aws-sdk-cloudtrail 1.34.0 → 1.38.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a99ca5d388f807163cdff34c2f6753c5c69c617f367919697bdefe6fdb56fdd
-  data.tar.gz: 9f2b3042e332e9a7bfed617eb7a6c6a12aa76575719f3e1b86743a2d36eae5f2
+  metadata.gz: 4a7bee867497989e2495c469e8c8b443d5028c4f5335fbc49f7955a93c475106
+  data.tar.gz: 77964918e38d9a5956cf335babf402f8bfc8bb70a9e41bcdd4f9bf4fd8c1aec4
 SHA512:
-  metadata.gz: 45f62d3f3b8a38a6bc90e2f462273333d82f8ac1b52881425002bd6477fff005c9be72d5661e6a856bd9a4647dcdf3d66e18485f990eea19b349ce4f7926ebe5
-  data.tar.gz: 06e9bcf501c7112c4df28baef6177e8bb9fe566679479cd8d023fce2991cb4a3a7643165b030252514bc75fa7e307066093b7d985a1090ff89f61fc88edee1da
+  metadata.gz: c84587d519bd3622971bb590b7b04b302387b64193c911ccf52753926dc38de0515f7383afe9ac4aa331ac0cb78f388cc6a8e36da93856eb105178cf6b32e0db
+  data.tar.gz: ba8a7e97a35a774d88e6e8417ca3bfe1bd00447497da8512b8a6be9b8e8db9b49992c3a42409a9c0697f4a2784e09d8757a57e7889283d7e07a339428c36ecbc

data/CHANGELOG.md

@@ -1,6 +1,26 @@
 Unreleased Changes
 ------------------
 
+1.38.0 (2021-09-01)
+------------------
+
+* Feature - Documentation updates for CloudTrail
+
+1.37.0 (2021-07-30)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.36.0 (2021-07-28)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.35.0 (2021-06-04)
+------------------
+
+* Feature - AWS CloudTrail supports data events on new service resources, including Amazon DynamoDB tables and S3 Object Lambda access points.
+
 1.34.0 (2021-03-10)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.34.0
+1.38.0

data/lib/aws-sdk-cloudtrail/client.rb

@@ -342,9 +342,9 @@ module Aws::CloudTrail
     # tag key. Tag key names must be unique for a trail; you cannot have two
     # keys with the same name but different values. If you specify a key
     # without a value, the tag will be created with the specified key and a
-    # value of null. You can tag a trail that applies to all AWS Regions
-    # only from the Region in which the trail was created (also known as its
-    # home region).
+    # value of null. You can tag a trail that applies to all Amazon Web
+    # Services Regions only from the Region in which the trail was created
+    # (also known as its home region).
     #
     # @option params [required, String] :resource_id
     #   Specifies the ARN of the trail to which one or more tags will be
@@ -353,7 +353,7 @@ module Aws::CloudTrail
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #
     # @option params [Array<Types::Tag>] :tags_list
-    #   Contains a list of CloudTrail tags, up to a limit of 50
+    #   Contains a list of tags, up to a limit of 50
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -393,7 +393,7 @@ module Aws::CloudTrail
     #   * Be between 3 and 128 characters
     #
     #   * Have no adjacent periods, underscores or dashes. Names like
-    #     `my-_namespace` and `my--namespace` are invalid.
+    #     `my-_namespace` and `my--namespace` are not valid.
     #
     #   * Not be in IP address format (for example, 192.168.5.4)
     #
@@ -434,7 +434,7 @@ module Aws::CloudTrail
     #   default is false.
     #
     #   <note markdown="1"> When you disable log file integrity validation, the chain of digest
-    #   files is broken after one hour. CloudTrail will not create digest
+    #   files is broken after one hour. CloudTrail does not create digest
     #   files for log files that were delivered during a period in which log
     #   file integrity validation was disabled. For example, if you enable log
     #   file integrity validation at noon on January 1, disable it at noon on
@@ -449,7 +449,7 @@ module Aws::CloudTrail
     #   Specifies a log group name using an Amazon Resource Name (ARN), a
     #   unique identifier that represents the log group to which CloudTrail
     #   logs will be delivered. Not required unless you specify
-    #   CloudWatchLogsRoleArn.
+    #   `CloudWatchLogsRoleArn`.
     #
     # @option params [String] :cloud_watch_logs_role_arn
     #   Specifies the role for the CloudWatch Logs endpoint to assume to write
@@ -461,6 +461,10 @@ module Aws::CloudTrail
     #   fully specified ARN to an alias, a fully specified ARN to a key, or a
     #   globally unique identifier.
     #
+    #   CloudTrail also supports KMS multi-Region keys. For more information
+    #   about multi-Region keys, see [Using multi-Region keys][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
     #   Examples:
     #
     #   * alias/MyAliasName
@@ -471,12 +475,16 @@ module Aws::CloudTrail
     #
     #   * 12345678-1234-1234-1234-123456789012
     #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    #
     # @option params [Boolean] :is_organization_trail
     #   Specifies whether the trail is created for all accounts in an
-    #   organization in AWS Organizations, or only for the current AWS
-    #   account. The default is false, and cannot be true unless the call is
-    #   made on behalf of an AWS account that is the master account for an
-    #   organization in AWS Organizations.
+    #   organization in Organizations, or only for the current Amazon Web
+    #   Services account. The default is false, and cannot be true unless the
+    #   call is made on behalf of an Amazon Web Services account that is the
+    #   management account for an organization in Organizations.
     #
     # @option params [Array<Types::Tag>] :tags_list
     #   A list of tags.
@@ -551,7 +559,7 @@ module Aws::CloudTrail
     #
     # @option params [required, String] :name
     #   Specifies the name or the CloudTrail ARN of the trail to be deleted.
-    #   The format of a trail ARN is:
+    #   The following is the format of a trail ARN.
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
@@ -655,11 +663,11 @@ module Aws::CloudTrail
     #
     # * If your event selector includes management events.
     #
-    # * If your event selector includes data events, the Amazon S3 objects
-    #   or AWS Lambda functions that you are logging for data events.
+    # * If your event selector includes data events, the resources on which
+    #   you are logging data events.
     #
     # For more information, see [Logging Data and Management Events for
-    # Trails ][1] in the *AWS CloudTrail User Guide*.
+    # Trails ][1] in the *CloudTrail User Guide*.
     #
     #
     #
@@ -743,7 +751,7 @@ module Aws::CloudTrail
     # exception `InsightNotEnabledException`
     #
     # For more information, see [Logging CloudTrail Insights Events for
-    # Trails ][1] in the *AWS CloudTrail User Guide*.
+    # Trails ][1] in the *CloudTrail User Guide*.
     #
     #
     #
@@ -850,7 +858,7 @@ module Aws::CloudTrail
     #   Specifies the name or the CloudTrail ARN of the trail for which you
     #   are requesting status. To get the status of a shadow trail (a
     #   replication of the trail in another region), you must specify its ARN.
-    #   The format of a trail ARN is:
+    #   The following is the format of a trail ARN.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #
@@ -914,10 +922,10 @@ module Aws::CloudTrail
     # to validate digest files that were signed with its corresponding
     # private key.
     #
-    # <note markdown="1"> CloudTrail uses different private/public key pairs per region. Each
-    # digest file is signed with a private key unique to its region.
-    # Therefore, when you validate a digest file from a particular region,
-    # you must look in the same region for its corresponding public key.
+    # <note markdown="1"> CloudTrail uses different private and public key pairs per region.
+    # Each digest file is signed with a private key unique to its region.
+    # When you validate a digest file from a specific region, you must look
+    # in the same region for its corresponding public key.
     #
     #  </note>
     #
@@ -971,7 +979,7 @@ module Aws::CloudTrail
     #
     # @option params [required, Array<String>] :resource_id_list
     #   Specifies a list of trail ARNs whose tags will be listed. The list has
-    #   a limit of 20 ARNs. The format of a trail ARN is:
+    #   a limit of 20 ARNs. The following is the format of a trail ARN.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #
@@ -1054,7 +1062,7 @@ module Aws::CloudTrail
     # in a region within the last 90 days. Lookup supports the following
     # attributes for management events:
     #
-    # * AWS access key
+    # * Amazon Web Services access key
     #
     # * Event ID
     #
@@ -1204,7 +1212,7 @@ module Aws::CloudTrail
     #
     # You can configure up to five event selectors for each trail. For more
     # information, see [Logging data and management events for trails ][1]
-    # and [Quotas in AWS CloudTrail][2] in the *AWS CloudTrail User Guide*.
+    # and [Quotas in CloudTrail][2] in the *CloudTrail User Guide*.
     #
     # You can add advanced event selectors, and conditions for your advanced
     # event selectors, up to a maximum of 500 values for all conditions and
@@ -1212,7 +1220,7 @@ module Aws::CloudTrail
     # `EventSelectors`, but not both. If you apply `AdvancedEventSelectors`
     # to a trail, any existing `EventSelectors` are overwritten. For more
     # information about advanced event selectors, see [Logging data events
-    # for trails][3] in the *AWS CloudTrail User Guide*.
+    # for trails][3] in the *CloudTrail User Guide*.
     #
     #
     #
@@ -1232,11 +1240,11 @@ module Aws::CloudTrail
     #   * Be between 3 and 128 characters
     #
     #   * Have no adjacent periods, underscores or dashes. Names like
-    #     `my-_namespace` and `my--namespace` are invalid.
+    #     `my-_namespace` and `my--namespace` are not valid.
     #
     #   * Not be in IP address format (for example, 192.168.5.4)
     #
-    #   If you specify a trail ARN, it must be in the format:
+    #   If you specify a trail ARN, it must be in the following format.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #
@@ -1255,7 +1263,7 @@ module Aws::CloudTrail
     #   `EventSelectors`, but not both. If you apply `AdvancedEventSelectors`
     #   to a trail, any existing `EventSelectors` are overwritten. For more
     #   information about advanced event selectors, see [Logging data events
-    #   for trails][1] in the *AWS CloudTrail User Guide*.
+    #   for trails][1] in the *CloudTrail User Guide*.
     #
     #
     #
@@ -1343,17 +1351,17 @@ module Aws::CloudTrail
     # Lets you enable Insights event logging by specifying the Insights
     # selectors that you want to enable on an existing trail. You also use
     # `PutInsightSelectors` to turn off Insights event logging, by passing
-    # an empty list of insight types. In this release, only
-    # `ApiCallRateInsight` is supported as an Insights selector.
+    # an empty list of insight types. The valid Insights event type in this
+    # release is `ApiCallRateInsight`.
     #
     # @option params [required, String] :trail_name
     #   The name of the CloudTrail trail for which you want to change or add
     #   Insights selectors.
     #
     # @option params [required, Array<Types::InsightSelector>] :insight_selectors
-    #   A JSON string that contains the insight types you want to log on a
-    #   trail. In this release, only `ApiCallRateInsight` is supported as an
-    #   insight type.
+    #   A JSON string that contains the Insights types that you want to log on
+    #   a trail. The valid Insights type in this release is
+    #   `ApiCallRateInsight`.
     #
     # @return [Types::PutInsightSelectorsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1420,15 +1428,17 @@ module Aws::CloudTrail
       req.send_request(options)
     end
 
-    # Starts the recording of AWS API calls and log file delivery for a
-    # trail. For a trail that is enabled in all regions, this operation must
-    # be called from the region in which the trail was created. This
-    # operation cannot be called on the shadow trails (replicated trails in
-    # other regions) of a trail that is enabled in all regions.
+    # Starts the recording of Amazon Web Services API calls and log file
+    # delivery for a trail. For a trail that is enabled in all regions, this
+    # operation must be called from the region in which the trail was
+    # created. This operation cannot be called on the shadow trails
+    # (replicated trails in other regions) of a trail that is enabled in all
+    # regions.
     #
     # @option params [required, String] :name
     #   Specifies the name or the CloudTrail ARN of the trail for which
-    #   CloudTrail logs AWS API calls. The format of a trail ARN is:
+    #   CloudTrail logs Amazon Web Services API calls. The following is the
+    #   format of a trail ARN.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #
@@ -1449,19 +1459,20 @@ module Aws::CloudTrail
       req.send_request(options)
     end
 
-    # Suspends the recording of AWS API calls and log file delivery for the
-    # specified trail. Under most circumstances, there is no need to use
-    # this action. You can update a trail without stopping it first. This
-    # action is the only way to stop recording. For a trail enabled in all
-    # regions, this operation must be called from the region in which the
-    # trail was created, or an `InvalidHomeRegionException` will occur. This
-    # operation cannot be called on the shadow trails (replicated trails in
-    # other regions) of a trail enabled in all regions.
+    # Suspends the recording of Amazon Web Services API calls and log file
+    # delivery for the specified trail. Under most circumstances, there is
+    # no need to use this action. You can update a trail without stopping it
+    # first. This action is the only way to stop recording. For a trail
+    # enabled in all regions, this operation must be called from the region
+    # in which the trail was created, or an `InvalidHomeRegionException`
+    # will occur. This operation cannot be called on the shadow trails
+    # (replicated trails in other regions) of a trail enabled in all
+    # regions.
     #
     # @option params [required, String] :name
     #   Specifies the name or the CloudTrail ARN of the trail for which
-    #   CloudTrail will stop logging AWS API calls. The format of a trail ARN
-    #   is:
+    #   CloudTrail will stop logging Amazon Web Services API calls. The
+    #   following is the format of a trail ARN.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #
@@ -1482,13 +1493,13 @@ module Aws::CloudTrail
       req.send_request(options)
     end
 
-    # Updates the settings that specify delivery of log files. Changes to a
-    # trail do not require stopping the CloudTrail service. Use this action
-    # to designate an existing bucket for log delivery. If the existing
-    # bucket has previously been a target for CloudTrail log files, an IAM
-    # policy exists for the bucket. `UpdateTrail` must be called from the
-    # region in which the trail was created; otherwise, an
-    # `InvalidHomeRegionException` is thrown.
+    # Updates trail settings that control what events you are logging, and
+    # how to handle log files. Changes to a trail do not require stopping
+    # the CloudTrail service. Use this action to designate an existing
+    # bucket for log delivery. If the existing bucket has previously been a
+    # target for CloudTrail log files, an IAM policy exists for the bucket.
+    # `UpdateTrail` must be called from the region in which the trail was
+    # created; otherwise, an `InvalidHomeRegionException` is thrown.
     #
     # @option params [required, String] :name
     #   Specifies the name of the trail or trail ARN. If `Name` is a trail
@@ -1502,11 +1513,11 @@ module Aws::CloudTrail
     #   * Be between 3 and 128 characters
     #
     #   * Have no adjacent periods, underscores or dashes. Names like
-    #     `my-_namespace` and `my--namespace` are invalid.
+    #     `my-_namespace` and `my--namespace` are not valid.
     #
     #   * Not be in IP address format (for example, 192.168.5.4)
     #
-    #   If `Name` is a trail ARN, it must be in the format:
+    #   If `Name` is a trail ARN, it must be in the following format.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #
@@ -1551,7 +1562,7 @@ module Aws::CloudTrail
     #   false.
     #
     #   <note markdown="1"> When you disable log file integrity validation, the chain of digest
-    #   files is broken after one hour. CloudTrail will not create digest
+    #   files is broken after one hour. CloudTrail does not create digest
     #   files for log files that were delivered during a period in which log
     #   file integrity validation was disabled. For example, if you enable log
     #   file integrity validation at noon on January 1, disable it at noon on
@@ -1565,8 +1576,8 @@ module Aws::CloudTrail
     # @option params [String] :cloud_watch_logs_log_group_arn
     #   Specifies a log group name using an Amazon Resource Name (ARN), a
     #   unique identifier that represents the log group to which CloudTrail
-    #   logs will be delivered. Not required unless you specify
-    #   CloudWatchLogsRoleArn.
+    #   logs are delivered. Not required unless you specify
+    #   `CloudWatchLogsRoleArn`.
     #
     # @option params [String] :cloud_watch_logs_role_arn
     #   Specifies the role for the CloudWatch Logs endpoint to assume to write
@@ -1578,6 +1589,10 @@ module Aws::CloudTrail
     #   fully specified ARN to an alias, a fully specified ARN to a key, or a
     #   globally unique identifier.
     #
+    #   CloudTrail also supports KMS multi-Region keys. For more information
+    #   about multi-Region keys, see [Using multi-Region keys][1] in the *Key
+    #   Management Service Developer Guide*.
+    #
     #   Examples:
     #
     #   * alias/MyAliasName
@@ -1588,17 +1603,21 @@ module Aws::CloudTrail
     #
     #   * 12345678-1234-1234-1234-123456789012
     #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
+    #
     # @option params [Boolean] :is_organization_trail
     #   Specifies whether the trail is applied to all accounts in an
-    #   organization in AWS Organizations, or only for the current AWS
-    #   account. The default is false, and cannot be true unless the call is
-    #   made on behalf of an AWS account that is the master account for an
-    #   organization in AWS Organizations. If the trail is not an organization
-    #   trail and this is set to true, the trail will be created in all AWS
-    #   accounts that belong to the organization. If the trail is an
-    #   organization trail and this is set to false, the trail will remain in
-    #   the current AWS account but be deleted from all member accounts in the
-    #   organization.
+    #   organization in Organizations, or only for the current Amazon Web
+    #   Services account. The default is false, and cannot be true unless the
+    #   call is made on behalf of an Amazon Web Services account that is the
+    #   management account for an organization in Organizations. If the trail
+    #   is not an organization trail and this is set to `true`, the trail will
+    #   be created in all Amazon Web Services accounts that belong to the
+    #   organization. If the trail is an organization trail and this is set to
+    #   `false`, the trail will remain in the current Amazon Web Services
+    #   account but be deleted from all member accounts in the organization.
     #
     # @return [Types::UpdateTrailResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1670,7 +1689,7 @@ module Aws::CloudTrail
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-cloudtrail'
-      context[:gem_version] = '1.34.0'
+      context[:gem_version] = '1.38.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-cloudtrail/customizations.rb

@@ -2,7 +2,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing for info on making contributions:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 

data/lib/aws-sdk-cloudtrail/types.rb

@@ -33,7 +33,7 @@ module Aws::CloudTrail
     #   @return [String]
     #
     # @!attribute [rw] tags_list
-    #   Contains a list of CloudTrail tags, up to a limit of 50
+    #   Contains a list of tags, up to a limit of 50
     #   @return [Array<Types::Tag>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/AddTagsRequest AWS API Documentation
@@ -45,18 +45,18 @@ module Aws::CloudTrail
       include Aws::Structure
     end
 
-    # Returns the objects or data listed below if successful. Otherwise,
-    # returns an error.
+    # Returns the objects or data if successful. Otherwise, returns an
+    # error.
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/AddTagsResponse AWS API Documentation
     #
     class AddTagsResponse < Aws::EmptyStructure; end
 
     # Advanced event selectors let you create fine-grained selectors for the
-    # following AWS CloudTrail event record fields. They help you control
-    # costs by logging only those events that are important to you. For more
+    # following CloudTrail event record fields. They help you control costs
+    # by logging only those events that are important to you. For more
     # information about advanced event selectors, see [Logging data events
-    # for trails][1] in the *AWS CloudTrail User Guide*.
+    # for trails][1] in the *CloudTrail User Guide*.
     #
     # * `readOnly`
     #
@@ -144,8 +144,8 @@ module Aws::CloudTrail
     #
     #   * <b> <code>eventName</code> </b> - Can use any operator. You can
     #     use it to filter in or filter out any data event logged to
-    #     CloudTrail, such as `PutBucket`. You can have multiple values for
-    #     this field, separated by commas.
+    #     CloudTrail, such as `PutBucket` or `GetSnapshotBlock`. You can
+    #     have multiple values for this field, separated by commas.
     #
     #   * <b> <code>eventCategory</code> </b> - This is required. It must be
     #     set to `Equals`, and the value must be `Management` or `Data`.
@@ -153,8 +153,11 @@ module Aws::CloudTrail
     #   * <b> <code>resources.type</code> </b> - This field is required.
     #     `resources.type` can only use the `Equals` operator, and the value
     #     can be one of the following: `AWS::S3::Object`,
-    #     `AWS::Lambda::Function`, or `AWS::S3Outposts::Object`. You can
-    #     have only one `resources.type` field per selector. To log data
+    #     `AWS::S3::AccessPoint`, `AWS::Lambda::Function`,
+    #     `AWS::DynamoDB::Table`, `AWS::S3Outposts::Object`,
+    #     `AWS::ManagedBlockchain::Node`,
+    #     `AWS::S3ObjectLambda::AccessPoint`, or `AWS::EC2::Snapshot`. You
+    #     can have only one `resources.type` field per selector. To log data
     #     events on more than one resource type, add another selector.
     #
     #   * <b> <code>resources.ARN</code> </b> - You can use any operator
@@ -162,18 +165,42 @@ module Aws::CloudTrail
     #     value must exactly match the ARN of a valid resource of the type
     #     you've specified in the template as the value of resources.type.
     #     For example, if resources.type equals `AWS::S3::Object`, the ARN
-    #     must be in one of the following formats. The trailing slash is
-    #     intentional; do not exclude it.
+    #     must be in one of the following formats. To log all data events
+    #     for all objects in a specific S3 bucket, use the `StartsWith`
+    #     operator, and include only the bucket ARN as the matching value.
+    #
+    #     The trailing slash is intentional; do not exclude it. Replace the
+    #     text between less than and greater than symbols (&lt;&gt;) with
+    #     resource-specific information.
+    #
+    #     * `arn:<partition>:s3:::<bucket_name>/`
     #
-    #     * `arn:partition:s3:::bucket_name/`
+    #     * `arn:<partition>:s3:::<bucket_name>/<object_path>/`
     #
-    #     * `arn:partition:s3:::bucket_name/object_or_file_name/`
+    #     When `resources.type` equals `AWS::S3::AccessPoint`, and the
+    #     operator is set to `Equals` or `NotEquals`, the ARN must be in one
+    #     of the following formats. To log events on all objects in an S3
+    #     access point, we recommend that you use only the access point ARN,
+    #     don’t include the object path, and use the `StartsWith` or
+    #     `NotStartsWith` operators.
+    #
+    #     * `arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>`
+    #
+    #     * `arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>`
     #
     #     When resources.type equals `AWS::Lambda::Function`, and the
     #     operator is set to `Equals` or `NotEquals`, the ARN must be in the
     #     following format:
     #
-    #     * `arn:partition:lambda:region:account_ID:function:function_name`
+    #     * `arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>`
+    #
+    #     ^
+    #
+    #     When resources.type equals `AWS::DynamoDB::Table`, and the
+    #     operator is set to `Equals` or `NotEquals`, the ARN must be in the
+    #     following format:
+    #
+    #     * `arn:<partition>:dynamodb:<region>:<account_ID>:table:<table_name>`
     #
     #     ^
     #
@@ -181,7 +208,31 @@ module Aws::CloudTrail
     #     operator is set to `Equals` or `NotEquals`, the ARN must be in the
     #     following format:
     #
-    #     * `arn:partition:s3-outposts:region:>account_ID:object_path`
+    #     * `arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>`
+    #
+    #     ^
+    #
+    #     When `resources.type` equals `AWS::ManagedBlockchain::Node`, and
+    #     the operator is set to `Equals` or `NotEquals`, the ARN must be in
+    #     the following format:
+    #
+    #     * `arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>`
+    #
+    #     ^
+    #
+    #     When `resources.type` equals `AWS::S3ObjectLambda::AccessPoint`,
+    #     and the operator is set to `Equals` or `NotEquals`, the ARN must
+    #     be in the following format:
+    #
+    #     * `arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>`
+    #
+    #     ^
+    #
+    #     When `resources.type` equals `AWS::EC2::Snapshot`, and the
+    #     operator is set to `Equals` or `NotEquals`, the ARN must be in the
+    #     following format:
+    #
+    #     * `arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>`
     #
     #     ^
     #   @return [String]
@@ -232,8 +283,8 @@ module Aws::CloudTrail
       include Aws::Structure
     end
 
-    # This exception is thrown when an operation is called with an invalid
-    # trail ARN. The format of a trail ARN is:
+    # This exception is thrown when an operation is called with a trail ARN
+    # that is not valid. The following is the format of a trail ARN.
     #
     # `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #
@@ -242,9 +293,9 @@ module Aws::CloudTrail
     class CloudTrailARNInvalidException < Aws::EmptyStructure; end
 
     # This exception is thrown when trusted access has not been enabled
-    # between AWS CloudTrail and AWS Organizations. For more information,
-    # see [Enabling Trusted Access with Other AWS Services][1] and [Prepare
-    # For Creating a Trail For Your Organization][2].
+    # between CloudTrail and Organizations. For more information, see
+    # [Enabling Trusted Access with Other Amazon Web Services Services][1]
+    # and [Prepare For Creating a Trail For Your Organization][2].
     #
     #
     #
@@ -258,7 +309,7 @@ module Aws::CloudTrail
     # This exception is thrown when a call results in the
     # `InvalidClientTokenId` error code. This can occur when you are
     # creating or updating a trail to send notifications to an Amazon SNS
-    # topic that is in a suspended AWS account.
+    # topic that is in a suspended Amazon Web Services account.
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/CloudTrailInvalidClientTokenIdException AWS API Documentation
     #
@@ -317,7 +368,7 @@ module Aws::CloudTrail
     #   * Be between 3 and 128 characters
     #
     #   * Have no adjacent periods, underscores or dashes. Names like
-    #     `my-_namespace` and `my--namespace` are invalid.
+    #     `my-_namespace` and `my--namespace` are not valid.
     #
     #   * Not be in IP address format (for example, 192.168.5.4)
     #   @return [String]
@@ -364,7 +415,7 @@ module Aws::CloudTrail
     #   default is false.
     #
     #   <note markdown="1"> When you disable log file integrity validation, the chain of digest
-    #   files is broken after one hour. CloudTrail will not create digest
+    #   files is broken after one hour. CloudTrail does not create digest
     #   files for log files that were delivered during a period in which log
     #   file integrity validation was disabled. For example, if you enable
     #   log file integrity validation at noon on January 1, disable it at
@@ -380,7 +431,7 @@ module Aws::CloudTrail
     #   Specifies a log group name using an Amazon Resource Name (ARN), a
     #   unique identifier that represents the log group to which CloudTrail
     #   logs will be delivered. Not required unless you specify
-    #   CloudWatchLogsRoleArn.
+    #   `CloudWatchLogsRoleArn`.
     #   @return [String]
     #
     # @!attribute [rw] cloud_watch_logs_role_arn
@@ -394,6 +445,10 @@ module Aws::CloudTrail
     #   fully specified ARN to an alias, a fully specified ARN to a key, or
     #   a globally unique identifier.
     #
+    #   CloudTrail also supports KMS multi-Region keys. For more information
+    #   about multi-Region keys, see [Using multi-Region keys][1] in the
+    #   *Key Management Service Developer Guide*.
+    #
     #   Examples:
     #
     #   * alias/MyAliasName
@@ -403,14 +458,18 @@ module Aws::CloudTrail
     #   * arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
     #
     #   * 12345678-1234-1234-1234-123456789012
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
     #   @return [String]
     #
     # @!attribute [rw] is_organization_trail
     #   Specifies whether the trail is created for all accounts in an
-    #   organization in AWS Organizations, or only for the current AWS
-    #   account. The default is false, and cannot be true unless the call is
-    #   made on behalf of an AWS account that is the master account for an
-    #   organization in AWS Organizations.
+    #   organization in Organizations, or only for the current Amazon Web
+    #   Services account. The default is false, and cannot be true unless
+    #   the call is made on behalf of an Amazon Web Services account that is
+    #   the management account for an organization in Organizations.
     #   @return [Boolean]
     #
     # @!attribute [rw] tags_list
@@ -503,7 +562,7 @@ module Aws::CloudTrail
     # @!attribute [rw] kms_key_id
     #   Specifies the KMS key ID that encrypts the logs delivered by
     #   CloudTrail. The value is a fully specified ARN to a KMS key in the
-    #   format:
+    #   following format.
     #
     #   `arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`
     #   @return [String]
@@ -532,11 +591,12 @@ module Aws::CloudTrail
       include Aws::Structure
     end
 
-    # The Amazon S3 buckets or AWS Lambda functions that you specify in your
-    # event selectors for your trail to log data events. Data events provide
-    # information about the resource operations performed on or within a
-    # resource itself. These are also known as data plane operations. You
-    # can specify up to 250 data resources for a trail.
+    # The Amazon S3 buckets, Lambda functions, or Amazon DynamoDB tables
+    # that you specify in your event selectors for your trail to log data
+    # events. Data events provide information about the resource operations
+    # performed on or within a resource itself. These are also known as data
+    # plane operations. You can specify up to 250 data resources for a
+    # trail.
     #
     # <note markdown="1"> The total number of allowed data resources is 250. This number can be
     # distributed between 1 and 5 event selectors, but the total cannot
@@ -569,22 +629,22 @@ module Aws::CloudTrail
     #     trail doesn’t log the event.
     #
     # The following example demonstrates how logging works when you
-    # configure logging of AWS Lambda data events for a Lambda function
-    # named *MyLambdaFunction*, but not for all AWS Lambda functions.
+    # configure logging of Lambda data events for a Lambda function named
+    # *MyLambdaFunction*, but not for all Lambda functions.
     #
     # 1.  A user runs a script that includes a call to the
     #     *MyLambdaFunction* function and the *MyOtherLambdaFunction*
     #     function.
     #
-    # 2.  The `Invoke` API operation on *MyLambdaFunction* is an AWS Lambda
-    #     API. It is recorded as a data event in CloudTrail. Because the
+    # 2.  The `Invoke` API operation on *MyLambdaFunction* is an Lambda API.
+    #     It is recorded as a data event in CloudTrail. Because the
     #     CloudTrail user specified logging data events for
     #     *MyLambdaFunction*, any invocations of that function are logged.
     #     The trail processes and logs the event.
     #
-    # 3.  The `Invoke` API operation on *MyOtherLambdaFunction* is an AWS
-    #     Lambda API. Because the CloudTrail user did not specify logging
-    #     data events for all Lambda functions, the `Invoke` operation for
+    # 3.  The `Invoke` API operation on *MyOtherLambdaFunction* is an Lambda
+    #     API. Because the CloudTrail user did not specify logging data
+    #     events for all Lambda functions, the `Invoke` operation for
     #     *MyOtherLambdaFunction* does not match the function specified for
     #     the trail. The trail doesn’t log the event.
     #
@@ -598,23 +658,27 @@ module Aws::CloudTrail
     #
     # @!attribute [rw] type
     #   The resource type in which you want to log data events. You can
-    #   specify `AWS::S3::Object` or `AWS::Lambda::Function` resources.
+    #   specify `AWS::S3::Object`, `AWS::Lambda::Function`, or
+    #   `AWS::DynamoDB::Table` resources.
     #
-    #   The `AWS::S3Outposts::Object` resource type is not valid in basic
-    #   event selectors. To log data events on this resource type, use
-    #   advanced event selectors.
+    #   The `AWS::S3Outposts::Object`, `AWS::ManagedBlockchain::Node`,
+    #   `AWS::S3ObjectLambda::AccessPoint`, and `AWS::EC2::Snapshot`
+    #   resource types are not valid in basic event selectors. To log data
+    #   events on these resource types, use advanced event selectors.
     #   @return [String]
     #
     # @!attribute [rw] values
     #   An array of Amazon Resource Name (ARN) strings or partial ARN
     #   strings for the specified objects.
     #
-    #   * To log data events for all objects in all S3 buckets in your AWS
-    #     account, specify the prefix as `arn:aws:s3:::`.
+    #   * To log data events for all objects in all S3 buckets in your
+    #     Amazon Web Services account, specify the prefix as
+    #     `arn:aws:s3:::`.
     #
-    #     <note markdown="1"> This will also enable logging of data event activity performed by
-    #     any user or role in your AWS account, even if that activity is
-    #     performed on a bucket that belongs to another AWS account.
+    #     <note markdown="1"> This also enables logging of data event activity performed by any
+    #     user or role in your Amazon Web Services account, even if that
+    #     activity is performed on a bucket that belongs to another Amazon
+    #     Web Services account.
     #
     #      </note>
     #
@@ -628,12 +692,13 @@ module Aws::CloudTrail
     #     trail logs data events for objects in this S3 bucket that match
     #     the prefix.
     #
-    #   * To log data events for all functions in your AWS account, specify
-    #     the prefix as `arn:aws:lambda`.
+    #   * To log data events for all Lambda functions in your Amazon Web
+    #     Services account, specify the prefix as `arn:aws:lambda`.
     #
-    #     <note markdown="1"> This will also enable logging of `Invoke` activity performed by
-    #     any user or role in your AWS account, even if that activity is
-    #     performed on a function that belongs to another AWS account.
+    #     <note markdown="1"> This also enables logging of `Invoke` activity performed by any
+    #     user or role in your Amazon Web Services account, even if that
+    #     activity is performed on a function that belongs to another Amazon
+    #     Web Services account.
     #
     #      </note>
     #
@@ -649,6 +714,9 @@ module Aws::CloudTrail
     #     *arn:aws:lambda:us-west-2:111111111111:function:helloworld2*.
     #
     #      </note>
+    #
+    #   * To log data events for all DynamoDB tables in your Amazon Web
+    #     Services account, specify the prefix as `arn:aws:dynamodb`.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/DataResource AWS API Documentation
@@ -671,7 +739,7 @@ module Aws::CloudTrail
     #
     # @!attribute [rw] name
     #   Specifies the name or the CloudTrail ARN of the trail to be deleted.
-    #   The format of a trail ARN is:
+    #   The following is the format of a trail ARN.
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #   @return [String]
     #
@@ -752,7 +820,7 @@ module Aws::CloudTrail
     #   configuration. For example, `SNSTopicName` and `SNSTopicARN` are
     #   only returned in results if a trail is configured to send SNS
     #   notifications. Similarly, `KMSKeyId` only appears in results if a
-    #   trail's log files are encrypted with AWS KMS-managed keys.
+    #   trail's log files are encrypted with KMS customer managed keys.
     #   @return [Array<Types::Trail>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/DescribeTrailsResponse AWS API Documentation
@@ -780,9 +848,9 @@ module Aws::CloudTrail
     #   @return [String]
     #
     # @!attribute [rw] access_key_id
-    #   The AWS access key ID that was used to sign the request. If the
-    #   request was made with temporary security credentials, this is the
-    #   access key ID of the temporary credentials.
+    #   The Amazon Web Services access key ID that was used to sign the
+    #   request. If the request was made with temporary security
+    #   credentials, this is the access key ID of the temporary credentials.
     #   @return [String]
     #
     # @!attribute [rw] event_time
@@ -790,7 +858,7 @@ module Aws::CloudTrail
     #   @return [Time]
     #
     # @!attribute [rw] event_source
-    #   The AWS service that the request was made to.
+    #   The Amazon Web Services service to which the request was made.
     #   @return [String]
     #
     # @!attribute [rw] username
@@ -864,15 +932,15 @@ module Aws::CloudTrail
     #   Specify if you want your event selector to include management events
     #   for your trail.
     #
-    #   For more information, see [Management Events][1] in the *AWS
-    #   CloudTrail User Guide*.
+    #   For more information, see [Management Events][1] in the *CloudTrail
+    #   User Guide*.
     #
     #   By default, the value is `true`.
     #
     #   The first copy of management events is free. You are charged for
     #   additional copies of management events that you are logging on any
     #   subsequent trail in the same region. For more information about
-    #   CloudTrail pricing, see [AWS CloudTrail Pricing][2].
+    #   CloudTrail pricing, see [CloudTrail Pricing][2].
     #
     #
     #
@@ -881,15 +949,15 @@ module Aws::CloudTrail
     #   @return [Boolean]
     #
     # @!attribute [rw] data_resources
-    #   CloudTrail supports data event logging for Amazon S3 objects and AWS
-    #   Lambda functions. You can specify up to 250 resources for an
-    #   individual event selector, but the total number of data resources
-    #   cannot exceed 250 across all event selectors in a trail. This limit
-    #   does not apply if you configure resource logging for all data
-    #   events.
+    #   CloudTrail supports data event logging for Amazon S3 objects, Lambda
+    #   functions, and Amazon DynamoDB tables with basic event selectors.
+    #   You can specify up to 250 resources for an individual event
+    #   selector, but the total number of data resources cannot exceed 250
+    #   across all event selectors in a trail. This limit does not apply if
+    #   you configure resource logging for all data events.
     #
-    #   For more information, see [Data Events][1] and [Limits in AWS
-    #   CloudTrail][2] in the *AWS CloudTrail User Guide*.
+    #   For more information, see [Data Events][1] and [Limits in
+    #   CloudTrail][2] in the *CloudTrail User Guide*.
     #
     #
     #
@@ -900,10 +968,11 @@ module Aws::CloudTrail
     # @!attribute [rw] exclude_management_event_sources
     #   An optional list of service event sources from which you do not want
     #   management events to be logged on your trail. In this release, the
-    #   list can be empty (disables the filter), or it can filter out AWS
-    #   Key Management Service events by containing `"kms.amazonaws.com"`.
-    #   By default, `ExcludeManagementEventSources` is empty, and AWS KMS
-    #   events are included in events that are logged to your trail.
+    #   list can be empty (disables the filter), or it can filter out Key
+    #   Management Service or Amazon RDS Data API events by containing
+    #   `kms.amazonaws.com` or `rdsdata.amazonaws.com`. By default,
+    #   `ExcludeManagementEventSources` is empty, and KMS and Amazon RDS
+    #   Data API events are logged to your trail.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/EventSelector AWS API Documentation
@@ -1076,7 +1145,7 @@ module Aws::CloudTrail
     #   Specifies the name or the CloudTrail ARN of the trail for which you
     #   are requesting status. To get the status of a shadow trail (a
     #   replication of the trail in another region), you must specify its
-    #   ARN. The format of a trail ARN is:
+    #   ARN. The following is the format of a trail ARN.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #   @return [String]
@@ -1093,20 +1162,21 @@ module Aws::CloudTrail
     # returns an error.
     #
     # @!attribute [rw] is_logging
-    #   Whether the CloudTrail is currently logging AWS API calls.
+    #   Whether the CloudTrail trail is currently logging Amazon Web
+    #   Services API calls.
     #   @return [Boolean]
     #
     # @!attribute [rw] latest_delivery_error
     #   Displays any Amazon S3 error that CloudTrail encountered when
     #   attempting to deliver log files to the designated bucket. For more
-    #   information see the topic [Error Responses][1] in the Amazon S3 API
+    #   information, see [Error Responses][1] in the Amazon S3 API
     #   Reference.
     #
     #   <note markdown="1"> This error occurs only when there is a problem with the destination
-    #   S3 bucket and will not occur for timeouts. To resolve the issue,
-    #   create a new bucket and call `UpdateTrail` to specify the new
-    #   bucket, or fix the existing objects so that CloudTrail can again
-    #   write to the bucket.
+    #   S3 bucket, and does not occur for requests that time out. To resolve
+    #   the issue, create a new bucket, and then call `UpdateTrail` to
+    #   specify the new bucket; or fix the existing objects so that
+    #   CloudTrail can again write to the bucket.
     #
     #    </note>
     #
@@ -1138,12 +1208,12 @@ module Aws::CloudTrail
     #
     # @!attribute [rw] start_logging_time
     #   Specifies the most recent date and time when CloudTrail started
-    #   recording API calls for an AWS account.
+    #   recording API calls for an Amazon Web Services account.
     #   @return [Time]
     #
     # @!attribute [rw] stop_logging_time
     #   Specifies the most recent date and time when CloudTrail stopped
-    #   recording API calls for an AWS account.
+    #   recording API calls for an Amazon Web Services account.
     #   @return [Time]
     #
     # @!attribute [rw] latest_cloud_watch_logs_delivery_error
@@ -1164,14 +1234,14 @@ module Aws::CloudTrail
     # @!attribute [rw] latest_digest_delivery_error
     #   Displays any Amazon S3 error that CloudTrail encountered when
     #   attempting to deliver a digest file to the designated bucket. For
-    #   more information see the topic [Error Responses][1] in the Amazon S3
-    #   API Reference.
+    #   more information, see [Error Responses][1] in the Amazon S3 API
+    #   Reference.
     #
     #   <note markdown="1"> This error occurs only when there is a problem with the destination
-    #   S3 bucket and will not occur for timeouts. To resolve the issue,
-    #   create a new bucket and call `UpdateTrail` to specify the new
-    #   bucket, or fix the existing objects so that CloudTrail can again
-    #   write to the bucket.
+    #   S3 bucket, and does not occur for requests that time out. To resolve
+    #   the issue, create a new bucket, and then call `UpdateTrail` to
+    #   specify the new bucket; or fix the existing objects so that
+    #   CloudTrail can again write to the bucket.
     #
     #    </note>
     #
@@ -1247,8 +1317,8 @@ module Aws::CloudTrail
     #       }
     #
     # @!attribute [rw] insight_type
-    #   The type of insights to log on a trail. In this release, only
-    #   `ApiCallRateInsight` is supported as an insight type.
+    #   The type of Insights events to log on a trail. The valid Insights
+    #   type in this release is `ApiCallRateInsight`.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/InsightSelector AWS API Documentation
@@ -1287,15 +1357,15 @@ module Aws::CloudTrail
     #
     class InsufficientS3BucketPolicyException < Aws::EmptyStructure; end
 
-    # This exception is thrown when the policy on the SNS topic is not
-    # sufficient.
+    # This exception is thrown when the policy on the Amazon SNS topic is
+    # not sufficient.
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/InsufficientSnsTopicPolicyException AWS API Documentation
     #
     class InsufficientSnsTopicPolicyException < Aws::EmptyStructure; end
 
-    # This exception is thrown when the provided CloudWatch log group is not
-    # valid.
+    # This exception is thrown when the provided CloudWatch Logs log group
+    # is not valid.
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/InvalidCloudWatchLogsLogGroupArnException AWS API Documentation
     #
@@ -1338,7 +1408,7 @@ module Aws::CloudTrail
     #   selectors for a trail.
     #
     # * Specify a valid value for a parameter. For example, specifying the
-    #   `ReadWriteType` parameter with a value of `read-only` is invalid.
+    #   `ReadWriteType` parameter with a value of `read-only` is not valid.
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/InvalidEventSelectorsException AWS API Documentation
     #
@@ -1360,27 +1430,27 @@ module Aws::CloudTrail
     #
     class InvalidInsightSelectorsException < Aws::EmptyStructure; end
 
-    # This exception is thrown when the KMS key ARN is invalid.
+    # This exception is thrown when the KMS key ARN is not valid.
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/InvalidKmsKeyIdException AWS API Documentation
     #
     class InvalidKmsKeyIdException < Aws::EmptyStructure; end
 
-    # Occurs when an invalid lookup attribute is specified.
+    # Occurs when a lookup attribute is specified that is not valid.
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/InvalidLookupAttributesException AWS API Documentation
     #
     class InvalidLookupAttributesException < Aws::EmptyStructure; end
 
-    # This exception is thrown if the limit specified is invalid.
+    # This exception is thrown if the limit specified is not valid.
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/InvalidMaxResultsException AWS API Documentation
     #
     class InvalidMaxResultsException < Aws::EmptyStructure; end
 
-    # Invalid token or token that was previously used in a request with
-    # different parameters. This exception is thrown if the token is
-    # invalid.
+    # A token that is not valid, or a token that was previously used in a
+    # request with different parameters. This exception is thrown if the
+    # token is not valid.
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/InvalidNextTokenException AWS API Documentation
     #
@@ -1421,8 +1491,8 @@ module Aws::CloudTrail
     #
     class InvalidTagParameterException < Aws::EmptyStructure; end
 
-    # Occurs if the timestamp values are invalid. Either the start time
-    # occurs after the end time or the time range is outside the range of
+    # Occurs if the timestamp values are not valid. Either the start time
+    # occurs after the end time, or the time range is outside the range of
     # possible values.
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/InvalidTimeRangeException AWS API Documentation
@@ -1446,7 +1516,7 @@ module Aws::CloudTrail
     # * Be between 3 and 128 characters
     #
     # * Have no adjacent periods, underscores or dashes. Names like
-    #   `my-_namespace` and `my--namespace` are invalid.
+    #   `my-_namespace` and `my--namespace` are not valid.
     #
     # * Not be in IP address format (for example, 192.168.5.4)
     #
@@ -1469,8 +1539,8 @@ module Aws::CloudTrail
 
     # This exception is thrown when the KMS key does not exist, when the S3
     # bucket and the KMS key are not in the same region, or when the KMS key
-    # associated with the SNS topic either does not exist or is not in the
-    # same region.
+    # associated with the Amazon SNS topic either does not exist or is not
+    # in the same region.
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/KmsKeyNotFoundException AWS API Documentation
     #
@@ -1549,7 +1619,7 @@ module Aws::CloudTrail
     #
     # @!attribute [rw] resource_id_list
     #   Specifies a list of trail ARNs whose tags will be listed. The list
-    #   has a limit of 20 ARNs. The format of a trail ARN is:
+    #   has a limit of 20 ARNs. The following is the format of a trail ARN.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #   @return [Array<String>]
@@ -1763,10 +1833,11 @@ module Aws::CloudTrail
     #
     class MaximumNumberOfTrailsExceededException < Aws::EmptyStructure; end
 
-    # This exception is thrown when the AWS account making the request to
-    # create or update an organization trail is not the master account for
-    # an organization in AWS Organizations. For more information, see
-    # [Prepare For Creating a Trail For Your Organization][1].
+    # This exception is thrown when the Amazon Web Services account making
+    # the request to create or update an organization trail is not the
+    # management account for an organization in Organizations. For more
+    # information, see [Prepare For Creating a Trail For Your
+    # Organization][1].
     #
     #
     #
@@ -1783,9 +1854,9 @@ module Aws::CloudTrail
     #
     class OperationNotPermittedException < Aws::EmptyStructure; end
 
-    # This exception is thrown when AWS Organizations is not configured to
-    # support all features. All features must be enabled in AWS Organization
-    # to support creating an organization trail. For more information, see
+    # This exception is thrown when Organizations is not configured to
+    # support all features. All features must be enabled in Organizations to
+    # support creating an organization trail. For more information, see
     # [Prepare For Creating a Trail For Your Organization][1].
     #
     #
@@ -1796,9 +1867,10 @@ module Aws::CloudTrail
     #
     class OrganizationNotInAllFeaturesModeException < Aws::EmptyStructure; end
 
-    # This exception is thrown when the request is made from an AWS account
-    # that is not a member of an organization. To make this request, sign in
-    # using the credentials of an account that belongs to an organization.
+    # This exception is thrown when the request is made from an Amazon Web
+    # Services account that is not a member of an organization. To make this
+    # request, sign in using the credentials of an account that belongs to
+    # an organization.
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/OrganizationsNotInUseException AWS API Documentation
     #
@@ -1881,11 +1953,11 @@ module Aws::CloudTrail
     #   * Be between 3 and 128 characters
     #
     #   * Have no adjacent periods, underscores or dashes. Names like
-    #     `my-_namespace` and `my--namespace` are invalid.
+    #     `my-_namespace` and `my--namespace` are not valid.
     #
     #   * Not be in IP address format (for example, 192.168.5.4)
     #
-    #   If you specify a trail ARN, it must be in the format:
+    #   If you specify a trail ARN, it must be in the following format.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #   @return [String]
@@ -1907,8 +1979,8 @@ module Aws::CloudTrail
     #   `EventSelectors`, but not both. If you apply
     #   `AdvancedEventSelectors` to a trail, any existing `EventSelectors`
     #   are overwritten. For more information about advanced event
-    #   selectors, see [Logging data events for trails][1] in the *AWS
-    #   CloudTrail User Guide*.
+    #   selectors, see [Logging data events for trails][1] in the
+    #   *CloudTrail User Guide*.
     #
     #
     #
@@ -1927,7 +1999,7 @@ module Aws::CloudTrail
 
     # @!attribute [rw] trail_arn
     #   Specifies the ARN of the trail that was updated with event
-    #   selectors. The format of a trail ARN is:
+    #   selectors. The following is the format of a trail ARN.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #   @return [String]
@@ -1968,9 +2040,9 @@ module Aws::CloudTrail
     #   @return [String]
     #
     # @!attribute [rw] insight_selectors
-    #   A JSON string that contains the insight types you want to log on a
-    #   trail. In this release, only `ApiCallRateInsight` is supported as an
-    #   insight type.
+    #   A JSON string that contains the Insights types that you want to log
+    #   on a trail. The valid Insights type in this release is
+    #   `ApiCallRateInsight`.
     #   @return [Array<Types::InsightSelector>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/PutInsightSelectorsRequest AWS API Documentation
@@ -1988,9 +2060,9 @@ module Aws::CloudTrail
     #   @return [String]
     #
     # @!attribute [rw] insight_selectors
-    #   A JSON string that contains the insight types you want to log on a
-    #   trail. In this release, only `ApiCallRateInsight` is supported as an
-    #   insight type.
+    #   A JSON string that contains the Insights event types that you want
+    #   to log on a trail. The valid Insights type in this release is
+    #   `ApiCallRateInsight`.
     #   @return [Array<Types::InsightSelector>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/PutInsightSelectorsResponse AWS API Documentation
@@ -2050,9 +2122,10 @@ module Aws::CloudTrail
     #   The type of a resource referenced by the event returned. When the
     #   resource type cannot be determined, null is returned. Some examples
     #   of resource types are: **Instance** for EC2, **Trail** for
-    #   CloudTrail, **DBInstance** for RDS, and **AccessKey** for IAM. To
-    #   learn more about how to look up and filter events by the resource
-    #   types supported for a service, see [Filtering CloudTrail Events][1].
+    #   CloudTrail, **DBInstance** for Amazon RDS, and **AccessKey** for
+    #   IAM. To learn more about how to look up and filter events by the
+    #   resource types supported for a service, see [Filtering CloudTrail
+    #   Events][1].
     #
     #
     #
@@ -2113,8 +2186,8 @@ module Aws::CloudTrail
     #
     class S3BucketDoesNotExistException < Aws::EmptyStructure; end
 
-    # The request to CloudTrail to start logging AWS API calls for an
-    # account.
+    # The request to CloudTrail to start logging Amazon Web Services API
+    # calls for an account.
     #
     # @note When making an API call, you may pass StartLoggingRequest
     #   data as a hash:
@@ -2125,7 +2198,8 @@ module Aws::CloudTrail
     #
     # @!attribute [rw] name
     #   Specifies the name or the CloudTrail ARN of the trail for which
-    #   CloudTrail logs AWS API calls. The format of a trail ARN is:
+    #   CloudTrail logs Amazon Web Services API calls. The following is the
+    #   format of a trail ARN.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #   @return [String]
@@ -2145,8 +2219,8 @@ module Aws::CloudTrail
     #
     class StartLoggingResponse < Aws::EmptyStructure; end
 
-    # Passes the request to CloudTrail to stop logging AWS API calls for the
-    # specified account.
+    # Passes the request to CloudTrail to stop logging Amazon Web Services
+    # API calls for the specified account.
     #
     # @note When making an API call, you may pass StopLoggingRequest
     #   data as a hash:
@@ -2157,8 +2231,8 @@ module Aws::CloudTrail
     #
     # @!attribute [rw] name
     #   Specifies the name or the CloudTrail ARN of the trail for which
-    #   CloudTrail will stop logging AWS API calls. The format of a trail
-    #   ARN is:
+    #   CloudTrail will stop logging Amazon Web Services API calls. The
+    #   following is the format of a trail ARN.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #   @return [String]
@@ -2235,7 +2309,7 @@ module Aws::CloudTrail
     # @!attribute [rw] s3_key_prefix
     #   Specifies the Amazon S3 key prefix that comes after the name of the
     #   bucket you have designated for log file delivery. For more
-    #   information, see [Finding Your CloudTrail Log Files][1].The maximum
+    #   information, see [Finding Your CloudTrail Log Files][1]. The maximum
     #   length is 200 characters.
     #
     #
@@ -2249,15 +2323,15 @@ module Aws::CloudTrail
     #
     # @!attribute [rw] sns_topic_arn
     #   Specifies the ARN of the Amazon SNS topic that CloudTrail uses to
-    #   send notifications when log files are delivered. The format of a
-    #   topic ARN is:
+    #   send notifications when log files are delivered. The following is
+    #   the format of a topic ARN.
     #
     #   `arn:aws:sns:us-east-2:123456789012:MyTopic`
     #   @return [String]
     #
     # @!attribute [rw] include_global_service_events
-    #   Set to **True** to include AWS API calls from AWS global services
-    #   such as IAM. Otherwise, **False**.
+    #   Set to **True** to include Amazon Web Services API calls from Amazon
+    #   Web Services global services such as IAM. Otherwise, **False**.
     #   @return [Boolean]
     #
     # @!attribute [rw] is_multi_region_trail
@@ -2270,7 +2344,8 @@ module Aws::CloudTrail
     #   @return [String]
     #
     # @!attribute [rw] trail_arn
-    #   Specifies the ARN of the trail. The format of a trail ARN is:
+    #   Specifies the ARN of the trail. The following is the format of a
+    #   trail ARN.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #   @return [String]
@@ -2292,7 +2367,7 @@ module Aws::CloudTrail
     # @!attribute [rw] kms_key_id
     #   Specifies the KMS key ID that encrypts the logs delivered by
     #   CloudTrail. The value is a fully specified ARN to a KMS key in the
-    #   format:
+    #   following format.
     #
     #   `arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`
     #   @return [String]
@@ -2351,7 +2426,7 @@ module Aws::CloudTrail
     #   @return [String]
     #
     # @!attribute [rw] home_region
-    #   The AWS region in which a trail was created.
+    #   The Amazon Web Services Region in which a trail was created.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/TrailInfo AWS API Documentation
@@ -2415,11 +2490,11 @@ module Aws::CloudTrail
     #   * Be between 3 and 128 characters
     #
     #   * Have no adjacent periods, underscores or dashes. Names like
-    #     `my-_namespace` and `my--namespace` are invalid.
+    #     `my-_namespace` and `my--namespace` are not valid.
     #
     #   * Not be in IP address format (for example, 192.168.5.4)
     #
-    #   If `Name` is a trail ARN, it must be in the format:
+    #   If `Name` is a trail ARN, it must be in the following format.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #   @return [String]
@@ -2470,7 +2545,7 @@ module Aws::CloudTrail
     #   false.
     #
     #   <note markdown="1"> When you disable log file integrity validation, the chain of digest
-    #   files is broken after one hour. CloudTrail will not create digest
+    #   files is broken after one hour. CloudTrail does not create digest
     #   files for log files that were delivered during a period in which log
     #   file integrity validation was disabled. For example, if you enable
     #   log file integrity validation at noon on January 1, disable it at
@@ -2485,8 +2560,8 @@ module Aws::CloudTrail
     # @!attribute [rw] cloud_watch_logs_log_group_arn
     #   Specifies a log group name using an Amazon Resource Name (ARN), a
     #   unique identifier that represents the log group to which CloudTrail
-    #   logs will be delivered. Not required unless you specify
-    #   CloudWatchLogsRoleArn.
+    #   logs are delivered. Not required unless you specify
+    #   `CloudWatchLogsRoleArn`.
     #   @return [String]
     #
     # @!attribute [rw] cloud_watch_logs_role_arn
@@ -2500,6 +2575,10 @@ module Aws::CloudTrail
     #   fully specified ARN to an alias, a fully specified ARN to a key, or
     #   a globally unique identifier.
     #
+    #   CloudTrail also supports KMS multi-Region keys. For more information
+    #   about multi-Region keys, see [Using multi-Region keys][1] in the
+    #   *Key Management Service Developer Guide*.
+    #
     #   Examples:
     #
     #   * alias/MyAliasName
@@ -2509,19 +2588,24 @@ module Aws::CloudTrail
     #   * arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
     #
     #   * 12345678-1234-1234-1234-123456789012
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
     #   @return [String]
     #
     # @!attribute [rw] is_organization_trail
     #   Specifies whether the trail is applied to all accounts in an
-    #   organization in AWS Organizations, or only for the current AWS
-    #   account. The default is false, and cannot be true unless the call is
-    #   made on behalf of an AWS account that is the master account for an
-    #   organization in AWS Organizations. If the trail is not an
-    #   organization trail and this is set to true, the trail will be
-    #   created in all AWS accounts that belong to the organization. If the
-    #   trail is an organization trail and this is set to false, the trail
-    #   will remain in the current AWS account but be deleted from all
-    #   member accounts in the organization.
+    #   organization in Organizations, or only for the current Amazon Web
+    #   Services account. The default is false, and cannot be true unless
+    #   the call is made on behalf of an Amazon Web Services account that is
+    #   the management account for an organization in Organizations. If the
+    #   trail is not an organization trail and this is set to `true`, the
+    #   trail will be created in all Amazon Web Services accounts that
+    #   belong to the organization. If the trail is an organization trail
+    #   and this is set to `false`, the trail will remain in the current
+    #   Amazon Web Services account but be deleted from all member accounts
+    #   in the organization.
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/UpdateTrailRequest AWS API Documentation
@@ -2557,7 +2641,7 @@ module Aws::CloudTrail
     # @!attribute [rw] s3_key_prefix
     #   Specifies the Amazon S3 key prefix that comes after the name of the
     #   bucket you have designated for log file delivery. For more
-    #   information, see [Finding Your CloudTrail Log Files][1].
+    #   information, see [Finding Your IAM Log Files][1].
     #
     #
     #
@@ -2565,13 +2649,13 @@ module Aws::CloudTrail
     #   @return [String]
     #
     # @!attribute [rw] sns_topic_name
-    #   This field is no longer in use. Use SnsTopicARN.
+    #   This field is no longer in use. Use UpdateTrailResponse$SnsTopicARN.
     #   @return [String]
     #
     # @!attribute [rw] sns_topic_arn
     #   Specifies the ARN of the Amazon SNS topic that CloudTrail uses to
-    #   send notifications when log files are delivered. The format of a
-    #   topic ARN is:
+    #   send notifications when log files are delivered. The following is
+    #   the format of a topic ARN.
     #
     #   `arn:aws:sns:us-east-2:123456789012:MyTopic`
     #   @return [String]
@@ -2586,8 +2670,8 @@ module Aws::CloudTrail
     #   @return [Boolean]
     #
     # @!attribute [rw] trail_arn
-    #   Specifies the ARN of the trail that was updated. The format of a
-    #   trail ARN is:
+    #   Specifies the ARN of the trail that was updated. The following is
+    #   the format of a trail ARN.
     #
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
     #   @return [String]
@@ -2598,7 +2682,7 @@ module Aws::CloudTrail
     #
     # @!attribute [rw] cloud_watch_logs_log_group_arn
     #   Specifies the Amazon Resource Name (ARN) of the log group to which
-    #   CloudTrail logs will be delivered.
+    #   CloudTrail logs are delivered.
     #   @return [String]
     #
     # @!attribute [rw] cloud_watch_logs_role_arn
@@ -2609,7 +2693,7 @@ module Aws::CloudTrail
     # @!attribute [rw] kms_key_id
     #   Specifies the KMS key ID that encrypts the logs delivered by
     #   CloudTrail. The value is a fully specified ARN to a KMS key in the
-    #   format:
+    #   following format.
     #
     #   `arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`
     #   @return [String]