PutInsightSelectors - AWS CloudTrail

PutInsightSelectors

Lets you enable Insights event logging by specifying the Insights selectors that you want to enable on an existing trail. You also use PutInsightSelectors to turn off Insights event logging, by passing an empty list of insight types. The valid Insights event types in this release are ApiErrorRateInsight and ApiCallRateInsight.

To log CloudTrail Insights events on API call volume, the trail must log write management events. To log CloudTrail Insights events on API error rate, the trail must log read or write management events. You can call GetEventSelectors on a trail to check whether the trail logs management events.

Request Syntax

{ "InsightSelectors": [ { "InsightType": "string" } ], "TrailName": "string" }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

InsightSelectors

A JSON string that contains the insight types you want to log on a trail. ApiCallRateInsight and ApiErrorRateInsight are valid Insight types.

The ApiCallRateInsight Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.

The ApiErrorRateInsight Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.

Type: Array of InsightSelector objects

Required: Yes

TrailName

The name of the CloudTrail trail for which you want to change or add Insights selectors.

Type: String

Required: Yes

Response Syntax

{ "InsightSelectors": [ { "InsightType": "string" } ], "TrailARN": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

InsightSelectors

A JSON string that contains the Insights event types that you want to log on a trail. The valid Insights types in this release are ApiErrorRateInsight and ApiCallRateInsight.

Type: Array of InsightSelector objects

TrailARN

The Amazon Resource Name (ARN) of a trail for which you want to change or add Insights selectors.

Type: String

Errors

For information about the errors that are common to all actions, see Common Errors.

CloudTrailARNInvalidException

This exception is thrown when an operation is called with a trail ARN that is not valid. The following is the format of a trail ARN.

arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail

This exception is also thrown when you call AddTags or RemoveTags on a trail, event data store, or channel with a resource ARN that is not valid.

The following is the format of an event data store ARN: arn:aws:cloudtrail:us-east-2:12345678910:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE

The following is the format of a channel ARN: arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890

HTTP Status Code: 400

InsufficientEncryptionPolicyException

This exception is thrown when the policy on the S3 bucket or AWS KMS key does not have sufficient permissions for the operation.

HTTP Status Code: 400

InsufficientS3BucketPolicyException

This exception is thrown when the policy on the S3 bucket is not sufficient.

HTTP Status Code: 400

InvalidHomeRegionException

This exception is thrown when an operation is called on a trail from a region other than the region in which the trail was created.

HTTP Status Code: 400

InvalidInsightSelectorsException

The formatting or syntax of the InsightSelectors JSON statement in your PutInsightSelectors or GetInsightSelectors request is not valid, or the specified insight type in the InsightSelectors statement is not a valid insight type.

HTTP Status Code: 400

InvalidTrailNameException

This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:

  • Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)

  • Start with a letter or number, and end with a letter or number

  • Be between 3 and 128 characters

  • Have no adjacent periods, underscores or dashes. Names like my-_namespace and my--namespace are not valid.

  • Not be in IP address format (for example, 192.168.5.4)

HTTP Status Code: 400

KmsException

This exception is thrown when there is an issue with the specified AWS KMS key and the trail or event data store can't be updated.

HTTP Status Code: 400

NoManagementAccountSLRExistsException

This exception is thrown when the management account does not have a service-linked role.

HTTP Status Code: 400

NotOrganizationMasterAccountException

This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.

HTTP Status Code: 400

OperationNotPermittedException

This exception is thrown when the requested operation is not permitted.

HTTP Status Code: 400

S3BucketDoesNotExistException

This exception is thrown when the specified S3 bucket does not exist.

HTTP Status Code: 400

TrailNotFoundException

This exception is thrown when the trail with the given name is not found.

HTTP Status Code: 400

UnsupportedOperationException

This exception is thrown when the requested operation is not supported.

HTTP Status Code: 400

Examples

Example

The following example shows how to use Insight selectors to enable CloudTrail Insights on a trail named SampleTrail.

{ "InsightSelectors": '[{"InsightType": "ApiCallRateInsight"},{"InsightType": "ApiErrorRateInsight"}]', "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/SampleTrail" }

Example

The following example shows how to disable CloudTrail Insights on a trail named SampleTrail. Disable Insights event collection by passing an empty string of insight types ([ ]).

{ "InsightSelectors": [ ], "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/SampleTrail" }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: