View Source aws_cloudtrail (aws v0.7.14)
CloudTrail
This is the CloudTrail API Reference.
It provides descriptions of actions, data types, common parameters, and common errors for CloudTrail.
CloudTrail is a web service that records Amazon Web Services API calls for your Amazon Web Services account and delivers log files to an Amazon S3 bucket. The recorded information includes the identity of the user, the start time of the Amazon Web Services API call, the source IP address, the request parameters, and the response elements returned by the service.
As an alternative to the API, you can use one of the Amazon Web Services SDKs, which consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs provide programmatic access to CloudTrail. For example, the SDKs handle cryptographically signing requests, managing errors, and retrying requests automatically. For more information about the Amazon Web Services SDKs, including how to download and install them, see Tools to Build on Amazon Web Services.
See the CloudTrail User Guide for information about the data that is included with each Amazon Web Services API call listed in the log files.Link to this section Summary
Functions
Adds one or more tags to a trail, event data store, or channel, up to a limit of 50.
Cancels a query if the query is not in a terminated state, such as CANCELLED
, FAILED
, TIMED_OUT
, or FINISHED
.
Creates a channel for CloudTrail to ingest events from a partner or external source.
Disables the event data store specified by EventDataStore
, which accepts an event data store ARN.
Deletes a trail.
Returns metadata about a query, including query run time in milliseconds, number of events scanned and matched, and query status.
Describes the settings for the event selectors that you configured for your trail.
Describes the settings for the Insights event selectors that you configured for your trail.
Gets event data results of a query.
Returns a JSON-formatted list of information about the specified trail.
ImportStatus
or Destination
.Returns all public keys whose private keys were used to sign the digest files within the specified time range.
Returns a list of queries and query statuses for the past seven days.
Looks up management events or CloudTrail Insights events that are captured by CloudTrail.
Configures an event selector or advanced event selectors for your trail.
Lets you enable Insights event logging by specifying the Insights selectors that you want to enable on an existing trail.
Attaches a resource-based permission policy to a CloudTrail channel that is used for an integration with an event source outside of Amazon Web Services.
Restores a deleted event data store specified by EventDataStore
, which accepts an event data store ARN.
Starts an import of logged trail events from a source S3 bucket to a destination event data store.
Starts the recording of Amazon Web Services API calls and log file delivery for a trail.
Starts a CloudTrail Lake query.
Suspends the recording of Amazon Web Services API calls and log file delivery for the specified trail.
Updates an event data store.
Updates trail settings that control what events you are logging, and how to handle log files.
Link to this section Functions
Adds one or more tags to a trail, event data store, or channel, up to a limit of 50.
Overwrites an existing tag's value when a new value is specified for an existing tag key. Tag key names must be unique; you cannot have two keys with the same name but different values. If you specify a key without a value, the tag will be created with the specified key and a value of null. You can tag a trail or event data store that applies to all Amazon Web Services Regions only from the Region in which the trail or event data store was created (also known as its home region).Cancels a query if the query is not in a terminated state, such as CANCELLED
, FAILED
, TIMED_OUT
, or FINISHED
.
EventDataStore
. The ID of the query that you want to cancel is also required. When you run CancelQuery
, the query status might show as CANCELLED
even if the operation is not yet finished.
Creates a channel for CloudTrail to ingest events from a partner or external source.
After you create a channel, a CloudTrail Lake event data store can log events from the partner or source that you specify.Disables the event data store specified by EventDataStore
, which accepts an event data store ARN.
After you run DeleteEventDataStore
, the event data store enters a PENDING_DELETION
state, and is automatically deleted after a wait period of seven days. TerminationProtectionEnabled
must be set to False
on the event data store; this operation cannot work if TerminationProtectionEnabled
is True
.
DeleteEventDataStore
on an event data store, you cannot run ListQueries
, DescribeQuery
, or GetQueryResults
on queries that are using an event data store in a PENDING_DELETION
state. An event data store in the PENDING_DELETION
state does not incur costs.
Deletes a trail.
This operation must be called from the region in which the trail was created.DeleteTrail
cannot be called on the shadow trails (replicated trails in other regions) of a trail that is enabled in all regions.
Returns metadata about a query, including query run time in milliseconds, number of events scanned and matched, and query status.
You must specify an ARN forEventDataStore
, and a value for QueryID
.
Describes the settings for the event selectors that you configured for your trail.
The information returned for your event selectors includes the following:
If your event selector includes read-only events, write-only events, or all events. This applies to both management events and data events.
If your event selector includes management events.
If your event selector includes data events, the resources on which you are logging data events.
For more information about logging management and data events, see the following topics in the CloudTrail User Guide:
Logging management events for trails
Logging data events for trails
Describes the settings for the Insights event selectors that you configured for your trail.
GetInsightSelectors
shows if CloudTrail Insights event logging is enabled on the trail, and if it is, which insight types are enabled. If you run GetInsightSelectors
on a trail that does not have Insights events enabled, the operation throws the exception InsightNotEnabledException
Gets event data results of a query.
You must specify theQueryID
value returned by the StartQuery
operation, and an ARN for EventDataStore
.
Returns a JSON-formatted list of information about the specified trail.
Fields include information on delivery errors, Amazon SNS and Amazon S3 errors, and start and stop logging times for each trail. This operation returns trail status from a single region. To return trail status from all regions, you must call the operation on each region.ImportStatus
or Destination
.
Returns all public keys whose private keys were used to sign the digest files within the specified time range.
The public key is needed to validate digest files that were signed with its corresponding private key.
CloudTrail uses different private and public key pairs per region. Each digest file is signed with a private key unique to its region. When you validate a digest file from a specific region, you must look in the same region for its corresponding public key.Returns a list of queries and query statuses for the past seven days.
You must specify an ARN value forEventDataStore
. Optionally, to shorten the list of results, you can specify a time range, formatted as timestamps, by adding StartTime
and EndTime
parameters, and a QueryStatus
value. Valid values for QueryStatus
include QUEUED
, RUNNING
, FINISHED
, FAILED
, TIMED_OUT
, or CANCELLED
.
Looks up management events or CloudTrail Insights events that are captured by CloudTrail.
You can look up events that occurred in a region within the last 90 days. Lookup supports the following attributes for management events:
Amazon Web Services access key
Event ID
Event name
Event source
Read only
Resource name
Resource type
User name
Lookup supports the following attributes for Insights events:
Event ID
Event name
Event source
All attributes are optional. The default number of results returned is 50, with a maximum of 50 possible. The response includes a token that you can use to get the next page of results.
The rate of lookup requests is limited to two per second, per account, per region. If this limit is exceeded, a throttling error occurs.Configures an event selector or advanced event selectors for your trail.
Use event selectors or advanced event selectors to specify management and data event settings for your trail. By default, trails created without specific event selectors are configured to log all read and write management events, and no data events.
When an event occurs in your account, CloudTrail evaluates the event selectors or advanced event selectors in all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.
Example
You create an event selector for a trail and specify that you want write-only events.
The EC2
GetConsoleOutput
andRunInstances
API operations occur in your account.CloudTrail evaluates whether the events match your event selectors.
The
RunInstances
is a write-only event and it matches your event selector. The trail logs the event.The
GetConsoleOutput
is a read-only event that doesn't match your event selector. The trail doesn't log the event.
The PutEventSelectors
operation must be called from the region in which the trail was created; otherwise, an InvalidHomeRegionException
exception is thrown.
You can configure up to five event selectors for each trail. For more information, see Logging management events for trails , Logging data events for trails , and Quotas in CloudTrail in the CloudTrail User Guide.
You can add advanced event selectors, and conditions for your advanced event selectors, up to a maximum of 500 values for all conditions and selectors on a trail. You can use eitherAdvancedEventSelectors
or EventSelectors
, but not both. If you apply AdvancedEventSelectors
to a trail, any existing EventSelectors
are overwritten. For more information about advanced event selectors, see Logging data events for trails in the CloudTrail User Guide.
Lets you enable Insights event logging by specifying the Insights selectors that you want to enable on an existing trail.
You also usePutInsightSelectors
to turn off Insights event logging, by passing an empty list of insight types. The valid Insights event types in this release are ApiErrorRateInsight
and ApiCallRateInsight
.
Attaches a resource-based permission policy to a CloudTrail channel that is used for an integration with an event source outside of Amazon Web Services.
For more information about resource-based policies, see CloudTrail resource-based policy examples in the CloudTrail User Guide.Restores a deleted event data store specified by EventDataStore
, which accepts an event data store ARN.
Starts an import of logged trail events from a source S3 bucket to a destination event data store.
By default, CloudTrail only imports events contained in the S3 bucket's CloudTrail
prefix and the prefixes inside the CloudTrail
prefix, and does not check prefixes for other Amazon Web Services services. If you want to import CloudTrail events contained in another prefix, you must include the prefix in the S3LocationUri
. For more considerations about importing trail events, see Considerations.
When you start a new import, the Destinations
and ImportSource
parameters are required. Before starting a new import, disable any access control lists (ACLs) attached to the source S3 bucket. For more information about disabling ACLs, see Controlling ownership of objects and disabling ACLs for your bucket.
When you retry an import, the ImportID
parameter is required.
Starts the recording of Amazon Web Services API calls and log file delivery for a trail.
For a trail that is enabled in all regions, this operation must be called from the region in which the trail was created. This operation cannot be called on the shadow trails (replicated trails in other regions) of a trail that is enabled in all regions.Starts a CloudTrail Lake query.
The requiredQueryStatement
parameter provides your SQL query, enclosed in single quotation marks. Use the optional DeliveryS3Uri
parameter to deliver the query results to an S3 bucket.
Suspends the recording of Amazon Web Services API calls and log file delivery for the specified trail.
Under most circumstances, there is no need to use this action. You can update a trail without stopping it first. This action is the only way to stop recording. For a trail enabled in all regions, this operation must be called from the region in which the trail was created, or anInvalidHomeRegionException
will occur. This operation cannot be called on the shadow trails (replicated trails in other regions) of a trail enabled in all regions.
Updates an event data store.
The required EventDataStore
value is an ARN or the ID portion of the ARN. Other parameters are optional, but at least one optional parameter must be specified, or CloudTrail throws an error. RetentionPeriod
is in days, and valid values are integers between 90 and 2557. By default, TerminationProtection
is enabled.
For event data stores for CloudTrail events, AdvancedEventSelectors
includes or excludes management and data events in your event data store. For more information about AdvancedEventSelectors
, see PutEventSelectorsRequest$AdvancedEventSelectors
.
AdvancedEventSelectors
includes events of that type in your event data store.
Updates trail settings that control what events you are logging, and how to handle log files.
Changes to a trail do not require stopping the CloudTrail service. Use this action to designate an existing bucket for log delivery. If the existing bucket has previously been a target for CloudTrail log files, an IAM policy exists for the bucket.UpdateTrail
must be called from the region in which the trail was created; otherwise, an InvalidHomeRegionException
is thrown.