AWS::CloudTrail::ResourcePolicy - Amazon CloudFormation


Attaches a resource-based permission policy to a CloudTrail channel that is used for an integration with an event source outside of Amazon. For more information about resource-based policies, see CloudTrail resource-based policy examples in the CloudTrail User Guide.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


JSON

{
  "Type" : "AWS::CloudTrail::ResourcePolicy",
  "Properties" : {
    "ResourceArn" : String,
    "ResourcePolicy" : Json
  }
}


YAML

Type: AWS::CloudTrail::ResourcePolicy
Properties:
  ResourceArn: String
  ResourcePolicy: Json



ResourceArn

The Amazon Resource Name (ARN) of the CloudTrail channel attached to the resource-based policy. The following is the format of a resource ARN: arn:aws:cloudtrail:us-east-2:123456789012:channel/MyChannel.

Required: Yes

Type: String

Pattern: ^[a-zA-Z0-9._/\-:]+$

Minimum: 3

Maximum: 256

Update requires: Replacement


ResourcePolicy

A JSON-formatted string for an Amazon resource-based policy.

The following are requirements for the resource policy:

  • Contains only one action: cloudtrail-data:PutAuditEvents

  • Contains at least one statement. The policy can have a maximum of 20 statements.

  • Each statement contains at least one principal. A statement can have a maximum of 50 principals.

Required: Yes

Type: Json

Minimum: 1

Maximum: 8192

Update requires: No interruption

Return values


When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource. The resource is a combination of the resource-based policy document and the channel ARN.



The following example creates a resource policy that allows Amazon account ID 111122223333 to call PutAuditEvents on the channel defined as the resource ARN in the policy. For information about creating a resource policy, see Amazon CloudTrail resource-based policy examples in the Amazon CloudTrail User Guide.


JSON

{
  "Type": "AWS::CloudTrail::ResourcePolicy",
  "Properties": {
    "ResourceArn": "arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE",
    "ResourcePolicy": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"DeliverEventsThroughChannel\", \"Effect\": \"Allow\", \"Principal\": { \"AWS\": [ \"arn:aws:iam::111122223333:root\" ] }, \"Action\":\"cloudtrail-data:PutAuditEvents\", \"Resource\": \"arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE\" } ] }"
  }
}


YAML

Type: AWS::CloudTrail::ResourcePolicy
Properties:
  ResourceArn: "arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE"
  ResourcePolicy: "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"DeliverEventsThroughChannel\", \"Effect\": \"Allow\", \"Principal\": { \"AWS\": [ \"arn:aws:iam::111122223333:root\" ] }, \"Action\":\"cloudtrail-data:PutAuditEvents\", \"Resource\": \"arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE\" } ] }"
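
The constraints documented for ResourceArn and ResourcePolicy can be checked before a template is deployed. The following is an added example, not part of the original documentation or of any Amazon tooling: a Python pre-deployment check whose function names are hypothetical, and which assumes that the Minimum and Maximum values for ResourcePolicy refer to the length of the JSON string.

```python
import json
import re

ARN_PATTERN = r"^[a-zA-Z0-9._/\-:]+$"  # pattern documented for ResourceArn
ALLOWED_ACTION = "cloudtrail-data:PutAuditEvents"

# Values copied from the example on this page.
EXAMPLE_ARN = ("arn:aws:cloudtrail:us-east-1:01234567890:"
               "channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE")
EXAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DeliverEventsThroughChannel", "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
        "Action": ALLOWED_ACTION,
        "Resource": EXAMPLE_ARN,
    }],
})

def _as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def check_channel_policy(resource_arn, policy_json):
    """Return the documented constraints that are violated (empty list = OK)."""
    problems = []
    if not 3 <= len(resource_arn) <= 256 or not re.fullmatch(ARN_PATTERN, resource_arn):
        problems.append("ResourceArn: must be 3-256 characters matching the pattern")
    if not 1 <= len(policy_json) <= 8192:  # assumption: limits are string length
        problems.append("ResourcePolicy: length must be 1-8192")
    try:
        policy = json.loads(policy_json)
    except ValueError:
        return problems + ["ResourcePolicy: not valid JSON"]
    statements = _as_list(policy.get("Statement")) if isinstance(policy, dict) else []
    if not 1 <= len(statements) <= 20:
        problems.append("Statement: need 1-20 statements")
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            problems.append(f"Statement[{i}]: must be a JSON object")
            continue
        if _as_list(stmt.get("Action")) != [ALLOWED_ACTION]:
            problems.append(f"Statement[{i}]: Action must be only {ALLOWED_ACTION}")
        principal = stmt.get("Principal")
        # Principal is a string such as "*" or a map such as {"AWS": [...]}.
        found = ([principal] if isinstance(principal, str) else
                 [p for v in principal.values() for p in _as_list(v)]
                 if isinstance(principal, dict) else [])
        if not 1 <= len(found) <= 50:
            problems.append(f"Statement[{i}]: need 1-50 principals")
    return problems
```

Calling check_channel_policy(EXAMPLE_ARN, EXAMPLE_POLICY) returns an empty list for the policy shown on this page; a policy that adds a second action or omits the principal returns one message per violated constraint.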