TrailProps

class aws_cdk.aws_cloudtrail.TrailProps(*, bucket=None, cloud_watch_logs_retention=None, enable_file_validation=None, include_global_service_events=None, is_multi_region_trail=None, kms_key=None, management_events=None, s3_key_prefix=None, send_to_cloud_watch_logs=None, sns_topic=None, trail_name=None)

Bases: object

__init__(*, bucket=None, cloud_watch_logs_retention=None, enable_file_validation=None, include_global_service_events=None, is_multi_region_trail=None, kms_key=None, management_events=None, s3_key_prefix=None, send_to_cloud_watch_logs=None, sns_topic=None, trail_name=None)
Parameters
  • bucket (Optional[IBucket]) – The Amazon S3 bucket. Default: - if not supplied a bucket will be created with all the correct permissions

  • cloud_watch_logs_retention (Optional[RetentionDays]) – How long to retain logs in CloudWatch Logs. Ignored if sendToCloudWatchLogs is false. Default: logs.RetentionDays.OneYear

  • enable_file_validation (Optional[bool]) – To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them. Default: true

  • include_global_service_events (Optional[bool]) – For most services, events are recorded in the region where the action occurred. For global services such as AWS Identity and Access Management (IAM), AWS STS, Amazon CloudFront, and Route 53, events are delivered to any trail that includes global services, and are logged as occurring in US East (N. Virginia) Region. Default: true

  • is_multi_region_trail (Optional[bool]) – Whether or not this trail delivers log files from multiple regions to a single S3 bucket for a single account. Default: true

  • kms_key (Optional[IKey]) – The AWS Key Management Service (AWS KMS) key ID that you want to use to encrypt CloudTrail logs. Default: - No encryption.

  • management_events (Optional[ReadWriteType]) – When an event occurs in your account, CloudTrail evaluates whether the event matches the settings for your trails. Only events that match your trail settings are delivered to your Amazon S3 bucket and Amazon CloudWatch Logs log group. This method sets the management configuration for this trail. Management events provide insight into management operations that are performed on resources in your AWS account. These are also known as control plane operations. Management events can also include non-API events that occur in your account. For example, when a user logs in to your account, CloudTrail logs the ConsoleLogin event. Default: - Management events will not be logged.

  • s3_key_prefix (Optional[str]) – An Amazon S3 object key prefix that precedes the name of all log files. Default: - No prefix.

  • send_to_cloud_watch_logs (Optional[bool]) – If CloudTrail pushes logs to CloudWatch Logs in addition to S3. Disabled for cost out of the box. Default: false

  • sns_topic (Optional[str]) – The name of an Amazon SNS topic that is notified when new log files are published. Default: - No notifications.

  • trail_name (Optional[str]) – The name of the trail. We recommend customers do not set an explicit name. Default: - AWS CloudFormation generated name.

Stability: experimental
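Several of the defaults above are security-relevant: management events are not logged unless management_events is set, logs are unencrypted unless kms_key is set, and nothing reaches CloudWatch Logs unless send_to_cloud_watch_logs is true. The following is an added example, not code from aws_cdk: a pre-deployment review that takes the same keyword names as TrailProps but operates on a plain dict, so it runs without the CDK installed. The DEFAULTS table, the finding texts and the two sample property sets are constructed for the example; in real CDK code the same keywords would be passed to the Trail construct.

```python
"""Pre-deployment review of CloudTrail TrailProps settings (added example)."""
from __future__ import annotations

# Values this page documents as the defaults applied when a key is omitted.
DEFAULTS = {
    "enable_file_validation": True,
    "include_global_service_events": True,
    "is_multi_region_trail": True,
    "kms_key": None,                          # "- No encryption."
    "management_events": None,                # "- Management events will not be logged."
    "send_to_cloud_watch_logs": False,
    "cloud_watch_logs_retention": "OneYear",  # logs.RetentionDays.OneYear
}


def effective(props: dict) -> dict:
    """Merge explicit props over the documented defaults without mutating the input."""
    merged = dict(DEFAULTS)
    merged.update(props)
    return merged


def review_trail_props(props: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    p = effective(props)
    findings: list[str] = []
    if p["management_events"] is None:
        findings.append("management_events unset: control-plane calls such as IAM changes "
                        "and ConsoleLogin will not be logged")
    if not p["enable_file_validation"]:
        findings.append("enable_file_validation=False: no SHA-256/RSA digest files, "
                        "so modified or deleted log files cannot be detected")
    if not p["is_multi_region_trail"]:
        findings.append("is_multi_region_trail=False: activity in other regions is not captured")
    if not p["include_global_service_events"]:
        findings.append("include_global_service_events=False: IAM, STS, CloudFront and "
                        "Route 53 events are dropped")
    if p["kms_key"] is None:
        findings.append("kms_key unset: log files are delivered without KMS encryption")
    if not p["send_to_cloud_watch_logs"]:
        findings.append("send_to_cloud_watch_logs=False: no metric filters or alarms "
                        "can be built on the trail")
    if p.get("trail_name") is not None:
        findings.append("trail_name set explicitly: the docs recommend leaving naming to CloudFormation")
    return findings


# Constructed sample: a trail created with nothing but a bucket.
MINIMAL = {"bucket": "audit-logs-bucket"}

# Constructed sample: the same trail with explicit hardened settings.
# "ALL" stands in for ReadWriteType.ALL, "alias/..." for a KMS IKey.
HARDENED = {
    "bucket": "audit-logs-bucket",
    "kms_key": "alias/cloudtrail-logs",
    "management_events": "ALL",
    "send_to_cloud_watch_logs": True,
    "cloud_watch_logs_retention": "OneYear",
}

if __name__ == "__main__":
    for finding in review_trail_props(MINIMAL):
        print("finding:", finding)
    print("hardened findings:", review_trail_props(HARDENED))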

Attributes

bucket

The Amazon S3 bucket.

Default: - if not supplied a bucket will be created with all the correct permissions

Stability: experimental

Return type

Optional[IBucket]

cloud_watch_logs_retention

How long to retain logs in CloudWatchLogs.

Ignored if sendToCloudWatchLogs is false.

Default: logs.RetentionDays.OneYear

Stability: experimental

Return type

Optional[RetentionDays]

enable_file_validation

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.

Default: true

Stability: experimental

Return type

Optional[bool]
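To make the integrity-validation mechanism concrete, here is an added example (not the AWS CLI's validate-logs command and not CDK code) that reproduces the two hash steps the feature rests on: the SHA-256 of each delivered, gzipped log file recorded in a digest file, and the SHA-256 of the previous digest file that chains digests together. The digest documents and log files are constructed for the example, keep only the field names needed from the digest layout, and carry no RSA signature; the signature check the CLI performs against CloudTrail's public key is assumed to happen separately and is not shown here.

```python
"""Offline hash checks mirroring CloudTrail log file integrity validation (added example)."""
from __future__ import annotations

import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_objects: dict[str, bytes], previous_digest: bytes | None) -> bytes:
    """Construct a simplified digest document for the sample (signature omitted)."""
    doc = {
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
        "logFiles": [
            {"s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(body)}
            for key, body in sorted(log_objects.items())
        ],
    }
    return json.dumps(doc, sort_keys=True).encode()


def verify_digest(digest: bytes, log_objects: dict[str, bytes],
                  previous_digest: bytes | None) -> list[str]:
    """Return the problems found; an empty list means every hash matched."""
    doc = json.loads(digest)
    problems: list[str] = []
    for entry in doc["logFiles"]:
        key = entry["s3Object"]
        body = log_objects.get(key)
        if body is None:
            problems.append(f"{key}: listed in digest but missing from bucket (deleted)")
        elif sha256_hex(body) != entry["hashValue"]:
            problems.append(f"{key}: SHA-256 mismatch, file modified after delivery")
    expected_prev = sha256_hex(previous_digest) if previous_digest else None
    if doc["previousDigestHashValue"] != expected_prev:
        problems.append("previous digest hash mismatch: digest chain broken")
    return problems


def sample_log(events: list[dict]) -> bytes:
    # CloudTrail delivers gzipped JSON; mtime is pinned so the bytes are deterministic.
    return gzip.compress(json.dumps({"Records": events}).encode(), mtime=0)


# Constructed sample objects; 111122223333 is a placeholder account id.
PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"
KEY_1 = PREFIX + "part-0001.json.gz"
KEY_2 = PREFIX + "part-0002.json.gz"
LOGS = {
    KEY_1: sample_log([{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"}]),
    KEY_2: sample_log([{"eventName": "CreateUser", "eventSource": "iam.amazonaws.com"}]),
}
DIGEST_1 = build_digest(LOGS, None)
DIGEST_2 = build_digest({}, DIGEST_1)  # next hour: no new files, chains to DIGEST_1


def demo() -> dict[str, list[str]]:
    """Run the check over clean data and over three tampering scenarios."""
    modified = dict(LOGS)
    modified[KEY_2] = sample_log([])  # CreateUser record stripped from the file
    deleted = {KEY_1: LOGS[KEY_1]}    # second log file removed from the bucket
    return {
        "clean": verify_digest(DIGEST_1, LOGS, None),
        "modified": verify_digest(DIGEST_1, modified, None),
        "deleted": verify_digest(DIGEST_1, deleted, None),
        "chain_ok": verify_digest(DIGEST_2, {}, DIGEST_1),
        "chain_broken": verify_digest(DIGEST_2, {}, b"replaced digest"),
    }


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "ok")
```

The chain check is what makes deletion of a whole digest file detectable: removing or rewriting an earlier digest changes the hash the next digest records, so a gap cannot be hidden by deleting files in order.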

include_global_service_events

For most services, events are recorded in the region where the action occurred. For global services such as AWS Identity and Access Management (IAM), AWS STS, Amazon CloudFront, and Route 53, events are delivered to any trail that includes global services, and are logged as occurring in US East (N. Virginia) Region.

Default: true

Stability: experimental

Return type

Optional[bool]

is_multi_region_trail

Whether or not this trail delivers log files from multiple regions to a single S3 bucket for a single account.

Default: true

Stability: experimental

Return type

Optional[bool]

kms_key

The AWS Key Management Service (AWS KMS) key ID that you want to use to encrypt CloudTrail logs.

Default: - No encryption.

Stability: experimental

Return type

Optional[IKey]

management_events

When an event occurs in your account, CloudTrail evaluates whether the event matches the settings for your trails. Only events that match your trail settings are delivered to your Amazon S3 bucket and Amazon CloudWatch Logs log group.

This method sets the management configuration for this trail.

Management events provide insight into management operations that are performed on resources in your AWS account. These are also known as control plane operations. Management events can also include non-API events that occur in your account. For example, when a user logs in to your account, CloudTrail logs the ConsoleLogin event.

Default: - Management events will not be logged.

Stability: experimental

Return type

Optional[ReadWriteType]

s3_key_prefix

An Amazon S3 object key prefix that precedes the name of all log files.

Default: - No prefix.

Stability: experimental

Return type

Optional[str]

send_to_cloud_watch_logs

If CloudTrail pushes logs to CloudWatch Logs in addition to S3. Disabled for cost out of the box.

Default: false

Stability: experimental

Return type

Optional[bool]

sns_topic

The name of an Amazon SNS topic that is notified when new log files are published.

Default: - No notifications.

Stability: experimental

Return type

Optional[str]

trail_name

The name of the trail.

We recommend customers do not set an explicit name.

Default: - AWS CloudFormation generated name.

Stability: experimental

Return type

Optional[str]