From 88273bad20d44ca5b8627cf5da424063b0c6f847 Mon Sep 17 00:00:00 2001
From: awstools This exception is thrown when the Amazon Web Services account making the request to
* create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/CreateEventDataStoreCommand.ts b/clients/client-cloudtrail/src/commands/CreateEventDataStoreCommand.ts
index e8cd4f6967a9..d7b0f85c8ce0 100644
--- a/clients/client-cloudtrail/src/commands/CreateEventDataStoreCommand.ts
+++ b/clients/client-cloudtrail/src/commands/CreateEventDataStoreCommand.ts
@@ -133,7 +133,7 @@ export interface CreateEventDataStoreCommandOutput extends CreateEventDataStoreR
 * @see {@link CloudTrailClientResolvedConfig | config} for CloudTrailClient's `config` shape.
 *
 * @throws {@link CloudTrailAccessNotEnabledException} (client fault)
- *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see Enabling Trusted Access with Other Amazon Web Services Services and Prepare For Creating a Trail For Your Organization.
+ *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see How to enable or disable trusted access in the Organizations User Guide and Prepare For Creating a Trail For Your Organization in the CloudTrail User Guide.
*
 * @throws {@link ConflictException} (client fault)
 *This exception is thrown when the specified resource is not ready for an operation. This
@@ -212,7 +212,7 @@ export interface CreateEventDataStoreCommandOutput extends CreateEventDataStoreR
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *
This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/CreateTrailCommand.ts b/clients/client-cloudtrail/src/commands/CreateTrailCommand.ts
index 150ac58c1d95..74993d13aad2 100644
--- a/clients/client-cloudtrail/src/commands/CreateTrailCommand.ts
+++ b/clients/client-cloudtrail/src/commands/CreateTrailCommand.ts
@@ -81,7 +81,7 @@ export interface CreateTrailCommandOutput extends CreateTrailResponse, __Metadat
 * @see {@link CloudTrailClientResolvedConfig | config} for CloudTrailClient's `config` shape.
 *
 * @throws {@link CloudTrailAccessNotEnabledException} (client fault)
- *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see Enabling Trusted Access with Other Amazon Web Services Services and Prepare For Creating a Trail For Your Organization.
+ *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see How to enable or disable trusted access in the Organizations User Guide and Prepare For Creating a Trail For Your Organization in the CloudTrail User Guide.
*
 * @throws {@link CloudTrailInvalidClientTokenIdException} (client fault)
 *This exception is thrown when a call results in the InvalidClientTokenId
@@ -188,7 +188,7 @@ export interface CreateTrailCommandOutput extends CreateTrailResponse, __Metadat
* @throws {@link NotOrganizationMasterAccountException} (client fault)
*
This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/DeleteEventDataStoreCommand.ts b/clients/client-cloudtrail/src/commands/DeleteEventDataStoreCommand.ts
index 3bad67cc4d37..02335b40186e 100644
--- a/clients/client-cloudtrail/src/commands/DeleteEventDataStoreCommand.ts
+++ b/clients/client-cloudtrail/src/commands/DeleteEventDataStoreCommand.ts
@@ -108,7 +108,7 @@ export interface DeleteEventDataStoreCommandOutput extends DeleteEventDataStoreR
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/DeleteTrailCommand.ts b/clients/client-cloudtrail/src/commands/DeleteTrailCommand.ts
index 6bcb3e82e221..a73a95f0938f 100644
--- a/clients/client-cloudtrail/src/commands/DeleteTrailCommand.ts
+++ b/clients/client-cloudtrail/src/commands/DeleteTrailCommand.ts
@@ -107,7 +107,7 @@ export interface DeleteTrailCommandOutput extends DeleteTrailResponse, __Metadat
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/DeregisterOrganizationDelegatedAdminCommand.ts b/clients/client-cloudtrail/src/commands/DeregisterOrganizationDelegatedAdminCommand.ts
index 286c90c4828e..2b2379a1439e 100644
--- a/clients/client-cloudtrail/src/commands/DeregisterOrganizationDelegatedAdminCommand.ts
+++ b/clients/client-cloudtrail/src/commands/DeregisterOrganizationDelegatedAdminCommand.ts
@@ -66,7 +66,7 @@ export interface DeregisterOrganizationDelegatedAdminCommandOutput
 *This exception is thrown when the specified account is not registered as the CloudTrail delegated administrator.
*
 * @throws {@link CloudTrailAccessNotEnabledException} (client fault)
- *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see Enabling Trusted Access with Other Amazon Web Services Services and Prepare For Creating a Trail For Your Organization.
+ *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see How to enable or disable trusted access in the Organizations User Guide and Prepare For Creating a Trail For Your Organization in the CloudTrail User Guide.
*
 * @throws {@link ConflictException} (client fault)
 *This exception is thrown when the specified resource is not ready for an operation. This
diff --git a/clients/client-cloudtrail/src/commands/DisableFederationCommand.ts b/clients/client-cloudtrail/src/commands/DisableFederationCommand.ts
index 6c616f96c109..a4350dc23843 100644
--- a/clients/client-cloudtrail/src/commands/DisableFederationCommand.ts
+++ b/clients/client-cloudtrail/src/commands/DisableFederationCommand.ts
@@ -62,7 +62,7 @@ export interface DisableFederationCommandOutput extends DisableFederationRespons
 *
*
 * @throws {@link CloudTrailAccessNotEnabledException} (client fault)
- *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see Enabling Trusted Access with Other Amazon Web Services Services and Prepare For Creating a Trail For Your Organization.
+ *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see How to enable or disable trusted access in the Organizations User Guide and Prepare For Creating a Trail For Your Organization in the CloudTrail User Guide.
*
 * @throws {@link ConcurrentModificationException} (client fault)
 *
@@ -94,7 +94,7 @@ export interface DisableFederationCommandOutput extends DisableFederationRespons
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *
This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/EnableFederationCommand.ts b/clients/client-cloudtrail/src/commands/EnableFederationCommand.ts
index 4175eb187d8e..90d35d4b4d65 100644
--- a/clients/client-cloudtrail/src/commands/EnableFederationCommand.ts
+++ b/clients/client-cloudtrail/src/commands/EnableFederationCommand.ts
@@ -70,7 +70,7 @@ export interface EnableFederationCommandOutput extends EnableFederationResponse,
 *
 *
 * @throws {@link CloudTrailAccessNotEnabledException} (client fault)
- *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see Enabling Trusted Access with Other Amazon Web Services Services and Prepare For Creating a Trail For Your Organization.
+ *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see How to enable or disable trusted access in the Organizations User Guide and Prepare For Creating a Trail For Your Organization in the CloudTrail User Guide.
*
 * @throws {@link ConcurrentModificationException} (client fault)
 *
@@ -108,7 +108,7 @@ export interface EnableFederationCommandOutput extends EnableFederationResponse,
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *
This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/GetEventDataStoreCommand.ts b/clients/client-cloudtrail/src/commands/GetEventDataStoreCommand.ts
index 2823e21140fd..a77499d5bdbe 100644
--- a/clients/client-cloudtrail/src/commands/GetEventDataStoreCommand.ts
+++ b/clients/client-cloudtrail/src/commands/GetEventDataStoreCommand.ts
@@ -80,6 +80,12 @@ export interface GetEventDataStoreCommandOutput extends GetEventDataStoreRespons
 * // BillingMode: "EXTENDABLE_RETENTION_PRICING" || "FIXED_RETENTION_PRICING",
 * // FederationStatus: "ENABLING" || "ENABLED" || "DISABLING" || "DISABLED",
 * // FederationRoleArn: "STRING_VALUE",
+ * // PartitionKeys: [ // PartitionKeyList
+ * // { // PartitionKey
+ * // Name: "STRING_VALUE", // required
+ * // Type: "STRING_VALUE", // required
+ * // },
+ * // ],
 * // };
 *
 * ```
diff --git a/clients/client-cloudtrail/src/commands/PutEventSelectorsCommand.ts b/clients/client-cloudtrail/src/commands/PutEventSelectorsCommand.ts
index ec6efaccb131..af84246b1954 100644
--- a/clients/client-cloudtrail/src/commands/PutEventSelectorsCommand.ts
+++ b/clients/client-cloudtrail/src/commands/PutEventSelectorsCommand.ts
@@ -30,7 +30,7 @@ export interface PutEventSelectorsCommandOutput extends PutEventSelectorsRespons
 *Configures an event selector or advanced event selectors for your trail. Use event
 * selectors or advanced event selectors to specify management and data event settings for
 * your trail. If you want your trail to log Insights events, be sure the event selector
- * enables logging of the Insights event types you want configured for your trail. For more information about logging Insights events, see Logging Insights events for trails in the CloudTrail User Guide.
+ * enables logging of the Insights event types you want configured for your trail. For more information about logging Insights events, see Logging Insights events in the CloudTrail User Guide.
 * By default, trails created without specific event selectors are configured to
 * log all read and write management events, and no data events.
*When an event occurs in your account, CloudTrail evaluates the event selectors or
@@ -267,7 +267,7 @@ export interface PutEventSelectorsCommandOutput extends PutEventSelectorsRespons
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *
This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/PutInsightSelectorsCommand.ts b/clients/client-cloudtrail/src/commands/PutInsightSelectorsCommand.ts
index e8232386c2d4..2dc3a3ca3d35 100644
--- a/clients/client-cloudtrail/src/commands/PutInsightSelectorsCommand.ts
+++ b/clients/client-cloudtrail/src/commands/PutInsightSelectorsCommand.ts
@@ -154,7 +154,7 @@ export interface PutInsightSelectorsCommandOutput extends PutInsightSelectorsRes
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/RegisterOrganizationDelegatedAdminCommand.ts b/clients/client-cloudtrail/src/commands/RegisterOrganizationDelegatedAdminCommand.ts
index 8c319cf1c15e..75397d66844f 100644
--- a/clients/client-cloudtrail/src/commands/RegisterOrganizationDelegatedAdminCommand.ts
+++ b/clients/client-cloudtrail/src/commands/RegisterOrganizationDelegatedAdminCommand.ts
@@ -70,7 +70,7 @@ export interface RegisterOrganizationDelegatedAdminCommandOutput
 * the CloudTrail delegated administrator.
 *
 * @throws {@link CloudTrailAccessNotEnabledException} (client fault)
- *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see Enabling Trusted Access with Other Amazon Web Services Services and Prepare For Creating a Trail For Your Organization.
+ *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see How to enable or disable trusted access in the Organizations User Guide and Prepare For Creating a Trail For Your Organization in the CloudTrail User Guide.
*
 * @throws {@link ConflictException} (client fault)
 *This exception is thrown when the specified resource is not ready for an operation. This
diff --git a/clients/client-cloudtrail/src/commands/RemoveTagsCommand.ts b/clients/client-cloudtrail/src/commands/RemoveTagsCommand.ts
index 3e9891dbd838..418d468f58e1 100644
--- a/clients/client-cloudtrail/src/commands/RemoveTagsCommand.ts
+++ b/clients/client-cloudtrail/src/commands/RemoveTagsCommand.ts
@@ -117,7 +117,7 @@ export interface RemoveTagsCommandOutput extends RemoveTagsResponse, __MetadataB
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *
This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/RestoreEventDataStoreCommand.ts b/clients/client-cloudtrail/src/commands/RestoreEventDataStoreCommand.ts
index e65f2644727d..e86376662a0d 100644
--- a/clients/client-cloudtrail/src/commands/RestoreEventDataStoreCommand.ts
+++ b/clients/client-cloudtrail/src/commands/RestoreEventDataStoreCommand.ts
@@ -91,7 +91,7 @@ export interface RestoreEventDataStoreCommandOutput extends RestoreEventDataStor
 * @see {@link CloudTrailClientResolvedConfig | config} for CloudTrailClient's `config` shape.
 *
 * @throws {@link CloudTrailAccessNotEnabledException} (client fault)
- *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see Enabling Trusted Access with Other Amazon Web Services Services and Prepare For Creating a Trail For Your Organization.
+ *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see How to enable or disable trusted access in the Organizations User Guide and Prepare For Creating a Trail For Your Organization in the CloudTrail User Guide.
*
 * @throws {@link EventDataStoreARNInvalidException} (client fault)
 *The specified event data store ARN is not valid or does not map to an event data store
@@ -121,7 +121,7 @@ export interface RestoreEventDataStoreCommandOutput extends RestoreEventDataStor
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *
This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/StartEventDataStoreIngestionCommand.ts b/clients/client-cloudtrail/src/commands/StartEventDataStoreIngestionCommand.ts
index 3975a06ec459..65f61b0f10ee 100644
--- a/clients/client-cloudtrail/src/commands/StartEventDataStoreIngestionCommand.ts
+++ b/clients/client-cloudtrail/src/commands/StartEventDataStoreIngestionCommand.ts
@@ -84,7 +84,7 @@ export interface StartEventDataStoreIngestionCommandOutput
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/StartImportCommand.ts b/clients/client-cloudtrail/src/commands/StartImportCommand.ts
index 263b293a5251..a328d8150e06 100644
--- a/clients/client-cloudtrail/src/commands/StartImportCommand.ts
+++ b/clients/client-cloudtrail/src/commands/StartImportCommand.ts
@@ -32,7 +32,7 @@ export interface StartImportCommandOutput extends StartImportResponse, __Metadat
 *CloudTrail
prefix and the prefixes inside the CloudTrail
prefix, and does not check prefixes for other Amazon Web Services
* services. If you want to import CloudTrail events contained in another prefix, you
* must include the prefix in the S3LocationUri
. For more considerations about
- * importing trail events, see Considerations.
+ * importing trail events, see Considerations for copying trail events in the CloudTrail User Guide.
* When you start a new import, the Destinations
and
* ImportSource
parameters are required. Before starting a new import, disable
* any access control lists (ACLs) attached to the source S3 bucket. For more information
diff --git a/clients/client-cloudtrail/src/commands/StartLoggingCommand.ts b/clients/client-cloudtrail/src/commands/StartLoggingCommand.ts
index d4aefa5473e6..b1b5a27c1f24 100644
--- a/clients/client-cloudtrail/src/commands/StartLoggingCommand.ts
+++ b/clients/client-cloudtrail/src/commands/StartLoggingCommand.ts
@@ -108,7 +108,7 @@ export interface StartLoggingCommandOutput extends StartLoggingResponse, __Metad
* @throws {@link NotOrganizationMasterAccountException} (client fault)
*
This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/StopEventDataStoreIngestionCommand.ts b/clients/client-cloudtrail/src/commands/StopEventDataStoreIngestionCommand.ts
index a7bec4057273..575724f365d4 100644
--- a/clients/client-cloudtrail/src/commands/StopEventDataStoreIngestionCommand.ts
+++ b/clients/client-cloudtrail/src/commands/StopEventDataStoreIngestionCommand.ts
@@ -81,7 +81,7 @@ export interface StopEventDataStoreIngestionCommandOutput
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/StopLoggingCommand.ts b/clients/client-cloudtrail/src/commands/StopLoggingCommand.ts
index 333c116b8b0c..b23b1cbb3000 100644
--- a/clients/client-cloudtrail/src/commands/StopLoggingCommand.ts
+++ b/clients/client-cloudtrail/src/commands/StopLoggingCommand.ts
@@ -111,7 +111,7 @@ export interface StopLoggingCommandOutput extends StopLoggingResponse, __Metadat
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/UpdateEventDataStoreCommand.ts b/clients/client-cloudtrail/src/commands/UpdateEventDataStoreCommand.ts
index 8aaa17c28d90..9d5452cef0ed 100644
--- a/clients/client-cloudtrail/src/commands/UpdateEventDataStoreCommand.ts
+++ b/clients/client-cloudtrail/src/commands/UpdateEventDataStoreCommand.ts
@@ -132,7 +132,7 @@ export interface UpdateEventDataStoreCommandOutput extends UpdateEventDataStoreR
 * @see {@link CloudTrailClientResolvedConfig | config} for CloudTrailClient's `config` shape.
 *
 * @throws {@link CloudTrailAccessNotEnabledException} (client fault)
- *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see Enabling Trusted Access with Other Amazon Web Services Services and Prepare For Creating a Trail For Your Organization.
+ *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see How to enable or disable trusted access in the Organizations User Guide and Prepare For Creating a Trail For Your Organization in the CloudTrail User Guide.
*
 * @throws {@link EventDataStoreAlreadyExistsException} (client fault)
 *An event data store with that name already exists.
@@ -223,7 +223,7 @@ export interface UpdateEventDataStoreCommandOutput extends UpdateEventDataStoreR
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/commands/UpdateTrailCommand.ts b/clients/client-cloudtrail/src/commands/UpdateTrailCommand.ts
index f99350ebfea8..cdd83a031672 100644
--- a/clients/client-cloudtrail/src/commands/UpdateTrailCommand.ts
+++ b/clients/client-cloudtrail/src/commands/UpdateTrailCommand.ts
@@ -79,7 +79,7 @@ export interface UpdateTrailCommandOutput extends UpdateTrailResponse, __Metadat
 * @see {@link CloudTrailClientResolvedConfig | config} for CloudTrailClient's `config` shape.
 *
 * @throws {@link CloudTrailAccessNotEnabledException} (client fault)
- *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see Enabling Trusted Access with Other Amazon Web Services Services and Prepare For Creating a Trail For Your Organization.
+ *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see How to enable or disable trusted access in the Organizations User Guide and Prepare For Creating a Trail For Your Organization in the CloudTrail User Guide.
*
 * @throws {@link CloudTrailARNInvalidException} (client fault)
 *This exception is thrown when an operation is called with an ARN that is not valid.
@@ -224,7 +224,7 @@ export interface UpdateTrailCommandOutput extends UpdateTrailResponse, __Metadat
 * @throws {@link NotOrganizationMasterAccountException} (client fault)
 *This exception is thrown when the Amazon Web Services account making the request to
 * create or update an organization trail or event data store is not the management account
- * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
 *
 * @throws {@link OperationNotPermittedException} (client fault)
 *This exception is thrown when the requested operation is not permitted.
diff --git a/clients/client-cloudtrail/src/models/models_0.ts b/clients/client-cloudtrail/src/models/models_0.ts index 1e5ba64a8334..a73083726cc2 100644 --- a/clients/client-cloudtrail/src/models/models_0.ts +++ b/clients/client-cloudtrail/src/models/models_0.ts @@ -491,7 +491,7 @@ export class NoManagementAccountSLRExistsException extends __BaseException { /** *This exception is thrown when the Amazon Web Services account making the request to * create or update an organization trail or event data store is not the management account - * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
+ * for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores. * @public */ export class NotOrganizationMasterAccountException extends __BaseException { @@ -920,6 +920,11 @@ export interface AdvancedFieldSelector { * *
+ * AWS::QApps:QApp
+ *
* AWS::QBusiness::Application
*
- * AWS::SWF::Domain
+ * AWS::SQS::Queue
*
- * AWS::SQS::Queue
+ * AWS::SSM::ManagedNode
*
+ * AWS::SWF::Domain
+ *
* AWS::ThinClient::Device
*
AWS::VerifiedPermissions::PolicyStore
*
*
+ *
+ * AWS::XRay::Trace
+ *
You can have only one resources.type
field per selector. To log data
* events on more than one resource type, add another selector.
resources.ARN
, but if you use Equals
or
* NotEquals
, the value must exactly match the ARN of a valid resource
- * of the type you've specified in the template as the value of resources.type. For
- * example, if resources.type equals AWS::S3::Object
, the ARN must be in
+ * of the type you've specified in the template as the value of resources.type.
+ * You can't use the resources.ARN
field to filter resource types that do not have ARNs.
The resources.ARN
field can be set one of the following.
If resources.type equals AWS::S3::Object
, the ARN must be in
* one of the following formats. To log all data events for all objects in a specific S3
* bucket, use the StartsWith
operator, and include only the bucket ARN as
* the matching value.
When resources.type
equals AWS::QApps:QApp
,
+ * and the operator is set to Equals
or NotEquals
, the ARN
+ * must be in the following format:
+ * arn:
+ *
When resources.type
equals AWS::QBusiness::Application
,
* and the operator is set to Equals
or NotEquals
, the ARN
* must be in the following format:
When resources.type
equals AWS::SWF::Domain
,
+ *
When resources.type
equals AWS::SQS::Queue
,
* and the operator is set to Equals
or NotEquals
, the ARN
* must be in the following format:
- * arn:
+ * arn:
*
When resources.type
equals AWS::SQS::Queue
,
- * and the operator is set to Equals
or NotEquals
, the ARN
- * must be in the following format:
When resources.type
equals AWS::SSM::ManagedNode
, and
+ * the operator is set to Equals
or NotEquals
, the ARN must be
+ * in one of the following formats:
- * arn:
+ * arn:
+ *
+ * arn:
*
When resources.type
equals AWS::SWF::Domain
,
+ * and the operator is set to Equals
or NotEquals
, the ARN
+ * must be in the following format:
+ * arn:
+ *
When resources.type
equals AWS::ThinClient::Device
, and
* the operator is set to Equals
or NotEquals
, the ARN must be
* in the following format:
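Review bot: The added resource type is spelled `AWS::QApps:QApp`, with a single colon before `QApp`, in both the `resources.type` value list and the new `resources.ARN` paragraph for it. Every other value in the list uses the `AWS::Service::Resource` form, so this looks like a typo for `AWS::QApps::QApp` and should be confirmed against the service. The text says `resources.type` can only use `Equals`, so a selector copied from this documentation with a misspelled value would presumably be rejected or fail to match the data events it was meant to log. The same string is added to the `smithy.api#documentation` text in `codegen/sdk-codegen/aws-models/cloudtrail.json`. Since `models_0.ts` is generated from that model, the correction belongs in the model, and both occurrences would then read `AWS::QApps::QApp`.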
This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see Enabling Trusted Access with Other Amazon Web Services Services and Prepare For Creating a Trail For Your Organization.
+ *This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see How to enable or disable trusted access in the Organizations User Guide and Prepare For Creating a Trail For Your Organization in the CloudTrail User Guide.
* @public */ export class CloudTrailAccessNotEnabledException extends __BaseException { @@ -2244,9 +2288,9 @@ export interface CreateEventDataStoreRequest { * configure up to five advanced event selectors for each event data store. *For more information about how to use advanced event selectors to log CloudTrail * events, see Log events by using advanced event selectors in the CloudTrail User Guide.
- *For more information about how to use advanced event selectors to include Config configuration items in your event data store, see Create an event data store for Config configuration
+ * For more information about how to use advanced event selectors to include Config configuration items in your event data store, see Create an event data store for Config configuration
* items in the CloudTrail User Guide. For more information about how to use advanced event selectors to include non-Amazon Web Services events in your event data store, see Create an integration to log events from outside Amazon Web Services in the CloudTrail User Guide. For more information about how to use advanced event selectors to include events outside of Amazon Web Services events in your event data store, see Create an integration to log events from outside Amazon Web Services in the CloudTrail User Guide. Specifies the name of the Amazon S3 bucket designated for publishing log files.
- * See Amazon S3
- * Bucket Naming Requirements.
Specifies the Amazon S3 key prefix that comes after the name of the bucket you - * have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is 200 + * have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is 200 * characters.
* @public */ @@ -3002,7 +3047,7 @@ export interface CreateTrailResponse { /** *Specifies the Amazon S3 key prefix that comes after the name of the bucket you - * have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files.
+ * have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. * @public */ S3KeyPrefix?: string; @@ -3971,15 +4016,15 @@ export interface Trail { /** *Name of the Amazon S3 bucket into which CloudTrail delivers your trail - * files. See Amazon S3 - * Bucket Naming Requirements.
+ * files. See Amazon S3 + * Bucket naming rules. * @public */ S3BucketName?: string; /** *Specifies the Amazon S3 key prefix that comes after the name of the bucket you - * have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is 200 + * have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is 200 * characters.
* @public */ @@ -4354,6 +4399,24 @@ export interface GetEventDataStoreRequest { EventDataStore: string | undefined; } +/** + *Contains information about a partition key for an event data store.
+ * @public + */ +export interface PartitionKey { + /** + *The name of the partition key.
+ * @public + */ + Name: string | undefined; + + /** + *The data type of the partition key. For example, bigint
or string
.
The partition keys for the event data store. To improve query performance and efficiency, CloudTrail Lake organizes + * event data into partitions based on values derived from partition keys.
+ * @public + */ + PartitionKeys?: PartitionKey[]; } /** @@ -4492,10 +4562,28 @@ export interface GetEventSelectorsRequest { } /** - *The Amazon S3 buckets, Lambda functions, or Amazon DynamoDB tables that you specify in your event selectors for your trail to log data events. Data - * events provide information about the resource operations performed on or within a resource + *
Data events provide information about the resource operations performed on or within a resource * itself. These are also known as data plane operations. You can specify up to 250 data * resources for a trail.
+ *Configure the DataResource
to specify the resource type and resource ARNs for which you want to log data events.
You can specify the following resource types in your event selectors for your trail:
+ *
+ * AWS::DynamoDB::Table
+ *
+ * AWS::Lambda::Function
+ *
+ * AWS::S3::Object
+ *
The total number of allowed data resources is 250. This number can be distributed * between 1 and 5 event selectors, but the total cannot exceed 250 across all @@ -4583,7 +4671,7 @@ export interface DataResource { /** *
An array of Amazon Resource Name (ARN) strings or partial ARN strings for the specified - * objects.
+ * resource type. *To log data events for all objects in all S3 buckets in your Amazon Web Services account, specify the prefix as arn:aws:s3
.
This error occurs only when there is a problem with the destination S3 bucket, and
- * does not occur for requests that time out. To resolve the issue, create a new bucket,
- * and then call UpdateTrail
to specify the new bucket; or fix the existing
- * objects so that CloudTrail can again write to the bucket.
UpdateTrail
to specify the new bucket.
* This error occurs only when there is a problem with the destination S3 bucket, and
- * does not occur for requests that time out. To resolve the issue, create a new bucket,
- * and then call UpdateTrail
to specify the new bucket; or fix the existing
- * objects so that CloudTrail can again write to the bucket.
UpdateTrail
to specify the new bucket.
* A storage lake of event data against which you can run complex SQL-based queries. An * event data store can include events that you have logged on your account. To select events for an event data - * store, use advanced event selectors.
+ * store, use advanced event selectors. * @public */ export interface EventDataStore { @@ -7797,15 +7885,15 @@ export interface UpdateTrailRequest { /** *Specifies the name of the Amazon S3 bucket designated for publishing log files. - * See Amazon S3 - * Bucket Naming Requirements.
+ * See Amazon S3 + * Bucket naming rules. * @public */ S3BucketName?: string; /** *Specifies the Amazon S3 key prefix that comes after the name of the bucket you - * have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is 200 + * have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is 200 * characters.
* @public */ @@ -7929,7 +8017,7 @@ export interface UpdateTrailResponse { /** *Specifies the Amazon S3 key prefix that comes after the name of the bucket you - * have designated for log file delivery. For more information, see Finding Your IAM Log Files.
+ * have designated for log file delivery. For more information, see Finding Your IAM Log Files. * @public */ S3KeyPrefix?: string; diff --git a/clients/client-cloudtrail/src/protocols/Aws_json1_1.ts b/clients/client-cloudtrail/src/protocols/Aws_json1_1.ts index 20a223b4fa47..bf435f5651c4 100644 --- a/clients/client-cloudtrail/src/protocols/Aws_json1_1.ts +++ b/clients/client-cloudtrail/src/protocols/Aws_json1_1.ts @@ -3921,6 +3921,7 @@ const de_GetEventDataStoreResponse = (output: any, context: __SerdeContext): Get MultiRegionEnabled: __expectBoolean, Name: __expectString, OrganizationEnabled: __expectBoolean, + PartitionKeys: _json, RetentionPeriod: __expectInt32, Status: __expectString, TerminationProtectionEnabled: __expectBoolean, @@ -4238,6 +4239,10 @@ const de_LookupEventsResponse = (output: any, context: __SerdeContext): LookupEv // de_OrganizationsNotInUseException omitted. +// de_PartitionKey omitted. + +// de_PartitionKeyList omitted. + /** * deserializeAws_json1_1PublicKey */ diff --git a/codegen/sdk-codegen/aws-models/cloudtrail.json b/codegen/sdk-codegen/aws-models/cloudtrail.json index 3aafdfaf5466..a7e4bf6669a6 100644 --- a/codegen/sdk-codegen/aws-models/cloudtrail.json +++ b/codegen/sdk-codegen/aws-models/cloudtrail.json @@ -266,7 +266,7 @@ "Field": { "target": "com.amazonaws.cloudtrail#SelectorField", "traits": { - "smithy.api#documentation": "A field in a CloudTrail event record on which to filter events to be logged. For\n event data stores for CloudTrail Insights events, Config configuration items, Audit Manager evidence, or events outside of Amazon Web Services, the field is used only for\n selecting events as filtering is not supported.
\nFor CloudTrail management events, supported fields include readOnly
,\n eventCategory
, and eventSource
.
For CloudTrail data events, supported fields include readOnly
,\n eventCategory
, eventName
, resources.type
, and resources.ARN
.
For event data stores for CloudTrail Insights events, Config configuration items, Audit Manager evidence, or events outside of Amazon Web Services, the only supported field is\n eventCategory
.
\n \n readOnly
\n - Optional. Can be set to\n Equals
a value of true
or false
. If you do\n not add this field, CloudTrail logs both read
and\n write
events. A value of true
logs only\n read
events. A value of false
logs only\n write
events.
\n \n eventSource
\n - For filtering\n management events only. This can be set to NotEquals
\n kms.amazonaws.com
or NotEquals
\n rdsdata.amazonaws.com
.
\n \n eventName
\n - Can use any operator.\n You can use it to filter in or filter out any data event logged to CloudTrail,\n such as PutBucket
or GetSnapshotBlock
. You can have\n multiple values for this field, separated by commas.
\n \n eventCategory
\n - This is required and\n must be set to Equals
. \n
\n For CloudTrail management events, the value\n must be Management
. \n
\n For CloudTrail data events, the value\n must be Data
. \n
The following are used only for event data stores:
\n\n For CloudTrail Insights events, the value\n must be Insight
. \n
\n For Config\n configuration items, the value must be ConfigurationItem
.\n
\n For Audit Manager evidence, the value must be Evidence
.\n
\n For non-Amazon Web Services events, the value must be ActivityAuditLog
.\n
\n \n resources.type
\n - This field is\n required for CloudTrail data events. resources.type
can only\n use the Equals
operator, and the value can be one of the\n following:
\n AWS::DynamoDB::Table
\n
\n AWS::Lambda::Function
\n
\n AWS::S3::Object
\n
\n AWS::AppConfig::Configuration
\n
\n AWS::B2BI::Transformer
\n
\n AWS::Bedrock::AgentAlias
\n
\n AWS::Bedrock::KnowledgeBase
\n
\n AWS::Cassandra::Table
\n
\n AWS::CloudFront::KeyValueStore
\n
\n AWS::CloudTrail::Channel
\n
\n AWS::CodeWhisperer::Customization
\n
\n AWS::CodeWhisperer::Profile
\n
\n AWS::Cognito::IdentityPool
\n
\n AWS::DynamoDB::Stream
\n
\n AWS::EC2::Snapshot
\n
\n AWS::EMRWAL::Workspace
\n
\n AWS::FinSpace::Environment
\n
\n AWS::Glue::Table
\n
\n AWS::GreengrassV2::ComponentVersion
\n
\n AWS::GreengrassV2::Deployment
\n
\n AWS::GuardDuty::Detector
\n
\n AWS::IoT::Certificate
\n
\n AWS::IoT::Thing
\n
\n AWS::IoTSiteWise::Asset
\n
\n AWS::IoTSiteWise::TimeSeries
\n
\n AWS::IoTTwinMaker::Entity
\n
\n AWS::IoTTwinMaker::Workspace
\n
\n AWS::KendraRanking::ExecutionPlan
\n
\n AWS::KinesisVideo::Stream
\n
\n AWS::ManagedBlockchain::Network
\n
\n AWS::ManagedBlockchain::Node
\n
\n AWS::MedicalImaging::Datastore
\n
\n AWS::NeptuneGraph::Graph
\n
\n AWS::PCAConnectorAD::Connector
\n
\n AWS::QBusiness::Application
\n
\n AWS::QBusiness::DataSource
\n
\n AWS::QBusiness::Index
\n
\n AWS::QBusiness::WebExperience
\n
\n AWS::RDS::DBCluster
\n
\n AWS::S3::AccessPoint
\n
\n AWS::S3ObjectLambda::AccessPoint
\n
\n AWS::S3Outposts::Object
\n
\n AWS::SageMaker::Endpoint
\n
\n AWS::SageMaker::ExperimentTrialComponent
\n
\n AWS::SageMaker::FeatureGroup
\n
\n AWS::ServiceDiscovery::Namespace
\n
\n AWS::ServiceDiscovery::Service
\n
\n AWS::SCN::Instance
\n
\n AWS::SNS::PlatformEndpoint
\n
\n AWS::SNS::Topic
\n
\n AWS::SWF::Domain
\n
\n AWS::SQS::Queue
\n
\n AWS::SSMMessages::ControlChannel
\n
\n AWS::ThinClient::Device
\n
\n AWS::ThinClient::Environment
\n
\n AWS::Timestream::Database
\n
\n AWS::Timestream::Table
\n
\n AWS::VerifiedPermissions::PolicyStore
\n
You can have only one resources.type
field per selector. To log data\n events on more than one resource type, add another selector.
\n \n resources.ARN
\n - You can use any\n operator with resources.ARN
, but if you use Equals
or\n NotEquals
, the value must exactly match the ARN of a valid resource\n of the type you've specified in the template as the value of resources.type. For\n example, if resources.type equals AWS::S3::Object
, the ARN must be in\n one of the following formats. To log all data events for all objects in a specific S3\n bucket, use the StartsWith
operator, and include only the bucket ARN as\n the matching value.
The trailing slash is intentional; do not exclude it. Replace the text between\n less than and greater than symbols (<>) with resource-specific information.
\n\n arn:
\n
\n arn:
\n
When resources.type equals AWS::DynamoDB::Table
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::Lambda::Function
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::AppConfig::Configuration
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::B2BI::Transformer
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::Bedrock::AgentAlias
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::Bedrock::KnowledgeBase
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::Cassandra::Table
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::CloudFront::KeyValueStore
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::CloudTrail::Channel
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::CodeWhisperer::Customization
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::CodeWhisperer::Profile
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::Cognito::IdentityPool
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type
equals AWS::DynamoDB::Stream
, and\n the operator is set to Equals
or NotEquals
, the ARN must be\n in the following format:
\n arn:
\n
When resources.type
equals AWS::EC2::Snapshot
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::EMRWAL::Workspace
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::FinSpace::Environment
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::Glue::Table
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::GreengrassV2::ComponentVersion
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::GreengrassV2::Deployment
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
When resources.type
equals AWS::GuardDuty::Detector
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::IoT::Certificate
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::IoT::Thing
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::IoTSiteWise::Asset
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::IoTSiteWise::TimeSeries
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::IoTTwinMaker::Entity
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::IoTTwinMaker::Workspace
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::KendraRanking::ExecutionPlan
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::KinesisVideo::Stream
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::ManagedBlockchain::Network
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::ManagedBlockchain::Node
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::MedicalImaging::Datastore
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::NeptuneGraph::Graph
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::PCAConnectorAD::Connector
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::QBusiness::Application
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::QBusiness::DataSource
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::QBusiness::Index
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::QBusiness::WebExperience
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::RDS::DBCluster
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::S3::AccessPoint
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n one of the following formats. To log events on all objects in an S3 access point, we\n recommend that you use only the access point ARN, don’t include the object path, and\n use the StartsWith
or NotStartsWith
operators.
\n arn:
\n
\n arn:
\n
When resources.type
equals\n AWS::S3ObjectLambda::AccessPoint
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following\n format:
\n arn:
\n
When resources.type
equals AWS::S3Outposts::Object
, and\n the operator is set to Equals
or NotEquals
, the ARN must be\n in the following format:
\n arn:
\n
When resources.type
equals AWS::SageMaker::Endpoint
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SageMaker::ExperimentTrialComponent
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SageMaker::FeatureGroup
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SCN::Instance
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following format:
\n arn:
\n
When resources.type
equals AWS::ServiceDiscovery::Namespace
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following format:
\n arn:
\n
When resources.type
equals AWS::ServiceDiscovery::Service
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SNS::PlatformEndpoint
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SNS::Topic
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SWF::Domain
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SQS::Queue
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SSMMessages::ControlChannel
, and\n the operator is set to Equals
or NotEquals
, the ARN must be\n in the following format:
\n arn:
\n
When resources.type
equals AWS::ThinClient::Device
, and\n the operator is set to Equals
or NotEquals
, the ARN must be\n in the following format:
\n arn:
\n
When resources.type
equals AWS::ThinClient::Environment
, and\n the operator is set to Equals
or NotEquals
, the ARN must be\n in the following format:
\n arn:
\n
When resources.type
equals AWS::Timestream::Database
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::Timestream::Table
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type equals AWS::VerifiedPermissions::PolicyStore
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
A field in a CloudTrail event record on which to filter events to be logged. For\n event data stores for CloudTrail Insights events, Config configuration items, Audit Manager evidence, or events outside of Amazon Web Services, the field is used only for\n selecting events as filtering is not supported.
\nFor CloudTrail management events, supported fields include readOnly
,\n eventCategory
, and eventSource
.
For CloudTrail data events, supported fields include readOnly
,\n eventCategory
, eventName
, resources.type
, and resources.ARN
.
For event data stores for CloudTrail Insights events, Config configuration items, Audit Manager evidence, or events outside of Amazon Web Services, the only supported field is\n eventCategory
.
\n \n readOnly
\n - Optional. Can be set to\n Equals
a value of true
or false
. If you do\n not add this field, CloudTrail logs both read
and\n write
events. A value of true
logs only\n read
events. A value of false
logs only\n write
events.
\n \n eventSource
\n - For filtering\n management events only. This can be set to NotEquals
\n kms.amazonaws.com
or NotEquals
\n rdsdata.amazonaws.com
.
\n \n eventName
\n - Can use any operator.\n You can use it to filter in or filter out any data event logged to CloudTrail,\n such as PutBucket
or GetSnapshotBlock
. You can have\n multiple values for this field, separated by commas.
\n \n eventCategory
\n - This is required and\n must be set to Equals
. \n
\n For CloudTrail management events, the value\n must be Management
. \n
\n For CloudTrail data events, the value\n must be Data
. \n
The following are used only for event data stores:
\n\n For CloudTrail Insights events, the value\n must be Insight
. \n
\n For Config\n configuration items, the value must be ConfigurationItem
.\n
\n For Audit Manager evidence, the value must be Evidence
.\n
\n For non-Amazon Web Services events, the value must be ActivityAuditLog
.\n
\n \n resources.type
\n - This field is\n required for CloudTrail data events. resources.type
can only\n use the Equals
operator, and the value can be one of the\n following:
\n AWS::DynamoDB::Table
\n
\n AWS::Lambda::Function
\n
\n AWS::S3::Object
\n
\n AWS::AppConfig::Configuration
\n
\n AWS::B2BI::Transformer
\n
\n AWS::Bedrock::AgentAlias
\n
\n AWS::Bedrock::KnowledgeBase
\n
\n AWS::Cassandra::Table
\n
\n AWS::CloudFront::KeyValueStore
\n
\n AWS::CloudTrail::Channel
\n
\n AWS::CodeWhisperer::Customization
\n
\n AWS::CodeWhisperer::Profile
\n
\n AWS::Cognito::IdentityPool
\n
\n AWS::DynamoDB::Stream
\n
\n AWS::EC2::Snapshot
\n
\n AWS::EMRWAL::Workspace
\n
\n AWS::FinSpace::Environment
\n
\n AWS::Glue::Table
\n
\n AWS::GreengrassV2::ComponentVersion
\n
\n AWS::GreengrassV2::Deployment
\n
\n AWS::GuardDuty::Detector
\n
\n AWS::IoT::Certificate
\n
\n AWS::IoT::Thing
\n
\n AWS::IoTSiteWise::Asset
\n
\n AWS::IoTSiteWise::TimeSeries
\n
\n AWS::IoTTwinMaker::Entity
\n
\n AWS::IoTTwinMaker::Workspace
\n
\n AWS::KendraRanking::ExecutionPlan
\n
\n AWS::KinesisVideo::Stream
\n
\n AWS::ManagedBlockchain::Network
\n
\n AWS::ManagedBlockchain::Node
\n
\n AWS::MedicalImaging::Datastore
\n
\n AWS::NeptuneGraph::Graph
\n
\n AWS::PCAConnectorAD::Connector
\n
\n AWS::QApps:QApp
\n
\n AWS::QBusiness::Application
\n
\n AWS::QBusiness::DataSource
\n
\n AWS::QBusiness::Index
\n
\n AWS::QBusiness::WebExperience
\n
\n AWS::RDS::DBCluster
\n
\n AWS::S3::AccessPoint
\n
\n AWS::S3ObjectLambda::AccessPoint
\n
\n AWS::S3Outposts::Object
\n
\n AWS::SageMaker::Endpoint
\n
\n AWS::SageMaker::ExperimentTrialComponent
\n
\n AWS::SageMaker::FeatureGroup
\n
\n AWS::ServiceDiscovery::Namespace
\n
\n AWS::ServiceDiscovery::Service
\n
\n AWS::SCN::Instance
\n
\n AWS::SNS::PlatformEndpoint
\n
\n AWS::SNS::Topic
\n
\n AWS::SQS::Queue
\n
\n AWS::SSM::ManagedNode
\n
\n AWS::SSMMessages::ControlChannel
\n
\n AWS::SWF::Domain
\n
\n AWS::ThinClient::Device
\n
\n AWS::ThinClient::Environment
\n
\n AWS::Timestream::Database
\n
\n AWS::Timestream::Table
\n
\n AWS::VerifiedPermissions::PolicyStore
\n
\n AWS::XRay::Trace
\n
You can have only one resources.type
field per selector. To log data\n events on more than one resource type, add another selector.
\n \n resources.ARN
\n - You can use any\n operator with resources.ARN
, but if you use Equals
or\n NotEquals
, the value must exactly match the ARN of a valid resource\n of the type you've specified in the template as the value of resources.type.
You can't use the resources.ARN
field to filter resource types that do not have ARNs.
The resources.ARN
field can be set one of the following.
If resources.type equals AWS::S3::Object
, the ARN must be in\n one of the following formats. To log all data events for all objects in a specific S3\n bucket, use the StartsWith
operator, and include only the bucket ARN as\n the matching value.
The trailing slash is intentional; do not exclude it. Replace the text between\n less than and greater than symbols (<>) with resource-specific information.
\n\n arn:
\n
\n arn:
\n
When resources.type equals AWS::DynamoDB::Table
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::Lambda::Function
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::AppConfig::Configuration
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::B2BI::Transformer
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::Bedrock::AgentAlias
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::Bedrock::KnowledgeBase
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::Cassandra::Table
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::CloudFront::KeyValueStore
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::CloudTrail::Channel
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::CodeWhisperer::Customization
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::CodeWhisperer::Profile
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type equals AWS::Cognito::IdentityPool
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
When resources.type
equals AWS::DynamoDB::Stream
, and\n the operator is set to Equals
or NotEquals
, the ARN must be\n in the following format:
\n arn:
\n
When resources.type
equals AWS::EC2::Snapshot
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::EMRWAL::Workspace
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::FinSpace::Environment
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::Glue::Table
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::GreengrassV2::ComponentVersion
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::GreengrassV2::Deployment
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
When resources.type
equals AWS::GuardDuty::Detector
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::IoT::Certificate
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::IoT::Thing
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::IoTSiteWise::Asset
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::IoTSiteWise::TimeSeries
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::IoTTwinMaker::Entity
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::IoTTwinMaker::Workspace
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::KendraRanking::ExecutionPlan
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::KinesisVideo::Stream
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n the following format:
\n arn:
\n
When resources.type
equals AWS::ManagedBlockchain::Network
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::ManagedBlockchain::Node
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::MedicalImaging::Datastore
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::NeptuneGraph::Graph
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::PCAConnectorAD::Connector
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::QApps:QApp
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::QBusiness::Application
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::QBusiness::DataSource
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::QBusiness::Index
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::QBusiness::WebExperience
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::RDS::DBCluster
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::S3::AccessPoint
, and the\n operator is set to Equals
or NotEquals
, the ARN must be in\n one of the following formats. To log events on all objects in an S3 access point, we\n recommend that you use only the access point ARN, don’t include the object path, and\n use the StartsWith
or NotStartsWith
operators.
\n arn:
\n
\n arn:
\n
When resources.type
equals\n AWS::S3ObjectLambda::AccessPoint
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following\n format:
\n arn:
\n
When resources.type
equals AWS::S3Outposts::Object
, and\n the operator is set to Equals
or NotEquals
, the ARN must be\n in the following format:
\n arn:
\n
When resources.type
equals AWS::SageMaker::Endpoint
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SageMaker::ExperimentTrialComponent
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SageMaker::FeatureGroup
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SCN::Instance
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following format:
\n arn:
\n
When resources.type
equals AWS::ServiceDiscovery::Namespace
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following format:
\n arn:
\n
When resources.type
equals AWS::ServiceDiscovery::Service
, and the operator is set to\n Equals
or NotEquals
, the ARN must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SNS::PlatformEndpoint
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SNS::Topic
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SQS::Queue
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::SSM::ManagedNode
, and\n the operator is set to Equals
or NotEquals
, the ARN must be\n in one of the following formats:
\n arn:
\n
\n arn:
\n
When resources.type
equals AWS::SSMMessages::ControlChannel
, and\n the operator is set to Equals
or NotEquals
, the ARN must be\n in the following format:
\n arn:
\n
When resources.type
equals AWS::SWF::Domain
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::ThinClient::Device
, and\n the operator is set to Equals
or NotEquals
, the ARN must be\n in the following format:
\n arn:
\n
When resources.type
equals AWS::ThinClient::Environment
, and\n the operator is set to Equals
or NotEquals
, the ARN must be\n in the following format:
\n arn:
\n
When resources.type
equals AWS::Timestream::Database
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type
equals AWS::Timestream::Table
,\n and the operator is set to Equals
or NotEquals
, the ARN\n must be in the following format:
\n arn:
\n
When resources.type equals AWS::VerifiedPermissions::PolicyStore
, and the operator is\n set to Equals
or NotEquals
, the ARN must be in the\n following format:
\n arn:
\n
This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see Enabling Trusted Access with Other Amazon Web Services Services and Prepare For Creating a Trail For Your Organization.
", + "smithy.api#documentation": "This exception is thrown when trusted access has not been enabled between CloudTrail and Organizations. For more information, see How to enable or disable trusted access in the Organizations User Guide and Prepare For Creating a Trail For Your Organization in the CloudTrail User Guide.
", "smithy.api#error": "client", "smithy.api#httpError": 400 } @@ -2121,7 +2121,7 @@ "AdvancedEventSelectors": { "target": "com.amazonaws.cloudtrail#AdvancedEventSelectors", "traits": { - "smithy.api#documentation": "The advanced event selectors to use to select the events for the data store. You can\n configure up to five advanced event selectors for each event data store.
\nFor more information about how to use advanced event selectors to log CloudTrail\n events, see Log events by using advanced event selectors in the CloudTrail User Guide.
\nFor more information about how to use advanced event selectors to include Config configuration items in your event data store, see Create an event data store for Config configuration\n items in the CloudTrail User Guide.
\nFor more information about how to use advanced event selectors to include non-Amazon Web Services events in your event data store, see Create an integration to log events from outside Amazon Web Services in the CloudTrail User Guide.
" + "smithy.api#documentation": "The advanced event selectors to use to select the events for the data store. You can\n configure up to five advanced event selectors for each event data store.
\nFor more information about how to use advanced event selectors to log CloudTrail\n events, see Log events by using advanced event selectors in the CloudTrail User Guide.
\nFor more information about how to use advanced event selectors to include Config configuration items in your event data store, see Create an event data store for Config configuration\n items in the CloudTrail User Guide.
\nFor more information about how to use advanced event selectors to include events outside of Amazon Web Services events in your event data store, see Create an integration to log events from outside Amazon Web Services in the CloudTrail User Guide.
" } }, "MultiRegionEnabled": { @@ -2384,14 +2384,14 @@ "S3BucketName": { "target": "com.amazonaws.cloudtrail#String", "traits": { - "smithy.api#documentation": "Specifies the name of the Amazon S3 bucket designated for publishing log files.\n See Amazon S3\n Bucket Naming Requirements.
", + "smithy.api#documentation": "Specifies the name of the Amazon S3 bucket designated for publishing log files. \n For information about bucket naming rules, see Bucket naming rules \n in the Amazon Simple Storage Service User Guide.\n
", "smithy.api#required": {} } }, "S3KeyPrefix": { "target": "com.amazonaws.cloudtrail#String", "traits": { - "smithy.api#documentation": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you\n have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is 200\n characters.
" + "smithy.api#documentation": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you\n have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is 200\n characters.
" } }, "SnsTopicName": { @@ -2469,7 +2469,7 @@ "S3KeyPrefix": { "target": "com.amazonaws.cloudtrail#String", "traits": { - "smithy.api#documentation": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you\n have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files.
" + "smithy.api#documentation": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you\n have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files.
" } }, "SnsTopicName": { @@ -2551,12 +2551,12 @@ "Values": { "target": "com.amazonaws.cloudtrail#DataResourceValues", "traits": { - "smithy.api#documentation": "An array of Amazon Resource Name (ARN) strings or partial ARN strings for the specified\n objects.
\nTo log data events for all objects in all S3 buckets in your Amazon Web Services account, specify the prefix as arn:aws:s3
.
This also enables logging of data event activity performed by any user or role\n in your Amazon Web Services account, even if that activity is performed on a bucket\n that belongs to another Amazon Web Services account.
\nTo log data events for all objects in an S3 bucket, specify the bucket and an\n empty object prefix such as arn:aws:s3:::bucket-1/
. The trail logs data\n events for all objects in this S3 bucket.
To log data events for specific objects, specify the S3 bucket and object prefix\n such as arn:aws:s3:::bucket-1/example-images
. The trail logs data events\n for objects in this S3 bucket that match the prefix.
To log data events for all Lambda functions in your Amazon Web Services account, specify the prefix as arn:aws:lambda
.
This also enables logging of Invoke
activity performed by any user\n or role in your Amazon Web Services account, even if that activity is performed on\n a function that belongs to another Amazon Web Services account.
To log data events for a specific Lambda function, specify the\n function ARN.
\nLambda function ARNs are exact. For example, if you specify a\n function ARN\n arn:aws:lambda:us-west-2:111111111111:function:helloworld,\n data events will only be logged for\n arn:aws:lambda:us-west-2:111111111111:function:helloworld.\n They will not be logged for\n arn:aws:lambda:us-west-2:111111111111:function:helloworld2.
\nTo log data events for all DynamoDB tables in your Amazon Web Services account, specify the prefix as arn:aws:dynamodb
.
An array of Amazon Resource Name (ARN) strings or partial ARN strings for the specified\n resource type.
\nTo log data events for all objects in all S3 buckets in your Amazon Web Services account, specify the prefix as arn:aws:s3
.
This also enables logging of data event activity performed by any user or role\n in your Amazon Web Services account, even if that activity is performed on a bucket\n that belongs to another Amazon Web Services account.
\nTo log data events for all objects in an S3 bucket, specify the bucket and an\n empty object prefix such as arn:aws:s3:::bucket-1/
. The trail logs data\n events for all objects in this S3 bucket.
To log data events for specific objects, specify the S3 bucket and object prefix\n such as arn:aws:s3:::bucket-1/example-images
. The trail logs data events\n for objects in this S3 bucket that match the prefix.
To log data events for all Lambda functions in your Amazon Web Services account, specify the prefix as arn:aws:lambda
.
This also enables logging of Invoke
activity performed by any user\n or role in your Amazon Web Services account, even if that activity is performed on\n a function that belongs to another Amazon Web Services account.
To log data events for a specific Lambda function, specify the\n function ARN.
\nLambda function ARNs are exact. For example, if you specify a\n function ARN\n arn:aws:lambda:us-west-2:111111111111:function:helloworld,\n data events will only be logged for\n arn:aws:lambda:us-west-2:111111111111:function:helloworld.\n They will not be logged for\n arn:aws:lambda:us-west-2:111111111111:function:helloworld2.
\nTo log data events for all DynamoDB tables in your Amazon Web Services account, specify the prefix as arn:aws:dynamodb
.
The Amazon S3 buckets, Lambda functions, or Amazon DynamoDB tables that you specify in your event selectors for your trail to log data events. Data\n events provide information about the resource operations performed on or within a resource\n itself. These are also known as data plane operations. You can specify up to 250 data\n resources for a trail.
\nThe total number of allowed data resources is 250. This number can be distributed\n between 1 and 5 event selectors, but the total cannot exceed 250 across all\n selectors for the trail.
\nIf you are using advanced event selectors, the maximum total number of values for\n all conditions, across all advanced event selectors for the trail, is 500.
\nThe following example demonstrates how logging works when you configure logging of all\n data events for an S3 bucket named bucket-1
. In this example, the CloudTrail user specified an empty prefix, and the option to log both Read
\n and Write
data events.
A user uploads an image file to bucket-1
.
The PutObject
API operation is an Amazon S3 object-level API.\n It is recorded as a data event in CloudTrail. Because the CloudTrail\n user specified an S3 bucket with an empty prefix, events that occur on any object in\n that bucket are logged. The trail processes and logs the event.
A user uploads an object to an Amazon S3 bucket named\n arn:aws:s3:::bucket-2
.
The PutObject
API operation occurred for an object in an S3 bucket\n that the CloudTrail user didn't specify for the trail. The trail doesn’t log\n the event.
The following example demonstrates how logging works when you configure logging of\n Lambda data events for a Lambda function named\n MyLambdaFunction, but not for all Lambda\n functions.
\nA user runs a script that includes a call to the\n MyLambdaFunction function and the\n MyOtherLambdaFunction function.
\nThe Invoke
API operation on MyLambdaFunction is\n an Lambda API. It is recorded as a data event in CloudTrail.\n Because the CloudTrail user specified logging data events for\n MyLambdaFunction, any invocations of that function are\n logged. The trail processes and logs the event.
The Invoke
API operation on\n MyOtherLambdaFunction is an Lambda API. Because\n the CloudTrail user did not specify logging data events for all Lambda functions, the Invoke
operation for\n MyOtherLambdaFunction does not match the function specified\n for the trail. The trail doesn’t log the event.
Data events provide information about the resource operations performed on or within a resource\n itself. These are also known as data plane operations. You can specify up to 250 data\n resources for a trail.
\nConfigure the DataResource
to specify the resource type and resource ARNs for which you want to log data events.
You can specify the following resource types in your event selectors for your trail:
\n\n AWS::DynamoDB::Table
\n
\n AWS::Lambda::Function
\n
\n AWS::S3::Object
\n
The total number of allowed data resources is 250. This number can be distributed\n between 1 and 5 event selectors, but the total cannot exceed 250 across all\n selectors for the trail.
\nIf you are using advanced event selectors, the maximum total number of values for\n all conditions, across all advanced event selectors for the trail, is 500.
\nThe following example demonstrates how logging works when you configure logging of all\n data events for an S3 bucket named bucket-1
. In this example, the CloudTrail user specified an empty prefix, and the option to log both Read
\n and Write
data events.
A user uploads an image file to bucket-1
.
The PutObject
API operation is an Amazon S3 object-level API.\n It is recorded as a data event in CloudTrail. Because the CloudTrail\n user specified an S3 bucket with an empty prefix, events that occur on any object in\n that bucket are logged. The trail processes and logs the event.
A user uploads an object to an Amazon S3 bucket named\n arn:aws:s3:::bucket-2
.
The PutObject
API operation occurred for an object in an S3 bucket\n that the CloudTrail user didn't specify for the trail. The trail doesn’t log\n the event.
The following example demonstrates how logging works when you configure logging of\n Lambda data events for a Lambda function named\n MyLambdaFunction, but not for all Lambda\n functions.
\nA user runs a script that includes a call to the\n MyLambdaFunction function and the\n MyOtherLambdaFunction function.
\nThe Invoke
API operation on MyLambdaFunction is\n an Lambda API. It is recorded as a data event in CloudTrail.\n Because the CloudTrail user specified logging data events for\n MyLambdaFunction, any invocations of that function are\n logged. The trail processes and logs the event.
The Invoke
API operation on\n MyOtherLambdaFunction is an Lambda API. Because\n the CloudTrail user did not specify logging data events for all Lambda functions, the Invoke
operation for\n MyOtherLambdaFunction does not match the function specified\n for the trail. The trail doesn’t log the event.
A storage lake of event data against which you can run complex SQL-based queries. An\n event data store can include events that you have logged on your account. To select events for an event data\n store, use advanced event selectors.
" + "smithy.api#documentation": "A storage lake of event data against which you can run complex SQL-based queries. An\n event data store can include events that you have logged on your account. To select events for an event data\n store, use advanced event selectors.
" } }, "com.amazonaws.cloudtrail#EventDataStoreARNInvalidException": { @@ -4155,6 +4155,12 @@ "traits": { "smithy.api#documentation": "\n If Lake query federation is enabled, provides the ARN of the federation role used to access the resources for the federated event data store.\n
" } + }, + "PartitionKeys": { + "target": "com.amazonaws.cloudtrail#PartitionKeyList", + "traits": { + "smithy.api#documentation": "The partition keys for the event data store. To improve query performance and efficiency, CloudTrail Lake organizes \n event data into partitions based on values derived from partition keys.
" + } } }, "traits": { @@ -4742,7 +4748,7 @@ "LatestDeliveryError": { "target": "com.amazonaws.cloudtrail#String", "traits": { - "smithy.api#documentation": "Displays any Amazon S3 error that CloudTrail encountered when attempting\n to deliver log files to the designated bucket. For more information, see Error\n Responses in the Amazon S3 API Reference.
\nThis error occurs only when there is a problem with the destination S3 bucket, and\n does not occur for requests that time out. To resolve the issue, create a new bucket,\n and then call UpdateTrail
to specify the new bucket; or fix the existing\n objects so that CloudTrail can again write to the bucket.
Displays any Amazon S3 error that CloudTrail encountered when attempting\n to deliver log files to the designated bucket. For more information, see Error\n Responses in the Amazon S3 API Reference.
\nThis error occurs only when there is a problem with the destination S3 bucket, and\n does not occur for requests that time out. To resolve the issue, \n fix the bucket policy so that CloudTrail \n can write to the bucket; or create a new bucket and call UpdateTrail
to specify the new bucket.
Displays any Amazon S3 error that CloudTrail encountered when attempting\n to deliver a digest file to the designated bucket. For more information, see Error\n Responses in the Amazon S3 API Reference.
\nThis error occurs only when there is a problem with the destination S3 bucket, and\n does not occur for requests that time out. To resolve the issue, create a new bucket,\n and then call UpdateTrail
to specify the new bucket; or fix the existing\n objects so that CloudTrail can again write to the bucket.
Displays any Amazon S3 error that CloudTrail encountered when attempting\n to deliver a digest file to the designated bucket. For more information, see Error\n Responses in the Amazon S3 API Reference.
\nThis error occurs only when there is a problem with the destination S3 bucket, and\n does not occur for requests that time out. To resolve the issue, \n fix the bucket policy so that CloudTrail \n can write to the bucket; or create a new bucket and call UpdateTrail
to specify the new bucket.
This exception is thrown when the Amazon Web Services account making the request to\n create or update an organization trail or event data store is not the management account\n for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Create an event data store.
", + "smithy.api#documentation": "This exception is thrown when the Amazon Web Services account making the request to\n create or update an organization trail or event data store is not the management account\n for an organization in Organizations. For more information, see Prepare For Creating a Trail For Your Organization or Organization event data stores.
", "smithy.api#error": "client", "smithy.api#httpError": 400 } @@ -7208,6 +7214,60 @@ "smithy.api#pattern": ".*" } }, + "com.amazonaws.cloudtrail#PartitionKey": { + "type": "structure", + "members": { + "Name": { + "target": "com.amazonaws.cloudtrail#PartitionKeyName", + "traits": { + "smithy.api#documentation": "The name of the partition key.
", + "smithy.api#required": {} + } + }, + "Type": { + "target": "com.amazonaws.cloudtrail#PartitionKeyType", + "traits": { + "smithy.api#documentation": "The data type of the partition key. For example, bigint
or string
.
Contains information about a partition key for an event data store.
" + } + }, + "com.amazonaws.cloudtrail#PartitionKeyList": { + "type": "list", + "member": { + "target": "com.amazonaws.cloudtrail#PartitionKey" + }, + "traits": { + "smithy.api#length": { + "min": 0, + "max": 2 + } + } + }, + "com.amazonaws.cloudtrail#PartitionKeyName": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 255 + }, + "smithy.api#pattern": "^[\\u0020-\\uD7FF\\uE000-\\uFFFD\\uD800\\uDC00-\\uDBFF\\uDFFF\\t]*$" + } + }, + "com.amazonaws.cloudtrail#PartitionKeyType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 255 + }, + "smithy.api#pattern": "^[\\u0020-\\uD7FF\\uE000-\\uFFFD\\uD800\\uDC00-\\uDBFF\\uDFFF\\t]*$" + } + }, "com.amazonaws.cloudtrail#PublicKey": { "type": "structure", "members": { @@ -7293,7 +7353,7 @@ } ], "traits": { - "smithy.api#documentation": "Configures an event selector or advanced event selectors for your trail. Use event\n selectors or advanced event selectors to specify management and data event settings for\n your trail. If you want your trail to log Insights events, be sure the event selector \n enables logging of the Insights event types you want configured for your trail. For more information about logging Insights events, see Logging Insights events for trails in the CloudTrail User Guide.\n By default, trails created without specific event selectors are configured to\n log all read and write management events, and no data events.
\nWhen an event occurs in your account, CloudTrail evaluates the event selectors or\n advanced event selectors in all trails. For each trail, if the event matches any event\n selector, the trail processes and logs the event. If the event doesn't match any event\n selector, the trail doesn't log the event.
\nExample
\nYou create an event selector for a trail and specify that you want write-only\n events.
\nThe EC2 GetConsoleOutput
and RunInstances
API operations\n occur in your account.
CloudTrail evaluates whether the events match your event selectors.
\nThe RunInstances
is a write-only event and it matches your event\n selector. The trail logs the event.
The GetConsoleOutput
is a read-only event that doesn't match your\n event selector. The trail doesn't log the event.
The PutEventSelectors
operation must be called from the Region in which the\n trail was created; otherwise, an InvalidHomeRegionException
exception is\n thrown.
You can configure up to five event selectors for each trail. For more information, see\n Logging management events, Logging\n data events, and Quotas in CloudTrail in the CloudTrail User\n Guide.
\nYou can add advanced event selectors, and conditions for your advanced event selectors,\n up to a maximum of 500 values for all conditions and selectors on a trail. You can use\n either AdvancedEventSelectors
or EventSelectors
, but not both. If\n you apply AdvancedEventSelectors
to a trail, any existing\n EventSelectors
are overwritten. For more information about advanced event\n selectors, see Logging data events in the CloudTrail User Guide.
Configures an event selector or advanced event selectors for your trail. Use event\n selectors or advanced event selectors to specify management and data event settings for\n your trail. If you want your trail to log Insights events, be sure the event selector \n enables logging of the Insights event types you want configured for your trail. For more information about logging Insights events, see Logging Insights events in the CloudTrail User Guide.\n By default, trails created without specific event selectors are configured to\n log all read and write management events, and no data events.
\nWhen an event occurs in your account, CloudTrail evaluates the event selectors or\n advanced event selectors in all trails. For each trail, if the event matches any event\n selector, the trail processes and logs the event. If the event doesn't match any event\n selector, the trail doesn't log the event.
\nExample
\nYou create an event selector for a trail and specify that you want write-only\n events.
\nThe EC2 GetConsoleOutput
and RunInstances
API operations\n occur in your account.
CloudTrail evaluates whether the events match your event selectors.
\nThe RunInstances
is a write-only event and it matches your event\n selector. The trail logs the event.
The GetConsoleOutput
is a read-only event that doesn't match your\n event selector. The trail doesn't log the event.
The PutEventSelectors
operation must be called from the Region in which the\n trail was created; otherwise, an InvalidHomeRegionException
exception is\n thrown.
You can configure up to five event selectors for each trail. For more information, see\n Logging management events, Logging\n data events, and Quotas in CloudTrail in the CloudTrail User\n Guide.
\nYou can add advanced event selectors, and conditions for your advanced event selectors,\n up to a maximum of 500 values for all conditions and selectors on a trail. You can use\n either AdvancedEventSelectors
or EventSelectors
, but not both. If\n you apply AdvancedEventSelectors
to a trail, any existing\n EventSelectors
are overwritten. For more information about advanced event\n selectors, see Logging data events in the CloudTrail User Guide.
Starts an import of logged trail events from a source S3 bucket to a destination event\n data store. By default, CloudTrail only imports events contained in the S3 bucket's\n CloudTrail
prefix and the prefixes inside the CloudTrail
prefix, and does not check prefixes for other Amazon Web Services\n services. If you want to import CloudTrail events contained in another prefix, you\n must include the prefix in the S3LocationUri
. For more considerations about\n importing trail events, see Considerations.
When you start a new import, the Destinations
and\n ImportSource
parameters are required. Before starting a new import, disable\n any access control lists (ACLs) attached to the source S3 bucket. For more information\n about disabling ACLs, see Controlling ownership of\n objects and disabling ACLs for your bucket.
When you retry an import, the ImportID
parameter is required.
If the destination event data store is for an organization, you must use the\n management account to import trail events. You cannot use the delegated administrator\n account for the organization.
\n Starts an import of logged trail events from a source S3 bucket to a destination event\n data store. By default, CloudTrail only imports events contained in the S3 bucket's\n CloudTrail
prefix and the prefixes inside the CloudTrail
prefix, and does not check prefixes for other Amazon Web Services\n services. If you want to import CloudTrail events contained in another prefix, you\n must include the prefix in the S3LocationUri
. For more considerations about\n importing trail events, see Considerations for copying trail events in the CloudTrail User Guide.
When you start a new import, the Destinations
and\n ImportSource
parameters are required. Before starting a new import, disable\n any access control lists (ACLs) attached to the source S3 bucket. For more information\n about disabling ACLs, see Controlling ownership of\n objects and disabling ACLs for your bucket.
When you retry an import, the ImportID
parameter is required.
If the destination event data store is for an organization, you must use the\n management account to import trail events. You cannot use the delegated administrator\n account for the organization.
\nName of the Amazon S3 bucket into which CloudTrail delivers your trail\n files. See Amazon S3\n Bucket Naming Requirements.
" + "smithy.api#documentation": "Name of the Amazon S3 bucket into which CloudTrail delivers your trail\n files. See Amazon S3\n Bucket naming rules.
" } }, "S3KeyPrefix": { "target": "com.amazonaws.cloudtrail#String", "traits": { - "smithy.api#documentation": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you\n have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is 200\n characters.
" + "smithy.api#documentation": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you\n have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is 200\n characters.
" } }, "SnsTopicName": { @@ -9834,13 +9894,13 @@ "S3BucketName": { "target": "com.amazonaws.cloudtrail#String", "traits": { - "smithy.api#documentation": "Specifies the name of the Amazon S3 bucket designated for publishing log files.\n See Amazon S3\n Bucket Naming Requirements.
" + "smithy.api#documentation": "Specifies the name of the Amazon S3 bucket designated for publishing log files.\n See Amazon S3\n Bucket naming rules.
" } }, "S3KeyPrefix": { "target": "com.amazonaws.cloudtrail#String", "traits": { - "smithy.api#documentation": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you\n have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is 200\n characters.
" + "smithy.api#documentation": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you\n have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files. The maximum length is 200\n characters.
" } }, "SnsTopicName": { @@ -9915,7 +9975,7 @@ "S3KeyPrefix": { "target": "com.amazonaws.cloudtrail#String", "traits": { - "smithy.api#documentation": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you\n have designated for log file delivery. For more information, see Finding Your IAM Log Files.
" + "smithy.api#documentation": "Specifies the Amazon S3 key prefix that comes after the name of the bucket you\n have designated for log file delivery. For more information, see Finding Your IAM Log Files.
" } }, "SnsTopicName": {