Module cloudtrail

class Trail

extends CustomResource

Provides a CloudTrail resource.

NOTE: For a multi-region trail, this resource must be in the home region of the trail.

NOTE: For an organization trail, this resource must be in the master account of the organization.

Example Usage

Basic

Enable CloudTrail to capture all compatible management events in the current region. To also capture events from global services such as IAM, includeGlobalServiceEvents must be enabled.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const foo = new aws.s3.Bucket("foo", {
    // The policy below names this bucket by ARN, so pin the bucket name instead of
    // letting Pulumi auto-name it: CloudTrail rejects the trail if the bucket policy
    // does not match the bucket it is asked to write to.
    bucket: "tf-test-trail",
    forceDestroy: true,
    policy: `{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::tf-test-trail"
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::tf-test-trail/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
`,
});
const foobar = new aws.cloudtrail.Trail("foobar", {
    // false keeps the trail regional: events from global services such as IAM
    // are not captured. Set it to true to include them.
    includeGlobalServiceEvents: false,
    s3BucketName: foo.id,
    s3KeyPrefix: "prefix",
});
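CloudTrail checks the bucket policy when a trail is created, so the ARNs in the policy have to name the bucket the trail actually writes to; a policy copied from an example with a placeholder bucket name is a common reason trail creation fails. The following standalone TypeScript check is an added example, not code from the Pulumi docs or the @pulumi/aws provider: it parses a bucket policy document and reports whether the two statements CloudTrail needs (s3:GetBucketAcl on the bucket, and s3:PutObject on its objects with the bucket-owner-full-control ACL condition, both granted to cloudtrail.amazonaws.com) are present for a given bucket name. It needs no Pulumi runtime; the sample policy, the auto-generated bucket name and the broken variant are constructed for the example.

```typescript
// Minimal model of an S3 bucket policy document (only the fields this check reads).
interface PolicyStatement {
    Sid?: string;
    Effect: string;
    Principal?: { Service?: string | string[]; AWS?: string | string[] };
    Action: string | string[];
    Resource: string | string[];
    Condition?: { [operator: string]: { [key: string]: string } };
}

interface PolicyDocument {
    Version: string;
    Statement: PolicyStatement[];
}

const CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com";

// Policy fields may be a single string or a list; normalise to a list.
function asList(value: string | string[] | undefined): string[] {
    if (value === undefined) { return []; }
    return Array.isArray(value) ? value : [value];
}

function parsePolicy(json: string): PolicyDocument | undefined {
    try { return JSON.parse(json) as PolicyDocument; } catch (err) { return undefined; }
}

// True if the statement is an Allow of `action` on `resource` for the CloudTrail service principal.
function grantsToCloudTrail(s: PolicyStatement, action: string, resource: string): boolean {
    const services = s.Principal ? asList(s.Principal.Service) : [];
    return s.Effect === "Allow"
        && services.indexOf(CLOUDTRAIL_PRINCIPAL) !== -1
        && asList(s.Action).indexOf(action) !== -1
        && asList(s.Resource).indexOf(resource) !== -1;
}

// Returns the problems found; an empty list means CloudTrail can deliver logs to `bucketName`.
// The check expects the broad "<bucket>/*" object resource used in the examples on this page.
function checkCloudTrailBucketPolicy(policyJson: string, bucketName: string): string[] {
    const doc = parsePolicy(policyJson);
    if (!doc) { return ["policy is not valid JSON"]; }
    const problems: string[] = [];
    const bucketArn = `arn:aws:s3:::${bucketName}`;
    const objectsArn = `${bucketArn}/*`;
    const statements = doc.Statement || [];

    if (!statements.some(s => grantsToCloudTrail(s, "s3:GetBucketAcl", bucketArn))) {
        problems.push(`no Allow of s3:GetBucketAcl on ${bucketArn} for ${CLOUDTRAIL_PRINCIPAL}`);
    }
    const write = statements.filter(s => grantsToCloudTrail(s, "s3:PutObject", objectsArn))[0];
    if (!write) {
        problems.push(`no Allow of s3:PutObject on ${objectsArn} for ${CLOUDTRAIL_PRINCIPAL}`);
    } else {
        const equals = write.Condition ? write.Condition["StringEquals"] : undefined;
        const acl = equals ? equals["s3:x-amz-acl"] : undefined;
        if (acl !== "bucket-owner-full-control") {
            problems.push("s3:PutObject statement lacks the s3:x-amz-acl = bucket-owner-full-control condition");
        }
    }
    return problems;
}

// Constructed sample: the policy from the Basic example above, written for bucket "tf-test-trail".
const SAMPLE_POLICY = JSON.stringify({
    Version: "2012-10-17",
    Statement: [
        { Sid: "AWSCloudTrailAclCheck", Effect: "Allow",
          Principal: { Service: "cloudtrail.amazonaws.com" },
          Action: "s3:GetBucketAcl", Resource: "arn:aws:s3:::tf-test-trail" },
        { Sid: "AWSCloudTrailWrite", Effect: "Allow",
          Principal: { Service: "cloudtrail.amazonaws.com" },
          Action: "s3:PutObject", Resource: "arn:aws:s3:::tf-test-trail/*",
          Condition: { StringEquals: { "s3:x-amz-acl": "bucket-owner-full-control" } } },
    ],
});

// Same policy with the ACL condition dropped (constructed failure case).
const POLICY_WITHOUT_ACL_CONDITION = (() => {
    const doc = JSON.parse(SAMPLE_POLICY) as PolicyDocument;
    delete doc.Statement[1].Condition;
    return JSON.stringify(doc);
})();

function runChecks(): { [scenario: string]: string[] } {
    return {
        // Policy and bucket name agree: nothing to report.
        matchingBucket: checkCloudTrailBucketPolicy(SAMPLE_POLICY, "tf-test-trail"),
        // Policy still names "tf-test-trail" but the bucket got an auto-generated name (constructed).
        mismatchedBucket: checkCloudTrailBucketPolicy(SAMPLE_POLICY, "foo-7e1c0a3"),
        missingAclCondition: checkCloudTrailBucketPolicy(POLICY_WITHOUT_ACL_CONDITION, "tf-test-trail"),
    };
}

const results = runChecks();
Object.keys(results).forEach(scenario => {
    const problems = results[scenario];
    console.log(`${scenario}: ${problems.length === 0 ? "ok" : problems.join("; ")}`);
});
```

The mismatched-bucket scenario is exactly what happens when the policy text is copied unchanged while the Bucket resource is left to Pulumi auto-naming: both required statements are missing for the real bucket name, and the trail cannot be created until the policy names that bucket.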

Data Event Logging

CloudTrail can log Data Events for certain services such as S3 bucket objects and Lambda function invocations. Additional information about data event configuration can be found in the CloudTrail API DataResource documentation.

Logging All Lambda Function Invocations

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.cloudtrail.Trail("example", {
    eventSelectors: [{
        dataResources: [{
            type: "AWS::Lambda::Function",
            values: ["arn:aws:lambda"],
        }],
        includeManagementEvents: true,
        readWriteType: "All",
    }],
});

Logging All S3 Bucket Object Events

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.cloudtrail.Trail("example", {
    eventSelectors: [{
        dataResources: [{
            type: "AWS::S3::Object",
            values: ["arn:aws:s3:::"],
        }],
        includeManagementEvents: true,
        readWriteType: "All",
    }],
});

Logging Individual S3 Bucket Events

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const important_bucket = pulumi.output(aws.s3.getBucket({
    bucket: "important-bucket",
}));
const example = new aws.cloudtrail.Trail("example", {
    eventSelectors: [{
        dataResources: [{
            type: "AWS::S3::Object",
            // Make sure to append a trailing '/' to your ARN if you want
            // to monitor all objects in a bucket.
            values: [pulumi.interpolate`${important_bucket.arn}/`],
        }],
        includeManagementEvents: true,
        readWriteType: "All",
    }],
});
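The properties documented on this page (includeGlobalServiceEvents, isMultiRegionTrail, enableLogFileValidation, kmsKeyId, the CloudWatch Logs pair, and the event selectors shown above) are the settings an auditor looks at when judging whether a trail is complete and tamper-evident. The following standalone TypeScript is an added example, not code from the Pulumi docs or the @pulumi/aws provider: hardenedTrailArgs builds a TrailArgs-shaped object with those settings turned on, and auditTrailConfig reports which of them a given configuration leaves off, applying the defaults stated on this page. It works on plain values rather than pulumi.Input so it runs without a Pulumi runtime; the bucket name, KMS key ARN and the audited configurations are constructed for the example.

```typescript
// Plain-value mirror of the TrailArgs fields this check reads (same names as on this page).
interface EventSelectorConfig {
    dataResources: { type: string; values: string[] }[];
    includeManagementEvents?: boolean;
    readWriteType?: string;
}

interface TrailConfig {
    s3BucketName: string;
    s3KeyPrefix?: string;
    includeGlobalServiceEvents?: boolean;
    isMultiRegionTrail?: boolean;
    enableLogFileValidation?: boolean;
    enableLogging?: boolean;
    kmsKeyId?: string;
    cloudWatchLogsGroupArn?: string;
    cloudWatchLogsRoleArn?: string;
    eventSelectors?: EventSelectorConfig[];
}

// Trail arguments with the coverage and tamper-evidence settings enabled.
// Pass the result to `new aws.cloudtrail.Trail(name, hardenedTrailArgs(...))`.
function hardenedTrailArgs(bucketName: string, kmsKeyArn: string): TrailConfig {
    return {
        s3BucketName: bucketName,
        includeGlobalServiceEvents: true,   // IAM, STS and other global-service events
        isMultiRegionTrail: true,           // all regions, not only the home region
        enableLogFileValidation: true,      // digest files to detect modified or deleted log files
        enableLogging: true,
        kmsKeyId: kmsKeyArn,                // customer-managed key for the delivered log files
        eventSelectors: [{
            dataResources: [{ type: "AWS::S3::Object", values: ["arn:aws:s3:::"] }],
            includeManagementEvents: true,
            readWriteType: "All",
        }],
    };
}

// Reports settings that weaken the trail. Defaults follow this page: includeGlobalServiceEvents
// and enableLogging default to true, isMultiRegionTrail and enableLogFileValidation to false.
function auditTrailConfig(cfg: TrailConfig): string[] {
    const findings: string[] = [];
    if (cfg.enableLogging === false) {
        findings.push("enableLogging is false: the trail is paused and records nothing");
    }
    if (cfg.includeGlobalServiceEvents === false) {
        findings.push("includeGlobalServiceEvents is false: IAM and other global-service events are not captured");
    }
    if (!cfg.isMultiRegionTrail) {
        findings.push("isMultiRegionTrail is not enabled: only the home region is covered");
    }
    if (!cfg.enableLogFileValidation) {
        findings.push("enableLogFileValidation is not enabled: log files carry no integrity digests");
    }
    if (!cfg.kmsKeyId) {
        findings.push("kmsKeyId is not set: log files are not encrypted with a customer-managed KMS key");
    }
    const hasGroup = cfg.cloudWatchLogsGroupArn !== undefined;
    const hasRole = cfg.cloudWatchLogsRoleArn !== undefined;
    if (hasGroup !== hasRole) {
        findings.push("cloudWatchLogsGroupArn and cloudWatchLogsRoleArn must be set together");
    }
    (cfg.eventSelectors || []).forEach((sel, i) => {
        if (sel.includeManagementEvents === false) {
            findings.push(`eventSelectors[${i}] disables management events`);
        }
        if (sel.readWriteType !== undefined && sel.readWriteType !== "All") {
            findings.push(`eventSelectors[${i}] records only ${sel.readWriteType} data events`);
        }
    });
    return findings;
}

// Constructed inputs: a hardened trail (placeholder KMS key ARN) and the settings used by
// the Basic example earlier on this page.
const HARDENED = hardenedTrailArgs("tf-test-trail", "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID");
const BASIC_EXAMPLE: TrailConfig = {
    s3BucketName: "foo",
    s3KeyPrefix: "prefix",
    includeGlobalServiceEvents: false,
};

function runAudit(): { hardened: string[]; basic: string[] } {
    return { hardened: auditTrailConfig(HARDENED), basic: auditTrailConfig(BASIC_EXAMPLE) };
}

const audit = runAudit();
console.log(`hardened: ${audit.hardened.length === 0 ? "no findings" : audit.hardened.join("; ")}`);
console.log(`basic example:\n  ${audit.basic.join("\n  ")}`);
```

Run against the Basic example's settings the audit reports four findings (regional only, global-service events off, no log file validation, no customer-managed key); the same check can be run over a TrailState object returned by Trail.get to review trails that already exist.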

constructor

new Trail(name: string, args: TrailArgs, opts?: pulumi.CustomResourceOptions)

Create a Trail resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: TrailState, opts?: pulumi.CustomResourceOptions): Trail

Get an existing Trail resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The Amazon Resource Name of the trail.

property cloudWatchLogsGroupArn

public cloudWatchLogsGroupArn: pulumi.Output<string | undefined>;

Specifies the Amazon Resource Name (ARN) of the CloudWatch Logs log group to which CloudTrail logs will be delivered.

property cloudWatchLogsRoleArn

public cloudWatchLogsRoleArn: pulumi.Output<string | undefined>;

Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

property enableLogFileValidation

public enableLogFileValidation: pulumi.Output<boolean | undefined>;

Specifies whether log file integrity validation is enabled. Defaults to false.

property enableLogging

public enableLogging: pulumi.Output<boolean | undefined>;

Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

property eventSelectors

public eventSelectors: pulumi.Output<{
    dataResources: {
        type: string;
        values: string[];
    }[];
    includeManagementEvents: undefined | false | true;
    readWriteType: undefined | string;
}[] | undefined>;

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.

property homeRegion

public homeRegion: pulumi.Output<string>;

The region in which the trail was created.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property includeGlobalServiceEvents

public includeGlobalServiceEvents: pulumi.Output<boolean | undefined>;

Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

property isMultiRegionTrail

public isMultiRegionTrail: pulumi.Output<boolean | undefined>;

Specifies whether the trail is created in the current region or in all regions. Defaults to false.

property isOrganizationTrail

public isOrganizationTrail: pulumi.Output<boolean | undefined>;

Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

property kmsKeyId

public kmsKeyId: pulumi.Output<string | undefined>;

Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.

property name

public name: pulumi.Output<string>;

Specifies the name of the trail.

property s3BucketName

public s3BucketName: pulumi.Output<string>;

Specifies the name of the S3 bucket designated for publishing log files.

property s3KeyPrefix

public s3KeyPrefix: pulumi.Output<string | undefined>;

Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.

property snsTopicName

public snsTopicName: pulumi.Output<string | undefined>;

Specifies the name of the Amazon SNS topic defined for notification of log file delivery.

property tags

public tags: pulumi.Output<{[key: string]: any} | undefined>;

A mapping of tags to assign to the trail.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

function getServiceAccount

getServiceAccount(args?: GetServiceAccountArgs, opts?: pulumi.InvokeOptions): Promise<GetServiceAccountResult>

Use this data source to get the Account ID of the AWS CloudTrail Service Account in a given region for the purpose of allowing CloudTrail to store trail data in S3.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const main = pulumi.output(aws.cloudtrail.getServiceAccount({}));
const bucket = new aws.s3.Bucket("bucket", {
    // The policy below names this bucket by ARN, so pin the bucket name rather
    // than letting Pulumi auto-name it; otherwise the policy grants access to a
    // bucket that does not exist and CloudTrail cannot deliver to this one.
    bucket: "tf-cloudtrail-logging-test-bucket",
    forceDestroy: true,
    policy: pulumi.interpolate`{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Put bucket policy needed for trails",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${main.arn}"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::tf-cloudtrail-logging-test-bucket/*"
    },
    {
      "Sid": "Get bucket policy needed for trails",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${main.arn}"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::tf-cloudtrail-logging-test-bucket"
    }
  ]
}
`,
});

interface GetServiceAccountArgs

A collection of arguments for invoking getServiceAccount.

property region

region?: undefined | string;

Name of the region whose AWS CloudTrail account ID is desired. Defaults to the region from the AWS provider configuration.

interface GetServiceAccountResult

A collection of values returned by getServiceAccount.

property arn

arn: string;

The ARN of the AWS CloudTrail service account in the selected region.

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property region

region?: undefined | string;

interface TrailArgs

The set of arguments for constructing a Trail resource.

property cloudWatchLogsGroupArn

cloudWatchLogsGroupArn?: pulumi.Input<string>;

Specifies the Amazon Resource Name (ARN) of the CloudWatch Logs log group to which CloudTrail logs will be delivered.

property cloudWatchLogsRoleArn

cloudWatchLogsRoleArn?: pulumi.Input<string>;

Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

property enableLogFileValidation

enableLogFileValidation?: pulumi.Input<boolean>;

Specifies whether log file integrity validation is enabled. Defaults to false.

property enableLogging

enableLogging?: pulumi.Input<boolean>;

Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

property eventSelectors

eventSelectors?: pulumi.Input<pulumi.Input<{
    dataResources: pulumi.Input<pulumi.Input<{
        type: pulumi.Input<string>;
        values: pulumi.Input<pulumi.Input<string>[]>;
    }>[]>;
    includeManagementEvents: pulumi.Input<boolean>;
    readWriteType: pulumi.Input<string>;
}>[]>;

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.

property includeGlobalServiceEvents

includeGlobalServiceEvents?: pulumi.Input<boolean>;

Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

property isMultiRegionTrail

isMultiRegionTrail?: pulumi.Input<boolean>;

Specifies whether the trail is created in the current region or in all regions. Defaults to false.

property isOrganizationTrail

isOrganizationTrail?: pulumi.Input<boolean>;

Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

property kmsKeyId

kmsKeyId?: pulumi.Input<string>;

Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.

property name

name?: pulumi.Input<string>;

Specifies the name of the trail.

property s3BucketName

s3BucketName: pulumi.Input<string>;

Specifies the name of the S3 bucket designated for publishing log files.

property s3KeyPrefix

s3KeyPrefix?: pulumi.Input<string>;

Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.

property snsTopicName

snsTopicName?: pulumi.Input<string>;

Specifies the name of the Amazon SNS topic defined for notification of log file delivery.

property tags

tags?: pulumi.Input<{[key: string]: any}>;

A mapping of tags to assign to the trail.

interface TrailState

Input properties used for looking up and filtering Trail resources.

property arn

arn?: pulumi.Input<string>;

The Amazon Resource Name of the trail.

property cloudWatchLogsGroupArn

cloudWatchLogsGroupArn?: pulumi.Input<string>;

Specifies the Amazon Resource Name (ARN) of the CloudWatch Logs log group to which CloudTrail logs will be delivered.

property cloudWatchLogsRoleArn

cloudWatchLogsRoleArn?: pulumi.Input<string>;

Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group.

property enableLogFileValidation

enableLogFileValidation?: pulumi.Input<boolean>;

Specifies whether log file integrity validation is enabled. Defaults to false.

property enableLogging

enableLogging?: pulumi.Input<boolean>;

Enables logging for the trail. Defaults to true. Setting this to false will pause logging.

property eventSelectors

eventSelectors?: pulumi.Input<pulumi.Input<{
    dataResources: pulumi.Input<pulumi.Input<{
        type: pulumi.Input<string>;
        values: pulumi.Input<pulumi.Input<string>[]>;
    }>[]>;
    includeManagementEvents: pulumi.Input<boolean>;
    readWriteType: pulumi.Input<string>;
}>[]>;

Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these.

property homeRegion

homeRegion?: pulumi.Input<string>;

The region in which the trail was created.

property includeGlobalServiceEvents

includeGlobalServiceEvents?: pulumi.Input<boolean>;

Specifies whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.

property isMultiRegionTrail

isMultiRegionTrail?: pulumi.Input<boolean>;

Specifies whether the trail is created in the current region or in all regions. Defaults to false.

property isOrganizationTrail

isOrganizationTrail?: pulumi.Input<boolean>;

Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.

property kmsKeyId

kmsKeyId?: pulumi.Input<string>;

Specifies the KMS key ARN to use to encrypt the logs delivered by CloudTrail.

property name

name?: pulumi.Input<string>;

Specifies the name of the trail.

property s3BucketName

s3BucketName?: pulumi.Input<string>;

Specifies the name of the S3 bucket designated for publishing log files.

property s3KeyPrefix

s3KeyPrefix?: pulumi.Input<string>;

Specifies the S3 key prefix that follows the name of the bucket you have designated for log file delivery.

property snsTopicName

snsTopicName?: pulumi.Input<string>;

Specifies the name of the Amazon SNS topic defined for notification of log file delivery.

property tags

tags?: pulumi.Input<{[key: string]: any}>;

A mapping of tags to assign to the trail.