TrailArgs

/**
 * Arguments for an AWS CloudTrail `Trail` resource (see the usage examples on this page).
 *
 * Every argument is optional at the type level; [s3BucketName] is the one the service
 * requires. Security-relevant defaults, as documented on the properties: log file
 * integrity validation is off unless [enableLogFileValidation] is set, the trail is
 * single-region unless [isMultiRegionTrail] is set, delivered logs are encrypted with a
 * customer-managed key only when [kmsKeyId] is given, and global-service (IAM) events are
 * recorded only while [includeGlobalServiceEvents] stays at its default of true.
 *
 * @property advancedEventSelectors Advanced event selectors for data event logging; conflicts with [eventSelectors].
 * @property cloudWatchLogsGroupArn ARN of the CloudWatch Logs group to deliver to, including the `:*` log-stream wildcard CloudTrail requires.
 * @property cloudWatchLogsRoleArn Role the CloudWatch Logs endpoint assumes to write to that group.
 * @property enableLogFileValidation Whether log file integrity validation is enabled; defaults to false.
 * @property enableLogging Whether the trail is logging; defaults to true, and false pauses logging.
 * @property eventSelectors Basic event selectors for data event logging, subject to CloudTrail limits; conflicts with [advancedEventSelectors].
 * @property includeGlobalServiceEvents Whether global-service events such as IAM are published to the log files; defaults to true.
 * @property insightSelectors Configuration for identifying unusual operational activity.
 * @property isMultiRegionTrail Whether the trail covers all regions rather than only the current one; defaults to false.
 * @property isOrganizationTrail Whether this is an AWS Organizations trail covering the management account and all member accounts; can only be created in the organization's management account; defaults to false.
 * @property kmsKeyId ARN of the KMS key used to encrypt the logs CloudTrail delivers.
 * @property name Name of the trail.
 * @property s3BucketName Name of the S3 bucket the log files are published to.
 * @property s3KeyPrefix Key prefix under which log files are written in that bucket.
 * @property snsTopicName SNS topic notified of each log file delivery.
 * @property tags Tags to assign to the trail; keys matching a provider `default_tags` block override the provider-level value.
 */
data class TrailArgs(
    val advancedEventSelectors: Output<List<TrailAdvancedEventSelectorArgs>>? = null,
    val cloudWatchLogsGroupArn: Output<String>? = null,
    val cloudWatchLogsRoleArn: Output<String>? = null,
    val enableLogFileValidation: Output<Boolean>? = null,
    val enableLogging: Output<Boolean>? = null,
    val eventSelectors: Output<List<TrailEventSelectorArgs>>? = null,
    val includeGlobalServiceEvents: Output<Boolean>? = null,
    val insightSelectors: Output<List<TrailInsightSelectorArgs>>? = null,
    val isMultiRegionTrail: Output<Boolean>? = null,
    val isOrganizationTrail: Output<Boolean>? = null,
    val kmsKeyId: Output<String>? = null,
    val name: Output<String>? = null,
    val s3BucketName: Output<String>? = null,
    val s3KeyPrefix: Output<String>? = null,
    val snsTopicName: Output<String>? = null,
    val tags: Output<Map<String, String>>? = null,
) : ConvertibleToJava<TrailArgs>

Provides a CloudTrail resource.

Tip: For a multi-region trail (is_multi_region_trail), this resource must be created in the trail's home region. Tip: For an organization trail (is_organization_trail), this resource must be created in the organization's management account (formerly called the master account); member accounts cannot create it.

Example Usage

Basic

Enables CloudTrail to capture all compatible management events in the current region and deliver them to an S3 bucket whose policy grants the CloudTrail service principal only what it needs: s3:GetBucketAcl on the bucket and s3:PutObject under the log prefix, with the bucket-owner-full-control ACL. Events from global services such as IAM are only captured when include_global_service_events is enabled; a trail with it disabled records no IAM activity, so keep it enabled unless another trail in the account already covers global events.

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.resources.CustomResourceOptions;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementConditionArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
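public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a single-region trail that delivers management events to a dedicated
     * S3 bucket, together with the bucket policy CloudTrail needs in order to write.
     *
     * Changes over the generated listing: the bucket policy is attached before the trail
     * is created (CloudTrail checks at creation time that it can write to the bucket),
     * the two Outputs feeding the PutObject resource ARN are combined before formatting,
     * the policy JSON is read from the resolved document, global-service events are kept
     * on as the surrounding text requires, and log file validation is enabled.
     */
    public static void stack(Context ctx) {
        // Account id of the deploying principal; used to confine the PutObject grant to
        // this account's own log prefix rather than the whole bucket.
        final var current = AwsFunctions.getCallerIdentity();
        final var accountId = current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId());

        // Log bucket. NOTE(review): forceDestroy(true) lets `pulumi destroy` remove the
        // bucket together with every audit log in it; drop it for a long-lived trail.
        var fooBucketV2 = new BucketV2("fooBucketV2", BucketV2Args.builder()
            .forceDestroy(true)
            .build());

        // Objects CloudTrail may write: <bucket>/prefix/AWSLogs/<account-id>/*. Both inputs
        // are Outputs, so they are resolved together; passing an Output straight into
        // String.format would embed its toString(), not the account id.
        final var logObjectsArn = Output.tuple(fooBucketV2.arn(), accountId).applyValue(values -> {
            var bucketArn = values.t1;
            var account = values.t2;
            return String.format("%s/prefix/AWSLogs/%s/*", bucketArn, account);
        });

        // Least-privilege bucket policy for the CloudTrail service principal: GetBucketAcl
        // on the bucket, PutObject only under the log prefix, and only with the
        // bucket-owner-full-control ACL so this account keeps ownership of the log objects.
        // NOTE(review): AWS additionally recommends an aws:SourceArn condition naming the
        // trail (confused-deputy mitigation); not added here because the trail is created
        // after this policy and its ARN is not referenced in this example.
        final var fooPolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                GetPolicyDocumentStatementArgs.builder()
                    .sid("AWSCloudTrailAclCheck")
                    .effect("Allow")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("cloudtrail.amazonaws.com")
                        .build())
                    .actions("s3:GetBucketAcl")
                    .resources(fooBucketV2.arn())
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .sid("AWSCloudTrailWrite")
                    .effect("Allow")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("cloudtrail.amazonaws.com")
                        .build())
                    .actions("s3:PutObject")
                    .resources(logObjectsArn)
                    .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                        .test("StringEquals")
                        .variable("s3:x-amz-acl")
                        .values("bucket-owner-full-control")
                        .build())
                    .build())
            .build());

        var fooBucketPolicy = new BucketPolicy("fooBucketPolicy", BucketPolicyArgs.builder()
            .bucket(fooBucketV2.id())
            .policy(fooPolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

        // The trail itself, created only once the bucket policy is in place.
        // includeGlobalServiceEvents must be true for IAM (global-service) activity to be
        // recorded; enableLogFileValidation turns on digest files so later tampering with
        // or deletion of delivered logs is detectable. Consider kmsKeyId(...) to encrypt
        // the delivered logs with a customer-managed key (no key is defined in this example).
        var foobar = new Trail("foobar", TrailArgs.builder()
            .s3BucketName(fooBucketV2.id())
            .s3KeyPrefix("prefix")
            .includeGlobalServiceEvents(true)
            .enableLogFileValidation(true)
            .build(), CustomResourceOptions.builder()
                .dependsOn(fooBucketPolicy)
                .build());
    }
}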

Logging All Lambda Function Invocations By Using Basic Event Selectors

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorDataResourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Trail that records the data events of every Lambda function (the value
     * "arn:aws:lambda" matches all function ARNs) as well as read and write
     * management events. Logging every invocation is high-volume; scope the ARN
     * value down for production use.
     *
     * NOTE(review): s3BucketName, the trail's required argument, is not set in this
     * listing; it shows only the event selector.
     */
    public static void stack(Context ctx) {
        // Data-event scope: all Lambda functions, matched by ARN prefix.
        final var allLambdaFunctions = TrailEventSelectorDataResourceArgs.builder()
            .type("AWS::Lambda::Function")
            .values("arn:aws:lambda")
            .build();

        // "All" covers both read-only and write-only events; management events stay on.
        final var selector = TrailEventSelectorArgs.builder()
            .readWriteType("All")
            .includeManagementEvents(true)
            .dataResources(allLambdaFunctions)
            .build();

        var trail = new Trail("example", TrailArgs.builder()
            .eventSelectors(selector)
            .build());
    }
}

Logging All S3 Object Events By Using Basic Event Selectors

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorDataResourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Trail that records object-level data events for every S3 bucket (the value
     * "arn:aws:s3" matches all bucket ARNs) as well as read and write management events.
     *
     * NOTE(review): this presumably also matches the bucket receiving this trail's own
     * log files, so each log delivery would itself be recorded; the advanced-selector
     * example on this page shows how to exclude specific buckets. s3BucketName, the
     * trail's required argument, is not set in this listing.
     */
    public static void stack(Context ctx) {
        // Data-event scope: all S3 objects, matched by ARN prefix.
        final var allS3Objects = TrailEventSelectorDataResourceArgs.builder()
            .type("AWS::S3::Object")
            .values("arn:aws:s3")
            .build();

        // "All" covers both read-only and write-only events; management events stay on.
        final var selector = TrailEventSelectorArgs.builder()
            .readWriteType("All")
            .includeManagementEvents(true)
            .dataResources(allS3Objects)
            .build();

        var trail = new Trail("example", TrailArgs.builder()
            .eventSelectors(selector)
            .build());
    }
}

Logging Individual S3 Bucket Events By Using Basic Event Selectors

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorDataResourceArgs;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
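public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Trail that records S3 object-level data events for one existing bucket only,
     * plus read and write management events.
     *
     * Changes over the generated listing: the bucket lookup is held in a valid Java
     * identifier (hyphens are not permitted, and the original then referred to a
     * differently spelled name), and the bucket ARN is read from the resolved lookup
     * result rather than from the Output wrapper.
     *
     * NOTE(review): s3BucketName, the trail's required argument, is not set in this
     * listing.
     */
    public static void stack(Context ctx) {
        // Existing bucket whose object events should be recorded.
        final var importantBucket = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket")
            .build());

        // "<bucket-arn>/" selects the objects in this bucket. The trailing slash is used
        // consistently on this page; presumably it keeps the prefix match from also
        // catching buckets whose names merely start with "important-bucket" — confirm.
        final var bucketObjectsPrefix = importantBucket
            .applyValue(getBucketResult -> List.of(String.format("%s/", getBucketResult.arn())));

        var example = new Trail("example", TrailArgs.builder()
            .eventSelectors(TrailEventSelectorArgs.builder()
                .dataResources(TrailEventSelectorDataResourceArgs.builder()
                    .type("AWS::S3::Object")
                    .values(bucketObjectsPrefix)
                    .build())
                .includeManagementEvents(true)
                .readWriteType("All")
                .build())
            .build());
    }
}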

Logging All S3 Object Events Except For Two S3 Buckets By Using Advanced Event Selectors

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorFieldSelectorArgs;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
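public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Trail using advanced event selectors: all S3 object data events except those in
     * two named buckets, plus all (read-only and write-only) management events.
     *
     * Changes over the generated listing: valid, consistently referenced Java identifiers
     * for the two bucket lookups; bucket ARNs read from the resolved lookup results; and
     * the `equals` field set through the SDK's equals_ builder method — a builder method
     * named equals taking a single String resolves to Object.equals and returns boolean,
     * which is why the generated SDK suffixes it (confirm against your SDK version).
     *
     * NOTE(review): s3BucketName, the trail's required argument, is not set in this
     * listing.
     */
    public static void stack(Context ctx) {
        final var notImportantBucket1 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("not-important-bucket-1")
            .build());
        final var notImportantBucket2 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("not-important-bucket-2")
            .build());

        // "<bucket-arn>/" prefixes of the two buckets to leave out.
        final var excludedPrefixes = Output.tuple(notImportantBucket1, notImportantBucket2)
            .applyValue(values -> List.of(
                String.format("%s/", values.t1.arn()),
                String.format("%s/", values.t2.arn())));

        // Data events for S3 objects whose ARN does not start with either excluded prefix.
        // NOTE(review): if the bucket receiving this trail's own logs is not one of the
        // excluded buckets, each log delivery would itself be recorded as a data event.
        final var s3ObjectsExceptTwoBuckets = TrailAdvancedEventSelectorArgs.builder()
            .name("Log all S3 objects events except for two S3 buckets")
            .fieldSelectors(
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("eventCategory")
                    .equals_("Data")
                    .build(),
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("resources.ARN")
                    .notStartsWith(excludedPrefixes)
                    .build(),
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("resources.type")
                    .equals_("AWS::S3::Object")
                    .build())
            .build();

        // Management events; no readOnly selector, so both readOnly and writeOnly are kept.
        final var allManagementEvents = TrailAdvancedEventSelectorArgs.builder()
            .name("Log readOnly and writeOnly management events")
            .fieldSelectors(TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                .field("eventCategory")
                .equals_("Management")
                .build())
            .build();

        var example = new Trail("example", TrailArgs.builder()
            .advancedEventSelectors(s3ObjectsExceptTwoBuckets, allManagementEvents)
            .build());
    }
}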

Logging Individual S3 Buckets And Specific Event Names By Using Advanced Event Selectors

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorFieldSelectorArgs;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
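public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Trail using advanced event selectors to record only specific write data events:
     * PutObject and DeleteObject in two buckets, and every Delete* event under one prefix
     * of a third bucket.
     *
     * Changes over the generated listing: valid, consistently referenced Java identifiers
     * for the three bucket lookups; bucket ARNs read from the resolved lookup results; and
     * the `equals` field set through the SDK's equals_ builder method — a builder method
     * named equals taking a single String resolves to Object.equals and returns boolean,
     * which is why the generated SDK suffixes it (confirm against your SDK version).
     *
     * NOTE(review): unlike the two-bucket example above, no selector with
     * eventCategory = Management is present, so this trail records no management
     * events; add one if API-level configuration changes should be audited as well.
     * s3BucketName, the trail's required argument, is not set in this listing.
     */
    public static void stack(Context ctx) {
        final var importantBucket1 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket-1")
            .build());
        final var importantBucket2 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket-2")
            .build());
        final var importantBucket3 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket-3")
            .build());

        // "<bucket-arn>/" prefixes of the first two buckets.
        final var twoBucketPrefixes = Output.tuple(importantBucket1, importantBucket2)
            .applyValue(values -> List.of(
                String.format("%s/", values.t1.arn()),
                String.format("%s/", values.t2.arn())));

        // One prefix inside the third bucket.
        final var thirdBucketPrefix = importantBucket3
            .applyValue(getBucketResult -> List.of(String.format("%s/important-prefix", getBucketResult.arn())));

        // readOnly = "false" restricts both selectors to write events.
        final var putAndDeleteInTwoBuckets = TrailAdvancedEventSelectorArgs.builder()
            .name("Log PutObject and DeleteObject events for two S3 buckets")
            .fieldSelectors(
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("eventCategory")
                    .equals_("Data")
                    .build(),
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("eventName")
                    .equals_("PutObject", "DeleteObject")
                    .build(),
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("resources.ARN")
                    .equals_(twoBucketPrefixes)
                    .build(),
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("readOnly")
                    .equals_("false")
                    .build(),
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("resources.type")
                    .equals_("AWS::S3::Object")
                    .build())
            .build();

        final var deletesUnderOnePrefix = TrailAdvancedEventSelectorArgs.builder()
            .name("Log Delete* events for one S3 bucket")
            .fieldSelectors(
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("eventCategory")
                    .equals_("Data")
                    .build(),
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("eventName")
                    .startsWith("Delete")
                    .build(),
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("resources.ARN")
                    .equals_(thirdBucketPrefix)
                    .build(),
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("readOnly")
                    .equals_("false")
                    .build(),
                TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                    .field("resources.type")
                    .equals_("AWS::S3::Object")
                    .build())
            .build();

        var example = new Trail("example", TrailArgs.builder()
            .advancedEventSelectors(putAndDeleteInTwoBuckets, deletesUnderOnePrefix)
            .build());
    }
}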

Sending Events to CloudWatch Logs

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Trail that delivers its events to a CloudWatch Logs log group.
     *
     * NOTE(review): the page documents cloudWatchLogsRoleArn as the role the CloudWatch
     * Logs endpoint assumes to write to the group; this listing sets neither it nor the
     * required s3BucketName, so it is not deployable as-is — confirm against your SDK.
     */
    public static void stack(Context ctx) {
        var trailLogGroup = new LogGroup("exampleLogGroup");

        // CloudTrail requires the log-stream wildcard: the group ARN with ":*" appended.
        final var groupWithStreamWildcard = trailLogGroup.arn().applyValue(arn -> arn + ":*");

        var trail = new Trail("exampleTrail", TrailArgs.builder()
            .cloudWatchLogsGroupArn(groupWithStreamWildcard)
            .build());
    }
}

Import

CloudTrail trails can be imported into a Pulumi stack using the trail name, e.g.,

$ pulumi import aws:cloudtrail/trail:Trail sample my-sample-trail

Constructors

constructor(advancedEventSelectors: Output<List<TrailAdvancedEventSelectorArgs>>? = null, cloudWatchLogsGroupArn: Output<String>? = null, cloudWatchLogsRoleArn: Output<String>? = null, enableLogFileValidation: Output<Boolean>? = null, enableLogging: Output<Boolean>? = null, eventSelectors: Output<List<TrailEventSelectorArgs>>? = null, includeGlobalServiceEvents: Output<Boolean>? = null, insightSelectors: Output<List<TrailInsightSelectorArgs>>? = null, isMultiRegionTrail: Output<Boolean>? = null, isOrganizationTrail: Output<Boolean>? = null, kmsKeyId: Output<String>? = null, name: Output<String>? = null, s3BucketName: Output<String>? = null, s3KeyPrefix: Output<String>? = null, snsTopicName: Output<String>? = null, tags: Output<Map<String, String>>? = null)

Properties


Specifies advanced event selectors for enabling data event logging (see the advanced-selector examples above). Conflicts with eventSelectors (event_selector): a trail uses one mechanism or the other. Note that with advanced selectors, management events are only recorded if a selector with eventCategory equal to Management is included, as the two-bucket example does.

val cloudWatchLogsGroupArn: Output<String>? = null

ARN of the CloudWatch Logs log group to which CloudTrail events will be delivered. CloudTrail requires the log-stream wildcard, i.e. the log group ARN with `:*` appended (as in the CloudWatch Logs example above); a bare log group ARN is not accepted.

val cloudWatchLogsRoleArn: Output<String>? = null

ARN of the IAM role the CloudWatch Logs endpoint assumes to write to the log group given in cloudWatchLogsGroupArn. Keep its trust policy limited to the CloudTrail service principal and its permissions limited to creating log streams and putting events in that one group.

val enableLogFileValidation: Output<Boolean>? = null

Whether log file integrity validation is enabled. Defaults to false. When enabled, CloudTrail delivers signed digest files alongside the logs so that later modification or deletion of delivered log files can be detected; enable it for any trail relied on as an audit record.

val enableLogging: Output<Boolean>? = null

Enables logging for the trail. Defaults to true. Setting this to false pauses logging: the trail remains but records nothing until re-enabled, so an unexpectedly paused trail should be treated as a security signal, not a configuration detail.


Specifies basic event selectors for enabling data event logging (see the basic-selector examples above). Please note the CloudTrail limits when configuring these. Conflicts with advancedEventSelectors (advanced_event_selector).

val includeGlobalServiceEvents: Output<Boolean>? = null

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true. Disabling it drops IAM and other global-service events from this trail; do so only when another trail in the account already records them.


Configuration block for CloudTrail Insights, which flags unusual operational activity (such as unexpected spikes in API call volume) in the trail's management events. See details below.

val isMultiRegionTrail: Output<Boolean>? = null

Whether the trail is created in the current region only or in all regions. Defaults to false (single region). A single-region trail does not record API activity in other regions, so a multi-region trail is the usual choice for an account-wide audit trail.

val isOrganizationTrail: Output<Boolean>? = null

Whether the trail is an AWS Organizations trail. Organization trails log events for the management account and all member accounts, and can only be created in the organization's management account (formerly called the master account). Defaults to false.

val kmsKeyId: Output<String>? = null

ARN of the KMS key used to encrypt the logs CloudTrail delivers to S3. The key's policy must allow the CloudTrail service principal to use it, and anyone reading the logs needs decrypt permission on the same key.

val name: Output<String>? = null

Name of the trail.

val s3BucketName: Output<String>? = null

Name of the S3 bucket designated for publishing log files. This is the required argument; the remaining arguments are optional. The bucket's policy must allow the CloudTrail service principal s3:GetBucketAcl on the bucket and s3:PutObject under the log prefix (see the Basic example), and should otherwise block public access.

val s3KeyPrefix: Output<String>? = null

S3 key prefix that follows the name of the bucket you have designated for log file delivery. The bucket policy's PutObject resource must include this prefix; the Basic example grants prefix/AWSLogs/<account-id>/*.

val snsTopicName: Output<String>? = null

Name of the Amazon SNS topic defined for notification of log file delivery.

val tags: Output<Map<String, String>>? = null

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.

Functions

open override fun toJava(): TrailArgs