AdvancedFieldSelector

Gets and sets the property EndsWith.

An operator that includes events that match the last few characters of the event record field specified as the value of Field.

Gets and sets the property Equals.

An operator that includes events that match the exact value of the event record field specified as the value of Field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.

Gets and sets the property Field.

A field in a CloudTrail event record on which to filter events to be logged. For event data stores for CloudTrail Insights events, Config configuration items, Audit Manager evidence, or events outside of Amazon Web Services, the field is used only for selecting events as filtering is not supported.

For CloudTrail management events, supported fields include readOnly, eventCategory, and eventSource.

For CloudTrail data events, supported fields include readOnly, eventCategory, eventName, resources.type, and resources.ARN.

For event data stores for CloudTrail Insights events, Config configuration items, Audit Manager evidence, or events outside of Amazon Web Services, the only supported field is eventCategory.

• readOnly - Optional. Can be set to Equals a value of true or false. If you do not add this field, CloudTrail logs both read and write events. A value of true logs only read events. A value of false logs only write events.

• eventSource - For filtering management events only. This can be set to NotEquals kms.amazonaws.com or NotEquals rdsdata.amazonaws.com.

• eventName - Can use any operator. You can use it to filter in or filter out any data event logged to CloudTrail, such as PutBucket or GetSnapshotBlock. You can have multiple values for this field, separated by commas.

• eventCategory - This is required and must be set to Equals.

  • For CloudTrail management events, the value must be Management.

  • For CloudTrail data events, the value must be Data.

  The following are used only for event data stores:

  • For CloudTrail Insights events, the value must be Insight.

  • For Config configuration items, the value must be ConfigurationItem.

  • For Audit Manager evidence, the value must be Evidence.

  • For non-Amazon Web Services events, the value must be ActivityAuditLog.

• resources.type - This field is required for CloudTrail data events. resources.type can only use the Equals operator, and the value can be one of the following:

  • AWS::DynamoDB::Table

  • AWS::Lambda::Function

  • AWS::S3::Object

  • AWS::AppConfig::Configuration

  • AWS::B2BI::Transformer

  • AWS::Bedrock::AgentAlias

  • AWS::Bedrock::KnowledgeBase

  • AWS::Cassandra::Table

  • AWS::CloudFront::KeyValueStore

  • AWS::CloudTrail::Channel

  • AWS::CodeWhisperer::Customization

  • AWS::CodeWhisperer::Profile

  • AWS::Cognito::IdentityPool

  • AWS::DynamoDB::Stream

  • AWS::EC2::Snapshot

  • AWS::EMRWAL::Workspace

  • AWS::FinSpace::Environment

  • AWS::Glue::Table

  • AWS::GreengrassV2::ComponentVersion

  • AWS::GreengrassV2::Deployment

  • AWS::GuardDuty::Detector

  • AWS::IoT::Certificate

  • AWS::IoT::Thing

  • AWS::IoTSiteWise::Asset

  • AWS::IoTSiteWise::TimeSeries

  • AWS::IoTTwinMaker::Entity

  • AWS::IoTTwinMaker::Workspace

  • AWS::KendraRanking::ExecutionPlan

  • AWS::KinesisVideo::Stream

  • AWS::ManagedBlockchain::Network

  • AWS::ManagedBlockchain::Node

  • AWS::MedicalImaging::Datastore

  • AWS::NeptuneGraph::Graph

  • AWS::PCAConnectorAD::Connector

  • AWS::QBusiness::Application

  • AWS::QBusiness::DataSource

  • AWS::QBusiness::Index

  • AWS::QBusiness::WebExperience

  • AWS::RDS::DBCluster

  • AWS::S3::AccessPoint

  • AWS::S3ObjectLambda::AccessPoint

  • AWS::S3Outposts::Object

  • AWS::SageMaker::Endpoint

  • AWS::SageMaker::ExperimentTrialComponent

  • AWS::SageMaker::FeatureGroup

  • AWS::ServiceDiscovery::Namespace

  • AWS::ServiceDiscovery::Service

  • AWS::SCN::Instance

  • AWS::SNS::PlatformEndpoint

  • AWS::SNS::Topic

  • AWS::SWF::Domain

  • AWS::SQS::Queue

  • AWS::SSMMessages::ControlChannel

  • AWS::ThinClient::Device

  • AWS::ThinClient::Environment

  • AWS::Timestream::Database

  • AWS::Timestream::Table

  • AWS::VerifiedPermissions::PolicyStore

  You can have only one resources.type field per selector. To log data events on more than one resource type, add another selector.

• resources.ARN - You can use any operator with resources.ARN, but if you use Equals or NotEquals, the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. For example, if resources.type equals AWS::S3::Object, the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the StartsWith operator, and include only the bucket ARN as the matching value.

  The trailing slash is intentional; do not exclude it. Replace the text between less than and greater than symbols (<>) with resource-specific information.

  • arn::s3:::/

  • arn::s3::://

  When resources.type equals AWS::DynamoDB::Table, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::dynamodb:::table/

  When resources.type equals AWS::Lambda::Function, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::lambda:::function:

  When resources.type equals AWS::AppConfig::Configuration, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::appconfig:::application//environment//configuration/

  When resources.type equals AWS::B2BI::Transformer, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::b2bi:::transformer/

  When resources.type equals AWS::Bedrock::AgentAlias, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::bedrock:::agent-alias//

  When resources.type equals AWS::Bedrock::KnowledgeBase, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::bedrock:::knowledge-base/

  When resources.type equals AWS::Cassandra::Table, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::cassandra:::/keyspace//table/

  When resources.type equals AWS::CloudFront::KeyValueStore, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::cloudfront:::key-value-store/

  When resources.type equals AWS::CloudTrail::Channel, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::cloudtrail:::channel/

  When resources.type equals AWS::CodeWhisperer::Customization, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::codewhisperer:::customization/

  When resources.type equals AWS::CodeWhisperer::Profile, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::codewhisperer:::profile/

  When resources.type equals AWS::Cognito::IdentityPool, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::cognito-identity:::identitypool/

  When resources.type equals AWS::DynamoDB::Stream, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::dynamodb:::table//stream/

  When resources.type equals AWS::EC2::Snapshot, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::ec2:::snapshot/

  When resources.type equals AWS::EMRWAL::Workspace, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::emrwal:::workspace/

  When resources.type equals AWS::FinSpace::Environment, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::finspace:::environment/

  When resources.type equals AWS::Glue::Table, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::glue:::table//

  When resources.type equals AWS::GreengrassV2::ComponentVersion, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::greengrass:::components/

  When resources.type equals AWS::GreengrassV2::Deployment, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::greengrass:::deployments/

  When resources.type equals AWS::GuardDuty::Detector, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::guardduty:::detector/

  When resources.type equals AWS::IoT::Certificate, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::iot:::cert/

  When resources.type equals AWS::IoT::Thing, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::iot:::thing/

  When resources.type equals AWS::IoTSiteWise::Asset, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::iotsitewise:::asset/

  When resources.type equals AWS::IoTSiteWise::TimeSeries, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::iotsitewise:::timeseries/

  When resources.type equals AWS::IoTTwinMaker::Entity, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::iottwinmaker:::workspace//entity/

  When resources.type equals AWS::IoTTwinMaker::Workspace, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::iottwinmaker:::workspace/

  When resources.type equals AWS::KendraRanking::ExecutionPlan, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::kendra-ranking:::rescore-execution-plan/

  When resources.type equals AWS::KinesisVideo::Stream, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::kinesisvideo:::stream//

  When resources.type equals AWS::ManagedBlockchain::Network, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::managedblockchain:::networks/

  When resources.type equals AWS::ManagedBlockchain::Node, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::managedblockchain:::nodes/

  When resources.type equals AWS::MedicalImaging::Datastore, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::medical-imaging:::datastore/

  When resources.type equals AWS::NeptuneGraph::Graph, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::neptune-graph:::graph/

  When resources.type equals AWS::PCAConnectorAD::Connector, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::pca-connector-ad:::connector/

  When resources.type equals AWS::QBusiness::Application, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::qbusiness:::application/

  When resources.type equals AWS::QBusiness::DataSource, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::qbusiness:::application//index//data-source/

  When resources.type equals AWS::QBusiness::Index, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::qbusiness:::application//index/

  When resources.type equals AWS::QBusiness::WebExperience, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::qbusiness:::application//web-experience/

  When resources.type equals AWS::RDS::DBCluster, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::rds:::cluster/

  When resources.type equals AWS::S3::AccessPoint, and the operator is set to Equals or NotEquals, the ARN must be in one of the following formats. To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the StartsWith or NotStartsWith operators.

  • arn::s3:::accesspoint/

  • arn::s3:::accesspoint//object/

  When resources.type equals AWS::S3ObjectLambda::AccessPoint, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::s3-object-lambda:::accesspoint/

  When resources.type equals AWS::S3Outposts::Object, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::s3-outposts:::

  When resources.type equals AWS::SageMaker::Endpoint, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::sagemaker:::endpoint/

  When resources.type equals AWS::SageMaker::ExperimentTrialComponent, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::sagemaker:::experiment-trial-component/

  When resources.type equals AWS::SageMaker::FeatureGroup, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::sagemaker:::feature-group/

  When resources.type equals AWS::SCN::Instance, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::scn:::instance/

  When resources.type equals AWS::ServiceDiscovery::Namespace, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::servicediscovery:::namespace/

  When resources.type equals AWS::ServiceDiscovery::Service, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::servicediscovery:::service/

  When resources.type equals AWS::SNS::PlatformEndpoint, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::sns:::endpoint///

  When resources.type equals AWS::SNS::Topic, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::sns:::

  When resources.type equals AWS::SWF::Domain, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::swf:::domain/

  When resources.type equals AWS::SQS::Queue, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::sqs:::

  When resources.type equals AWS::SSMMessages::ControlChannel, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::ssmmessages:::control-channel/

  When resources.type equals AWS::ThinClient::Device, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::thinclient:::device/

  When resources.type equals AWS::ThinClient::Environment, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::thinclient:::environment/

  When resources.type equals AWS::Timestream::Database, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::timestream:::database/

  When resources.type equals AWS::Timestream::Table, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::timestream:::database//table/

  When resources.type equals AWS::VerifiedPermissions::PolicyStore, and the operator is set to Equals or NotEquals, the ARN must be in the following format:

  • arn::verifiedpermissions:::policy-store/

Gets and sets the property NotEndsWith.

An operator that excludes events that match the last few characters of the event record field specified as the value of Field.

Gets and sets the property NotEquals.

An operator that excludes events that match the exact value of the event record field specified as the value of Field.

Gets and sets the property NotStartsWith.

An operator that excludes events that match the first few characters of the event record field specified as the value of Field.

Gets and sets the property StartsWith.

An operator that includes events that match the first few characters of the event record field specified as the value of Field.