PyPI - aws-cdk-lib - Versions diffs - 2.149.0__py3-none-any.whl → 2.151.0__py3-none-any.whl - Mend

aws-cdk-lib 2.149.0py3-none-any.whl → 2.151.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of aws-cdk-lib might be problematic. Click here for more details.

Files changed (48) hide show

aws_cdk/__init__.py +6 -16
aws_cdk/_jsii/__init__.py +1 -1
aws_cdk/_jsii/{aws-cdk-lib@2.149.0.jsii.tgz → aws-cdk-lib@2.151.0.jsii.tgz} +0 -0
aws_cdk/aws_apigatewayv2/__init__.py +94 -21
aws_cdk/aws_appconfig/__init__.py +3 -3
aws_cdk/aws_backup/__init__.py +3 -3
aws_cdk/aws_bedrock/__init__.py +58 -46
aws_cdk/aws_cleanrooms/__init__.py +5 -5
aws_cdk/aws_cloudformation/__init__.py +4 -8
aws_cdk/aws_cloudfront/__init__.py +102 -32
aws_cdk/aws_cloudtrail/__init__.py +34 -558
aws_cdk/aws_cloudwatch/__init__.py +1 -1
aws_cdk/aws_codepipeline/__init__.py +11 -5
aws_cdk/aws_cognito/__init__.py +1 -2
aws_cdk/aws_ec2/__init__.py +263 -7
aws_cdk/aws_ecs/__init__.py +16 -10
aws_cdk/aws_eks/__init__.py +26 -20
aws_cdk/aws_elasticloadbalancingv2/__init__.py +106 -11
aws_cdk/aws_emr/__init__.py +18 -20
aws_cdk/aws_entityresolution/__init__.py +27 -21
aws_cdk/aws_events/__init__.py +83 -16
aws_cdk/aws_fsx/__init__.py +25 -23
aws_cdk/aws_glue/__init__.py +3 -3
aws_cdk/aws_guardduty/__init__.py +6 -4
aws_cdk/aws_iam/__init__.py +19 -29
aws_cdk/aws_iotsitewise/__init__.py +8 -8
aws_cdk/aws_lambda/__init__.py +21 -2
aws_cdk/aws_logs/__init__.py +9 -0
aws_cdk/aws_mwaa/__init__.py +3 -3
aws_cdk/aws_pipes/__init__.py +2 -2
aws_cdk/aws_qbusiness/__init__.py +21 -7
aws_cdk/aws_rds/__init__.py +252 -206
aws_cdk/aws_s3/__init__.py +8 -2
aws_cdk/aws_sagemaker/__init__.py +10 -10
aws_cdk/aws_ses/__init__.py +3 -3
aws_cdk/aws_sns/__init__.py +5 -2
aws_cdk/aws_stepfunctions/__init__.py +5 -2
aws_cdk/aws_stepfunctions_tasks/__init__.py +23 -8
aws_cdk/aws_synthetics/__init__.py +174 -22
aws_cdk/custom_resources/__init__.py +91 -23
aws_cdk/pipelines/__init__.py +1 -1
aws_cdk/region_info/__init__.py +32 -12
{aws_cdk_lib-2.149.0.dist-info → aws_cdk_lib-2.151.0.dist-info}/METADATA +1 -1
{aws_cdk_lib-2.149.0.dist-info → aws_cdk_lib-2.151.0.dist-info}/RECORD +48 -48
{aws_cdk_lib-2.149.0.dist-info → aws_cdk_lib-2.151.0.dist-info}/LICENSE +0 -0
{aws_cdk_lib-2.149.0.dist-info → aws_cdk_lib-2.151.0.dist-info}/NOTICE +0 -0
{aws_cdk_lib-2.149.0.dist-info → aws_cdk_lib-2.151.0.dist-info}/WHEEL +0 -0
{aws_cdk_lib-2.149.0.dist-info → aws_cdk_lib-2.151.0.dist-info}/top_level.txt +0 -0

aws_cdk/aws_cloudtrail/__init__.py CHANGED Viewed

@@ -1248,7 +1248,7 @@ class CfnEventDataStore(
         ) -> None:
             '''A single selector statement in an advanced event selector.
-            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``readOnly`` , ``eventCategory`` , and ``eventSource`` . For CloudTrail data events, supported fields include ``readOnly`` , ``eventCategory`` , ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to ﬁlter in or ﬁlter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this ﬁeld, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This ﬁeld is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` - ``AWS::AppConfig::Configuration`` - ``AWS::B2BI::Transformer`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::Cassandra::Table`` - ``AWS::CloudFront::KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CloudWatch::Metric`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GreengrassV2::ComponentVersion`` - ``AWS::GreengrassV2::Deployment`` - ``AWS::GuardDuty::Detector`` - ``AWS::IoT::Certificate`` - ``AWS::IoT::Thing`` - ``AWS::IoTSiteWise::Asset`` - ``AWS::IoTSiteWise::TimeSeries`` - ``AWS::IoTTwinMaker::Entity`` - ``AWS::IoTTwinMaker::Workspace`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::Kinesis::Stream`` - ``AWS::Kinesis::StreamConsumer`` - ``AWS::KinesisVideo::Stream`` - ``AWS::MachineLearning::MlModel`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::PCAConnectorSCEP::Connector`` - ``AWS::QApps:QApp`` - ``AWS::QBusiness::Application`` - ``AWS::QBusiness::DataSource`` - ``AWS::QBusiness::Index`` - ``AWS::QBusiness::WebExperience`` - ``AWS::RDS::DBCluster`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SCN::Instance`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::SSM::ManagedNode`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::StepFunctions::StateMachine`` - ``AWS::SWF::Domain`` - ``AWS::ThinClient::Device`` - ``AWS::ThinClient::Environment`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore`` - ``AWS::XRay::Trace`` You can have only one ``resources.type`` ﬁeld per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've speciﬁed in the template as the value of resources.type. .. epigraph:: You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs. The ``resources.ARN`` field can be set one of the following. If resources.type equals ``AWS::S3::Object`` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information. - ``arn:<partition>:s3:::<bucket_name>/`` - ``arn:<partition>:s3:::<bucket_name>/<object_path>/`` When resources.type equals ``AWS::DynamoDB::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>`` When resources.type equals ``AWS::Lambda::Function`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>`` When resources.type equals ``AWS::AppConfig::Configuration`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:appconfig:<region>:<account_ID>:application/<application_ID>/environment/<environment_ID>/configuration/<configuration_profile_ID>`` When resources.type equals ``AWS::B2BI::Transformer`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:b2bi:<region>:<account_ID>:transformer/<transformer_ID>`` When resources.type equals ``AWS::Bedrock::AgentAlias`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:bedrock:<region>:<account_ID>:agent-alias/<agent_ID>/<alias_ID>`` When resources.type equals ``AWS::Bedrock::KnowledgeBase`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:bedrock:<region>:<account_ID>:knowledge-base/<knowledge_base_ID>`` When resources.type equals ``AWS::Cassandra::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cassandra:<region>:<account_ID>:/keyspace/<keyspace_name>/table/<table_name>`` When resources.type equals ``AWS::CloudFront::KeyValueStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudfront:<region>:<account_ID>:key-value-store/<KVS_name>`` When resources.type equals ``AWS::CloudTrail::Channel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>`` When resources.type equals ``AWS::CodeWhisperer::Customization`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:customization/<customization_ID>`` When resources.type equals ``AWS::CodeWhisperer::Profile`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>`` When resources.type equals ``AWS::Cognito::IdentityPool`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>`` When ``resources.type`` equals ``AWS::DynamoDB::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>`` When ``resources.type`` equals ``AWS::EC2::Snapshot`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>`` When ``resources.type`` equals ``AWS::EMRWAL::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:emrwal:<region>:<account_ID>:workspace/<workspace_name>`` When ``resources.type`` equals ``AWS::FinSpace::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Glue::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>`` When ``resources.type`` equals ``AWS::GreengrassV2::ComponentVersion`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:greengrass:<region>:<account_ID>:components/<component_name>`` When ``resources.type`` equals ``AWS::GreengrassV2::Deployment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:greengrass:<region>:<account_ID>:deployments/<deployment_ID`` When ``resources.type`` equals ``AWS::GuardDuty::Detector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>`` When ``resources.type`` equals ``AWS::IoT::Certificate`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:iot:<region>:<account_ID>:cert/<certificate_ID>`` When ``resources.type`` equals ``AWS::IoT::Thing`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:iot:<region>:<account_ID>:thing/<thing_ID>`` When ``resources.type`` equals ``AWS::IoTSiteWise::Asset`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:iotsitewise:<region>:<account_ID>:asset/<asset_ID>`` When ``resources.type`` equals ``AWS::IoTSiteWise::TimeSeries`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:iotsitewise:<region>:<account_ID>:timeseries/<timeseries_ID>`` When ``resources.type`` equals ``AWS::IoTTwinMaker::Entity`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:iottwinmaker:<region>:<account_ID>:workspace/<workspace_ID>/entity/<entity_ID>`` When ``resources.type`` equals ``AWS::IoTTwinMaker::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:iottwinmaker:<region>:<account_ID>:workspace/<workspace_ID>`` When ``resources.type`` equals ``AWS::KendraRanking::ExecutionPlan`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>`` When ``resources.type`` equals ``AWS::Kinesis::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kinesis:<region>:<account_ID>:stream/<stream_name>`` When ``resources.type`` equals ``AWS::Kinesis::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kinesis:<region>:<account_ID>:<stream_type>/<stream_name>/consumer/<consumer_name>:<consumer_creation_timestamp>`` When ``resources.type`` equals ``AWS::KinesisVideo::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name>/<creation_time>`` When ``resources.type`` equals ``AWS::MachineLearning::MlModel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:machinelearning:<region>:<account_ID>:mlmodel/<model_ID>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:::networks/<network_name>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Node`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>`` When ``resources.type`` equals ``AWS::MedicalImaging::Datastore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>`` When ``resources.type`` equals ``AWS::NeptuneGraph::Graph`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:neptune-graph:<region>:<account_ID>:graph/<graph_ID>`` When ``resources.type`` equals ``AWS::PCAConnectorAD::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>`` When ``resources.type`` equals ``AWS::PCAConnectorSCEP::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:pca-connector-scep:<region>:<account_ID>:connector/<connector_ID>`` When ``resources.type`` equals ``AWS::QApps:QApp`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qapps:<region>:<account_ID>:application/<application_UUID>/qapp/<qapp_UUID>`` When ``resources.type`` equals ``AWS::QBusiness::Application`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>`` When ``resources.type`` equals ``AWS::QBusiness::DataSource`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>/data-source/<datasource_ID>`` When ``resources.type`` equals ``AWS::QBusiness::Index`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>`` When ``resources.type`` equals ``AWS::QBusiness::WebExperience`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/web-experience/<web_experience_ID>`` When ``resources.type`` equals ``AWS::RDS::DBCluster`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:rds:<region>:<account_ID>:cluster/<cluster_name>`` When ``resources.type`` equals ``AWS::S3::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the ``StartsWith`` or ``NotStartsWith`` operators. - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>`` - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>`` When ``resources.type`` equals ``AWS::S3ObjectLambda::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>`` When ``resources.type`` equals ``AWS::S3Outposts::Object`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>`` When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>`` When ``resources.type`` equals ``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>`` When ``resources.type`` equals ``AWS::SageMaker::FeatureGroup`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>`` When ``resources.type`` equals ``AWS::SCN::Instance`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:scn:<region>:<account_ID>:instance/<instance_ID>`` When ``resources.type`` equals ``AWS::ServiceDiscovery::Namespace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:servicediscovery:<region>:<account_ID>:namespace/<namespace_ID>`` When ``resources.type`` equals ``AWS::ServiceDiscovery::Service`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:servicediscovery:<region>:<account_ID>:service/<service_ID>`` When ``resources.type`` equals ``AWS::SNS::PlatformEndpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sns:<region>:<account_ID>:endpoint/<endpoint_type>/<endpoint_name>/<endpoint_ID>`` When ``resources.type`` equals ``AWS::SNS::Topic`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sns:<region>:<account_ID>:<topic_name>`` When ``resources.type`` equals ``AWS::SQS::Queue`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sqs:<region>:<account_ID>:<queue_name>`` When ``resources.type`` equals ``AWS::SSM::ManagedNode`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats: - ``arn:<partition>:ssm:<region>:<account_ID>:managed-instance/<instance_ID>`` - ``arn:<partition>:ec2:<region>:<account_ID>:instance/<instance_ID>`` When ``resources.type`` equals ``AWS::SSMMessages::ControlChannel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>`` When ``resources.type`` equals ``AWS::StepFunctions::StateMachine`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats: - ``arn:<partition>:states:<region>:<account_ID>:stateMachine:<stateMachine_name>`` - ``arn:<partition>:states:<region>:<account_ID>:stateMachine:<stateMachine_name>/<label_name>`` When ``resources.type`` equals ``AWS::SWF::Domain`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:swf:<region>:<account_ID>:domain/<domain_name>`` When ``resources.type`` equals ``AWS::ThinClient::Device`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:thinclient:<region>:<account_ID>:device/<device_ID>`` When ``resources.type`` equals ``AWS::ThinClient::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:thinclient:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Timestream::Database`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>`` When ``resources.type`` equals ``AWS::Timestream::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>/table/<table_name>`` When resources.type equals ``AWS::VerifiedPermissions::PolicyStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>``
+            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``readOnly`` , ``eventCategory`` , and ``eventSource`` . For CloudTrail data events, supported fields include ``readOnly`` , ``eventCategory`` , ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to ﬁlter in or ﬁlter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this ﬁeld, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This ﬁeld is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::AppConfig::Configuration`` - ``AWS::B2BI::Transformer`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::FlowAlias`` - ``AWS::Bedrock::Guardrail`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::Cassandra::Table`` - ``AWS::CloudFront::KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CloudWatch::Metric`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::DynamoDB::Table`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GreengrassV2::ComponentVersion`` - ``AWS::GreengrassV2::Deployment`` - ``AWS::GuardDuty::Detector`` - ``AWS::IoT::Certificate`` - ``AWS::IoT::Thing`` - ``AWS::IoTSiteWise::Asset`` - ``AWS::IoTSiteWise::TimeSeries`` - ``AWS::IoTTwinMaker::Entity`` - ``AWS::IoTTwinMaker::Workspace`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::Kinesis::Stream`` - ``AWS::Kinesis::StreamConsumer`` - ``AWS::KinesisVideo::Stream`` - ``AWS::Lambda::Function`` - ``AWS::MachineLearning::MlModel`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::One::UKey`` - ``AWS::One::User`` - ``AWS::PaymentCryptography::Alias`` - ``AWS::PaymentCryptography::Key`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::PCAConnectorSCEP::Connector`` - ``AWS::QApps:QApp`` - ``AWS::QBusiness::Application`` - ``AWS::QBusiness::DataSource`` - ``AWS::QBusiness::Index`` - ``AWS::QBusiness::WebExperience`` - ``AWS::RDS::DBCluster`` - ``AWS::S3::AccessPoint`` - ``AWS::S3::Object`` - ``AWS::S3Express::Object`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SCN::Instance`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::SSM::ManagedNode`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::StepFunctions::StateMachine`` - ``AWS::SWF::Domain`` - ``AWS::ThinClient::Device`` - ``AWS::ThinClient::Environment`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore`` - ``AWS::XRay::Trace`` You can have only one ``resources.type`` ﬁeld per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've speciﬁed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. For information about filtering on the ``resources.ARN`` field, see `Filtering data events by resources.ARN <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn>`_ in the *AWS CloudTrail User Guide* . .. epigraph:: You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs.
             :param ends_with: An operator that includes events that match the last few characters of the event record field specified as the value of ``Field`` .
             :param equal_to: An operator that includes events that match the exact value of the event record field specified as the value of ``Field`` . This is the only valid operator that you can use with the ``readOnly`` , ``eventCategory`` , and ``resources.type`` fields.
             :param not_ends_with: An operator that excludes events that match the last few characters of the event record field specified as the value of ``Field`` .
@@ -1328,12 +1328,11 @@ class CfnEventDataStore(
             - For Audit Manager evidence, the value must be ``Evidence`` .
             - For non- AWS events, the value must be ``ActivityAuditLog`` .
             - *``resources.type``* - This ﬁeld is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following:
-            - ``AWS::DynamoDB::Table``
-            - ``AWS::Lambda::Function``
-            - ``AWS::S3::Object``
             - ``AWS::AppConfig::Configuration``
             - ``AWS::B2BI::Transformer``
             - ``AWS::Bedrock::AgentAlias``
+            - ``AWS::Bedrock::FlowAlias``
+            - ``AWS::Bedrock::Guardrail``
             - ``AWS::Bedrock::KnowledgeBase``
             - ``AWS::Cassandra::Table``
             - ``AWS::CloudFront::KeyValueStore``
@@ -1343,6 +1342,7 @@ class CfnEventDataStore(
             - ``AWS::CodeWhisperer::Profile``
             - ``AWS::Cognito::IdentityPool``
             - ``AWS::DynamoDB::Stream``
+            - ``AWS::DynamoDB::Table``
             - ``AWS::EC2::Snapshot``
             - ``AWS::EMRWAL::Workspace``
             - ``AWS::FinSpace::Environment``
@@ -1360,11 +1360,16 @@ class CfnEventDataStore(
             - ``AWS::Kinesis::Stream``
             - ``AWS::Kinesis::StreamConsumer``
             - ``AWS::KinesisVideo::Stream``
+            - ``AWS::Lambda::Function``
             - ``AWS::MachineLearning::MlModel``
             - ``AWS::ManagedBlockchain::Network``
             - ``AWS::ManagedBlockchain::Node``
             - ``AWS::MedicalImaging::Datastore``
             - ``AWS::NeptuneGraph::Graph``
+            - ``AWS::One::UKey``
+            - ``AWS::One::User``
+            - ``AWS::PaymentCryptography::Alias``
+            - ``AWS::PaymentCryptography::Key``
             - ``AWS::PCAConnectorAD::Connector``
             - ``AWS::PCAConnectorSCEP::Connector``
             - ``AWS::QApps:QApp``
@@ -1374,6 +1379,8 @@ class CfnEventDataStore(
             - ``AWS::QBusiness::WebExperience``
             - ``AWS::RDS::DBCluster``
             - ``AWS::S3::AccessPoint``
+            - ``AWS::S3::Object``
+            - ``AWS::S3Express::Object``
             - ``AWS::S3ObjectLambda::AccessPoint``
             - ``AWS::S3Outposts::Object``
             - ``AWS::SageMaker::Endpoint``
@@ -1398,280 +1405,12 @@ class CfnEventDataStore(
             You can have only one ``resources.type`` ﬁeld per selector. To log data events on more than one resource type, add another selector.
-            - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've speciﬁed in the template as the value of resources.type.
+            - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've speciﬁed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. For information about filtering on the ``resources.ARN`` field, see `Filtering data events by resources.ARN <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn>`_ in the *AWS CloudTrail User Guide* .
             .. epigraph::
                You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs.
-            The ``resources.ARN`` field can be set one of the following.
-            If resources.type equals ``AWS::S3::Object`` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value.
-            The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.
-            - ``arn:<partition>:s3:::<bucket_name>/``
-            - ``arn:<partition>:s3:::<bucket_name>/<object_path>/``
-            When resources.type equals ``AWS::DynamoDB::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>``
-            When resources.type equals ``AWS::Lambda::Function`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>``
-            When resources.type equals ``AWS::AppConfig::Configuration`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:appconfig:<region>:<account_ID>:application/<application_ID>/environment/<environment_ID>/configuration/<configuration_profile_ID>``
-            When resources.type equals ``AWS::B2BI::Transformer`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:b2bi:<region>:<account_ID>:transformer/<transformer_ID>``
-            When resources.type equals ``AWS::Bedrock::AgentAlias`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:bedrock:<region>:<account_ID>:agent-alias/<agent_ID>/<alias_ID>``
-            When resources.type equals ``AWS::Bedrock::KnowledgeBase`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:bedrock:<region>:<account_ID>:knowledge-base/<knowledge_base_ID>``
-            When resources.type equals ``AWS::Cassandra::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:cassandra:<region>:<account_ID>:/keyspace/<keyspace_name>/table/<table_name>``
-            When resources.type equals ``AWS::CloudFront::KeyValueStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:cloudfront:<region>:<account_ID>:key-value-store/<KVS_name>``
-            When resources.type equals ``AWS::CloudTrail::Channel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>``
-            When resources.type equals ``AWS::CodeWhisperer::Customization`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:codewhisperer:<region>:<account_ID>:customization/<customization_ID>``
-            When resources.type equals ``AWS::CodeWhisperer::Profile`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>``
-            When resources.type equals ``AWS::Cognito::IdentityPool`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>``
-            When ``resources.type`` equals ``AWS::DynamoDB::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>``
-            When ``resources.type`` equals ``AWS::EC2::Snapshot`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>``
-            When ``resources.type`` equals ``AWS::EMRWAL::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:emrwal:<region>:<account_ID>:workspace/<workspace_name>``
-            When ``resources.type`` equals ``AWS::FinSpace::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>``
-            When ``resources.type`` equals ``AWS::Glue::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>``
-            When ``resources.type`` equals ``AWS::GreengrassV2::ComponentVersion`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:greengrass:<region>:<account_ID>:components/<component_name>``
-            When ``resources.type`` equals ``AWS::GreengrassV2::Deployment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:greengrass:<region>:<account_ID>:deployments/<deployment_ID``
-            When ``resources.type`` equals ``AWS::GuardDuty::Detector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>``
-            When ``resources.type`` equals ``AWS::IoT::Certificate`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:iot:<region>:<account_ID>:cert/<certificate_ID>``
-            When ``resources.type`` equals ``AWS::IoT::Thing`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:iot:<region>:<account_ID>:thing/<thing_ID>``
-            When ``resources.type`` equals ``AWS::IoTSiteWise::Asset`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:iotsitewise:<region>:<account_ID>:asset/<asset_ID>``
-            When ``resources.type`` equals ``AWS::IoTSiteWise::TimeSeries`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:iotsitewise:<region>:<account_ID>:timeseries/<timeseries_ID>``
-            When ``resources.type`` equals ``AWS::IoTTwinMaker::Entity`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:iottwinmaker:<region>:<account_ID>:workspace/<workspace_ID>/entity/<entity_ID>``
-            When ``resources.type`` equals ``AWS::IoTTwinMaker::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:iottwinmaker:<region>:<account_ID>:workspace/<workspace_ID>``
-            When ``resources.type`` equals ``AWS::KendraRanking::ExecutionPlan`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>``
-            When ``resources.type`` equals ``AWS::Kinesis::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:kinesis:<region>:<account_ID>:stream/<stream_name>``
-            When ``resources.type`` equals ``AWS::Kinesis::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:kinesis:<region>:<account_ID>:<stream_type>/<stream_name>/consumer/<consumer_name>:<consumer_creation_timestamp>``
-            When ``resources.type`` equals ``AWS::KinesisVideo::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name>/<creation_time>``
-            When ``resources.type`` equals ``AWS::MachineLearning::MlModel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:machinelearning:<region>:<account_ID>:mlmodel/<model_ID>``
-            When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:managedblockchain:::networks/<network_name>``
-            When ``resources.type`` equals ``AWS::ManagedBlockchain::Node`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>``
-            When ``resources.type`` equals ``AWS::MedicalImaging::Datastore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>``
-            When ``resources.type`` equals ``AWS::NeptuneGraph::Graph`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:neptune-graph:<region>:<account_ID>:graph/<graph_ID>``
-            When ``resources.type`` equals ``AWS::PCAConnectorAD::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>``
-            When ``resources.type`` equals ``AWS::PCAConnectorSCEP::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:pca-connector-scep:<region>:<account_ID>:connector/<connector_ID>``
-            When ``resources.type`` equals ``AWS::QApps:QApp`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:qapps:<region>:<account_ID>:application/<application_UUID>/qapp/<qapp_UUID>``
-            When ``resources.type`` equals ``AWS::QBusiness::Application`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>``
-            When ``resources.type`` equals ``AWS::QBusiness::DataSource`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>/data-source/<datasource_ID>``
-            When ``resources.type`` equals ``AWS::QBusiness::Index`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>``
-            When ``resources.type`` equals ``AWS::QBusiness::WebExperience`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/web-experience/<web_experience_ID>``
-            When ``resources.type`` equals ``AWS::RDS::DBCluster`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:rds:<region>:<account_ID>:cluster/<cluster_name>``
-            When ``resources.type`` equals ``AWS::S3::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the ``StartsWith`` or ``NotStartsWith`` operators.
-            - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>``
-            - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>``
-            When ``resources.type`` equals ``AWS::S3ObjectLambda::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>``
-            When ``resources.type`` equals ``AWS::S3Outposts::Object`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>``
-            When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>``
-            When ``resources.type`` equals ``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>``
-            When ``resources.type`` equals ``AWS::SageMaker::FeatureGroup`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>``
-            When ``resources.type`` equals ``AWS::SCN::Instance`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:scn:<region>:<account_ID>:instance/<instance_ID>``
-            When ``resources.type`` equals ``AWS::ServiceDiscovery::Namespace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:servicediscovery:<region>:<account_ID>:namespace/<namespace_ID>``
-            When ``resources.type`` equals ``AWS::ServiceDiscovery::Service`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:servicediscovery:<region>:<account_ID>:service/<service_ID>``
-            When ``resources.type`` equals ``AWS::SNS::PlatformEndpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:sns:<region>:<account_ID>:endpoint/<endpoint_type>/<endpoint_name>/<endpoint_ID>``
-            When ``resources.type`` equals ``AWS::SNS::Topic`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:sns:<region>:<account_ID>:<topic_name>``
-            When ``resources.type`` equals ``AWS::SQS::Queue`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:sqs:<region>:<account_ID>:<queue_name>``
-            When ``resources.type`` equals ``AWS::SSM::ManagedNode`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats:
-            - ``arn:<partition>:ssm:<region>:<account_ID>:managed-instance/<instance_ID>``
-            - ``arn:<partition>:ec2:<region>:<account_ID>:instance/<instance_ID>``
-            When ``resources.type`` equals ``AWS::SSMMessages::ControlChannel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>``
-            When ``resources.type`` equals ``AWS::StepFunctions::StateMachine`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats:
-            - ``arn:<partition>:states:<region>:<account_ID>:stateMachine:<stateMachine_name>``
-            - ``arn:<partition>:states:<region>:<account_ID>:stateMachine:<stateMachine_name>/<label_name>``
-            When ``resources.type`` equals ``AWS::SWF::Domain`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:swf:<region>:<account_ID>:domain/<domain_name>``
-            When ``resources.type`` equals ``AWS::ThinClient::Device`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:thinclient:<region>:<account_ID>:device/<device_ID>``
-            When ``resources.type`` equals ``AWS::ThinClient::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:thinclient:<region>:<account_ID>:environment/<environment_ID>``
-            When ``resources.type`` equals ``AWS::Timestream::Database`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>``
-            When ``resources.type`` equals ``AWS::Timestream::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>/table/<table_name>``
-            When resources.type equals ``AWS::VerifiedPermissions::PolicyStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>``
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudtrail-eventdatastore-advancedfieldselector.html#cfn-cloudtrail-eventdatastore-advancedfieldselector-field
             '''
             result = self._values.get("field")
@@ -2938,7 +2677,7 @@ class CfnTrail(
         ) -> None:
             '''A single selector statement in an advanced event selector.
-            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``readOnly`` , ``eventCategory`` , and ``eventSource`` . For CloudTrail data events, supported fields include ``readOnly`` , ``eventCategory`` , ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to ﬁlter in or ﬁlter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this ﬁeld, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This ﬁeld is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::DynamoDB::Table`` - ``AWS::Lambda::Function`` - ``AWS::S3::Object`` - ``AWS::AppConfig::Configuration`` - ``AWS::B2BI::Transformer`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::Cassandra::Table`` - ``AWS::CloudFront::KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CloudWatch::Metric`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GreengrassV2::ComponentVersion`` - ``AWS::GreengrassV2::Deployment`` - ``AWS::GuardDuty::Detector`` - ``AWS::IoT::Certificate`` - ``AWS::IoT::Thing`` - ``AWS::IoTSiteWise::Asset`` - ``AWS::IoTSiteWise::TimeSeries`` - ``AWS::IoTTwinMaker::Entity`` - ``AWS::IoTTwinMaker::Workspace`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::Kinesis::Stream`` - ``AWS::Kinesis::StreamConsumer`` - ``AWS::KinesisVideo::Stream`` - ``AWS::MachineLearning::MlModel`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::PCAConnectorSCEP::Connector`` - ``AWS::QApps:QApp`` - ``AWS::QBusiness::Application`` - ``AWS::QBusiness::DataSource`` - ``AWS::QBusiness::Index`` - ``AWS::QBusiness::WebExperience`` - ``AWS::RDS::DBCluster`` - ``AWS::S3::AccessPoint`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SCN::Instance`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::SSM::ManagedNode`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::StepFunctions::StateMachine`` - ``AWS::SWF::Domain`` - ``AWS::ThinClient::Device`` - ``AWS::ThinClient::Environment`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore`` - ``AWS::XRay::Trace`` You can have only one ``resources.type`` ﬁeld per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've speciﬁed in the template as the value of resources.type. .. epigraph:: You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs. The ``resources.ARN`` field can be set one of the following. If resources.type equals ``AWS::S3::Object`` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information. - ``arn:<partition>:s3:::<bucket_name>/`` - ``arn:<partition>:s3:::<bucket_name>/<object_path>/`` When resources.type equals ``AWS::DynamoDB::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>`` When resources.type equals ``AWS::Lambda::Function`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>`` When resources.type equals ``AWS::AppConfig::Configuration`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:appconfig:<region>:<account_ID>:application/<application_ID>/environment/<environment_ID>/configuration/<configuration_profile_ID>`` When resources.type equals ``AWS::B2BI::Transformer`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:b2bi:<region>:<account_ID>:transformer/<transformer_ID>`` When resources.type equals ``AWS::Bedrock::AgentAlias`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:bedrock:<region>:<account_ID>:agent-alias/<agent_ID>/<alias_ID>`` When resources.type equals ``AWS::Bedrock::KnowledgeBase`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:bedrock:<region>:<account_ID>:knowledge-base/<knowledge_base_ID>`` When resources.type equals ``AWS::Cassandra::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cassandra:<region>:<account_ID>:/keyspace/<keyspace_name>/table/<table_name>`` When resources.type equals ``AWS::CloudFront::KeyValueStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudfront:<region>:<account_ID>:key-value-store/<KVS_name>`` When resources.type equals ``AWS::CloudTrail::Channel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>`` When resources.type equals ``AWS::CodeWhisperer::Customization`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:customization/<customization_ID>`` When resources.type equals ``AWS::CodeWhisperer::Profile`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>`` When resources.type equals ``AWS::Cognito::IdentityPool`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>`` When ``resources.type`` equals ``AWS::DynamoDB::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>`` When ``resources.type`` equals ``AWS::EC2::Snapshot`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>`` When ``resources.type`` equals ``AWS::EMRWAL::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:emrwal:<region>:<account_ID>:workspace/<workspace_name>`` When ``resources.type`` equals ``AWS::FinSpace::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Glue::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>`` When ``resources.type`` equals ``AWS::GreengrassV2::ComponentVersion`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:greengrass:<region>:<account_ID>:components/<component_name>`` When ``resources.type`` equals ``AWS::GreengrassV2::Deployment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:greengrass:<region>:<account_ID>:deployments/<deployment_ID`` When ``resources.type`` equals ``AWS::GuardDuty::Detector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>`` When ``resources.type`` equals ``AWS::IoT::Certificate`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:iot:<region>:<account_ID>:cert/<certificate_ID>`` When ``resources.type`` equals ``AWS::IoT::Thing`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:iot:<region>:<account_ID>:thing/<thing_ID>`` When ``resources.type`` equals ``AWS::IoTSiteWise::Asset`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:iotsitewise:<region>:<account_ID>:asset/<asset_ID>`` When ``resources.type`` equals ``AWS::IoTSiteWise::TimeSeries`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:iotsitewise:<region>:<account_ID>:timeseries/<timeseries_ID>`` When ``resources.type`` equals ``AWS::IoTTwinMaker::Entity`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:iottwinmaker:<region>:<account_ID>:workspace/<workspace_ID>/entity/<entity_ID>`` When ``resources.type`` equals ``AWS::IoTTwinMaker::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:iottwinmaker:<region>:<account_ID>:workspace/<workspace_ID>`` When ``resources.type`` equals ``AWS::KendraRanking::ExecutionPlan`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>`` When ``resources.type`` equals ``AWS::Kinesis::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kinesis:<region>:<account_ID>:stream/<stream_name>`` When ``resources.type`` equals ``AWS::Kinesis::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kinesis:<region>:<account_ID>:<stream_type>/<stream_name>/consumer/<consumer_name>:<consumer_creation_timestamp>`` When ``resources.type`` equals ``AWS::KinesisVideo::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name>/<creation_time>`` When ``resources.type`` equals ``AWS::MachineLearning::MlModel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:machinelearning:<region>:<account_ID>:mlmodel/<model_ID>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:::networks/<network_name>`` When ``resources.type`` equals ``AWS::ManagedBlockchain::Node`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>`` When ``resources.type`` equals ``AWS::MedicalImaging::Datastore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>`` When ``resources.type`` equals ``AWS::NeptuneGraph::Graph`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:neptune-graph:<region>:<account_ID>:graph/<graph_ID>`` When ``resources.type`` equals ``AWS::PCAConnectorAD::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>`` When ``resources.type`` equals ``AWS::PCAConnectorSCEP::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:pca-connector-scep:<region>:<account_ID>:connector/<connector_ID>`` When ``resources.type`` equals ``AWS::QApps:QApp`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qapps:<region>:<account_ID>:application/<application_UUID>/qapp/<qapp_UUID>`` When ``resources.type`` equals ``AWS::QBusiness::Application`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>`` When ``resources.type`` equals ``AWS::QBusiness::DataSource`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>/data-source/<datasource_ID>`` When ``resources.type`` equals ``AWS::QBusiness::Index`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>`` When ``resources.type`` equals ``AWS::QBusiness::WebExperience`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/web-experience/<web_experience_ID>`` When ``resources.type`` equals ``AWS::RDS::DBCluster`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:rds:<region>:<account_ID>:cluster/<cluster_name>`` When ``resources.type`` equals ``AWS::S3::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the ``StartsWith`` or ``NotStartsWith`` operators. - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>`` - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>`` When ``resources.type`` equals ``AWS::S3ObjectLambda::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>`` When ``resources.type`` equals ``AWS::S3Outposts::Object`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>`` When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>`` When ``resources.type`` equals ``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>`` When ``resources.type`` equals ``AWS::SageMaker::FeatureGroup`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>`` When ``resources.type`` equals ``AWS::SCN::Instance`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:scn:<region>:<account_ID>:instance/<instance_ID>`` When ``resources.type`` equals ``AWS::ServiceDiscovery::Namespace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:servicediscovery:<region>:<account_ID>:namespace/<namespace_ID>`` When ``resources.type`` equals ``AWS::ServiceDiscovery::Service`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:servicediscovery:<region>:<account_ID>:service/<service_ID>`` When ``resources.type`` equals ``AWS::SNS::PlatformEndpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sns:<region>:<account_ID>:endpoint/<endpoint_type>/<endpoint_name>/<endpoint_ID>`` When ``resources.type`` equals ``AWS::SNS::Topic`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sns:<region>:<account_ID>:<topic_name>`` When ``resources.type`` equals ``AWS::SQS::Queue`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:sqs:<region>:<account_ID>:<queue_name>`` When ``resources.type`` equals ``AWS::SSM::ManagedNode`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats: - ``arn:<partition>:ssm:<region>:<account_ID>:managed-instance/<instance_ID>`` - ``arn:<partition>:ec2:<region>:<account_ID>:instance/<instance_ID>`` When ``resources.type`` equals ``AWS::SSMMessages::ControlChannel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>`` When ``resources.type`` equals ``AWS::StepFunctions::StateMachine`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats: - ``arn:<partition>:states:<region>:<account_ID>:stateMachine:<stateMachine_name>`` - ``arn:<partition>:states:<region>:<account_ID>:stateMachine:<stateMachine_name>/<label_name>`` When ``resources.type`` equals ``AWS::SWF::Domain`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:swf:<region>:<account_ID>:domain/<domain_name>`` When ``resources.type`` equals ``AWS::ThinClient::Device`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:thinclient:<region>:<account_ID>:device/<device_ID>`` When ``resources.type`` equals ``AWS::ThinClient::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:thinclient:<region>:<account_ID>:environment/<environment_ID>`` When ``resources.type`` equals ``AWS::Timestream::Database`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>`` When ``resources.type`` equals ``AWS::Timestream::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>/table/<table_name>`` When resources.type equals ``AWS::VerifiedPermissions::PolicyStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format: - ``arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>``
+            :param field: A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the field is used only for selecting events as filtering is not supported. For CloudTrail management events, supported fields include ``readOnly`` , ``eventCategory`` , and ``eventSource`` . For CloudTrail data events, supported fields include ``readOnly`` , ``eventCategory`` , ``eventName`` , ``resources.type`` , and ``resources.ARN`` . For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is ``eventCategory`` . - *``readOnly``* - Optional. Can be set to ``Equals`` a value of ``true`` or ``false`` . If you do not add this field, CloudTrail logs both ``read`` and ``write`` events. A value of ``true`` logs only ``read`` events. A value of ``false`` logs only ``write`` events. - *``eventSource``* - For filtering management events only. This can be set to ``NotEquals`` ``kms.amazonaws.com`` or ``NotEquals`` ``rdsdata.amazonaws.com`` . - *``eventName``* - Can use any operator. You can use it to ﬁlter in or ﬁlter out any data event logged to CloudTrail, such as ``PutBucket`` or ``GetSnapshotBlock`` . You can have multiple values for this ﬁeld, separated by commas. - *``eventCategory``* - This is required and must be set to ``Equals`` . - For CloudTrail management events, the value must be ``Management`` . - For CloudTrail data events, the value must be ``Data`` . The following are used only for event data stores: - For CloudTrail Insights events, the value must be ``Insight`` . - For AWS Config configuration items, the value must be ``ConfigurationItem`` . - For Audit Manager evidence, the value must be ``Evidence`` . - For non- AWS events, the value must be ``ActivityAuditLog`` . - *``resources.type``* - This ﬁeld is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following: - ``AWS::AppConfig::Configuration`` - ``AWS::B2BI::Transformer`` - ``AWS::Bedrock::AgentAlias`` - ``AWS::Bedrock::FlowAlias`` - ``AWS::Bedrock::Guardrail`` - ``AWS::Bedrock::KnowledgeBase`` - ``AWS::Cassandra::Table`` - ``AWS::CloudFront::KeyValueStore`` - ``AWS::CloudTrail::Channel`` - ``AWS::CloudWatch::Metric`` - ``AWS::CodeWhisperer::Customization`` - ``AWS::CodeWhisperer::Profile`` - ``AWS::Cognito::IdentityPool`` - ``AWS::DynamoDB::Stream`` - ``AWS::DynamoDB::Table`` - ``AWS::EC2::Snapshot`` - ``AWS::EMRWAL::Workspace`` - ``AWS::FinSpace::Environment`` - ``AWS::Glue::Table`` - ``AWS::GreengrassV2::ComponentVersion`` - ``AWS::GreengrassV2::Deployment`` - ``AWS::GuardDuty::Detector`` - ``AWS::IoT::Certificate`` - ``AWS::IoT::Thing`` - ``AWS::IoTSiteWise::Asset`` - ``AWS::IoTSiteWise::TimeSeries`` - ``AWS::IoTTwinMaker::Entity`` - ``AWS::IoTTwinMaker::Workspace`` - ``AWS::KendraRanking::ExecutionPlan`` - ``AWS::Kinesis::Stream`` - ``AWS::Kinesis::StreamConsumer`` - ``AWS::KinesisVideo::Stream`` - ``AWS::Lambda::Function`` - ``AWS::MachineLearning::MlModel`` - ``AWS::ManagedBlockchain::Network`` - ``AWS::ManagedBlockchain::Node`` - ``AWS::MedicalImaging::Datastore`` - ``AWS::NeptuneGraph::Graph`` - ``AWS::One::UKey`` - ``AWS::One::User`` - ``AWS::PaymentCryptography::Alias`` - ``AWS::PaymentCryptography::Key`` - ``AWS::PCAConnectorAD::Connector`` - ``AWS::PCAConnectorSCEP::Connector`` - ``AWS::QApps:QApp`` - ``AWS::QBusiness::Application`` - ``AWS::QBusiness::DataSource`` - ``AWS::QBusiness::Index`` - ``AWS::QBusiness::WebExperience`` - ``AWS::RDS::DBCluster`` - ``AWS::S3::AccessPoint`` - ``AWS::S3::Object`` - ``AWS::S3Express::Object`` - ``AWS::S3ObjectLambda::AccessPoint`` - ``AWS::S3Outposts::Object`` - ``AWS::SageMaker::Endpoint`` - ``AWS::SageMaker::ExperimentTrialComponent`` - ``AWS::SageMaker::FeatureGroup`` - ``AWS::ServiceDiscovery::Namespace`` - ``AWS::ServiceDiscovery::Service`` - ``AWS::SCN::Instance`` - ``AWS::SNS::PlatformEndpoint`` - ``AWS::SNS::Topic`` - ``AWS::SQS::Queue`` - ``AWS::SSM::ManagedNode`` - ``AWS::SSMMessages::ControlChannel`` - ``AWS::StepFunctions::StateMachine`` - ``AWS::SWF::Domain`` - ``AWS::ThinClient::Device`` - ``AWS::ThinClient::Environment`` - ``AWS::Timestream::Database`` - ``AWS::Timestream::Table`` - ``AWS::VerifiedPermissions::PolicyStore`` - ``AWS::XRay::Trace`` You can have only one ``resources.type`` ﬁeld per selector. To log data events on more than one resource type, add another selector. - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've speciﬁed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. For information about filtering on the ``resources.ARN`` field, see `Filtering data events by resources.ARN <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn>`_ in the *AWS CloudTrail User Guide* . .. epigraph:: You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs.
             :param ends_with: An operator that includes events that match the last few characters of the event record field specified as the value of ``Field`` .
             :param equal_to: An operator that includes events that match the exact value of the event record field specified as the value of ``Field`` . This is the only valid operator that you can use with the ``readOnly`` , ``eventCategory`` , and ``resources.type`` fields.
             :param not_ends_with: An operator that excludes events that match the last few characters of the event record field specified as the value of ``Field`` .
@@ -3018,12 +2757,11 @@ class CfnTrail(
             - For Audit Manager evidence, the value must be ``Evidence`` .
             - For non- AWS events, the value must be ``ActivityAuditLog`` .
             - *``resources.type``* - This ﬁeld is required for CloudTrail data events. ``resources.type`` can only use the ``Equals`` operator, and the value can be one of the following:
-            - ``AWS::DynamoDB::Table``
-            - ``AWS::Lambda::Function``
-            - ``AWS::S3::Object``
             - ``AWS::AppConfig::Configuration``
             - ``AWS::B2BI::Transformer``
             - ``AWS::Bedrock::AgentAlias``
+            - ``AWS::Bedrock::FlowAlias``
+            - ``AWS::Bedrock::Guardrail``
             - ``AWS::Bedrock::KnowledgeBase``
             - ``AWS::Cassandra::Table``
             - ``AWS::CloudFront::KeyValueStore``
@@ -3033,6 +2771,7 @@ class CfnTrail(
             - ``AWS::CodeWhisperer::Profile``
             - ``AWS::Cognito::IdentityPool``
             - ``AWS::DynamoDB::Stream``
+            - ``AWS::DynamoDB::Table``
             - ``AWS::EC2::Snapshot``
             - ``AWS::EMRWAL::Workspace``
             - ``AWS::FinSpace::Environment``
@@ -3050,11 +2789,16 @@ class CfnTrail(
             - ``AWS::Kinesis::Stream``
             - ``AWS::Kinesis::StreamConsumer``
             - ``AWS::KinesisVideo::Stream``
+            - ``AWS::Lambda::Function``
             - ``AWS::MachineLearning::MlModel``
             - ``AWS::ManagedBlockchain::Network``
             - ``AWS::ManagedBlockchain::Node``
             - ``AWS::MedicalImaging::Datastore``
             - ``AWS::NeptuneGraph::Graph``
+            - ``AWS::One::UKey``
+            - ``AWS::One::User``
+            - ``AWS::PaymentCryptography::Alias``
+            - ``AWS::PaymentCryptography::Key``
             - ``AWS::PCAConnectorAD::Connector``
             - ``AWS::PCAConnectorSCEP::Connector``
             - ``AWS::QApps:QApp``
@@ -3064,6 +2808,8 @@ class CfnTrail(
             - ``AWS::QBusiness::WebExperience``
             - ``AWS::RDS::DBCluster``
             - ``AWS::S3::AccessPoint``
+            - ``AWS::S3::Object``
+            - ``AWS::S3Express::Object``
             - ``AWS::S3ObjectLambda::AccessPoint``
             - ``AWS::S3Outposts::Object``
             - ``AWS::SageMaker::Endpoint``
@@ -3088,280 +2834,12 @@ class CfnTrail(
             You can have only one ``resources.type`` ﬁeld per selector. To log data events on more than one resource type, add another selector.
-            - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've speciﬁed in the template as the value of resources.type.
+            - *``resources.ARN``* - You can use any operator with ``resources.ARN`` , but if you use ``Equals`` or ``NotEquals`` , the value must exactly match the ARN of a valid resource of the type you've speciﬁed in the template as the value of resources.type. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value. For information about filtering on the ``resources.ARN`` field, see `Filtering data events by resources.ARN <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn>`_ in the *AWS CloudTrail User Guide* .
             .. epigraph::
                You can't use the ``resources.ARN`` field to filter resource types that do not have ARNs.
-            The ``resources.ARN`` field can be set one of the following.
-            If resources.type equals ``AWS::S3::Object`` , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the ``StartsWith`` operator, and include only the bucket ARN as the matching value.
-            The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.
-            - ``arn:<partition>:s3:::<bucket_name>/``
-            - ``arn:<partition>:s3:::<bucket_name>/<object_path>/``
-            When resources.type equals ``AWS::DynamoDB::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>``
-            When resources.type equals ``AWS::Lambda::Function`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:lambda:<region>:<account_ID>:function:<function_name>``
-            When resources.type equals ``AWS::AppConfig::Configuration`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:appconfig:<region>:<account_ID>:application/<application_ID>/environment/<environment_ID>/configuration/<configuration_profile_ID>``
-            When resources.type equals ``AWS::B2BI::Transformer`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:b2bi:<region>:<account_ID>:transformer/<transformer_ID>``
-            When resources.type equals ``AWS::Bedrock::AgentAlias`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:bedrock:<region>:<account_ID>:agent-alias/<agent_ID>/<alias_ID>``
-            When resources.type equals ``AWS::Bedrock::KnowledgeBase`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:bedrock:<region>:<account_ID>:knowledge-base/<knowledge_base_ID>``
-            When resources.type equals ``AWS::Cassandra::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:cassandra:<region>:<account_ID>:/keyspace/<keyspace_name>/table/<table_name>``
-            When resources.type equals ``AWS::CloudFront::KeyValueStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:cloudfront:<region>:<account_ID>:key-value-store/<KVS_name>``
-            When resources.type equals ``AWS::CloudTrail::Channel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:cloudtrail:<region>:<account_ID>:channel/<channel_UUID>``
-            When resources.type equals ``AWS::CodeWhisperer::Customization`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:codewhisperer:<region>:<account_ID>:customization/<customization_ID>``
-            When resources.type equals ``AWS::CodeWhisperer::Profile`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:codewhisperer:<region>:<account_ID>:profile/<profile_ID>``
-            When resources.type equals ``AWS::Cognito::IdentityPool`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:cognito-identity:<region>:<account_ID>:identitypool/<identity_pool_ID>``
-            When ``resources.type`` equals ``AWS::DynamoDB::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:dynamodb:<region>:<account_ID>:table/<table_name>/stream/<date_time>``
-            When ``resources.type`` equals ``AWS::EC2::Snapshot`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:ec2:<region>::snapshot/<snapshot_ID>``
-            When ``resources.type`` equals ``AWS::EMRWAL::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:emrwal:<region>:<account_ID>:workspace/<workspace_name>``
-            When ``resources.type`` equals ``AWS::FinSpace::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:finspace:<region>:<account_ID>:environment/<environment_ID>``
-            When ``resources.type`` equals ``AWS::Glue::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:glue:<region>:<account_ID>:table/<database_name>/<table_name>``
-            When ``resources.type`` equals ``AWS::GreengrassV2::ComponentVersion`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:greengrass:<region>:<account_ID>:components/<component_name>``
-            When ``resources.type`` equals ``AWS::GreengrassV2::Deployment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:greengrass:<region>:<account_ID>:deployments/<deployment_ID``
-            When ``resources.type`` equals ``AWS::GuardDuty::Detector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:guardduty:<region>:<account_ID>:detector/<detector_ID>``
-            When ``resources.type`` equals ``AWS::IoT::Certificate`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:iot:<region>:<account_ID>:cert/<certificate_ID>``
-            When ``resources.type`` equals ``AWS::IoT::Thing`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:iot:<region>:<account_ID>:thing/<thing_ID>``
-            When ``resources.type`` equals ``AWS::IoTSiteWise::Asset`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:iotsitewise:<region>:<account_ID>:asset/<asset_ID>``
-            When ``resources.type`` equals ``AWS::IoTSiteWise::TimeSeries`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:iotsitewise:<region>:<account_ID>:timeseries/<timeseries_ID>``
-            When ``resources.type`` equals ``AWS::IoTTwinMaker::Entity`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:iottwinmaker:<region>:<account_ID>:workspace/<workspace_ID>/entity/<entity_ID>``
-            When ``resources.type`` equals ``AWS::IoTTwinMaker::Workspace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:iottwinmaker:<region>:<account_ID>:workspace/<workspace_ID>``
-            When ``resources.type`` equals ``AWS::KendraRanking::ExecutionPlan`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:kendra-ranking:<region>:<account_ID>:rescore-execution-plan/<rescore_execution_plan_ID>``
-            When ``resources.type`` equals ``AWS::Kinesis::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:kinesis:<region>:<account_ID>:stream/<stream_name>``
-            When ``resources.type`` equals ``AWS::Kinesis::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:kinesis:<region>:<account_ID>:<stream_type>/<stream_name>/consumer/<consumer_name>:<consumer_creation_timestamp>``
-            When ``resources.type`` equals ``AWS::KinesisVideo::Stream`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:kinesisvideo:<region>:<account_ID>:stream/<stream_name>/<creation_time>``
-            When ``resources.type`` equals ``AWS::MachineLearning::MlModel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:machinelearning:<region>:<account_ID>:mlmodel/<model_ID>``
-            When ``resources.type`` equals ``AWS::ManagedBlockchain::Network`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:managedblockchain:::networks/<network_name>``
-            When ``resources.type`` equals ``AWS::ManagedBlockchain::Node`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:managedblockchain:<region>:<account_ID>:nodes/<node_ID>``
-            When ``resources.type`` equals ``AWS::MedicalImaging::Datastore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:medical-imaging:<region>:<account_ID>:datastore/<data_store_ID>``
-            When ``resources.type`` equals ``AWS::NeptuneGraph::Graph`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:neptune-graph:<region>:<account_ID>:graph/<graph_ID>``
-            When ``resources.type`` equals ``AWS::PCAConnectorAD::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:pca-connector-ad:<region>:<account_ID>:connector/<connector_ID>``
-            When ``resources.type`` equals ``AWS::PCAConnectorSCEP::Connector`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:pca-connector-scep:<region>:<account_ID>:connector/<connector_ID>``
-            When ``resources.type`` equals ``AWS::QApps:QApp`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:qapps:<region>:<account_ID>:application/<application_UUID>/qapp/<qapp_UUID>``
-            When ``resources.type`` equals ``AWS::QBusiness::Application`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>``
-            When ``resources.type`` equals ``AWS::QBusiness::DataSource`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>/data-source/<datasource_ID>``
-            When ``resources.type`` equals ``AWS::QBusiness::Index`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/index/<index_ID>``
-            When ``resources.type`` equals ``AWS::QBusiness::WebExperience`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:qbusiness:<region>:<account_ID>:application/<application_ID>/web-experience/<web_experience_ID>``
-            When ``resources.type`` equals ``AWS::RDS::DBCluster`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:rds:<region>:<account_ID>:cluster/<cluster_name>``
-            When ``resources.type`` equals ``AWS::S3::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the ``StartsWith`` or ``NotStartsWith`` operators.
-            - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>``
-            - ``arn:<partition>:s3:<region>:<account_ID>:accesspoint/<access_point_name>/object/<object_path>``
-            When ``resources.type`` equals ``AWS::S3ObjectLambda::AccessPoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:s3-object-lambda:<region>:<account_ID>:accesspoint/<access_point_name>``
-            When ``resources.type`` equals ``AWS::S3Outposts::Object`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:s3-outposts:<region>:<account_ID>:<object_path>``
-            When ``resources.type`` equals ``AWS::SageMaker::Endpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:sagemaker:<region>:<account_ID>:endpoint/<endpoint_name>``
-            When ``resources.type`` equals ``AWS::SageMaker::ExperimentTrialComponent`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:sagemaker:<region>:<account_ID>:experiment-trial-component/<experiment_trial_component_name>``
-            When ``resources.type`` equals ``AWS::SageMaker::FeatureGroup`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:sagemaker:<region>:<account_ID>:feature-group/<feature_group_name>``
-            When ``resources.type`` equals ``AWS::SCN::Instance`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:scn:<region>:<account_ID>:instance/<instance_ID>``
-            When ``resources.type`` equals ``AWS::ServiceDiscovery::Namespace`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:servicediscovery:<region>:<account_ID>:namespace/<namespace_ID>``
-            When ``resources.type`` equals ``AWS::ServiceDiscovery::Service`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:servicediscovery:<region>:<account_ID>:service/<service_ID>``
-            When ``resources.type`` equals ``AWS::SNS::PlatformEndpoint`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:sns:<region>:<account_ID>:endpoint/<endpoint_type>/<endpoint_name>/<endpoint_ID>``
-            When ``resources.type`` equals ``AWS::SNS::Topic`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:sns:<region>:<account_ID>:<topic_name>``
-            When ``resources.type`` equals ``AWS::SQS::Queue`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:sqs:<region>:<account_ID>:<queue_name>``
-            When ``resources.type`` equals ``AWS::SSM::ManagedNode`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats:
-            - ``arn:<partition>:ssm:<region>:<account_ID>:managed-instance/<instance_ID>``
-            - ``arn:<partition>:ec2:<region>:<account_ID>:instance/<instance_ID>``
-            When ``resources.type`` equals ``AWS::SSMMessages::ControlChannel`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:ssmmessages:<region>:<account_ID>:control-channel/<channel_ID>``
-            When ``resources.type`` equals ``AWS::StepFunctions::StateMachine`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in one of the following formats:
-            - ``arn:<partition>:states:<region>:<account_ID>:stateMachine:<stateMachine_name>``
-            - ``arn:<partition>:states:<region>:<account_ID>:stateMachine:<stateMachine_name>/<label_name>``
-            When ``resources.type`` equals ``AWS::SWF::Domain`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:swf:<region>:<account_ID>:domain/<domain_name>``
-            When ``resources.type`` equals ``AWS::ThinClient::Device`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:thinclient:<region>:<account_ID>:device/<device_ID>``
-            When ``resources.type`` equals ``AWS::ThinClient::Environment`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:thinclient:<region>:<account_ID>:environment/<environment_ID>``
-            When ``resources.type`` equals ``AWS::Timestream::Database`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>``
-            When ``resources.type`` equals ``AWS::Timestream::Table`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:timestream:<region>:<account_ID>:database/<database_name>/table/<table_name>``
-            When resources.type equals ``AWS::VerifiedPermissions::PolicyStore`` , and the operator is set to ``Equals`` or ``NotEquals`` , the ARN must be in the following format:
-            - ``arn:<partition>:verifiedpermissions:<region>:<account_ID>:policy-store/<policy_store_UUID>``
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudtrail-trail-advancedfieldselector.html#cfn-cloudtrail-trail-advancedfieldselector-field
             '''
             result = self._values.get("field")
@@ -3447,25 +2925,20 @@ class CfnTrail(
             type: builtins.str,
             values: typing.Optional[typing.Sequence[builtins.str]] = None,
         ) -> None:
-            '''Data events provide information about the resource operations performed on or within a resource itself.
-            These are also known as data plane operations. You can specify up to 250 data resources for a trail.
-            Configure the ``DataResource`` to specify the resource type and resource ARNs for which you want to log data events.
-            You can specify the following resource types in your event selectors for your trail:
+            '''You can configure the ``DataResource`` in an ``EventSelector`` to log data events for the following three resource types:.
             - ``AWS::DynamoDB::Table``
             - ``AWS::Lambda::Function``
             - ``AWS::S3::Object``
+            To log data events for all other resource types including objects stored in `directory buckets <https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html>`_ , you must use `AdvancedEventSelectors <https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedEventSelector.html>`_ . You must also use ``AdvancedEventSelectors`` if you want to filter on the ``eventName`` field.
+            Configure the ``DataResource`` to specify the resource type and resource ARNs for which you want to log data events.
             .. epigraph::
                The total number of allowed data resources is 250. This number can be distributed between 1 and 5 event selectors, but the total cannot exceed 250 across all selectors for the trail.
-               If you are using advanced event selectors, the maximum total number of values for all conditions, across all advanced event selectors for the trail, is 500.
-            The following example demonstrates how logging works when you configure logging of all data events for an S3 bucket named ``DOC-EXAMPLE-BUCKET1`` . In this example, the CloudTrail user specified an empty prefix, and the option to log both ``Read`` and ``Write`` data events.
+            The following example demonstrates how logging works when you configure logging of all data events for a general purpose bucket named ``DOC-EXAMPLE-BUCKET1`` . In this example, the CloudTrail user specified an empty prefix, and the option to log both ``Read`` and ``Write`` data events.
             - A user uploads an image file to ``DOC-EXAMPLE-BUCKET1`` .
             - The ``PutObject`` API operation is an Amazon S3 object-level API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified an S3 bucket with an empty prefix, events that occur on any object in that bucket are logged. The trail processes and logs the event.
@@ -3594,7 +3067,7 @@ class CfnTrail(
             You cannot apply both event selectors and advanced event selectors to a trail.
-            :param data_resources: CloudTrail supports data event logging for Amazon S3 objects, AWS Lambda functions, and Amazon DynamoDB tables with basic event selectors. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events. For more information, see `Data Events <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html>`_ and `Limits in AWS CloudTrail <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html>`_ in the *AWS CloudTrail User Guide* .
+            :param data_resources: CloudTrail supports data event logging for Amazon S3 objects in standard S3 buckets, AWS Lambda functions, and Amazon DynamoDB tables with basic event selectors. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events. For more information, see `Data Events <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html>`_ and `Limits in AWS CloudTrail <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html>`_ in the *AWS CloudTrail User Guide* . .. epigraph:: To log data events for all other resource types including objects stored in `directory buckets <https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html>`_ , you must use `AdvancedEventSelectors <https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedEventSelector.html>`_ . You must also use ``AdvancedEventSelectors`` if you want to filter on the ``eventName`` field.
             :param exclude_management_event_sources: An optional list of service event sources from which you do not want management events to be logged on your trail. In this release, the list can be empty (disables the filter), or it can filter out AWS Key Management Service or Amazon RDS Data API events by containing ``kms.amazonaws.com`` or ``rdsdata.amazonaws.com`` . By default, ``ExcludeManagementEventSources`` is empty, and AWS KMS and Amazon RDS Data API events are logged to your trail. You can exclude management event sources only in Regions that support the event source.
             :param include_management_events: Specify if you want your event selector to include management events for your trail. For more information, see `Management Events <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html>`_ in the *AWS CloudTrail User Guide* . By default, the value is ``true`` . The first copy of management events is free. You are charged for additional copies of management events that you are logging on any subsequent trail in the same Region. For more information about CloudTrail pricing, see `AWS CloudTrail Pricing <https://docs.aws.amazon.com/cloudtrail/pricing/>`_ .
             :param read_write_type: Specify if you want your trail to log read-only events, write-only events, or all. For example, the EC2 ``GetConsoleOutput`` is a read-only API operation and ``RunInstances`` is a write-only API operation. By default, the value is ``All`` .
@@ -3640,11 +3113,14 @@ class CfnTrail(
         def data_resources(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnTrail.DataResourceProperty"]]]]:
-            '''CloudTrail supports data event logging for Amazon S3 objects, AWS Lambda functions, and Amazon DynamoDB tables with basic event selectors.
+            '''CloudTrail supports data event logging for Amazon S3 objects in standard S3 buckets, AWS Lambda functions, and Amazon DynamoDB tables with basic event selectors.
             You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.
             For more information, see `Data Events <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html>`_ and `Limits in AWS CloudTrail <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html>`_ in the *AWS CloudTrail User Guide* .
+            .. epigraph::
+               To log data events for all other resource types including objects stored in `directory buckets <https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html>`_ , you must use `AdvancedEventSelectors <https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedEventSelector.html>`_ . You must also use ``AdvancedEventSelectors`` if you want to filter on the ``eventName`` field.
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudtrail-trail-eventselector.html#cfn-cloudtrail-trail-eventselector-dataresources
             '''

aws-cdk-lib 2.149.0__py3-none-any.whl → 2.151.0__py3-none-any.whl

Potentially problematic release.

aws-cdk-lib 2.149.0py3-none-any.whl → 2.151.0py3-none-any.whl