class CfnTrail (construct)

Language	Type name
.NET	`Amazon.CDK.AWS.CloudTrail.CfnTrail`
Go	`github.com/aws/aws-cdk-go/awscdk/v2/awscloudtrail#CfnTrail`
Java	`software.amazon.awscdk.services.cloudtrail.CfnTrail`
Python	`aws_cdk.aws_cloudtrail.CfnTrail`
TypeScript	`aws-cdk-lib` » `aws_cloudtrail` » `CfnTrail`

Implements IConstruct, IDependable, IInspectable, ITaggable

Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket.

Example

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import { aws_cloudtrail as cloudtrail } from 'aws-cdk-lib';
const cfnTrail = new cloudtrail.CfnTrail(this, 'MyCfnTrail', {
  isLogging: false,
  s3BucketName: 's3BucketName',

  // the properties below are optional
  advancedEventSelectors: [{
    fieldSelectors: [{
      field: 'field',

      // the properties below are optional
      endsWith: ['endsWith'],
      equalTo: ['equalTo'],
      notEndsWith: ['notEndsWith'],
      notEquals: ['notEquals'],
      notStartsWith: ['notStartsWith'],
      startsWith: ['startsWith'],
    }],

    // the properties below are optional
    name: 'name',
  }],
  cloudWatchLogsLogGroupArn: 'cloudWatchLogsLogGroupArn',
  cloudWatchLogsRoleArn: 'cloudWatchLogsRoleArn',
  enableLogFileValidation: false,
  eventSelectors: [{
    dataResources: [{
      type: 'type',

      // the properties below are optional
      values: ['values'],
    }],
    excludeManagementEventSources: ['excludeManagementEventSources'],
    includeManagementEvents: false,
    readWriteType: 'readWriteType',
  }],
  includeGlobalServiceEvents: false,
  insightSelectors: [{
    insightType: 'insightType',
  }],
  isMultiRegionTrail: false,
  isOrganizationTrail: false,
  kmsKeyId: 'kmsKeyId',
  s3KeyPrefix: 's3KeyPrefix',
  snsTopicName: 'snsTopicName',
  tags: [{
    key: 'key',
    value: 'value',
  }],
  trailName: 'trailName',
});

Initializer

new CfnTrail(scope: Construct, id: string, props: CfnTrailProps)

Parameters

scope Construct — Scope in which this resource is defined.
id string — Construct identifier for this resource (unique in its scope).
props CfnTrailProps — Resource properties.

Construct Props

Name	Type	Description
isLogging	`boolean \|` `IResolvable`	Whether the CloudTrail trail is currently logging AWS API calls.
s3BucketName	`string`	Specifies the name of the Amazon S3 bucket designated for publishing log files.
advancedEventSelectors?	`IResolvable` `\|` `IResolvable` `\|` `AdvancedEventSelectorProperty[]`	Specifies the settings for advanced event selectors.
cloudWatchLogsLogGroupArn?	`string`	Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered.
cloudWatchLogsRoleArn?	`string`	Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.
enableLogFileValidation?	`boolean \|` `IResolvable`	Specifies whether log file validation is enabled. The default is false.
eventSelectors?	`IResolvable` `\|` `IResolvable` `\|` `EventSelectorProperty[]`	Use event selectors to further specify the management and data event settings for your trail.
includeGlobalServiceEvents?	`boolean \|` `IResolvable`	Specifies whether the trail is publishing events from global services such as IAM to the log files.
insightSelectors?	`IResolvable` `\|` `IResolvable` `\|` `InsightSelectorProperty[]`	A JSON string that contains the Insights types you want to log on a trail.
isMultiRegionTrail?	`boolean \|` `IResolvable`	Specifies whether the trail applies only to the current Region or to all Regions.
isOrganizationTrail?	`boolean \|` `IResolvable`	Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account .
kmsKeyId?	`string`	Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail.
s3KeyPrefix?	`string`	Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.
snsTopicName?	`string`	Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
tags?	`CfnTag[]`	A custom set of tags (key-value pairs) for this trail.
trailName?	`string`	Specifies the name of the trail. The name must meet the following requirements:.

isLogging

Type: boolean | IResolvable

Whether the CloudTrail trail is currently logging AWS API calls.

s3BucketName

Type: string

Specifies the name of the Amazon S3 bucket designated for publishing log files.

See Amazon S3 Bucket naming rules .

advancedEventSelectors?

Type: IResolvable | IResolvable | AdvancedEventSelectorProperty[] (optional)

Specifies the settings for advanced event selectors.

You can use advanced event selectors to log management events, data events for all resource types, and network activity events.

You can add advanced event selectors, and conditions for your advanced event selectors, up to a maximum of 500 values for all conditions and selectors on a trail. You can use either AdvancedEventSelectors or EventSelectors , but not both. If you apply AdvancedEventSelectors to a trail, any existing EventSelectors are overwritten. For more information about advanced event selectors, see Logging data events and Logging network activity events in the AWS CloudTrail User Guide .

cloudWatchLogsLogGroupArn?

Type: string (optional)

Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered.

You must use a log group that exists in your account.

To enable CloudWatch Logs delivery, you must provide values for CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn .

If you previously enabled CloudWatch Logs delivery and want to disable CloudWatch Logs delivery, you must set the values of the CloudWatchLogsRoleArn and CloudWatchLogsLogGroupArn fields to "" .

cloudWatchLogsRoleArn?

Type: string (optional)

Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.

You must use a role that exists in your account.

To enable CloudWatch Logs delivery, you must provide values for CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn .

If you previously enabled CloudWatch Logs delivery and want to disable CloudWatch Logs delivery, you must set the values of the CloudWatchLogsRoleArn and CloudWatchLogsLogGroupArn fields to "" .

enableLogFileValidation?

Type: boolean | IResolvable (optional)

Specifies whether log file validation is enabled. The default is false.

When you disable log file integrity validation, the chain of digest files is broken after one hour. CloudTrail does not create digest files for log files that were delivered during a period in which log file integrity validation was disabled. For example, if you enable log file integrity validation at noon on January 1, disable it at noon on January 2, and re-enable it at noon on January 10, digest files will not be created for the log files delivered from noon on January 2 to noon on January 10. The same applies whenever you stop CloudTrail logging or delete a trail.

eventSelectors?

Type: IResolvable | IResolvable | EventSelectorProperty[] (optional)

Use event selectors to further specify the management and data event settings for your trail.

By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.

You can configure up to five event selectors for a trail.

You cannot apply both event selectors and advanced event selectors to a trail.

includeGlobalServiceEvents?

Type: boolean | IResolvable (optional)

Specifies whether the trail is publishing events from global services such as IAM to the log files.

insightSelectors?

Type: IResolvable | IResolvable | InsightSelectorProperty[] (optional)

A JSON string that contains the Insights types you want to log on a trail.

ApiCallRateInsight and ApiErrorRateInsight are valid Insight types.

The ApiCallRateInsight Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.

The ApiErrorRateInsight Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.

isMultiRegionTrail?

Type: boolean | IResolvable (optional)

Specifies whether the trail applies only to the current Region or to all Regions.

The default is false. If the trail exists only in the current Region and this value is set to true, shadow trails (replications of the trail) will be created in the other Regions. If the trail exists in all Regions and this value is set to false, the trail will remain in the Region where it was created, and its shadow trails in other Regions will be deleted. As a best practice, consider using trails that log events in all Regions.

isOrganizationTrail?

Type: boolean | IResolvable (optional)

Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account .

The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account for an organization in AWS Organizations . If the trail is not an organization trail and this is set to true , the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to false , the trail will remain in the current AWS account but be deleted from all member accounts in the organization.

Only the management account for the organization can convert an organization trail to a non-organization trail, or convert a non-organization trail to an organization trail.

kmsKeyId?

Type: string (optional)

Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail.

The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.

CloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see Using multi-Region keys in the AWS Key Management Service Developer Guide .

Examples:

alias/MyAliasName
arn:aws:kms:us-east-2:123456789012:alias/MyAliasName
arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
12345678-1234-1234-1234-123456789012

s3KeyPrefix?

Type: string (optional)

Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.

For more information, see Finding Your CloudTrail Log Files . The maximum length is 200 characters.

snsTopicName?

Type: string (optional)

Specifies the name of the Amazon SNS topic defined for notification of log file delivery.

The maximum length is 256 characters.

tags?

Type: CfnTag[] (optional)

A custom set of tags (key-value pairs) for this trail.

trailName?

Type: string (optional)

Specifies the name of the trail. The name must meet the following requirements:.

Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
Start with a letter or number, and end with a letter or number
Be between 3 and 128 characters
Have no adjacent periods, underscores or dashes. Names like my-_namespace and my--namespace are not valid.
Not be in IP address format (for example, 192.168.5.4)

Properties

Name	Type	Description
attrArn	`string`	`Ref` returns the ARN of the CloudTrail trail, such as `arn:aws:cloudtrail:us-east-2:123456789012:trail/myCloudTrail` .
attrSnsTopicArn	`string`	`Ref` returns the ARN of the Amazon SNS topic that's associated with the CloudTrail trail, such as `arn:aws:sns:us-east-2:123456789012:mySNSTopic` .
cfnOptions	`ICfnResourceOptions`	Options for this resource, such as condition, update policy etc.
cfnProperties	`{ [string]: any }`
cfnResourceType	`string`	AWS resource type.
creationStack	`string[]`
isLogging	`boolean \|` `IResolvable`	Whether the CloudTrail trail is currently logging AWS API calls.
logicalId	`string`	The logical ID for this CloudFormation stack element.
node	`Node`	The tree node.
ref	`string`	Return a string that will be resolved to a CloudFormation `{ Ref }` for this element.
s3BucketName	`string`	Specifies the name of the Amazon S3 bucket designated for publishing log files.
stack	`Stack`	The stack in which this element is defined.
tags	`TagManager`	Tag Manager which manages the tags for this resource.
advancedEventSelectors?	`IResolvable` `\|` `IResolvable` `\|` `AdvancedEventSelectorProperty[]`	Specifies the settings for advanced event selectors.
cloudWatchLogsLogGroupArn?	`string`	Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered.
cloudWatchLogsRoleArn?	`string`	Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.
enableLogFileValidation?	`boolean \|` `IResolvable`	Specifies whether log file validation is enabled.
eventSelectors?	`IResolvable` `\|` `IResolvable` `\|` `EventSelectorProperty[]`	Use event selectors to further specify the management and data event settings for your trail.
includeGlobalServiceEvents?	`boolean \|` `IResolvable`	Specifies whether the trail is publishing events from global services such as IAM to the log files.
insightSelectors?	`IResolvable` `\|` `IResolvable` `\|` `InsightSelectorProperty[]`	A JSON string that contains the Insights types you want to log on a trail.
isMultiRegionTrail?	`boolean \|` `IResolvable`	Specifies whether the trail applies only to the current Region or to all Regions.
isOrganizationTrail?	`boolean \|` `IResolvable`	Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account .
kmsKeyId?	`string`	Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail.
s3KeyPrefix?	`string`	Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.
snsTopicName?	`string`	Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
tagsRaw?	`CfnTag[]`	A custom set of tags (key-value pairs) for this trail.
trailName?	`string`	Specifies the name of the trail.
static CFN_RESOURCE_TYPE_NAME	`string`	The CloudFormation resource type name for this resource class.

attrArn

Type: string

Ref returns the ARN of the CloudTrail trail, such as arn:aws:cloudtrail:us-east-2:123456789012:trail/myCloudTrail .

attrSnsTopicArn

Type: string

Ref returns the ARN of the Amazon SNS topic that's associated with the CloudTrail trail, such as arn:aws:sns:us-east-2:123456789012:mySNSTopic .

cfnOptions

Type: ICfnResourceOptions

Options for this resource, such as condition, update policy etc.

cfnProperties

Type: { [string]: any }

cfnResourceType

Type: string

AWS resource type.

creationStack

Type: string[]

isLogging

Type: boolean | IResolvable

Whether the CloudTrail trail is currently logging AWS API calls.

logicalId

Type: string

The logical ID for this CloudFormation stack element.

The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

node

Type: Node

The tree node.

ref

Type: string

Return a string that will be resolved to a CloudFormation { Ref } for this element.

If, by any chance, the intrinsic reference of a resource is not a string, you could coerce it to an IResolvable through Lazy.any({ produce: resource.ref }).

s3BucketName

Type: string

Specifies the name of the Amazon S3 bucket designated for publishing log files.

stack

Type: Stack

The stack in which this element is defined.

CfnElements must be defined within a stack scope (directly or indirectly).

advancedEventSelectors?

Type: IResolvable | IResolvable | AdvancedEventSelectorProperty[] (optional)

Specifies the settings for advanced event selectors.

cloudWatchLogsLogGroupArn?

Type: string (optional)

Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered.

cloudWatchLogsRoleArn?

Type: string (optional)

Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.

enableLogFileValidation?

Type: boolean | IResolvable (optional)

Specifies whether log file validation is enabled.

The default is false.

eventSelectors?

Type: IResolvable | IResolvable | EventSelectorProperty[] (optional)

Use event selectors to further specify the management and data event settings for your trail.

includeGlobalServiceEvents?

Type: boolean | IResolvable (optional)

Specifies whether the trail is publishing events from global services such as IAM to the log files.

insightSelectors?

Type: IResolvable | IResolvable | InsightSelectorProperty[] (optional)

A JSON string that contains the Insights types you want to log on a trail.

isMultiRegionTrail?

Type: boolean | IResolvable (optional)

Specifies whether the trail applies only to the current Region or to all Regions.

isOrganizationTrail?

Type: boolean | IResolvable (optional)

Specifies whether the trail is applied to all accounts in an organization in AWS Organizations , or only for the current AWS account .

kmsKeyId?

Type: string (optional)

Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail.

s3KeyPrefix?

Type: string (optional)

Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.

snsTopicName?

Type: string (optional)

Specifies the name of the Amazon SNS topic defined for notification of log file delivery.

tagsRaw?

Type: CfnTag[] (optional)

A custom set of tags (key-value pairs) for this trail.

trailName?

Type: string (optional)

Specifies the name of the trail.

The name must meet the following requirements:.

static CFN_RESOURCE_TYPE_NAME

Type: string

The CloudFormation resource type name for this resource class.

Methods

Name	Description
addDeletionOverride(path)	Syntactic sugar for `addOverride(path, undefined)`.
addDependency(target)	Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
addDependsOn(target)⚠️	Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
addMetadata(key, value)	Add a value to the CloudFormation Resource Metadata.
addOverride(path, value)	Adds an override to the synthesized CloudFormation resource.
addPropertyDeletionOverride(propertyPath)	Adds an override that deletes the value of a property from the resource definition.
addPropertyOverride(propertyPath, value)	Adds an override to a resource property.
applyRemovalPolicy(policy?, options?)	Sets the deletion policy of the resource based on the removal policy specified.
getAtt(attributeName, typeHint?)	Returns a token for an runtime attribute of this resource.
getMetadata(key)	Retrieve a value value from the CloudFormation Resource Metadata.
inspect(inspector)	Examines the CloudFormation resource and discloses attributes.
obtainDependencies()	Retrieves an array of resources this resource depends on.
obtainResourceDependencies()	Get a shallow copy of dependencies between this resource and other resources in the same stack.
overrideLogicalId(newLogicalId)	Overrides the auto-generated logical ID with a specific ID.
removeDependency(target)	Indicates that this resource no longer depends on another resource.
replaceDependency(target, newTarget)	Replaces one dependency with another.
toString()	Returns a string representation of this construct.
protected renderProperties(props)

addDeletionOverride(path)

public addDeletionOverride(path: string): void

Parameters

path string — The path of the value to delete.

Syntactic sugar for addOverride(path, undefined).

addDependency(target)

public addDependency(target: CfnResource): void

Parameters

target CfnResource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

This can be used for resources across stacks (or nested stack) boundaries and the dependency will automatically be transferred to the relevant scope.

addDependsOn(target)⚠️

public addDependsOn(target: CfnResource): void

⚠️ Deprecated: use addDependency

Parameters

target CfnResource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

addMetadata(key, value)

public addMetadata(key: string, value: any): void

Parameters

key string
value any

Add a value to the CloudFormation Resource Metadata.

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.)

addOverride(path, value)

public addOverride(path: string, value: any): void

Parameters

path string — - The path of the property, you can use dot notation to override values in complex types.
value any — - The value.

Adds an override to the synthesized CloudFormation resource.

To add a property override, either use addPropertyOverride or prefix path with "Properties." (i.e. Properties.TopicName).

If the override is nested, separate each nested level using a dot (.) in the path parameter. If there is an array as part of the nesting, specify the index in the path.

To include a literal . in the property name, prefix with a \. In most programming languages you will need to write this as "\\." because the \ itself will need to be escaped.

For example,

cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');

would add the overrides

"Properties": {
  "GlobalSecondaryIndexes": [
    {
      "Projection": {
        "NonKeyAttributes": [ "myattribute" ]
        ...
      }
      ...
    },
    {
      "ProjectionType": "INCLUDE"
      ...
    },
  ]
  ...
}

The value argument to addOverride will not be processed or translated in any way. Pass raw JSON values in here with the correct capitalization for CloudFormation. If you pass CDK classes or structs, they will be rendered with lowercased key names, and CloudFormation will reject the template.

addPropertyDeletionOverride(propertyPath)

public addPropertyDeletionOverride(propertyPath: string): void

Parameters

propertyPath string — The path to the property.

Adds an override that deletes the value of a property from the resource definition.

addPropertyOverride(propertyPath, value)

public addPropertyOverride(propertyPath: string, value: any): void

Parameters

propertyPath string — The path of the property.
value any — The value.

Adds an override to a resource property.

Syntactic sugar for addOverride("Properties.<...>", value).

applyRemovalPolicy(policy?, options?)

public applyRemovalPolicy(policy?: RemovalPolicy, options?: RemovalPolicyOptions): void

Parameters

policy RemovalPolicy
options RemovalPolicyOptions

Sets the deletion policy of the resource based on the removal policy specified.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN). In some cases, a snapshot can be taken of the resource prior to deletion (RemovalPolicy.SNAPSHOT). A list of resources that support this policy can be found in the following link:

getAtt(attributeName, typeHint?)

public getAtt(attributeName: string, typeHint?: ResolutionTypeHint): Reference

Parameters

attributeName string — The name of the attribute.
typeHint ResolutionTypeHint

Returns

Reference

Returns a token for an runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.

getMetadata(key)

public getMetadata(key: string): any

Parameters

key string

Returns

any

Retrieve a value value from the CloudFormation Resource Metadata.

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.)

inspect(inspector)

public inspect(inspector: TreeInspector): void

Parameters

inspector TreeInspector — tree inspector to collect and process attributes.

Examines the CloudFormation resource and discloses attributes.

obtainDependencies()

public obtainDependencies(): Stack &#124; CfnResource[]

Returns

Stack | CfnResource[]

Retrieves an array of resources this resource depends on.

This assembles dependencies on resources across stacks (including nested stacks) automatically.

obtainResourceDependencies()

public obtainResourceDependencies(): CfnResource[]

Returns

CfnResource[]

Get a shallow copy of dependencies between this resource and other resources in the same stack.

overrideLogicalId(newLogicalId)

public overrideLogicalId(newLogicalId: string): void

Parameters

newLogicalId string — The new logical ID to use for this stack element.

Overrides the auto-generated logical ID with a specific ID.

removeDependency(target)

public removeDependency(target: CfnResource): void

Parameters

target CfnResource

Indicates that this resource no longer depends on another resource.

This can be used for resources across stacks (including nested stacks) and the dependency will automatically be removed from the relevant scope.

replaceDependency(target, newTarget)

public replaceDependency(target: CfnResource, newTarget: CfnResource): void

Parameters

target CfnResource — The dependency to replace.
newTarget CfnResource — The new dependency to add.

Replaces one dependency with another.

toString()

public toString(): string

Returns

string

Returns a string representation of this construct.

protected renderProperties(props)

protected renderProperties(props: { [string]: any }): { [string]: any }

Parameters

props { [string]: any }

Returns

{ [string]: any }