AWS::CloudTrail::Trail EventSelector - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::CloudTrail::Trail EventSelector

Use event selectors to further specify the management and data event settings for your trail. By default, trails created without specific event selectors will be configured to log all read and write management events, and no data events. When an event occurs in your account, CloudTrail evaluates the event selector for all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.

You can configure up to five event selectors for a trail.

You cannot apply both event selectors and advanced event selectors to a trail.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{ "DataResources" : [ DataResource, ... ], "ExcludeManagementEventSources" : [ String, ... ], "IncludeManagementEvents" : Boolean, "ReadWriteType" : String }

Properties

DataResources

CloudTrail supports data event logging for Amazon S3 objects, Amazon Lambda functions, and Amazon DynamoDB tables with basic event selectors. You can specify up to 250 resources for an individual event selector, but the total number of data resources cannot exceed 250 across all event selectors in a trail. This limit does not apply if you configure resource logging for all data events.

For more information, see Data Events and Limits in Amazon CloudTrail in the Amazon CloudTrail User Guide.

Required: Conditional

Type: Array of DataResource

Update requires: No interruption

ExcludeManagementEventSources

An optional list of service event sources from which you do not want management events to be logged on your trail. In this release, the list can be empty (disables the filter), or it can filter out Amazon Key Management Service or Amazon RDS Data API events by containing kms.amazonaws.com or rdsdata.amazonaws.com. By default, ExcludeManagementEventSources is empty, and Amazon KMS and Amazon RDS Data API events are logged to your trail. You can exclude management event sources only in Regions that support the event source.

Required: No

Type: Array of String

Update requires: No interruption

IncludeManagementEvents

Specify if you want your event selector to include management events for your trail.

For more information, see Management Events in the Amazon CloudTrail User Guide.

By default, the value is true.

The first copy of management events is free. You are charged for additional copies of management events that you are logging on any subsequent trail in the same Region. For more information about CloudTrail pricing, see Amazon CloudTrail Pricing.

Required: No

Type: Boolean

Update requires: No interruption

ReadWriteType

Specify if you want your trail to log read-only events, write-only events, or all. For example, the EC2 GetConsoleOutput is a read-only API operation and RunInstances is a write-only API operation.

By default, the value is All.

Required: No

Type: String

Allowed values: All | ReadOnly | WriteOnly

Update requires: No interruption