class CfnTrail (construct)
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.CloudTrail.CfnTrail |
Go | github.com/aws/aws-cdk-go/awscdk/v2/awscloudtrail#CfnTrail |
Java | software.amazon.awscdk.services.cloudtrail.CfnTrail |
Python | aws_cdk.aws_cloudtrail.CfnTrail |
TypeScript | aws-cdk-lib » aws_cloudtrail » CfnTrail |
Implements: IConstruct, IDependable, IInspectable, ITaggable
Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket.
See also: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html
Example

```typescript
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import { aws_cloudtrail as cloudtrail } from 'aws-cdk-lib';
const cfnTrail = new cloudtrail.CfnTrail(this, 'MyCfnTrail', {
  isLogging: false,
  s3BucketName: 's3BucketName',
  // the properties below are optional
  advancedEventSelectors: [{
    fieldSelectors: [{
      field: 'field',
      // the properties below are optional
      endsWith: ['endsWith'],
      equalTo: ['equalTo'],
      notEndsWith: ['notEndsWith'],
      notEquals: ['notEquals'],
      notStartsWith: ['notStartsWith'],
      startsWith: ['startsWith'],
    }],
    // the properties below are optional
    name: 'name',
  }],
  cloudWatchLogsLogGroupArn: 'cloudWatchLogsLogGroupArn',
  cloudWatchLogsRoleArn: 'cloudWatchLogsRoleArn',
  enableLogFileValidation: false,
  eventSelectors: [{
    dataResources: [{
      type: 'type',
      // the properties below are optional
      values: ['values'],
    }],
    excludeManagementEventSources: ['excludeManagementEventSources'],
    includeManagementEvents: false,
    readWriteType: 'readWriteType',
  }],
  includeGlobalServiceEvents: false,
  insightSelectors: [{
    insightType: 'insightType',
  }],
  isMultiRegionTrail: false,
  isOrganizationTrail: false,
  kmsKeyId: 'kmsKeyId',
  s3KeyPrefix: 's3KeyPrefix',
  snsTopicName: 'snsTopicName',
  tags: [{
    key: 'key',
    value: 'value',
  }],
  trailName: 'trailName',
});
```
Initializer
new CfnTrail(scope: Construct, id: string, props: CfnTrailProps)
Parameters
- scope: Construct — Scope in which this resource is defined.
- id: string — Construct identifier for this resource (unique in its scope).
- props: CfnTrailProps — Resource properties.
Construct Props
Name | Type | Description |
---|---|---|
isLogging | boolean \| IResolvable | Whether the CloudTrail trail is currently logging AWS API calls. |
s3BucketName | string | Specifies the name of the Amazon S3 bucket designated for publishing log files. |
advancedEventSelectors? | IResolvable \| (IResolvable \| AdvancedEventSelectorProperty)[] | Specifies the settings for advanced event selectors. |
cloudWatchLogsLogGroupArn? | string | Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered. |
cloudWatchLogsRoleArn? | string | Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group. |
enableLogFileValidation? | boolean \| IResolvable | Specifies whether log file validation is enabled. The default is false. |
eventSelectors? | IResolvable \| (IResolvable \| EventSelectorProperty)[] | Use event selectors to further specify the management and data event settings for your trail. |
includeGlobalServiceEvents? | boolean \| IResolvable | Specifies whether the trail is publishing events from global services such as IAM to the log files. |
insightSelectors? | IResolvable \| (IResolvable \| InsightSelectorProperty)[] | A JSON string that contains the Insights types you want to log on a trail. |
isMultiRegionTrail? | boolean \| IResolvable | Specifies whether the trail applies only to the current Region or to all Regions. |
isOrganizationTrail? | boolean \| IResolvable | Specifies whether the trail is applied to all accounts in an organization in AWS Organizations, or only for the current AWS account. |
kmsKeyId? | string | Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail. |
s3KeyPrefix? | string | Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery. |
snsTopicName? | string | Specifies the name of the Amazon SNS topic defined for notification of log file delivery. |
tags? | CfnTag[] | A custom set of tags (key-value pairs) for this trail. |
trailName? | string | Specifies the name of the trail; the name must meet the requirements listed below. |
isLogging
Type: boolean | IResolvable
Whether the CloudTrail trail is currently logging AWS API calls.
s3BucketName
Type: string
Specifies the name of the Amazon S3 bucket designated for publishing log files.
See Amazon S3 Bucket naming rules.
advancedEventSelectors?
Type: IResolvable | (IResolvable | AdvancedEventSelectorProperty)[] (optional)
Specifies the settings for advanced event selectors.
You can use advanced event selectors to log management events, data events for all resource types, and network activity events.
You can add advanced event selectors, and conditions for your advanced event selectors, up to a maximum of 500 values for all conditions and selectors on a trail. You can use either AdvancedEventSelectors or EventSelectors, but not both. If you apply AdvancedEventSelectors to a trail, any existing EventSelectors are overwritten. For more information about advanced event selectors, see Logging data events and Logging network activity events in the AWS CloudTrail User Guide.
cloudWatchLogsLogGroupArn?
Type: string (optional)
Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered.
You must use a log group that exists in your account.
To enable CloudWatch Logs delivery, you must provide values for CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn.
If you previously enabled CloudWatch Logs delivery and want to disable CloudWatch Logs delivery, you must set the values of the CloudWatchLogsRoleArn and CloudWatchLogsLogGroupArn fields to "".
cloudWatchLogsRoleArn?
Type: string (optional)
Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.
You must use a role that exists in your account.
To enable CloudWatch Logs delivery, you must provide values for CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn.
If you previously enabled CloudWatch Logs delivery and want to disable CloudWatch Logs delivery, you must set the values of the CloudWatchLogsRoleArn and CloudWatchLogsLogGroupArn fields to "".
enableLogFileValidation?
Type: boolean | IResolvable (optional)
Specifies whether log file validation is enabled. The default is false.
When you disable log file integrity validation, the chain of digest files is broken after one hour. CloudTrail does not create digest files for log files that were delivered during a period in which log file integrity validation was disabled. For example, if you enable log file integrity validation at noon on January 1, disable it at noon on January 2, and re-enable it at noon on January 10, digest files will not be created for the log files delivered from noon on January 2 to noon on January 10. The same applies whenever you stop CloudTrail logging or delete a trail.
eventSelectors?
Type: IResolvable | (IResolvable | EventSelectorProperty)[] (optional)
Use event selectors to further specify the management and data event settings for your trail.
By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.
You can configure up to five event selectors for a trail.
You cannot apply both event selectors and advanced event selectors to a trail.
includeGlobalServiceEvents?
Type: boolean | IResolvable (optional)
Specifies whether the trail is publishing events from global services such as IAM to the log files.
insightSelectors?
Type: IResolvable | (IResolvable | InsightSelectorProperty)[] (optional)
A JSON string that contains the Insights types you want to log on a trail.
ApiCallRateInsight and ApiErrorRateInsight are valid Insight types.
The ApiCallRateInsight Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.
The ApiErrorRateInsight Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.
isMultiRegionTrail?
Type: boolean | IResolvable (optional)
Specifies whether the trail applies only to the current Region or to all Regions.
The default is false. If the trail exists only in the current Region and this value is set to true, shadow trails (replications of the trail) will be created in the other Regions. If the trail exists in all Regions and this value is set to false, the trail will remain in the Region where it was created, and its shadow trails in other Regions will be deleted. As a best practice, consider using trails that log events in all Regions.
isOrganizationTrail?
Type: boolean | IResolvable (optional)
Specifies whether the trail is applied to all accounts in an organization in AWS Organizations, or only for the current AWS account.
The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account for an organization in AWS Organizations. If the trail is not an organization trail and this is set to true, the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to false, the trail will remain in the current AWS account but be deleted from all member accounts in the organization.
Only the management account for the organization can convert an organization trail to a non-organization trail, or convert a non-organization trail to an organization trail.
kmsKeyId?
Type: string (optional)
Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail.
The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
CloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see Using multi-Region keys in the AWS Key Management Service Developer Guide.
Examples:
- alias/MyAliasName
- arn:aws:kms:us-east-2:123456789012:alias/MyAliasName
- arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
- 12345678-1234-1234-1234-123456789012
s3KeyPrefix?
Type: string (optional)
Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.
For more information, see Finding Your CloudTrail Log Files. The maximum length is 200 characters.
snsTopicName?
Type: string (optional)
Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
The maximum length is 256 characters.
tags?
Type: CfnTag[] (optional)
A custom set of tags (key-value pairs) for this trail.
trailName?
Type: string (optional)
Specifies the name of the trail. The name must meet the following requirements:
- Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
- Start with a letter or number, and end with a letter or number
- Be between 3 and 128 characters
- Have no adjacent periods, underscores or dashes. Names like my-_namespace and my--namespace are not valid.
- Not be in IP address format (for example, 192.168.5.4)
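The constraints spread across the props above (the trailName rules, the mutual exclusion of eventSelectors and advancedEventSelectors, the paired CloudWatch Logs ARNs, and the four accepted kmsKeyId forms) can all be checked before a stack is synthesized. The following is an added example, not code from aws-cdk-lib or from this page: a standalone TypeScript lint over a plain props object. The TrailPropsSubset interface (a subset of CfnTrailProps), the function names, the regular expressions used for the ARN and key-ID shapes, and the sample values are assumptions of this example. The warnings encode the page's own advice for an audit trail: log in all Regions, keep log file validation on, and encrypt with a KMS key.

```typescript
// Added example, not aws-cdk-lib code. TrailPropsSubset mirrors only the
// CfnTrailProps fields documented on this page; in a real app you would pass
// the CfnTrailProps you are about to hand to new CfnTrail(...).
interface TrailPropsSubset {
  isLogging: boolean;
  s3BucketName: string;
  trailName?: string;
  enableLogFileValidation?: boolean;
  isMultiRegionTrail?: boolean;
  kmsKeyId?: string;
  cloudWatchLogsLogGroupArn?: string;
  cloudWatchLogsRoleArn?: string;
  eventSelectors?: object[];
  advancedEventSelectors?: object[];
}

// trailName rules from this page: [A-Za-z0-9._-] only, alphanumeric at both
// ends, no adjacent separators (a separator must be followed by an alphanumeric).
const TRAIL_NAME_RE = /^[A-Za-z0-9](?:[A-Za-z0-9]|[._-](?=[A-Za-z0-9]))*$/;
const IPV4_RE = /^\d{1,3}(?:\.\d{1,3}){3}$/;

function validateTrailName(name: string): string[] {
  const errors: string[] = [];
  if (name.length < 3 || name.length > 128) {
    errors.push('trailName must be between 3 and 128 characters');
  }
  if (!TRAIL_NAME_RE.test(name)) {
    errors.push('trailName may only use [A-Za-z0-9._-], must start and end alphanumeric, and must not repeat separators');
  }
  if (IPV4_RE.test(name)) {
    errors.push('trailName must not be in IP address format');
  }
  return errors;
}

// The four kmsKeyId forms the page lists. The UUID and ARN shapes are assumed
// from the page's examples (alias/MyAliasName, arn:aws:kms:...:alias/..., etc.).
const UUID = '[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}';
const KMS_FORMS: Array<[string, RegExp]> = [
  ['alias-name', /^alias\/[A-Za-z0-9\/_-]+$/],
  ['alias-arn', /^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:alias\/[A-Za-z0-9\/_-]+$/],
  ['key-arn', new RegExp(`^arn:aws[a-z-]*:kms:[a-z0-9-]+:\\d{12}:key\\/${UUID}$`)],
  ['key-id', new RegExp(`^${UUID}$`)],
];

function kmsKeyIdForm(id: string): string | null {
  const hit = KMS_FORMS.find(([, re]) => re.test(id));
  return hit ? hit[0] : null;
}

function lintTrailProps(p: TrailPropsSubset): { errors: string[]; warnings: string[] } {
  const errors: string[] = [];
  const warnings: string[] = [];

  if (p.trailName !== undefined) errors.push(...validateTrailName(p.trailName));

  // EventSelectors and AdvancedEventSelectors cannot both be applied; at most
  // five event selectors per trail.
  if (p.eventSelectors && p.advancedEventSelectors) {
    errors.push('eventSelectors and advancedEventSelectors cannot both be set');
  }
  if (p.eventSelectors && p.eventSelectors.length > 5) {
    errors.push('a trail supports at most five eventSelectors');
  }

  // CloudWatch Logs delivery needs both ARNs; disabling it needs both set to "".
  const group = p.cloudWatchLogsLogGroupArn;
  const role = p.cloudWatchLogsRoleArn;
  if ((group === undefined) !== (role === undefined) || (group === '') !== (role === '')) {
    errors.push('cloudWatchLogsLogGroupArn and cloudWatchLogsRoleArn must be set together (both ARNs, or both "" to disable delivery)');
  }

  if (p.kmsKeyId !== undefined && kmsKeyIdForm(p.kmsKeyId) === null) {
    errors.push('kmsKeyId is not an alias name, alias ARN, key ARN or key ID');
  }

  // CloudFormation accepts the settings below, so they are warnings rather than
  // errors; for an audit trail they are the settings a defender wants on.
  if (!p.isLogging) warnings.push('isLogging is false: the trail records nothing');
  if (!p.enableLogFileValidation) warnings.push('enableLogFileValidation is off: no digest files, so tampering with delivered logs is not detectable');
  if (!p.isMultiRegionTrail) warnings.push('isMultiRegionTrail is false: API activity in other Regions is not captured');
  if (!p.kmsKeyId) warnings.push('kmsKeyId unset: log files are not encrypted with a KMS key you control');
  return { errors, warnings };
}

// Constructed sample input: an organization-wide audit trail with CloudWatch Logs delivery.
const sampleReport = lintTrailProps({
  isLogging: true,
  s3BucketName: 'example-audit-trail-bucket',
  trailName: 'org-audit-trail',
  enableLogFileValidation: true,
  isMultiRegionTrail: true,
  kmsKeyId: 'alias/MyAliasName',
  cloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-2:123456789012:log-group:example-trail:*',
  cloudWatchLogsRoleArn: 'arn:aws:iam::123456789012:role/example-trail-role',
});
console.log(JSON.stringify(sampleReport, null, 2)); // both lists empty for this input
```

Run the lint on the same object you pass to the CfnTrail constructor, and fail the build on any entry in errors; treat warnings as review findings, since a trail with isLogging or enableLogFileValidation set to false deploys without complaint but gives you no usable evidence later.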
Properties
Name | Type | Description |
---|---|---|
attrArn | string | Ref returns the ARN of the CloudTrail trail, such as arn:aws:cloudtrail:us-east-2:123456789012:trail/myCloudTrail. |
attrSnsTopicArn | string | Ref returns the ARN of the Amazon SNS topic that's associated with the CloudTrail trail, such as arn:aws:sns:us-east-2:123456789012:mySNSTopic. |
cfnOptions | ICfnResourceOptions | Options for this resource, such as condition, update policy etc. |
cfnProperties | { [string]: any } | |
cfnResourceType | string | AWS resource type. |
creationStack | string[] | |
isLogging | boolean \| IResolvable | Whether the CloudTrail trail is currently logging AWS API calls. |
logicalId | string | The logical ID for this CloudFormation stack element. |
node | Node | The tree node. |
ref | string | Return a string that will be resolved to a CloudFormation { Ref } for this element. |
s3BucketName | string | Specifies the name of the Amazon S3 bucket designated for publishing log files. |
stack | Stack | The stack in which this element is defined. |
tags | TagManager | Tag Manager which manages the tags for this resource. |
advancedEventSelectors? | IResolvable \| (IResolvable \| AdvancedEventSelectorProperty)[] | Specifies the settings for advanced event selectors. |
cloudWatchLogsLogGroupArn? | string | Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered. |
cloudWatchLogsRoleArn? | string | Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group. |
enableLogFileValidation? | boolean \| IResolvable | Specifies whether log file validation is enabled. |
eventSelectors? | IResolvable \| (IResolvable \| EventSelectorProperty)[] | Use event selectors to further specify the management and data event settings for your trail. |
includeGlobalServiceEvents? | boolean \| IResolvable | Specifies whether the trail is publishing events from global services such as IAM to the log files. |
insightSelectors? | IResolvable \| (IResolvable \| InsightSelectorProperty)[] | A JSON string that contains the Insights types you want to log on a trail. |
isMultiRegionTrail? | boolean \| IResolvable | Specifies whether the trail applies only to the current Region or to all Regions. |
isOrganizationTrail? | boolean \| IResolvable | Specifies whether the trail is applied to all accounts in an organization in AWS Organizations, or only for the current AWS account. |
kmsKeyId? | string | Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail. |
s3KeyPrefix? | string | Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery. |
snsTopicName? | string | Specifies the name of the Amazon SNS topic defined for notification of log file delivery. |
tagsRaw? | CfnTag[] | A custom set of tags (key-value pairs) for this trail. |
trailName? | string | Specifies the name of the trail. |
static CFN_RESOURCE_TYPE_NAME | string | The CloudFormation resource type name for this resource class. |
attrArn
Type: string
Ref returns the ARN of the CloudTrail trail, such as arn:aws:cloudtrail:us-east-2:123456789012:trail/myCloudTrail.
attrSnsTopicArn
Type: string
Ref returns the ARN of the Amazon SNS topic that's associated with the CloudTrail trail, such as arn:aws:sns:us-east-2:123456789012:mySNSTopic.
cfnOptions
Type: ICfnResourceOptions
Options for this resource, such as condition, update policy etc.
cfnProperties
Type: { [string]: any }
cfnResourceType
Type: string
AWS resource type.
creationStack
Type: string[]
isLogging
Type: boolean | IResolvable
Whether the CloudTrail trail is currently logging AWS API calls.
logicalId
Type: string
The logical ID for this CloudFormation stack element.
The logical ID of the element is calculated from the path of the resource node in the construct tree.
To override this value, use overrideLogicalId(newLogicalId).
node
Type: Node
The tree node.
ref
Type: string
Return a string that will be resolved to a CloudFormation { Ref } for this element.
If, by any chance, the intrinsic reference of a resource is not a string, you could coerce it to an IResolvable through Lazy.any({ produce: resource.ref }).
s3BucketName
Type: string
Specifies the name of the Amazon S3 bucket designated for publishing log files.
stack
Type: Stack
The stack in which this element is defined.
CfnElements must be defined within a stack scope (directly or indirectly).
tags
Type: TagManager
Tag Manager which manages the tags for this resource.
advancedEventSelectors?
Type: IResolvable | (IResolvable | AdvancedEventSelectorProperty)[] (optional)
Specifies the settings for advanced event selectors.
cloudWatchLogsLogGroupArn?
Type: string (optional)
Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered.
cloudWatchLogsRoleArn?
Type: string (optional)
Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.
enableLogFileValidation?
Type: boolean | IResolvable (optional)
Specifies whether log file validation is enabled.
The default is false.
eventSelectors?
Type: IResolvable | (IResolvable | EventSelectorProperty)[] (optional)
Use event selectors to further specify the management and data event settings for your trail.
includeGlobalServiceEvents?
Type: boolean | IResolvable (optional)
Specifies whether the trail is publishing events from global services such as IAM to the log files.
insightSelectors?
Type: IResolvable | (IResolvable | InsightSelectorProperty)[] (optional)
A JSON string that contains the Insights types you want to log on a trail.
isMultiRegionTrail?
Type: boolean | IResolvable (optional)
Specifies whether the trail applies only to the current Region or to all Regions.
isOrganizationTrail?
Type: boolean | IResolvable (optional)
Specifies whether the trail is applied to all accounts in an organization in AWS Organizations, or only for the current AWS account.
kmsKeyId?
Type: string (optional)
Specifies the AWS KMS key ID to use to encrypt the logs delivered by CloudTrail.
s3KeyPrefix?
Type: string (optional)
Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery.
snsTopicName?
Type: string (optional)
Specifies the name of the Amazon SNS topic defined for notification of log file delivery.
tagsRaw?
Type: CfnTag[] (optional)
A custom set of tags (key-value pairs) for this trail.
trailName?
Type: string (optional)
Specifies the name of the trail.
The name must meet the requirements listed under the trailName construct prop above.
static CFN_RESOURCE_TYPE_NAME
Type: string
The CloudFormation resource type name for this resource class.
Methods
Name | Description |
---|---|
addDeletionOverride(path) | Syntactic sugar for addOverride(path, undefined). |
addDependency(target) | Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned. |
addDependsOn(target) | Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned. |
addMetadata(key, value) | Add a value to the CloudFormation Resource Metadata. |
addOverride(path, value) | Adds an override to the synthesized CloudFormation resource. |
addPropertyDeletionOverride(propertyPath) | Adds an override that deletes the value of a property from the resource definition. |
addPropertyOverride(propertyPath, value) | Adds an override to a resource property. |
applyRemovalPolicy(policy?, options?) | Sets the deletion policy of the resource based on the removal policy specified. |
getAtt(attributeName, typeHint?) | Returns a token for a runtime attribute of this resource. |
getMetadata(key) | Retrieve a value from the CloudFormation Resource Metadata. |
inspect(inspector) | Examines the CloudFormation resource and discloses attributes. |
obtainDependencies() | Retrieves an array of resources this resource depends on. |
obtainResourceDependencies() | Get a shallow copy of dependencies between this resource and other resources in the same stack. |
overrideLogicalId(newLogicalId) | Overrides the auto-generated logical ID with a specific ID. |
removeDependency(target) | Indicates that this resource no longer depends on another resource. |
replaceDependency(target, newTarget) | Replaces one dependency with another. |
toString() | Returns a string representation of this construct. |
protected renderProperties(props) | |
addDeletionOverride(path)
public addDeletionOverride(path: string): void
Parameters
- path: string — The path of the value to delete.
Syntactic sugar for addOverride(path, undefined).
addDependency(target)
public addDependency(target: CfnResource): void
Parameters
- target: CfnResource
Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
This can be used for resources across stacks (or nested stack) boundaries and the dependency will automatically be transferred to the relevant scope.
addDependsOn(target)
public addDependsOn(target: CfnResource): void
⚠️ Deprecated: use addDependency
Parameters
- target: CfnResource
Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
addMetadata(key, value)
public addMetadata(key: string, value: any): void
Parameters
- key: string
- value: any
Add a value to the CloudFormation Resource Metadata.
Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.
See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
addOverride(path, value)
public addOverride(path: string, value: any): void
Parameters
- path: string — The path of the property; you can use dot notation to override values in complex types.
- value: any — The value.
Adds an override to the synthesized CloudFormation resource.
To add a property override, either use addPropertyOverride or prefix path with "Properties." (i.e. Properties.TopicName).
If the override is nested, separate each nested level using a dot (.) in the path parameter. If there is an array as part of the nesting, specify the index in the path.
To include a literal . in the property name, prefix with a \. In most programming languages you will need to write this as "\\." because the \ itself will need to be escaped.
For example,

```typescript
cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
```

would add the overrides

```
"Properties": {
  "GlobalSecondaryIndexes": [
    {
      "Projection": {
        "NonKeyAttributes": [ "myattribute" ]
        ...
      }
      ...
    },
    {
      "ProjectionType": "INCLUDE"
      ...
    },
  ]
  ...
}
```

The value argument to addOverride will not be processed or translated in any way. Pass raw JSON values in here with the correct capitalization for CloudFormation. If you pass CDK classes or structs, they will be rendered with lowercased key names, and CloudFormation will reject the template.
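To make the path rules concrete, here is an added example (not aws-cdk-lib code) that re-implements the documented addOverride path semantics on a plain JSON object: dot-separated levels, numeric segments as array indexes, "\." as a literal dot, undefined as deletion, and the addPropertyOverride / addDeletionOverride sugar. The function names and the sample resource are assumptions of this example; demo() replays the page's own GlobalSecondaryIndexes example, and trailDemo() applies the same rules to a CloudTrail-shaped resource with the raw CloudFormation key casing the page insists on.

```typescript
// Added example, not aws-cdk-lib code: a small re-implementation of the
// documented addOverride path rules, applied to a plain object so the result
// can be inspected without synthesizing a stack.
type Resource = { [key: string]: any };

// Split "a.b\.c.0.d" into ["a", "b.c", "0", "d"]: "." separates levels and
// "\." is a literal dot inside a key name.
function splitOverridePath(path: string): string[] {
  const parts: string[] = [];
  let current = '';
  for (let i = 0; i < path.length; i++) {
    const ch = path[i];
    if (ch === '\\' && path[i + 1] === '.') {
      current += '.';
      i++; // consume the escaped dot
    } else if (ch === '.') {
      parts.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts;
}

// addOverride semantics: walk or create each nesting level (a numeric next
// segment means the container is an array), then set the leaf. The value is
// stored untouched, exactly as the page says; undefined deletes the leaf.
function applyOverride(resource: Resource, path: string, value: any): void {
  const parts = splitOverridePath(path);
  let node: any = resource;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (node[key] === null || typeof node[key] !== 'object') {
      node[key] = /^\d+$/.test(parts[i + 1]) ? [] : {};
    }
    node = node[key];
  }
  const leaf = parts[parts.length - 1];
  if (value === undefined) {
    delete node[leaf];
  } else {
    node[leaf] = value;
  }
}

// The "syntactic sugar" forms described on this page.
function applyPropertyOverride(resource: Resource, propertyPath: string, value: any): void {
  applyOverride(resource, 'Properties.' + propertyPath, value);
}
function applyDeletionOverride(resource: Resource, path: string): void {
  applyOverride(resource, path, undefined);
}

// Replays the page's GlobalSecondaryIndexes example on an empty resource.
function demo(): Resource {
  const resource: Resource = {};
  applyOverride(resource, 'Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
  applyOverride(resource, 'Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
  return resource;
}

// Constructed sample: a CloudTrail resource as CloudFormation would see it.
function trailDemo(): Resource {
  const trail: Resource = {
    Type: 'AWS::CloudTrail::Trail',
    Properties: { IsLogging: true, S3BucketName: 'example-trail-bucket', S3KeyPrefix: 'logs/' },
  };
  applyPropertyOverride(trail, 'EnableLogFileValidation', true); // raw CloudFormation casing, not enableLogFileValidation
  applyOverride(trail, 'Metadata.audit\\.owner', 'security-team'); // literal dot in the key name
  applyDeletionOverride(trail, 'Properties.S3KeyPrefix');
  return trail;
}

console.log(JSON.stringify(demo(), null, 2));
console.log(JSON.stringify(trailDemo(), null, 2));
```

The point of trailDemo() is the casing caveat from the text: an override is written into the template verbatim, so a key spelled enableLogFileValidation would be deployed as an unknown property and rejected by CloudFormation, while EnableLogFileValidation lands on the real property.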
addPropertyDeletionOverride(propertyPath)
public addPropertyDeletionOverride(propertyPath: string): void
Parameters
- propertyPath: string — The path to the property.
Adds an override that deletes the value of a property from the resource definition.
addPropertyOverride(propertyPath, value)
public addPropertyOverride(propertyPath: string, value: any): void
Parameters
- propertyPath: string — The path of the property.
- value: any — The value.
Adds an override to a resource property.
Syntactic sugar for addOverride("Properties.<...>", value).
applyRemovalPolicy(policy?, options?)
public applyRemovalPolicy(policy?: RemovalPolicy, options?: RemovalPolicyOptions): void
Parameters
- policy: RemovalPolicy
- options: RemovalPolicyOptions
Sets the deletion policy of the resource based on the removal policy specified.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN). In some cases, a snapshot can be taken of the resource prior to deletion (RemovalPolicy.SNAPSHOT). A list of resources that support this policy can be found in the following link:
getAtt(attributeName, typeHint?)
public getAtt(attributeName: string, typeHint?: ResolutionTypeHint): Reference
Parameters
- attributeName: string — The name of the attribute.
- typeHint: ResolutionTypeHint
Returns
Reference
Returns a token for a runtime attribute of this resource.
Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.
getMetadata(key)
public getMetadata(key: string): any
Parameters
- key: string
Returns
any
Retrieve a value from the CloudFormation Resource Metadata.
Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.
See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html
inspect(inspector)
public inspect(inspector: TreeInspector): void
Parameters
- inspector: TreeInspector — tree inspector to collect and process attributes.
Examines the CloudFormation resource and discloses attributes.
obtainDependencies()
public obtainDependencies(): (Stack | CfnResource)[]
Returns
(Stack | CfnResource)[]
Retrieves an array of resources this resource depends on.
This assembles dependencies on resources across stacks (including nested stacks) automatically.
obtainResourceDependencies()
public obtainResourceDependencies(): CfnResource[]
Returns
CfnResource[]
Get a shallow copy of dependencies between this resource and other resources in the same stack.
overrideLogicalId(newLogicalId)
public overrideLogicalId(newLogicalId: string): void
Parameters
- newLogicalId: string — The new logical ID to use for this stack element.
Overrides the auto-generated logical ID with a specific ID.
removeDependency(target)
public removeDependency(target: CfnResource): void
Parameters
- target: CfnResource
Indicates that this resource no longer depends on another resource.
This can be used for resources across stacks (including nested stacks) and the dependency will automatically be removed from the relevant scope.
replaceDependency(target, newTarget)
public replaceDependency(target: CfnResource, newTarget: CfnResource): void
Parameters
- target: CfnResource — The dependency to replace.
- newTarget: CfnResource — The new dependency to add.
Replaces one dependency with another.
toString()
public toString(): string
Returns
string
Returns a string representation of this construct.
protected renderProperties(props)
protected renderProperties(props: { [string]: any }): { [string]: any }
Parameters
- props: { [string]: any }
Returns
{ [string]: any }