AWS::CloudTrail::ResourcePolicy - Amazon CloudFormation

AWS::CloudTrail::ResourcePolicy

Attaches a resource-based permission policy to a CloudTrail channel that is used for an integration with an event source outside of Amazon. For more information about resource-based policies, see CloudTrail resource-based policy examples in the CloudTrail User Guide.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::CloudTrail::ResourcePolicy",
  "Properties" : {
      "ResourceArn" : String,
      "ResourcePolicy" : Json
    }
}

YAML

Type: AWS::CloudTrail::ResourcePolicy
Properties:
  ResourceArn: String
  ResourcePolicy: Json

Properties

ResourceArn

The Amazon Resource Name (ARN) of the CloudTrail channel attached to the resource-based policy. The following is the format of a resource ARN: arn:aws:cloudtrail:us-east-2:123456789012:channel/MyChannel.

Required: Yes

Type: String

Pattern: ^[a-zA-Z0-9._/\-:]+$

Minimum: 3

Maximum: 256

Update requires: Replacement

ResourcePolicy

A JSON-formatted string for an Amazon resource-based policy.

The following are requirements for the resource policy:

  • Contains only one action: cloudtrail-data:PutAuditEvents

  • Contains at least one statement. The policy can have a maximum of 20 statements.

  • Each statement contains at least one principal. A statement can have a maximum of 50 principals.

Required: Yes

Type: Json

Minimum: 1

Maximum: 8192

Update requires: No interruption

Return values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource. The resource is a combination of the resource-based policy document and the channel ARN.

Examples

Example

The following example creates a resource policy that allows Amazon account ID 111122223333 to call PutAuditEvents on the channel defined as the resource ARN in the policy. For information about creating a resource policy, see Amazon CloudTrail resource-based policy examples in the Amazon CloudTrail User Guide.

JSON

{
  "Type": "AWS::CloudTrail::ResourcePolicy",
  "Properties": {
    "ResourceArn": "arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE",
    "ResourcePolicy": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"DeliverEventsThroughChannel\", \"Effect\": \"Allow\", \"Principal\": { \"AWS\": [ \"arn:aws:iam::111122223333:root\" ] }, \"Action\":\"cloudtrail-data:PutAuditEvents\", \"Resource\": \"arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE\" } ] }"
  }
}

YAML

Type: AWS::CloudTrail::ResourcePolicy
Properties:
  ResourceArn: "arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE"
  ResourcePolicy: "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"DeliverEventsThroughChannel\", \"Effect\": \"Allow\", \"Principal\": { \"AWS\": [ \"arn:aws:iam::111122223333:root\" ] }, \"Action\":\"cloudtrail-data:PutAuditEvents\", \"Resource\": \"arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE\" } ] }"
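As an added illustration (not part of the CloudFormation documentation), the following Python check validates a Properties block against the ResourcePolicy requirements listed above (only cloudtrail-data:PutAuditEvents, 1 to 20 statements, 1 to 50 principals per statement, 1 to 8192 characters) and the ResourceArn pattern and length, before the template is deployed. The wildcard-principal finding is an extra check beyond the documented requirements; the sample input is constructed here and reuses the channel ARN and account ID from the example above.

```python
import json
import re

# Limits from the ResourceArn and ResourcePolicy property descriptions on this page.
ARN_PATTERN = re.compile(r"^[a-zA-Z0-9._/\-:]+$")
ONLY_ACTION = "cloudtrail-data:PutAuditEvents"
MAX_STATEMENTS, MAX_PRINCIPALS, MAX_POLICY_LEN = 20, 50, 8192
# Constructed sample, reusing the channel ARN and account from the page's example.
CHANNEL_ARN = "arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE"
EXAMPLE_PROPS = {
    "ResourceArn": CHANNEL_ARN,
    "ResourcePolicy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DeliverEventsThroughChannel", "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
        "Action": ONLY_ACTION, "Resource": CHANNEL_ARN}]}),
}

def _as_list(value):
    """IAM policy grammar allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]

def _principals(principal):
    """Flatten a Principal element ("*" or {"AWS": [...], ...}) into one list."""
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return [] if principal is None else _as_list(principal)

def validate_resource_policy(props):
    """Return findings for an AWS::CloudTrail::ResourcePolicy Properties block; [] means OK."""
    findings = []
    arn = props.get("ResourceArn", "")
    if not (3 <= len(arn) <= 256 and ARN_PATTERN.match(arn) and ":channel/" in arn):
        findings.append("ResourceArn is not a well-formed CloudTrail channel ARN")
    policy = props.get("ResourcePolicy")  # type Json: an object or a JSON-encoded string
    raw = policy if isinstance(policy, str) else json.dumps(policy)
    if not 1 <= len(raw) <= MAX_POLICY_LEN:
        findings.append(f"ResourcePolicy length {len(raw)} outside 1..{MAX_POLICY_LEN}")
    doc = json.loads(raw) if raw else {}
    statements = _as_list(doc.get("Statement", [])) if isinstance(doc, dict) else []
    if not 1 <= len(statements) <= MAX_STATEMENTS:
        findings.append(f"{len(statements)} statements, need 1..{MAX_STATEMENTS}")
    for i, stmt in enumerate(statements):
        if set(_as_list(stmt.get("Action", []))) != {ONLY_ACTION}:
            findings.append(f"statement {i}: Action must be exactly {ONLY_ACTION}")
        principals = _principals(stmt.get("Principal"))
        if not 1 <= len(principals) <= MAX_PRINCIPALS:
            findings.append(f"statement {i}: {len(principals)} principals, need 1..{MAX_PRINCIPALS}")
        if "*" in principals:  # beyond the page's list: a wildcard opens the channel to any account
            findings.append(f"statement {i}: wildcard principal")
    return findings
```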