
aws.cloudtrail.Trail


Provides a CloudTrail resource.

Tip: For a multi-region trail, this resource must be in the home region of the trail.

Tip: For an organization trail, this resource must be in the master account of the organization.

Example Usage

Basic

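using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

// Basic trail: one S3 bucket receives the log files, and a bucket policy grants
// CloudTrail's service principal just the two permissions it needs to deliver them.
return await Deployment.RunAsync(() =>
{
    // Account id of the deploying caller; scopes the PutObject grant below.
    var current = Aws.GetCallerIdentity.Invoke();

    // NOTE(review): ForceDestroy = true lets a destroy delete the bucket together
    // with the audit logs in it; fine for a demo, reconsider for a real trail.
    var fooBucketV2 = new Aws.S3.BucketV2("fooBucketV2", new()
    {
        ForceDestroy = true,
    });

    var foobar = new Aws.CloudTrail.Trail("foobar", new()
    {
        S3BucketName = fooBucketV2.Id,
        S3KeyPrefix = "prefix",
        IncludeGlobalServiceEvents = false,
    });

    // Both the bucket ARN and the account id are Outputs. Output.Format resolves
    // them before formatting; a plain $"..." string would embed the Output
    // objects' ToString() instead of their values.
    var logObjectsArn = Output.Format($"{fooBucketV2.Arn}/prefix/AWSLogs/{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}/*");

    // NOTE(review): a condition on aws:SourceArn / aws:SourceAccount would further
    // pin delivery to this account's trail; it is not part of the upstream example.
    var fooPolicyDocument = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Sid = "AWSCloudTrailAclCheck",
                Effect = "Allow",
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "Service",
                        Identifiers = new[]
                        {
                            "cloudtrail.amazonaws.com",
                        },
                    },
                },
                Actions = new[]
                {
                    "s3:GetBucketAcl",
                },
                Resources = new[]
                {
                    fooBucketV2.Arn,
                },
            },
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Sid = "AWSCloudTrailWrite",
                Effect = "Allow",
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "Service",
                        Identifiers = new[]
                        {
                            "cloudtrail.amazonaws.com",
                        },
                    },
                },
                Actions = new[]
                {
                    "s3:PutObject",
                },
                Resources = new[]
                {
                    logObjectsArn,
                },
                // CloudTrail must hand the written objects to the bucket owner.
                Conditions = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                    {
                        Test = "StringEquals",
                        Variable = "s3:x-amz-acl",
                        Values = new[]
                        {
                            "bucket-owner-full-control",
                        },
                    },
                },
            },
        },
    });

    var fooBucketPolicy = new Aws.S3.BucketPolicy("fooBucketPolicy", new()
    {
        Bucket = fooBucketV2.Id,
        Policy = fooPolicyDocument.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });

});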
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/cloudtrail"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// deploy builds the "basic" example: a log bucket, a single-region trail that
// writes under the "prefix" key prefix, and the bucket policy that lets
// CloudTrail's service principal deliver log files there.
func deploy(ctx *pulumi.Context) error {
	// The caller's account id scopes the PutObject grant below to this
	// account's AWSLogs/ subtree.
	ident, err := aws.GetCallerIdentity(ctx, nil, nil)
	if err != nil {
		return err
	}
	// NOTE(review): ForceDestroy lets a destroy remove the bucket together with
	// every delivered log file; fine for a demo, reconsider for a real trail.
	logBucket, err := s3.NewBucketV2(ctx, "fooBucketV2", &s3.BucketV2Args{
		ForceDestroy: pulumi.Bool(true),
	})
	if err != nil {
		return err
	}
	if _, err := cloudtrail.NewTrail(ctx, "foobar", &cloudtrail.TrailArgs{
		S3BucketName:               logBucket.ID(),
		S3KeyPrefix:                pulumi.String("prefix"),
		IncludeGlobalServiceEvents: pulumi.Bool(false),
	}); err != nil {
		return err
	}

	// Service principal shared by both policy statements.
	cloudtrailPrincipal := iam.GetPolicyDocumentStatementPrincipalArray{
		&iam.GetPolicyDocumentStatementPrincipalArgs{
			Type:        pulumi.String("Service"),
			Identifiers: pulumi.StringArray{pulumi.String("cloudtrail.amazonaws.com")},
		},
	}

	// Key path CloudTrail writes under; the bucket ARN is only known after
	// creation, hence the ApplyT.
	logObjects := logBucket.Arn.ApplyT(func(arn string) (string, error) {
		return fmt.Sprintf("%v/prefix/AWSLogs/%v/*", arn, ident.AccountId), nil
	}).(pulumi.StringOutput)

	// NOTE(review): the statements grant only GetBucketAcl and a prefix-scoped
	// PutObject; a condition on aws:SourceArn / aws:SourceAccount would further
	// pin delivery to this account's trail — not part of the upstream example.
	aclCheck := &iam.GetPolicyDocumentStatementArgs{
		Sid:        pulumi.String("AWSCloudTrailAclCheck"),
		Effect:     pulumi.String("Allow"),
		Principals: cloudtrailPrincipal,
		Actions:    pulumi.StringArray{pulumi.String("s3:GetBucketAcl")},
		Resources:  pulumi.StringArray{logBucket.Arn},
	}
	write := &iam.GetPolicyDocumentStatementArgs{
		Sid:        pulumi.String("AWSCloudTrailWrite"),
		Effect:     pulumi.String("Allow"),
		Principals: cloudtrailPrincipal,
		Actions:    pulumi.StringArray{pulumi.String("s3:PutObject")},
		Resources:  pulumi.StringArray{logObjects},
		// CloudTrail must hand the written objects to the bucket owner.
		Conditions: iam.GetPolicyDocumentStatementConditionArray{
			&iam.GetPolicyDocumentStatementConditionArgs{
				Test:     pulumi.String("StringEquals"),
				Variable: pulumi.String("s3:x-amz-acl"),
				Values:   pulumi.StringArray{pulumi.String("bucket-owner-full-control")},
			},
		},
	}
	policyDoc := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
		Statements: iam.GetPolicyDocumentStatementArray{aclCheck, write},
	}, nil)

	_, err = s3.NewBucketPolicy(ctx, "fooBucketPolicy", &s3.BucketPolicyArgs{
		Bucket: logBucket.ID(),
		Policy: policyDoc.ApplyT(func(doc iam.GetPolicyDocumentResult) (*string, error) {
			return &doc.Json, nil
		}).(pulumi.StringPtrOutput),
	})
	return err
}

func main() {
	pulumi.Run(deploy)
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

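public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Basic trail: a log bucket, a single-region trail writing under the "prefix"
     * key prefix, and the bucket policy that lets CloudTrail's service principal
     * deliver log files there.
     */
    public static void stack(Context ctx) {
        // Account id of the caller; scopes the PutObject grant below.
        final var current = AwsFunctions.getCallerIdentity();

        // NOTE(review): forceDestroy(true) lets a destroy delete the bucket
        // together with the audit logs in it; reconsider outside a demo.
        var fooBucketV2 = new BucketV2("fooBucketV2", BucketV2Args.builder()
            .forceDestroy(true)
            .build());

        var foobar = new Trail("foobar", TrailArgs.builder()
            .s3BucketName(fooBucketV2.id())
            .s3KeyPrefix("prefix")
            .includeGlobalServiceEvents(false)
            .build());

        // Both the bucket ARN and the account id are Outputs, so they are combined
        // with Output.all before formatting; passing an Output straight into
        // String.format would embed its toString() rather than its value.
        final Output<List<String>> logObjectsArn = Output.all(
                fooBucketV2.arn(),
                current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()))
            .applyValue(parts -> List.of(String.format("%s/prefix/AWSLogs/%s/*", parts.get(0), parts.get(1))));

        // The statement/principal/condition args types are not imported above, so
        // they are referenced by their full names to keep this class self-contained.
        // NOTE(review): a condition on aws:SourceArn / aws:SourceAccount would
        // further pin delivery to this account's trail; not part of the upstream example.
        final var fooPolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .sid("AWSCloudTrailAclCheck")
                    .effect("Allow")
                    .principals(com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("cloudtrail.amazonaws.com")
                        .build())
                    .actions("s3:GetBucketAcl")
                    // arn() is an Output<String>; the resources list needs an Output<List<String>>.
                    .resources(fooBucketV2.arn().applyValue(arn -> List.of(arn)))
                    .build(),
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .sid("AWSCloudTrailWrite")
                    .effect("Allow")
                    .principals(com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("cloudtrail.amazonaws.com")
                        .build())
                    .actions("s3:PutObject")
                    .resources(logObjectsArn)
                    // CloudTrail must hand the written objects to the bucket owner.
                    .conditions(com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementConditionArgs.builder()
                        .test("StringEquals")
                        .variable("s3:x-amz-acl")
                        .values("bucket-owner-full-control")
                        .build())
                    .build())
            .build());

        var fooBucketPolicy = new BucketPolicy("fooBucketPolicy", BucketPolicyArgs.builder()
            .bucket(fooBucketV2.id())
            // getPolicyDocument returns Output<GetPolicyDocumentResult>; project out its JSON.
            .policy(fooPolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
    }
}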
import pulumi
import pulumi_aws as aws

# Basic trail: one S3 bucket receives the log files, and a bucket policy grants
# CloudTrail's service principal exactly the two permissions it needs.

# Account id of the caller; scopes the PutObject grant below.
current = aws.get_caller_identity()

# NOTE(review): force_destroy=True lets a destroy remove the bucket together
# with the delivered audit logs; fine for a demo, reconsider for a real trail.
foo_bucket_v2 = aws.s3.BucketV2("fooBucketV2", force_destroy=True)

foobar = aws.cloudtrail.Trail(
    "foobar",
    s3_bucket_name=foo_bucket_v2.id,
    s3_key_prefix="prefix",
    include_global_service_events=False,
)

# Service principal shared by both statements.
_cloudtrail_principal = aws.iam.GetPolicyDocumentStatementPrincipalArgs(
    type="Service",
    identifiers=["cloudtrail.amazonaws.com"],
)

# Key path CloudTrail writes under; the bucket ARN is only known after creation.
_log_objects_arn = pulumi.Output.concat(
    foo_bucket_v2.arn, f"/prefix/AWSLogs/{current.account_id}/*"
)

_acl_check = aws.iam.GetPolicyDocumentStatementArgs(
    sid="AWSCloudTrailAclCheck",
    effect="Allow",
    principals=[_cloudtrail_principal],
    actions=["s3:GetBucketAcl"],
    resources=[foo_bucket_v2.arn],
)

# NOTE(review): a condition on aws:SourceArn / aws:SourceAccount would further
# pin delivery to this account's trail; not part of the upstream example.
_write = aws.iam.GetPolicyDocumentStatementArgs(
    sid="AWSCloudTrailWrite",
    effect="Allow",
    principals=[_cloudtrail_principal],
    actions=["s3:PutObject"],
    resources=[_log_objects_arn],
    # CloudTrail must hand the written objects to the bucket owner.
    conditions=[
        aws.iam.GetPolicyDocumentStatementConditionArgs(
            test="StringEquals",
            variable="s3:x-amz-acl",
            values=["bucket-owner-full-control"],
        )
    ],
)

foo_policy_document = aws.iam.get_policy_document_output(statements=[_acl_check, _write])

foo_bucket_policy = aws.s3.BucketPolicy(
    "fooBucketPolicy",
    bucket=foo_bucket_v2.id,
    policy=foo_policy_document.json,
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Basic trail: one S3 bucket receives the log files, and a bucket policy grants
// CloudTrail's service principal exactly the two permissions it needs.

// Account id of the caller; scopes the PutObject grant below.
const current = aws.getCallerIdentity({});

// NOTE(review): forceDestroy lets a destroy remove the bucket together with
// the delivered audit logs; fine for a demo, reconsider for a real trail.
const fooBucketV2 = new aws.s3.BucketV2("fooBucketV2", {forceDestroy: true});

const foobar = new aws.cloudtrail.Trail("foobar", {
    s3BucketName: fooBucketV2.id,
    s3KeyPrefix: "prefix",
    includeGlobalServiceEvents: false,
});

// Service principal shared by both statements.
const cloudtrailPrincipal = {
    type: "Service",
    identifiers: ["cloudtrail.amazonaws.com"],
};

// Key path CloudTrail writes under; interpolate waits for both the bucket ARN
// and the caller-identity promise.
const logObjectsArn = pulumi.interpolate`${fooBucketV2.arn}/prefix/AWSLogs/${current.then(c => c.accountId)}/*`;

// NOTE(review): a condition on aws:SourceArn / aws:SourceAccount would further
// pin delivery to this account's trail; not part of the upstream example.
const fooPolicyDocument = aws.iam.getPolicyDocumentOutput({
    statements: [
        {
            sid: "AWSCloudTrailAclCheck",
            effect: "Allow",
            principals: [cloudtrailPrincipal],
            actions: ["s3:GetBucketAcl"],
            resources: [fooBucketV2.arn],
        },
        {
            sid: "AWSCloudTrailWrite",
            effect: "Allow",
            principals: [cloudtrailPrincipal],
            actions: ["s3:PutObject"],
            resources: [logObjectsArn],
            // CloudTrail must hand the written objects to the bucket owner.
            conditions: [{
                test: "StringEquals",
                variable: "s3:x-amz-acl",
                values: ["bucket-owner-full-control"],
            }],
        },
    ],
});

const fooBucketPolicy = new aws.s3.BucketPolicy("fooBucketPolicy", {
    bucket: fooBucketV2.id,
    policy: fooPolicyDocument.apply(doc => doc.json),
});
resources:
  # Single-region trail delivering to the bucket below under the "prefix" key prefix.
  foobar:
    type: aws:cloudtrail:Trail
    properties:
      s3BucketName: ${fooBucketV2.id}
      s3KeyPrefix: prefix
      includeGlobalServiceEvents: false
  # Log bucket. forceDestroy: true lets a destroy delete it together with the logs in it.
  fooBucketV2:
    type: aws:s3:BucketV2
    properties:
      forceDestroy: true
  # Attaches the policy built in fooPolicyDocument to the log bucket.
  fooBucketPolicy:
    type: aws:s3:BucketPolicy
    properties:
      bucket: ${fooBucketV2.id}
      policy: ${fooPolicyDocument.json}
variables:
  # Account id of the caller; scopes the PutObject grant to this account's AWSLogs/ path.
  current:
    fn::invoke:
      Function: aws:getCallerIdentity
      Arguments: {}
  # Bucket policy: CloudTrail's service principal may read the bucket ACL and write
  # objects under prefix/AWSLogs/<account>/ with bucket-owner-full-control.
  fooPolicyDocument:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - sid: AWSCloudTrailAclCheck
            effect: Allow
            principals:
              - type: Service
                identifiers:
                  - cloudtrail.amazonaws.com
            actions:
              - s3:GetBucketAcl
            resources:
              - ${fooBucketV2.arn}
          - sid: AWSCloudTrailWrite
            effect: Allow
            principals:
              - type: Service
                identifiers:
                  - cloudtrail.amazonaws.com
            actions:
              - s3:PutObject
            resources:
              - ${fooBucketV2.arn}/prefix/AWSLogs/${current.accountId}/*
            # CloudTrail must hand the written objects to the bucket owner.
            conditions:
              - test: StringEquals
                variable: s3:x-amz-acl
                values:
                  - bucket-owner-full-control

Logging All Lambda Function Invocations By Using Basic Event Selectors

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

// Trail with one basic event selector: all management events plus data events
// for every Lambda function. Only the selector is shown; the S3 delivery bucket
// from the basic example is omitted here.
return await Deployment.RunAsync(() =>
{
    var lambdaInvocations = new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
    {
        Type = "AWS::Lambda::Function",
        Values = new[] { "arn:aws:lambda" },
    };

    var selector = new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
    {
        DataResources = new[] { lambdaInvocations },
        IncludeManagementEvents = true,
        ReadWriteType = "All",
    };

    var trail = new Aws.CloudTrail.Trail("example", new()
    {
        EventSelectors = new[] { selector },
    });
});
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/cloudtrail"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// deploy registers a trail with one basic event selector: all management
// events plus data events for every Lambda function. Only the selector is
// shown; the S3 delivery bucket from the basic example is omitted here.
func deploy(ctx *pulumi.Context) error {
	lambdaInvocations := &cloudtrail.TrailEventSelectorDataResourceArgs{
		Type:   pulumi.String("AWS::Lambda::Function"),
		Values: pulumi.StringArray{pulumi.String("arn:aws:lambda")},
	}
	selector := &cloudtrail.TrailEventSelectorArgs{
		DataResources:           cloudtrail.TrailEventSelectorDataResourceArray{lambdaInvocations},
		IncludeManagementEvents: pulumi.Bool(true),
		ReadWriteType:           pulumi.String("All"),
	}
	_, err := cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
		EventSelectors: cloudtrail.TrailEventSelectorArray{selector},
	})
	return err
}

func main() {
	pulumi.Run(deploy)
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

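public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Trail with one basic event selector: all management events plus data
     * events for every Lambda function. Only the selector is shown; the S3
     * delivery bucket from the basic example is omitted here.
     */
    public static void stack(Context ctx) {
        // TrailEventSelectorDataResourceArgs is not imported above, so it is
        // referenced by its full name.
        var lambdaInvocations = com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorDataResourceArgs.builder()
            .type("AWS::Lambda::Function")
            .values("arn:aws:lambda")
            .build();

        var example = new Trail("example", TrailArgs.builder()
            .eventSelectors(TrailEventSelectorArgs.builder()
                .dataResources(lambdaInvocations)
                .includeManagementEvents(true)
                .readWriteType("All")
                .build())
            .build());
    }
}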
import pulumi
import pulumi_aws as aws

# Trail with one basic event selector: all management events plus data events
# for every Lambda function. Only the selector is shown; the S3 delivery bucket
# from the basic example is omitted here.
_lambda_invocations = aws.cloudtrail.TrailEventSelectorDataResourceArgs(
    type="AWS::Lambda::Function",
    values=["arn:aws:lambda"],
)
_selector = aws.cloudtrail.TrailEventSelectorArgs(
    data_resources=[_lambda_invocations],
    include_management_events=True,
    read_write_type="All",
)
example = aws.cloudtrail.Trail("example", event_selectors=[_selector])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Trail with one basic event selector: all management events plus data events
// for every Lambda function. Only the selector is shown; the S3 delivery bucket
// from the basic example is omitted here.
const lambdaInvocations = {
    type: "AWS::Lambda::Function",
    values: ["arn:aws:lambda"],
};
const selector = {
    dataResources: [lambdaInvocations],
    includeManagementEvents: true,
    readWriteType: "All",
};
const example = new aws.cloudtrail.Trail("example", {eventSelectors: [selector]});
resources:
  # One basic event selector: all management events plus data events for every
  # Lambda function. Only the selector is shown; the S3 delivery bucket is omitted.
  example:
    type: aws:cloudtrail:Trail
    properties:
      eventSelectors:
        - dataResources:
            - type: AWS::Lambda::Function
              values:
                - arn:aws:lambda
          includeManagementEvents: true
          readWriteType: All

Logging All S3 Object Events By Using Basic Event Selectors

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

// Trail with one basic event selector: all management events plus data events
// for every S3 object. Only the selector is shown; the S3 delivery bucket from
// the basic example is omitted here.
return await Deployment.RunAsync(() =>
{
    var s3Objects = new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
    {
        Type = "AWS::S3::Object",
        Values = new[] { "arn:aws:s3" },
    };

    var selector = new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
    {
        DataResources = new[] { s3Objects },
        IncludeManagementEvents = true,
        ReadWriteType = "All",
    };

    var trail = new Aws.CloudTrail.Trail("example", new()
    {
        EventSelectors = new[] { selector },
    });
});
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/cloudtrail"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// deploy registers a trail with one basic event selector: all management
// events plus data events for every S3 object. Only the selector is shown;
// the S3 delivery bucket from the basic example is omitted here.
func deploy(ctx *pulumi.Context) error {
	s3Objects := &cloudtrail.TrailEventSelectorDataResourceArgs{
		Type:   pulumi.String("AWS::S3::Object"),
		Values: pulumi.StringArray{pulumi.String("arn:aws:s3")},
	}
	selector := &cloudtrail.TrailEventSelectorArgs{
		DataResources:           cloudtrail.TrailEventSelectorDataResourceArray{s3Objects},
		IncludeManagementEvents: pulumi.Bool(true),
		ReadWriteType:           pulumi.String("All"),
	}
	_, err := cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
		EventSelectors: cloudtrail.TrailEventSelectorArray{selector},
	})
	return err
}

func main() {
	pulumi.Run(deploy)
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

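public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Trail with one basic event selector: all management events plus data
     * events for every S3 object. Only the selector is shown; the S3 delivery
     * bucket from the basic example is omitted here.
     */
    public static void stack(Context ctx) {
        // TrailEventSelectorDataResourceArgs is not imported above, so it is
        // referenced by its full name.
        var s3Objects = com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorDataResourceArgs.builder()
            .type("AWS::S3::Object")
            .values("arn:aws:s3")
            .build();

        var example = new Trail("example", TrailArgs.builder()
            .eventSelectors(TrailEventSelectorArgs.builder()
                .dataResources(s3Objects)
                .includeManagementEvents(true)
                .readWriteType("All")
                .build())
            .build());
    }
}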
import pulumi
import pulumi_aws as aws

# Trail with one basic event selector: all management events plus data events
# for every S3 object. Only the selector is shown; the S3 delivery bucket from
# the basic example is omitted here.
_s3_objects = aws.cloudtrail.TrailEventSelectorDataResourceArgs(
    type="AWS::S3::Object",
    values=["arn:aws:s3"],
)
_selector = aws.cloudtrail.TrailEventSelectorArgs(
    data_resources=[_s3_objects],
    include_management_events=True,
    read_write_type="All",
)
example = aws.cloudtrail.Trail("example", event_selectors=[_selector])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Trail with one basic event selector: all management events plus data events
// for every S3 object. Only the selector is shown; the S3 delivery bucket from
// the basic example is omitted here.
const s3Objects = {
    type: "AWS::S3::Object",
    values: ["arn:aws:s3"],
};
const selector = {
    dataResources: [s3Objects],
    includeManagementEvents: true,
    readWriteType: "All",
};
const example = new aws.cloudtrail.Trail("example", {eventSelectors: [selector]});
resources:
  # One basic event selector: all management events plus data events for every
  # S3 object. Only the selector is shown; the S3 delivery bucket is omitted.
  example:
    type: aws:cloudtrail:Trail
    properties:
      eventSelectors:
        - dataResources:
            - type: AWS::S3::Object
              values:
                - arn:aws:s3
          includeManagementEvents: true
          readWriteType: All

Logging Individual S3 Bucket Events By Using Basic Event Selectors

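using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

// Trail with one basic event selector: all management events plus data events
// for the objects of one existing bucket.
return await Deployment.RunAsync(() =>
{
    // Lookup of an existing bucket; the result is an Output, so its ARN is only
    // available inside Apply.
    var importantBucket = Aws.S3.GetBucket.Invoke(new()
    {
        Bucket = "important-bucket",
    });

    // The trailing "/" selects the objects under the bucket ARN. The previous
    // form nested a second Apply inside the interpolation, which formats an
    // Output object rather than the ARN string.
    var bucketObjects = importantBucket.Apply(getBucketResult => $"{getBucketResult.Arn}/");

    var example = new Aws.CloudTrail.Trail("example", new()
    {
        EventSelectors = new[]
        {
            new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
            {
                DataResources = new[]
                {
                    new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
                    {
                        Type = "AWS::S3::Object",
                        Values = new[]
                        {
                            bucketObjects,
                        },
                    },
                },
                IncludeManagementEvents = true,
                ReadWriteType = "All",
            },
        },
    });
});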
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/cloudtrail"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// deploy registers a trail with one basic event selector: all management
// events plus data events for the objects of one existing bucket.
func deploy(ctx *pulumi.Context) error {
	// Plain (non-Output) lookup, so the ARN is a string here.
	bucket, err := s3.LookupBucket(ctx, &s3.LookupBucketArgs{
		Bucket: "important-bucket",
	}, nil)
	if err != nil {
		return err
	}
	// The trailing "/" selects the objects under the bucket ARN.
	bucketObjects := &cloudtrail.TrailEventSelectorDataResourceArgs{
		Type:   pulumi.String("AWS::S3::Object"),
		Values: pulumi.StringArray{pulumi.String(fmt.Sprintf("%v/", bucket.Arn))},
	}
	selector := &cloudtrail.TrailEventSelectorArgs{
		DataResources:           cloudtrail.TrailEventSelectorDataResourceArray{bucketObjects},
		IncludeManagementEvents: pulumi.Bool(true),
		ReadWriteType:           pulumi.String("All"),
	}
	_, err = cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
		EventSelectors: cloudtrail.TrailEventSelectorArray{selector},
	})
	return err
}

func main() {
	pulumi.Run(deploy)
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

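public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Trail with one basic event selector: all management events plus data
     * events for the objects of one existing bucket.
     */
    public static void stack(Context ctx) {
        // Hyphens are not legal in Java identifiers, and the lookup result is an
        // Output<GetBucketResult>, so the ARN is read inside applyValue below.
        final var importantBucket = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket")
            .build());

        // The trailing "/" selects the objects under the bucket ARN.
        final Output<List<String>> bucketObjects = importantBucket
            .applyValue(bucket -> List.of(String.format("%s/", bucket.arn())));

        // TrailEventSelectorDataResourceArgs is not imported above, so it is
        // referenced by its full name.
        var example = new Trail("example", TrailArgs.builder()
            .eventSelectors(TrailEventSelectorArgs.builder()
                .dataResources(com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorDataResourceArgs.builder()
                    .type("AWS::S3::Object")
                    .values(bucketObjects)
                    .build())
                .includeManagementEvents(true)
                .readWriteType("All")
                .build())
            .build());
    }
}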
import pulumi
import pulumi_aws as aws

# Trail with one basic event selector: all management events plus data events
# for the objects of one existing bucket.

# Plain (non-Output) lookup, so the ARN is a str here.
important_bucket = aws.s3.get_bucket(bucket="important-bucket")

# The trailing "/" selects the objects under the bucket ARN.
_bucket_objects = aws.cloudtrail.TrailEventSelectorDataResourceArgs(
    type="AWS::S3::Object",
    values=[f"{important_bucket.arn}/"],
)
_selector = aws.cloudtrail.TrailEventSelectorArgs(
    data_resources=[_bucket_objects],
    include_management_events=True,
    read_write_type="All",
)
example = aws.cloudtrail.Trail("example", event_selectors=[_selector])
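import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Trail with one basic event selector: all management events plus data events
// for the objects of one existing bucket.

// `important-bucket` is not a valid identifier, and the lookup was referenced
// under a different name below; one camelCase binding serves both uses.
const importantBucket = aws.s3.getBucket({
    bucket: "important-bucket",
});
const example = new aws.cloudtrail.Trail("example", {eventSelectors: [{
    dataResources: [{
        type: "AWS::S3::Object",
        // getBucket returns a Promise; the trailing "/" selects the bucket's objects.
        values: [importantBucket.then(bucket => `${bucket.arn}/`)],
    }],
    includeManagementEvents: true,
    readWriteType: "All",
}]});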
resources:
  # One basic event selector: all management events plus data events for the
  # objects of the looked-up bucket (the trailing "/" selects its objects).
  example:
    type: aws:cloudtrail:Trail
    properties:
      eventSelectors:
        - dataResources:
            - type: AWS::S3::Object
              values:
                - ${["important-bucket"].arn}/
          includeManagementEvents: true
          readWriteType: All
variables:
  # Lookup of an existing bucket; the hyphenated name is referenced with the
  # ${["..."]} index form above.
  important-bucket:
    fn::invoke:
      Function: aws:s3:getBucket
      Arguments:
        bucket: important-bucket

Logging All S3 Object Events Except For Two S3 Buckets By Using Advanced Event Selectors

Coming soon!

Coming soon!

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

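public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Trail with two advanced event selectors: data events for every S3 object
     * except those in two looked-up buckets, plus all management events.
     */
    public static void stack(Context ctx) {
        // Hyphens are not legal in Java identifiers; the lookups return
        // Output<GetBucketResult>, so the ARNs are read inside applyValue below.
        final var notImportantBucket1 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("not-important-bucket-1")
            .build());

        final var notImportantBucket2 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("not-important-bucket-2")
            .build());

        // Both lookups are Outputs; combine them before formatting the two prefixes.
        final Output<List<String>> excludedPrefixes = Output.all(notImportantBucket1, notImportantBucket2)
            .applyValue(buckets -> List.of(
                String.format("%s/", buckets.get(0).arn()),
                String.format("%s/", buckets.get(1).arn())));

        // TrailAdvancedEventSelectorFieldSelectorArgs is not imported above, so
        // it is referenced by its full name.
        // NOTE(review): a one-argument .equals(...) call can resolve to
        // Object.equals rather than the builder's String... overload; confirm
        // against the SDK's builder before relying on this snippet.
        var example = new Trail("example", TrailArgs.builder()
            .advancedEventSelectors(
                TrailAdvancedEventSelectorArgs.builder()
                    .fieldSelectors(
                        com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .equals("Data")
                            .field("eventCategory")
                            .build(),
                        com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("resources.ARN")
                            .notStartsWith(excludedPrefixes)
                            .build(),
                        com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .equals("AWS::S3::Object")
                            .field("resources.type")
                            .build())
                    .name("Log all S3 objects events except for two S3 buckets")
                    .build(),
                TrailAdvancedEventSelectorArgs.builder()
                    .fieldSelectors(com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                        .equals("Management")
                        .field("eventCategory")
                        .build())
                    .name("Log readOnly and writeOnly management events")
                    .build())
            .build());
    }
}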

Coming soon!

Coming soon!

resources:
  # Two advanced event selectors: data events for every S3 object except those in
  # the two looked-up buckets, plus all management events.
  example:
    type: aws:cloudtrail:Trail
    properties:
      advancedEventSelectors:
        - fieldSelectors:
            - equals:
                - Data
              field: eventCategory
            # notStartsWith excludes object ARNs under the two bucket ARNs.
            - field: resources.ARN
              notStartsWith:
                - ${["not-important-bucket-1"].arn}/
                - ${["not-important-bucket-2"].arn}/
            - equals:
                - AWS::S3::Object
              field: resources.type
          name: Log all S3 objects events except for two S3 buckets
        - fieldSelectors:
            - equals:
                - Management
              field: eventCategory
          name: Log readOnly and writeOnly management events
variables:
  # Lookups of the two excluded buckets; hyphenated names are referenced with the
  # ${["..."]} index form above.
  not-important-bucket-1:
    fn::invoke:
      Function: aws:s3:getBucket
      Arguments:
        bucket: not-important-bucket-1
  not-important-bucket-2:
    fn::invoke:
      Function: aws:s3:getBucket
      Arguments:
        bucket: not-important-bucket-2

Logging Individual S3 Buckets And Specific Event Names By Using Advanced Event Selectors

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

// Trail that also delivers to a CloudWatch Logs group. Only the log-group wiring
// is shown; the S3 delivery bucket from the basic example is omitted here.
// NOTE(review): delivery to CloudWatch Logs also needs a role CloudTrail can
// assume (CloudWatchLogsRoleArn), which this snippet does not set.
return await Deployment.RunAsync(() =>
{
    var logGroup = new Aws.CloudWatch.LogGroup("exampleLogGroup");

    // CloudTrail requires the Log Stream wildcard (":*") after the group ARN.
    var trail = new Aws.CloudTrail.Trail("exampleTrail", new()
    {
        CloudWatchLogsGroupArn = Output.Format($"{logGroup.Arn}:*"),
    });
});
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/cloudtrail"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/cloudwatch"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// deploy registers a trail that also delivers to a CloudWatch Logs group. Only
// the log-group wiring is shown; the S3 delivery bucket from the basic example
// is omitted here.
// NOTE(review): delivery to CloudWatch Logs also needs a role CloudTrail can
// assume (CloudWatchLogsRoleArn), which this snippet does not set.
func deploy(ctx *pulumi.Context) error {
	logGroup, err := cloudwatch.NewLogGroup(ctx, "exampleLogGroup", nil)
	if err != nil {
		return err
	}
	// CloudTrail requires the Log Stream wildcard (":*") after the group ARN.
	groupWithStreams := logGroup.Arn.ApplyT(func(arn string) (string, error) {
		return fmt.Sprintf("%v:*", arn), nil
	}).(pulumi.StringOutput)
	_, err = cloudtrail.NewTrail(ctx, "exampleTrail", &cloudtrail.TrailArgs{
		CloudWatchLogsGroupArn: groupWithStreams,
	})
	return err
}

func main() {
	pulumi.Run(deploy)
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    // Builds a trail whose advanced event selectors log only selected S3 data events
    // (write operations on specific buckets/prefixes), keeping the trail focused and its
    // log volume bounded. Several identifiers below do not compile as written; see the notes.
    public static void stack(Context ctx) {
        // NOTE(review): hyphens are not legal in Java identifiers, and the value is referenced
        // below as important_bucket_1; rename this and the two below consistently (e.g. importantBucket1).
        final var important-bucket-1 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket-1")
            .build());

        final var important-bucket-2 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket-2")
            .build());

        final var important-bucket-3 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket-3")
            .build());

        // NOTE(review): TrailAdvancedEventSelectorFieldSelectorArgs is used below but is not
        // imported in this file (TrailAdvancedEventSelectorArgs is, from the same package).
        var example = new Trail("example", TrailArgs.builder()        
            .advancedEventSelectors(            
                // Selector 1: object writes (PutObject/DeleteObject) on two buckets.
                TrailAdvancedEventSelectorArgs.builder()
                    .fieldSelectors(                    
                        // eventCategory Data: this selector covers data (object-level) events.
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .equals("Data")
                            .field("eventCategory")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .equals(                            
                                "PutObject",
                                "DeleteObject")
                            .field("eventName")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .equals(                            
                                // NOTE(review): getBucket presumably returns an Output here, so calling
                                // .arn() on it directly may not compile; verify against the SDK.
                                String.format("%s/", important_bucket_1.arn()),
                                String.format("%s/", important_bucket_2.arn()))
                            .field("resources.ARN")
                            .build(),
                        // readOnly "false": write events, matching the PutObject/DeleteObject names above.
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .equals("false")
                            .field("readOnly")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .equals("AWS::S3::Object")
                            .field("resources.type")
                            .build())
                    .name("Log PutObject and DeleteObject events for two S3 buckets")
                    .build(),
                // Selector 2: any Delete* event under one prefix of a third bucket.
                TrailAdvancedEventSelectorArgs.builder()
                    .fieldSelectors(                    
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .equals("Data")
                            .field("eventCategory")
                            .build(),
                        // startsWith instead of equals: matches every event name beginning with "Delete".
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("eventName")
                            .startsWith("Delete")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .equals(String.format("%s/important-prefix", important_bucket_3.arn()))
                            .field("resources.ARN")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .equals("false")
                            .field("readOnly")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .equals("AWS::S3::Object")
                            .field("resources.type")
                            .build())
                    .name("Log Delete* events for one S3 bucket")
                    .build())
            .build());

    }
}
import pulumi
import pulumi_aws as aws

# Create a CloudWatch Logs log group and a CloudTrail trail that delivers to it.
example_log_group = aws.cloudwatch.LogGroup("exampleLogGroup")

# CloudTrail requires the log-stream wildcard suffix (":*") on the log group ARN.
log_group_arn = pulumi.Output.concat(example_log_group.arn, ":*")

# NOTE(review): the cloud_watch_logs_role_arn input documented on this page is normally
# required together with the group ARN so CloudTrail can write to the group — confirm.
example_trail = aws.cloudtrail.Trail("exampleTrail", cloud_watch_logs_group_arn=log_group_arn)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a CloudWatch Logs log group and a CloudTrail trail that delivers to it.
const exampleLogGroup = new aws.cloudwatch.LogGroup("exampleLogGroup", {});

// CloudTrail requires the log-stream wildcard suffix (":*") on the log group ARN.
const logGroupArn = pulumi.concat(exampleLogGroup.arn, ":*");

// NOTE(review): the cloudWatchLogsRoleArn input documented on this page is normally
// required together with the group ARN so CloudTrail can write to the group — confirm.
const exampleTrail = new aws.cloudtrail.Trail("exampleTrail", {
    cloudWatchLogsGroupArn: logGroupArn,
});
# Trail that logs only selected S3 data events via advanced event selectors,
# keeping the trail focused on write operations against specific buckets/prefixes.
resources:
  example:
    type: aws:cloudtrail:Trail
    properties:
      advancedEventSelectors:
        # Selector 1: object writes (PutObject/DeleteObject) on two buckets.
        - fieldSelectors:
            # eventCategory Data: this selector covers data (object-level) events.
            - equals:
                - Data
              field: eventCategory
            - equals:
                - PutObject
                - DeleteObject
              field: eventName
            # Bucket ARNs come from the getBucket invokes under `variables` below.
            # Presumably the trailing "/" scopes the match to objects within the bucket — verify.
            - equals:
                - ${["important-bucket-1"].arn}/
                - ${["important-bucket-2"].arn}/
              field: resources.ARN
            # Quoted so the value stays a string; a bare false would be a YAML boolean.
            # readOnly "false": write events, matching the PutObject/DeleteObject names above.
            - equals:
                - 'false'
              field: readOnly
            - equals:
                - AWS::S3::Object
              field: resources.type
          name: Log PutObject and DeleteObject events for two S3 buckets
        # Selector 2: any Delete* event under one prefix of a third bucket.
        - fieldSelectors:
            - equals:
                - Data
              field: eventCategory
            # startsWith instead of equals: matches every event name beginning with "Delete".
            - field: eventName
              startsWith:
                - Delete
            - equals:
                - ${["important-bucket-3"].arn}/important-prefix
              field: resources.ARN
            - equals:
                - 'false'
              field: readOnly
            - equals:
                - AWS::S3::Object
              field: resources.type
          name: Log Delete* events for one S3 bucket
# Existing buckets are looked up by name; their ARNs feed the selectors above.
variables:
  important-bucket-1:
    fn::invoke:
      Function: aws:s3:getBucket
      Arguments:
        bucket: important-bucket-1
  important-bucket-2:
    fn::invoke:
      Function: aws:s3:getBucket
      Arguments:
        bucket: important-bucket-2
  important-bucket-3:
    fn::invoke:
      Function: aws:s3:getBucket
      Arguments:
        bucket: important-bucket-3
Sending Events to CloudWatch Logs

Coming soon!

Coming soon!

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Creates a CloudWatch Logs log group and a CloudTrail trail that delivers to it. */
    public static void stack(Context ctx) {
        var logGroup = new LogGroup("exampleLogGroup");

        // CloudTrail requires the log-stream wildcard suffix (":*") on the log group ARN.
        var logGroupArn = logGroup.arn().applyValue(arn -> arn + ":*");

        // NOTE(review): the cloudWatchLogsRoleArn input documented on this page is normally
        // required together with the group ARN so CloudTrail can write to the group — confirm.
        var trail = new Trail("exampleTrail", TrailArgs.builder()
            .cloudWatchLogsGroupArn(logGroupArn)
            .build());
    }
}

Coming soon!

Coming soon!

# CloudWatch Logs log group plus a CloudTrail trail that delivers to it.
resources:
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
  exampleTrail:
    type: aws:cloudtrail:Trail
    properties:
      # CloudTrail requires the log-stream wildcard suffix (":*") on the log group ARN.
      # NOTE(review): the cloudWatchLogsRoleArn input documented on this page is normally
      # required together with the group ARN so CloudTrail can write to the group — confirm.
      cloudWatchLogsGroupArn: ${exampleLogGroup.arn}:*

Create Trail Resource

new Trail(name: string, args: TrailArgs, opts?: CustomResourceOptions);
@overload
def Trail(resource_name: str,
          opts: Optional[ResourceOptions] = None,
          advanced_event_selectors: Optional[Sequence[TrailAdvancedEventSelectorArgs]] = None,
          cloud_watch_logs_group_arn: Optional[str] = None,
          cloud_watch_logs_role_arn: Optional[str] = None,
          enable_log_file_validation: Optional[bool] = None,
          enable_logging: Optional[bool] = None,
          event_selectors: Optional[Sequence[TrailEventSelectorArgs]] = None,
          include_global_service_events: Optional[bool] = None,
          insight_selectors: Optional[Sequence[TrailInsightSelectorArgs]] = None,
          is_multi_region_trail: Optional[bool] = None,
          is_organization_trail: Optional[bool] = None,
          kms_key_id: Optional[str] = None,
          name: Optional[str] = None,
          s3_bucket_name: Optional[str] = None,
          s3_key_prefix: Optional[str] = None,
          sns_topic_name: Optional[str] = None,
          tags: Optional[Mapping[str, str]] = None)
@overload
def Trail(resource_name: str,
          args: TrailArgs,
          opts: Optional[ResourceOptions] = None)
func NewTrail(ctx *Context, name string, args TrailArgs, opts ...ResourceOption) (*Trail, error)
public Trail(string name, TrailArgs args, CustomResourceOptions? opts = null)
public Trail(String name, TrailArgs args)
public Trail(String name, TrailArgs args, CustomResourceOptions options)
type: aws:cloudtrail:Trail
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args TrailArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args TrailArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args TrailArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args TrailArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args TrailArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Trail Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Trail resource accepts the following input properties:

S3BucketName string

Name of the S3 bucket designated for publishing log files.

AdvancedEventSelectors List<TrailAdvancedEventSelectorArgs>

Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

CloudWatchLogsGroupArn string

ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the log stream wildcard suffix (`:*`) on this ARN.

CloudWatchLogsRoleArn string

Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

EnableLogFileValidation bool

Whether log file integrity validation is enabled. Defaults to false.

EnableLogging bool

Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

EventSelectors List<TrailEventSelectorArgs>

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

IncludeGlobalServiceEvents bool

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

InsightSelectors List<TrailInsightSelectorArgs>

Configuration block for identifying unusual operational activity. See details below.

IsMultiRegionTrail bool

Whether the trail is created in the current region or in all regions. Defaults to false.

IsOrganizationTrail bool

Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

KmsKeyId string

KMS key ARN to use to encrypt the logs delivered by CloudTrail.

Name string

Name of the trail.

S3KeyPrefix string

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

SnsTopicName string

Name of the Amazon SNS topic defined for notification of log file delivery.

Tags Dictionary<string, string>

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

S3BucketName string

Name of the S3 bucket designated for publishing log files.

AdvancedEventSelectors []TrailAdvancedEventSelectorArgs

Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

CloudWatchLogsGroupArn string

ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the log stream wildcard suffix (`:*`) on this ARN.

CloudWatchLogsRoleArn string

Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

EnableLogFileValidation bool

Whether log file integrity validation is enabled. Defaults to false.

EnableLogging bool

Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

EventSelectors []TrailEventSelectorArgs

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

IncludeGlobalServiceEvents bool

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

InsightSelectors []TrailInsightSelectorArgs

Configuration block for identifying unusual operational activity. See details below.

IsMultiRegionTrail bool

Whether the trail is created in the current region or in all regions. Defaults to false.

IsOrganizationTrail bool

Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

KmsKeyId string

KMS key ARN to use to encrypt the logs delivered by CloudTrail.

Name string

Name of the trail.

S3KeyPrefix string

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

SnsTopicName string

Name of the Amazon SNS topic defined for notification of log file delivery.

Tags map[string]string

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

s3BucketName String

Name of the S3 bucket designated for publishing log files.

advancedEventSelectors List<TrailAdvancedEventSelectorArgs>

Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

cloudWatchLogsGroupArn String

ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the log stream wildcard suffix (`:*`) on this ARN.

cloudWatchLogsRoleArn String

Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

enableLogFileValidation Boolean

Whether log file integrity validation is enabled. Defaults to false.

enableLogging Boolean

Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

eventSelectors List<TrailEventSelectorArgs>

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

includeGlobalServiceEvents Boolean

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

insightSelectors List<TrailInsightSelectorArgs>

Configuration block for identifying unusual operational activity. See details below.

isMultiRegionTrail Boolean

Whether the trail is created in the current region or in all regions. Defaults to false.

isOrganizationTrail Boolean

Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

kmsKeyId String

KMS key ARN to use to encrypt the logs delivered by CloudTrail.

name String

Name of the trail.

s3KeyPrefix String

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

snsTopicName String

Name of the Amazon SNS topic defined for notification of log file delivery.

tags Map<String,String>

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

s3BucketName string

Name of the S3 bucket designated for publishing log files.

advancedEventSelectors TrailAdvancedEventSelectorArgs[]

Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

cloudWatchLogsGroupArn string

ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the log stream wildcard suffix (`:*`) on this ARN.

cloudWatchLogsRoleArn string

Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

enableLogFileValidation boolean

Whether log file integrity validation is enabled. Defaults to false.

enableLogging boolean

Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

eventSelectors TrailEventSelectorArgs[]

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

includeGlobalServiceEvents boolean

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

insightSelectors TrailInsightSelectorArgs[]

Configuration block for identifying unusual operational activity. See details below.

isMultiRegionTrail boolean

Whether the trail is created in the current region or in all regions. Defaults to false.

isOrganizationTrail boolean

Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

kmsKeyId string

KMS key ARN to use to encrypt the logs delivered by CloudTrail.

name string

Name of the trail.

s3KeyPrefix string

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

snsTopicName string

Name of the Amazon SNS topic defined for notification of log file delivery.

tags {[key: string]: string}

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

s3_bucket_name str

Name of the S3 bucket designated for publishing log files.

advanced_event_selectors Sequence[TrailAdvancedEventSelectorArgs]

Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

cloud_watch_logs_group_arn str

ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the log stream wildcard suffix (`:*`) on this ARN.

cloud_watch_logs_role_arn str

Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

enable_log_file_validation bool

Whether log file integrity validation is enabled. Defaults to false.

enable_logging bool

Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

event_selectors Sequence[TrailEventSelectorArgs]

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

include_global_service_events bool

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

insight_selectors Sequence[TrailInsightSelectorArgs]

Configuration block for identifying unusual operational activity. See details below.

is_multi_region_trail bool

Whether the trail is created in the current region or in all regions. Defaults to false.

is_organization_trail bool

Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

kms_key_id str

KMS key ARN to use to encrypt the logs delivered by CloudTrail.

name str

Name of the trail.

s3_key_prefix str

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

sns_topic_name str

Name of the Amazon SNS topic defined for notification of log file delivery.

tags Mapping[str, str]

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

s3BucketName String

Name of the S3 bucket designated for publishing log files.

advancedEventSelectors List<Property Map>

Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

cloudWatchLogsGroupArn String

ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the log stream wildcard suffix (`:*`) on this ARN.

cloudWatchLogsRoleArn String

Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

enableLogFileValidation Boolean

Whether log file integrity validation is enabled. Defaults to false.

enableLogging Boolean

Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

eventSelectors List<Property Map>

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

includeGlobalServiceEvents Boolean

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

insightSelectors List<Property Map>

Configuration block for identifying unusual operational activity. See details below.

isMultiRegionTrail Boolean

Whether the trail is created in the current region or in all regions. Defaults to false.

isOrganizationTrail Boolean

Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

kmsKeyId String

KMS key ARN to use to encrypt the logs delivered by CloudTrail.

name String

Name of the trail.

s3KeyPrefix String

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

snsTopicName String

Name of the Amazon SNS topic defined for notification of log file delivery.

tags Map<String>

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Outputs

All input properties are implicitly available as output properties. Additionally, the Trail resource produces the following output properties:

Arn string

ARN of the trail.

HomeRegion string

Region in which the trail was created.

Id string

The provider-assigned unique ID for this managed resource.

TagsAll Dictionary<string, string>

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Arn string

ARN of the trail.

HomeRegion string

Region in which the trail was created.

Id string

The provider-assigned unique ID for this managed resource.

TagsAll map[string]string

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

arn String

ARN of the trail.

homeRegion String

Region in which the trail was created.

id String

The provider-assigned unique ID for this managed resource.

tagsAll Map<String,String>

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

arn string

ARN of the trail.

homeRegion string

Region in which the trail was created.

id string

The provider-assigned unique ID for this managed resource.

tagsAll {[key: string]: string}

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

arn str

ARN of the trail.

home_region str

Region in which the trail was created.

id str

The provider-assigned unique ID for this managed resource.

tags_all Mapping[str, str]

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

arn String

ARN of the trail.

homeRegion String

Region in which the trail was created.

id String

The provider-assigned unique ID for this managed resource.

tagsAll Map<String>

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Look up Existing Trail Resource

Get an existing Trail resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: TrailState, opts?: CustomResourceOptions): Trail
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        advanced_event_selectors: Optional[Sequence[TrailAdvancedEventSelectorArgs]] = None,
        arn: Optional[str] = None,
        cloud_watch_logs_group_arn: Optional[str] = None,
        cloud_watch_logs_role_arn: Optional[str] = None,
        enable_log_file_validation: Optional[bool] = None,
        enable_logging: Optional[bool] = None,
        event_selectors: Optional[Sequence[TrailEventSelectorArgs]] = None,
        home_region: Optional[str] = None,
        include_global_service_events: Optional[bool] = None,
        insight_selectors: Optional[Sequence[TrailInsightSelectorArgs]] = None,
        is_multi_region_trail: Optional[bool] = None,
        is_organization_trail: Optional[bool] = None,
        kms_key_id: Optional[str] = None,
        name: Optional[str] = None,
        s3_bucket_name: Optional[str] = None,
        s3_key_prefix: Optional[str] = None,
        sns_topic_name: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None) -> Trail
func GetTrail(ctx *Context, name string, id IDInput, state *TrailState, opts ...ResourceOption) (*Trail, error)
public static Trail Get(string name, Input<string> id, TrailState? state, CustomResourceOptions? opts = null)
public static Trail get(String name, Output<String> id, TrailState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AdvancedEventSelectors List<TrailAdvancedEventSelectorArgs>

Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

Arn string

ARN of the trail.

CloudWatchLogsGroupArn string

ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the log stream wildcard, i.e. the ARN must end in `:*`.

CloudWatchLogsRoleArn string

Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

EnableLogFileValidation bool

Whether log file integrity validation is enabled. Defaults to false. When enabled, CloudTrail delivers digest files alongside the logs so that later modification or deletion of a delivered log file can be detected; enable it for any trail that serves as an audit record.

EnableLogging bool

Enables logging for the trail. Defaults to true. Setting this to false will pause logging, leaving a gap in the audit record for as long as it stays disabled.

EventSelectors List<TrailEventSelectorArgs>

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

HomeRegion string

Region in which the trail was created.

IncludeGlobalServiceEvents bool

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

InsightSelectors List<TrailInsightSelectorArgs>

Configuration block for identifying unusual operational activity. See details below.

IsMultiRegionTrail bool

Whether the trail is created in the current region or in all regions. Defaults to false.

IsOrganizationTrail bool

Whether the trail is an AWS Organizations trail. Organization trails log events for the management (formerly "master") account and all member accounts. Can only be created in the organization management account. Defaults to false.

KmsKeyId string

KMS key ARN to use to encrypt the logs delivered by CloudTrail. The key policy must allow the CloudTrail service principal to use the key, otherwise creating the trail or delivering logs fails; anyone reading the logs will also need decrypt permission on this key.

Name string

Name of the trail.

S3BucketName string

Name of the S3 bucket designated for publishing log files.

S3KeyPrefix string

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

SnsTopicName string

Name of the Amazon SNS topic defined for notification of log file delivery.

Tags Dictionary<string, string>

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

TagsAll Dictionary<string, string>

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

AdvancedEventSelectors []TrailAdvancedEventSelectorArgs

Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

Arn string

ARN of the trail.

CloudWatchLogsGroupArn string

ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the log stream wildcard, i.e. the ARN must end in `:*`.

CloudWatchLogsRoleArn string

Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

EnableLogFileValidation bool

Whether log file integrity validation is enabled. Defaults to false. When enabled, CloudTrail delivers digest files alongside the logs so that later modification or deletion of a delivered log file can be detected; enable it for any trail that serves as an audit record.

EnableLogging bool

Enables logging for the trail. Defaults to true. Setting this to false will pause logging, leaving a gap in the audit record for as long as it stays disabled.

EventSelectors []TrailEventSelectorArgs

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

HomeRegion string

Region in which the trail was created.

IncludeGlobalServiceEvents bool

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

InsightSelectors []TrailInsightSelectorArgs

Configuration block for identifying unusual operational activity. See details below.

IsMultiRegionTrail bool

Whether the trail is created in the current region or in all regions. Defaults to false.

IsOrganizationTrail bool

Whether the trail is an AWS Organizations trail. Organization trails log events for the management (formerly "master") account and all member accounts. Can only be created in the organization management account. Defaults to false.

KmsKeyId string

KMS key ARN to use to encrypt the logs delivered by CloudTrail. The key policy must allow the CloudTrail service principal to use the key, otherwise creating the trail or delivering logs fails; anyone reading the logs will also need decrypt permission on this key.

Name string

Name of the trail.

S3BucketName string

Name of the S3 bucket designated for publishing log files.

S3KeyPrefix string

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

SnsTopicName string

Name of the Amazon SNS topic defined for notification of log file delivery.

Tags map[string]string

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

TagsAll map[string]string

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

advancedEventSelectors List<TrailAdvancedEventSelectorArgs>

Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

arn String

ARN of the trail.

cloudWatchLogsGroupArn String

ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the log stream wildcard, i.e. the ARN must end in `:*`.

cloudWatchLogsRoleArn String

Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

enableLogFileValidation Boolean

Whether log file integrity validation is enabled. Defaults to false. When enabled, CloudTrail delivers digest files alongside the logs so that later modification or deletion of a delivered log file can be detected; enable it for any trail that serves as an audit record.

enableLogging Boolean

Enables logging for the trail. Defaults to true. Setting this to false will pause logging, leaving a gap in the audit record for as long as it stays disabled.

eventSelectors List<TrailEventSelectorArgs>

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

homeRegion String

Region in which the trail was created.

includeGlobalServiceEvents Boolean

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

insightSelectors List<TrailInsightSelectorArgs>

Configuration block for identifying unusual operational activity. See details below.

isMultiRegionTrail Boolean

Whether the trail is created in the current region or in all regions. Defaults to false.

isOrganizationTrail Boolean

Whether the trail is an AWS Organizations trail. Organization trails log events for the management (formerly "master") account and all member accounts. Can only be created in the organization management account. Defaults to false.

kmsKeyId String

KMS key ARN to use to encrypt the logs delivered by CloudTrail. The key policy must allow the CloudTrail service principal to use the key, otherwise creating the trail or delivering logs fails; anyone reading the logs will also need decrypt permission on this key.

name String

Name of the trail.

s3BucketName String

Name of the S3 bucket designated for publishing log files.

s3KeyPrefix String

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

snsTopicName String

Name of the Amazon SNS topic defined for notification of log file delivery.

tags Map<String,String>

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tagsAll Map<String,String>

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

advancedEventSelectors TrailAdvancedEventSelectorArgs[]

Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

arn string

ARN of the trail.

cloudWatchLogsGroupArn string

ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the log stream wildcard, i.e. the ARN must end in `:*`.

cloudWatchLogsRoleArn string

Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

enableLogFileValidation boolean

Whether log file integrity validation is enabled. Defaults to false. When enabled, CloudTrail delivers digest files alongside the logs so that later modification or deletion of a delivered log file can be detected; enable it for any trail that serves as an audit record.

enableLogging boolean

Enables logging for the trail. Defaults to true. Setting this to false will pause logging, leaving a gap in the audit record for as long as it stays disabled.

eventSelectors TrailEventSelectorArgs[]

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

homeRegion string

Region in which the trail was created.

includeGlobalServiceEvents boolean

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

insightSelectors TrailInsightSelectorArgs[]

Configuration block for identifying unusual operational activity. See details below.

isMultiRegionTrail boolean

Whether the trail is created in the current region or in all regions. Defaults to false.

isOrganizationTrail boolean

Whether the trail is an AWS Organizations trail. Organization trails log events for the management (formerly "master") account and all member accounts. Can only be created in the organization management account. Defaults to false.

kmsKeyId string

KMS key ARN to use to encrypt the logs delivered by CloudTrail. The key policy must allow the CloudTrail service principal to use the key, otherwise creating the trail or delivering logs fails; anyone reading the logs will also need decrypt permission on this key.

name string

Name of the trail.

s3BucketName string

Name of the S3 bucket designated for publishing log files.

s3KeyPrefix string

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

snsTopicName string

Name of the Amazon SNS topic defined for notification of log file delivery.

tags {[key: string]: string}

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tagsAll {[key: string]: string}

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

advanced_event_selectors Sequence[TrailAdvancedEventSelectorArgs]

Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

arn str

ARN of the trail.

cloud_watch_logs_group_arn str

ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the log stream wildcard, i.e. the ARN must end in `:*`.

cloud_watch_logs_role_arn str

Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

enable_log_file_validation bool

Whether log file integrity validation is enabled. Defaults to false. When enabled, CloudTrail delivers digest files alongside the logs so that later modification or deletion of a delivered log file can be detected; enable it for any trail that serves as an audit record.

enable_logging bool

Enables logging for the trail. Defaults to true. Setting this to false will pause logging, leaving a gap in the audit record for as long as it stays disabled.

event_selectors Sequence[TrailEventSelectorArgs]

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

home_region str

Region in which the trail was created.

include_global_service_events bool

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

insight_selectors Sequence[TrailInsightSelectorArgs]

Configuration block for identifying unusual operational activity. See details below.

is_multi_region_trail bool

Whether the trail is created in the current region or in all regions. Defaults to false.

is_organization_trail bool

Whether the trail is an AWS Organizations trail. Organization trails log events for the management (formerly "master") account and all member accounts. Can only be created in the organization management account. Defaults to false.

kms_key_id str

KMS key ARN to use to encrypt the logs delivered by CloudTrail. The key policy must allow the CloudTrail service principal to use the key, otherwise creating the trail or delivering logs fails; anyone reading the logs will also need decrypt permission on this key.

name str

Name of the trail.

s3_bucket_name str

Name of the S3 bucket designated for publishing log files.

s3_key_prefix str

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

sns_topic_name str

Name of the Amazon SNS topic defined for notification of log file delivery.

tags Mapping[str, str]

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tags_all Mapping[str, str]

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

advancedEventSelectors List<Property Map>

Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

arn String

ARN of the trail.

cloudWatchLogsGroupArn String

ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the log stream wildcard, i.e. the ARN must end in `:*`.

cloudWatchLogsRoleArn String

Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

enableLogFileValidation Boolean

Whether log file integrity validation is enabled. Defaults to false. When enabled, CloudTrail delivers digest files alongside the logs so that later modification or deletion of a delivered log file can be detected; enable it for any trail that serves as an audit record.

enableLogging Boolean

Enables logging for the trail. Defaults to true. Setting this to false will pause logging, leaving a gap in the audit record for as long as it stays disabled.

eventSelectors List<Property Map>

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

homeRegion String

Region in which the trail was created.

includeGlobalServiceEvents Boolean

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

insightSelectors List<Property Map>

Configuration block for identifying unusual operational activity. See details below.

isMultiRegionTrail Boolean

Whether the trail is created in the current region or in all regions. Defaults to false.

isOrganizationTrail Boolean

Whether the trail is an AWS Organizations trail. Organization trails log events for the management (formerly "master") account and all member accounts. Can only be created in the organization management account. Defaults to false.

kmsKeyId String

KMS key ARN to use to encrypt the logs delivered by CloudTrail. The key policy must allow the CloudTrail service principal to use the key, otherwise creating the trail or delivering logs fails; anyone reading the logs will also need decrypt permission on this key.

name String

Name of the trail.

s3BucketName String

Name of the S3 bucket designated for publishing log files.

s3KeyPrefix String

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

snsTopicName String

Name of the Amazon SNS topic defined for notification of log file delivery.

tags Map<String>

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tagsAll Map<String>

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Supporting Types

TrailAdvancedEventSelector

FieldSelectors List<TrailAdvancedEventSelectorFieldSelector>

Specifies the selector statements in an advanced event selector. Fields documented below.

Name string

Name of this advanced event selector (a label for the selector itself, not the trail's name).

FieldSelectors []TrailAdvancedEventSelectorFieldSelector

Specifies the selector statements in an advanced event selector. Fields documented below.

Name string

Name of this advanced event selector (a label for the selector itself, not the trail's name).

fieldSelectors List<TrailAdvancedEventSelectorFieldSelector>

Specifies the selector statements in an advanced event selector. Fields documented below.

name String

Name of this advanced event selector (a label for the selector itself, not the trail's name).

fieldSelectors TrailAdvancedEventSelectorFieldSelector[]

Specifies the selector statements in an advanced event selector. Fields documented below.

name string

Name of this advanced event selector (a label for the selector itself, not the trail's name).

field_selectors Sequence[TrailAdvancedEventSelectorFieldSelector]

Specifies the selector statements in an advanced event selector. Fields documented below.

name str

Name of this advanced event selector (a label for the selector itself, not the trail's name).

fieldSelectors List<Property Map>

Specifies the selector statements in an advanced event selector. Fields documented below.

name String

Name of this advanced event selector (a label for the selector itself, not the trail's name).

TrailAdvancedEventSelectorFieldSelector

Field string

Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.

EndsWiths List<string>

A list of values that includes events that match the last few characters of the event record field specified as the value of field.

Equals List<string>

A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

NotEndsWiths List<string>

A list of values that excludes events that match the last few characters of the event record field specified as the value of field.

NotEquals List<string>

A list of values that excludes events that match the exact value of the event record field specified as the value of field.

NotStartsWiths List<string>

A list of values that excludes events that match the first few characters of the event record field specified as the value of field.

StartsWiths List<string>

A list of values that includes events that match the first few characters of the event record field specified as the value of field.

Field string

Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.

EndsWiths []string

A list of values that includes events that match the last few characters of the event record field specified as the value of field.

Equals []string

A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

NotEndsWiths []string

A list of values that excludes events that match the last few characters of the event record field specified as the value of field.

NotEquals []string

A list of values that excludes events that match the exact value of the event record field specified as the value of field.

NotStartsWiths []string

A list of values that excludes events that match the first few characters of the event record field specified as the value of field.

StartsWiths []string

A list of values that includes events that match the first few characters of the event record field specified as the value of field.

field String

Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.

endsWiths List<String>

A list of values that includes events that match the last few characters of the event record field specified as the value of field.

equals_ List<String>

A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

notEndsWiths List<String>

A list of values that excludes events that match the last few characters of the event record field specified as the value of field.

notEquals List<String>

A list of values that excludes events that match the exact value of the event record field specified as the value of field.

notStartsWiths List<String>

A list of values that excludes events that match the first few characters of the event record field specified as the value of field.

startsWiths List<String>

A list of values that includes events that match the first few characters of the event record field specified as the value of field.

field string

Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.

endsWiths string[]

A list of values that includes events that match the last few characters of the event record field specified as the value of field.

equals string[]

A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

notEndsWiths string[]

A list of values that excludes events that match the last few characters of the event record field specified as the value of field.

notEquals string[]

A list of values that excludes events that match the exact value of the event record field specified as the value of field.

notStartsWiths string[]

A list of values that excludes events that match the first few characters of the event record field specified as the value of field.

startsWiths string[]

A list of values that includes events that match the first few characters of the event record field specified as the value of field.

field str

Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.

ends_withs Sequence[str]

A list of values that includes events that match the last few characters of the event record field specified as the value of field.

equals Sequence[str]

A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

not_ends_withs Sequence[str]

A list of values that excludes events that match the last few characters of the event record field specified as the value of field.

not_equals Sequence[str]

A list of values that excludes events that match the exact value of the event record field specified as the value of field.

not_starts_withs Sequence[str]

A list of values that excludes events that match the first few characters of the event record field specified as the value of field.

starts_withs Sequence[str]

A list of values that includes events that match the first few characters of the event record field specified as the value of field.

field String

Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.

endsWiths List<String>

A list of values that includes events that match the last few characters of the event record field specified as the value of field.

equals List<String>

A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

notEndsWiths List<String>

A list of values that excludes events that match the last few characters of the event record field specified as the value of field.

notEquals List<String>

A list of values that excludes events that match the exact value of the event record field specified as the value of field.

notStartsWiths List<String>

A list of values that excludes events that match the first few characters of the event record field specified as the value of field.

startsWiths List<String>

A list of values that includes events that match the first few characters of the event record field specified as the value of field.

TrailEventSelector

DataResources List<TrailEventSelectorDataResource>

Configuration block for data events. See details below.

ExcludeManagementEventSources List<string>

A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set to true to allow this.

IncludeManagementEvents bool

Whether to include management events for your trail. Defaults to true.

ReadWriteType string

Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

DataResources []TrailEventSelectorDataResource

Configuration block for data events. See details below.

ExcludeManagementEventSources []string

A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set to true to allow this.

IncludeManagementEvents bool

Whether to include management events for your trail. Defaults to true.

ReadWriteType string

Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

dataResources List<TrailEventSelectorDataResource>

Configuration block for data events. See details below.

excludeManagementEventSources List<String>

A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set to true to allow this.

includeManagementEvents Boolean

Whether to include management events for your trail. Defaults to true.

readWriteType String

Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

dataResources TrailEventSelectorDataResource[]

Configuration block for data events. See details below.

excludeManagementEventSources string[]

A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set to true to allow this.

includeManagementEvents boolean

Whether to include management events for your trail. Defaults to true.

readWriteType string

Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

data_resources Sequence[TrailEventSelectorDataResource]

Configuration block for data events. See details below.

exclude_management_event_sources Sequence[str]

A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set to true to allow this.

include_management_events bool

Whether to include management events for your trail. Defaults to true.

read_write_type str

Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

dataResources List<Property Map>

Configuration block for data events. See details below.

excludeManagementEventSources List<String>

A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set to true to allow this.

includeManagementEvents Boolean

Whether to include management events for your trail. Defaults to true.

readWriteType String

Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

TrailEventSelectorDataResource

Type string

Resource type for which you want to log data events. You can specify only the following values: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".

Values List<string>

List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

Type string

Resource type for which you want to log data events. You can specify only the following values: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".

Values []string

List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

type String

Resource type for which you want to log data events. You can specify only the following values: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".

values List<String>

List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

type string

Resource type for which you want to log data events. You can specify only the following values: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".

values string[]

List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

type str

Resource type for which you want to log data events. You can specify only the following values: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".

values Sequence[str]

List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

type String

Resource type for which you want to log data events. You can specify only the following values: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".

values List<String>

List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

TrailInsightSelector

InsightType string

Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

InsightType string

Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

insightType String

Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

insightType string

Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

insight_type str

Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

insightType String

Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

Import

CloudTrail trails can be imported using the trail name, e.g.,

 $ pulumi import aws:cloudtrail/trail:Trail sample my-sample-trail

Package Details

Repository
AWS Classic pulumi/pulumi-aws
License
Apache-2.0
Notes

This Pulumi package is based on the aws Terraform Provider.