Class Trail
Provides a CloudTrail resource.
NOTE: For a multi-region trail, this resource must be in the home region of the trail.
NOTE: For an organization trail, this resource must be in the management (formerly "master") account of the organization.
Example Usage
Basic
using Pulumi;
using Aws = Pulumi.Aws;
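class MyStack : Stack
{
    /// <summary>
    /// Creates an S3 bucket that CloudTrail may deliver to, then a trail that writes
    /// its log files under a fixed key prefix in that bucket.
    /// </summary>
    public MyStack()
    {
        // The bucket policy below names the bucket by ARN, so the bucket must be created
        // under that exact name rather than a Pulumi auto-generated one; otherwise the
        // policy does not apply to the real bucket and CloudTrail refuses to deliver.
        const string bucketName = "tf-test-trail";
        // Shared between the policy's PutObject resource and the trail's S3KeyPrefix so
        // the two cannot drift apart.
        const string keyPrefix = "prefix";

        var current = Output.Create(Aws.GetCallerIdentity.InvokeAsync());

        var foo = new Aws.S3.Bucket("foo", new Aws.S3.BucketArgs
        {
            Bucket = bucketName,
            // NOTE(review): ForceDestroy removes the delivered audit logs along with the
            // bucket on `pulumi destroy`; leave it unset for a production trail bucket.
            ForceDestroy = true,
            // Grants the CloudTrail service principal exactly the two calls it needs:
            // reading the bucket ACL and writing objects under this account's log prefix.
            // The x-amz-acl condition forces delivered objects to be owned by the bucket
            // owner. NOTE(review): consider adding an aws:SourceArn condition naming the
            // trail, so that a trail in another account cannot deliver into this bucket.
            Policy = current.Apply(identity => $@"{{
                ""Version"": ""2012-10-17"",
                ""Statement"": [
                    {{
                        ""Sid"": ""AWSCloudTrailAclCheck"",
                        ""Effect"": ""Allow"",
                        ""Principal"": {{
                            ""Service"": ""cloudtrail.amazonaws.com""
                        }},
                        ""Action"": ""s3:GetBucketAcl"",
                        ""Resource"": ""arn:aws:s3:::{bucketName}""
                    }},
                    {{
                        ""Sid"": ""AWSCloudTrailWrite"",
                        ""Effect"": ""Allow"",
                        ""Principal"": {{
                            ""Service"": ""cloudtrail.amazonaws.com""
                        }},
                        ""Action"": ""s3:PutObject"",
                        ""Resource"": ""arn:aws:s3:::{bucketName}/{keyPrefix}/AWSLogs/{identity.AccountId}/*"",
                        ""Condition"": {{
                            ""StringEquals"": {{
                                ""s3:x-amz-acl"": ""bucket-owner-full-control""
                            }}
                        }}
                    }}
                ]
            }}
            "),
        });

        var foobar = new Aws.CloudTrail.Trail("foobar", new Aws.CloudTrail.TrailArgs
        {
            // Global-service events (IAM, STS) are excluded here; a trail used for
            // security monitoring should normally keep the default of true.
            IncludeGlobalServiceEvents = false,
            S3BucketName = foo.Id,
            S3KeyPrefix = keyPrefix,
            // NOTE(review): EnableLogFileValidation and KmsKeyId are left at their
            // defaults (validation off, no customer-managed key); enable both for an
            // audit trail whose integrity and confidentiality matter.
        });
    }
}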
Logging All Lambda Function Invocations
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
    /// <summary>
    /// Creates a trail whose data-event selector covers every Lambda function in the
    /// account (the bare "arn:aws:lambda" prefix), in addition to management events.
    /// </summary>
    public MyStack()
    {
        // One selector: management events plus read AND write data events for all
        // functions. NOTE(review): data events are typically high volume and are
        // priced separately from management events; narrow the ARN prefix if only a
        // subset of functions needs invocation-level logging.
        var allLambdaInvocations = new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
        {
            // NOTE(review): this dictionary-style initializer is how the provider's
            // example renders the data-resource list; confirm it against the
            // TrailEventSelectorArgs type in the installed SDK version.
            DataResource =
            {
                {
                    { "type", "AWS::Lambda::Function" },
                    { "values",
                    {
                        "arn:aws:lambda",
                    } },
                },
            },
            IncludeManagementEvents = true,
            ReadWriteType = "All",
        };

        var trail = new Aws.CloudTrail.Trail("example", new Aws.CloudTrail.TrailArgs
        {
            EventSelectors = { allLambdaInvocations },
        });
    }
}
Logging All S3 Bucket Object Events
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
    /// <summary>
    /// Creates a trail that records object-level (data) events for every S3 bucket in
    /// the account (the catch-all "arn:aws:s3:::" prefix), plus management events.
    /// </summary>
    public MyStack()
    {
        // NOTE(review): with a catch-all prefix the trail's own log bucket is logged
        // too, so each delivered log file produces a further data event; exclude that
        // bucket (or list specific buckets, as in the next example) to avoid the noise
        // and the extra cost. Object keys appear in these events, so treat the log
        // bucket as sensitive.
        var allS3Objects = new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
        {
            // NOTE(review): dictionary-style initializer as rendered by the provider's
            // example; confirm against TrailEventSelectorArgs in the installed SDK.
            DataResource =
            {
                {
                    { "type", "AWS::S3::Object" },
                    { "values",
                    {
                        "arn:aws:s3:::",
                    } },
                },
            },
            IncludeManagementEvents = true,
            ReadWriteType = "All",
        };

        var trail = new Aws.CloudTrail.Trail("example", new Aws.CloudTrail.TrailArgs
        {
            EventSelectors = { allS3Objects },
        });
    }
}
Logging Individual S3 Bucket Events
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
    /// <summary>
    /// Creates a trail that records object-level (data) events for one existing
    /// bucket, "important-bucket", in addition to management events.
    /// </summary>
    public MyStack()
    {
        // Look up the existing bucket so its ARN can serve as the selector prefix.
        var importantBucket = Output.Create(Aws.S3.GetBucket.InvokeAsync(new Aws.S3.GetBucketArgs
        {
            Bucket = "important-bucket",
        }));

        // Data-resource values are ARN prefixes. The trailing "/" confines the selector
        // to objects inside this bucket; without it the prefix would also match any
        // bucket whose name merely starts with "important-bucket".
        var objectPrefix = importantBucket.Apply(bucket => $"{bucket.Arn}/");

        var importantBucketObjects = new Aws.CloudTrail.Inputs.TrailEventSelectorArgs
        {
            // NOTE(review): dictionary-style initializer as rendered by the provider's
            // example; confirm against TrailEventSelectorArgs in the installed SDK.
            DataResource =
            {
                {
                    { "type", "AWS::S3::Object" },
                    { "values",
                    {
                        objectPrefix,
                    } },
                },
            },
            IncludeManagementEvents = true,
            ReadWriteType = "All",
        };

        var trail = new Aws.CloudTrail.Trail("example", new Aws.CloudTrail.TrailArgs
        {
            EventSelectors = { importantBucketObjects },
        });
    }
}
Namespace: Pulumi.Aws.CloudTrail
Assembly: Pulumi.Aws.dll
Syntax
public class Trail : CustomResource
Constructors
Trail(String, TrailArgs, CustomResourceOptions)
Create a Trail resource with the given unique name, arguments, and options.
Declaration
public Trail(string name, TrailArgs args, CustomResourceOptions options = null)
Parameters
| Type | Name | Description |
|---|---|---|
| System.String | name | The unique name of the resource |
| TrailArgs | args | The arguments used to populate this resource's properties |
| CustomResourceOptions | options | A bag of options that control this resource's behavior |
Properties
Arn
The Amazon Resource Name of the trail.
Declaration
public Output<string> Arn { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
CloudWatchLogsGroupArn
Specifies, as an Amazon Resource Name (ARN), the CloudWatch Logs log group to which CloudTrail logs will be delivered. Used together with CloudWatchLogsRoleArn.
Declaration
public Output<string> CloudWatchLogsGroupArn { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
CloudWatchLogsRoleArn
Specifies the ARN of the IAM role that CloudTrail assumes in order to write to the log group named by CloudWatchLogsGroupArn. Scope that role's permissions to writing that one log group.
Declaration
public Output<string> CloudWatchLogsRoleArn { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
EnableLogFileValidation
Specifies whether log file integrity validation is enabled. When enabled, CloudTrail delivers signed digest files alongside the logs, which let you detect whether a delivered log file was later modified or deleted.
Defaults to false; enable it for any trail that serves as an audit record.
Declaration
public Output<bool?> EnableLogFileValidation { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Nullable<System.Boolean>> |
EnableLogging
Enables logging for the trail. Defaults to true.
Setting this to false pauses logging; API activity that occurs while the trail is paused is not recorded, so a paused production trail is a monitoring gap.
Declaration
public Output<bool?> EnableLogging { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Nullable<System.Boolean>> |
EventSelectors
Specifies the event selectors that enable data event logging (see the Lambda and S3 examples above for their shape). CloudTrail limits how many event selectors and data resources a single trail may have; check the current service quotas when configuring these.
Declaration
public Output<ImmutableArray<TrailEventSelector>> EventSelectors { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Collections.Immutable.ImmutableArray<TrailEventSelector>> |
HomeRegion
The region in which the trail was created.
Declaration
public Output<string> HomeRegion { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
IncludeGlobalServiceEvents
Specifies whether the trail publishes events from global services such as IAM and STS to the log files. Defaults to true.
Setting this to false (as the Basic example does) omits those identity-related API calls from the trail.
Declaration
public Output<bool?> IncludeGlobalServiceEvents { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Nullable<System.Boolean>> |
IsMultiRegionTrail
Specifies whether the trail is created in the current region only or in all regions. Defaults to false.
A single-region trail does not capture API activity that takes place in other regions.
Declaration
public Output<bool?> IsMultiRegionTrail { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Nullable<System.Boolean>> |
IsOrganizationTrail
Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the management (formerly "master") account and all member accounts. Can only be created in the organization management account. Defaults to false.
Declaration
public Output<bool?> IsOrganizationTrail { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Nullable<System.Boolean>> |
KmsKeyId
Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail. The key's policy must allow the CloudTrail service to use it, and anyone who reads the logs needs permission to decrypt with the same key. When unset, CloudTrail falls back to S3-managed (SSE-S3) encryption for the delivered objects.
Declaration
public Output<string> KmsKeyId { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
Name
Specifies the name of the trail.
Declaration
public Output<string> Name { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
S3BucketName
Specifies the name of the S3 bucket designated for publishing log files. The bucket policy must allow the cloudtrail.amazonaws.com service principal to call s3:GetBucketAcl on the bucket and s3:PutObject under the log prefix, as shown in the Basic example.
Declaration
public Output<string> S3BucketName { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
S3KeyPrefix
Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.
Declaration
public Output<string> S3KeyPrefix { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
SnsTopicName
Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
Declaration
public Output<string> SnsTopicName { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.String> |
Tags
A map of tags to assign to the trail
Declaration
public Output<ImmutableDictionary<string, object>> Tags { get; }
Property Value
| Type | Description |
|---|---|
| Output<System.Collections.Immutable.ImmutableDictionary<System.String, System.Object>> |
Methods
Get(String, Input&lt;String&gt;, TrailState, CustomResourceOptions)
Get an existing Trail resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
Declaration
public static Trail Get(string name, Input<string> id, TrailState state = null, CustomResourceOptions options = null)
Parameters
| Type | Name | Description |
|---|---|---|
| System.String | name | The unique name of the resulting resource. |
| Input<System.String> | id | The unique provider ID of the resource to lookup. |
| TrailState | state | Any extra arguments used during the lookup. |
| CustomResourceOptions | options | A bag of options that control this resource's behavior |
Returns
| Type | Description |
|---|---|
| Trail |