// Code generated by smithy-go-codegen DO NOT EDIT.

package types

import (
	"time"
)

// AdvancedEventSelector lets you create fine-grained selectors for the following
// AWS CloudTrail event record fields. They help you control costs by logging only
// those events that are important to you. For more information about advanced
// event selectors, see Logging data events for trails
// (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html)
// in the AWS CloudTrail User Guide.
//
// * readOnly
//
// * eventSource
//
// * eventName
//
// * eventCategory
//
// * resources.type
//
// * resources.ARN
//
// You cannot apply both event selectors and advanced event selectors to a trail.
type AdvancedEventSelector struct {

	// Contains all selector statements in an advanced event selector.
	//
	// This member is required.
	FieldSelectors []AdvancedFieldSelector

	// An optional, descriptive name for an advanced event selector, such as "Log data
	// events for only two S3 buckets".
	Name *string
}

// AdvancedFieldSelector is a single selector statement in an advanced event
// selector. Exactly one of the operator fields (Equals, NotEquals, StartsWith,
// NotStartsWith, EndsWith, NotEndsWith) is expected to carry the condition for
// the field named in Field.
type AdvancedFieldSelector struct {

	// A field in an event record on which to filter events to be logged. Supported
	// fields include readOnly, eventCategory, eventSource (for management events),
	// eventName, resources.type, and resources.ARN.
	//
	// * readOnly - Optional. Can be set to Equals a value of true or false. A value
	// of false logs both read and write events.
	//
	// * eventSource - For filtering management events only. This can be set only to
	// NotEquals kms.amazonaws.com.
	//
	// * eventName - Can use any operator. You can use it to filter in or filter out
	// any data event logged to CloudTrail, such as PutBucket. You can have multiple
	// values for this field, separated by commas.
	//
	// * eventCategory - This is required. It must be set to Equals, and the value
	// must be Management or Data.
	//
	// * resources.type - This field is required. resources.type can only use the
	// Equals operator, and the value can be one of the following: AWS::S3::Object or
	// AWS::Lambda::Function. You can have only one resources.type field per
	// selector. To log data events on more than one resource type, add another
	// selector.
	//
	// * resources.ARN - You can use any operator with resources.ARN, but if you use
	// Equals or NotEquals, the value must exactly match the ARN of a valid resource
	// of the type you've specified in the template as the value of resources.type.
	// For example, if resources.type equals AWS::S3::Object, the ARN must be in one
	// of the following formats. The trailing slash is intentional; do not exclude
	// it.
	//
	// * arn:partition:s3:::bucket_name/
	//
	// * arn:partition:s3:::bucket_name/object_or_file_name/
	//
	// When resources.type equals AWS::Lambda::Function, and the operator is set to
	// Equals or NotEquals, the ARN must be in the following format:
	//
	// * arn:partition:lambda:region:account_ID:function:function_name
	//
	// This member is required.
	Field *string

	// An operator that includes events that match the last few characters of the event
	// record field specified as the value of Field.
	EndsWith []string

	// An operator that includes events that match the exact value of the event record
	// field specified as the value of Field. This is the only valid operator that you
	// can use with the readOnly, eventCategory, and resources.type fields.
	Equals []string

	// An operator that excludes events that match the last few characters of the event
	// record field specified as the value of Field.
	NotEndsWith []string

	// An operator that excludes events that match the exact value of the event record
	// field specified as the value of Field.
	NotEquals []string

	// An operator that excludes events that match the first few characters of the
	// event record field specified as the value of Field.
	NotStartsWith []string

	// An operator that includes events that match the first few characters of the
	// event record field specified as the value of Field.
	StartsWith []string
}

// DataResource names the Amazon S3 buckets or AWS Lambda functions that you
// specify in your event selectors for your trail to log data events. Data events
// provide information about the resource operations performed on or within a
// resource itself. These are also known as data plane operations. You can specify
// up to 250 data resources for a trail. The total number of allowed data
// resources is 250. This number can be distributed between 1 and 5 event
// selectors, but the total cannot exceed 250 across all selectors. If you are
// using advanced event selectors, the maximum total number of values for all
// conditions, across all advanced event selectors for the trail, is 500. The
// following example demonstrates how logging works when you configure logging of
// all data events for an S3 bucket named bucket-1. In this example, the
// CloudTrail user specified an empty prefix, and the option to log both Read and
// Write data events.
//
// * A user uploads an image file to bucket-1.
//
// * The PutObject API operation is an Amazon S3 object-level API. It is recorded
// as a data event in CloudTrail. Because the CloudTrail user specified an S3
// bucket with an empty prefix, events that occur on any object in that bucket
// are logged. The trail processes and logs the event.
//
// * A user uploads an object to an Amazon S3 bucket named arn:aws:s3:::bucket-2.
//
// * The PutObject API operation occurred for an object in an S3 bucket that the
// CloudTrail user didn't specify for the trail. The trail doesn't log the event.
//
// The following example demonstrates how logging works when you configure
// logging of AWS Lambda data events for a Lambda function named MyLambdaFunction,
// but not for all AWS Lambda functions.
//
// * A user runs a script that includes a call to the MyLambdaFunction function
// and the MyOtherLambdaFunction function.
//
// * The Invoke API operation on MyLambdaFunction is an AWS Lambda API. It is
// recorded as a data event in CloudTrail. Because the CloudTrail user specified
// logging data events for MyLambdaFunction, any invocations of that function are
// logged. The trail processes and logs the event.
//
// * The Invoke API operation on MyOtherLambdaFunction is an AWS Lambda API.
// Because the CloudTrail user did not specify logging data events for all Lambda
// functions, the Invoke operation for MyOtherLambdaFunction does not match the
// function specified for the trail. The trail doesn't log the event.
type DataResource struct {

	// The resource type in which you want to log data events. You can specify
	// AWS::S3::Object or AWS::Lambda::Function resources.
	Type *string

	// An array of Amazon Resource Name (ARN) strings or partial ARN strings for the
	// specified objects.
	//
	// * To log data events for all objects in all S3 buckets in your AWS account,
	// specify the prefix as arn:aws:s3:::. This will also enable logging of data
	// event activity performed by any user or role in your AWS account, even if that
	// activity is performed on a bucket that belongs to another AWS account.
	//
	// * To log data events for all objects in an S3 bucket, specify the bucket and
	// an empty object prefix such as arn:aws:s3:::bucket-1/. The trail logs data
	// events for all objects in this S3 bucket.
	//
	// * To log data events for specific objects, specify the S3 bucket and object
	// prefix such as arn:aws:s3:::bucket-1/example-images. The trail logs data
	// events for objects in this S3 bucket that match the prefix.
	//
	// * To log data events for all functions in your AWS account, specify the prefix
	// as arn:aws:lambda. This will also enable logging of Invoke activity performed
	// by any user or role in your AWS account, even if that activity is performed on
	// a function that belongs to another AWS account.
	//
	// * To log data events for a specific Lambda function, specify the function ARN.
	// Lambda function ARNs are exact. For example, if you specify a function ARN
	// arn:aws:lambda:us-west-2:111111111111:function:helloworld, data events will
	// only be logged for arn:aws:lambda:us-west-2:111111111111:function:helloworld.
	// They will not be logged for
	// arn:aws:lambda:us-west-2:111111111111:function:helloworld2.
	//
	// NOTE(review): prefix-style values (arn:aws:s3::: and arn:aws:lambda) widen
	// logging to activity on resources outside the account, as described above;
	// worth keeping in mind when sizing a trail's output.
	Values []string
}

// Event contains information about an event that was returned by a lookup
// request. The result includes a representation of a CloudTrail event.
type Event struct {

	// The AWS access key ID that was used to sign the request. If the request was made
	// with temporary security credentials, this is the access key ID of the temporary
	// credentials.
	AccessKeyId *string

	// A JSON string that contains a representation of the event returned.
	//
	// NOTE(review): the JSON schema is not modelled by the types visible in this
	// file; callers decode it themselves.
	CloudTrailEvent *string

	// The CloudTrail ID of the event returned.
	EventId *string

	// The name of the event returned.
	EventName *string

	// The AWS service that the request was made to.
	EventSource *string

	// The date and time of the event returned.
	EventTime *time.Time

	// Information about whether the event is a write event or a read event.
	ReadOnly *string

	// A list of resources referenced by the event returned.
	Resources []Resource

	// A user name or role name of the requester that called the API in the event
	// returned.
	Username *string
}

// EventSelector lets you further specify the management and data event settings
// for your trail. By default, trails created without specific event selectors will
// be configured to log all read and write management events, and no data events.
// When an event occurs in your account, CloudTrail evaluates the event selector
// for all trails. For each trail, if the event matches any event selector, the
// trail processes and logs the event. If the event doesn't match any event
// selector, the trail doesn't log the event. You can configure up to five event
// selectors for a trail. You cannot apply both event selectors and advanced event
// selectors to a trail.
type EventSelector struct {

	// CloudTrail supports data event logging for Amazon S3 objects and AWS Lambda
	// functions. You can specify up to 250 resources for an individual event selector,
	// but the total number of data resources cannot exceed 250 across all event
	// selectors in a trail. This limit does not apply if you configure resource
	// logging for all data events. For more information, see Data Events
	// (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html#logging-data-events)
	// and Limits in AWS CloudTrail
	// (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html)
	// in the AWS CloudTrail User Guide.
	DataResources []DataResource

	// An optional list of service event sources from which you do not want management
	// events to be logged on your trail. In this release, the list can be empty
	// (disables the filter), or it can filter out AWS Key Management Service events by
	// containing "kms.amazonaws.com". By default, ExcludeManagementEventSources is
	// empty, and AWS KMS events are included in events that are logged to your trail.
	//
	// NOTE(review): any source listed here is omitted from the trail's
	// management-event record, so a non-empty list reduces audit coverage; review
	// it when assessing what a trail captures.
	ExcludeManagementEventSources []string

	// Specify if you want your event selector to include management events for your
	// trail. For more information, see Management Events
	// (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html#logging-management-events)
	// in the AWS CloudTrail User Guide. By default, the value is true. The first copy
	// of management events is free. You are charged for additional copies of
	// management events that you are logging on any subsequent trail in the same
	// region. For more information about CloudTrail pricing, see AWS CloudTrail
	// Pricing (http://aws.amazon.com/cloudtrail/pricing/).
	IncludeManagementEvents *bool

	// Specify if you want your trail to log read-only events, write-only events, or
	// all. For example, the EC2 GetConsoleOutput is a read-only API operation and
	// RunInstances is a write-only API operation. By default, the value is All.
	ReadWriteType ReadWriteType
}

// InsightSelector is a JSON string that contains a list of insight types that are
// logged on a trail.
type InsightSelector struct {

	// The type of insights to log on a trail. In this release, only ApiCallRateInsight
	// is supported as an insight type.
	InsightType InsightType
}

// LookupAttribute specifies an attribute and value that filter the events
// returned.
type LookupAttribute struct {

	// Specifies an attribute on which to filter the events returned.
	//
	// This member is required.
	AttributeKey LookupAttributeKey

	// Specifies a value for the specified AttributeKey.
	//
	// This member is required.
	AttributeValue *string
}

// PublicKey contains information about a returned public key.
type PublicKey struct {

	// The fingerprint of the public key.
	Fingerprint *string

	// The ending time of validity of the public key.
	ValidityEndTime *time.Time

	// The starting time of validity of the public key.
	ValidityStartTime *time.Time

	// The DER encoded public key value in PKCS#1 format.
	Value []byte
}

// Resource specifies the type and name of a resource referenced by an event.
type Resource struct {

	// The name of the resource referenced by the event returned. These are
	// user-created names whose values will depend on the environment. For example, the
	// resource name might be "auto-scaling-test-group" for an Auto Scaling Group or
	// "i-1234567" for an EC2 Instance.
	ResourceName *string

	// The type of a resource referenced by the event returned. When the resource type
	// cannot be determined, null is returned. Some examples of resource types are:
	// Instance for EC2, Trail for CloudTrail, DBInstance for RDS, and AccessKey for
	// IAM. To learn more about how to look up and filter events by the resource types
	// supported for a service, see Filtering CloudTrail Events
	// (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html#filtering-cloudtrail-events).
	ResourceType *string
}

// ResourceTag is a resource tag.
type ResourceTag struct {

	// Specifies the ARN of the resource.
	ResourceId *string

	// A list of tags.
	TagsList []Tag
}

// Tag is a custom key-value pair associated with a resource such as a CloudTrail
// trail.
type Tag struct {

	// The key in a key-value pair. The key must be no longer than 128 Unicode
	// characters. The key must be unique for the resource to which it applies.
	//
	// This member is required.
	Key *string

	// The value in a key-value pair of a tag. The value must be no longer than 256
	// Unicode characters.
	Value *string
}

// Trail holds the settings for a trail.
type Trail struct {

	// Specifies an Amazon Resource Name (ARN), a unique identifier that represents the
	// log group to which CloudTrail logs will be delivered.
	CloudWatchLogsLogGroupArn *string

	// Specifies the role for the CloudWatch Logs endpoint to assume to write to a
	// user's log group.
	CloudWatchLogsRoleArn *string

	// Specifies if the trail has custom event selectors.
	HasCustomEventSelectors *bool

	// Specifies whether a trail has insight types specified in an InsightSelector
	// list.
	HasInsightSelectors *bool

	// The region in which the trail was created.
	HomeRegion *string

	// Set to True to include AWS API calls from AWS global services such as IAM.
	// Otherwise, False.
	IncludeGlobalServiceEvents *bool

	// Specifies whether the trail exists only in one region or exists in all regions.
	IsMultiRegionTrail *bool

	// Specifies whether the trail is an organization trail.
	IsOrganizationTrail *bool

	// Specifies the KMS key ID that encrypts the logs delivered by CloudTrail. The
	// value is a fully specified ARN to a KMS key in the format:
	// arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
	KmsKeyId *string

	// Specifies whether log file validation is enabled.
	//
	// NOTE(review): this reports the trail's setting only; the validation state of
	// any individual delivered file is not represented by this type.
	LogFileValidationEnabled *bool

	// Name of the trail set by calling CreateTrail. The maximum length is 128
	// characters.
	Name *string

	// Name of the Amazon S3 bucket into which CloudTrail delivers your trail files.
	// See Amazon S3 Bucket Naming Requirements
	// (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create_trail_naming_policy.html).
	S3BucketName *string

	// Specifies the Amazon S3 key prefix that comes after the name of the bucket you
	// have designated for log file delivery. For more information, see Finding Your
	// CloudTrail Log Files
	// (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html).
	// The maximum length is 200 characters.
	S3KeyPrefix *string

	// Specifies the ARN of the Amazon SNS topic that CloudTrail uses to send
	// notifications when log files are delivered. The format of a topic ARN is:
	// arn:aws:sns:us-east-2:123456789012:MyTopic
	SnsTopicARN *string

	// This field is no longer in use. Use SnsTopicARN.
	//
	// Deprecated: This member has been deprecated.
	SnsTopicName *string

	// Specifies the ARN of the trail. The format of a trail ARN is:
	// arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail
	TrailARN *string
}

// TrailInfo is information about a CloudTrail trail, including the trail's name,
// home region, and Amazon Resource Name (ARN).
type TrailInfo struct {

	// The AWS region in which a trail was created.
	HomeRegion *string

	// The name of a trail.
	Name *string

	// The ARN of a trail.
	TrailARN *string
}