AWS CloudFormation
User Guide (API Version 2010-05-15)
AWS services or the features described in the AWS documentation may vary by region or location. Click Getting Started with Amazon AWS to see the specific differences for the China regions.

AWS::CloudTrail::Trail

Use the AWS::CloudTrail::Trail resource to create a trail and specify where its logs are published. An AWS CloudTrail (CloudTrail) trail captures the AWS API calls made by your AWS account and publishes the logs to an Amazon S3 bucket. For more information, see What Is AWS CloudTrail? in the AWS CloudTrail User Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::CloudTrail::Trail",
  "Properties" : {
    "CloudWatchLogsLogGroupArn" : String,
    "CloudWatchLogsRoleArn" : String,
    "EnableLogFileValidation" : Boolean,
    "EventSelectors" : [ EventSelector, ... ],
    "IncludeGlobalServiceEvents" : Boolean,
    "IsLogging" : Boolean,
    "IsMultiRegionTrail" : Boolean,
    "KMSKeyId" : String,
    "S3BucketName" : String,
    "S3KeyPrefix" : String,
    "SnsTopicName" : String,
    "Tags" : [ Resource Tag, ... ],
    "TrailName" : String
  }
}

YAML

Type: "AWS::CloudTrail::Trail"
Properties:
  CloudWatchLogsLogGroupArn: String
  CloudWatchLogsRoleArn: String
  EnableLogFileValidation: Boolean
  EventSelectors:
    - EventSelector
  IncludeGlobalServiceEvents: Boolean
  IsLogging: Boolean
  IsMultiRegionTrail: Boolean
  KMSKeyId: String
  S3BucketName: String
  S3KeyPrefix: String
  SnsTopicName: String
  Tags:
    - Resource Tag
  TrailName: String

Properties

For more information and property constraints, see CreateTrail in the AWS CloudTrail API Reference.

CloudWatchLogsLogGroupArn

The Amazon Resource Name (ARN) of the log group to which CloudTrail logs are delivered.

Required: Conditional. This property is required if you specify the CloudWatchLogsRoleArn property.

Type: String

Update requires: No interruption

CloudWatchLogsRoleArn

The ARN of the role that Amazon CloudWatch Logs (CloudWatch Logs) assumes when it writes to the log group. CloudTrail delivers events to CloudWatch Logs only when this property and CloudWatchLogsLogGroupArn are both set. For more information, see Role Policy Document for CloudTrail to Use CloudWatch Logs for Monitoring in the AWS CloudTrail User Guide.

Required: No

Type: String

Update requires: No interruption

EnableLogFileValidation

Indicates whether CloudTrail validates the integrity of log files. By default, AWS CloudFormation sets this value to false. When log file integrity validation is disabled, CloudTrail stops creating digest files, so it can no longer tell you whether a delivered log file was later modified, deleted, or never delivered; set this to true for any trail whose logs serve as audit evidence. For more information, see CreateTrail in the AWS CloudTrail API Reference.

Required: No

Type: Boolean

Update requires: No interruption

EventSelectors

Configures logging for management events and data events.

Required: No

Type: List of CloudTrail Trail EventSelector

Update requires: No interruption

IncludeGlobalServiceEvents

Indicates whether the trail publishes events from global services, such as IAM, to the log files. By default, AWS CloudFormation sets this value to false, so a trail that keeps the default records no IAM API calls.

Required: No

Type: Boolean

Update requires: No interruption

IsLogging

Indicates whether the CloudTrail trail is currently logging AWS API calls.

Required: Yes

Type: Boolean

Update requires: No interruption

IsMultiRegionTrail

Indicates whether the CloudTrail trail is created in the region in which you create the stack (false) or in all regions (true). By default, AWS CloudFormation sets this value to false; a single-region trail records nothing about API calls made in any other region, including regions your account does not normally use. For more information, see How Does CloudTrail Behave Regionally and Globally? in the AWS CloudTrail User Guide.

Required: No

Type: Boolean

Update requires: No interruption

KMSKeyId

The AWS Key Management Service (AWS KMS) key ID to use to encrypt CloudTrail logs. You can specify an alias name (prefixed with alias/), an alias ARN, a key ARN, or a globally unique identifier. The key's policy must allow the cloudtrail.amazonaws.com service principal to generate data keys with it, or log delivery fails.

Required: No

Type: String

Update requires: No interruption

S3BucketName

The name of the Amazon S3 bucket to which CloudTrail publishes log files.

Required: Yes

Type: String

Update requires: No interruption

S3KeyPrefix

An Amazon S3 object key prefix that precedes the name of every log file.

Required: No

Type: String

Update requires: No interruption

SnsTopicName

The name of the Amazon SNS topic that is notified when new log files are published.

Required: No

Type: String

Update requires: No interruption

Tags

An arbitrary set of tags (key-value pairs) for this trail.

Required: No

Type: AWS CloudFormation Resource Tag

Update requires: No interruption

TrailName

The name of the trail. For constraint information, see CreateTrail in the AWS CloudTrail API Reference.

Required: No

Type: String

Update requires: Replacement

Return Values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource name.

For more information about using the Ref function, see Ref.

Fn::GetAtt

Fn::GetAtt returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

Arn

The ARN of the CloudTrail trail, such as arn:aws:cloudtrail:us-west-2:123456789012:trail/myCloudTrail.

SnsTopicArn

The ARN of the Amazon SNS topic that is associated with the CloudTrail trail, such as arn:aws:sns:us-west-2:123456789012:mySNSTopic.

For more information about using Fn::GetAtt, see Fn::GetAtt.

Examples

The following example creates a CloudTrail trail, an Amazon S3 bucket to which the logs are published, and an Amazon SNS topic to which notifications are sent. The bucket and topic policies allow CloudTrail (from the specified regions) to publish logs to the Amazon S3 bucket and to send notifications to the email address that you specify. Because CloudTrail automatically writes to the bucket_name/AWSLogs/account_ID/ folder, the bucket policy grants write permission only for that prefix; the s3:x-amz-acl condition on the write grant ensures that the bucket owner, not the CloudTrail service, ends up with full control of every delivered object. For information about CloudTrail bucket policies, see Amazon S3 Bucket Policy in the AWS CloudTrail User Guide.

For more information about the regions that CloudTrail supports, see Supported Regions in the AWS CloudTrail User Guide.

JSON

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Parameters" : {
    "OperatorEmail": {
      "Description": "Email address to notify when new logs are published.",
      "Type": "String"
    }
  },
  "Resources" : {
    "S3Bucket": {
      "DeletionPolicy" : "Retain",
      "Type": "AWS::S3::Bucket",
      "Properties": {
      }
    },
    "BucketPolicy" : {
      "Type" : "AWS::S3::BucketPolicy",
      "Properties" : {
        "Bucket" : {"Ref" : "S3Bucket"},
        "PolicyDocument" : {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailAclCheck",
              "Effect": "Allow",
              "Principal": { "Service":"cloudtrail.amazonaws.com"},
              "Action": "s3:GetBucketAcl",
              "Resource": { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref":"S3Bucket"}]]}
            },
            {
              "Sid": "AWSCloudTrailWrite",
              "Effect": "Allow",
              "Principal": { "Service":"cloudtrail.amazonaws.com"},
              "Action": "s3:PutObject",
              "Resource": { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref":"S3Bucket"}, "/AWSLogs/", {"Ref":"AWS::AccountId"}, "/*"]]},
              "Condition": {
                "StringEquals": {
                  "s3:x-amz-acl": "bucket-owner-full-control"
                }
              }
            }
          ]
        }
      }
    },
    "Topic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [
          {
            "Endpoint": { "Ref": "OperatorEmail" },
            "Protocol": "email"
          }
        ]
      }
    },
    "TopicPolicy" : {
      "Type" : "AWS::SNS::TopicPolicy",
      "Properties" : {
        "Topics" : [{"Ref":"Topic"}],
        "PolicyDocument" : {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AWSCloudTrailSNSPolicy",
              "Effect": "Allow",
              "Principal": { "Service":"cloudtrail.amazonaws.com"},
              "Resource": "*",
              "Action": "SNS:Publish"
            }
          ]
        }
      }
    },
    "myTrail" : {
      "DependsOn" : ["BucketPolicy", "TopicPolicy"],
      "Type" : "AWS::CloudTrail::Trail",
      "Properties" : {
        "S3BucketName" : {"Ref":"S3Bucket"},
        "SnsTopicName" : {"Fn::GetAtt":["Topic","TopicName"]},
        "IsLogging" : true
      }
    }
  }
}

YAML

AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OperatorEmail:
    Description: "Email address to notify when new logs are published."
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: "AWS::S3::Bucket"
    Properties: {}
  BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailAclCheck"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub |-
              arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  Topic:
    Type: "AWS::SNS::Topic"
    Properties:
      Subscription:
        - Endpoint:
            Ref: OperatorEmail
          Protocol: email
  TopicPolicy:
    Type: "AWS::SNS::TopicPolicy"
    Properties:
      Topics:
        - Ref: "Topic"
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: "AWSCloudTrailSNSPolicy"
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Resource: "*"
            Action: "SNS:Publish"
  myTrail:
    DependsOn:
      - BucketPolicy
      - TopicPolicy
    Type: "AWS::CloudTrail::Trail"
    Properties:
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
          - Topic
          - TopicName
      IsLogging: true
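The property descriptions above and the bucket policy in this example amount to a checklist that a reviewer applies to every trail a stack creates: logging on, log file validation on, all regions, global service events included, KMS encryption set, the CloudWatch Logs group and role set together, and a bucket policy with the AclCheck statement and the conditioned PutObject grant. The following Python script is an added example, not code from the AWS documentation: it audits the AWS::CloudTrail::Trail resources of a JSON-form template against that checklist. Both embedded templates are constructed for the demonstration; the weak one is this page's trail with a deliberately degraded bucket policy, and TrailKey, TrailLogGroup and TrailLogsRole in the hardened one are assumed logical IDs for resources not shown.

```python
"""Static audit of AWS::CloudTrail::Trail resources in a CloudFormation template.

Added example, not code from the AWS documentation. It turns this page's property
descriptions into checks on the trail, the CloudWatch Logs group/role pair, and the
two bucket-policy statements the page's example relies on.
"""
CLOUDTRAIL = "cloudtrail.amazonaws.com"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _ref_target(value):
    """Resolve {"Ref": "X"} or a literal string to a bucket name; other intrinsics give None."""
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return value if isinstance(value, str) else None

def audit_trail(name, props):
    """Findings for one trail's properties (every default on this page is false or unset)."""
    findings = []
    if props.get("IsLogging") is not True:
        findings.append(f"{name}: IsLogging is not true, the trail records nothing")
    if props.get("EnableLogFileValidation") is not True:
        findings.append(f"{name}: EnableLogFileValidation defaults to false, no digest files")
    if props.get("IsMultiRegionTrail") is not True:
        findings.append(f"{name}: IsMultiRegionTrail defaults to false, other regions are unlogged")
    if props.get("IncludeGlobalServiceEvents") is not True:
        findings.append(f"{name}: IncludeGlobalServiceEvents defaults to false, IAM calls are dropped")
    if not props.get("KMSKeyId"):
        findings.append(f"{name}: KMSKeyId unset, log files are not encrypted with a KMS key")
    if ("CloudWatchLogsLogGroupArn" in props) != ("CloudWatchLogsRoleArn" in props):
        findings.append(f"{name}: CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn must be set together")
    return findings

def audit_bucket_policy(template, name, props):
    """Findings for the AWS::S3::BucketPolicy attached to the trail's bucket."""
    bucket = _ref_target(props.get("S3BucketName"))
    if bucket is None:
        return [f"{name}: S3BucketName is not a Ref or literal, review its bucket policy by hand"]
    policies = [r for r in template.get("Resources", {}).values()
                if r.get("Type") == "AWS::S3::BucketPolicy"
                and _ref_target(r.get("Properties", {}).get("Bucket")) == bucket]
    if not policies:
        return [f"{name}: no AWS::S3::BucketPolicy targets bucket {bucket!r}"]
    stmts = policies[0]["Properties"]["PolicyDocument"].get("Statement", [])
    # Only Allow statements granted to the CloudTrail service principal count.
    allowed = [s for s in stmts if s.get("Effect") == "Allow"
               and isinstance(s.get("Principal"), dict)
               and s["Principal"].get("Service") == CLOUDTRAIL]
    findings = []
    if not any("s3:GetBucketAcl" in _as_list(s.get("Action")) for s in allowed):
        findings.append(f"{name}: bucket policy lacks s3:GetBucketAcl for {CLOUDTRAIL}")
    puts = [s for s in allowed if "s3:PutObject" in _as_list(s.get("Action"))]
    if not puts:
        findings.append(f"{name}: bucket policy lacks s3:PutObject for {CLOUDTRAIL}")
    elif not any(s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
                 == "bucket-owner-full-control" for s in puts):
        findings.append(f"{name}: s3:PutObject grant lacks the s3:x-amz-acl = bucket-owner-full-control condition")
    return findings

def audit_template(template):
    """All findings for every AWS::CloudTrail::Trail in a parsed (JSON-form) template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::CloudTrail::Trail":
            props = res.get("Properties", {})
            findings += audit_trail(name, props) + audit_bucket_policy(template, name, props)
    return findings

def _template(trail_props, statements):
    """Constructed minimal template shaped like the page's example: bucket, policy, trail."""
    return {"Resources": {
        "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "BucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
            "Bucket": {"Ref": "S3Bucket"},
            "PolicyDocument": {"Version": "2012-10-17", "Statement": statements}}},
        "myTrail": {"Type": "AWS::CloudTrail::Trail",
                    "Properties": {"S3BucketName": {"Ref": "S3Bucket"}, **trail_props}}}}

ACL_CHECK = {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
             "Action": "s3:GetBucketAcl", "Resource": {"Fn::Sub": "arn:aws:s3:::${S3Bucket}"}}
WRITE = {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject",
         "Resource": {"Fn::Sub": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*"},
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}

# Weak (constructed): the page's trail properties, but a bucket policy that lacks the
# AclCheck statement and the ACL condition on the write grant.
WEAK = _template({"IsLogging": True}, [{k: v for k, v in WRITE.items() if k != "Condition"}])

# Hardened (constructed): every security-relevant property on this page set. TrailKey,
# TrailLogGroup and TrailLogsRole are assumed to be defined elsewhere in the template.
HARDENED = _template({
    "IsLogging": True, "EnableLogFileValidation": True, "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True, "KMSKeyId": {"Ref": "TrailKey"},
    "CloudWatchLogsLogGroupArn": {"Fn::GetAtt": ["TrailLogGroup", "Arn"]},
    "CloudWatchLogsRoleArn": {"Fn::GetAtt": ["TrailLogsRole", "Arn"]}}, [ACL_CHECK, WRITE])

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_template(tpl) or ["no findings"])
```

To run this against a real template, json.load the file and pass the result to audit_template. A YAML template first needs a loader that understands the short-form tags (!Sub, !Ref, !GetAtt) used in the YAML example above; the checks resolve only Ref and literal bucket names, and report anything else for manual review rather than guessing.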
