.cloudtrail.TrailArgs;
    import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var important-bucket-1 = S3Functions.getBucket(GetBucketArgs.builder()
                .bucket("important-bucket-1")
                .build());
    
            final var important-bucket-2 = S3Functions.getBucket(GetBucketArgs.builder()
                .bucket("important-bucket-2")
                .build());
    
            final var important-bucket-3 = S3Functions.getBucket(GetBucketArgs.builder()
                .bucket("important-bucket-3")
                .build());
    
            var example = new Trail("example", TrailArgs.builder()        
                .advancedEventSelectors(            
                    TrailAdvancedEventSelectorArgs.builder()
                        .fieldSelectors(                    
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .equals("Data")
                                .field("eventCategory")
                                .build(),
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .equals(                            
                                    "PutObject",
                                    "DeleteObject")
                                .field("eventName")
                                .build(),
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .field("resources.ARN")
                                .startsWith(                            
                                    String.format("%s/", important_bucket_1.arn()),
                                    String.format("%s/", important_bucket_2.arn()))
                                .build(),
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .equals("false")
                                .field("readOnly")
                                .build(),
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .equals("AWS::S3::Object")
                                .field("resources.type")
                                .build())
                        .name("Log PutObject and DeleteObject events for two S3 buckets")
                        .build(),
                    TrailAdvancedEventSelectorArgs.builder()
                        .fieldSelectors(                    
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .equals("Data")
                                .field("eventCategory")
                                .build(),
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .field("eventName")
                                .startsWith("Delete")
                                .build(),
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .equals(String.format("%s/important-prefix", important_bucket_3.arn()))
                                .field("resources.ARN")
                                .build(),
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .equals("false")
                                .field("readOnly")
                                .build(),
                            TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                                .equals("AWS::S3::Object")
                                .field("resources.type")
                                .build())
                        .name("Log Delete* events for one S3 bucket")
                        .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example_log_group = aws.cloudwatch.LogGroup("exampleLogGroup")
    example_trail = aws.cloudtrail.Trail("exampleTrail", cloud_watch_logs_group_arn=example_log_group.arn.apply(lambda arn: f"{arn}:*"))
    # CloudTrail requires the Log Stream wildcard
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const exampleLogGroup = new aws.cloudwatch.LogGroup("exampleLogGroup", {});
    const exampleTrail = new aws.cloudtrail.Trail("exampleTrail", {cloudWatchLogsGroupArn: pulumi.interpolate`${exampleLogGroup.arn}:*`});
    // CloudTrail requires the Log Stream wildcard
    
    resources:
      example:
        type: aws:cloudtrail:Trail
        properties:
          advancedEventSelectors:
            - fieldSelectors:
                - equals:
                    - Data
                  field: eventCategory
                - equals:
                    - PutObject
                    - DeleteObject
                  field: eventName
                - field: resources.ARN
                  startsWith:
                    - ${["important-bucket-1"].arn}/
                    - ${["important-bucket-2"].arn}/
                - equals:
                    - 'false'
                  field: readOnly
                - equals:
                    - AWS::S3::Object
                  field: resources.type
              name: Log PutObject and DeleteObject events for two S3 buckets
            - fieldSelectors:
                - equals:
                    - Data
                  field: eventCategory
                - field: eventName
                  startsWith:
                    - Delete
                - equals:
                    - ${["important-bucket-3"].arn}/important-prefix
                  field: resources.ARN
                - equals:
                    - 'false'
                  field: readOnly
                - equals:
                    - AWS::S3::Object
                  field: resources.type
              name: Log Delete* events for one S3 bucket
    variables:
      important-bucket-1:
        fn::invoke:
          Function: aws:s3:getBucket
          Arguments:
            bucket: important-bucket-1
      important-bucket-2:
        fn::invoke:
          Function: aws:s3:getBucket
          Arguments:
            bucket: important-bucket-2
      important-bucket-3:
        fn::invoke:
          Function: aws:s3:getBucket
          Arguments:
            bucket: important-bucket-3
    

    Sending Events to CloudWatch Logs

    Coming soon!

    Coming soon!

    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.cloudwatch.LogGroup;
    import com.pulumi.aws.cloudtrail.Trail;
    import com.pulumi.aws.cloudtrail.TrailArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var exampleLogGroup = new LogGroup("exampleLogGroup");
    
            var exampleTrail = new Trail("exampleTrail", TrailArgs.builder()        
                .cloudWatchLogsGroupArn(exampleLogGroup.arn().applyValue(arn -> String.format("%s:*", arn)))
                .build());
    
        }
    }
    

    Coming soon!

    Coming soon!

    resources:
      exampleLogGroup:
        type: aws:cloudwatch:LogGroup
      exampleTrail:
        type: aws:cloudtrail:Trail
        properties:
          cloudWatchLogsGroupArn: ${exampleLogGroup.arn}:*
    

    Create Trail Resource

    new Trail(name: string, args: TrailArgs, opts?: CustomResourceOptions);
    @overload
    def Trail(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              advanced_event_selectors: Optional[Sequence[TrailAdvancedEventSelectorArgs]] = None,
              cloud_watch_logs_group_arn: Optional[str] = None,
              cloud_watch_logs_role_arn: Optional[str] = None,
              enable_log_file_validation: Optional[bool] = None,
              enable_logging: Optional[bool] = None,
              event_selectors: Optional[Sequence[TrailEventSelectorArgs]] = None,
              include_global_service_events: Optional[bool] = None,
              insight_selectors: Optional[Sequence[TrailInsightSelectorArgs]] = None,
              is_multi_region_trail: Optional[bool] = None,
              is_organization_trail: Optional[bool] = None,
              kms_key_id: Optional[str] = None,
              name: Optional[str] = None,
              s3_bucket_name: Optional[str] = None,
              s3_key_prefix: Optional[str] = None,
              sns_topic_name: Optional[str] = None,
              tags: Optional[Mapping[str, str]] = None)
    @overload
    def Trail(resource_name: str,
              args: TrailArgs,
              opts: Optional[ResourceOptions] = None)
    func NewTrail(ctx *Context, name string, args TrailArgs, opts ...ResourceOption) (*Trail, error)
    public Trail(string name, TrailArgs args, CustomResourceOptions? opts = null)
    public Trail(String name, TrailArgs args)
    public Trail(String name, TrailArgs args, CustomResourceOptions options)
    
    type: aws:cloudtrail:Trail
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args TrailArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args TrailArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args TrailArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args TrailArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args TrailArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Trail Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Trail resource accepts the following input properties:

    S3BucketName string

    Name of the S3 bucket designated for publishing log files.

    The following arguments are optional:

    AdvancedEventSelectors List<TrailAdvancedEventSelector>

    Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

    CloudWatchLogsGroupArn string

    Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.

    CloudWatchLogsRoleArn string

    Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

    EnableLogFileValidation bool

    Whether log file integrity validation is enabled. Defaults to false.

    EnableLogging bool

    Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

    EventSelectors List<TrailEventSelector>

    Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

    IncludeGlobalServiceEvents bool

    Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

    InsightSelectors List<TrailInsightSelector>

    Configuration block for identifying unusual operational activity. See details below.

    IsMultiRegionTrail bool

    Whether the trail is created in the current region or in all regions. Defaults to false.

    IsOrganizationTrail bool

    Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

    KmsKeyId string

    KMS key ARN to use to encrypt the logs delivered by CloudTrail.

    Name string

    Name of the trail.

    S3KeyPrefix string

    S3 key prefix that follows the name of the bucket you have designated for log file delivery.

    SnsTopicName string

    Name of the Amazon SNS topic defined for notification of log file delivery.

    Tags Dictionary<string, string>

    Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    S3BucketName string

    Name of the S3 bucket designated for publishing log files.

    The following arguments are optional:

    AdvancedEventSelectors []TrailAdvancedEventSelectorArgs

    Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

    CloudWatchLogsGroupArn string

    Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.

    CloudWatchLogsRoleArn string

    Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

    EnableLogFileValidation bool

    Whether log file integrity validation is enabled. Defaults to false.

    EnableLogging bool

    Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

    EventSelectors []TrailEventSelectorArgs

    Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

    IncludeGlobalServiceEvents bool

    Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

    InsightSelectors []TrailInsightSelectorArgs

    Configuration block for identifying unusual operational activity. See details below.

    IsMultiRegionTrail bool

    Whether the trail is created in the current region or in all regions. Defaults to false.

    IsOrganizationTrail bool

    Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

    KmsKeyId string

    KMS key ARN to use to encrypt the logs delivered by CloudTrail.

    Name string

    Name of the trail.

    S3KeyPrefix string

    S3 key prefix that follows the name of the bucket you have designated for log file delivery.

    SnsTopicName string

    Name of the Amazon SNS topic defined for notification of log file delivery.

    Tags map[string]string

    Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    s3BucketName String

    Name of the S3 bucket designated for publishing log files.

    The following arguments are optional:

    advancedEventSelectors List<TrailAdvancedEventSelector>

    Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

    cloudWatchLogsGroupArn String

    Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.

    cloudWatchLogsRoleArn String

    Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

    enableLogFileValidation Boolean

    Whether log file integrity validation is enabled. Defaults to false.

    enableLogging Boolean

    Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

    eventSelectors List<TrailEventSelector>

    Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

    includeGlobalServiceEvents Boolean

    Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

    insightSelectors List<TrailInsightSelector>

    Configuration block for identifying unusual operational activity. See details below.

    isMultiRegionTrail Boolean

    Whether the trail is created in the current region or in all regions. Defaults to false.

    isOrganizationTrail Boolean

    Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

    kmsKeyId String

    KMS key ARN to use to encrypt the logs delivered by CloudTrail.

    name String

    Name of the trail.

    s3KeyPrefix String

    S3 key prefix that follows the name of the bucket you have designated for log file delivery.

    snsTopicName String

    Name of the Amazon SNS topic defined for notification of log file delivery.

    tags Map<String,String>

    Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    s3BucketName string

    Name of the S3 bucket designated for publishing log files.

    The following arguments are optional:

    advancedEventSelectors TrailAdvancedEventSelector[]

    Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

    cloudWatchLogsGroupArn string

    Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.

    cloudWatchLogsRoleArn string

    Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

    enableLogFileValidation boolean

    Whether log file integrity validation is enabled. Defaults to false.

    enableLogging boolean

    Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

    eventSelectors TrailEventSelector[]

    Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

    includeGlobalServiceEvents boolean

    Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

    insightSelectors TrailInsightSelector[]

    Configuration block for identifying unusual operational activity. See details below.

    isMultiRegionTrail boolean

    Whether the trail is created in the current region or in all regions. Defaults to false.

    isOrganizationTrail boolean

    Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

    kmsKeyId string

    KMS key ARN to use to encrypt the logs delivered by CloudTrail.

    name string

    Name of the trail.

    s3KeyPrefix string

    S3 key prefix that follows the name of the bucket you have designated for log file delivery.

    snsTopicName string

    Name of the Amazon SNS topic defined for notification of log file delivery.

    tags {[key: string]: string}

    Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    s3_bucket_name str

    Name of the S3 bucket designated for publishing log files.

    The following arguments are optional:

    advanced_event_selectors Sequence[TrailAdvancedEventSelectorArgs]

    Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

    cloud_watch_logs_group_arn str

    Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.

    cloud_watch_logs_role_arn str

    Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

    enable_log_file_validation bool

    Whether log file integrity validation is enabled. Defaults to false.

    enable_logging bool

    Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

    event_selectors Sequence[TrailEventSelectorArgs]

    Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

    include_global_service_events bool

    Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

    insight_selectors Sequence[TrailInsightSelectorArgs]

    Configuration block for identifying unusual operational activity. See details below.

    is_multi_region_trail bool

    Whether the trail is created in the current region or in all regions. Defaults to false.

    is_organization_trail bool

    Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

    kms_key_id str

    KMS key ARN to use to encrypt the logs delivered by CloudTrail.

    name str

    Name of the trail.

    s3_key_prefix str

    S3 key prefix that follows the name of the bucket you have designated for log file delivery.

    sns_topic_name str

    Name of the Amazon SNS topic defined for notification of log file delivery.

    tags Mapping[str, str]

    Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    s3BucketName String

    Name of the S3 bucket designated for publishing log files.

    The following arguments are optional:

    advancedEventSelectors List<Property Map>

    Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

    cloudWatchLogsGroupArn String

    Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.

    cloudWatchLogsRoleArn String

    Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

    enableLogFileValidation Boolean

    Whether log file integrity validation is enabled. Defaults to false.

    enableLogging Boolean

    Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

    eventSelectors List<Property Map>

    Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

    includeGlobalServiceEvents Boolean

    Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

    insightSelectors List<Property Map>

    Configuration block for identifying unusual operational activity. See details below.

    isMultiRegionTrail Boolean

    Whether the trail is created in the current region or in all regions. Defaults to false.

    isOrganizationTrail Boolean

    Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

    kmsKeyId String

    KMS key ARN to use to encrypt the logs delivered by CloudTrail.

    name String

    Name of the trail.

    s3KeyPrefix String

    S3 key prefix that follows the name of the bucket you have designated for log file delivery.

    snsTopicName String

    Name of the Amazon SNS topic defined for notification of log file delivery.

    tags Map<String>

    Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Trail resource produces the following output properties:

    Arn string

    ARN of the trail.

    HomeRegion string

    Region in which the trail was created.

    Id string

    The provider-assigned unique ID for this managed resource.

    TagsAll Dictionary<string, string>

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    Arn string

    ARN of the trail.

    HomeRegion string

    Region in which the trail was created.

    Id string

    The provider-assigned unique ID for this managed resource.

    TagsAll map[string]string

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    arn String

    ARN of the trail.

    homeRegion String

    Region in which the trail was created.

    id String

    The provider-assigned unique ID for this managed resource.

    tagsAll Map<String,String>

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    arn string

    ARN of the trail.

    homeRegion string

    Region in which the trail was created.

    id string

    The provider-assigned unique ID for this managed resource.

    tagsAll {[key: string]: string}

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    arn str

    ARN of the trail.

    home_region str

    Region in which the trail was created.

    id str

    The provider-assigned unique ID for this managed resource.

    tags_all Mapping[str, str]

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    arn String

    ARN of the trail.

    homeRegion String

    Region in which the trail was created.

    id String

    The provider-assigned unique ID for this managed resource.

    tagsAll Map<String>

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    Look up Existing Trail Resource

    Get an existing Trail resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: TrailState, opts?: CustomResourceOptions): Trail
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            advanced_event_selectors: Optional[Sequence[TrailAdvancedEventSelectorArgs]] = None,
            arn: Optional[str] = None,
            cloud_watch_logs_group_arn: Optional[str] = None,
            cloud_watch_logs_role_arn: Optional[str] = None,
            enable_log_file_validation: Optional[bool] = None,
            enable_logging: Optional[bool] = None,
            event_selectors: Optional[Sequence[TrailEventSelectorArgs]] = None,
            home_region: Optional[str] = None,
            include_global_service_events: Optional[bool] = None,
            insight_selectors: Optional[Sequence[TrailInsightSelectorArgs]] = None,
            is_multi_region_trail: Optional[bool] = None,
            is_organization_trail: Optional[bool] = None,
            kms_key_id: Optional[str] = None,
            name: Optional[str] = None,
            s3_bucket_name: Optional[str] = None,
            s3_key_prefix: Optional[str] = None,
            sns_topic_name: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None) -> Trail
    func GetTrail(ctx *Context, name string, id IDInput, state *TrailState, opts ...ResourceOption) (*Trail, error)
    public static Trail Get(string name, Input<string> id, TrailState? state, CustomResourceOptions? opts = null)
    public static Trail get(String name, Output<String> id, TrailState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AdvancedEventSelectors List<TrailAdvancedEventSelector>

    Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

    Arn string

    ARN of the trail.

    CloudWatchLogsGroupArn string

    Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.

    CloudWatchLogsRoleArn string

    Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

    EnableLogFileValidation bool

    Whether log file integrity validation is enabled. Defaults to false.

    EnableLogging bool

    Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

    EventSelectors List<TrailEventSelector>

    Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

    HomeRegion string

    Region in which the trail was created.

    IncludeGlobalServiceEvents bool

    Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

    InsightSelectors List<TrailInsightSelector>

    Configuration block for identifying unusual operational activity. See details below.

    IsMultiRegionTrail bool

    Whether the trail is created in the current region or in all regions. Defaults to false.

    IsOrganizationTrail bool

    Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

    KmsKeyId string

    KMS key ARN to use to encrypt the logs delivered by CloudTrail.

    Name string

    Name of the trail.

    S3BucketName string

    Name of the S3 bucket designated for publishing log files.

    The following arguments are optional:

    S3KeyPrefix string

    S3 key prefix that follows the name of the bucket you have designated for log file delivery.

    SnsTopicName string

    Name of the Amazon SNS topic defined for notification of log file delivery.

    Tags Dictionary<string, string>

    Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    TagsAll Dictionary<string, string>

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    AdvancedEventSelectors []TrailAdvancedEventSelectorArgs

    Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

    Arn string

    ARN of the trail.

    CloudWatchLogsGroupArn string

    Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.

    CloudWatchLogsRoleArn string

    Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

    EnableLogFileValidation bool

    Whether log file integrity validation is enabled. Defaults to false.

    EnableLogging bool

    Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

    EventSelectors []TrailEventSelectorArgs

    Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

    HomeRegion string

    Region in which the trail was created.

    IncludeGlobalServiceEvents bool

    Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

    InsightSelectors []TrailInsightSelectorArgs

    Configuration block for identifying unusual operational activity. See details below.

    IsMultiRegionTrail bool

    Whether the trail is created in the current region or in all regions. Defaults to false.

    IsOrganizationTrail bool

    Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

    KmsKeyId string

    KMS key ARN to use to encrypt the logs delivered by CloudTrail.

    Name string

    Name of the trail.

    S3BucketName string

    Name of the S3 bucket designated for publishing log files.

    The following arguments are optional:

    S3KeyPrefix string

    S3 key prefix that follows the name of the bucket you have designated for log file delivery.

    SnsTopicName string

    Name of the Amazon SNS topic defined for notification of log file delivery.

    Tags map[string]string

    Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    TagsAll map[string]string

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    advancedEventSelectors List<TrailAdvancedEventSelector>

    Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

    arn String

    ARN of the trail.

    cloudWatchLogsGroupArn String

    Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.

    cloudWatchLogsRoleArn String

    Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

    enableLogFileValidation Boolean

    Whether log file integrity validation is enabled. Defaults to false.

    enableLogging Boolean

    Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

    eventSelectors List<TrailEventSelector>

    Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

    homeRegion String

    Region in which the trail was created.

    includeGlobalServiceEvents Boolean

    Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

    insightSelectors List<TrailInsightSelector>

    Configuration block for identifying unusual operational activity. See details below.

    isMultiRegionTrail Boolean

    Whether the trail is created in the current region or in all regions. Defaults to false.

    isOrganizationTrail Boolean

    Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

    kmsKeyId String

    KMS key ARN to use to encrypt the logs delivered by CloudTrail.

    name String

    Name of the trail.

    s3BucketName String

    Name of the S3 bucket designated for publishing log files.

    The following arguments are optional:

    s3KeyPrefix String

    S3 key prefix that follows the name of the bucket you have designated for log file delivery.

    snsTopicName String

    Name of the Amazon SNS topic defined for notification of log file delivery.

    tags Map<String,String>

    Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tagsAll Map<String,String>

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    advancedEventSelectors TrailAdvancedEventSelector[]

    Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

    arn string

    ARN of the trail.

    cloudWatchLogsGroupArn string

    Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.

    cloudWatchLogsRoleArn string

    Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

    enableLogFileValidation boolean

    Whether log file integrity validation is enabled. Defaults to false.

    enableLogging boolean

    Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

    eventSelectors TrailEventSelector[]

    Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

    homeRegion string

    Region in which the trail was created.

    includeGlobalServiceEvents boolean

    Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

    insightSelectors TrailInsightSelector[]

    Configuration block for identifying unusual operational activity. See details below.

    isMultiRegionTrail boolean

    Whether the trail is created in the current region or in all regions. Defaults to false.

    isOrganizationTrail boolean

    Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

    kmsKeyId string

    KMS key ARN to use to encrypt the logs delivered by CloudTrail.

    name string

    Name of the trail.

    s3BucketName string

    Name of the S3 bucket designated for publishing log files.

    The following arguments are optional:

    s3KeyPrefix string

    S3 key prefix that follows the name of the bucket you have designated for log file delivery.

    snsTopicName string

    Name of the Amazon SNS topic defined for notification of log file delivery.

    tags {[key: string]: string}

    Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tagsAll {[key: string]: string}

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    advanced_event_selectors Sequence[TrailAdvancedEventSelectorArgs]

    Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

    arn str

    ARN of the trail.

    cloud_watch_logs_group_arn str

    Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.

    cloud_watch_logs_role_arn str

    Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

    enable_log_file_validation bool

    Whether log file integrity validation is enabled. Defaults to false.

    enable_logging bool

    Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

    event_selectors Sequence[TrailEventSelectorArgs]

    Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

    home_region str

    Region in which the trail was created.

    include_global_service_events bool

    Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

    insight_selectors Sequence[TrailInsightSelectorArgs]

    Configuration block for identifying unusual operational activity. See details below.

    is_multi_region_trail bool

    Whether the trail is created in the current region or in all regions. Defaults to false.

    is_organization_trail bool

    Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

    kms_key_id str

    KMS key ARN to use to encrypt the logs delivered by CloudTrail.

    name str

    Name of the trail.

    s3_bucket_name str

    Name of the S3 bucket designated for publishing log files.

    The following arguments are optional:

    s3_key_prefix str

    S3 key prefix that follows the name of the bucket you have designated for log file delivery.

    sns_topic_name str

    Name of the Amazon SNS topic defined for notification of log file delivery.

    tags Mapping[str, str]

    Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tags_all Mapping[str, str]

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    advancedEventSelectors List<Property Map>

    Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

    arn String

    ARN of the trail.

    cloudWatchLogsGroupArn String

    Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.

    cloudWatchLogsRoleArn String

    Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

    enableLogFileValidation Boolean

    Whether log file integrity validation is enabled. Defaults to false.

    enableLogging Boolean

    Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

    eventSelectors List<Property Map>

    Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

    homeRegion String

    Region in which the trail was created.

    includeGlobalServiceEvents Boolean

    Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

    insightSelectors List<Property Map>

    Configuration block for identifying unusual operational activity. See details below.

    isMultiRegionTrail Boolean

    Whether the trail is created in the current region or in all regions. Defaults to false.

    isOrganizationTrail Boolean

    Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

    kmsKeyId String

    KMS key ARN to use to encrypt the logs delivered by CloudTrail.

    name String

    Name of the trail.

    s3BucketName String

    Name of the S3 bucket designated for publishing log files.

    The following arguments are optional:

    s3KeyPrefix String

    S3 key prefix that follows the name of the bucket you have designated for log file delivery.

    snsTopicName String

    Name of the Amazon SNS topic defined for notification of log file delivery.

    tags Map<String>

    Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tagsAll Map<String>

    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:

    Please use tags instead.

    Supporting Types

    TrailAdvancedEventSelector, TrailAdvancedEventSelectorArgs

    FieldSelectors List<TrailAdvancedEventSelectorFieldSelector>

    Specifies the selector statements in an advanced event selector. Fields documented below.

    Name string

    Name of the trail.

    FieldSelectors []TrailAdvancedEventSelectorFieldSelector

    Specifies the selector statements in an advanced event selector. Fields documented below.

    Name string

    Name of the trail.

    fieldSelectors List<TrailAdvancedEventSelectorFieldSelector>

    Specifies the selector statements in an advanced event selector. Fields documented below.

    name String

    Name of the trail.

    fieldSelectors TrailAdvancedEventSelectorFieldSelector[]

    Specifies the selector statements in an advanced event selector. Fields documented below.

    name string

    Name of the trail.

    field_selectors Sequence[TrailAdvancedEventSelectorFieldSelector]

    Specifies the selector statements in an advanced event selector. Fields documented below.

    name str

    Name of the trail.

    fieldSelectors List<Property Map>

    Specifies the selector statements in an advanced event selector. Fields documented below.

    name String

    Name of the trail.

    TrailAdvancedEventSelectorFieldSelector, TrailAdvancedEventSelectorFieldSelectorArgs

    Field string

    Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.

    EndsWiths List<string>

    A list of values that includes events that match the last few characters of the event record field specified as the value of field.

    Equals List<string>

    A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

    NotEndsWiths List<string>

    A list of values that excludes events that match the last few characters of the event record field specified as the value of field.

    NotEquals List<string>

    A list of values that excludes events that match the exact value of the event record field specified as the value of field.

    NotStartsWiths List<string>

    A list of values that excludes events that match the first few characters of the event record field specified as the value of field.

    StartsWiths List<string>

    A list of values that includes events that match the first few characters of the event record field specified as the value of field.

    Field string

    Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.

    EndsWiths []string

    A list of values that includes events that match the last few characters of the event record field specified as the value of field.

    Equals []string

    A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

    NotEndsWiths []string

    A list of values that excludes events that match the last few characters of the event record field specified as the value of field.

    NotEquals []string

    A list of values that excludes events that match the exact value of the event record field specified as the value of field.

    NotStartsWiths []string

    A list of values that excludes events that match the first few characters of the event record field specified as the value of field.

    StartsWiths []string

    A list of values that includes events that match the first few characters of the event record field specified as the value of field.

    field String

    Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.

    endsWiths List<String>

    A list of values that includes events that match the last few characters of the event record field specified as the value of field.

    equals_ List<String>

    A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

    notEndsWiths List<String>

    A list of values that excludes events that match the last few characters of the event record field specified as the value of field.

    notEquals List<String>

    A list of values that excludes events that match the exact value of the event record field specified as the value of field.

    notStartsWiths List<String>

    A list of values that excludes events that match the first few characters of the event record field specified as the value of field.

    startsWiths List<String>

    A list of values that includes events that match the first few characters of the event record field specified as the value of field.

    field string

    Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.

    endsWiths string[]

    A list of values that includes events that match the last few characters of the event record field specified as the value of field.

    equals string[]

    A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

    notEndsWiths string[]

    A list of values that excludes events that match the last few characters of the event record field specified as the value of field.

    notEquals string[]

    A list of values that excludes events that match the exact value of the event record field specified as the value of field.

    notStartsWiths string[]

    A list of values that excludes events that match the first few characters of the event record field specified as the value of field.

    startsWiths string[]

    A list of values that includes events that match the first few characters of the event record field specified as the value of field.

    field str

    Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.

    ends_withs Sequence[str]

    A list of values that includes events that match the last few characters of the event record field specified as the value of field.

    equals Sequence[str]

    A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

    not_ends_withs Sequence[str]

    A list of values that excludes events that match the last few characters of the event record field specified as the value of field.

    not_equals Sequence[str]

    A list of values that excludes events that match the exact value of the event record field specified as the value of field.

    not_starts_withs Sequence[str]

    A list of values that excludes events that match the first few characters of the event record field specified as the value of field.

    starts_withs Sequence[str]

    A list of values that includes events that match the first few characters of the event record field specified as the value of field.

    field String

    Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.

    endsWiths List<String>

    A list of values that includes events that match the last few characters of the event record field specified as the value of field.

    equals List<String>

    A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

    notEndsWiths List<String>

    A list of values that excludes events that match the last few characters of the event record field specified as the value of field.

    notEquals List<String>

    A list of values that excludes events that match the exact value of the event record field specified as the value of field.

    notStartsWiths List<String>

    A list of values that excludes events that match the first few characters of the event record field specified as the value of field.

    startsWiths List<String>

    A list of values that includes events that match the first few characters of the event record field specified as the value of field.

    TrailEventSelector, TrailEventSelectorArgs

    DataResources List<TrailEventSelectorDataResource>

    Configuration block for data events. See details below.

    ExcludeManagementEventSources List<string>

    A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set totrue to allow this.

    IncludeManagementEvents bool

    Whether to include management events for your trail. Defaults to true.

    ReadWriteType string

    Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

    DataResources []TrailEventSelectorDataResource

    Configuration block for data events. See details below.

    ExcludeManagementEventSources []string

    A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set totrue to allow this.

    IncludeManagementEvents bool

    Whether to include management events for your trail. Defaults to true.

    ReadWriteType string

    Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

    dataResources List<TrailEventSelectorDataResource>

    Configuration block for data events. See details below.

    excludeManagementEventSources List<String>

    A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set totrue to allow this.

    includeManagementEvents Boolean

    Whether to include management events for your trail. Defaults to true.

    readWriteType String

    Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

    dataResources TrailEventSelectorDataResource[]

    Configuration block for data events. See details below.

    excludeManagementEventSources string[]

    A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set totrue to allow this.

    includeManagementEvents boolean

    Whether to include management events for your trail. Defaults to true.

    readWriteType string

    Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

    data_resources Sequence[TrailEventSelectorDataResource]

    Configuration block for data events. See details below.

    exclude_management_event_sources Sequence[str]

    A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set totrue to allow this.

    include_management_events bool

    Whether to include management events for your trail. Defaults to true.

    read_write_type str

    Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

    dataResources List<Property Map>

    Configuration block for data events. See details below.

    excludeManagementEventSources List<String>

    A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set totrue to allow this.

    includeManagementEvents Boolean

    Whether to include management events for your trail. Defaults to true.

    readWriteType String

    Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

    TrailEventSelectorDataResource, TrailEventSelectorDataResourceArgs

    Type string

    Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".

    Values List<string>

    List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

    Type string

    Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".

    Values []string

    List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

    type String

    Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".

    values List<String>

    List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

    type string

    Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".

    values string[]

    List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

    type str

    Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".

    values Sequence[str]

    List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

    type String

    Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".

    values List<String>

    List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

    TrailInsightSelector, TrailInsightSelectorArgs

    InsightType string

    Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

    InsightType string

    Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

    insightType String

    Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

    insightType string

    Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

    insight_type str

    Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

    insightType String

    Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

    Import

    Using pulumi import, import Cloudtrails using the arn. For example:

     $ pulumi import aws:cloudtrail/trail:Trail sample arn:aws:cloudtrail:us-east-1:123456789012:trail/my-sample-trail
    

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the aws Terraform Provider.

    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v6.13.1 published on Tuesday, Dec 5, 2023 by Pulumi