aws.cloudtrail.Trail
Provides a CloudTrail resource.
Tip: For a multi-region trail, this resource must be in the home region of the trail.
Tip: For an organization trail, this resource must be in the master account of the organization.
Example Usage
Basic
Enable CloudTrail to capture all compatible management events in the region.
To capture events from global services such as IAM, `includeGlobalServiceEvents` (`include_global_service_events` in Python) must be enabled; note that the example below leaves it disabled.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
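// Name and key prefix of the trail. Both are referenced from the bucket
// policy below, so they are declared once to keep the policy and the trail
// from drifting apart.
const trailName = "example";
const trailKeyPrefix = "prefix";

// Destination bucket for the trail's log files.
// NOTE: forceDestroy: true lets `pulumi destroy` delete the bucket together
// with every log object in it - convenient for a demo, not for an audit-log
// bucket you need to keep.
const exampleBucketV2 = new aws.s3.BucketV2("example", {
    bucket: "my-test-trail",
    forceDestroy: true,
});

// Account, partition and region of the deploying identity; used to build
// the ARN the trail will have once created.
const current = aws.getCallerIdentity({});
const currentGetPartition = aws.getPartition({});
const currentGetRegion = aws.getRegion({});

// ARN of the trail created at the bottom of this program. CloudTrail presents
// it as aws:SourceArn, so the bucket only accepts writes made on behalf of
// this specific trail and not any trail in any account.
const trailArn = pulumi
    .all([currentGetPartition, currentGetRegion, current])
    .apply(([partition, region, identity]) =>
        `arn:${partition.partition}:cloudtrail:${region.name}:${identity.accountId}:trail/${trailName}`);

// Object path CloudTrail writes to: <bucket>/<prefix>/AWSLogs/<account>/...
const logObjectArn = pulumi
    .all([exampleBucketV2.arn, current])
    .apply(([bucketArn, identity]) => `${bucketArn}/${trailKeyPrefix}/AWSLogs/${identity.accountId}/*`);

const cloudtrailPrincipal = {
    type: "Service",
    identifiers: ["cloudtrail.amazonaws.com"],
};
const sourceArnCondition = {
    test: "StringEquals",
    variable: "aws:SourceArn",
    values: [trailArn],
};

// Bucket policy CloudTrail requires: an ACL check on the bucket and PutObject
// on the log path only, both scoped to this trail via aws:SourceArn.
const example = aws.iam.getPolicyDocumentOutput({
    statements: [
        {
            sid: "AWSCloudTrailAclCheck",
            effect: "Allow",
            principals: [cloudtrailPrincipal],
            actions: ["s3:GetBucketAcl"],
            resources: [exampleBucketV2.arn],
            conditions: [sourceArnCondition],
        },
        {
            sid: "AWSCloudTrailWrite",
            effect: "Allow",
            principals: [cloudtrailPrincipal],
            actions: ["s3:PutObject"],
            resources: [logObjectArn],
            conditions: [
                {
                    test: "StringEquals",
                    variable: "s3:x-amz-acl",
                    values: ["bucket-owner-full-control"],
                },
                sourceArnCondition,
            ],
        },
    ],
});

const exampleBucketPolicy = new aws.s3.BucketPolicy("example", {
    bucket: exampleBucketV2.id,
    policy: example.apply(doc => doc.json),
});

// includeGlobalServiceEvents is false here, so events from global services
// such as IAM are not captured by this trail.
const exampleTrail = new aws.cloudtrail.Trail("example", {
    name: trailName,
    s3BucketName: exampleBucketV2.id,
    s3KeyPrefix: trailKeyPrefix,
    includeGlobalServiceEvents: false,
}, {
    // The bucket policy must exist before CloudTrail validates the bucket.
    dependsOn: [exampleBucketPolicy],
});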
import pulumi
import pulumi_aws as aws
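# Name and key prefix of the trail. Both appear in the bucket policy below,
# so they are declared once to keep policy and trail from drifting apart.
trail_name = "example"
trail_key_prefix = "prefix"

# Destination bucket for the trail's log files.
# NOTE: force_destroy=True lets `pulumi destroy` remove the bucket together
# with every log object in it - fine for a demo, not for an audit-log bucket
# you need to keep.
example_bucket_v2 = aws.s3.BucketV2("example",
    bucket="my-test-trail",
    force_destroy=True)

# Account, partition and region of the deploying identity.
current = aws.get_caller_identity()
current_get_partition = aws.get_partition()
current_get_region = aws.get_region()

# ARN the trail will have once created. CloudTrail presents it as
# aws:SourceArn, so the bucket only accepts writes made on behalf of this
# specific trail and not any trail in any account.
trail_arn = f"arn:{current_get_partition.partition}:cloudtrail:{current_get_region.name}:{current.account_id}:trail/{trail_name}"

# Object path CloudTrail writes to: <bucket>/<prefix>/AWSLogs/<account>/...
log_object_arn = example_bucket_v2.arn.apply(
    lambda arn: f"{arn}/{trail_key_prefix}/AWSLogs/{current.account_id}/*")

cloudtrail_principal = {
    "type": "Service",
    "identifiers": ["cloudtrail.amazonaws.com"],
}
source_arn_condition = {
    "test": "StringEquals",
    "variable": "aws:SourceArn",
    "values": [trail_arn],
}

# Bucket policy CloudTrail requires: an ACL check on the bucket and PutObject
# on the log path only, both scoped to this trail via aws:SourceArn.
example = aws.iam.get_policy_document_output(statements=[
    {
        "sid": "AWSCloudTrailAclCheck",
        "effect": "Allow",
        "principals": [cloudtrail_principal],
        "actions": ["s3:GetBucketAcl"],
        "resources": [example_bucket_v2.arn],
        "conditions": [source_arn_condition],
    },
    {
        "sid": "AWSCloudTrailWrite",
        "effect": "Allow",
        "principals": [cloudtrail_principal],
        "actions": ["s3:PutObject"],
        "resources": [log_object_arn],
        "conditions": [
            {
                "test": "StringEquals",
                "variable": "s3:x-amz-acl",
                "values": ["bucket-owner-full-control"],
            },
            source_arn_condition,
        ],
    },
])
example_bucket_policy = aws.s3.BucketPolicy("example",
    bucket=example_bucket_v2.id,
    policy=example.json)

# include_global_service_events=False: events from global services such as
# IAM are not captured by this trail.
example_trail = aws.cloudtrail.Trail("example",
    name=trail_name,
    s3_bucket_name=example_bucket_v2.id,
    s3_key_prefix=trail_key_prefix,
    include_global_service_events=False,
    # The bucket policy must be in place before CloudTrail validates the bucket.
    opts=pulumi.ResourceOptions(depends_on=[example_bucket_policy]))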
package main
import (
	"fmt"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
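func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Name and key prefix of the trail. Both appear in the bucket policy
		// below, so they are declared once to keep policy and trail in sync.
		const trailName = "example"
		const trailKeyPrefix = "prefix"

		// Destination bucket for the trail's log files.
		// NOTE: ForceDestroy lets `pulumi destroy` delete the bucket together
		// with every log object in it - fine for a demo, not for an audit-log
		// bucket you need to keep.
		exampleBucketV2, err := s3.NewBucketV2(ctx, "example", &s3.BucketV2Args{
			Bucket:       pulumi.String("my-test-trail"),
			ForceDestroy: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}

		// Account, partition and region of the deploying identity.
		current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
		if err != nil {
			return err
		}
		currentGetPartition, err := aws.GetPartition(ctx, &aws.GetPartitionArgs{}, nil)
		if err != nil {
			return err
		}
		currentGetRegion, err := aws.GetRegion(ctx, &aws.GetRegionArgs{}, nil)
		if err != nil {
			return err
		}

		// ARN the trail will have once created. CloudTrail presents it as
		// aws:SourceArn, so the bucket only accepts writes made on behalf of
		// this specific trail and not any trail in any account.
		trailArn := pulumi.Sprintf("arn:%v:cloudtrail:%v:%v:trail/%v",
			currentGetPartition.Partition, currentGetRegion.Name, current.AccountId, trailName)

		// Object path CloudTrail writes to: <bucket>/<prefix>/AWSLogs/<account>/...
		logObjectArn := exampleBucketV2.Arn.ApplyT(func(arn string) (string, error) {
			return fmt.Sprintf("%v/%v/AWSLogs/%v/*", arn, trailKeyPrefix, current.AccountId), nil
		}).(pulumi.StringOutput)

		cloudtrailPrincipal := &iam.GetPolicyDocumentStatementPrincipalArgs{
			Type: pulumi.String("Service"),
			Identifiers: pulumi.StringArray{
				pulumi.String("cloudtrail.amazonaws.com"),
			},
		}
		sourceArnCondition := &iam.GetPolicyDocumentStatementConditionArgs{
			Test:     pulumi.String("StringEquals"),
			Variable: pulumi.String("aws:SourceArn"),
			Values:   pulumi.StringArray{trailArn},
		}

		// Bucket policy CloudTrail requires: an ACL check on the bucket and
		// PutObject on the log path only, both scoped to this trail via
		// aws:SourceArn.
		example := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
			Statements: iam.GetPolicyDocumentStatementArray{
				&iam.GetPolicyDocumentStatementArgs{
					Sid:        pulumi.String("AWSCloudTrailAclCheck"),
					Effect:     pulumi.String("Allow"),
					Principals: iam.GetPolicyDocumentStatementPrincipalArray{cloudtrailPrincipal},
					Actions:    pulumi.StringArray{pulumi.String("s3:GetBucketAcl")},
					Resources:  pulumi.StringArray{exampleBucketV2.Arn},
					Conditions: iam.GetPolicyDocumentStatementConditionArray{sourceArnCondition},
				},
				&iam.GetPolicyDocumentStatementArgs{
					Sid:        pulumi.String("AWSCloudTrailWrite"),
					Effect:     pulumi.String("Allow"),
					Principals: iam.GetPolicyDocumentStatementPrincipalArray{cloudtrailPrincipal},
					Actions:    pulumi.StringArray{pulumi.String("s3:PutObject")},
					Resources:  pulumi.StringArray{logObjectArn},
					Conditions: iam.GetPolicyDocumentStatementConditionArray{
						&iam.GetPolicyDocumentStatementConditionArgs{
							Test:     pulumi.String("StringEquals"),
							Variable: pulumi.String("s3:x-amz-acl"),
							Values:   pulumi.StringArray{pulumi.String("bucket-owner-full-control")},
						},
						sourceArnCondition,
					},
				},
			},
		}, nil)

		exampleBucketPolicy, err := s3.NewBucketPolicy(ctx, "example", &s3.BucketPolicyArgs{
			Bucket: exampleBucketV2.ID(),
			// Json() yields the rendered policy document as a StringOutput;
			// wrapping a StringPtrOutput in pulumi.String() does not compile.
			Policy: example.Json(),
		})
		if err != nil {
			return err
		}

		// IncludeGlobalServiceEvents is false here, so events from global
		// services such as IAM are not captured by this trail.
		_, err = cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
			Name:                       pulumi.String(trailName),
			S3BucketName:               exampleBucketV2.ID(),
			S3KeyPrefix:                pulumi.String(trailKeyPrefix),
			IncludeGlobalServiceEvents: pulumi.Bool(false),
		}, pulumi.DependsOn([]pulumi.Resource{
			// The bucket policy must exist before CloudTrail validates the bucket.
			exampleBucketPolicy,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}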
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
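return await Deployment.RunAsync(() => 
{
    // Name and key prefix of the trail. Both appear in the bucket policy
    // below, so they are declared once to keep policy and trail in sync.
    const string trailName = "example";
    const string trailKeyPrefix = "prefix";

    // Destination bucket for the trail's log files.
    // NOTE: ForceDestroy lets `pulumi destroy` delete the bucket together with
    // every log object in it - fine for a demo, not for an audit-log bucket
    // you need to keep.
    var exampleBucketV2 = new Aws.S3.BucketV2("example", new()
    {
        Bucket = "my-test-trail",
        ForceDestroy = true,
    });

    // Account, partition and region of the deploying identity.
    var current = Aws.GetCallerIdentity.Invoke();
    var currentGetPartition = Aws.GetPartition.Invoke();
    var currentGetRegion = Aws.GetRegion.Invoke();

    // ARN the trail will have once created. CloudTrail presents it as
    // aws:SourceArn, so the bucket only accepts writes made on behalf of this
    // specific trail. Output.Format resolves the Output<> arguments; plain
    // string interpolation would embed the Output object's type name instead.
    var trailArn = Output.Format($"arn:{currentGetPartition.Apply(r => r.Partition)}:cloudtrail:{currentGetRegion.Apply(r => r.Name)}:{current.Apply(r => r.AccountId)}:trail/{trailName}");

    // Object path CloudTrail writes to: <bucket>/<prefix>/AWSLogs/<account>/...
    var logObjectArn = Output.Format($"{exampleBucketV2.Arn}/{trailKeyPrefix}/AWSLogs/{current.Apply(r => r.AccountId)}/*");

    var cloudtrailPrincipal = new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
    {
        Type = "Service",
        Identifiers = new[] { "cloudtrail.amazonaws.com" },
    };
    var sourceArnCondition = new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
    {
        Test = "StringEquals",
        Variable = "aws:SourceArn",
        Values = new[] { trailArn },
    };

    // Bucket policy CloudTrail requires: an ACL check on the bucket and
    // PutObject on the log path only, both scoped to this trail via
    // aws:SourceArn.
    var example = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Sid = "AWSCloudTrailAclCheck",
                Effect = "Allow",
                Principals = new[] { cloudtrailPrincipal },
                Actions = new[] { "s3:GetBucketAcl" },
                Resources = new[] { exampleBucketV2.Arn },
                Conditions = new[] { sourceArnCondition },
            },
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Sid = "AWSCloudTrailWrite",
                Effect = "Allow",
                Principals = new[] { cloudtrailPrincipal },
                Actions = new[] { "s3:PutObject" },
                Resources = new[] { logObjectArn },
                Conditions = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                    {
                        Test = "StringEquals",
                        Variable = "s3:x-amz-acl",
                        Values = new[] { "bucket-owner-full-control" },
                    },
                    sourceArnCondition,
                },
            },
        },
    });

    var exampleBucketPolicy = new Aws.S3.BucketPolicy("example", new()
    {
        Bucket = exampleBucketV2.Id,
        Policy = example.Apply(r => r.Json),
    });

    // IncludeGlobalServiceEvents = false: events from global services such as
    // IAM are not captured by this trail.
    var exampleTrail = new Aws.CloudTrail.Trail("example", new()
    {
        Name = trailName,
        S3BucketName = exampleBucketV2.Id,
        S3KeyPrefix = trailKeyPrefix,
        IncludeGlobalServiceEvents = false,
    }, new CustomResourceOptions
    {
        // The bucket policy must exist before CloudTrail validates the bucket.
        DependsOn = { exampleBucketPolicy },
    });
});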
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.inputs.GetPartitionArgs;
import com.pulumi.aws.inputs.GetRegionArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
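public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a log bucket, the bucket policy CloudTrail requires, and a trail
     * that writes to the bucket.
     *
     * NOTE(review): GetPolicyDocumentStatementArgs,
     * GetPolicyDocumentStatementPrincipalArgs and
     * GetPolicyDocumentStatementConditionArgs are referenced unqualified below
     * and are not in the import list; they live in the same
     * com.pulumi.aws.iam.inputs package as GetPolicyDocumentArgs.
     */
    public static void stack(Context ctx) {
        // Name and key prefix of the trail. Both appear in the bucket policy,
        // so they are declared once to keep policy and trail in sync.
        final var trailName = "example";
        final var trailKeyPrefix = "prefix";

        // Destination bucket. forceDestroy(true) lets `pulumi destroy` delete
        // the bucket with every log object in it - fine for a demo, not for an
        // audit-log bucket you need to keep.
        var exampleBucketV2 = new BucketV2("exampleBucketV2", BucketV2Args.builder()
            .bucket("my-test-trail")
            .forceDestroy(true)
            .build());

        // Account, partition and region of the deploying identity.
        final var current = AwsFunctions.getCallerIdentity();
        final var currentGetPartition = AwsFunctions.getPartition();
        final var currentGetRegion = AwsFunctions.getRegion();

        // ARN the trail will have once created. CloudTrail presents it as
        // aws:SourceArn, so the bucket only accepts writes made on behalf of
        // this specific trail. Output.format resolves the Output arguments;
        // String.format would embed the Output object's toString() instead.
        final var trailArn = Output.format("arn:%s:cloudtrail:%s:%s:trail/%s",
            currentGetPartition.applyValue(r -> r.partition()),
            currentGetRegion.applyValue(r -> r.name()),
            current.applyValue(r -> r.accountId()),
            trailName);

        // Object path CloudTrail writes to: <bucket>/<prefix>/AWSLogs/<account>/...
        final var logObjectArn = Output.format("%s/%s/AWSLogs/%s/*",
            exampleBucketV2.arn(),
            trailKeyPrefix,
            current.applyValue(r -> r.accountId()));

        final var cloudtrailPrincipal = GetPolicyDocumentStatementPrincipalArgs.builder()
            .type("Service")
            .identifiers("cloudtrail.amazonaws.com")
            .build();
        final var sourceArnCondition = GetPolicyDocumentStatementConditionArgs.builder()
            .test("StringEquals")
            .variable("aws:SourceArn")
            .values(trailArn.applyValue(arn -> List.of(arn)))
            .build();

        // Bucket policy CloudTrail requires: an ACL check on the bucket and
        // PutObject on the log path only, both scoped to this trail via
        // aws:SourceArn.
        final var example = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                GetPolicyDocumentStatementArgs.builder()
                    .sid("AWSCloudTrailAclCheck")
                    .effect("Allow")
                    .principals(cloudtrailPrincipal)
                    .actions("s3:GetBucketAcl")
                    .resources(exampleBucketV2.arn().applyValue(arn -> List.of(arn)))
                    .conditions(sourceArnCondition)
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .sid("AWSCloudTrailWrite")
                    .effect("Allow")
                    .principals(cloudtrailPrincipal)
                    .actions("s3:PutObject")
                    .resources(logObjectArn.applyValue(arn -> List.of(arn)))
                    .conditions(
                        GetPolicyDocumentStatementConditionArgs.builder()
                            .test("StringEquals")
                            .variable("s3:x-amz-acl")
                            .values("bucket-owner-full-control")
                            .build(),
                        sourceArnCondition)
                    .build())
            .build());

        var exampleBucketPolicy = new BucketPolicy("exampleBucketPolicy", BucketPolicyArgs.builder()
            .bucket(exampleBucketV2.id())
            .policy(example.applyValue(r -> r.json()))
            .build());

        // includeGlobalServiceEvents(false): events from global services such
        // as IAM are not captured by this trail.
        var exampleTrail = new Trail("exampleTrail", TrailArgs.builder()
            .name(trailName)
            .s3BucketName(exampleBucketV2.id())
            .s3KeyPrefix(trailKeyPrefix)
            .includeGlobalServiceEvents(false)
            .build(), CustomResourceOptions.builder()
                // The bucket policy must exist before CloudTrail validates the bucket.
                .dependsOn(exampleBucketPolicy)
                .build());
    }
}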
# Basic trail: a log bucket, the bucket policy CloudTrail requires, and the
# trail itself. The trail name ("example") and s3KeyPrefix ("prefix") are
# repeated inside the policy document under `variables` and must be kept in
# sync with the trail properties.
resources:
  exampleTrail:
    type: aws:cloudtrail:Trail
    name: example
    properties:
      name: example
      s3BucketName: ${exampleBucketV2.id}
      s3KeyPrefix: prefix
      # false: events from global services such as IAM are not captured.
      includeGlobalServiceEvents: false
    options:
      # The bucket policy must exist before CloudTrail validates the bucket.
      dependsOn:
        - ${exampleBucketPolicy}
  exampleBucketV2:
    type: aws:s3:BucketV2
    name: example
    properties:
      bucket: my-test-trail
      # Lets `pulumi destroy` delete the bucket together with every log object
      # in it - fine for a demo, not for an audit-log bucket you need to keep.
      forceDestroy: true
  exampleBucketPolicy:
    type: aws:s3:BucketPolicy
    name: example
    properties:
      bucket: ${exampleBucketV2.id}
      policy: ${example.json}
variables:
  # Bucket policy CloudTrail requires: an ACL check on the bucket and PutObject
  # on the log path only, both scoped to this trail through aws:SourceArn so
  # that only this trail (not any trail in any account) can write here.
  example:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - sid: AWSCloudTrailAclCheck
            effect: Allow
            principals:
              - type: Service
                identifiers:
                  - cloudtrail.amazonaws.com
            actions:
              - s3:GetBucketAcl
            resources:
              - ${exampleBucketV2.arn}
            conditions:
              - test: StringEquals
                variable: aws:SourceArn
                values:
                  # Must match the trail's name, region and account exactly.
                  - arn:${currentGetPartition.partition}:cloudtrail:${currentGetRegion.name}:${current.accountId}:trail/example
          - sid: AWSCloudTrailWrite
            effect: Allow
            principals:
              - type: Service
                identifiers:
                  - cloudtrail.amazonaws.com
            actions:
              - s3:PutObject
            resources:
              # Only the <prefix>/AWSLogs/<account>/ path, not the whole bucket.
              - ${exampleBucketV2.arn}/prefix/AWSLogs/${current.accountId}/*
            conditions:
              - test: StringEquals
                variable: s3:x-amz-acl
                values:
                  - bucket-owner-full-control
              - test: StringEquals
                variable: aws:SourceArn
                values:
                  - arn:${currentGetPartition.partition}:cloudtrail:${currentGetRegion.name}:${current.accountId}:trail/example
  # Account, partition and region of the deploying identity, used to build the
  # trail ARN above.
  current:
    fn::invoke:
      function: aws:getCallerIdentity
      arguments: {}
  currentGetPartition:
    fn::invoke:
      function: aws:getPartition
      arguments: {}
  currentGetRegion:
    fn::invoke:
      function: aws:getRegion
      arguments: {}
Data Event Logging
CloudTrail can log Data Events for certain services such as S3 objects and Lambda function invocations. Additional information about data event configuration can be found in the following links:
- CloudTrail API DataResource documentation (for basic event selector).
- CloudTrail API AdvancedFieldSelector documentation (for advanced event selector).
Logging All Lambda Function Invocations By Using Basic Event Selectors
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Basic event selector: management events plus every Lambda function
// invocation, reads and writes alike. NOTE(review): the data resource value
// spells the "aws" partition literally; confirm it matches the partition the
// trail is deployed in.
const lambdaInvocations = {
    type: "AWS::Lambda::Function",
    values: ["arn:aws:lambda"],
};
const example = new aws.cloudtrail.Trail("example", {
    eventSelectors: [{
        readWriteType: "All",
        includeManagementEvents: true,
        dataResources: [lambdaInvocations],
    }],
});
import pulumi
import pulumi_aws as aws
# Basic event selector: management events plus every Lambda function
# invocation, reads and writes alike. NOTE(review): the data resource value
# spells the "aws" partition literally; confirm it matches the partition the
# trail is deployed in.
lambda_invocations = {
    "type": "AWS::Lambda::Function",
    "values": ["arn:aws:lambda"],
}
example = aws.cloudtrail.Trail(
    "example",
    event_selectors=[{
        "read_write_type": "All",
        "include_management_events": True,
        "data_resources": [lambda_invocations],
    }],
)
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Basic event selector: management events plus every Lambda function
		// invocation, reads and writes alike. NOTE(review): the data resource
		// value spells the "aws" partition literally; confirm it matches the
		// partition the trail is deployed in.
		lambdaInvocations := &cloudtrail.TrailEventSelectorDataResourceArgs{
			Type:   pulumi.String("AWS::Lambda::Function"),
			Values: pulumi.StringArray{pulumi.String("arn:aws:lambda")},
		}
		selector := &cloudtrail.TrailEventSelectorArgs{
			ReadWriteType:           pulumi.String("All"),
			IncludeManagementEvents: pulumi.Bool(true),
			DataResources:           cloudtrail.TrailEventSelectorDataResourceArray{lambdaInvocations},
		}
		if _, err := cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
			EventSelectors: cloudtrail.TrailEventSelectorArray{selector},
		}); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() => 
{
    // Basic event selector: management events plus every Lambda function
    // invocation, reads and writes alike. NOTE(review): the data resource
    // value spells the "aws" partition literally; confirm it matches the
    // partition the trail is deployed in.
    var lambdaInvocations = new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
    {
        Type = "AWS::Lambda::Function",
        Values = new[] { "arn:aws:lambda" },
    };
    var selector = new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
    {
        ReadWriteType = "All",
        IncludeManagementEvents = true,
        DataResources = new[] { lambdaInvocations },
    };
    var example = new Aws.CloudTrail.Trail("example", new()
    {
        EventSelectors = new[] { selector },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Basic event selector: management events plus every Lambda function
     * invocation, reads and writes alike.
     *
     * NOTE(review): TrailEventSelectorDataResourceArgs is referenced
     * unqualified below and is not in the import list; it lives in the same
     * com.pulumi.aws.cloudtrail.inputs package as TrailEventSelectorArgs.
     * The data resource value spells the "aws" partition literally; confirm
     * it matches the partition the trail is deployed in.
     */
    public static void stack(Context ctx) {
        final var lambdaInvocations = TrailEventSelectorDataResourceArgs.builder()
            .type("AWS::Lambda::Function")
            .values("arn:aws:lambda")
            .build();
        final var selector = TrailEventSelectorArgs.builder()
            .readWriteType("All")
            .includeManagementEvents(true)
            .dataResources(lambdaInvocations)
            .build();
        var example = new Trail("example", TrailArgs.builder()
            .eventSelectors(selector)
            .build());
    }
}
# Basic event selector: management events plus every Lambda function
# invocation, reads and writes alike. NOTE(review): "arn:aws:lambda" spells
# the "aws" partition literally; confirm it matches the deployment partition.
resources:
  example:
    type: aws:cloudtrail:Trail
    properties:
      eventSelectors:
        - readWriteType: All
          includeManagementEvents: true
          dataResources:
            - type: AWS::Lambda::Function
              values:
                - arn:aws:lambda
Logging All S3 Object Events By Using Basic Event Selectors
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Basic event selector: management events plus every S3 object-level event
// in every bucket, reads and writes alike. NOTE(review): the data resource
// value spells the "aws" partition literally; confirm it matches the
// partition the trail is deployed in.
const allS3Objects = {
    type: "AWS::S3::Object",
    values: ["arn:aws:s3"],
};
const example = new aws.cloudtrail.Trail("example", {
    eventSelectors: [{
        readWriteType: "All",
        includeManagementEvents: true,
        dataResources: [allS3Objects],
    }],
});
import pulumi
import pulumi_aws as aws
# Basic event selector: management events plus every S3 object-level event
# in every bucket, reads and writes alike. NOTE(review): the data resource
# value spells the "aws" partition literally; confirm it matches the
# partition the trail is deployed in.
all_s3_objects = {
    "type": "AWS::S3::Object",
    "values": ["arn:aws:s3"],
}
example = aws.cloudtrail.Trail(
    "example",
    event_selectors=[{
        "read_write_type": "All",
        "include_management_events": True,
        "data_resources": [all_s3_objects],
    }],
)
package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Basic event selector: management events plus every S3 object-level
		// event in every bucket, reads and writes alike. NOTE(review): the
		// data resource value spells the "aws" partition literally; confirm
		// it matches the partition the trail is deployed in.
		allS3Objects := &cloudtrail.TrailEventSelectorDataResourceArgs{
			Type:   pulumi.String("AWS::S3::Object"),
			Values: pulumi.StringArray{pulumi.String("arn:aws:s3")},
		}
		selector := &cloudtrail.TrailEventSelectorArgs{
			ReadWriteType:           pulumi.String("All"),
			IncludeManagementEvents: pulumi.Bool(true),
			DataResources:           cloudtrail.TrailEventSelectorDataResourceArray{allS3Objects},
		}
		if _, err := cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
			EventSelectors: cloudtrail.TrailEventSelectorArray{selector},
		}); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() => 
{
    // Basic event selector: management events plus every S3 object-level
    // event in every bucket, reads and writes alike. NOTE(review): the data
    // resource value spells the "aws" partition literally; confirm it matches
    // the partition the trail is deployed in.
    var allS3Objects = new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
    {
        Type = "AWS::S3::Object",
        Values = new[] { "arn:aws:s3" },
    };
    var selector = new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
    {
        ReadWriteType = "All",
        IncludeManagementEvents = true,
        DataResources = new[] { allS3Objects },
    };
    var example = new Aws.CloudTrail.Trail("example", new()
    {
        EventSelectors = new[] { selector },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Basic event selector: management events plus every S3 object-level
     * event in every bucket, reads and writes alike.
     *
     * NOTE(review): TrailEventSelectorDataResourceArgs is referenced
     * unqualified below and is not in the import list; it lives in the same
     * com.pulumi.aws.cloudtrail.inputs package as TrailEventSelectorArgs.
     * The data resource value spells the "aws" partition literally; confirm
     * it matches the partition the trail is deployed in.
     */
    public static void stack(Context ctx) {
        final var allS3Objects = TrailEventSelectorDataResourceArgs.builder()
            .type("AWS::S3::Object")
            .values("arn:aws:s3")
            .build();
        final var selector = TrailEventSelectorArgs.builder()
            .readWriteType("All")
            .includeManagementEvents(true)
            .dataResources(allS3Objects)
            .build();
        var example = new Trail("example", TrailArgs.builder()
            .eventSelectors(selector)
            .build());
    }
}
# Basic event selector: management events plus every S3 object-level event in
# every bucket, reads and writes alike. NOTE(review): "arn:aws:s3" spells the
# "aws" partition literally; confirm it matches the deployment partition.
resources:
  example:
    type: aws:cloudtrail:Trail
    properties:
      eventSelectors:
        - readWriteType: All
          includeManagementEvents: true
          dataResources:
            - type: AWS::S3::Object
              values:
                - arn:aws:s3
Logging Individual S3 Bucket Events By Using Basic Event Selectors
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Resolve the existing bucket; its ARN scopes the data events below.
const important_bucket = aws.s3.getBucket({ bucket: "important-bucket" });
// The trailing "/" after the bucket ARN selects the objects inside the
// bucket rather than the bucket itself.
const bucketObjectsArn = important_bucket.then(({ arn }) => `${arn}/`);
const example = new aws.cloudtrail.Trail("example", {
    eventSelectors: [{
        readWriteType: "All",
        includeManagementEvents: true,
        dataResources: [{
            type: "AWS::S3::Object",
            values: [bucketObjectsArn],
        }],
    }],
});
import pulumi
import pulumi_aws as aws
# Resolve the existing bucket; its ARN scopes the data events below.
important_bucket = aws.s3.get_bucket(bucket="important-bucket")
# The trailing "/" after the bucket ARN selects the objects inside the
# bucket rather than the bucket itself.
bucket_objects_arn = f"{important_bucket.arn}/"
example = aws.cloudtrail.Trail(
    "example",
    event_selectors=[{
        "read_write_type": "All",
        "include_management_events": True,
        "data_resources": [{
            "type": "AWS::S3::Object",
            "values": [bucket_objects_arn],
        }],
    }],
)
package main
import (
	"fmt"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resolve the existing bucket; its ARN scopes the data events below.
		importantBucket, err := s3.LookupBucket(ctx, &s3.LookupBucketArgs{Bucket: "important-bucket"}, nil)
		if err != nil {
			return err
		}
		// The trailing "/" after the bucket ARN selects the objects inside the
		// bucket rather than the bucket itself.
		bucketObjects := &cloudtrail.TrailEventSelectorDataResourceArgs{
			Type:   pulumi.String("AWS::S3::Object"),
			Values: pulumi.StringArray{pulumi.Sprintf("%v/", importantBucket.Arn)},
		}
		selector := &cloudtrail.TrailEventSelectorArgs{
			ReadWriteType:           pulumi.String("All"),
			IncludeManagementEvents: pulumi.Bool(true),
			DataResources:           cloudtrail.TrailEventSelectorDataResourceArray{bucketObjects},
		}
		if _, err = cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
			EventSelectors: cloudtrail.TrailEventSelectorArray{selector},
		}); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
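return await Deployment.RunAsync(() => 
{
    // Resolve the existing bucket; its ARN scopes the data events below.
    var important_bucket = Aws.S3.GetBucket.Invoke(new()
    {
        Bucket = "important-bucket",
    });

    // The trailing "/" after the bucket ARN selects the objects inside the
    // bucket rather than the bucket itself. The Apply callback receives the
    // resolved GetBucketResult, so Arn is read directly; a nested Apply on the
    // result does not exist and would not compile.
    var bucketObjectsArn = important_bucket.Apply(r => $"{r.Arn}/");

    var example = new Aws.CloudTrail.Trail("example", new()
    {
        EventSelectors = new[]
        {
            new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
            {
                ReadWriteType = "All",
                IncludeManagementEvents = true,
                DataResources = new[]
                {
                    new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
                    {
                        Type = "AWS::S3::Object",
                        Values = new[] { bucketObjectsArn },
                    },
                },
            },
        },
    });
});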
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
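public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a trail that records all S3 object-level (data) events for one existing
     * bucket alongside management events.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // A Java identifier cannot contain '-', so the lookup is bound to a camelCase local.
        final var importantBucket = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket")
            .build());
        // getBucket returns an Output, so the ARN is only reachable through applyValue.
        // The trailing "/" selects every object key in the bucket.
        final var objectPrefix = importantBucket.applyValue(
            bucket -> List.of(String.format("%s/", bucket.arn())));
        var example = new Trail("example", TrailArgs.builder()
            .eventSelectors(TrailEventSelectorArgs.builder()
                .readWriteType("All")
                .includeManagementEvents(true)
                // Fully qualified because the generated import list omits this input type.
                .dataResources(com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorDataResourceArgs.builder()
                    .type("AWS::S3::Object")
                    .values(objectPrefix)
                    .build())
                .build())
            .build());
    }
}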
# Trail that records data events for every object in one existing bucket.
resources:
  example:
    type: aws:cloudtrail:Trail
    properties:
      eventSelectors:
        - readWriteType: All
          includeManagementEvents: true
          dataResources:
            - type: AWS::S3::Object
              values:
                # Trailing "/" selects every object key in the bucket looked up below.
                - ${["important-bucket"].arn}/
variables:
  # Hyphenated variable names are referenced with the ${["..."]} form above.
  important-bucket:
    fn::invoke:
      function: aws:s3:getBucket
      arguments:
        bucket: important-bucket
Logging All S3 Object Events Except For Two S3 Buckets By Using Advanced Event Selectors
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Existing buckets whose object-level events the trail must NOT record.
const not_important_bucket_1 = aws.s3.getBucket({ bucket: "not-important-bucket-1" });
const not_important_bucket_2 = aws.s3.getBucket({ bucket: "not-important-bucket-2" });
// "<arn>/" is the prefix that covers every object key in a bucket.
const objectPrefix = (lookup: Promise<aws.s3.GetBucketResult>) =>
    lookup.then((bucket) => `${bucket.arn}/`);
const example = new aws.cloudtrail.Trail("example", {
    advancedEventSelectors: [
        {
            name: "Log all S3 objects events except for two S3 buckets",
            fieldSelectors: [
                { field: "eventCategory", equals: ["Data"] },
                // Exclusion: objects whose ARN starts with either prefix are dropped from the trail.
                {
                    field: "resources.ARN",
                    notStartsWiths: [objectPrefix(not_important_bucket_1), objectPrefix(not_important_bucket_2)],
                },
                { field: "resources.type", equals: ["AWS::S3::Object"] },
            ],
        },
        {
            name: "Log readOnly and writeOnly management events",
            fieldSelectors: [{ field: "eventCategory", equals: ["Management"] }],
        },
    ],
});
import pulumi
import pulumi_aws as aws
# Existing buckets whose object-level events the trail must NOT record.
not_important_bucket_1 = aws.s3.get_bucket(bucket="not-important-bucket-1")
not_important_bucket_2 = aws.s3.get_bucket(bucket="not-important-bucket-2")
# get_bucket is synchronous here, so "<arn>/" can be built with a plain f-string;
# the trailing "/" covers every object key in the bucket.
_excluded_object_prefixes = [
    f"{bucket.arn}/" for bucket in (not_important_bucket_1, not_important_bucket_2)
]
example = aws.cloudtrail.Trail(
    "example",
    advanced_event_selectors=[
        {
            "name": "Log all S3 objects events except for two S3 buckets",
            "field_selectors": [
                {"field": "eventCategory", "equals": ["Data"]},
                # Exclusion: objects under either prefix are dropped from the trail.
                {"field": "resources.ARN", "not_starts_withs": _excluded_object_prefixes},
                {"field": "resources.type", "equals": ["AWS::S3::Object"]},
            ],
        },
        {
            "name": "Log readOnly and writeOnly management events",
            "field_selectors": [{"field": "eventCategory", "equals": ["Management"]}],
        },
    ],
)
package main
import (
	"fmt"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
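// main registers a trail whose advanced event selectors record every S3 object
// data event except those under two excluded buckets, plus all management events.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// lookupObjectPrefix resolves an existing bucket and returns "<arn>/", the
		// prefix form the resources.ARN selector below matches against.
		lookupObjectPrefix := func(name string) (pulumi.StringInput, error) {
			bucket, err := s3.LookupBucket(ctx, &s3.LookupBucketArgs{
				Bucket: name,
			}, nil)
			if err != nil {
				return nil, err
			}
			// LookupBucket returns a plain result, so fmt is enough here; this is also
			// the only use of the "fmt" import, which Go rejects when left unused.
			return pulumi.String(fmt.Sprintf("%s/", bucket.Arn)), nil
		}
		notImportantBucket1, err := lookupObjectPrefix("not-important-bucket-1")
		if err != nil {
			return err
		}
		notImportantBucket2, err := lookupObjectPrefix("not-important-bucket-2")
		if err != nil {
			return err
		}
		_, err = cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
			AdvancedEventSelectors: cloudtrail.TrailAdvancedEventSelectorArray{
				&cloudtrail.TrailAdvancedEventSelectorArgs{
					Name: pulumi.String("Log all S3 objects events except for two S3 buckets"),
					FieldSelectors: cloudtrail.TrailAdvancedEventSelectorFieldSelectorArray{
						&cloudtrail.TrailAdvancedEventSelectorFieldSelectorArgs{
							Field:  pulumi.String("eventCategory"),
							Equals: pulumi.StringArray{pulumi.String("Data")},
						},
						&cloudtrail.TrailAdvancedEventSelectorFieldSelectorArgs{
							// Exclusion: objects under these prefixes are NOT recorded.
							Field:          pulumi.String("resources.ARN"),
							NotStartsWiths: pulumi.StringArray{notImportantBucket1, notImportantBucket2},
						},
						&cloudtrail.TrailAdvancedEventSelectorFieldSelectorArgs{
							Field:  pulumi.String("resources.type"),
							Equals: pulumi.StringArray{pulumi.String("AWS::S3::Object")},
						},
					},
				},
				&cloudtrail.TrailAdvancedEventSelectorArgs{
					Name: pulumi.String("Log readOnly and writeOnly management events"),
					FieldSelectors: cloudtrail.TrailAdvancedEventSelectorFieldSelectorArray{
						&cloudtrail.TrailAdvancedEventSelectorFieldSelectorArgs{
							Field:  pulumi.String("eventCategory"),
							Equals: pulumi.StringArray{pulumi.String("Management")},
						},
					},
				},
			},
		})
		return err
	})
}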
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
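return await Deployment.RunAsync(() => 
{
    // Existing buckets whose object-level events the trail must NOT record.
    var notImportantBucket1 = Aws.S3.GetBucket.Invoke(new()
    {
        Bucket = "not-important-bucket-1",
    });
    var notImportantBucket2 = Aws.S3.GetBucket.Invoke(new()
    {
        Bucket = "not-important-bucket-2",
    });
    var example = new Aws.CloudTrail.Trail("example", new()
    {
        AdvancedEventSelectors = new[]
        {
            new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorArgs
            {
                Name = "Log all S3 objects events except for two S3 buckets",
                FieldSelectors = new[]
                {
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "eventCategory",
                        Equals = new[] { "Data" },
                    },
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        // Exclusion: objects under either prefix are dropped from the trail.
                        Field = "resources.ARN",
                        // One Apply per lookup. The original nested a second Apply inside the
                        // interpolation, which stringifies an Output<string> instead of the ARN.
                        NotStartsWiths = new[]
                        {
                            notImportantBucket1.Apply(getBucketResult => $"{getBucketResult.Arn}/"),
                            notImportantBucket2.Apply(getBucketResult => $"{getBucketResult.Arn}/"),
                        },
                    },
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "resources.type",
                        Equals = new[] { "AWS::S3::Object" },
                    },
                },
            },
            new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorArgs
            {
                Name = "Log readOnly and writeOnly management events",
                FieldSelectors = new[]
                {
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "eventCategory",
                        Equals = new[] { "Management" },
                    },
                },
            },
        },
    });
});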
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
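public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a trail that records every S3 object data event except those under two
     * excluded buckets, plus all management events.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Java identifiers cannot contain '-', so the lookups are bound to camelCase locals.
        final var notImportantBucket1 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("not-important-bucket-1")
            .build());
        final var notImportantBucket2 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("not-important-bucket-2")
            .build());
        // getBucket returns an Output, so the ARNs are only reachable through applyValue;
        // Output.all folds the two "<arn>/" prefixes into one Output<List<String>>.
        final var excludedPrefixes = Output.all(
            notImportantBucket1.applyValue(bucket -> String.format("%s/", bucket.arn())),
            notImportantBucket2.applyValue(bucket -> String.format("%s/", bucket.arn())));
        var example = new Trail("example", TrailArgs.builder()
            .advancedEventSelectors(
                TrailAdvancedEventSelectorArgs.builder()
                    .name("Log all S3 objects events except for two S3 buckets")
                    .fieldSelectors(
                        fieldSelector("eventCategory").equals("Data").build(),
                        // Exclusion: objects under either prefix are dropped from the trail.
                        fieldSelector("resources.ARN").notStartsWiths(excludedPrefixes).build(),
                        fieldSelector("resources.type").equals("AWS::S3::Object").build())
                    .build(),
                TrailAdvancedEventSelectorArgs.builder()
                    .name("Log readOnly and writeOnly management events")
                    .fieldSelectors(fieldSelector("eventCategory").equals("Management").build())
                    .build())
            .build());
    }

    /**
     * Starts a field-selector builder for {@code field}. The input type is fully qualified
     * because the generated import list omits it.
     * NOTE(review): the page chains {@code .equals(...)} on this builder; a method literally
     * named equals(String...) clashes with Object.equals(Object), so confirm the generated
     * SDK's actual method name before relying on that call.
     */
    private static com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorFieldSelectorArgs.Builder fieldSelector(String field) {
        return com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorFieldSelectorArgs.builder().field(field);
    }
}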
# Trail that records every S3 object data event except those under two excluded
# buckets, plus all management events.
resources:
  example:
    type: aws:cloudtrail:Trail
    properties:
      advancedEventSelectors:
        - name: Log all S3 objects events except for two S3 buckets
          fieldSelectors:
            - field: eventCategory
              equals:
                - Data
            # Exclusion: objects whose ARN starts with either prefix are dropped.
            - field: resources.ARN
              notStartsWiths:
                - ${["not-important-bucket-1"].arn}/
                - ${["not-important-bucket-2"].arn}/
            - field: resources.type
              equals:
                - AWS::S3::Object
        - name: Log readOnly and writeOnly management events
          fieldSelectors:
            - field: eventCategory
              equals:
                - Management
variables:
  # Hyphenated variable names are referenced with the ${["..."]} form above.
  not-important-bucket-1:
    fn::invoke:
      function: aws:s3:getBucket
      arguments:
        bucket: not-important-bucket-1
  not-important-bucket-2:
    fn::invoke:
      function: aws:s3:getBucket
      arguments:
        bucket: not-important-bucket-2
Logging Individual S3 Buckets And Specific Event Names By Using Advanced Event Selectors
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Existing buckets whose object-level write events the trail must record.
const important_bucket_1 = aws.s3.getBucket({ bucket: "important-bucket-1" });
const important_bucket_2 = aws.s3.getBucket({ bucket: "important-bucket-2" });
const important_bucket_3 = aws.s3.getBucket({ bucket: "important-bucket-3" });
// "<arn>/" covers every key in a bucket; "<arn>/<suffix>" narrows it to one prefix.
const objectPrefix = (lookup: Promise<aws.s3.GetBucketResult>, suffix = "") =>
    lookup.then((bucket) => `${bucket.arn}/${suffix}`);
// Selectors shared by both rules: S3 object data events that are not read-only.
const writeOnlyObjectEvents = [
    { field: "readOnly", equals: ["false"] },
    { field: "resources.type", equals: ["AWS::S3::Object"] },
];
const example = new aws.cloudtrail.Trail("example", {
    advancedEventSelectors: [
        {
            name: "Log PutObject and DeleteObject events for two S3 buckets",
            fieldSelectors: [
                { field: "eventCategory", equals: ["Data"] },
                { field: "eventName", equals: ["PutObject", "DeleteObject"] },
                {
                    field: "resources.ARN",
                    startsWiths: [objectPrefix(important_bucket_1), objectPrefix(important_bucket_2)],
                },
                ...writeOnlyObjectEvents,
            ],
        },
        {
            name: "Log Delete* events for one S3 bucket",
            fieldSelectors: [
                { field: "eventCategory", equals: ["Data"] },
                { field: "eventName", startsWiths: ["Delete"] },
                { field: "resources.ARN", equals: [objectPrefix(important_bucket_3, "important-prefix")] },
                ...writeOnlyObjectEvents,
            ],
        },
    ],
});
import pulumi
import pulumi_aws as aws
# Existing buckets whose object-level write events the trail must record.
important_bucket_1 = aws.s3.get_bucket(bucket="important-bucket-1")
important_bucket_2 = aws.s3.get_bucket(bucket="important-bucket-2")
important_bucket_3 = aws.s3.get_bucket(bucket="important-bucket-3")
# Selectors shared by both rules: S3 object data events that are not read-only.
_write_only_object_events = [
    {"field": "readOnly", "equals": ["false"]},
    {"field": "resources.type", "equals": ["AWS::S3::Object"]},
]
example = aws.cloudtrail.Trail(
    "example",
    advanced_event_selectors=[
        {
            "name": "Log PutObject and DeleteObject events for two S3 buckets",
            "field_selectors": [
                {"field": "eventCategory", "equals": ["Data"]},
                {"field": "eventName", "equals": ["PutObject", "DeleteObject"]},
                # "<arn>/" covers every object key in each bucket.
                {
                    "field": "resources.ARN",
                    "starts_withs": [f"{important_bucket_1.arn}/", f"{important_bucket_2.arn}/"],
                },
                *_write_only_object_events,
            ],
        },
        {
            "name": "Log Delete* events for one S3 bucket",
            "field_selectors": [
                {"field": "eventCategory", "equals": ["Data"]},
                {"field": "eventName", "starts_withs": ["Delete"]},
                # Exact match on one prefix inside the third bucket.
                {"field": "resources.ARN", "equals": [f"{important_bucket_3.arn}/important-prefix"]},
                *_write_only_object_events,
            ],
        },
    ],
)
package main
import (
	"fmt"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
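// main registers a trail with two advanced event selectors: PutObject/DeleteObject
// under two buckets, and any Delete* call under one prefix of a third bucket. Both
// are limited to non-read-only S3 object data events.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// lookupObjectPrefix resolves an existing bucket and returns "<arn>/<suffix>",
		// the form the resources.ARN selectors below match against.
		lookupObjectPrefix := func(name, suffix string) (pulumi.StringInput, error) {
			bucket, err := s3.LookupBucket(ctx, &s3.LookupBucketArgs{
				Bucket: name,
			}, nil)
			if err != nil {
				return nil, err
			}
			// LookupBucket returns a plain result, so fmt is enough here; this is also
			// the only use of the "fmt" import, which Go rejects when left unused.
			return pulumi.String(fmt.Sprintf("%s/%s", bucket.Arn, suffix)), nil
		}
		importantBucket1, err := lookupObjectPrefix("important-bucket-1", "")
		if err != nil {
			return err
		}
		importantBucket2, err := lookupObjectPrefix("important-bucket-2", "")
		if err != nil {
			return err
		}
		importantBucket3, err := lookupObjectPrefix("important-bucket-3", "important-prefix")
		if err != nil {
			return err
		}
		// Selectors shared by both rules: S3 object data events that are not read-only.
		writeOnly := &cloudtrail.TrailAdvancedEventSelectorFieldSelectorArgs{
			Field:  pulumi.String("readOnly"),
			Equals: pulumi.StringArray{pulumi.String("false")},
		}
		s3Object := &cloudtrail.TrailAdvancedEventSelectorFieldSelectorArgs{
			Field:  pulumi.String("resources.type"),
			Equals: pulumi.StringArray{pulumi.String("AWS::S3::Object")},
		}
		dataEvents := &cloudtrail.TrailAdvancedEventSelectorFieldSelectorArgs{
			Field:  pulumi.String("eventCategory"),
			Equals: pulumi.StringArray{pulumi.String("Data")},
		}
		_, err = cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
			AdvancedEventSelectors: cloudtrail.TrailAdvancedEventSelectorArray{
				&cloudtrail.TrailAdvancedEventSelectorArgs{
					Name: pulumi.String("Log PutObject and DeleteObject events for two S3 buckets"),
					FieldSelectors: cloudtrail.TrailAdvancedEventSelectorFieldSelectorArray{
						dataEvents,
						&cloudtrail.TrailAdvancedEventSelectorFieldSelectorArgs{
							Field:  pulumi.String("eventName"),
							Equals: pulumi.StringArray{pulumi.String("PutObject"), pulumi.String("DeleteObject")},
						},
						&cloudtrail.TrailAdvancedEventSelectorFieldSelectorArgs{
							Field:       pulumi.String("resources.ARN"),
							StartsWiths: pulumi.StringArray{importantBucket1, importantBucket2},
						},
						writeOnly,
						s3Object,
					},
				},
				&cloudtrail.TrailAdvancedEventSelectorArgs{
					Name: pulumi.String("Log Delete* events for one S3 bucket"),
					FieldSelectors: cloudtrail.TrailAdvancedEventSelectorFieldSelectorArray{
						dataEvents,
						&cloudtrail.TrailAdvancedEventSelectorFieldSelectorArgs{
							Field:       pulumi.String("eventName"),
							StartsWiths: pulumi.StringArray{pulumi.String("Delete")},
						},
						&cloudtrail.TrailAdvancedEventSelectorFieldSelectorArgs{
							Field:  pulumi.String("resources.ARN"),
							Equals: pulumi.StringArray{importantBucket3},
						},
						writeOnly,
						s3Object,
					},
				},
			},
		})
		return err
	})
}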
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
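return await Deployment.RunAsync(() => 
{
    // Existing buckets whose object-level write events the trail must record.
    var importantBucket1 = Aws.S3.GetBucket.Invoke(new()
    {
        Bucket = "important-bucket-1",
    });
    var importantBucket2 = Aws.S3.GetBucket.Invoke(new()
    {
        Bucket = "important-bucket-2",
    });
    var importantBucket3 = Aws.S3.GetBucket.Invoke(new()
    {
        Bucket = "important-bucket-3",
    });
    var example = new Aws.CloudTrail.Trail("example", new()
    {
        AdvancedEventSelectors = new[]
        {
            new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorArgs
            {
                Name = "Log PutObject and DeleteObject events for two S3 buckets",
                FieldSelectors = new[]
                {
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "eventCategory",
                        Equals = new[] { "Data" },
                    },
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "eventName",
                        Equals = new[] { "PutObject", "DeleteObject" },
                    },
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "resources.ARN",
                        // One Apply per lookup. The original nested a second Apply inside the
                        // interpolation, which stringifies an Output<string> instead of the ARN.
                        // The trailing "/" covers every object key in each bucket.
                        StartsWiths = new[]
                        {
                            importantBucket1.Apply(getBucketResult => $"{getBucketResult.Arn}/"),
                            importantBucket2.Apply(getBucketResult => $"{getBucketResult.Arn}/"),
                        },
                    },
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "readOnly",
                        Equals = new[] { "false" },
                    },
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "resources.type",
                        Equals = new[] { "AWS::S3::Object" },
                    },
                },
            },
            new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorArgs
            {
                Name = "Log Delete* events for one S3 bucket",
                FieldSelectors = new[]
                {
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "eventCategory",
                        Equals = new[] { "Data" },
                    },
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "eventName",
                        StartsWiths = new[] { "Delete" },
                    },
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "resources.ARN",
                        // Exact match on one prefix inside the third bucket; same single-Apply fix.
                        Equals = new[]
                        {
                            importantBucket3.Apply(getBucketResult => $"{getBucketResult.Arn}/important-prefix"),
                        },
                    },
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "readOnly",
                        Equals = new[] { "false" },
                    },
                    new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                    {
                        Field = "resources.type",
                        Equals = new[] { "AWS::S3::Object" },
                    },
                },
            },
        },
    });
});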
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
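public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a trail with two advanced event selectors: PutObject/DeleteObject under two
     * buckets, and any Delete* call under one prefix of a third bucket. Both selectors are
     * limited to non-read-only S3 object data events.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Java identifiers cannot contain '-', so the lookups are bound to camelCase locals.
        final var importantBucket1 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket-1")
            .build());
        final var importantBucket2 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket-2")
            .build());
        final var importantBucket3 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket-3")
            .build());
        // getBucket returns an Output, so the ARNs are only reachable through applyValue.
        // "<arn>/" covers every key in a bucket; Output.all folds both into one list.
        final var bucketPrefixes = Output.all(
            importantBucket1.applyValue(bucket -> String.format("%s/", bucket.arn())),
            importantBucket2.applyValue(bucket -> String.format("%s/", bucket.arn())));
        final var prefixedObjects = importantBucket3.applyValue(
            bucket -> List.of(String.format("%s/important-prefix", bucket.arn())));
        var example = new Trail("example", TrailArgs.builder()
            .advancedEventSelectors(
                TrailAdvancedEventSelectorArgs.builder()
                    .name("Log PutObject and DeleteObject events for two S3 buckets")
                    .fieldSelectors(
                        fieldSelector("eventCategory").equals("Data").build(),
                        fieldSelector("eventName").equals("PutObject", "DeleteObject").build(),
                        fieldSelector("resources.ARN").startsWiths(bucketPrefixes).build(),
                        fieldSelector("readOnly").equals("false").build(),
                        fieldSelector("resources.type").equals("AWS::S3::Object").build())
                    .build(),
                TrailAdvancedEventSelectorArgs.builder()
                    .name("Log Delete* events for one S3 bucket")
                    .fieldSelectors(
                        fieldSelector("eventCategory").equals("Data").build(),
                        fieldSelector("eventName").startsWiths("Delete").build(),
                        fieldSelector("resources.ARN").equals(prefixedObjects).build(),
                        fieldSelector("readOnly").equals("false").build(),
                        fieldSelector("resources.type").equals("AWS::S3::Object").build())
                    .build())
            .build());
    }

    /**
     * Starts a field-selector builder for {@code field}. The input type is fully qualified
     * because the generated import list omits it.
     * NOTE(review): the page chains {@code .equals(...)} on this builder; a method literally
     * named equals(String...) clashes with Object.equals(Object), so confirm the generated
     * SDK's actual method name before relying on that call.
     */
    private static com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorFieldSelectorArgs.Builder fieldSelector(String field) {
        return com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorFieldSelectorArgs.builder().field(field);
    }
}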
# Trail with two advanced event selectors: PutObject/DeleteObject under two buckets,
# and any Delete* call under one prefix of a third bucket. Both selectors are limited
# to non-read-only S3 object data events.
resources:
  example:
    type: aws:cloudtrail:Trail
    properties:
      advancedEventSelectors:
        - name: Log PutObject and DeleteObject events for two S3 buckets
          fieldSelectors:
            - field: eventCategory
              equals:
                - Data
            - field: eventName
              equals:
                - PutObject
                - DeleteObject
            # "<arn>/" covers every object key in each bucket.
            - field: resources.ARN
              startsWiths:
                - ${["important-bucket-1"].arn}/
                - ${["important-bucket-2"].arn}/
            # Quoted so YAML keeps the string "false" rather than a boolean.
            - field: readOnly
              equals:
                - 'false'
            - field: resources.type
              equals:
                - AWS::S3::Object
        - name: Log Delete* events for one S3 bucket
          fieldSelectors:
            - field: eventCategory
              equals:
                - Data
            - field: eventName
              startsWiths:
                - Delete
            # Exact match on one prefix inside the third bucket.
            - field: resources.ARN
              equals:
                - ${["important-bucket-3"].arn}/important-prefix
            - field: readOnly
              equals:
                - 'false'
            - field: resources.type
              equals:
                - AWS::S3::Object
variables:
  # Hyphenated variable names are referenced with the ${["..."]} form above.
  important-bucket-1:
    fn::invoke:
      function: aws:s3:getBucket
      arguments:
        bucket: important-bucket-1
  important-bucket-2:
    fn::invoke:
      function: aws:s3:getBucket
      arguments:
        bucket: important-bucket-2
  important-bucket-3:
    fn::invoke:
      function: aws:s3:getBucket
      arguments:
        bucket: important-bucket-3
Sending Events to CloudWatch Logs
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Log group that will receive a copy of every event the trail records.
const example = new aws.cloudwatch.LogGroup("example", { name: "Example" });
// CloudTrail takes the log-group ARN with a trailing ":*" (all log streams).
const logGroupTarget = example.arn.apply((arn) => `${arn}:*`);
// NOTE(review): the constructor reference on this page also lists cloudWatchLogsRoleArn;
// confirm whether a delivery role is required alongside the group ARN before relying on this.
const exampleTrail = new aws.cloudtrail.Trail("example", { cloudWatchLogsGroupArn: logGroupTarget });
import pulumi
import pulumi_aws as aws
# Log group that will receive a copy of every event the trail records.
example = aws.cloudwatch.LogGroup("example", name="Example")
# CloudTrail takes the log-group ARN with a trailing ":*" (all log streams).
_log_group_target = example.arn.apply(lambda arn: arn + ":*")
# NOTE(review): the constructor reference on this page also lists cloud_watch_logs_role_arn;
# confirm whether a delivery role is required alongside the group ARN before relying on this.
example_trail = aws.cloudtrail.Trail("example", cloud_watch_logs_group_arn=_log_group_target)
package main
import (
	"fmt"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudtrail"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a log group and a trail that forwards its events to that group.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		logGroup, err := cloudwatch.NewLogGroup(ctx, "example", &cloudwatch.LogGroupArgs{
			Name: pulumi.String("Example"),
		})
		if err != nil {
			return err
		}
		// CloudTrail takes the log-group ARN with a trailing ":*" (all log streams).
		// NOTE(review): the constructor reference on this page also lists
		// CloudWatchLogsRoleArn; confirm whether a delivery role is required too.
		logGroupTarget := logGroup.Arn.ApplyT(func(arn string) string {
			return fmt.Sprintf("%s:*", arn)
		}).(pulumi.StringOutput)
		_, err = cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
			CloudWatchLogsGroupArn: logGroupTarget,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() => 
{
    // Log group that will receive a copy of every event the trail records.
    var logGroup = new Aws.CloudWatch.LogGroup("example", new()
    {
        Name = "Example",
    });
    // CloudTrail takes the log-group ARN with a trailing ":*" (all log streams).
    // NOTE(review): the constructor reference on this page also lists CloudWatchLogsRoleArn;
    // confirm whether a delivery role is required alongside the group ARN.
    var logGroupTarget = logGroup.Arn.Apply(arn => arn + ":*");
    var exampleTrail = new Aws.CloudTrail.Trail("example", new()
    {
        CloudWatchLogsGroupArn = logGroupTarget,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.cloudwatch.LogGroupArgs;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares a log group and a trail that delivers to it. */
    public static void stack(Context ctx) {
        // Log group that will receive the trail's events.
        var example = new LogGroup("example", LogGroupArgs.builder()
            .name("Example")
            .build());

        // CloudTrail requires the log-stream wildcard (":*") on the group ARN,
        // so the delivery target is derived from the group's ARN output.
        // NOTE(review): the Trail reference lists s3BucketName as required and
        // cloudWatchLogsRoleArn as the role CloudWatch Logs assumes to write to
        // the group; this excerpt shows only the log-group wiring.
        var logGroupArn = example.arn().applyValue(arn -> arn + ":*");

        var exampleTrail = new Trail("exampleTrail", TrailArgs.builder()
            .cloudWatchLogsGroupArn(logGroupArn)
            .build());
    }
}
resources:
  # Log group that will receive the trail's events.
  example:
    type: aws:cloudwatch:LogGroup
    properties:
      name: Example
  # NOTE(review): the Trail reference lists s3BucketName as required and
  # cloudWatchLogsRoleArn as the role CloudWatch Logs assumes to write to the
  # group; this excerpt shows only the log-group wiring.
  exampleTrail:
    type: aws:cloudtrail:Trail
    name: example
    properties:
      # CloudTrail requires the log-stream wildcard (":*") on the group ARN.
      cloudWatchLogsGroupArn: ${example.arn}:*
Create Trail Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Trail(name: string, args: TrailArgs, opts?: CustomResourceOptions);
@overload
def Trail(resource_name: str,
          args: TrailArgs,
          opts: Optional[ResourceOptions] = None)
@overload
def Trail(resource_name: str,
          opts: Optional[ResourceOptions] = None,
          s3_bucket_name: Optional[str] = None,
          enable_logging: Optional[bool] = None,
          is_organization_trail: Optional[bool] = None,
          enable_log_file_validation: Optional[bool] = None,
          advanced_event_selectors: Optional[Sequence[TrailAdvancedEventSelectorArgs]] = None,
          event_selectors: Optional[Sequence[TrailEventSelectorArgs]] = None,
          include_global_service_events: Optional[bool] = None,
          cloud_watch_logs_role_arn: Optional[str] = None,
          is_multi_region_trail: Optional[bool] = None,
          insight_selectors: Optional[Sequence[TrailInsightSelectorArgs]] = None,
          kms_key_id: Optional[str] = None,
          name: Optional[str] = None,
          cloud_watch_logs_group_arn: Optional[str] = None,
          s3_key_prefix: Optional[str] = None,
          sns_topic_name: Optional[str] = None,
          tags: Optional[Mapping[str, str]] = None)
func NewTrail(ctx *Context, name string, args TrailArgs, opts ...ResourceOption) (*Trail, error)
public Trail(string name, TrailArgs args, CustomResourceOptions? opts = null)
type: aws:cloudtrail:Trail
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference example: every input with a placeholder value. Defaults and
// constraints below are taken from the property reference on this page.
var trailResource = new Aws.CloudTrail.Trail("trailResource", new()
{
    // Bucket that receives the log files; listed ahead of the optional arguments.
    S3BucketName = "string",
    // Defaults to true; false pauses logging.
    EnableLogging = false,
    // Organization trails can only be created in the organization master account.
    IsOrganizationTrail = false,
    // Log file integrity validation; defaults to false.
    EnableLogFileValidation = false,
    // Data-event selection; conflicts with EventSelectors.
    AdvancedEventSelectors = new[]
    {
        new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorArgs
        {
            FieldSelectors = new[]
            {
                new Aws.CloudTrail.Inputs.TrailAdvancedEventSelectorFieldSelectorArgs
                {
                    Field = "string",
                    EndsWiths = new[]
                    {
                        "string",
                    },
                    Equals = new[]
                    {
                        "string",
                    },
                    NotEndsWiths = new[]
                    {
                        "string",
                    },
                    NotEquals = new[]
                    {
                        "string",
                    },
                    NotStartsWiths = new[]
                    {
                        "string",
                    },
                    StartsWiths = new[]
                    {
                        "string",
                    },
                },
            },
            Name = "string",
        },
    },
    // Classic data-event selection; conflicts with AdvancedEventSelectors.
    EventSelectors = new[]
    {
        new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
        {
            DataResources = new[]
            {
                new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
                {
                    Type = "string",
                    Values = new[]
                    {
                        "string",
                    },
                },
            },
            ExcludeManagementEventSources = new[]
            {
                "string",
            },
            IncludeManagementEvents = false,
            ReadWriteType = "string",
        },
    },
    // Defaults to true; needed to capture global services such as IAM.
    IncludeGlobalServiceEvents = false,
    // Role the CloudWatch Logs endpoint assumes to write to the log group.
    CloudWatchLogsRoleArn = "string",
    // Defaults to false (current region only).
    IsMultiRegionTrail = false,
    InsightSelectors = new[]
    {
        new Aws.CloudTrail.Inputs.TrailInsightSelectorArgs
        {
            InsightType = "string",
        },
    },
    // KMS key ARN used to encrypt the delivered logs.
    KmsKeyId = "string",
    Name = "string",
    // Log group ARN; CloudTrail requires the log-stream wildcard suffix.
    CloudWatchLogsGroupArn = "string",
    S3KeyPrefix = "string",
    // Use the topic ARN if the topic lives in another region.
    SnsTopicName = "string",
    Tags = 
    {
        { "string", "string" },
    },
});
// Reference example: every input with a placeholder value. Defaults and
// constraints below are taken from the property reference on this page.
example, err := cloudtrail.NewTrail(ctx, "trailResource", &cloudtrail.TrailArgs{
	// Bucket that receives the log files; listed ahead of the optional arguments.
	S3BucketName:            pulumi.String("string"),
	// Defaults to true; false pauses logging.
	EnableLogging:           pulumi.Bool(false),
	// Organization trails can only be created in the organization master account.
	IsOrganizationTrail:     pulumi.Bool(false),
	// Log file integrity validation; defaults to false.
	EnableLogFileValidation: pulumi.Bool(false),
	// Data-event selection; conflicts with EventSelectors.
	AdvancedEventSelectors: cloudtrail.TrailAdvancedEventSelectorArray{
		&cloudtrail.TrailAdvancedEventSelectorArgs{
			FieldSelectors: cloudtrail.TrailAdvancedEventSelectorFieldSelectorArray{
				&cloudtrail.TrailAdvancedEventSelectorFieldSelectorArgs{
					Field: pulumi.String("string"),
					EndsWiths: pulumi.StringArray{
						pulumi.String("string"),
					},
					Equals: pulumi.StringArray{
						pulumi.String("string"),
					},
					NotEndsWiths: pulumi.StringArray{
						pulumi.String("string"),
					},
					NotEquals: pulumi.StringArray{
						pulumi.String("string"),
					},
					NotStartsWiths: pulumi.StringArray{
						pulumi.String("string"),
					},
					StartsWiths: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			Name: pulumi.String("string"),
		},
	},
	// Classic data-event selection; conflicts with AdvancedEventSelectors.
	EventSelectors: cloudtrail.TrailEventSelectorArray{
		&cloudtrail.TrailEventSelectorArgs{
			DataResources: cloudtrail.TrailEventSelectorDataResourceArray{
				&cloudtrail.TrailEventSelectorDataResourceArgs{
					Type: pulumi.String("string"),
					Values: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			ExcludeManagementEventSources: pulumi.StringArray{
				pulumi.String("string"),
			},
			IncludeManagementEvents: pulumi.Bool(false),
			ReadWriteType:           pulumi.String("string"),
		},
	},
	// Defaults to true; needed to capture global services such as IAM.
	IncludeGlobalServiceEvents: pulumi.Bool(false),
	// Role the CloudWatch Logs endpoint assumes to write to the log group.
	CloudWatchLogsRoleArn:      pulumi.String("string"),
	// Defaults to false (current region only).
	IsMultiRegionTrail:         pulumi.Bool(false),
	InsightSelectors: cloudtrail.TrailInsightSelectorArray{
		&cloudtrail.TrailInsightSelectorArgs{
			InsightType: pulumi.String("string"),
		},
	},
	// KMS key ARN used to encrypt the delivered logs.
	KmsKeyId:               pulumi.String("string"),
	Name:                   pulumi.String("string"),
	// Log group ARN; CloudTrail requires the log-stream wildcard suffix.
	CloudWatchLogsGroupArn: pulumi.String("string"),
	S3KeyPrefix:            pulumi.String("string"),
	// Use the topic ARN if the topic lives in another region.
	SnsTopicName:           pulumi.String("string"),
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
})
// Reference example: every input with a placeholder value. Defaults and
// constraints below are taken from the property reference on this page.
var trailResource = new Trail("trailResource", TrailArgs.builder()
    // Bucket that receives the log files; listed ahead of the optional arguments.
    .s3BucketName("string")
    // Defaults to true; false pauses logging.
    .enableLogging(false)
    // Organization trails can only be created in the organization master account.
    .isOrganizationTrail(false)
    // Log file integrity validation; defaults to false.
    .enableLogFileValidation(false)
    // Data-event selection; conflicts with eventSelectors.
    .advancedEventSelectors(TrailAdvancedEventSelectorArgs.builder()
        .fieldSelectors(TrailAdvancedEventSelectorFieldSelectorArgs.builder()
            .field("string")
            .endsWiths("string")
            .equals("string")
            .notEndsWiths("string")
            .notEquals("string")
            .notStartsWiths("string")
            .startsWiths("string")
            .build())
        .name("string")
        .build())
    // Classic data-event selection; conflicts with advancedEventSelectors.
    .eventSelectors(TrailEventSelectorArgs.builder()
        .dataResources(TrailEventSelectorDataResourceArgs.builder()
            .type("string")
            .values("string")
            .build())
        .excludeManagementEventSources("string")
        .includeManagementEvents(false)
        .readWriteType("string")
        .build())
    // Defaults to true; needed to capture global services such as IAM.
    .includeGlobalServiceEvents(false)
    // Role the CloudWatch Logs endpoint assumes to write to the log group.
    .cloudWatchLogsRoleArn("string")
    // Defaults to false (current region only).
    .isMultiRegionTrail(false)
    .insightSelectors(TrailInsightSelectorArgs.builder()
        .insightType("string")
        .build())
    // KMS key ARN used to encrypt the delivered logs.
    .kmsKeyId("string")
    .name("string")
    // Log group ARN; CloudTrail requires the log-stream wildcard suffix.
    .cloudWatchLogsGroupArn("string")
    .s3KeyPrefix("string")
    // Use the topic ARN if the topic lives in another region.
    .snsTopicName("string")
    .tags(Map.of("string", "string"))
    .build());
# Reference example: every input with a placeholder value. Defaults and
# constraints below are taken from the property reference on this page.
trail_resource = aws.cloudtrail.Trail("trailResource",
    # Bucket that receives the log files; listed ahead of the optional arguments.
    s3_bucket_name="string",
    # Defaults to True; False pauses logging.
    enable_logging=False,
    # Organization trails can only be created in the organization master account.
    is_organization_trail=False,
    # Log file integrity validation; defaults to False.
    enable_log_file_validation=False,
    # Data-event selection; conflicts with event_selectors.
    advanced_event_selectors=[{
        "field_selectors": [{
            "field": "string",
            "ends_withs": ["string"],
            "equals": ["string"],
            "not_ends_withs": ["string"],
            "not_equals": ["string"],
            "not_starts_withs": ["string"],
            "starts_withs": ["string"],
        }],
        "name": "string",
    }],
    # Classic data-event selection; conflicts with advanced_event_selectors.
    event_selectors=[{
        "data_resources": [{
            "type": "string",
            "values": ["string"],
        }],
        "exclude_management_event_sources": ["string"],
        "include_management_events": False,
        "read_write_type": "string",
    }],
    # Defaults to True; needed to capture global services such as IAM.
    include_global_service_events=False,
    # Role the CloudWatch Logs endpoint assumes to write to the log group.
    cloud_watch_logs_role_arn="string",
    # Defaults to False (current region only).
    is_multi_region_trail=False,
    insight_selectors=[{
        "insight_type": "string",
    }],
    # KMS key ARN used to encrypt the delivered logs.
    kms_key_id="string",
    name="string",
    # Log group ARN; CloudTrail requires the log-stream wildcard suffix.
    cloud_watch_logs_group_arn="string",
    s3_key_prefix="string",
    # Use the topic ARN if the topic lives in another region.
    sns_topic_name="string",
    tags={
        "string": "string",
    })
// Reference example: every input with a placeholder value. Defaults and
// constraints below are taken from the property reference on this page.
const trailResource = new aws.cloudtrail.Trail("trailResource", {
    // Bucket that receives the log files; listed ahead of the optional arguments.
    s3BucketName: "string",
    // Defaults to true; false pauses logging.
    enableLogging: false,
    // Organization trails can only be created in the organization master account.
    isOrganizationTrail: false,
    // Log file integrity validation; defaults to false.
    enableLogFileValidation: false,
    // Data-event selection; conflicts with eventSelectors.
    advancedEventSelectors: [{
        fieldSelectors: [{
            field: "string",
            endsWiths: ["string"],
            equals: ["string"],
            notEndsWiths: ["string"],
            notEquals: ["string"],
            notStartsWiths: ["string"],
            startsWiths: ["string"],
        }],
        name: "string",
    }],
    // Classic data-event selection; conflicts with advancedEventSelectors.
    eventSelectors: [{
        dataResources: [{
            type: "string",
            values: ["string"],
        }],
        excludeManagementEventSources: ["string"],
        includeManagementEvents: false,
        readWriteType: "string",
    }],
    // Defaults to true; needed to capture global services such as IAM.
    includeGlobalServiceEvents: false,
    // Role the CloudWatch Logs endpoint assumes to write to the log group.
    cloudWatchLogsRoleArn: "string",
    // Defaults to false (current region only).
    isMultiRegionTrail: false,
    insightSelectors: [{
        insightType: "string",
    }],
    // KMS key ARN used to encrypt the delivered logs.
    kmsKeyId: "string",
    name: "string",
    // Log group ARN; CloudTrail requires the log-stream wildcard suffix.
    cloudWatchLogsGroupArn: "string",
    s3KeyPrefix: "string",
    // Use the topic ARN if the topic lives in another region.
    snsTopicName: "string",
    tags: {
        string: "string",
    },
});
# Reference example: every input with a placeholder value. Defaults and
# constraints below are taken from the property reference on this page.
type: aws:cloudtrail:Trail
properties:
    # Data-event selection; conflicts with eventSelectors.
    advancedEventSelectors:
        - fieldSelectors:
            - endsWiths:
                - string
              equals:
                - string
              field: string
              notEndsWiths:
                - string
              notEquals:
                - string
              notStartsWiths:
                - string
              startsWiths:
                - string
          name: string
    # Log group ARN; CloudTrail requires the log-stream wildcard suffix.
    cloudWatchLogsGroupArn: string
    # Role the CloudWatch Logs endpoint assumes to write to the log group.
    cloudWatchLogsRoleArn: string
    # Log file integrity validation; defaults to false.
    enableLogFileValidation: false
    # Defaults to true; false pauses logging.
    enableLogging: false
    # Classic data-event selection; conflicts with advancedEventSelectors.
    eventSelectors:
        - dataResources:
            - type: string
              values:
                - string
          excludeManagementEventSources:
            - string
          includeManagementEvents: false
          readWriteType: string
    # Defaults to true; needed to capture global services such as IAM.
    includeGlobalServiceEvents: false
    insightSelectors:
        - insightType: string
    # Defaults to false (current region only).
    isMultiRegionTrail: false
    # Organization trails can only be created in the organization master account.
    isOrganizationTrail: false
    # KMS key ARN used to encrypt the delivered logs.
    kmsKeyId: string
    name: string
    # Bucket that receives the log files; listed ahead of the optional arguments.
    s3BucketName: string
    s3KeyPrefix: string
    # Use the topic ARN if the topic lives in another region.
    snsTopicName: string
    tags:
        string: string
Trail Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Trail resource accepts the following input properties:
- S3BucketName string
- Name of the S3 bucket designated for publishing log files.
- The following arguments are optional:
- AdvancedEventSelectors List<TrailAdvancedEventSelector>
- Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
- CloudWatchLogsGroupArn string
- Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- CloudWatchLogsRoleArn string
- Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- EnableLogFileValidation bool
- Whether log file integrity validation is enabled. Defaults to false.
- EnableLogging bool
- Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- EventSelectors List<TrailEventSelector>
- Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
- IncludeGlobalServiceEvents bool
- Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- InsightSelectors List<TrailInsightSelector>
- Configuration block for identifying unusual operational activity. See details below.
- IsMultiRegionTrail bool
- Whether the trail is created in the current region or in all regions. Defaults to false.
- IsOrganizationTrail bool
- Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- KmsKeyId string
- KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- Name string
- Name of the trail.
- S3KeyPrefix string
- S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- SnsTopicName string
- Name of the Amazon SNS topic defined for notification of log file delivery. Specify the SNS topic ARN if it resides in another region.
- Tags Dictionary<string, string>
- Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- S3BucketName string
- Name of the S3 bucket designated for publishing log files.
- The following arguments are optional:
- AdvancedEventSelectors []TrailAdvancedEventSelectorArgs
- Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
- CloudWatchLogsGroupArn string
- Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- CloudWatchLogsRoleArn string
- Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- EnableLogFileValidation bool
- Whether log file integrity validation is enabled. Defaults to false.
- EnableLogging bool
- Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- EventSelectors []TrailEventSelectorArgs
- Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
- IncludeGlobalServiceEvents bool
- Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- InsightSelectors []TrailInsightSelectorArgs
- Configuration block for identifying unusual operational activity. See details below.
- IsMultiRegionTrail bool
- Whether the trail is created in the current region or in all regions. Defaults to false.
- IsOrganizationTrail bool
- Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- KmsKeyId string
- KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- Name string
- Name of the trail.
- S3KeyPrefix string
- S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- SnsTopicName string
- Name of the Amazon SNS topic defined for notification of log file delivery. Specify the SNS topic ARN if it resides in another region.
- Tags map[string]string
- Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- s3BucketName String
- Name of the S3 bucket designated for publishing log files.
- The following arguments are optional:
- advancedEventSelectors List<TrailAdvancedEventSelector>
- Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
- cloudWatchLogsGroupArn String
- Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloudWatchLogsRoleArn String
- Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enableLogFileValidation Boolean
- Whether log file integrity validation is enabled. Defaults to false.
- enableLogging Boolean
- Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- eventSelectors List<TrailEventSelector>
- Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
- includeGlobalServiceEvents Boolean
- Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- insightSelectors List<TrailInsightSelector>
- Configuration block for identifying unusual operational activity. See details below.
- isMultiRegionTrail Boolean
- Whether the trail is created in the current region or in all regions. Defaults to false.
- isOrganizationTrail Boolean
- Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- kmsKeyId String
- KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name String
- Name of the trail.
- s3KeyPrefix String
- S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- snsTopicName String
- Name of the Amazon SNS topic defined for notification of log file delivery. Specify the SNS topic ARN if it resides in another region.
- tags Map<String,String>
- Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- s3BucketName string
- Name of the S3 bucket designated for publishing log files.
- The following arguments are optional:
- advancedEventSelectors TrailAdvancedEventSelector[]
- Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
- cloudWatchLogsGroupArn string
- Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloudWatchLogsRoleArn string
- Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enableLogFileValidation boolean
- Whether log file integrity validation is enabled. Defaults to false.
- enableLogging boolean
- Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- eventSelectors TrailEventSelector[]
- Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
- includeGlobalServiceEvents boolean
- Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- insightSelectors TrailInsightSelector[]
- Configuration block for identifying unusual operational activity. See details below.
- isMultiRegionTrail boolean
- Whether the trail is created in the current region or in all regions. Defaults to false.
- isOrganizationTrail boolean
- Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- kmsKeyId string
- KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name string
- Name of the trail.
- s3KeyPrefix string
- S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- snsTopicName string
- Name of the Amazon SNS topic defined for notification of log file delivery. Specify the SNS topic ARN if it resides in another region.
- tags {[key: string]: string}
- Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- s3_bucket_name str
- Name of the S3 bucket designated for publishing log files.
- The following arguments are optional:
- advanced_event_selectors Sequence[TrailAdvancedEventSelectorArgs]
- Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
- cloud_watch_logs_group_arn str
- Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloud_watch_logs_role_arn str
- Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enable_log_file_validation bool
- Whether log file integrity validation is enabled. Defaults to false.
- enable_logging bool
- Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- event_selectors Sequence[TrailEventSelectorArgs]
- Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
- include_global_service_events bool
- Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- insight_selectors Sequence[TrailInsightSelectorArgs]
- Configuration block for identifying unusual operational activity. See details below.
- is_multi_region_trail bool
- Whether the trail is created in the current region or in all regions. Defaults to false.
- is_organization_trail bool
- Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- kms_key_id str
- KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name str
- Name of the trail.
- s3_key_prefix str
- S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns_topic_name str
- Name of the Amazon SNS topic defined for notification of log file delivery. Specify the SNS topic ARN if it resides in another region.
- tags Mapping[str, str]
- Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
- s3BucketName String
- Name of the S3 bucket designated for publishing log files.
- The following arguments are optional:
- advancedEventSelectors List<Property Map>
- Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
- cloudWatchLogsGroupArn String
- Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloudWatchLogsRoleArn String
- Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enableLogFileValidation Boolean
- Whether log file integrity validation is enabled. Defaults to false.
- enableLogging Boolean
- Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- eventSelectors List<Property Map>
- Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
- includeGlobalServiceEvents Boolean
- Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- insightSelectors List<Property Map>
- Configuration block for identifying unusual operational activity. See details below.
- isMultiRegionTrail Boolean
- Whether the trail is created in the current region or in all regions. Defaults to false.
- isOrganizationTrail Boolean
- Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- kmsKeyId String
- KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name String
- Name of the trail.
- s3KeyPrefix String
- S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- snsTopicName String
- Name of the Amazon SNS topic defined for notification of log file delivery. Specify the SNS topic ARN if it resides in another region.
- tags Map<String>
- Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
Outputs
All input properties are implicitly available as output properties. Additionally, the Trail resource produces the following output properties:
- Arn string
- ARN of the trail.
- HomeRegion string
- Region in which the trail was created.
- Id string
- The provider-assigned unique ID for this managed resource.
- SnsTopicArn string
- ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
- TagsAll Dictionary<string, string>
- Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- Arn string
- ARN of the trail.
- HomeRegion string
- Region in which the trail was created.
- Id string
- The provider-assigned unique ID for this managed resource.
- SnsTopicArn string
- ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
- TagsAll map[string]string
- Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- arn String
- ARN of the trail.
- homeRegion String
- Region in which the trail was created.
- id String
- The provider-assigned unique ID for this managed resource.
- snsTopicArn String
- ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
- tagsAll Map<String,String>
- Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- arn string
- ARN of the trail.
- homeRegion string
- Region in which the trail was created.
- id string
- The provider-assigned unique ID for this managed resource.
- snsTopicArn string
- ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
- tagsAll {[key: string]: string}
- Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- arn str
- ARN of the trail.
- home_region str
- Region in which the trail was created.
- id str
- The provider-assigned unique ID for this managed resource.
- sns_topic_arn str
- ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
- tags_all Mapping[str, str]
- Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
- arn String
- ARN of the trail.
- homeRegion String
- Region in which the trail was created.
- id String
- The provider-assigned unique ID for this managed resource.
- snsTopicArn String
- ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
- tagsAll Map<String>
- Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
Look up Existing Trail Resource
Get an existing Trail resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: TrailState, opts?: CustomResourceOptions): Trail
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        advanced_event_selectors: Optional[Sequence[TrailAdvancedEventSelectorArgs]] = None,
        arn: Optional[str] = None,
        cloud_watch_logs_group_arn: Optional[str] = None,
        cloud_watch_logs_role_arn: Optional[str] = None,
        enable_log_file_validation: Optional[bool] = None,
        enable_logging: Optional[bool] = None,
        event_selectors: Optional[Sequence[TrailEventSelectorArgs]] = None,
        home_region: Optional[str] = None,
        include_global_service_events: Optional[bool] = None,
        insight_selectors: Optional[Sequence[TrailInsightSelectorArgs]] = None,
        is_multi_region_trail: Optional[bool] = None,
        is_organization_trail: Optional[bool] = None,
        kms_key_id: Optional[str] = None,
        name: Optional[str] = None,
        s3_bucket_name: Optional[str] = None,
        s3_key_prefix: Optional[str] = None,
        sns_topic_arn: Optional[str] = None,
        sns_topic_name: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None) -> Trail
func GetTrail(ctx *Context, name string, id IDInput, state *TrailState, opts ...ResourceOption) (*Trail, error)
public static Trail Get(string name, Input<string> id, TrailState? state, CustomResourceOptions? opts = null)
public static Trail get(String name, Output<String> id, TrailState state, CustomResourceOptions options)
resources:
  _:
    type: aws:cloudtrail:Trail
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AdvancedEventSelectors List<TrailAdvancedEventSelector>
- Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
- Arn string
- ARN of the trail.
- CloudWatchLogsGroupArn string
- ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the ARN to end with the log stream wildcard.
- CloudWatchLogsRoleArn string
- Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- EnableLogFileValidation bool
- Whether log file integrity validation is enabled. Defaults to false.
- EnableLogging bool
- Enables logging for the trail. Defaults to `true`. Setting this to `false` will pause logging.
- EventSelectors List<TrailEventSelector>
- Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
- HomeRegion string
- Region in which the trail was created.
- IncludeGlobalServiceEvents bool
- Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- InsightSelectors List<TrailInsightSelector>
- Configuration block for identifying unusual operational activity. See details below.
- IsMultiRegionTrail bool
- Whether the trail is created in the current region or in all regions. Defaults to false.
- IsOrganizationTrail bool
- Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- KmsKeyId string
- KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- Name string
- Name of the trail.
- S3BucketName string
- Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- S3KeyPrefix string
- S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- SnsTopicArn string
- ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
- SnsTopicName string
- Name of the Amazon SNS topic defined for notification of log file delivery. Specify the SNS topic ARN if it resides in another region.
- Dictionary<string, string>
- Map of tags to assign to the trail. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- Dictionary<string, string>
- Map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- AdvancedEvent []TrailSelectors Advanced Event Selector Args 
- Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
- Arn string
- ARN of the trail.
- CloudWatch stringLogs Group Arn 
- Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- CloudWatch stringLogs Role Arn 
- Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- EnableLog boolFile Validation 
- Whether log file integrity validation is enabled. Defaults to false.
- EnableLogging bool
- Enables logging for the trail. Defaults to `true`. Setting this to `false` will pause logging.
- EventSelectors []TrailEvent Selector Args 
- Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
- HomeRegion string
- Region in which the trail was created.
- IncludeGlobal boolService Events 
- Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- InsightSelectors []TrailInsight Selector Args 
- Configuration block for identifying unusual operational activity. See details below.
- IsMulti boolRegion Trail 
- Whether the trail is created in the current region or in all regions. Defaults to false.
- IsOrganization boolTrail 
- Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- KmsKey stringId 
- KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- Name string
- Name of the trail.
- S3BucketName string
- Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- S3KeyPrefix string
- S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- SnsTopic stringArn 
- ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
- SnsTopic stringName 
- Name of the Amazon SNS topic defined for notification of log file delivery. Specify the SNS topic ARN if it resides in another region.
- map[string]string
- Map of tags to assign to the trail. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- map[string]string
- Map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- advancedEvent List<TrailSelectors Advanced Event Selector> 
- Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
- arn String
- ARN of the trail.
- cloudWatch StringLogs Group Arn 
- Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloudWatch StringLogs Role Arn 
- Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enableLog BooleanFile Validation 
- Whether log file integrity validation is enabled. Defaults to false.
- enableLogging Boolean
- Enables logging for the trail. Defaults to `true`. Setting this to `false` will pause logging.
- eventSelectors List<TrailEvent Selector> 
- Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
- homeRegion String
- Region in which the trail was created.
- includeGlobal BooleanService Events 
- Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- insightSelectors List<TrailInsight Selector> 
- Configuration block for identifying unusual operational activity. See details below.
- isMulti BooleanRegion Trail 
- Whether the trail is created in the current region or in all regions. Defaults to false.
- isOrganization BooleanTrail 
- Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- kmsKey StringId 
- KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name String
- Name of the trail.
- s3BucketName String
- Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- s3KeyPrefix String
- S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- snsTopic StringArn 
- ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
- snsTopic StringName 
- Name of the Amazon SNS topic defined for notification of log file delivery. Specify the SNS topic ARN if it resides in another region.
- Map<String,String>
- Map of tags to assign to the trail. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- Map<String,String>
- Map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- advancedEventSelectors TrailAdvancedEventSelector[]
- Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
- arn string
- ARN of the trail.
- cloudWatchLogsGroupArn string
- ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the ARN to end with the log stream wildcard.
- cloudWatchLogsRoleArn string
- Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enableLogFileValidation boolean
- Whether log file integrity validation is enabled. Defaults to false.
- enableLogging boolean
- Enables logging for the trail. Defaults to `true`. Setting this to `false` will pause logging.
- eventSelectors TrailEventSelector[]
- Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
- homeRegion string
- Region in which the trail was created.
- includeGlobalServiceEvents boolean
- Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- insightSelectors TrailInsightSelector[]
- Configuration block for identifying unusual operational activity. See details below.
- isMultiRegionTrail boolean
- Whether the trail is created in the current region or in all regions. Defaults to false.
- isOrganizationTrail boolean
- Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- kmsKeyId string
- KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name string
- Name of the trail.
- s3BucketName string
- Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- s3KeyPrefix string
- S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- snsTopicArn string
- ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
- snsTopicName string
- Name of the Amazon SNS topic defined for notification of log file delivery. Specify the SNS topic ARN if it resides in another region.
- {[key: string]: string}
- Map of tags to assign to the trail. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- {[key: string]: string}
- Map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- advanced_event_selectors Sequence[TrailAdvancedEventSelectorArgs]
- Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
- arn str
- ARN of the trail.
- cloud_watch_logs_group_arn str
- Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloud_watch_logs_role_arn str
- Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enable_log_file_validation bool
- Whether log file integrity validation is enabled. Defaults to false.
- enable_logging bool
- Enables logging for the trail. Defaults to `true`. Setting this to `false` will pause logging.
- event_selectors Sequence[TrailEvent Selector Args] 
- Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
- home_region str
- Region in which the trail was created.
- include_global_service_events bool
- Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- insight_selectors Sequence[TrailInsight Selector Args] 
- Configuration block for identifying unusual operational activity. See details below.
- is_multi_region_trail bool
- Whether the trail is created in the current region or in all regions. Defaults to false.
- is_organization_trail bool
- Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- kms_key_id str
- KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name str
- Name of the trail.
- s3_bucket_name str
- Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- s3_key_prefix str
- S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns_topic_arn str
- ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
- sns_topic_name str
- Name of the Amazon SNS topic defined for notification of log file delivery. Specify the SNS topic ARN if it resides in another region.
- Mapping[str, str]
- Map of tags to assign to the trail. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- Mapping[str, str]
- Map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
- advancedEvent List<Property Map>Selectors 
- Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
- arn String
- ARN of the trail.
- cloudWatch StringLogs Group Arn 
- Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
- cloudWatch StringLogs Role Arn 
- Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enableLog BooleanFile Validation 
- Whether log file integrity validation is enabled. Defaults to false.
- enableLogging Boolean
- Enables logging for the trail. Defaults to `true`. Setting this to `false` will pause logging.
- eventSelectors List<Property Map>
- Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
- homeRegion String
- Region in which the trail was created.
- includeGlobal BooleanService Events 
- Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- insightSelectors List<Property Map>
- Configuration block for identifying unusual operational activity. See details below.
- isMulti BooleanRegion Trail 
- Whether the trail is created in the current region or in all regions. Defaults to false.
- isOrganization BooleanTrail 
- Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- kmsKey StringId 
- KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name String
- Name of the trail.
- s3BucketName String
- Name of the S3 bucket designated for publishing log files.
The following arguments are optional:
- s3KeyPrefix String
- S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- snsTopic StringArn 
- ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered.
- snsTopic StringName 
- Name of the Amazon SNS topic defined for notification of log file delivery. Specify the SNS topic ARN if it resides in another region.
- Map<String>
- Map of tags to assign to the trail. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
- Map<String>
- Map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.
Supporting Types
TrailAdvancedEventSelector, TrailAdvancedEventSelectorArgs        
- FieldSelectors List<TrailAdvancedEventSelectorFieldSelector>
- Specifies the selector statements in an advanced event selector. Fields documented below.
- Name string
- Name of the trail.
- FieldSelectors []TrailAdvanced Event Selector Field Selector 
- Specifies the selector statements in an advanced event selector. Fields documented below.
- Name string
- Name of the trail.
- fieldSelectors List<TrailAdvanced Event Selector Field Selector> 
- Specifies the selector statements in an advanced event selector. Fields documented below.
- name String
- Name of the trail.
- fieldSelectors TrailAdvanced Event Selector Field Selector[] 
- Specifies the selector statements in an advanced event selector. Fields documented below.
- name string
- Name of the trail.
- field_selectors Sequence[TrailAdvanced Event Selector Field Selector] 
- Specifies the selector statements in an advanced event selector. Fields documented below.
- name str
- Name of the trail.
- fieldSelectors List<Property Map>
- Specifies the selector statements in an advanced event selector. Fields documented below.
- name String
- Name of the trail.
TrailAdvancedEventSelectorFieldSelector, TrailAdvancedEventSelectorFieldSelectorArgs            
- Field string
- Field in an event record on which to filter events to be logged. You can specify only the following values: `readOnly`, `eventSource`, `eventName`, `eventCategory`, `resources.type`, `resources.ARN`.
- EndsWiths List<string>
- A list of values that includes events that match the last few characters of the event record field specified as the value of field.
- Equals List<string>
- A list of values that includes events that match the exact value of the event record field specified as the value of `field`. This is the only valid operator that you can use with the `readOnly`, `eventCategory`, and `resources.type` fields.
- NotEndsWiths List<string>
- A list of values that excludes events that match the last few characters of the event record field specified as the value of field.
- NotEquals List<string>
- A list of values that excludes events that match the exact value of the event record field specified as the value of field.
- NotStartsWiths List<string>
- A list of values that excludes events that match the first few characters of the event record field specified as the value of field.
- StartsWiths List<string>
- A list of values that includes events that match the first few characters of the event record field specified as the value of field.
- Field string
- Field in an event record on which to filter events to be logged. You can specify only the following values: `readOnly`, `eventSource`, `eventName`, `eventCategory`, `resources.type`, `resources.ARN`.
- EndsWiths []string
- A list of values that includes events that match the last few characters of the event record field specified as the value of field.
- Equals []string
- A list of values that includes events that match the exact value of the event record field specified as the value of `field`. This is the only valid operator that you can use with the `readOnly`, `eventCategory`, and `resources.type` fields.
- NotEndsWiths []string
- A list of values that excludes events that match the last few characters of the event record field specified as the value of field.
- NotEquals []string
- A list of values that excludes events that match the exact value of the event record field specified as the value of field.
- NotStartsWiths []string
- A list of values that excludes events that match the first few characters of the event record field specified as the value of field.
- StartsWiths []string
- A list of values that includes events that match the first few characters of the event record field specified as the value of field.
- field String
- Field in an event record on which to filter events to be logged. You can specify only the following values: `readOnly`, `eventSource`, `eventName`, `eventCategory`, `resources.type`, `resources.ARN`.
- endsWiths List<String>
- A list of values that includes events that match the last few characters of the event record field specified as the value of field.
- equals_ List<String>
- A list of values that includes events that match the exact value of the event record field specified as the value of `field`. This is the only valid operator that you can use with the `readOnly`, `eventCategory`, and `resources.type` fields.
- notEndsWiths List<String>
- A list of values that excludes events that match the last few characters of the event record field specified as the value of field.
- notEquals List<String>
- A list of values that excludes events that match the exact value of the event record field specified as the value of field.
- notStartsWiths List<String>
- A list of values that excludes events that match the first few characters of the event record field specified as the value of field.
- startsWiths List<String>
- A list of values that includes events that match the first few characters of the event record field specified as the value of field.
- field string
- Field in an event record on which to filter events to be logged. You can specify only the following values: `readOnly`, `eventSource`, `eventName`, `eventCategory`, `resources.type`, `resources.ARN`.
- endsWiths string[]
- A list of values that includes events that match the last few characters of the event record field specified as the value of field.
- equals string[]
- A list of values that includes events that match the exact value of the event record field specified as the value of `field`. This is the only valid operator that you can use with the `readOnly`, `eventCategory`, and `resources.type` fields.
- notEndsWiths string[]
- A list of values that excludes events that match the last few characters of the event record field specified as the value of field.
- notEquals string[]
- A list of values that excludes events that match the exact value of the event record field specified as the value of field.
- notStartsWiths string[]
- A list of values that excludes events that match the first few characters of the event record field specified as the value of field.
- startsWiths string[]
- A list of values that includes events that match the first few characters of the event record field specified as the value of field.
- field str
- Field in an event record on which to filter events to be logged. You can specify only the following values: `readOnly`, `eventSource`, `eventName`, `eventCategory`, `resources.type`, `resources.ARN`.
- ends_withs Sequence[str]
- A list of values that includes events that match the last few characters of the event record field specified as the value of field.
- equals Sequence[str]
- A list of values that includes events that match the exact value of the event record field specified as the value of `field`. This is the only valid operator that you can use with the `readOnly`, `eventCategory`, and `resources.type` fields.
- not_ends_withs Sequence[str]
- A list of values that excludes events that match the last few characters of the event record field specified as the value of field.
- not_equals Sequence[str]
- A list of values that excludes events that match the exact value of the event record field specified as the value of field.
- not_starts_withs Sequence[str]
- A list of values that excludes events that match the first few characters of the event record field specified as the value of field.
- starts_withs Sequence[str]
- A list of values that includes events that match the first few characters of the event record field specified as the value of field.
- field String
- Field in an event record on which to filter events to be logged. You can specify only the following values: `readOnly`, `eventSource`, `eventName`, `eventCategory`, `resources.type`, `resources.ARN`.
- endsWiths List<String>
- A list of values that includes events that match the last few characters of the event record field specified as the value of field.
- equals List<String>
- A list of values that includes events that match the exact value of the event record field specified as the value of `field`. This is the only valid operator that you can use with the `readOnly`, `eventCategory`, and `resources.type` fields.
- notEndsWiths List<String>
- A list of values that excludes events that match the last few characters of the event record field specified as the value of field.
- notEquals List<String>
- A list of values that excludes events that match the exact value of the event record field specified as the value of field.
- notStartsWiths List<String>
- A list of values that excludes events that match the first few characters of the event record field specified as the value of field.
- startsWiths List<String>
- A list of values that includes events that match the first few characters of the event record field specified as the value of field.
TrailEventSelector, TrailEventSelectorArgs      
- DataResources List<TrailEventSelectorDataResource>
- Configuration block for data events. See details below.
- ExcludeManagementEventSources List<string>
- A set of event sources to exclude. Valid values include: `kms.amazonaws.com` and `rdsdata.amazonaws.com`. `include_management_events` must be set to `true` to allow this.
- IncludeManagementEvents bool
- Whether to include management events for your trail. Defaults to true.
- ReadWriteType string
- Type of events to log. Valid values are `ReadOnly`, `WriteOnly`, `All`. Default value is `All`.
- DataResources []TrailEvent Selector Data Resource 
- Configuration block for data events. See details below.
- ExcludeManagementEventSources []string
- A set of event sources to exclude. Valid values include: `kms.amazonaws.com` and `rdsdata.amazonaws.com`. `include_management_events` must be set to `true` to allow this.
- IncludeManagementEvents bool
- Whether to include management events for your trail. Defaults to true.
- ReadWriteType string
- Type of events to log. Valid values are `ReadOnly`, `WriteOnly`, `All`. Default value is `All`.
- dataResources List<TrailEvent Selector Data Resource> 
- Configuration block for data events. See details below.
- excludeManagementEventSources List<String>
- A set of event sources to exclude. Valid values include: `kms.amazonaws.com` and `rdsdata.amazonaws.com`. `include_management_events` must be set to `true` to allow this.
- includeManagementEvents Boolean
- Whether to include management events for your trail. Defaults to true.
- readWriteType String
- Type of events to log. Valid values are `ReadOnly`, `WriteOnly`, `All`. Default value is `All`.
- dataResources TrailEvent Selector Data Resource[] 
- Configuration block for data events. See details below.
- excludeManagementEventSources string[]
- A set of event sources to exclude. Valid values include: `kms.amazonaws.com` and `rdsdata.amazonaws.com`. `include_management_events` must be set to `true` to allow this.
- includeManagementEvents boolean
- Whether to include management events for your trail. Defaults to true.
- readWriteType string
- Type of events to log. Valid values are `ReadOnly`, `WriteOnly`, `All`. Default value is `All`.
- data_resources Sequence[TrailEvent Selector Data Resource] 
- Configuration block for data events. See details below.
- exclude_management_event_sources Sequence[str]
- A set of event sources to exclude. Valid values include: `kms.amazonaws.com` and `rdsdata.amazonaws.com`. `include_management_events` must be set to `true` to allow this.
- include_management_events bool
- Whether to include management events for your trail. Defaults to true.
- read_write_type str
- Type of events to log. Valid values are `ReadOnly`, `WriteOnly`, `All`. Default value is `All`.
- dataResources List<Property Map>
- Configuration block for data events. See details below.
- excludeManagementEventSources List<String>
- A set of event sources to exclude. Valid values include: `kms.amazonaws.com` and `rdsdata.amazonaws.com`. `include_management_events` must be set to `true` to allow this.
- includeManagementEvents Boolean
- Whether to include management events for your trail. Defaults to true.
- readWriteType String
- Type of events to log. Valid values are `ReadOnly`, `WriteOnly`, `All`. Default value is `All`.
TrailEventSelectorDataResource, TrailEventSelectorDataResourceArgs          
- Type string
- Resource type for which you want to log data events. You can specify only the following values: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
- Values List<string>
- List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. The ARN list is specific to a single-valued `type`. For example, `arn:aws:s3:::<bucket name>/` for all objects in a bucket, `arn:aws:s3:::<bucket name>/key` for specific objects, `arn:aws:lambda` for all Lambda events within an account, `arn:aws:lambda:<region>:<account number>:function:<function name>` for a specific Lambda function, `arn:aws:dynamodb` for all DynamoDB events for all tables within an account, or `arn:aws:dynamodb:<region>:<account number>:table/<table name>` for a specific DynamoDB table.
- Type string
- Resource type for which you want to log data events. You can specify only the following values: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
- Values []string
- List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. The ARN list is specific to a single-valued `type`. For example, `arn:aws:s3:::<bucket name>/` for all objects in a bucket, `arn:aws:s3:::<bucket name>/key` for specific objects, `arn:aws:lambda` for all Lambda events within an account, `arn:aws:lambda:<region>:<account number>:function:<function name>` for a specific Lambda function, `arn:aws:dynamodb` for all DynamoDB events for all tables within an account, or `arn:aws:dynamodb:<region>:<account number>:table/<table name>` for a specific DynamoDB table.
- type String
- Resource type in which you want to log data events. You can specify only the following values: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
- values List<String>
- List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.
- type string
- Resource type in which you want to log data events. You can specify only the following values: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
- values string[]
- List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.
- type str
- Resource type in which you want to log data events. You can specify only the following values: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
- values Sequence[str]
- List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.
- type String
- Resource type in which you want to log data events. You can specify only the following values: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
- values List<String>
- List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.
TrailInsightSelector, TrailInsightSelectorArgs      
- InsightType string
- Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.
- InsightType string
- Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.
- insightType String
- Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.
- insightType string
- Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.
- insight_type str
- Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.
- insightType String
- Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.
Import
Using pulumi import, import CloudTrail trails using the ARN. For example:
$ pulumi import aws:cloudtrail/trail:Trail sample arn:aws:cloudtrail:us-east-1:123456789012:trail/my-sample-trail
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the aws Terraform Provider.