Trail

class Trail : KotlinCustomResource

Provides a CloudTrail resource.

Tip: For a multi-region trail, this resource must be in the home region of the trail. Tip: For an organization trail, this resource must be in the master account of the organization.

Example Usage

Basic

Enables CloudTrail to capture all compatible management events in the current region. To capture events from global services such as IAM, include_global_service_events must be enabled.

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementConditionArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
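public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates an S3 bucket, a bucket policy that lets CloudTrail write to it, and a
     * trail that delivers its log files to that bucket under the "prefix" key prefix.
     *
     * <p>The trail takes its bucket name from the BucketPolicy's output rather than
     * from the bucket directly, so the policy is applied before the trail is created.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Identity of the credentials Pulumi is running with; only the account ID is needed.
        final var current = AwsFunctions.getCallerIdentity();
        final var accountId = current.applyValue(identity -> identity.accountId());

        var fooBucketV2 = new BucketV2("fooBucketV2", BucketV2Args.builder()
            .forceDestroy(true)
            .build());

        // CloudTrail writes objects under <bucket-arn>/prefix/AWSLogs/<account-id>/*.
        // Both inputs are Outputs, so they must be combined before formatting:
        // passing an Output to String.format would stringify the Output object itself.
        final var logObjectsArn = Output.all(fooBucketV2.arn(), accountId)
            .applyValue(parts -> String.format("%s/prefix/AWSLogs/%s/*", parts.get(0), parts.get(1)));

        final var fooPolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                // Lets the CloudTrail service principal read the bucket ACL.
                GetPolicyDocumentStatementArgs.builder()
                    .sid("AWSCloudTrailAclCheck")
                    .effect("Allow")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("cloudtrail.amazonaws.com")
                        .build())
                    .actions("s3:GetBucketAcl")
                    // resources is a list field; wrap the single ARN once it resolves.
                    .resources(fooBucketV2.arn().applyValue(arn -> List.of(arn)))
                    .build(),
                // Lets the CloudTrail service principal write log objects, but only
                // under the trail's prefix and only with bucket-owner-full-control.
                GetPolicyDocumentStatementArgs.builder()
                    .sid("AWSCloudTrailWrite")
                    .effect("Allow")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("cloudtrail.amazonaws.com")
                        .build())
                    .actions("s3:PutObject")
                    .resources(logObjectsArn.applyValue(arn -> List.of(arn)))
                    .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                        .test("StringEquals")
                        .variable("s3:x-amz-acl")
                        .values("bucket-owner-full-control")
                        .build())
                    .build())
            .build());

        var fooBucketPolicy = new BucketPolicy("fooBucketPolicy", BucketPolicyArgs.builder()
            .bucket(fooBucketV2.id())
            .policy(fooPolicyDocument.applyValue(result -> result.json()))
            .build());

        // fooBucketPolicy.bucket() carries the same value as fooBucketV2.id(); reading it
        // from the policy makes the trail depend on the policy, so the bucket is
        // writable by CloudTrail before the trail is created.
        var foobar = new Trail("foobar", TrailArgs.builder()
            .s3BucketName(fooBucketPolicy.bucket())
            .s3KeyPrefix("prefix")
            // Global-service events (for example IAM) are only captured when this is true.
            .includeGlobalServiceEvents(false)
            .build());
    }
}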

Logging All Lambda Function Invocations By Using Basic Event Selectors

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorDataResourceArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
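public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a trail whose basic event selector records all Lambda function
     * invocations (data events) together with all management events.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // "arn:aws:lambda" is the ARN prefix shared by every Lambda function, so all
        // function invocations are selected.
        final var allLambdaFunctions = TrailEventSelectorDataResourceArgs.builder()
            .type("AWS::Lambda::Function")
            .values("arn:aws:lambda")
            .build();

        // NOTE(review): s3BucketName is a required Trail argument (see Properties);
        // supply a bucket as in the Basic example before deploying this program.
        var example = new Trail("example", TrailArgs.builder()
            .eventSelectors(TrailEventSelectorArgs.builder()
                .dataResources(allLambdaFunctions)
                .includeManagementEvents(true)
                // Log both read and write events.
                .readWriteType("All")
                .build())
            .build());
    }
}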

Logging All S3 Object Events By Using Basic Event Selectors

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorDataResourceArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
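public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a trail whose basic event selector records all S3 object-level
     * events (data events) together with all management events.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // "arn:aws:s3" is the ARN prefix shared by every S3 bucket, so object events
        // from all buckets are selected.
        final var allS3Objects = TrailEventSelectorDataResourceArgs.builder()
            .type("AWS::S3::Object")
            .values("arn:aws:s3")
            .build();

        // NOTE(review): s3BucketName is a required Trail argument (see Properties);
        // supply a bucket as in the Basic example before deploying this program.
        var example = new Trail("example", TrailArgs.builder()
            .eventSelectors(TrailEventSelectorArgs.builder()
                .dataResources(allS3Objects)
                .includeManagementEvents(true)
                // Log both read and write events.
                .readWriteType("All")
                .build())
            .build());
    }
}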

Logging Individual S3 Bucket Events By Using Basic Event Selectors

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailEventSelectorDataResourceArgs;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
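public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a trail whose basic event selector records object-level events for
     * one existing S3 bucket, together with all management events.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Looks up an existing bucket by name. Java identifiers cannot contain "-",
        // and the lookup result is an Output, so the ARN is only reachable via applyValue.
        final var importantBucket = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket")
            .build());

        // "<bucket-arn>/" selects every object in the bucket; values is a list field.
        final var bucketObjects = importantBucket
            .applyValue(bucket -> List.of(String.format("%s/", bucket.arn())));

        // NOTE(review): s3BucketName is a required Trail argument (see Properties);
        // supply a bucket as in the Basic example before deploying this program.
        var example = new Trail("example", TrailArgs.builder()
            .eventSelectors(TrailEventSelectorArgs.builder()
                .dataResources(TrailEventSelectorDataResourceArgs.builder()
                    .type("AWS::S3::Object")
                    .values(bucketObjects)
                    .build())
                .includeManagementEvents(true)
                // Log both read and write events.
                .readWriteType("All")
                .build())
            .build());
    }
}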

Logging All S3 Object Events Except For Two S3 Buckets By Using Advanced Event Selectors

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorFieldSelectorArgs;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
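public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a trail with two advanced event selectors: one that records data
     * events for every S3 object except those in two named buckets, and one that
     * records management events.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Java identifiers cannot contain "-", so the lookups use camelCase names.
        final var notImportantBucket1 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("not-important-bucket-1")
            .build());
        final var notImportantBucket2 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("not-important-bucket-2")
            .build());

        // "<bucket-arn>/" prefixes every object in a bucket. The lookups are Outputs,
        // so they are combined with Output.all into the list the selector expects.
        final var excludedPrefixes = Output.all(
            notImportantBucket1.applyValue(bucket -> String.format("%s/", bucket.arn())),
            notImportantBucket2.applyValue(bucket -> String.format("%s/", bucket.arn())));

        // NOTE(review): s3BucketName is a required Trail argument (see Properties);
        // supply a bucket as in the Basic example before deploying this program.
        var example = new Trail("example", TrailArgs.builder()
            .advancedEventSelectors(
                TrailAdvancedEventSelectorArgs.builder()
                    .name("Log all S3 objects events except for two S3 buckets")
                    .fieldSelectors(
                        // The generated builder exposes the "equals" selector as
                        // equals_ because equals(Object) is already taken by Object.
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("eventCategory")
                            .equals_("Data")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("resources.ARN")
                            .notStartsWith(excludedPrefixes)
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("resources.type")
                            .equals_("AWS::S3::Object")
                            .build())
                    .build(),
                TrailAdvancedEventSelectorArgs.builder()
                    .name("Log readOnly and writeOnly management events")
                    .fieldSelectors(TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                        .field("eventCategory")
                        .equals_("Management")
                        .build())
                    .build())
            .build());
    }
}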

Logging Individual S3 Buckets And Specific Event Names By Using Advanced Event Selectors

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorArgs;
import com.pulumi.aws.cloudtrail.inputs.TrailAdvancedEventSelectorFieldSelectorArgs;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetBucketArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
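public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a trail with two advanced event selectors: one that records
     * PutObject and DeleteObject write events for two named buckets, and one that
     * records Delete* write events under one prefix of a third bucket.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Java identifiers cannot contain "-", so the lookups use camelCase names.
        final var importantBucket1 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket-1")
            .build());
        final var importantBucket2 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket-2")
            .build());
        final var importantBucket3 = S3Functions.getBucket(GetBucketArgs.builder()
            .bucket("important-bucket-3")
            .build());

        // "<bucket-arn>/" prefixes every object in a bucket. The lookups are Outputs,
        // so they are combined with Output.all into the list the selector expects.
        final var bucket1And2Objects = Output.all(
            importantBucket1.applyValue(bucket -> String.format("%s/", bucket.arn())),
            importantBucket2.applyValue(bucket -> String.format("%s/", bucket.arn())));
        final var bucket3Prefix = importantBucket3
            .applyValue(bucket -> List.of(String.format("%s/important-prefix", bucket.arn())));

        // NOTE(review): s3BucketName is a required Trail argument (see Properties);
        // supply a bucket as in the Basic example before deploying this program.
        var example = new Trail("example", TrailArgs.builder()
            .advancedEventSelectors(
                TrailAdvancedEventSelectorArgs.builder()
                    .name("Log PutObject and DeleteObject events for two S3 buckets")
                    .fieldSelectors(
                        // The generated builder exposes the "equals" selector as
                        // equals_ because equals(Object) is already taken by Object.
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("eventCategory")
                            .equals_("Data")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("eventName")
                            .equals_("PutObject", "DeleteObject")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("resources.ARN")
                            .equals_(bucket1And2Objects)
                            .build(),
                        // Only events whose readOnly flag is false (write events).
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("readOnly")
                            .equals_("false")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("resources.type")
                            .equals_("AWS::S3::Object")
                            .build())
                    .build(),
                TrailAdvancedEventSelectorArgs.builder()
                    .name("Log Delete* events for one S3 bucket")
                    .fieldSelectors(
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("eventCategory")
                            .equals_("Data")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("eventName")
                            .startsWith("Delete")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("resources.ARN")
                            .equals_(bucket3Prefix)
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("readOnly")
                            .equals_("false")
                            .build(),
                        TrailAdvancedEventSelectorFieldSelectorArgs.builder()
                            .field("resources.type")
                            .equals_("AWS::S3::Object")
                            .build())
                    .build())
            .build());
    }
}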

Sending Events to CloudWatch Logs

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.cloudtrail.Trail;
import com.pulumi.aws.cloudtrail.TrailArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a CloudWatch Logs group and a trail that delivers its events to it.
     * CloudTrail requires the log group ARN to carry the ":*" log-stream wildcard.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        var exampleLogGroup = new LogGroup("exampleLogGroup");

        // Append the log-stream wildcard once the group's ARN resolves.
        final var logGroupArnWithWildcard = exampleLogGroup.arn().applyValue(arn -> arn + ":*");

        // NOTE(review): s3BucketName is a required Trail argument, and cloudWatchLogsRoleArn
        // (the role CloudTrail assumes to write to the group) presumably must be set for
        // delivery to work — confirm against the Properties section before deploying.
        var exampleTrail = new Trail("exampleTrail", TrailArgs.builder()
            .cloudWatchLogsGroupArn(logGroupArnWithWildcard)
            .build());
    }
}

Import

CloudTrail trails can be imported using the trail name, e.g.,

$ pulumi import aws:cloudtrail/trail:Trail sample my-sample-trail

*/

Properties


Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.

val arn: Output<String>

ARN of the trail.


ARN of the CloudWatch Logs log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the ARN to end with the log stream wildcard (":*").


Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.


Whether log file integrity validation is enabled. Defaults to false.

val enableLogging: Output<Boolean>?

Enables logging for the trail. Defaults to true. Setting this to false will pause logging.


Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.

val homeRegion: Output<String>

Region in which the trail was created.

val id: Output<String>

Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.


Configuration block for identifying unusual operational activity. See details below.


Whether the trail is created in the current region or in all regions. Defaults to false.


Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

val kmsKeyId: Output<String>?

KMS key ARN to use to encrypt the logs delivered by CloudTrail.

val name: Output<String>

Name of the trail.

val pulumiChildResources: Set<KotlinResource>
val s3BucketName: Output<String>

Name of the S3 bucket designated for publishing log files. This argument is required; the remaining arguments are optional.

val s3KeyPrefix: Output<String>?

S3 key prefix that follows the name of the bucket you have designated for log file delivery.

val snsTopicName: Output<String>?

Name of the Amazon SNS topic defined for notification of log file delivery.

val tags: Output<Map<String, String>>?

Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

val tagsAll: Output<Map<String, String>>

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

val urn: Output<String>