aws-sdk-cloudtrail 1.91.0 → 1.93.0

@@ -81,11 +81,12 @@ module Aws::CloudTrail
81
81
  class AddTagsResponse < Aws::EmptyStructure; end
82
82
 
83
83
  # Advanced event selectors let you create fine-grained selectors for
84
- # CloudTrail management and data events. They help you control costs by
85
- # logging only those events that are important to you. For more
86
- # information about advanced event selectors, see [Logging management
87
- # events][1] and [Logging data events][2] in the *CloudTrail User
88
- # Guide*.
84
+ # CloudTrail management, data, and network activity events. They help
85
+ # you control costs by logging only those events that are important to
86
+ # you. For more information about configuring advanced event selectors,
87
+ # see the [Logging data events][1], [Logging network activity
88
+ # events][2], and [Logging management events][3] topics in the
89
+ # *CloudTrail User Guide*.
89
90
  #
90
91
  # You cannot apply both event selectors and advanced event selectors to
91
92
  # a trail.
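Review bot: the summary now lists network activity events as a peer of management and data events with no qualifier, while the field list added further down in this same file marks network activity events as a preview feature that is subject to change. Carry that caveat up here (or point at the note) so a reader of only the class summary does not take the feature as generally available.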
@@ -110,6 +111,25 @@ module Aws::CloudTrail
110
111
  #
111
112
  # * `resources.ARN`
112
113
  #
114
+ # **Supported CloudTrail event record fields for network activity
115
+ # events**
116
+ #
117
+ # <note markdown="1"> Network activity events is in preview release for CloudTrail and is
118
+ # subject to change.
119
+ #
120
+ # </note>
121
+ #
122
+ # * `eventCategory` (required)
123
+ #
124
+ # * `eventSource` (required)
125
+ #
126
+ # * `eventName`
127
+ #
128
+ # * `errorCode` - The only valid value for `errorCode` is
129
+ # `VpceAccessDenied`.
130
+ #
131
+ # * `vpcEndpointId`
132
+ #
113
133
  # <note markdown="1"> For event data stores for CloudTrail Insights events, Config
114
134
  # configuration items, Audit Manager evidence, or events outside of
115
135
  # Amazon Web Services, the only supported field is `eventCategory`.
@@ -118,8 +138,9 @@ module Aws::CloudTrail
118
138
  #
119
139
  #
120
140
  #
121
- # [1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html
122
- # [2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
141
+ # [1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
142
+ # [2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html
143
+ # [3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html
123
144
  #
124
145
  # @!attribute [rw] name
125
146
  # An optional, descriptive name for an advanced event selector, such
@@ -149,38 +170,68 @@ module Aws::CloudTrail
149
170
  # filtering is not supported.
150
171
  #
151
172
  # For CloudTrail management events, supported fields include
152
- # `readOnly`, `eventCategory`, and `eventSource`.
173
+ # `eventCategory` (required), `eventSource`, and `readOnly`.
174
+ #
175
+ # For CloudTrail data events, supported fields include `eventCategory`
176
+ # (required), `resources.type` (required), `eventName`, `readOnly`,
177
+ # and `resources.ARN`.
153
178
  #
154
- # For CloudTrail data events, supported fields include `readOnly`,
155
- # `eventCategory`, `eventName`, `resources.type`, and `resources.ARN`.
179
+ # For CloudTrail network activity events, supported fields include
180
+ # `eventCategory` (required), `eventSource` (required), `eventName`,
181
+ # `errorCode`, and `vpcEndpointId`.
156
182
  #
157
183
  # For event data stores for CloudTrail Insights events, Config
158
184
  # configuration items, Audit Manager evidence, or events outside of
159
185
  # Amazon Web Services, the only supported field is `eventCategory`.
160
186
  #
161
- # * <b> <code>readOnly</code> </b> - Optional. Can be set to `Equals`
162
- # a value of `true` or `false`. If you do not add this field,
163
- # CloudTrail logs both `read` and `write` events. A value of `true`
164
- # logs only `read` events. A value of `false` logs only `write`
165
- # events.
187
+ # * <b> <code>readOnly</code> </b> - This is an optional field that is
188
+ # only used for management events and data events. This field can be
189
+ # set to `Equals` with a value of `true` or `false`. If you do not
190
+ # add this field, CloudTrail logs both `read` and `write` events. A
191
+ # value of `true` logs only `read` events. A value of `false` logs
192
+ # only `write` events.
193
+ #
194
+ # * <b> <code>eventSource</code> </b> - This field is only used for
195
+ # management events and network activity events.
196
+ #
197
+ # For management events, this is an optional field that can be set
198
+ # to `NotEquals` `kms.amazonaws.com` to exclude KMS management
199
+ # events, or `NotEquals` `rdsdata.amazonaws.com` to exclude RDS
200
+ # management events.
201
+ #
202
+ # For network activity events, this is a required field that only
203
+ # uses the `Equals` operator. Set this field to the event source for
204
+ # which you want to log network activity events. If you want to log
205
+ # network activity events for multiple event sources, you must
206
+ # create a separate field selector for each event source.
207
+ #
208
+ # The following are valid values for network activity events:
166
209
  #
167
- # * <b> <code>eventSource</code> </b> - For filtering management
168
- # events only. This can be set to `NotEquals` `kms.amazonaws.com` or
169
- # `NotEquals` `rdsdata.amazonaws.com`.
210
+ # * `cloudtrail.amazonaws.com`
170
211
  #
171
- # * <b> <code>eventName</code> </b> - Can use any operator. You can
172
- # use it to filter in or filter out any data event logged to
173
- # CloudTrail, such as `PutBucket` or `GetSnapshotBlock`. You can
174
- # have multiple values for this field, separated by commas.
212
+ # * `ec2.amazonaws.com`
175
213
  #
176
- # * <b> <code>eventCategory</code> </b> - This is required and must be
177
- # set to `Equals`.
214
+ # * `kms.amazonaws.com`
215
+ #
216
+ # * `secretsmanager.amazonaws.com`
217
+ #
218
+ # * <b> <code>eventName</code> </b> - This is an optional field that
219
+ # is only used for data events and network activity events. You can
220
+ # use any operator with `eventName`. You can use it to filter in or
221
+ # filter out specific events. You can have multiple values for this
222
+ # field, separated by commas.
223
+ #
224
+ # * <b> <code>eventCategory</code> </b> - This field is required and
225
+ # must be set to `Equals`.
178
226
  #
179
227
  # * For CloudTrail management events, the value must be
180
228
  # `Management`.
181
229
  #
182
230
  # * For CloudTrail data events, the value must be `Data`.
183
231
  #
232
+ # * For CloudTrail network activity events, the value must be
233
+ # `NetworkActivity`.
234
+ #
184
235
  # The following are used only for event data stores:
185
236
  #
186
237
  # * For CloudTrail Insights events, the value must be `Insight`.
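Review bot: the `eventSource` text for network activity events says `you must create a separate field selector for each event source`, which reads as though a second `eventSource` field selector can be added inside the same advanced event selector; since `eventSource` here accepts only `Equals`, that would give two conflicting equality conditions in one selector. The `resources.type` paragraph in this same block takes the other approach (`To log events on more than one resource type, add another selector.`). Confirm which is meant and use one wording, most likely "a separate advanced event selector for each event source". The `eventName` bullet (`only used for data events and network activity events`) matches the per-category field lists above, so that part is consistent.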
@@ -193,15 +244,17 @@ module Aws::CloudTrail
193
244
  # * For non-Amazon Web Services events, the value must be
194
245
  # `ActivityAuditLog`.
195
246
  #
247
+ # * <b> <code>errorCode</code> </b> - This field is only used to filter
248
+ # CloudTrail network activity events and is optional. This is the
249
+ # error code to filter on. Currently, the only valid `errorCode` is
250
+ # `VpceAccessDenied`. `errorCode` can only use the `Equals`
251
+ # operator.
252
+ #
196
253
  # * <b> <code>resources.type</code> </b> - This field is required for
197
254
  # CloudTrail data events. `resources.type` can only use the `Equals`
198
- # operator, and the value can be one of the following:
199
- #
200
- # * `AWS::DynamoDB::Table`
201
- #
202
- # * `AWS::Lambda::Function`
255
+ # operator.
203
256
  #
204
- # * `AWS::S3::Object`
257
+ # The value can be one of the following:
205
258
  #
206
259
  # * `AWS::AppConfig::Configuration`
207
260
  #
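Review bot: `AWS::DynamoDB::Table`, `AWS::Lambda::Function` and `AWS::S3::Object` are deleted from the head of the `resources.type` list here; they reappear in alphabetical position in later hunks of this file, so nothing is lost, but a diff reader sees only deletions at this point and the commit message should say the list was re-sorted. The new `errorCode` bullet agrees with the field list added earlier (`Equals` only, single valid value `VpceAccessDenied`).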
@@ -209,6 +262,10 @@ module Aws::CloudTrail
209
262
  #
210
263
  # * `AWS::Bedrock::AgentAlias`
211
264
  #
265
+ # * `AWS::Bedrock::FlowAlias`
266
+ #
267
+ # * `AWS::Bedrock::Guardrail`
268
+ #
212
269
  # * `AWS::Bedrock::KnowledgeBase`
213
270
  #
214
271
  # * `AWS::Cassandra::Table`
@@ -217,6 +274,8 @@ module Aws::CloudTrail
217
274
  #
218
275
  # * `AWS::CloudTrail::Channel`
219
276
  #
277
+ # * `AWS::CloudWatch::Metric`
278
+ #
220
279
  # * `AWS::CodeWhisperer::Customization`
221
280
  #
222
281
  # * `AWS::CodeWhisperer::Profile`
@@ -225,6 +284,8 @@ module Aws::CloudTrail
225
284
  #
226
285
  # * `AWS::DynamoDB::Stream`
227
286
  #
287
+ # * `AWS::DynamoDB::Table`
288
+ #
228
289
  # * `AWS::EC2::Snapshot`
229
290
  #
230
291
  # * `AWS::EMRWAL::Workspace`
@@ -253,8 +314,16 @@ module Aws::CloudTrail
253
314
  #
254
315
  # * `AWS::KendraRanking::ExecutionPlan`
255
316
  #
317
+ # * `AWS::Kinesis::Stream`
318
+ #
319
+ # * `AWS::Kinesis::StreamConsumer`
320
+ #
256
321
  # * `AWS::KinesisVideo::Stream`
257
322
  #
323
+ # * `AWS::Lambda::Function`
324
+ #
325
+ # * `AWS::MachineLearning::MlModel`
326
+ #
258
327
  # * `AWS::ManagedBlockchain::Network`
259
328
  #
260
329
  # * `AWS::ManagedBlockchain::Node`
@@ -263,8 +332,18 @@ module Aws::CloudTrail
263
332
  #
264
333
  # * `AWS::NeptuneGraph::Graph`
265
334
  #
335
+ # * `AWS::One::UKey`
336
+ #
337
+ # * `AWS::One::User`
338
+ #
339
+ # * `AWS::PaymentCryptography::Alias`
340
+ #
341
+ # * `AWS::PaymentCryptography::Key`
342
+ #
266
343
  # * `AWS::PCAConnectorAD::Connector`
267
344
  #
345
+ # * `AWS::PCAConnectorSCEP::Connector`
346
+ #
268
347
  # * `AWS::QApps:QApp`
269
348
  #
270
349
  # * `AWS::QBusiness::Application`
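Review bot: the context line `* \`AWS::QApps:QApp\`` has a single colon between `QApps` and `QApp`, unlike every other `AWS::Service::Type` value in this list. It is untouched by this change, but selector values have to match the service model exactly, so it is worth checking against the model while the list is being revised rather than carrying a possible typo into the generated docs.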
@@ -277,8 +356,14 @@ module Aws::CloudTrail
277
356
  #
278
357
  # * `AWS::RDS::DBCluster`
279
358
  #
359
+ # * `AWS::RUM::AppMonitor`
360
+ #
280
361
  # * `AWS::S3::AccessPoint`
281
362
  #
363
+ # * `AWS::S3::Object`
364
+ #
365
+ # * `AWS::S3Express::Object`
366
+ #
282
367
  # * `AWS::S3ObjectLambda::AccessPoint`
283
368
  #
284
369
  # * `AWS::S3Outposts::Object`
@@ -305,6 +390,8 @@ module Aws::CloudTrail
305
390
  #
306
391
  # * `AWS::SSMMessages::ControlChannel`
307
392
  #
393
+ # * `AWS::StepFunctions::StateMachine`
394
+ #
308
395
  # * `AWS::SWF::Domain`
309
396
  #
310
397
  # * `AWS::ThinClient::Device`
@@ -320,509 +407,34 @@ module Aws::CloudTrail
320
407
  # * `AWS::XRay::Trace`
321
408
  #
322
409
  # You can have only one `resources.type` field per selector. To log
323
- # data events on more than one resource type, add another selector.
410
+ # events on more than one resource type, add another selector.
324
411
  #
325
- # * <b> <code>resources.ARN</code> </b> - You can use any operator
326
- # with `resources.ARN`, but if you use `Equals` or `NotEquals`, the
327
- # value must exactly match the ARN of a valid resource of the type
328
- # you've specified in the template as the value of resources.type.
412
+ # * <b> <code>resources.ARN</code> </b> - The `resources.ARN` is an
413
+ # optional field for data events. You can use any operator with
414
+ # `resources.ARN`, but if you use `Equals` or `NotEquals`, the value
415
+ # must exactly match the ARN of a valid resource of the type you've
416
+ # specified in the template as the value of resources.type. To log
417
+ # all data events for all objects in a specific S3 bucket, use the
418
+ # `StartsWith` operator, and include only the bucket ARN as the
419
+ # matching value.
420
+ #
421
+ # For information about filtering data events on the `resources.ARN`
422
+ # field, see [Filtering data events by resources.ARN][1] in the
423
+ # *CloudTrail User Guide*.
329
424
  #
330
425
  # <note markdown="1"> You can't use the `resources.ARN` field to filter resource types
331
426
  # that do not have ARNs.
332
427
  #
333
428
  # </note>
334
429
  #
335
- # The `resources.ARN` field can be set one of the following.
336
- #
337
- # If resources.type equals `AWS::S3::Object`, the ARN must be in one
338
- # of the following formats. To log all data events for all objects
339
- # in a specific S3 bucket, use the `StartsWith` operator, and
340
- # include only the bucket ARN as the matching value.
341
- #
342
- # The trailing slash is intentional; do not exclude it. Replace the
343
- # text between less than and greater than symbols (&lt;&gt;) with
344
- # resource-specific information.
345
- #
346
- # * `arn:<partition>:s3:::<bucket_name>/`
347
- #
348
- # * `arn:<partition>:s3:::<bucket_name>/<object_path>/`
349
- #
350
- # When resources.type equals `AWS::DynamoDB::Table`, and the
351
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
352
- # following format:
353
- #
354
- # * `arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>`
355
- #
356
- # ^
357
- #
358
- # When resources.type equals `AWS::Lambda::Function`, and the
359
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
360
- # following format:
361
- #
362
- # * `arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>`
363
- #
364
- # ^
365
- #
366
- # When resources.type equals `AWS::AppConfig::Configuration`, and
367
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
368
- # the following format:
369
- #
370
- # * `arn:<partition>:appconfig:<region>:<account_ID>:application/<application_ID>/environment/<environment_ID>/configuration/<configuration_profile_ID>`
371
- #
372
- # ^
373
- #
374
- # When resources.type equals `AWS::B2BI::Transformer`, and the
375
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
376
- # following format:
377
- #
378
- # * `arn:<partition>:b2bi:<region>:<account_ID>:transformer/<transformer_ID>`
379
- #
380
- # ^
381
- #
382
- # When resources.type equals `AWS::Bedrock::AgentAlias`, and the
383
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
384
- # following format:
385
- #
386
- # * `arn:<partition>:bedrock:<region>:<account_ID>:agent-alias/<agent_ID>/<alias_ID>`
387
- #
388
- # ^
389
- #
390
- # When resources.type equals `AWS::Bedrock::KnowledgeBase`, and the
391
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
392
- # following format:
393
- #
394
- # * `arn:<partition>:bedrock:<region>:<account_ID>:knowledge-base/<knowledge_base_ID>`
395
- #
396
- # ^
397
- #
398
- # When resources.type equals `AWS::Cassandra::Table`, and the
399
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
400
- # following format:
401
- #
402
- # * `arn:<partition>:cassandra:<region>:<account_ID>:/keyspace/<keyspace_name>/table/<table_name>`
403
- #
404
- # ^
405
- #
406
- # When resources.type equals `AWS::CloudFront::KeyValueStore`, and
407
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
408
- # the following format:
409
- #
410
- # * `arn:<partition>:cloudfront:<region>:<account_ID>:key-value-store/<KVS_name>`
411
- #
412
- # ^
413
- #
414
- # When resources.type equals `AWS::CloudTrail::Channel`, and the
415
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
416
- # following format:
417
- #
418
- # * `arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>`
419
- #
420
- # ^
421
- #
422
- # When resources.type equals `AWS::CodeWhisperer::Customization`,
423
- # and the operator is set to `Equals` or `NotEquals`, the ARN must
424
- # be in the following format:
425
- #
426
- # * `arn:<partition>:codewhisperer:<region>:<account_ID>:customization/<customization_ID>`
427
- #
428
- # ^
429
- #
430
- # When resources.type equals `AWS::CodeWhisperer::Profile`, and the
431
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
432
- # following format:
433
- #
434
- # * `arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>`
435
- #
436
- # ^
437
- #
438
- # When resources.type equals `AWS::Cognito::IdentityPool`, and the
439
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
440
- # following format:
441
- #
442
- # * `arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>`
443
- #
444
- # ^
445
- #
446
- # When `resources.type` equals `AWS::DynamoDB::Stream`, and the
447
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
448
- # following format:
449
- #
450
- # * `arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>`
451
- #
452
- # ^
453
- #
454
- # When `resources.type` equals `AWS::EC2::Snapshot`, and the
455
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
456
- # following format:
457
- #
458
- # * `arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>`
459
- #
460
- # ^
461
- #
462
- # When `resources.type` equals `AWS::EMRWAL::Workspace`, and the
463
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
464
- # following format:
465
- #
466
- # * `arn:<partition>:emrwal:<region>:<account_ID>:workspace/<workspace_name>`
467
- #
468
- # ^
469
- #
470
- # When `resources.type` equals `AWS::FinSpace::Environment`, and the
471
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
472
- # following format:
473
- #
474
- # * `arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>`
475
- #
476
- # ^
477
- #
478
- # When `resources.type` equals `AWS::Glue::Table`, and the operator
479
- # is set to `Equals` or `NotEquals`, the ARN must be in the
480
- # following format:
481
- #
482
- # * `arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>`
483
- #
484
- # ^
485
- #
486
- # When `resources.type` equals
487
- # `AWS::GreengrassV2::ComponentVersion`, and the operator is set to
488
- # `Equals` or `NotEquals`, the ARN must be in the following format:
489
- #
490
- # * `arn:<partition>:greengrass:<region>:<account_ID>:components/<component_name>`
491
- #
492
- # ^
493
- #
494
- # When `resources.type` equals `AWS::GreengrassV2::Deployment`, and
495
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
496
- # the following format:
497
- #
498
- # * `arn:<partition>:greengrass:<region>:<account_ID>:deployments/<deployment_ID`
499
- #
500
- # ^
501
- #
502
- # When `resources.type` equals `AWS::GuardDuty::Detector`, and the
503
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
504
- # following format:
505
- #
506
- # * `arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>`
507
- #
508
- # ^
509
- #
510
- # When `resources.type` equals `AWS::IoT::Certificate`, and the
511
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
512
- # following format:
513
- #
514
- # * `arn:<partition>:iot:<region>:<account_ID>:cert/<certificate_ID>`
515
- #
516
- # ^
517
- #
518
- # When `resources.type` equals `AWS::IoT::Thing`, and the operator
519
- # is set to `Equals` or `NotEquals`, the ARN must be in the
520
- # following format:
521
- #
522
- # * `arn:<partition>:iot:<region>:<account_ID>:thing/<thing_ID>`
523
- #
524
- # ^
525
- #
526
- # When `resources.type` equals `AWS::IoTSiteWise::Asset`, and the
527
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
528
- # following format:
529
- #
530
- # * `arn:<partition>:iotsitewise:<region>:<account_ID>:asset/<asset_ID>`
531
- #
532
- # ^
533
- #
534
- # When `resources.type` equals `AWS::IoTSiteWise::TimeSeries`, and
535
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
536
- # the following format:
537
- #
538
- # * `arn:<partition>:iotsitewise:<region>:<account_ID>:timeseries/<timeseries_ID>`
539
- #
540
- # ^
541
- #
542
- # When `resources.type` equals `AWS::IoTTwinMaker::Entity`, and the
543
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
544
- # following format:
545
- #
546
- # * `arn:<partition>:iottwinmaker:<region>:<account_ID>:workspace/<workspace_ID>/entity/<entity_ID>`
430
+ # * <b> <code>vpcEndpointId</code> </b> - This field is only used to
431
+ # filter CloudTrail network activity events and is optional. This
432
+ # field identifies the VPC endpoint that the request passed through.
433
+ # You can use any operator with `vpcEndpointId`.
547
434
  #
548
- # ^
549
435
  #
550
- # When `resources.type` equals `AWS::IoTTwinMaker::Workspace`, and
551
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
552
- # the following format:
553
436
  #
554
- # * `arn:<partition>:iottwinmaker:<region>:<account_ID>:workspace/<workspace_ID>`
555
- #
556
- # ^
557
- #
558
- # When `resources.type` equals `AWS::KendraRanking::ExecutionPlan`,
559
- # and the operator is set to `Equals` or `NotEquals`, the ARN must
560
- # be in the following format:
561
- #
562
- # * `arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>`
563
- #
564
- # ^
565
- #
566
- # When `resources.type` equals `AWS::KinesisVideo::Stream`, and the
567
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
568
- # following format:
569
- #
570
- # * `arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name>/<creation_time>`
571
- #
572
- # ^
573
- #
574
- # When `resources.type` equals `AWS::ManagedBlockchain::Network`,
575
- # and the operator is set to `Equals` or `NotEquals`, the ARN must
576
- # be in the following format:
577
- #
578
- # * `arn:<partition>:managedblockchain:::networks/<network_name>`
579
- #
580
- # ^
581
- #
582
- # When `resources.type` equals `AWS::ManagedBlockchain::Node`, and
583
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
584
- # the following format:
585
- #
586
- # * `arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>`
587
- #
588
- # ^
589
- #
590
- # When `resources.type` equals `AWS::MedicalImaging::Datastore`, and
591
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
592
- # the following format:
593
- #
594
- # * `arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>`
595
- #
596
- # ^
597
- #
598
- # When `resources.type` equals `AWS::NeptuneGraph::Graph`, and the
599
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
600
- # following format:
601
- #
602
- # * `arn:<partition>:neptune-graph:<region>:<account_ID>:graph/<graph_ID>`
603
- #
604
- # ^
605
- #
606
- # When `resources.type` equals `AWS::PCAConnectorAD::Connector`, and
607
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
608
- # the following format:
609
- #
610
- # * `arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>`
611
- #
612
- # ^
613
- #
614
- # When `resources.type` equals `AWS::QApps:QApp`, and the operator
615
- # is set to `Equals` or `NotEquals`, the ARN must be in the
616
- # following format:
617
- #
618
- # * `arn:<partition>:qapps:<region>:<account_ID>:application/<application_UUID>/qapp/<qapp_UUID>`
619
- #
620
- # ^
621
- #
622
- # When `resources.type` equals `AWS::QBusiness::Application`, and
623
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
624
- # the following format:
625
- #
626
- # * `arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>`
627
- #
628
- # ^
629
- #
630
- # When `resources.type` equals `AWS::QBusiness::DataSource`, and the
631
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
632
- # following format:
633
- #
634
- # * `arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>/data-source/<datasource_ID>`
635
- #
636
- # ^
637
- #
638
- # When `resources.type` equals `AWS::QBusiness::Index`, and the
639
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
640
- # following format:
641
- #
642
- # * `arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>`
643
- #
644
- # ^
645
- #
646
- # When `resources.type` equals `AWS::QBusiness::WebExperience`, and
647
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
648
- # the following format:
649
- #
650
- # * `arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/web-experience/<web_experience_ID>`
651
- #
652
- # ^
653
- #
654
- # When `resources.type` equals `AWS::RDS::DBCluster`, and the
655
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
656
- # following format:
657
- #
658
- # * `arn:<partition>:rds:<region>:<account_ID>:cluster/<cluster_name>`
659
- #
660
- # ^
661
- #
662
- # When `resources.type` equals `AWS::S3::AccessPoint`, and the
663
- # operator is set to `Equals` or `NotEquals`, the ARN must be in one
664
- # of the following formats. To log events on all objects in an S3
665
- # access point, we recommend that you use only the access point ARN,
666
- # don’t include the object path, and use the `StartsWith` or
667
- # `NotStartsWith` operators.
668
- #
669
- # * `arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>`
670
- #
671
- # * `arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>`
672
- #
673
- # When `resources.type` equals `AWS::S3ObjectLambda::AccessPoint`,
674
- # and the operator is set to `Equals` or `NotEquals`, the ARN must
675
- # be in the following format:
676
- #
677
- # * `arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>`
678
- #
679
- # ^
680
- #
681
- # When `resources.type` equals `AWS::S3Outposts::Object`, and the
682
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
683
- # following format:
684
- #
685
- # * `arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>`
686
- #
687
- # ^
688
- #
689
- # When `resources.type` equals `AWS::SageMaker::Endpoint`, and the
690
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
691
- # following format:
692
- #
693
- # * `arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>`
694
- #
695
- # ^
696
- #
697
- # When `resources.type` equals
698
- # `AWS::SageMaker::ExperimentTrialComponent`, and the operator is
699
- # set to `Equals` or `NotEquals`, the ARN must be in the following
700
- # format:
701
- #
702
- # * `arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>`
703
- #
704
- # ^
705
- #
706
- # When `resources.type` equals `AWS::SageMaker::FeatureGroup`, and
707
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
708
- # the following format:
709
- #
710
- # * `arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>`
711
- #
712
- # ^
713
- #
714
- # When `resources.type` equals `AWS::SCN::Instance`, and the
715
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
716
- # following format:
717
- #
718
- # * `arn:<partition>:scn:<region>:<account_ID>:instance/<instance_ID>`
719
- #
720
- # ^
721
- #
722
- # When `resources.type` equals `AWS::ServiceDiscovery::Namespace`,
723
- # and the operator is set to `Equals` or `NotEquals`, the ARN must
724
- # be in the following format:
725
- #
726
- # * `arn:<partition>:servicediscovery:<region>:<account_ID>:namespace/<namespace_ID>`
727
- #
728
- # ^
729
- #
730
- # When `resources.type` equals `AWS::ServiceDiscovery::Service`, and
731
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
732
- # the following format:
733
- #
734
- # * `arn:<partition>:servicediscovery:<region>:<account_ID>:service/<service_ID>`
735
- #
736
- # ^
737
- #
738
- # When `resources.type` equals `AWS::SNS::PlatformEndpoint`, and the
739
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
740
- # following format:
741
- #
742
- # * `arn:<partition>:sns:<region>:<account_ID>:endpoint/<endpoint_type>/<endpoint_name>/<endpoint_ID>`
743
- #
744
- # ^
745
- #
746
- # When `resources.type` equals `AWS::SNS::Topic`, and the operator
747
- # is set to `Equals` or `NotEquals`, the ARN must be in the
748
- # following format:
749
- #
750
- # * `arn:<partition>:sns:<region>:<account_ID>:<topic_name>`
751
- #
752
- # ^
753
- #
754
- # When `resources.type` equals `AWS::SQS::Queue`, and the operator
755
- # is set to `Equals` or `NotEquals`, the ARN must be in the
756
- # following format:
757
- #
758
- # * `arn:<partition>:sqs:<region>:<account_ID>:<queue_name>`
759
- #
760
- # ^
761
- #
762
- # When `resources.type` equals `AWS::SSM::ManagedNode`, and the
763
- # operator is set to `Equals` or `NotEquals`, the ARN must be in one
764
- # of the following formats:
765
- #
766
- # * `arn:<partition>:ssm:<region>:<account_ID>:managed-instance/<instance_ID>`
767
- #
768
- # * `arn:<partition>:ec2:<region>:<account_ID>:instance/<instance_ID>`
769
- #
770
- # When `resources.type` equals `AWS::SSMMessages::ControlChannel`,
771
- # and the operator is set to `Equals` or `NotEquals`, the ARN must
772
- # be in the following format:
773
- #
774
- # * `arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>`
775
- #
776
- # ^
777
- #
778
- # When `resources.type` equals `AWS::SWF::Domain`, and the operator
779
- # is set to `Equals` or `NotEquals`, the ARN must be in the
780
- # following format:
781
- #
782
- # * `arn:<partition>:swf:<region>:<account_ID>:domain/<domain_name>`
783
- #
784
- # ^
785
- #
786
- # When `resources.type` equals `AWS::ThinClient::Device`, and the
787
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
788
- # following format:
789
- #
790
- # * `arn:<partition>:thinclient:<region>:<account_ID>:device/<device_ID>`
791
- #
792
- # ^
793
- #
794
- # When `resources.type` equals `AWS::ThinClient::Environment`, and
795
- # the operator is set to `Equals` or `NotEquals`, the ARN must be in
796
- # the following format:
797
- #
798
- # * `arn:<partition>:thinclient:<region>:<account_ID>:environment/<environment_ID>`
799
- #
800
- # ^
801
- #
802
- # When `resources.type` equals `AWS::Timestream::Database`, and the
803
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
804
- # following format:
805
- #
806
- # * `arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>`
807
- #
808
- # ^
809
- #
810
- # When `resources.type` equals `AWS::Timestream::Table`, and the
811
- # operator is set to `Equals` or `NotEquals`, the ARN must be in the
812
- # following format:
813
- #
814
- # * `arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>/table/<table_name>`
815
- #
816
- # ^
817
- #
818
- # When resources.type equals
819
- # `AWS::VerifiedPermissions::PolicyStore`, and the operator is set
820
- # to `Equals` or `NotEquals`, the ARN must be in the following
821
- # format:
822
- #
823
- # * `arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>`
824
- #
825
- # ^
437
+ # [1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn
826
438
  # @return [String]
827
439
  #
828
440
  # @!attribute [rw] equals
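Review bot: replacing the per-type ARN formats with a link drops the S3 guidance that lived here: `The trailing slash is intentional; do not exclude it.` together with the `arn:<partition>:s3:::<bucket_name>/` form. The new `resources.ARN` text only says to use `StartsWith` with `only the bucket ARN as the matching value`; read literally, `StartsWith` on a bucket ARN with no trailing slash also matches every bucket whose name begins with that string (the `bucket-1` / `bucket-2` walkthrough later in this file is exactly that shape), which over-logs with `StartsWith` and silently excludes sibling buckets with `NotStartsWith`. Keep the trailing-slash sentence inline next to the `StartsWith` advice instead of relying on the linked page. Minor: the new `vpcEndpointId` bullet is followed by three consecutive `#` lines before the `[1]:` reference; one blank comment line is enough.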
@@ -1591,16 +1203,8 @@ module Aws::CloudTrail
1591
1203
  include Aws::Structure
1592
1204
  end
1593
1205
 
1594
- # Data events provide information about the resource operations
1595
- # performed on or within a resource itself. These are also known as data
1596
- # plane operations. You can specify up to 250 data resources for a
1597
- # trail.
1598
- #
1599
- # Configure the `DataResource` to specify the resource type and resource
1600
- # ARNs for which you want to log data events.
1601
- #
1602
- # You can specify the following resource types in your event selectors
1603
- # for your trail:
1206
+ # You can configure the `DataResource` in an `EventSelector` to log data
1207
+ # events for the following three resource types:
1604
1208
  #
1605
1209
  # * `AWS::DynamoDB::Table`
1606
1210
  #
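Review bot: the sentence defining data events (`Data events provide information about the resource operations performed on or within a resource itself ... also known as data plane operations`) is removed and not replaced; the new opener only says what `DataResource` configures. Keep one defining sentence so the struct doc stays self-contained. The `up to 250 data resources` figure is still stated in the note that follows, so no limit is lost in this hunk.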
@@ -1608,22 +1212,28 @@ module Aws::CloudTrail
1608
1212
  #
1609
1213
  # * `AWS::S3::Object`
1610
1214
  #
1215
+ # To log data events for all other resource types including objects
1216
+ # stored in [directory buckets][1], you must use
1217
+ # [AdvancedEventSelectors][2]. You must also use
1218
+ # `AdvancedEventSelectors` if you want to filter on the `eventName`
1219
+ # field.
1220
+ #
1221
+ # Configure the `DataResource` to specify the resource type and resource
1222
+ # ARNs for which you want to log data events.
1223
+ #
1611
1224
  # <note markdown="1"> The total number of allowed data resources is 250. This number can be
1612
1225
  # distributed between 1 and 5 event selectors, but the total cannot
1613
1226
  # exceed 250 across all selectors for the trail.
1614
1227
  #
1615
- # If you are using advanced event selectors, the maximum total number of
1616
- # values for all conditions, across all advanced event selectors for the
1617
- # trail, is 500.
1618
- #
1619
1228
  # </note>
1620
1229
  #
1621
1230
  # The following example demonstrates how logging works when you
1622
- # configure logging of all data events for an S3 bucket named
1623
- # `bucket-1`. In this example, the CloudTrail user specified an empty
1624
- # prefix, and the option to log both `Read` and `Write` data events.
1231
+ # configure logging of all data events for a general purpose bucket
1232
+ # named `amzn-s3-demo-bucket1`. In this example, the CloudTrail user
1233
+ # specified an empty prefix, and the option to log both `Read` and
1234
+ # `Write` data events.
1625
1235
  #
1626
- # 1. A user uploads an image file to `bucket-1`.
1236
+ # 1. A user uploads an image file to `amzn-s3-demo-bucket1`.
1627
1237
  #
1628
1238
  # 2. The `PutObject` API operation is an Amazon S3 object-level API. It
1629
1239
  # is recorded as a data event in CloudTrail. Because the CloudTrail
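Review bot: The removed note about the 500-value maximum for advanced event selectors is no longer stated here, while the added paragraph now sends readers to `AdvancedEventSelectors` for every other resource type and for `eventName` filtering; either keep that limit in the `<note>` or point to where it is documented, so a reader redirected from this paragraph also learns the advanced-selector limit. Minor wording: "all other resource types including objects stored in [directory buckets][1]" reads better with a comma before "including"; the `[1]` and `[2]` references it uses are defined further down in this struct's docs, so they resolve.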
@@ -1632,7 +1242,7 @@ module Aws::CloudTrail
1632
1242
  # and logs the event.
1633
1243
  #
1634
1244
  # 3. A user uploads an object to an Amazon S3 bucket named
1635
- # `arn:aws:s3:::bucket-2`.
1245
+ # `arn:aws:s3:::amzn-s3-demo-bucket1`.
1636
1246
  #
1637
1247
  # 4. The `PutObject` API operation occurred for an object in an S3
1638
1248
  # bucket that the CloudTrail user didn't specify for the trail. The
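Review bot: Step 3 now uploads to `arn:aws:s3:::amzn-s3-demo-bucket1`, the same bucket the example configured the trail for, yet the unchanged step 4 context says the `PutObject` occurred in an S3 bucket "that the CloudTrail user didn't specify for the trail" and so is not logged. The rename of `bucket-2` needs a distinct name (for instance `amzn-s3-demo-bucket2`, a placeholder) or the worked example contradicts itself.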
@@ -1658,6 +1268,11 @@ module Aws::CloudTrail
1658
1268
  # *MyOtherLambdaFunction* does not match the function specified for
1659
1269
  # the trail. The trail doesn’t log the event.
1660
1270
  #
1271
+ #
1272
+ #
1273
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html
1274
+ # [2]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedEventSelector.html
1275
+ #
1661
1276
  # @!attribute [rw] type
1662
1277
  # The resource type in which you want to log data events. You can
1663
1278
  # specify the following *basic* event selector resource types:
@@ -1693,13 +1308,13 @@ module Aws::CloudTrail
1693
1308
  #
1694
1309
  # * To log data events for all objects in an S3 bucket, specify the
1695
1310
  # bucket and an empty object prefix such as
1696
- # `arn:aws:s3:::bucket-1/`. The trail logs data events for all
1697
- # objects in this S3 bucket.
1311
+ # `arn:aws:s3:::amzn-s3-demo-bucket1/`. The trail logs data events
1312
+ # for all objects in this S3 bucket.
1698
1313
  #
1699
1314
  # * To log data events for specific objects, specify the S3 bucket and
1700
- # object prefix such as `arn:aws:s3:::bucket-1/example-images`. The
1701
- # trail logs data events for objects in this S3 bucket that match
1702
- # the prefix.
1315
+ # object prefix such as
1316
+ # `arn:aws:s3:::amzn-s3-demo-bucket1/example-images`. The trail logs
1317
+ # data events for objects in this S3 bucket that match the prefix.
1703
1318
  #
1704
1319
  # * To log data events for all Lambda functions in your Amazon Web
1705
1320
  # Services account, specify the prefix as `arn:aws:lambda`.
@@ -2306,20 +1921,31 @@ module Aws::CloudTrail
2306
1921
  # @return [Boolean]
2307
1922
  #
2308
1923
  # @!attribute [rw] data_resources
2309
- # CloudTrail supports data event logging for Amazon S3 objects, Lambda
2310
- # functions, and Amazon DynamoDB tables with basic event selectors.
2311
- # You can specify up to 250 resources for an individual event
2312
- # selector, but the total number of data resources cannot exceed 250
2313
- # across all event selectors in a trail. This limit does not apply if
2314
- # you configure resource logging for all data events.
1924
+ # CloudTrail supports data event logging for Amazon S3 objects in
1925
+ # standard S3 buckets, Lambda functions, and Amazon DynamoDB tables
1926
+ # with basic event selectors. You can specify up to 250 resources for
1927
+ # an individual event selector, but the total number of data resources
1928
+ # cannot exceed 250 across all event selectors in a trail. This limit
1929
+ # does not apply if you configure resource logging for all data
1930
+ # events.
2315
1931
  #
2316
1932
  # For more information, see [Data Events][1] and [Limits in
2317
1933
  # CloudTrail][2] in the *CloudTrail User Guide*.
2318
1934
  #
1935
+ # <note markdown="1"> To log data events for all other resource types including objects
1936
+ # stored in [directory buckets][3], you must use
1937
+ # [AdvancedEventSelectors][4]. You must also use
1938
+ # `AdvancedEventSelectors` if you want to filter on the `eventName`
1939
+ # field.
1940
+ #
1941
+ # </note>
1942
+ #
2319
1943
  #
2320
1944
  #
2321
1945
  # [1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
2322
1946
  # [2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html
1947
+ # [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html
1948
+ # [4]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedEventSelector.html
2323
1949
  # @return [Array<Types::DataResource>]
2324
1950
  #
2325
1951
  # @!attribute [rw] exclude_management_event_sources
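Review bot: Terminology is inconsistent within this change: here basic event selectors are said to cover "Amazon S3 objects in standard S3 buckets", while the `DataResource` docs in the same diff describe the same case as a "general purpose bucket"; pick one term and use it in both places, preferably the one the S3 documentation at `[3]` uses alongside "directory buckets". Same missing comma before "including objects stored in [directory buckets][3]" as in the `DataResource` paragraph.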
@@ -4234,28 +3860,43 @@ module Aws::CloudTrail
4234
3860
  # @return [String]
4235
3861
  #
4236
3862
  # @!attribute [rw] event_selectors
4237
- # Specifies the settings for your event selectors. You can configure
4238
- # up to five event selectors for a trail. You can use either
4239
- # `EventSelectors` or `AdvancedEventSelectors` in a
3863
+ # Specifies the settings for your event selectors. You can use event
3864
+ # selectors to log management events and data events for the following
3865
+ # resource types:
3866
+ #
3867
+ # * `AWS::DynamoDB::Table`
3868
+ #
3869
+ # * `AWS::Lambda::Function`
3870
+ #
3871
+ # * `AWS::S3::Object`
3872
+ #
3873
+ # You can't use event selectors to log network activity events.
3874
+ #
3875
+ # You can configure up to five event selectors for a trail. You can
3876
+ # use either `EventSelectors` or `AdvancedEventSelectors` in a
4240
3877
  # `PutEventSelectors` request, but not both. If you apply
4241
3878
  # `EventSelectors` to a trail, any existing `AdvancedEventSelectors`
4242
3879
  # are overwritten.
4243
3880
  # @return [Array<Types::EventSelector>]
4244
3881
  #
4245
3882
  # @!attribute [rw] advanced_event_selectors
4246
- # Specifies the settings for advanced event selectors. You can add
4247
- # advanced event selectors, and conditions for your advanced event
4248
- # selectors, up to a maximum of 500 values for all conditions and
4249
- # selectors on a trail. You can use either `AdvancedEventSelectors` or
4250
- # `EventSelectors`, but not both. If you apply
4251
- # `AdvancedEventSelectors` to a trail, any existing `EventSelectors`
4252
- # are overwritten. For more information about advanced event
4253
- # selectors, see [Logging data events][1] in the *CloudTrail User
4254
- # Guide*.
3883
+ # Specifies the settings for advanced event selectors. You can use
3884
+ # advanced event selectors to log management events, data events for
3885
+ # all resource types, and network activity events.
3886
+ #
3887
+ # You can add advanced event selectors, and conditions for your
3888
+ # advanced event selectors, up to a maximum of 500 values for all
3889
+ # conditions and selectors on a trail. You can use either
3890
+ # `AdvancedEventSelectors` or `EventSelectors`, but not both. If you
3891
+ # apply `AdvancedEventSelectors` to a trail, any existing
3892
+ # `EventSelectors` are overwritten. For more information about
3893
+ # advanced event selectors, see [Logging data events][1] and [Logging
3894
+ # network activity events][2] in the *CloudTrail User Guide*.
4255
3895
  #
4256
3896
  #
4257
3897
  #
4258
3898
  # [1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
3899
+ # [2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html
4259
3900
  # @return [Array<Types::AdvancedEventSelector>]
4260
3901
  #
4261
3902
  # @see http://docs.aws.amazon.com/goto/WebAPI/cloudtrail-2013-11-01/PutEventSelectorsRequest AWS API Documentation
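Review bot: The `event_selectors` list of supported resource types repeats the `DataResource` list but without the qualification the `data_resources` docs added in this same diff (basic selectors cover S3 objects in standard/general purpose buckets only; directory-bucket objects and `eventName` filtering require `AdvancedEventSelectors`); add that qualification after `AWS::S3::Object`, or a pointer to `DataResource`, so a reader of `PutEventSelectorsRequest` alone does not assume basic selectors cover every S3 object. The `advanced_event_selectors` wording and the new `[2]` link to `logging-network-events-with-cloudtrail.html` look correct.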