Trail
Provides a CloudTrail resource.
NOTE: For a multi-region trail, this resource must be in the home region of the trail.
NOTE: For an organization trail, this resource must be in the master account of the organization.
Example Usage
Basic
using Pulumi;
using Aws = Pulumi.Aws;
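class MyStack : Stack
{
    /// <summary>
    /// Creates an S3 bucket that only the CloudTrail service may write to, then a
    /// CloudTrail trail that delivers its log files into that bucket under "prefix".
    /// </summary>
    public MyStack()
    {
        // The bucket policy below names the bucket explicitly, so the bucket must
        // carry that exact name; without it Pulumi auto-names the bucket and the
        // policy's Resource ARNs refer to a bucket that does not exist.
        const string bucketName = "tf-test-trail";
        var current = Output.Create(Aws.GetCallerIdentity.InvokeAsync());
        var foo = new Aws.S3.Bucket("foo", new Aws.S3.BucketArgs
        {
            BucketName = bucketName,
            // ForceDestroy lets `pulumi destroy` delete the bucket while it still
            // holds trail log files; keep it false for audit logs you must retain.
            ForceDestroy = true,
            // Only the CloudTrail service principal may read the bucket ACL and
            // write objects, and every write must grant the bucket owner full control.
            Policy = current.Apply(identity => @$"{{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {{
      ""Sid"": ""AWSCloudTrailAclCheck"",
      ""Effect"": ""Allow"",
      ""Principal"": {{
        ""Service"": ""cloudtrail.amazonaws.com""
      }},
      ""Action"": ""s3:GetBucketAcl"",
      ""Resource"": ""arn:aws:s3:::{bucketName}""
    }},
    {{
      ""Sid"": ""AWSCloudTrailWrite"",
      ""Effect"": ""Allow"",
      ""Principal"": {{
        ""Service"": ""cloudtrail.amazonaws.com""
      }},
      ""Action"": ""s3:PutObject"",
      ""Resource"": ""arn:aws:s3:::{bucketName}/prefix/AWSLogs/{identity.AccountId}/*"",
      ""Condition"": {{
        ""StringEquals"": {{
          ""s3:x-amz-acl"": ""bucket-owner-full-control""
        }}
      }}
    }}
  ]
}}
"),
        });
        // IncludeGlobalServiceEvents = false leaves events from global services
        // such as IAM out of this trail; log file validation is off by default.
        var foobar = new Aws.CloudTrail.Trail("foobar", new Aws.CloudTrail.TrailArgs
        {
            IncludeGlobalServiceEvents = false,
            S3BucketName = foo.Id,
            S3KeyPrefix = "prefix",
        });
    }
}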
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/cloudtrail"
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
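// main deploys an S3 bucket that only the CloudTrail service may write to,
// then a CloudTrail trail that delivers its log files into that bucket under
// the "prefix" key prefix.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := aws.GetCallerIdentity(ctx, nil, nil)
		if err != nil {
			return err
		}
		// The bucket policy names the bucket explicitly, so the bucket must
		// carry that exact name; without it Pulumi auto-names the bucket and
		// the policy's Resource ARNs refer to a bucket that does not exist.
		const bucketName = "tf-test-trail"
		// Only the CloudTrail service principal may read the bucket ACL and
		// write objects, and every write must grant the bucket owner full
		// control.
		policy := fmt.Sprintf(`{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid": "AWSCloudTrailAclCheck",
 "Effect": "Allow",
 "Principal": {
 "Service": "cloudtrail.amazonaws.com"
 },
 "Action": "s3:GetBucketAcl",
 "Resource": "arn:aws:s3:::%s"
 },
 {
 "Sid": "AWSCloudTrailWrite",
 "Effect": "Allow",
 "Principal": {
 "Service": "cloudtrail.amazonaws.com"
 },
 "Action": "s3:PutObject",
 "Resource": "arn:aws:s3:::%s/prefix/AWSLogs/%s/*",
 "Condition": {
 "StringEquals": {
 "s3:x-amz-acl": "bucket-owner-full-control"
 }
 }
 }
 ]
}

`, bucketName, bucketName, current.AccountId)
		foo, err := s3.NewBucket(ctx, "foo", &s3.BucketArgs{
			Bucket: pulumi.String(bucketName),
			// ForceDestroy lets `pulumi destroy` delete the bucket while it
			// still holds trail log files; keep it false for audit logs you
			// must retain.
			ForceDestroy: pulumi.Bool(true),
			Policy:       pulumi.String(policy),
		})
		if err != nil {
			return err
		}
		// IncludeGlobalServiceEvents=false leaves events from global services
		// such as IAM out of this trail; log file validation is off by default.
		_, err = cloudtrail.NewTrail(ctx, "foobar", &cloudtrail.TrailArgs{
			IncludeGlobalServiceEvents: pulumi.Bool(false),
			S3BucketName:               foo.ID(),
			S3KeyPrefix:                pulumi.String("prefix"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
import pulumi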
import pulumi_aws as aws
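current = aws.get_caller_identity()

# The bucket policy below names the bucket explicitly, so the bucket must carry
# that exact name; without it Pulumi auto-names the bucket and the policy's
# Resource ARNs refer to a bucket that does not exist.
bucket_name = "tf-test-trail"

# Only the CloudTrail service principal may read the bucket ACL and write
# objects, and every write must grant the bucket owner full control.
foo = aws.s3.Bucket("foo",
    bucket=bucket_name,
    # force_destroy lets `pulumi destroy` delete the bucket while it still holds
    # trail log files; keep it False for audit logs you must retain.
    force_destroy=True,
    policy=f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {{
        "Service": "cloudtrail.amazonaws.com"
      }},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::{bucket_name}"
    }},
    {{
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {{
        "Service": "cloudtrail.amazonaws.com"
      }},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{bucket_name}/prefix/AWSLogs/{current.account_id}/*",
      "Condition": {{
        "StringEquals": {{
          "s3:x-amz-acl": "bucket-owner-full-control"
        }}
      }}
    }}
  ]
}}
""")

# include_global_service_events=False leaves events from global services such
# as IAM out of this trail; log file validation is off by default.
foobar = aws.cloudtrail.Trail("foobar",
    include_global_service_events=False,
    s3_bucket_name=foo.id,
    s3_key_prefix="prefix")
import * as pulumi from "@pulumi/pulumi";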
import * as aws from "@pulumi/aws";
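// The bucket policy below names the bucket explicitly, so the bucket must carry
// that exact name; without it Pulumi auto-names the bucket and the policy's
// Resource ARNs refer to a bucket that does not exist.
const bucketName = "tf-test-trail";
const current = pulumi.output(aws.getCallerIdentity({ async: true }));
// Only the CloudTrail service principal may read the bucket ACL and write
// objects, and every write must grant the bucket owner full control.
const foo = new aws.s3.Bucket("foo", {
    bucket: bucketName,
    // forceDestroy lets `pulumi destroy` delete the bucket while it still holds
    // trail log files; keep it false for audit logs you must retain.
    forceDestroy: true,
    policy: pulumi.interpolate`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${bucketName}"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucketName}/prefix/AWSLogs/${current.accountId}/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
`,
});
// includeGlobalServiceEvents: false leaves events from global services such as
// IAM out of this trail; log file validation is off by default.
const foobar = new aws.cloudtrail.Trail("foobar", {
    includeGlobalServiceEvents: false,
    s3BucketName: foo.id,
    s3KeyPrefix: "prefix",
});
Logging All Lambda Function Invocations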
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
    /// <summary>
    /// Creates a trail whose single event selector records data events for every
    /// Lambda function plus management events, for reads and writes alike.
    /// </summary>
    public MyStack()
    {
        // "arn:aws:lambda" is a prefix, so it matches every function ARN.
        var lambdaSelector = new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
        {
            DataResources =
            {
                new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
                {
                    Type = "AWS::Lambda::Function",
                    Values = { "arn:aws:lambda" },
                },
            },
            IncludeManagementEvents = true,
            ReadWriteType = "All",
        };
        var example = new Aws.CloudTrail.Trail("example", new Aws.CloudTrail.TrailArgs
        {
            EventSelectors = { lambdaSelector },
        });
    }
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/cloudtrail"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
// main creates a trail whose single event selector records data events for
// every Lambda function (ARN prefix "arn:aws:lambda") plus management events,
// for reads and writes alike.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		lambdaSelector := &cloudtrail.TrailEventSelectorArgs{
			DataResources: cloudtrail.TrailEventSelectorDataResourceArray{
				&cloudtrail.TrailEventSelectorDataResourceArgs{
					Type:   pulumi.String("AWS::Lambda::Function"),
					Values: pulumi.StringArray{pulumi.String("arn:aws:lambda")},
				},
			},
			IncludeManagementEvents: pulumi.Bool(true),
			ReadWriteType:           pulumi.String("All"),
		}
		if _, err := cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
			EventSelectors: cloudtrail.TrailEventSelectorArray{lambdaSelector},
		}); err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws
# One selector: data events for every Lambda function ("arn:aws:lambda" is a
# prefix matching every function ARN) plus management events, reads and writes.
lambda_selector = {
    "dataResources": [{
        "type": "AWS::Lambda::Function",
        "values": ["arn:aws:lambda"],
    }],
    "includeManagementEvents": True,
    "readWriteType": "All",
}
example = aws.cloudtrail.Trail("example", event_selectors=[lambda_selector])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// One selector: data events for every Lambda function ("arn:aws:lambda" is a
// prefix matching every function ARN) plus management events, reads and writes.
const lambdaSelector = {
    dataResources: [{
        type: "AWS::Lambda::Function",
        values: ["arn:aws:lambda"],
    }],
    includeManagementEvents: true,
    readWriteType: "All",
};
const example = new aws.cloudtrail.Trail("example", {
    eventSelectors: [lambdaSelector],
});
Logging All S3 Bucket Object Events
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
    /// <summary>
    /// Creates a trail whose single event selector records data events for every
    /// S3 object in the account plus management events, for reads and writes alike.
    /// </summary>
    public MyStack()
    {
        // "arn:aws:s3:::" is a prefix, so it matches every bucket and object ARN.
        var objectSelector = new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
        {
            DataResources =
            {
                new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
                {
                    Type = "AWS::S3::Object",
                    Values = { "arn:aws:s3:::" },
                },
            },
            IncludeManagementEvents = true,
            ReadWriteType = "All",
        };
        var example = new Aws.CloudTrail.Trail("example", new Aws.CloudTrail.TrailArgs
        {
            EventSelectors = { objectSelector },
        });
    }
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/cloudtrail"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
// main creates a trail whose single event selector records data events for
// every S3 object (ARN prefix "arn:aws:s3:::") plus management events, for
// reads and writes alike.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		objectSelector := &cloudtrail.TrailEventSelectorArgs{
			DataResources: cloudtrail.TrailEventSelectorDataResourceArray{
				&cloudtrail.TrailEventSelectorDataResourceArgs{
					Type:   pulumi.String("AWS::S3::Object"),
					Values: pulumi.StringArray{pulumi.String("arn:aws:s3:::")},
				},
			},
			IncludeManagementEvents: pulumi.Bool(true),
			ReadWriteType:           pulumi.String("All"),
		}
		if _, err := cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
			EventSelectors: cloudtrail.TrailEventSelectorArray{objectSelector},
		}); err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws
# One selector: data events for every S3 object ("arn:aws:s3:::" is a prefix
# matching every bucket and object ARN) plus management events, reads and writes.
object_selector = {
    "dataResources": [{
        "type": "AWS::S3::Object",
        "values": ["arn:aws:s3:::"],
    }],
    "includeManagementEvents": True,
    "readWriteType": "All",
}
example = aws.cloudtrail.Trail("example", event_selectors=[object_selector])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// One selector: data events for every S3 object ("arn:aws:s3:::" is a prefix
// matching every bucket and object ARN) plus management events, reads and writes.
const objectSelector = {
    dataResources: [{
        type: "AWS::S3::Object",
        values: ["arn:aws:s3:::"],
    }],
    includeManagementEvents: true,
    readWriteType: "All",
};
const example = new aws.cloudtrail.Trail("example", {
    eventSelectors: [objectSelector],
});
Logging Individual S3 Bucket Events
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
    /// <summary>
    /// Creates a trail that records data events for every object in one existing
    /// bucket ("important-bucket") plus management events, reads and writes alike.
    /// </summary>
    public MyStack()
    {
        var importantBucket = Output.Create(Aws.S3.GetBucket.InvokeAsync(new Aws.S3.GetBucketArgs
        {
            Bucket = "important-bucket",
        }));
        // A trailing "/" on the bucket ARN makes the selector cover every object
        // in the bucket rather than the bucket resource itself.
        var bucketObjectsArn = importantBucket.Apply(bucket => $"{bucket.Arn}/");
        var example = new Aws.CloudTrail.Trail("example", new Aws.CloudTrail.TrailArgs
        {
            EventSelectors =
            {
                new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
                {
                    DataResources =
                    {
                        new Aws.CloudTrail.Inputs.TrailEventSelectorDataResourceArgs
                        {
                            Type = "AWS::S3::Object",
                            Values = { bucketObjectsArn },
                        },
                    },
                    IncludeManagementEvents = true,
                    ReadWriteType = "All",
                },
            },
        });
    }
}
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/cloudtrail"
"github.com/pulumi/pulumi-aws/sdk/v2/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)
// main creates a trail that records data events for every object in one
// existing bucket ("important-bucket") plus management events, for reads and
// writes alike.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		importantBucket, err := s3.LookupBucket(ctx, &s3.LookupBucketArgs{
			Bucket: "important-bucket",
		}, nil)
		if err != nil {
			return err
		}
		// A trailing "/" on the bucket ARN makes the selector cover every
		// object in the bucket rather than the bucket resource itself.
		bucketObjectsArn := fmt.Sprintf("%s/", importantBucket.Arn)
		objectSelector := &cloudtrail.TrailEventSelectorArgs{
			DataResources: cloudtrail.TrailEventSelectorDataResourceArray{
				&cloudtrail.TrailEventSelectorDataResourceArgs{
					Type:   pulumi.String("AWS::S3::Object"),
					Values: pulumi.StringArray{pulumi.String(bucketObjectsArn)},
				},
			},
			IncludeManagementEvents: pulumi.Bool(true),
			ReadWriteType:           pulumi.String("All"),
		}
		if _, err := cloudtrail.NewTrail(ctx, "example", &cloudtrail.TrailArgs{
			EventSelectors: cloudtrail.TrailEventSelectorArray{objectSelector},
		}); err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws
important_bucket = aws.s3.get_bucket(bucket="important-bucket")
# A trailing "/" on the bucket ARN makes the selector cover every object in the
# bucket rather than the bucket resource itself.
bucket_objects_arn = f"{important_bucket.arn}/"
# Data events for those objects plus management events, reads and writes alike.
object_selector = {
    "dataResources": [{
        "type": "AWS::S3::Object",
        "values": [bucket_objects_arn],
    }],
    "includeManagementEvents": True,
    "readWriteType": "All",
}
example = aws.cloudtrail.Trail("example", event_selectors=[object_selector])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const important_bucket = pulumi.output(aws.s3.getBucket({
    bucket: "important-bucket",
}, { async: true }));
// A trailing "/" on the bucket ARN makes the selector cover every object in the
// bucket rather than the bucket resource itself.
const bucketObjectsArn = pulumi.interpolate`${important_bucket.arn}/`;
// Data events for those objects plus management events, reads and writes alike.
const objectSelector = {
    dataResources: [{
        type: "AWS::S3::Object",
        values: [bucketObjectsArn],
    }],
    includeManagementEvents: true,
    readWriteType: "All",
};
const example = new aws.cloudtrail.Trail("example", {
    eventSelectors: [objectSelector],
});
Create a Trail Resource
new Trail(name: string, args: TrailArgs, opts?: CustomResourceOptions);
def Trail(resource_name, opts=None, cloud_watch_logs_group_arn=None, cloud_watch_logs_role_arn=None, enable_log_file_validation=None, enable_logging=None, event_selectors=None, include_global_service_events=None, is_multi_region_trail=None, is_organization_trail=None, kms_key_id=None, name=None, s3_bucket_name=None, s3_key_prefix=None, sns_topic_name=None, tags=None, __props__=None);
public Trail(string name, TrailArgs args, CustomResourceOptions? opts = null)
- name string
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- opts ResourceOptions
- A bag of options that control this resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args TrailArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
Trail Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The Trail resource accepts the following input properties:
- S3BucketName string
Specifies the name of the S3 bucket designated for publishing log files.
- CloudWatchLogsGroupArn string
Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered.
- CloudWatchLogsRoleArn string
Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- EnableLogFileValidation bool
Specifies whether log file integrity validation is enabled. Defaults to false.
- EnableLogging bool
Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- EventSelectors List<TrailEventSelectorArgs>
Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.
- IncludeGlobalServiceEvents bool
Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- IsMultiRegionTrail bool
Specifies whether the trail is created in the current region or in all regions. Defaults to false.
- IsOrganizationTrail bool
Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- KmsKeyId string
Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- Name string
Specifies the name of the trail.
- S3KeyPrefix string
Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- SnsTopicName string
Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
- Tags Dictionary<string, string>
A map of tags to assign to the trail
- S3Bucket
Name string Specifies the name of the S3 bucket designated for publishing log files.
- Cloud
Watch stringLogs Group Arn Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered.
- Cloud
Watch stringLogs Role Arn Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- EnableLogFileValidation bool
Specifies whether log file integrity validation is enabled. Defaults to false.
- EnableLogging bool
Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- EventSelectors []TrailEventSelector
Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.
- IncludeGlobalServiceEvents bool
Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- IsMultiRegionTrail bool
Specifies whether the trail is created in the current region or in all regions. Defaults to false.
- IsOrganizationTrail bool
Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- KmsKeyId string
Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- Name string
Specifies the name of the trail.
- S3Key
Prefix string Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- Sns
Topic stringName Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
- map[string]string
A map of tags to assign to the trail
- s3Bucket
Name string Specifies the name of the S3 bucket designated for publishing log files.
- cloud
Watch stringLogs Group Arn Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered.
- cloud
Watch stringLogs Role Arn Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enableLogFileValidation boolean
Specifies whether log file integrity validation is enabled. Defaults to false.
- enableLogging boolean
Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- eventSelectors TrailEventSelector[]
Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.
- includeGlobalServiceEvents boolean
Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- isMultiRegionTrail boolean
Specifies whether the trail is created in the current region or in all regions. Defaults to false.
- isOrganizationTrail boolean
Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- kmsKeyId string
Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name string
Specifies the name of the trail.
- s3Key
Prefix string Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns
Topic stringName Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
- {[key: string]: string}
A map of tags to assign to the trail
- s3_
bucket_ strname Specifies the name of the S3 bucket designated for publishing log files.
- cloud_
watch_ strlogs_ group_ arn Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered.
- cloud_
watch_ strlogs_ role_ arn Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enable_log_file_validation bool
Specifies whether log file integrity validation is enabled. Defaults to false.
- enable_logging bool
Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- event_selectors List[TrailEventSelector]
Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.
- include_global_service_events bool
Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- is_multi_region_trail bool
Specifies whether the trail is created in the current region or in all regions. Defaults to false.
- is_organization_trail bool
Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- kms_key_id str
Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name str
Specifies the name of the trail.
- s3_
key_ strprefix Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns_
topic_ strname Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
- Dict[str, str]
A map of tags to assign to the trail
Outputs
All input properties are implicitly available as output properties. Additionally, the Trail resource produces the following output properties:
Look up an Existing Trail Resource
Get an existing Trail resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: TrailState, opts?: CustomResourceOptions): Trail
static get(resource_name, id, opts=None, arn=None, cloud_watch_logs_group_arn=None, cloud_watch_logs_role_arn=None, enable_log_file_validation=None, enable_logging=None, event_selectors=None, home_region=None, include_global_service_events=None, is_multi_region_trail=None, is_organization_trail=None, kms_key_id=None, name=None, s3_bucket_name=None, s3_key_prefix=None, sns_topic_name=None, tags=None, __props__=None);
func GetTrail(ctx *Context, name string, id IDInput, state *TrailState, opts ...ResourceOption) (*Trail, error)
public static Trail Get(string name, Input<string> id, TrailState? state, CustomResourceOptions? opts = null)
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Arn string
The Amazon Resource Name of the trail.
- Cloud
Watch stringLogs Group Arn Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered.
- Cloud
Watch stringLogs Role Arn Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- EnableLogFileValidation bool
Specifies whether log file integrity validation is enabled. Defaults to false.
- EnableLogging bool
Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- EventSelectors List<TrailEventSelectorArgs>
Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.
- HomeRegion string
The region in which the trail was created.
- IncludeGlobalServiceEvents bool
Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- IsMultiRegionTrail bool
Specifies whether the trail is created in the current region or in all regions. Defaults to false.
- IsOrganizationTrail bool
Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- KmsKeyId string
Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- Name string
Specifies the name of the trail.
- S3Bucket
Name string Specifies the name of the S3 bucket designated for publishing log files.
- S3Key
Prefix string Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- Sns
Topic stringName Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
- Dictionary<string, string>
A map of tags to assign to the trail
- Arn string
The Amazon Resource Name of the trail.
- Cloud
Watch stringLogs Group Arn Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered.
- Cloud
Watch stringLogs Role Arn Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- EnableLogFileValidation bool
Specifies whether log file integrity validation is enabled. Defaults to false.
- EnableLogging bool
Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- EventSelectors []TrailEventSelector
Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.
- HomeRegion string
The region in which the trail was created.
- IncludeGlobalServiceEvents bool
Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- IsMultiRegionTrail bool
Specifies whether the trail is created in the current region or in all regions. Defaults to false.
- IsOrganizationTrail bool
Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- KmsKeyId string
Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- Name string
Specifies the name of the trail.
- S3Bucket
Name string Specifies the name of the S3 bucket designated for publishing log files.
- S3Key
Prefix string Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- Sns
Topic stringName Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
- map[string]string
A map of tags to assign to the trail
- arn string
The Amazon Resource Name of the trail.
- cloud
Watch stringLogs Group Arn Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered.
- cloud
Watch stringLogs Role Arn Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enableLogFileValidation boolean
Specifies whether log file integrity validation is enabled. Defaults to false.
- enableLogging boolean
Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- eventSelectors TrailEventSelector[]
Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.
- homeRegion string
The region in which the trail was created.
- includeGlobalServiceEvents boolean
Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- isMultiRegionTrail boolean
Specifies whether the trail is created in the current region or in all regions. Defaults to false.
- isOrganizationTrail boolean
Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- kmsKeyId string
Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name string
Specifies the name of the trail.
- s3Bucket
Name string Specifies the name of the S3 bucket designated for publishing log files.
- s3Key
Prefix string Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns
Topic stringName Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
- {[key: string]: string}
A map of tags to assign to the trail
- arn str
The Amazon Resource Name of the trail.
- cloud_
watch_ strlogs_ group_ arn Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered.
- cloud_
watch_ strlogs_ role_ arn Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
- enable_log_file_validation bool
Specifies whether log file integrity validation is enabled. Defaults to false.
- enable_logging bool
Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
- event_selectors List[TrailEventSelector]
Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.
- home_region str
The region in which the trail was created.
- include_global_service_events bool
Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
- is_multi_region_trail bool
Specifies whether the trail is created in the current region or in all regions. Defaults to false.
- is_organization_trail bool
Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
- kms_key_id str
Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.
- name str
Specifies the name of the trail.
- s3_
bucket_ strname Specifies the name of the S3 bucket designated for publishing log files.
- s3_
key_ strprefix Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.
- sns_
topic_ strname Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
- Dict[str, str]
A map of tags to assign to the trail
Supporting Types
TrailEventSelector
- Data
Resources List<TrailEvent Selector Data Resource Args> Specifies logging data events. Fields documented below.
- Include
Management boolEvents Specify if you want your event selector to include management events for your trail.
- ReadWriteType string
Specify if you want your trail to log read-only events, write-only events, or all. You can specify only the following values: “ReadOnly”, “WriteOnly”, “All”. Defaults to All.
- Data
Resources []TrailEvent Selector Data Resource Specifies logging data events. Fields documented below.
- Include
Management boolEvents Specify if you want your event selector to include management events for your trail.
- ReadWriteType string
Specify if you want your trail to log read-only events, write-only events, or all. You can specify only the following values: “ReadOnly”, “WriteOnly”, “All”. Defaults to All.
- data
Resources TrailEvent Selector Data Resource[] Specifies logging data events. Fields documented below.
- include
Management booleanEvents Specify if you want your event selector to include management events for your trail.
- readWriteType string
Specify if you want your trail to log read-only events, write-only events, or all. You can specify only the following values: “ReadOnly”, “WriteOnly”, “All”. Defaults to All.
- data
Resources List[TrailEvent Selector Data Resource] Specifies logging data events. Fields documented below.
- include
Management boolEvents Specify if you want your event selector to include management events for your trail.
- read_write_type str
Specify if you want your trail to log read-only events, write-only events, or all. You can specify only the following values: “ReadOnly”, “WriteOnly”, “All”. Defaults to All.
TrailEventSelectorDataResource
- Type string
The resource type in which you want to log data events. You can specify only the following values: “AWS::S3::Object”, “AWS::Lambda::Function”
- Values List<string>
A list of ARNs for the specified S3 buckets and object prefixes.
Package Details
- Repository
- https://github.com/pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the aws Terraform Provider.