aws::cloudtrail

Creates a CloudTrail trail that records AWS API activity and delivers the log files to an S3 bucket.

Example

aws::cloudtrail example-cloudtrail
    name: "example-cloudtrail"
    bucket: $(external-query aws::s3-bucket { name: "example-gyro-trail-bucket" })

    event-selector
        read-write-type: "All"
        include-management-events: true
        data-resource
            type: 'AWS::S3::Object'
            values: ['arn:aws:s3:::example-gyro-trail-bucket/']
        end
        data-resource
            type: 'AWS::Lambda::Function'
            values: ['arn:aws:lambda']
        end
        management-event-sources-to-exclude: ["kms.amazonaws.com"]
    end

    insight-selector
        insight-type: "ApiCallRateInsight"
    end

    tags: {
        "example-key": "example-value"
    }
end

Attributes

Attribute Description
name The name of the trail. (Required)
bucket The Amazon S3 bucket designated for publishing log files. (Required)
bucket-key-prefix The Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.
sns-topic-name The Amazon SNS topic defined for notification of log file delivery.
include-global-service-events Option to publish events from global services.
is-multi-region-trail Option to specify if the trail is created in the current region only or in all regions.
enable-log-file-validation Option to enable log file validation (signed digest files that let you verify delivered logs were not modified or deleted).
log-group-arn The CloudWatch Logs log group to which CloudTrail logs will be delivered. Can only be set if logs-role is set.
logs-role The role for the CloudWatch Logs endpoint to assume to write to a user's log group.
key The KMS key to use to encrypt the logs delivered by CloudTrail.
is-organization-trail Option to specify if the trail is created for all accounts in an organization or only for the current AWS account.
enable-logging Enable the recording of AWS API calls and log file delivery for the trail. Defaults to false.
tags map The list of tags.
event-selector subresource The management and data event settings for the trail. Its fields are listed below.
insight-selector subresource list The list of insight types that are logged on the trail. Each entry sets insight-type (ApiCallRateInsight in the example above).

event-selector

Attribute Description
data-resource list The Amazon S3 buckets or AWS Lambda functions that you specify in your event selectors for your trail to log data events. Each entry sets type and values. (Required)
management-event-sources-to-exclude list The list of service event sources from which management events should not be logged.
include-management-events Option to specify if the event selector should include management events.
read-write-type The type of events to be logged by the trail. Valid values are ReadOnly, WriteOnly or All.
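As an added example (not part of the Gyro provider or of this page), the following Python audits a trail against the security-relevant controls the attributes above expose: multi-region coverage, log file validation, KMS encryption, a CloudWatch Logs delivery path, logging actually enabled, and an event selector that captures all management events. The input dicts use the field names boto3 returns from describe_trails, get_trail_status and get_event_selectors, so real responses can be passed in directly; the sample data below is constructed to mirror the example trail at the top of the page and a hardened variant of it. The account ID and key ID in the hardened sample are placeholders.

```python
"""Audit CloudTrail trail settings for the controls this page's attributes map to.

Input shapes follow the boto3 responses of describe_trails (trail),
get_trail_status (status) and get_event_selectors (selectors).
Sample data here is constructed, not taken from a real account.
"""

# (Gyro attribute on this page, describe_trails key, why its absence matters)
_BOOL_CONTROLS = (
    ("is-multi-region-trail", "IsMultiRegionTrail",
     "single-region trail: API calls in other regions are not recorded"),
    ("enable-log-file-validation", "LogFileValidationEnabled",
     "no digest files: modification or deletion of delivered logs is undetectable"),
    ("include-global-service-events", "IncludeGlobalServiceEvents",
     "global service events (IAM, STS) are not recorded"),
)


def audit_trail(trail, status, selectors):
    """Return a list of finding strings; an empty list means the trail passes."""
    findings = []
    name = trail.get("Name", "<unnamed>")

    for attr, key, problem in _BOOL_CONTROLS:
        if not trail.get(key, False):
            findings.append(f"{name}: {attr} not set ({problem})")

    if not trail.get("KmsKeyId"):
        findings.append(f"{name}: key not set (logs rely on S3 default encryption only)")

    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append(f"{name}: log-group-arn not set (no near-real-time alerting path)")

    if not status.get("IsLogging", False):
        findings.append(f"{name}: enable-logging is false (trail exists but records nothing)")

    # At least one selector must log every management event, reads and writes.
    mgmt_ok = any(
        sel.get("IncludeManagementEvents", False) and sel.get("ReadWriteType") == "All"
        for sel in selectors
    )
    if not mgmt_ok:
        findings.append(f"{name}: no event-selector logs all management events (read-write-type All)")

    # Excluded sources are a deliberate blind spot; surface them so the choice is reviewed.
    for sel in selectors:
        for src in sel.get("ExcludeManagementEventSources", []):
            findings.append(f"{name}: management events from {src} are excluded")

    return findings


# Constructed: the page's example trail as describe_trails would report it.
EXAMPLE_TRAIL = {
    "Name": "example-cloudtrail",
    "S3BucketName": "example-gyro-trail-bucket",
    "IsMultiRegionTrail": False,
    "LogFileValidationEnabled": False,
    "IncludeGlobalServiceEvents": True,
    "IsOrganizationTrail": False,
}
EXAMPLE_STATUS = {"IsLogging": True}
EXAMPLE_SELECTORS = [{
    "ReadWriteType": "All",
    "IncludeManagementEvents": True,
    "DataResources": [
        {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::example-gyro-trail-bucket/"]},
        {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]},
    ],
    "ExcludeManagementEventSources": ["kms.amazonaws.com"],
}]

# Constructed: the same trail with every control above turned on (placeholder ARNs).
HARDENED_TRAIL = dict(
    EXAMPLE_TRAIL,
    IsMultiRegionTrail=True,
    LogFileValidationEnabled=True,
    KmsKeyId="arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    CloudWatchLogsLogGroupArn="arn:aws:logs:us-east-1:111122223333:log-group:example-trail:*",
)
HARDENED_SELECTORS = [dict(EXAMPLE_SELECTORS[0], ExcludeManagementEventSources=[])]


if __name__ == "__main__":
    for finding in audit_trail(EXAMPLE_TRAIL, EXAMPLE_STATUS, EXAMPLE_SELECTORS):
        print(finding)
    print("hardened findings:", audit_trail(HARDENED_TRAIL, EXAMPLE_STATUS, HARDENED_SELECTORS))
```

Run against the example trail it reports five findings (not multi-region, no log file validation, no KMS key, no CloudWatch Logs path, and the kms.amazonaws.com exclusion); the hardened variant reports none. To use it on a live account, call `boto3.client("cloudtrail")` and feed in `describe_trails()["trailList"][i]`, `get_trail_status(Name=...)` and `get_event_selectors(TrailName=...)["EventSelectors"]`.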

Outputs

Attribute Description
arn The Amazon Resource Name (ARN) of the trail.
latest-cloud-watch-logs-delivery-time The most recent date and time when CloudTrail delivered logs to CloudWatch Logs.
latest-s3-delivery-time The most recent date and time when CloudTrail delivered logs to the S3 bucket.
latest-digest-delivery-time The most recent date and time when CloudTrail delivered a digest file to the S3 bucket.
start-logging-time The most recent date and time when CloudTrail started recording API calls for an AWS account.
stop-logging-time The most recent date and time when CloudTrail stopped recording API calls for an AWS account.