aws::cloudtrail¶

Creates a Cloud Trail.

Example¶

aws::cloudtrail example-cloudtrail
    name: "example-cloudtrail"
    bucket: $(external-query aws::s3-bucket { name: "example-gyro-trail-bucket" })

    event-selector
        read-write-type: "All"
        include-management-events: true
        data-resource
            type: 'AWS::S3::Object'
            values: ['arn:aws:s3:::example-gyro-trail-bucket/']
        end
        data-resource
            type: 'AWS::Lambda::Function'
            values: ['arn:aws:lambda']
        end
        management-event-sources-to-exclude: ["kms.amazonaws.com"]
    end

    insight-selector
        insight-type: "ApiCallRateInsight"
    end

    tags: {
        "example-key": "example-value"
    }
end

Attributes¶

Attribute	Description
name	The name of the trail. (Required)
bucket	The Amazon S3 bucket designated for publishing log files. (Required)
bucket-key-prefix	The Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.
sns-topic-name	The Amazon SNS topic defined for notification of log file delivery.
include-global-service-events	Option to publish events from global services.
is-multi-region-trail	Option to specify if the trail is created in the current region or in all regions.
enable-log-file-validation	Option to enable log file validation.
log-group-arn	The log group to which CloudTrail logs will be delivered. Can only be set if `logs-role` is set.
logs-role	The role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
key	The KMS key to use to encrypt the logs delivered by CloudTrail.
is-organization-trail	Option to specify if the trail is is created for all accounts in an organization or the current AWS account.
tags map	The list of tags.
event-selector subresource	The list of management and data event settings for the trail. data-resource list The Amazon S3 buckets or AWS Lambda functions that you specify in your event selectors for your trail to log data events. (Required) management-event-sources-to-exclude list The list of service event sources from which management events should not be logged. include-management-events Option to specify if the event selector should include management events. read-write-type The type of events to be logged by the trail. Valid values are `ReadOnly`, `WriteOnly` or `All`.
insight-selector list	The list of insight types that are logged on the trail.
enable-logging	Enable the recording of AWS API calls and log file delivery for a trail. Defaults to `false`.

Outputs¶

Attribute	Description
arn	The Amazon Resource Number of the trail.
latest-cloud-watch-logs-delivery-time	The most recent date and time when CloudTrail delivered logs to CloudWatch Logs.
latest-s3-delivery-time	The most recent date and time when CloudTrail delivered logs to the S3 bucket.
latest-digest-delivery-time	The most recent date and time when CloudTrail delivered a digest file to the S3 bucket.
start-logging-time	The most recent date and time when CloudTrail started recording API calls for an AWS account.
stop-logging-time	The most recent date and time when CloudTrail stopped recording API calls for an AWS account.