AWS::CloudTrail::ResourcePolicy - AWS CloudFormation

AWS::CloudTrail::ResourcePolicy

Attaches a resource-based permission policy to a CloudTrail channel that is used for an integration with an event source outside of AWS. For more information about resource-based policies, see CloudTrail resource-based policy examples in the CloudTrail User Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::CloudTrail::ResourcePolicy",
  "Properties" : {
    "ResourceArn" : String,
    "ResourcePolicy" : Json
  }
}

YAML

Type: AWS::CloudTrail::ResourcePolicy
Properties:
  ResourceArn: String
  ResourcePolicy: Json

Properties

ResourceArn

The Amazon Resource Name (ARN) of the CloudTrail channel attached to the resource-based policy. The following is the format of a resource ARN: arn:aws:cloudtrail:us-east-2:123456789012:channel/MyChannel.

Required: Yes

Type: String

Pattern: ^[a-zA-Z0-9._/\-:]+$

Minimum: 3

Maximum: 256

Update requires: Replacement

ResourcePolicy

A JSON-formatted string for an AWS resource-based policy.

The following are requirements for the resource policy:

  • Contains only one action: cloudtrail-data:PutAuditEvents

  • Contains at least one statement. The policy can have a maximum of 20 statements.

  • Each statement contains at least one principal. A statement can have a maximum of 50 principals.

Required: Yes

Type: Json

Minimum: 1

Maximum: 8192

Update requires: No interruption
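A pre-deployment check for the requirements above, as an added example that is not part of the AWS documentation: it validates a template's ResourceArn and ResourcePolicy values against the limits listed on this page (single action, 1..20 statements, 1..50 principals per statement, ARN pattern and length bounds). The channel ARN and the two policy documents are constructed sample values.

```python
import json
import re

ALLOWED_ACTION = "cloudtrail-data:PutAuditEvents"  # the only action a channel policy may grant
MAX_STATEMENTS, MAX_PRINCIPALS, MAX_POLICY_LEN = 20, 50, 8192  # limits from the property descriptions
ARN_PATTERN = re.compile(r"^[a-zA-Z0-9._/\-:]+$")


def _as_list(value):
    """Policy fields such as Statement, Action and Principal may be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _count_principals(principal):
    """Count principals whether Principal is a string, a list, or a map such as {"AWS": [...]}."""
    if isinstance(principal, dict):
        return sum(len(_as_list(v)) for v in principal.values())
    return len(_as_list(principal))


def validate_resource_policy(resource_arn, resource_policy):
    """Return the documented constraints that the two property values violate (empty list = OK)."""
    errors = []
    if not (3 <= len(resource_arn) <= 256 and ARN_PATTERN.match(resource_arn)):
        errors.append("ResourceArn: length must be 3..256 and match the ARN pattern")
    if not 1 <= len(resource_policy) <= MAX_POLICY_LEN:
        errors.append(f"ResourcePolicy: length must be 1..{MAX_POLICY_LEN}")
    try:
        doc = json.loads(resource_policy)
    except json.JSONDecodeError as exc:
        return errors + [f"ResourcePolicy is not valid JSON: {exc}"]
    statements = _as_list(doc.get("Statement", []))
    if not 1 <= len(statements) <= MAX_STATEMENTS:
        errors.append(f"policy needs 1..{MAX_STATEMENTS} statements, has {len(statements)}")
    for i, stmt in enumerate(statements):
        if _as_list(stmt.get("Action", [])) != [ALLOWED_ACTION]:
            errors.append(f"statement {i}: only {ALLOWED_ACTION} is permitted")
        n = _count_principals(stmt.get("Principal", []))
        if not 1 <= n <= MAX_PRINCIPALS:
            errors.append(f"statement {i}: needs 1..{MAX_PRINCIPALS} principals, has {n}")
    return errors


# Constructed sample values (placeholder account IDs, not from a real account).
CHANNEL_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DeliverEventsThroughChannel", "Effect": "Allow", "Action": ALLOWED_ACTION,
    "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]}, "Resource": CHANNEL_ARN}]})
# A second action and no Principal: breaks two of the documented requirements.
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": [ALLOWED_ACTION, "s3:PutObject"], "Resource": CHANNEL_ARN}]})
```

Run it against the ResourceArn and ResourcePolicy values pulled from a template before `cloudformation deploy`; a non-empty list means the stack would be rejected or would grant more than the channel policy allows.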

Return values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource. The resource is a combination of the resource-based policy document and the channel ARN.

Examples

Example

The following example creates a resource policy that allows AWS account ID 111122223333 to call PutAuditEvents on the channel defined as the resource ARN in the policy. For information about creating a resource policy, see AWS CloudTrail resource-based policy examples in the AWS CloudTrail User Guide.

JSON

{
  "Type": "AWS::CloudTrail::ResourcePolicy",
  "Properties": {
    "ResourceArn": "arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE",
    "ResourcePolicy": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"DeliverEventsThroughChannel\", \"Effect\": \"Allow\", \"Principal\": { \"AWS\": [ \"arn:aws:iam::111122223333:root\" ] }, \"Action\": \"cloudtrail-data:PutAuditEvents\", \"Resource\": \"arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE\" } ] }"
  }
}

YAML

Type: AWS::CloudTrail::ResourcePolicy
Properties:
  ResourceArn: "arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE"
  ResourcePolicy: "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"DeliverEventsThroughChannel\", \"Effect\": \"Allow\", \"Principal\": { \"AWS\": [ \"arn:aws:iam::111122223333:root\" ] }, \"Action\": \"cloudtrail-data:PutAuditEvents\", \"Resource\": \"arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE\" } ] }"