awscc.cloudtrail_trail

Filters

  • event

  • reduce

  • value

Actions

delete

Parent base class for filters and actions.

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - CloudTrail:DeleteTrail

update

Parent base class for filters and actions.

definitions:
  DataResource:
    additionalProperties: false
    description: CloudTrail supports data event logging for Amazon S3 objects and
      AWS Lambda functions. You can specify up to 250 resources for an individual
      event selector, but the total number of data resources cannot exceed 250 across
      all event selectors in a trail. This limit does not apply if you configure resource
      logging for all data events.
    properties:
      Type:
        description: The resource type in which you want to log data events. You can
          specify AWS::S3::Object or AWS::Lambda::Function resources.
        type: string
      Values:
        description: An array of Amazon Resource Name (ARN) strings or partial ARN
          strings for the specified objects.
        insertionOrder: false
        items:
          type: string
        type: array
        uniqueItems: true
    required:
    - Type
    type: object
  EventSelector:
    additionalProperties: false
    description: Specifies the management and data event settings for the trail
      (an event selector). A trail logs an event when it matches any of its
      event selectors.
    properties:
      DataResources:
        insertionOrder: false
        items:
          additionalProperties: false
          description: CloudTrail supports data event logging for Amazon S3 objects
            and AWS Lambda functions. You can specify up to 250 resources for an individual
            event selector, but the total number of data resources cannot exceed 250
            across all event selectors in a trail. This limit does not apply if you
            configure resource logging for all data events.
          properties:
            Type:
              description: The resource type in which you want to log data events.
                You can specify AWS::S3::Object or AWS::Lambda::Function resources.
              type: string
            Values:
              description: An array of Amazon Resource Name (ARN) strings or partial
                ARN strings for the specified objects.
              insertionOrder: false
              items:
                type: string
              type: array
              uniqueItems: true
          required:
          - Type
          type: object
        type: array
        uniqueItems: true
      ExcludeManagementEventSources:
        description: An optional list of service event sources from which you do not
          want management events to be logged on your trail. In this release, the
          list can be empty (disables the filter), or it can filter out AWS Key Management
          Service events by containing "kms.amazonaws.com". By default, ExcludeManagementEventSources
          is empty, and AWS KMS events are included in events that are logged to your
          trail.
        insertionOrder: false
        items:
          type: string
        type: array
        uniqueItems: true
      IncludeManagementEvents:
        description: Specify if you want your event selector to include management
          events for your trail.
        type: boolean
      ReadWriteType:
        description: Specify if you want your trail to log read-only events, write-only
          events, or all. For example, the EC2 GetConsoleOutput is a read-only API
          operation and RunInstances is a write-only API operation.
        enum:
        - All
        - ReadOnly
        - WriteOnly
        type: string
    type: object
  InsightSelector:
    additionalProperties: false
    description: A string that contains insight types that are logged on a trail.
    properties:
      InsightType:
        description: The type of insight to log on a trail.
        type: string
    type: object
  Tag:
    additionalProperties: false
    description: An arbitrary set of tags (key-value pairs) for this trail.
    properties:
      Key:
        description: 'The key name of the tag. You can specify a value that is 1 to
          127 Unicode characters in length and cannot be prefixed with aws:. You can
          use any of the following characters: the set of Unicode letters, digits,
          whitespace, _, ., /, =, +, and -.'
        type: string
      Value:
        description: 'The value for the tag. You can specify a value that is 1 to
          255 Unicode characters in length and cannot be prefixed with aws:. You can
          use any of the following characters: the set of Unicode letters, digits,
          whitespace, _, ., /, =, +, and -.'
        type: string
    required:
    - Value
    - Key
    type: object
properties:
  CloudWatchLogsLogGroupArn:
    description: Specifies a log group name using an Amazon Resource Name (ARN), a
      unique identifier that represents the log group to which CloudTrail logs will
      be delivered. Not required unless you specify CloudWatchLogsRoleArn.
    type: string
  CloudWatchLogsRoleArn:
    description: Specifies the role for the CloudWatch Logs endpoint to assume to
      write to a user's log group.
    type: string
  EnableLogFileValidation:
    description: Specifies whether log file validation is enabled. The default is
      false.
    type: boolean
  EventSelectors:
    description: Use event selectors to further specify the management and data event
      settings for your trail. By default, trails created without specific event selectors
      will be configured to log all read and write management events, and no data
      events. When an event occurs in your account, CloudTrail evaluates the event
      selector for all trails. For each trail, if the event matches any event selector,
      the trail processes and logs the event. If the event doesn't match any event
      selector, the trail doesn't log the event. You can configure up to five event
      selectors for a trail.
    insertionOrder: false
    items:
      additionalProperties: false
      description: Specifies the management and data event settings for the trail
        (an event selector). A trail logs an event when it matches any of its
        event selectors.
      properties:
        DataResources:
          insertionOrder: false
          items:
            additionalProperties: false
            description: CloudTrail supports data event logging for Amazon S3 objects
              and AWS Lambda functions. You can specify up to 250 resources for an
              individual event selector, but the total number of data resources cannot
              exceed 250 across all event selectors in a trail. This limit does not
              apply if you configure resource logging for all data events.
            properties:
              Type:
                description: The resource type in which you want to log data events.
                  You can specify AWS::S3::Object or AWS::Lambda::Function resources.
                type: string
              Values:
                description: An array of Amazon Resource Name (ARN) strings or partial
                  ARN strings for the specified objects.
                insertionOrder: false
                items:
                  type: string
                type: array
                uniqueItems: true
            required:
            - Type
            type: object
          type: array
          uniqueItems: true
        ExcludeManagementEventSources:
          description: An optional list of service event sources from which you do
            not want management events to be logged on your trail. In this release,
            the list can be empty (disables the filter), or it can filter out AWS
            Key Management Service events by containing "kms.amazonaws.com". By default,
            ExcludeManagementEventSources is empty, and AWS KMS events are included
            in events that are logged to your trail.
          insertionOrder: false
          items:
            type: string
          type: array
          uniqueItems: true
        IncludeManagementEvents:
          description: Specify if you want your event selector to include management
            events for your trail.
          type: boolean
        ReadWriteType:
          description: Specify if you want your trail to log read-only events, write-only
            events, or all. For example, the EC2 GetConsoleOutput is a read-only API
            operation and RunInstances is a write-only API operation.
          enum:
          - All
          - ReadOnly
          - WriteOnly
          type: string
      type: object
    maxItems: 5
    type: array
    uniqueItems: true
  IncludeGlobalServiceEvents:
    description: Specifies whether the trail is publishing events from global services
      such as IAM to the log files.
    type: boolean
  InsightSelectors:
    description: Lets you enable Insights event logging by specifying the Insights
      selectors that you want to enable on an existing trail.
    insertionOrder: false
    items:
      additionalProperties: false
      description: A string that contains insight types that are logged on a trail.
      properties:
        InsightType:
          description: The type of insight to log on a trail.
          type: string
      type: object
    type: array
    uniqueItems: true
  IsLogging:
    description: Whether the CloudTrail is currently logging AWS API calls.
    type: boolean
  IsMultiRegionTrail:
    description: Specifies whether the trail applies only to the current region or
      to all regions. The default is false. If the trail exists only in the current
      region and this value is set to true, shadow trails (replications of the trail)
      will be created in the other regions. If the trail exists in all regions and
      this value is set to false, the trail will remain in the region where it was
      created, and its shadow trails in other regions will be deleted. As a best practice,
      consider using trails that log events in all regions.
    type: boolean
  IsOrganizationTrail:
    description: Specifies whether the trail is created for all accounts in an organization
      in AWS Organizations, or only for the current AWS account. The default is false,
      and cannot be true unless the call is made on behalf of an AWS account that
      is the master account for an organization in AWS Organizations.
    type: boolean
  KMSKeyId:
    description: Specifies the KMS key ID to use to encrypt the logs delivered by
      CloudTrail. The value can be an alias name prefixed by 'alias/', a fully specified
      ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
    type: string
  S3BucketName:
    description: Specifies the name of the Amazon S3 bucket designated for publishing
      log files. See Amazon S3 Bucket Naming Requirements.
    type: string
  S3KeyPrefix:
    description: Specifies the Amazon S3 key prefix that comes after the name of the
      bucket you have designated for log file delivery. For more information, see
      Finding Your CloudTrail Log Files. The maximum length is 200 characters.
    maxLength: 200
    type: string
  SnsTopicName:
    description: Specifies the name of the Amazon SNS topic defined for notification
      of log file delivery. The maximum length is 256 characters.
    maxLength: 256
    type: string
  Tags:
    insertionOrder: false
    items:
      additionalProperties: false
      description: An arbitrary set of tags (key-value pairs) for this trail.
      properties:
        Key:
          description: 'The key name of the tag. You can specify a value that is 1
            to 127 Unicode characters in length and cannot be prefixed with aws:.
            You can use any of the following characters: the set of Unicode letters,
            digits, whitespace, _, ., /, =, +, and -.'
          type: string
        Value:
          description: 'The value for the tag. You can specify a value that is 1 to
            255 Unicode characters in length and cannot be prefixed with aws:. You
            can use any of the following characters: the set of Unicode letters, digits,
            whitespace, _, ., /, =, +, and -.'
          type: string
      required:
      - Value
      - Key
      type: object
    type: array
    uniqueItems: false
  type:
    enum:
    - update

Permissions - CloudTrail:UpdateTrail, CloudTrail:StartLogging, CloudTrail:StopLogging, CloudTrail:AddTags, CloudTrail:RemoveTags, CloudTrail:PutEventSelectors, CloudTrail:PutInsightSelectors, iam:GetRole, iam:PassRole, iam:CreateServiceLinkedRole, organizations:DescribeOrganization, organizations:ListAWSServiceAccessForOrganization, CloudTrail:GetTrail, CloudTrail:DescribeTrails
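The following policy is an added example of how the value filter and the update action above fit together; it is not part of the generated reference. It assumes that the update action accepts the trail properties listed in its schema and patches the live trail to match, and the policy name is a constructed placeholder. It flags trails that do not validate log file integrity or that only cover a single region (both weaken the audit trail a responder relies on) and sets both properties. The op: ne form is used so that a property that is absent from the resource, not just one set to false, is also matched.

```yaml
# Added example policy for Cloud Custodian's awscc provider; not part of the
# generated reference page. Assumes the update action takes the trail
# properties from its schema and applies them to the live resource.
policies:
  - name: cloudtrail-trail-harden   # constructed policy name
    resource: awscc.cloudtrail_trail
    description: |
      Find trails that are not validating log file integrity or that only
      record events in one region, then enable both settings.
    filters:
      - or:
          # Absent or false: integrity digests are not being produced.
          - type: value
            key: EnableLogFileValidation
            op: ne
            value: true
          # Absent or false: activity in other regions is not captured.
          - type: value
            key: IsMultiRegionTrail
            op: ne
            value: true
    actions:
      - type: update
        EnableLogFileValidation: true
        IsMultiRegionTrail: true
```

The same shape works for the other update properties on this page; for instance, a value filter on IsLogging with value false identifies trails whose logging has been stopped, which is why the update action's permission list includes CloudTrail:StartLogging.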