AWS::CloudTrail::Trail EventSelector - AWS CloudFormation

AWS::CloudTrail::Trail EventSelector

Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.

You can configure up to five event selectors for a trail.

You cannot apply both event selectors and advanced event selectors to a trail.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{ "DataResources" : [ DataResource, ... ], "ExcludeManagementEventSources" : [ String, ... ], "IncludeManagementEvents" : Boolean, "ReadWriteType" : String }



CloudTrail supports data event logging for Amazon S3 objects in standard S3 buckets, AWS Lambda functions, and Amazon DynamoDB tables with basic event selectors. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.

For more information, see Data Events and Limits in AWS CloudTrail in the AWS CloudTrail User Guide.


To log data events for all other resource types including objects stored in directory buckets, you must use AdvancedEventSelectors. You must also use AdvancedEventSelectors if you want to filter on the eventName field.

Required: Conditional

Type: Array of DataResource

Update requires: No interruption


An optional list of service event sources from which you do not want management events to be logged on your trail. In this release, the list can be empty (disables the filter), or it can filter out AWS Key Management Service or Amazon RDS Data API events by containing or By default, ExcludeManagementEventSources is empty, and AWS KMS and Amazon RDS Data API events are logged to your trail. You can exclude management event sources only in Regions that support the event source.

Required: No

Type: Array of String

Update requires: No interruption


Specify if you want your event selector to include management events for your trail.

For more information, see Management Events in the AWS CloudTrail User Guide.

By default, the value is true.

The first copy of management events is free. You are charged for additional copies of management events that you are logging on any subsequent trail in the same Region. For more information about CloudTrail pricing, see AWS CloudTrail Pricing.

Required: No

Type: Boolean

Update requires: No interruption


Specify if you want your trail to log read-only events, write-only events, or all. For example, the EC2 GetConsoleOutput is a read-only API operation and RunInstances is a write-only API operation.

By default, the value is All.

Required: No

Type: String

Allowed values: All | ReadOnly | WriteOnly

Update requires: No interruption