aws-cdk.aws-cloudtrail 1.97.0

The CDK Construct Library for AWS::CloudTrail

AWS CloudTrail Construct Library

---

---

Trail

AWS CloudTrail enables governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Learn more at the CloudTrail documentation.

The Trail construct enables ongoing delivery of events as log files to an Amazon S3 bucket. Learn more about Creating a Trail for Your AWS Account. The following code creates a simple CloudTrail for your account -

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
trail = cloudtrail.Trail(self, "CloudTrail")

By default, this will create a new S3 Bucket that CloudTrail will write to, and choose a few other reasonable defaults such as turning on multi-region and global service events. The defaults for each property and how to override them are all documented on the TrailProps interface.

Log File Validation

In order to validate that the CloudTrail log file was not modified after CloudTrail delivered it, CloudTrail provides a digital signature for each file. Learn more at Validating CloudTrail Log File Integrity.

This is enabled on the Trail construct by default, but can be turned off by setting enableFileValidation to false.

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
trail = cloudtrail.Trail(self, "CloudTrail",
    enable_file_validation=False
)

Notifications

Amazon SNS notifications can be configured upon new log files containing Trail events are delivered to S3. Learn more at Configuring Amazon SNS Notifications for CloudTrail. The following code configures an SNS topic to be notified -

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
topic = sns.Topic(self, "TrailTopic")
trail = cloudtrail.Trail(self, "CloudTrail",
    sns_topic=topic
)

Service Integrations

Besides sending trail events to S3, they can also be configured to notify other AWS services -

Amazon CloudWatch Logs

CloudTrail events can be delivered to a CloudWatch Logs LogGroup. By default, a new LogGroup is created with a default retention setting. The following code enables sending CloudWatch logs but specifies a particular retention period for the created Log Group.

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
trail = cloudtrail.Trail(self, "CloudTrail",
    send_to_cloud_watch_logs=True,
    cloud_watch_logs_retention=logs.RetentionDays.FOUR_MONTHS
)

If you would like to use a specific log group instead, this can be configured via cloudwatchLogGroup.

Amazon EventBridge

Amazon EventBridge rules can be configured to be triggered when CloudTrail events occur using the Trail.onEvent() API. Using APIs available in aws-events, these events can be filtered to match to those that are of interest, either from a specific service, account or time range. See Events delivered via CloudTrail to learn more about the event structure for events from CloudTrail.

The following code filters events for S3 from a specific AWS account and triggers a lambda function.

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
my_function_handler = lambda_.Function(self, "MyFunction",
    code=lambda_.Code.from_asset("resource/myfunction"),
    runtime=lambda_.Runtime.NODEJS_12_X,
    handler="index.handler"
)

event_rule = Trail.on_event(self, "MyCloudWatchEvent",
    target=event_targets.LambdaFunction(my_function_handler)
)

event_rule.add_event_pattern(
    account="123456789012",
    source="aws.s3"
)

Multi-Region & Global Service Events

By default, a Trail is configured to deliver log files from multiple regions to a single S3 bucket for a given account. This creates shadow trails (replication of the trails) in all of the other regions. Learn more about How CloudTrail Behaves Regionally and about the IsMultiRegion property.

For most services, events are recorded in the region where the action occurred. For global services such as AWS IAM, AWS STS, Amazon CloudFront, Route 53, etc., events are delivered to any trail that includes global services. Learn more About Global Service Events.

Events for global services are turned on by default for Trail constructs in the CDK.

The following code disables multi-region trail delivery and trail delivery for global services for a specific Trail -

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
trail = cloudtrail.Trail(self, "CloudTrail",
    # ...
    is_multi_region_trail=False,
    include_global_service_events=False
)

Events Types

Management events provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations. Learn more about Management Events.

By default, a Trail logs all management events. However, they can be configured to either be turned off, or to only log 'Read' or 'Write' events.

The following code configures the Trail to only track management events that are of type 'Read'.

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
trail = cloudtrail.Trail(self, "CloudTrail",
    # ...
    management_events=ReadWriteType.READ_ONLY
)

Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Learn more about Data Events. By default, no data events are logged for a Trail.

AWS CloudTrail supports data event logging for Amazon S3 objects and AWS Lambda functions.

The logAllS3DataEvents() API configures the trail to log all S3 data events while the addS3EventSelector() API can be used to configure logging of S3 data events for specific buckets and specific object prefix. The following code configures logging of S3 data events for fooBucket and with object prefix bar/.

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
import aws_cdk.aws_cloudtrail as cloudtrail


trail = cloudtrail.Trail(self, "MyAmazingCloudTrail")

# Adds an event selector to the bucket foo
trail.add_s3_event_selector([
    bucket=foo_bucket, # 'fooBucket' is of type s3.IBucket
    object_prefix="bar/"
])

Similarly, the logAllLambdaDataEvents() configures the trail to log all Lambda data events while the addLambdaEventSelector() API can be used to configure logging for specific Lambda functions. The following code configures logging of Lambda data events for a specific Function.

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
trail = cloudtrail.Trail(self, "MyAmazingCloudTrail")
amazing_function = lambda_.Function(stack, "AnAmazingFunction",
    runtime=lambda_.Runtime.NODEJS_12_X,
    handler="hello.handler",
    code=lambda_.Code.from_asset("lambda")
)

# Add an event selector to log data events for the provided Lambda functions.
trail.add_lambda_event_selector([lambda_function])