From 8e275e0a72f1f30a9f14019262d07d8a34c4502f Mon Sep 17 00:00:00 2001 From: awstools Date: Thu, 18 May 2023 18:16:40 +0000 Subject: [PATCH] feat(client-cloudtrail): Add ConflictException to PutEventSelectors, add (Channel/EDS)ARNInvalidException to Tag APIs. These exceptions provide customers with more specific error messages instead of internal errors. --- .../src/commands/AddTagsCommand.ts | 8 + .../commands/CreateEventDataStoreCommand.ts | 2 +- .../src/commands/CreateTrailCommand.ts | 2 +- .../commands/DeleteEventDataStoreCommand.ts | 2 +- .../src/commands/DeleteTrailCommand.ts | 2 +- ...gisterOrganizationDelegatedAdminCommand.ts | 2 +- .../src/commands/GetEventSelectorsCommand.ts | 4 +- .../src/commands/ListTagsCommand.ts | 8 + .../src/commands/PutEventSelectorsCommand.ts | 18 +- .../commands/PutInsightSelectorsCommand.ts | 5 + ...gisterOrganizationDelegatedAdminCommand.ts | 2 +- .../src/commands/RemoveTagsCommand.ts | 8 + .../commands/RestoreEventDataStoreCommand.ts | 2 +- .../src/commands/StartLoggingCommand.ts | 2 +- .../src/commands/StopLoggingCommand.ts | 2 +- .../commands/UpdateEventDataStoreCommand.ts | 5 +- .../src/commands/UpdateTrailCommand.ts | 2 +- .../client-cloudtrail/src/models/models_0.ts | 309 +++++++++++------- .../src/protocols/Aws_json1_1.ts | 21 ++ .../sdk-codegen/aws-models/cloudtrail.json | 281 ++++++++++------ 20 files changed, 443 insertions(+), 244 deletions(-) diff --git a/clients/client-cloudtrail/src/commands/AddTagsCommand.ts b/clients/client-cloudtrail/src/commands/AddTagsCommand.ts index 72a50a115c24..8606e47096a2 100644 --- a/clients/client-cloudtrail/src/commands/AddTagsCommand.ts +++ b/clients/client-cloudtrail/src/commands/AddTagsCommand.ts @@ -66,6 +66,10 @@ export interface AddTagsCommandOutput extends AddTagsResponse, __MetadataBearer * @see {@link AddTagsCommandOutput} for command's `response` shape. * @see {@link CloudTrailClientResolvedConfig | config} for CloudTrailClient's `config` shape. * + * @throws {@link ChannelARNInvalidException} (client fault) + *

This exception is thrown when the specified value of ChannelARN is not + * valid.

+ * * @throws {@link ChannelNotFoundException} (client fault) *

This exception is thrown when CloudTrail cannot find the specified channel.

* @@ -89,6 +93,10 @@ export interface AddTagsCommandOutput extends AddTagsResponse, __MetadataBearer * to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the * operation again.

* + * @throws {@link EventDataStoreARNInvalidException} (client fault) + *

The specified event data store ARN is not valid or does not map to an event data store + * in your account.

+ * * @throws {@link EventDataStoreNotFoundException} (client fault) *

The specified event data store was not found.

* diff --git a/clients/client-cloudtrail/src/commands/CreateEventDataStoreCommand.ts b/clients/client-cloudtrail/src/commands/CreateEventDataStoreCommand.ts index f32d59e55eff..640a607f1774 100644 --- a/clients/client-cloudtrail/src/commands/CreateEventDataStoreCommand.ts +++ b/clients/client-cloudtrail/src/commands/CreateEventDataStoreCommand.ts @@ -150,7 +150,7 @@ export interface CreateEventDataStoreCommandOutput extends CreateEventDataStoreR *

Your account has used the maximum number of event data stores.

* * @throws {@link InsufficientDependencyServiceAccessPermissionException} (client fault) - *

This exception is thrown when the IAM user or role that is used to create + *

This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

* diff --git a/clients/client-cloudtrail/src/commands/CreateTrailCommand.ts b/clients/client-cloudtrail/src/commands/CreateTrailCommand.ts index f7fb3d519a2c..dc51c88e7499 100644 --- a/clients/client-cloudtrail/src/commands/CreateTrailCommand.ts +++ b/clients/client-cloudtrail/src/commands/CreateTrailCommand.ts @@ -103,7 +103,7 @@ export interface CreateTrailCommandOutput extends CreateTrailResponse, __Metadat * operation again.

* * @throws {@link InsufficientDependencyServiceAccessPermissionException} (client fault) - *

This exception is thrown when the IAM user or role that is used to create + *

This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

* diff --git a/clients/client-cloudtrail/src/commands/DeleteEventDataStoreCommand.ts b/clients/client-cloudtrail/src/commands/DeleteEventDataStoreCommand.ts index 16205f5d2a16..b81ea0c099fb 100644 --- a/clients/client-cloudtrail/src/commands/DeleteEventDataStoreCommand.ts +++ b/clients/client-cloudtrail/src/commands/DeleteEventDataStoreCommand.ts @@ -86,7 +86,7 @@ export interface DeleteEventDataStoreCommandOutput extends DeleteEventDataStoreR *

The event data store is inactive.

* * @throws {@link InsufficientDependencyServiceAccessPermissionException} (client fault) - *

This exception is thrown when the IAM user or role that is used to create + *

This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

* diff --git a/clients/client-cloudtrail/src/commands/DeleteTrailCommand.ts b/clients/client-cloudtrail/src/commands/DeleteTrailCommand.ts index 7b90b0d71338..a27d59f8495d 100644 --- a/clients/client-cloudtrail/src/commands/DeleteTrailCommand.ts +++ b/clients/client-cloudtrail/src/commands/DeleteTrailCommand.ts @@ -77,7 +77,7 @@ export interface DeleteTrailCommandOutput extends DeleteTrailResponse, __Metadat * operation again.

* * @throws {@link InsufficientDependencyServiceAccessPermissionException} (client fault) - *

This exception is thrown when the IAM user or role that is used to create + *

This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

* diff --git a/clients/client-cloudtrail/src/commands/DeregisterOrganizationDelegatedAdminCommand.ts b/clients/client-cloudtrail/src/commands/DeregisterOrganizationDelegatedAdminCommand.ts index ab316232d8e1..2ab4a56cd7f7 100644 --- a/clients/client-cloudtrail/src/commands/DeregisterOrganizationDelegatedAdminCommand.ts +++ b/clients/client-cloudtrail/src/commands/DeregisterOrganizationDelegatedAdminCommand.ts @@ -80,7 +80,7 @@ export interface DeregisterOrganizationDelegatedAdminCommandOutput * operation again.

* * @throws {@link InsufficientDependencyServiceAccessPermissionException} (client fault) - *

This exception is thrown when the IAM user or role that is used to create + *

This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

* diff --git a/clients/client-cloudtrail/src/commands/GetEventSelectorsCommand.ts b/clients/client-cloudtrail/src/commands/GetEventSelectorsCommand.ts index 84e6d08faf06..f2606891726f 100644 --- a/clients/client-cloudtrail/src/commands/GetEventSelectorsCommand.ts +++ b/clients/client-cloudtrail/src/commands/GetEventSelectorsCommand.ts @@ -52,12 +52,12 @@ export interface GetEventSelectorsCommandOutput extends GetEventSelectorsRespons * diff --git a/clients/client-cloudtrail/src/commands/ListTagsCommand.ts b/clients/client-cloudtrail/src/commands/ListTagsCommand.ts index 2e5cd9d1104e..6e938354065c 100644 --- a/clients/client-cloudtrail/src/commands/ListTagsCommand.ts +++ b/clients/client-cloudtrail/src/commands/ListTagsCommand.ts @@ -70,6 +70,10 @@ export interface ListTagsCommandOutput extends ListTagsResponse, __MetadataBeare * @see {@link ListTagsCommandOutput} for command's `response` shape. * @see {@link CloudTrailClientResolvedConfig | config} for CloudTrailClient's `config` shape. * + * @throws {@link ChannelARNInvalidException} (client fault) + *

This exception is thrown when the specified value of ChannelARN is not + * valid.

+ * * @throws {@link CloudTrailARNInvalidException} (client fault) *

This exception is thrown when an operation is called with a trail ARN that is not valid. * The following is the format of a trail ARN.

@@ -84,6 +88,10 @@ export interface ListTagsCommandOutput extends ListTagsResponse, __MetadataBeare * arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890 *

* + * @throws {@link EventDataStoreARNInvalidException} (client fault) + *

The specified event data store ARN is not valid or does not map to an event data store + * in your account.

+ * * @throws {@link EventDataStoreNotFoundException} (client fault) *

The specified event data store was not found.

* diff --git a/clients/client-cloudtrail/src/commands/PutEventSelectorsCommand.ts b/clients/client-cloudtrail/src/commands/PutEventSelectorsCommand.ts index 947a0ceba9ac..36fd78749822 100644 --- a/clients/client-cloudtrail/src/commands/PutEventSelectorsCommand.ts +++ b/clients/client-cloudtrail/src/commands/PutEventSelectorsCommand.ts @@ -34,7 +34,9 @@ export interface PutEventSelectorsCommandOutput extends PutEventSelectorsRespons * @public *

Configures an event selector or advanced event selectors for your trail. Use event * selectors or advanced event selectors to specify management and data event settings for - * your trail. By default, trails created without specific event selectors are configured to + * your trail. If you want your trail to log Insights events, be sure the event selector + * enables logging of the Insights event types you want configured for your trail. For more information about logging Insights events, see Logging Insights events for trails in the CloudTrail User Guide. + * By default, trails created without specific event selectors are configured to * log all read and write management events, and no data events.

*

When an event occurs in your account, CloudTrail evaluates the event selectors or * advanced event selectors in all trails. For each trail, if the event matches any event @@ -66,15 +68,15 @@ export interface PutEventSelectorsCommandOutput extends PutEventSelectorsRespons * trail was created; otherwise, an InvalidHomeRegionException exception is * thrown.

*

You can configure up to five event selectors for each trail. For more information, see - * Logging management events for trails , Logging - * data events for trails , and Quotas in CloudTrail in the CloudTrail User + * Logging management events, Logging + * data events, and Quotas in CloudTrail in the CloudTrail User * Guide.

*

You can add advanced event selectors, and conditions for your advanced event selectors, * up to a maximum of 500 values for all conditions and selectors on a trail. You can use * either AdvancedEventSelectors or EventSelectors, but not both. If * you apply AdvancedEventSelectors to a trail, any existing * EventSelectors are overwritten. For more information about advanced event - * selectors, see Logging data events for trails in the CloudTrail User Guide.

+ * selectors, see Logging data events in the CloudTrail User Guide.

* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -198,8 +200,14 @@ export interface PutEventSelectorsCommandOutput extends PutEventSelectorsRespons * arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890 *

* + * @throws {@link ConflictException} (client fault) + *

This exception is thrown when the specified resource is not ready for an operation. This + * can occur when you try to run an operation on a resource before CloudTrail has time + * to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the + * operation again.

+ * * @throws {@link InsufficientDependencyServiceAccessPermissionException} (client fault) - *

This exception is thrown when the IAM user or role that is used to create + *

This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

* diff --git a/clients/client-cloudtrail/src/commands/PutInsightSelectorsCommand.ts b/clients/client-cloudtrail/src/commands/PutInsightSelectorsCommand.ts index 387577f1ca6d..a21947700b75 100644 --- a/clients/client-cloudtrail/src/commands/PutInsightSelectorsCommand.ts +++ b/clients/client-cloudtrail/src/commands/PutInsightSelectorsCommand.ts @@ -37,6 +37,11 @@ export interface PutInsightSelectorsCommandOutput extends PutInsightSelectorsRes * off Insights event logging, by passing an empty list of insight types. The valid Insights * event types in this release are ApiErrorRateInsight and * ApiCallRateInsight.

+ *

To log CloudTrail Insights events on API call volume, the trail + * must log write management events. To log CloudTrail + * Insights events on API error rate, the trail must log read or + * write management events. You can call GetEventSelectors on a trail + * to check whether the trail logs management events.

* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-cloudtrail/src/commands/RegisterOrganizationDelegatedAdminCommand.ts b/clients/client-cloudtrail/src/commands/RegisterOrganizationDelegatedAdminCommand.ts index 41320b720667..21a1ca5f1df6 100644 --- a/clients/client-cloudtrail/src/commands/RegisterOrganizationDelegatedAdminCommand.ts +++ b/clients/client-cloudtrail/src/commands/RegisterOrganizationDelegatedAdminCommand.ts @@ -89,7 +89,7 @@ export interface RegisterOrganizationDelegatedAdminCommandOutput * administrators is reached.

* * @throws {@link InsufficientDependencyServiceAccessPermissionException} (client fault) - *

This exception is thrown when the IAM user or role that is used to create + *

This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

* diff --git a/clients/client-cloudtrail/src/commands/RemoveTagsCommand.ts b/clients/client-cloudtrail/src/commands/RemoveTagsCommand.ts index 86a57072be32..937ec41fc62a 100644 --- a/clients/client-cloudtrail/src/commands/RemoveTagsCommand.ts +++ b/clients/client-cloudtrail/src/commands/RemoveTagsCommand.ts @@ -60,6 +60,10 @@ export interface RemoveTagsCommandOutput extends RemoveTagsResponse, __MetadataB * @see {@link RemoveTagsCommandOutput} for command's `response` shape. * @see {@link CloudTrailClientResolvedConfig | config} for CloudTrailClient's `config` shape. * + * @throws {@link ChannelARNInvalidException} (client fault) + *

This exception is thrown when the specified value of ChannelARN is not + * valid.

+ * * @throws {@link ChannelNotFoundException} (client fault) *

This exception is thrown when CloudTrail cannot find the specified channel.

* @@ -77,6 +81,10 @@ export interface RemoveTagsCommandOutput extends RemoveTagsResponse, __MetadataB * arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890 *

* + * @throws {@link EventDataStoreARNInvalidException} (client fault) + *

The specified event data store ARN is not valid or does not map to an event data store + * in your account.

+ * * @throws {@link EventDataStoreNotFoundException} (client fault) *

The specified event data store was not found.

* diff --git a/clients/client-cloudtrail/src/commands/RestoreEventDataStoreCommand.ts b/clients/client-cloudtrail/src/commands/RestoreEventDataStoreCommand.ts index 7bf7b6c1a437..0c61a352e07e 100644 --- a/clients/client-cloudtrail/src/commands/RestoreEventDataStoreCommand.ts +++ b/clients/client-cloudtrail/src/commands/RestoreEventDataStoreCommand.ts @@ -108,7 +108,7 @@ export interface RestoreEventDataStoreCommandOutput extends RestoreEventDataStor *

The specified event data store was not found.

* * @throws {@link InsufficientDependencyServiceAccessPermissionException} (client fault) - *

This exception is thrown when the IAM user or role that is used to create + *

This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

* diff --git a/clients/client-cloudtrail/src/commands/StartLoggingCommand.ts b/clients/client-cloudtrail/src/commands/StartLoggingCommand.ts index 5d6e33da151d..b1717588d258 100644 --- a/clients/client-cloudtrail/src/commands/StartLoggingCommand.ts +++ b/clients/client-cloudtrail/src/commands/StartLoggingCommand.ts @@ -78,7 +78,7 @@ export interface StartLoggingCommandOutput extends StartLoggingResponse, __Metad * operation again.

* * @throws {@link InsufficientDependencyServiceAccessPermissionException} (client fault) - *

This exception is thrown when the IAM user or role that is used to create + *

This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

* diff --git a/clients/client-cloudtrail/src/commands/StopLoggingCommand.ts b/clients/client-cloudtrail/src/commands/StopLoggingCommand.ts index e140e171f006..de0ee6c838c3 100644 --- a/clients/client-cloudtrail/src/commands/StopLoggingCommand.ts +++ b/clients/client-cloudtrail/src/commands/StopLoggingCommand.ts @@ -81,7 +81,7 @@ export interface StopLoggingCommandOutput extends StopLoggingResponse, __Metadat * operation again.

* * @throws {@link InsufficientDependencyServiceAccessPermissionException} (client fault) - *

This exception is thrown when the IAM user or role that is used to create + *

This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

* diff --git a/clients/client-cloudtrail/src/commands/UpdateEventDataStoreCommand.ts b/clients/client-cloudtrail/src/commands/UpdateEventDataStoreCommand.ts index 2711538dc8bf..1166c64114a7 100644 --- a/clients/client-cloudtrail/src/commands/UpdateEventDataStoreCommand.ts +++ b/clients/client-cloudtrail/src/commands/UpdateEventDataStoreCommand.ts @@ -41,8 +41,7 @@ export interface UpdateEventDataStoreCommandOutput extends UpdateEventDataStoreR * includes or excludes management and data events in your event data store. For more * information about AdvancedEventSelectors, see PutEventSelectorsRequest$AdvancedEventSelectors.

*

For event data stores for Config configuration items, Audit Manager evidence, or non-Amazon Web Services events, - * AdvancedEventSelectors includes events of that type in your event data - * store.

+ * AdvancedEventSelectors includes events of that type in your event data store.

* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -151,7 +150,7 @@ export interface UpdateEventDataStoreCommandOutput extends UpdateEventDataStoreR *

The event data store is inactive.

* * @throws {@link InsufficientDependencyServiceAccessPermissionException} (client fault) - *

This exception is thrown when the IAM user or role that is used to create + *

This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

* diff --git a/clients/client-cloudtrail/src/commands/UpdateTrailCommand.ts b/clients/client-cloudtrail/src/commands/UpdateTrailCommand.ts index 98c17c884992..184b56dba0ec 100644 --- a/clients/client-cloudtrail/src/commands/UpdateTrailCommand.ts +++ b/clients/client-cloudtrail/src/commands/UpdateTrailCommand.ts @@ -115,7 +115,7 @@ export interface UpdateTrailCommandOutput extends UpdateTrailResponse, __Metadat * operation again.

* * @throws {@link InsufficientDependencyServiceAccessPermissionException} (client fault) - *

This exception is thrown when the IAM user or role that is used to create + *

This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

* diff --git a/clients/client-cloudtrail/src/models/models_0.ts b/clients/client-cloudtrail/src/models/models_0.ts index b9a40b0d9bee..b3f0a5e6dd9d 100644 --- a/clients/client-cloudtrail/src/models/models_0.ts +++ b/clients/client-cloudtrail/src/models/models_0.ts @@ -157,6 +157,32 @@ export interface AddTagsRequest { */ export interface AddTagsResponse {} +/** + * @public + *

This exception is thrown when the specified value of ChannelARN is not + * valid.

+ */ +export class ChannelARNInvalidException extends __BaseException { + readonly name: "ChannelARNInvalidException" = "ChannelARNInvalidException"; + readonly $fault: "client" = "client"; + /** + *

Brief description of the exception returned by the request.

+ */ + Message?: string; + /** + * @internal + */ + constructor(opts: __ExceptionOptionType) { + super({ + name: "ChannelARNInvalidException", + $fault: "client", + ...opts, + }); + Object.setPrototypeOf(this, ChannelARNInvalidException.prototype); + this.Message = opts.Message; + } +} + /** * @public *

This exception is thrown when CloudTrail cannot find the specified channel.

@@ -246,6 +272,32 @@ export class ConflictException extends __BaseException { } } +/** + * @public + *

The specified event data store ARN is not valid or does not map to an event data store + * in your account.

+ */ +export class EventDataStoreARNInvalidException extends __BaseException { + readonly name: "EventDataStoreARNInvalidException" = "EventDataStoreARNInvalidException"; + readonly $fault: "client" = "client"; + /** + *

Brief description of the exception returned by the request.

+ */ + Message?: string; + /** + * @internal + */ + constructor(opts: __ExceptionOptionType) { + super({ + name: "EventDataStoreARNInvalidException", + $fault: "client", + ...opts, + }); + Object.setPrototypeOf(this, EventDataStoreARNInvalidException.prototype); + this.Message = opts.Message; + } +} + /** * @public *

The specified event data store was not found.

@@ -632,62 +684,62 @@ export interface AdvancedFieldSelector { *
    *
  • *

    - * AWS::CloudTrail::Channel + * AWS::DynamoDB::Table *

    *
    • *
  • *

    - * AWS::S3::Object + * AWS::Lambda::Function *

    *
    • *
  • *

    - * AWS::Lambda::Function + * AWS::S3::Object *

    *
    • *
  • *

    - * AWS::DynamoDB::Table + * AWS::CloudTrail::Channel *

    *
    • *
  • *

    - * AWS::S3Outposts::Object + * AWS::Cognito::IdentityPool *

    *
    • *
  • *

    - * AWS::ManagedBlockchain::Node + * AWS::DynamoDB::Stream *

    *
    • *
  • *

    - * AWS::S3ObjectLambda::AccessPoint + * AWS::EC2::Snapshot *

    *
    • *
  • *

    - * AWS::EC2::Snapshot + * AWS::FinSpace::Environment *

    *
    • *
  • *

    - * AWS::S3::AccessPoint + * AWS::Glue::Table *

    *
    • *
  • *

    - * AWS::DynamoDB::Stream + * AWS::GuardDuty::Detector *

    *
    • *
  • *

    - * AWS::Glue::Table + * AWS::KendraRanking::ExecutionPlan *

    *
    • *
  • *

    - * AWS::FinSpace::Environment + * AWS::ManagedBlockchain::Node *

    *
    • *
  • @@ -700,6 +752,21 @@ export interface AdvancedFieldSelector { * AWS::SageMaker::FeatureGroup *

    *
    • + *
  • + *

    + * AWS::S3::AccessPoint + *

    + *
    • + *
  • + *

    + * AWS::S3ObjectLambda::AccessPoint + *

    + *
    • + *
  • + *

    + * AWS::S3Outposts::Object + *

    + *
    • *
*

You can have only one resources.type field per selector. To log data * events on more than one resource type, add another selector.

@@ -730,20 +797,13 @@ export interface AdvancedFieldSelector { *

* * - *

When resources.type equals AWS::S3::AccessPoint, and the - * operator is set to Equals or NotEquals, the ARN must be in - * one of the following formats. To log events on all objects in an S3 access point, we - * recommend that you use only the access point ARN, don’t include the object path, and - * use the StartsWith or NotStartsWith operators.

+ *

When resources.type equals AWS::DynamoDB::Table, and the operator is + * set to Equals or NotEquals, the ARN must be in the + * following format:

*
    *
  • *

    - * arn::s3:::accesspoint/ - *

    - *
    • - *
  • - *

    - * arn::s3:::accesspoint//object/ + * arn::dynamodb:::table/ *

    *
    • *
@@ -757,94 +817,93 @@ export interface AdvancedFieldSelector { *

* * - *

When resources.type equals AWS::DynamoDB::Table, and the operator is + *

When resources.type equals AWS::CloudTrail::Channel, and the operator is * set to Equals or NotEquals, the ARN must be in the * following format:

*
    *
  • *

    - * arn::dynamodb:::table/ + * arn::cloudtrail:::channel/ *

    *
    • *
- *

When resources.type equals AWS::CloudTrail::Channel, and the operator is + *

When resources.type equals AWS::Cognito::IdentityPool, and the operator is * set to Equals or NotEquals, the ARN must be in the * following format:

*
    *
  • *

    - * arn::cloudtrail:::channel/ + * arn::cognito-identity:::identitypool/ *

    *
    • *
- *

When resources.type equals AWS::S3Outposts::Object, and + *

When resources.type equals AWS::DynamoDB::Stream, and * the operator is set to Equals or NotEquals, the ARN must be * in the following format:

*
    *
  • *

    - * arn::s3-outposts::: + * arn::dynamodb:::table//stream/ *

    *
    • *
- *

When resources.type equals AWS::ManagedBlockchain::Node, - * and the operator is set to Equals or NotEquals, the ARN - * must be in the following format:

+ *

When resources.type equals AWS::EC2::Snapshot, and the + * operator is set to Equals or NotEquals, the ARN must be in + * the following format:

*
    *
  • *

    - * arn::managedblockchain:::nodes/ + * arn::ec2:::snapshot/ *

    *
    • *
- *

When resources.type equals - * AWS::S3ObjectLambda::AccessPoint, and the operator is set to - * Equals or NotEquals, the ARN must be in the following - * format:

+ *

When resources.type equals AWS::FinSpace::Environment, + * and the operator is set to Equals or NotEquals, the ARN + * must be in the following format:

*
    *
  • *

    - * arn::s3-object-lambda:::accesspoint/ + * arn::finspace:::environment/ *

    *
    • *
- *

When resources.type equals AWS::EC2::Snapshot, and the + *

When resources.type equals AWS::Glue::Table, and the * operator is set to Equals or NotEquals, the ARN must be in * the following format:

*
    *
  • *

    - * arn::ec2:::snapshot/ + * arn::glue:::table// *

    *
    • *
- *

When resources.type equals AWS::DynamoDB::Stream, and - * the operator is set to Equals or NotEquals, the ARN must be - * in the following format:

+ *

When resources.type equals AWS::GuardDuty::Detector, and the + * operator is set to Equals or NotEquals, the ARN must be in + * the following format:

*
    *
  • *

    - * arn::dynamodb:::table//stream/ + * arn::guardduty:::detector/ *

    *
    • *
- *

When resources.type equals AWS::Glue::Table, and the + *

When resources.type equals AWS::KendraRanking::ExecutionPlan, and the * operator is set to Equals or NotEquals, the ARN must be in * the following format:

*
    *
  • *

    - * arn::glue:::table// + * arn::kendra-ranking:::rescore-execution-plan/ *

    *
    • *
- *

When resources.type equals AWS::FinSpace::Environment, + *

When resources.type equals AWS::ManagedBlockchain::Node, * and the operator is set to Equals or NotEquals, the ARN * must be in the following format:

*
    *
  • *

    - * arn::finspace:::environment/ + * arn::managedblockchain:::nodes/ *

    *
    • *
@@ -866,6 +925,44 @@ export interface AdvancedFieldSelector { *

* * + *

When resources.type equals AWS::S3::AccessPoint, and the + * operator is set to Equals or NotEquals, the ARN must be in + * one of the following formats. To log events on all objects in an S3 access point, we + * recommend that you use only the access point ARN, don’t include the object path, and + * use the StartsWith or NotStartsWith operators.

+ *
    + *
  • + *

    + * arn::s3:::accesspoint/ + *

    + *
    • + *
  • + *

    + * arn::s3:::accesspoint//object/ + *

    + *
    • + *
+ *

When resources.type equals + * AWS::S3ObjectLambda::AccessPoint, and the operator is set to + * Equals or NotEquals, the ARN must be in the following + * format:

+ *
    + *
  • + *

    + * arn::s3-object-lambda:::accesspoint/ + *

    + *
    • + *
+ *

When resources.type equals AWS::S3Outposts::Object, and + * the operator is set to Equals or NotEquals, the ARN must be + * in the following format:

+ *
    + *
  • + *

    + * arn::s3-outposts::: + *

    + *
    • + *
* * */ @@ -914,7 +1011,7 @@ export interface AdvancedFieldSelector { * @public *

Advanced event selectors let you create fine-grained selectors for the following CloudTrail event record fields. They help you control costs by logging only those * events that are important to you. For more information about advanced event selectors, see - * Logging data events for trails in the CloudTrail User Guide.

+ * Logging data events in the CloudTrail User Guide.

*
    *
  • *

    @@ -1015,32 +1112,6 @@ export interface CancelQueryResponse { QueryStatus: QueryStatus | string | undefined; } -/** - * @public - *

    The specified event data store ARN is not valid or does not map to an event data store - * in your account.

    - */ -export class EventDataStoreARNInvalidException extends __BaseException { - readonly name: "EventDataStoreARNInvalidException" = "EventDataStoreARNInvalidException"; - readonly $fault: "client" = "client"; - /** - *

    Brief description of the exception returned by the request.

    - */ - Message?: string; - /** - * @internal - */ - constructor(opts: __ExceptionOptionType) { - super({ - name: "EventDataStoreARNInvalidException", - $fault: "client", - ...opts, - }); - Object.setPrototypeOf(this, EventDataStoreARNInvalidException.prototype); - this.Message = opts.Message; - } -} - /** * @public *

    The specified query cannot be canceled because it is in the FINISHED, @@ -1190,32 +1261,6 @@ export class ChannelAlreadyExistsException extends __BaseException { } } -/** - * @public - *

    This exception is thrown when the specified value of ChannelARN is not - * valid.

    - */ -export class ChannelARNInvalidException extends __BaseException { - readonly name: "ChannelARNInvalidException" = "ChannelARNInvalidException"; - readonly $fault: "client" = "client"; - /** - *

    Brief description of the exception returned by the request.

    - */ - Message?: string; - /** - * @internal - */ - constructor(opts: __ExceptionOptionType) { - super({ - name: "ChannelARNInvalidException", - $fault: "client", - ...opts, - }); - Object.setPrototypeOf(this, ChannelARNInvalidException.prototype); - this.Message = opts.Message; - } -} - /** * @public *

    This exception is thrown when the specified event data store cannot yet be deleted because it @@ -1671,7 +1716,7 @@ export class EventDataStoreMaxLimitExceededException extends __BaseException { /** * @public - *

    This exception is thrown when the IAM user or role that is used to create + *

    This exception is thrown when the IAM identity that is used to create * the organization resource lacks one or more required permissions for creating an * organization resource in a required service.

    */ @@ -2935,8 +2980,9 @@ export interface DescribeTrailsRequest { *
* *

If one or more trail names are specified, information is returned only if the names - * match the names of trails belonging only to the current region and current account. To return information - * about a trail in another region, you must specify its trail ARN.

+ * match the names of trails belonging only to the current region and current account. To + * return information about a trail in another region, you must specify its trail + * ARN.

* */ trailNameList?: string[]; @@ -3361,7 +3407,7 @@ export interface DataResource { *
    *
  • *

    - * AWS::S3::Object + * AWS::DynamoDB::Table *

    *
    • *
  • @@ -3371,7 +3417,7 @@ export interface DataResource { *
    • *
  • *

    - * AWS::DynamoDB::Table + * AWS::S3::Object *

    *
    • *
@@ -3387,42 +3433,42 @@ export interface DataResource { * *
  • *

    - * AWS::S3Outposts::Object + * AWS::Cognito::IdentityPool *

    *
    • *
  • *

    - * AWS::ManagedBlockchain::Node + * AWS::DynamoDB::Stream *

    *
    • *
  • *

    - * AWS::S3ObjectLambda::AccessPoint + * AWS::EC2::Snapshot *

    *
    • *
  • *

    - * AWS::EC2::Snapshot + * AWS::FinSpace::Environment *

    *
    • *
  • *

    - * AWS::S3::AccessPoint + * AWS::Glue::Table *

    *
    • *
  • *

    - * AWS::DynamoDB::Stream + * AWS::GuardDuty::Detector *

    *
    • *
  • *

    - * AWS::Glue::Table + * AWS::KendraRanking::ExecutionPlan *

    *
    • *
  • *

    - * AWS::FinSpace::Environment + * AWS::ManagedBlockchain::Node *

    *
    • *
  • @@ -3435,6 +3481,21 @@ export interface DataResource { * AWS::SageMaker::FeatureGroup *

    *
    • + *
  • + *

    + * AWS::S3::AccessPoint + *

    + *
    • + *
  • + *

    + * AWS::S3ObjectLambda::AccessPoint + *

    + *
    • + *
  • + *

    + * AWS::S3Outposts::Object + *

    + *
    • * */ Type?: string; @@ -3804,12 +3865,17 @@ export type InsightType = (typeof InsightType)[keyof typeof InsightType]; /** * @public - *

    A JSON string that contains a list of insight types that are logged on a trail.

    + *

    A JSON string that contains a list of Insights types that are logged on a trail.

    */ export interface InsightSelector { /** - *

    The type of insights to log on a trail. ApiCallRateInsight and - * ApiErrorRateInsight are valid insight types.

    + *

    The type of Insights events to log on a trail. ApiCallRateInsight and + * ApiErrorRateInsight are valid Insight types.

    + *

    The ApiCallRateInsight Insights type analyzes write-only + * management API calls that are aggregated per minute against a baseline API call volume.

    + *

    The ApiErrorRateInsight Insights type analyzes management + * API calls that result in error codes. The error is shown if the API call is + * unsuccessful.

    */ InsightType?: InsightType | string; } @@ -5131,7 +5197,7 @@ export interface PutEventSelectorsRequest { * AdvancedEventSelectors or EventSelectors, but not both. If you * apply AdvancedEventSelectors to a trail, any existing * EventSelectors are overwritten. For more information about advanced event - * selectors, see Logging data events for trails in the CloudTrail User Guide.

    + * selectors, see Logging data events in the CloudTrail User Guide.

    */ AdvancedEventSelectors?: AdvancedEventSelector[]; } @@ -5200,8 +5266,13 @@ export interface PutInsightSelectorsRequest { /** *

    A JSON string that contains the insight types you want to log on a trail. - * ApiCallRateInsight and ApiErrorRateInsight are valid insight + * ApiCallRateInsight and ApiErrorRateInsight are valid Insight * types.

    + *

    The ApiCallRateInsight Insights type analyzes write-only + * management API calls that are aggregated per minute against a baseline API call volume.

    + *

    The ApiErrorRateInsight Insights type analyzes management + * API calls that result in error codes. The error is shown if the API call is + * unsuccessful.

    */ InsightSelectors: InsightSelector[] | undefined; } diff --git a/clients/client-cloudtrail/src/protocols/Aws_json1_1.ts b/clients/client-cloudtrail/src/protocols/Aws_json1_1.ts index f4950aab242f..950609fbccf7 100644 --- a/clients/client-cloudtrail/src/protocols/Aws_json1_1.ts +++ b/clients/client-cloudtrail/src/protocols/Aws_json1_1.ts @@ -856,6 +856,9 @@ const de_AddTagsCommandError = async ( }; const errorCode = loadRestJsonErrorCode(output, parsedOutput.body); switch (errorCode) { + case "ChannelARNInvalidException": + case "com.amazonaws.cloudtrail#ChannelARNInvalidException": + throw await de_ChannelARNInvalidExceptionRes(parsedOutput, context); case "ChannelNotFoundException": case "com.amazonaws.cloudtrail#ChannelNotFoundException": throw await de_ChannelNotFoundExceptionRes(parsedOutput, context); @@ -865,6 +868,9 @@ const de_AddTagsCommandError = async ( case "ConflictException": case "com.amazonaws.cloudtrail#ConflictException": throw await de_ConflictExceptionRes(parsedOutput, context); + case "EventDataStoreARNInvalidException": + case "com.amazonaws.cloudtrail#EventDataStoreARNInvalidException": + throw await de_EventDataStoreARNInvalidExceptionRes(parsedOutput, context); case "EventDataStoreNotFoundException": case "com.amazonaws.cloudtrail#EventDataStoreNotFoundException": throw await de_EventDataStoreNotFoundExceptionRes(parsedOutput, context); @@ -2692,9 +2698,15 @@ const de_ListTagsCommandError = async ( }; const errorCode = loadRestJsonErrorCode(output, parsedOutput.body); switch (errorCode) { + case "ChannelARNInvalidException": + case "com.amazonaws.cloudtrail#ChannelARNInvalidException": + throw await de_ChannelARNInvalidExceptionRes(parsedOutput, context); case "CloudTrailARNInvalidException": case "com.amazonaws.cloudtrail#CloudTrailARNInvalidException": throw await de_CloudTrailARNInvalidExceptionRes(parsedOutput, context); + case "EventDataStoreARNInvalidException": + case "com.amazonaws.cloudtrail#EventDataStoreARNInvalidException": + throw await de_EventDataStoreARNInvalidExceptionRes(parsedOutput, context); case "EventDataStoreNotFoundException": case "com.amazonaws.cloudtrail#EventDataStoreNotFoundException": throw await de_EventDataStoreNotFoundExceptionRes(parsedOutput, context); @@ -2881,6 +2893,9 @@ const de_PutEventSelectorsCommandError = async ( case "CloudTrailARNInvalidException": case "com.amazonaws.cloudtrail#CloudTrailARNInvalidException": throw await de_CloudTrailARNInvalidExceptionRes(parsedOutput, context); + case "ConflictException": + case "com.amazonaws.cloudtrail#ConflictException": + throw await de_ConflictExceptionRes(parsedOutput, context); case "InsufficientDependencyServiceAccessPermissionException": case "com.amazonaws.cloudtrail#InsufficientDependencyServiceAccessPermissionException": throw await de_InsufficientDependencyServiceAccessPermissionExceptionRes(parsedOutput, context); @@ -3176,12 +3191,18 @@ const de_RemoveTagsCommandError = async ( }; const errorCode = loadRestJsonErrorCode(output, parsedOutput.body); switch (errorCode) { + case "ChannelARNInvalidException": + case "com.amazonaws.cloudtrail#ChannelARNInvalidException": + throw await de_ChannelARNInvalidExceptionRes(parsedOutput, context); case "ChannelNotFoundException": case "com.amazonaws.cloudtrail#ChannelNotFoundException": throw await de_ChannelNotFoundExceptionRes(parsedOutput, context); case "CloudTrailARNInvalidException": case "com.amazonaws.cloudtrail#CloudTrailARNInvalidException": throw await de_CloudTrailARNInvalidExceptionRes(parsedOutput, context); + case "EventDataStoreARNInvalidException": + case "com.amazonaws.cloudtrail#EventDataStoreARNInvalidException": + throw await de_EventDataStoreARNInvalidExceptionRes(parsedOutput, context); case "EventDataStoreNotFoundException": case "com.amazonaws.cloudtrail#EventDataStoreNotFoundException": throw await de_EventDataStoreNotFoundExceptionRes(parsedOutput, context); diff --git a/codegen/sdk-codegen/aws-models/cloudtrail.json b/codegen/sdk-codegen/aws-models/cloudtrail.json index b0d872688832..5f7f0dd094b9 100644 --- a/codegen/sdk-codegen/aws-models/cloudtrail.json +++ b/codegen/sdk-codegen/aws-models/cloudtrail.json @@ -128,6 +128,9 @@ "target": "com.amazonaws.cloudtrail#AddTagsResponse" }, "errors": [ + { + "target": "com.amazonaws.cloudtrail#ChannelARNInvalidException" + }, { "target": "com.amazonaws.cloudtrail#ChannelNotFoundException" }, @@ -137,6 +140,9 @@ { "target": "com.amazonaws.cloudtrail#ConflictException" }, + { + "target": "com.amazonaws.cloudtrail#EventDataStoreARNInvalidException" + }, { "target": "com.amazonaws.cloudtrail#EventDataStoreNotFoundException" }, @@ -225,7 +231,7 @@ } }, "traits": { - "smithy.api#documentation": "

    Advanced event selectors let you create fine-grained selectors for the following CloudTrail event record fields. They help you control costs by logging only those\n events that are important to you. For more information about advanced event selectors, see\n Logging data events for trails in the CloudTrail User Guide.

    \n
      \n
    • \n

      \n readOnly\n

      \n
      • \n
    • \n

      \n eventSource\n

      \n
      • \n
    • \n

      \n eventName\n

      \n
      • \n
    • \n

      \n eventCategory\n

      \n
      • \n
    • \n

      \n resources.type\n

      \n
      • \n
    • \n

      \n resources.ARN\n

      \n
      • \n
    \n

    You cannot apply both event selectors and advanced event selectors to a trail.

    " + "smithy.api#documentation": "

    Advanced event selectors let you create fine-grained selectors for the following CloudTrail event record fields. They help you control costs by logging only those\n events that are important to you. For more information about advanced event selectors, see\n Logging data events in the CloudTrail User Guide.

    \n
      \n
    • \n

      \n readOnly\n

      \n
      • \n
    • \n

      \n eventSource\n

      \n
      • \n
    • \n

      \n eventName\n

      \n
      • \n
    • \n

      \n eventCategory\n

      \n
      • \n
    • \n

      \n resources.type\n

      \n
      • \n
    • \n

      \n resources.ARN\n

      \n
      • \n
    \n

    You cannot apply both event selectors and advanced event selectors to a trail.

    " } }, "com.amazonaws.cloudtrail#AdvancedEventSelectors": { @@ -240,7 +246,7 @@ "Field": { "target": "com.amazonaws.cloudtrail#SelectorField", "traits": { - "smithy.api#documentation": "

    A field in a CloudTrail event record on which to filter events to be logged. For\n event data stores for Config configuration items, Audit Manager evidence, or non-Amazon Web Services events, the field is used only for\n selecting events as filtering is not supported.

    \n

    For CloudTrail event records, supported fields include readOnly,\n eventCategory, eventSource (for management events),\n eventName, resources.type, and resources.ARN.

    \n

    For event data stores for Config configuration items, Audit Manager evidence, or non-Amazon Web Services events, the only supported field is\n eventCategory.

    \n
      \n
    • \n

      \n \n readOnly\n - Optional. Can be set to\n Equals a value of true or false. If you do\n not add this field, CloudTrail logs both read and\n write events. A value of true logs only\n read events. A value of false logs only\n write events.

      \n
      • \n
    • \n

      \n \n eventSource\n - For filtering\n management events only. This can be set only to NotEquals\n kms.amazonaws.com.

      \n
      • \n
    • \n

      \n \n eventName\n - Can use any operator.\n You can use it to filter in or filter out any data event logged to CloudTrail,\n such as PutBucket or GetSnapshotBlock. You can have\n multiple values for this field, separated by commas.

      \n
      • \n
    • \n

      \n \n eventCategory\n - This is required and\n must be set to Equals. \n

      \n
        \n
      • \n

        \n For CloudTrail event records, the value\n must be Management or Data. \n

        \n
        • \n
      • \n

        \n For Config\n configuration items, the value must be ConfigurationItem.\n

        \n
        • \n
      • \n

        \n For Audit Manager evidence, the value must be Evidence.\n

        \n
        • \n
      • \n

        \n For non-Amazon Web Services events, the value must be ActivityAuditLog.\n

        \n
        • \n
      \n
      • \n
    • \n

      \n \n resources.type\n - This field is\n required for CloudTrail data events. resources.type can only\n use the Equals operator, and the value can be one of the\n following:

      \n
        \n
      • \n

        \n AWS::CloudTrail::Channel\n

        \n
        • \n
      • \n

        \n AWS::S3::Object\n

        \n
        • \n
      • \n

        \n AWS::Lambda::Function\n

        \n
        • \n
      • \n

        \n AWS::DynamoDB::Table\n

        \n
        • \n
      • \n

        \n AWS::S3Outposts::Object\n

        \n
        • \n
      • \n

        \n AWS::ManagedBlockchain::Node\n

        \n
        • \n
      • \n

        \n AWS::S3ObjectLambda::AccessPoint\n

        \n
        • \n
      • \n

        \n AWS::EC2::Snapshot\n

        \n
        • \n
      • \n

        \n AWS::S3::AccessPoint\n

        \n
        • \n
      • \n

        \n AWS::DynamoDB::Stream\n

        \n
        • \n
      • \n

        \n AWS::Glue::Table\n

        \n
        • \n
      • \n

        \n AWS::FinSpace::Environment\n

        \n
        • \n
      • \n

        \n AWS::SageMaker::ExperimentTrialComponent\n

        \n
        • \n
      • \n

        \n AWS::SageMaker::FeatureGroup\n

        \n
        • \n
      \n

      You can have only one resources.type field per selector. To log data\n events on more than one resource type, add another selector.

      \n
      • \n
    • \n

      \n \n resources.ARN\n - You can use any\n operator with resources.ARN, but if you use Equals or\n NotEquals, the value must exactly match the ARN of a valid resource\n of the type you've specified in the template as the value of resources.type. For\n example, if resources.type equals AWS::S3::Object, the ARN must be in\n one of the following formats. To log all data events for all objects in a specific S3\n bucket, use the StartsWith operator, and include only the bucket ARN as\n the matching value.

      \n

      The trailing slash is intentional; do not exclude it. Replace the text between\n less than and greater than symbols (<>) with resource-specific information.

      \n
        \n
      • \n

        \n arn::s3:::/\n

        \n
        • \n
      • \n

        \n arn::s3::://\n

        \n
        • \n
      \n

      When resources.type equals AWS::S3::AccessPoint, and the\n operator is set to Equals or NotEquals, the ARN must be in\n one of the following formats. To log events on all objects in an S3 access point, we\n recommend that you use only the access point ARN, don’t include the object path, and\n use the StartsWith or NotStartsWith operators.

      \n
        \n
      • \n

        \n arn::s3:::accesspoint/\n

        \n
        • \n
      • \n

        \n arn::s3:::accesspoint//object/\n

        \n
        • \n
      \n

      When resources.type equals AWS::Lambda::Function, and the operator is\n set to Equals or NotEquals, the ARN must be in the\n following format:

      \n
        \n
      • \n

        \n arn::lambda:::function:\n

        \n
        • \n
      \n

      When resources.type equals AWS::DynamoDB::Table, and the operator is\n set to Equals or NotEquals, the ARN must be in the\n following format:

      \n
        \n
      • \n

        \n arn::dynamodb:::table/\n

        \n
        • \n
      \n

      When resources.type equals AWS::CloudTrail::Channel, and the operator is\n set to Equals or NotEquals, the ARN must be in the\n following format:

      \n
        \n
      • \n

        \n arn::cloudtrail:::channel/\n

        \n
        • \n
      \n

      When resources.type equals AWS::S3Outposts::Object, and\n the operator is set to Equals or NotEquals, the ARN must be\n in the following format:

      \n
        \n
      • \n

        \n arn::s3-outposts:::\n

        \n
        • \n
      \n

      When resources.type equals AWS::ManagedBlockchain::Node,\n and the operator is set to Equals or NotEquals, the ARN\n must be in the following format:

      \n
        \n
      • \n

        \n arn::managedblockchain:::nodes/\n

        \n
        • \n
      \n

      When resources.type equals\n AWS::S3ObjectLambda::AccessPoint, and the operator is set to\n Equals or NotEquals, the ARN must be in the following\n format:

      \n
        \n
      • \n

        \n arn::s3-object-lambda:::accesspoint/\n

        \n
        • \n
      \n

      When resources.type equals AWS::EC2::Snapshot, and the\n operator is set to Equals or NotEquals, the ARN must be in\n the following format:

      \n
        \n
      • \n

        \n arn::ec2:::snapshot/\n

        \n
        • \n
      \n

      When resources.type equals AWS::DynamoDB::Stream, and\n the operator is set to Equals or NotEquals, the ARN must be\n in the following format:

      \n
        \n
      • \n

        \n arn::dynamodb:::table//stream/\n

        \n
        • \n
      \n

      When resources.type equals AWS::Glue::Table, and the\n operator is set to Equals or NotEquals, the ARN must be in\n the following format:

      \n
        \n
      • \n

        \n arn::glue:::table//\n

        \n
        • \n
      \n

      When resources.type equals AWS::FinSpace::Environment,\n and the operator is set to Equals or NotEquals, the ARN\n must be in the following format:

      \n
        \n
      • \n

        \n arn::finspace:::environment/\n

        \n
        • \n
      \n

      When resources.type equals AWS::SageMaker::ExperimentTrialComponent, and the operator is set to\n Equals or NotEquals, the ARN must be in the following format:

      \n
        \n
      • \n

        \n arn::sagemaker:::experiment-trial-component/\n

        \n
        • \n
      \n

      When resources.type equals AWS::SageMaker::FeatureGroup, and the operator is set to\n Equals or NotEquals, the ARN must be in the following format:

      \n
        \n
      • \n

        \n arn::sagemaker:::feature-group/\n

        \n
        • \n
      \n
      • \n
    ", + "smithy.api#documentation": "

    A field in a CloudTrail event record on which to filter events to be logged. For\n event data stores for Config configuration items, Audit Manager evidence, or non-Amazon Web Services events, the field is used only for\n selecting events as filtering is not supported.

    \n

    For CloudTrail event records, supported fields include readOnly,\n eventCategory, eventSource (for management events),\n eventName, resources.type, and resources.ARN.

    \n

    For event data stores for Config configuration items, Audit Manager evidence, or non-Amazon Web Services events, the only supported field is\n eventCategory.

    \n
      \n
    • \n

      \n \n readOnly\n - Optional. Can be set to\n Equals a value of true or false. If you do\n not add this field, CloudTrail logs both read and\n write events. A value of true logs only\n read events. A value of false logs only\n write events.

      \n
      • \n
    • \n

      \n \n eventSource\n - For filtering\n management events only. This can be set only to NotEquals\n kms.amazonaws.com.

      \n
      • \n
    • \n

      \n \n eventName\n - Can use any operator.\n You can use it to filter in or filter out any data event logged to CloudTrail,\n such as PutBucket or GetSnapshotBlock. You can have\n multiple values for this field, separated by commas.

      \n
      • \n
    • \n

      \n \n eventCategory\n - This is required and\n must be set to Equals. \n

      \n
        \n
      • \n

        \n For CloudTrail event records, the value\n must be Management or Data. \n

        \n
        • \n
      • \n

        \n For Config\n configuration items, the value must be ConfigurationItem.\n

        \n
        • \n
      • \n

        \n For Audit Manager evidence, the value must be Evidence.\n

        \n
        • \n
      • \n

        \n For non-Amazon Web Services events, the value must be ActivityAuditLog.\n

        \n
        • \n
      \n
      • \n
    • \n

      \n \n resources.type\n - This field is\n required for CloudTrail data events. resources.type can only\n use the Equals operator, and the value can be one of the\n following:

      \n
        \n
      • \n

        \n AWS::DynamoDB::Table\n

        \n
        • \n
      • \n

        \n AWS::Lambda::Function\n

        \n
        • \n
      • \n

        \n AWS::S3::Object\n

        \n
        • \n
      • \n

        \n AWS::CloudTrail::Channel\n

        \n
        • \n
      • \n

        \n AWS::Cognito::IdentityPool\n

        \n
        • \n
      • \n

        \n AWS::DynamoDB::Stream\n

        \n
        • \n
      • \n

        \n AWS::EC2::Snapshot\n

        \n
        • \n
      • \n

        \n AWS::FinSpace::Environment\n

        \n
        • \n
      • \n

        \n AWS::Glue::Table\n

        \n
        • \n
      • \n

        \n AWS::GuardDuty::Detector\n

        \n
        • \n
      • \n

        \n AWS::KendraRanking::ExecutionPlan\n

        \n
        • \n
      • \n

        \n AWS::ManagedBlockchain::Node\n

        \n
        • \n
      • \n

        \n AWS::SageMaker::ExperimentTrialComponent\n

        \n
        • \n
      • \n

        \n AWS::SageMaker::FeatureGroup\n

        \n
        • \n
      • \n

        \n AWS::S3::AccessPoint\n

        \n
        • \n
      • \n

        \n AWS::S3ObjectLambda::AccessPoint\n

        \n
        • \n
      • \n

        \n AWS::S3Outposts::Object\n

        \n
        • \n
      \n

      You can have only one resources.type field per selector. To log data\n events on more than one resource type, add another selector.

      \n
      • \n
    • \n

      \n \n resources.ARN\n - You can use any\n operator with resources.ARN, but if you use Equals or\n NotEquals, the value must exactly match the ARN of a valid resource\n of the type you've specified in the template as the value of resources.type. For\n example, if resources.type equals AWS::S3::Object, the ARN must be in\n one of the following formats. To log all data events for all objects in a specific S3\n bucket, use the StartsWith operator, and include only the bucket ARN as\n the matching value.

      \n

      The trailing slash is intentional; do not exclude it. Replace the text between\n less than and greater than symbols (<>) with resource-specific information.

      \n
        \n
      • \n

        \n arn::s3:::/\n

        \n
        • \n
      • \n

        \n arn::s3::://\n

        \n
        • \n
      \n

      When resources.type equals AWS::DynamoDB::Table, and the operator is\n set to Equals or NotEquals, the ARN must be in the\n following format:

      \n
        \n
      • \n

        \n arn::dynamodb:::table/\n

        \n
        • \n
      \n

      When resources.type equals AWS::Lambda::Function, and the operator is\n set to Equals or NotEquals, the ARN must be in the\n following format:

      \n
        \n
      • \n

        \n arn::lambda:::function:\n

        \n
        • \n
      \n

      When resources.type equals AWS::CloudTrail::Channel, and the operator is\n set to Equals or NotEquals, the ARN must be in the\n following format:

      \n
        \n
      • \n

        \n arn::cloudtrail:::channel/\n

        \n
        • \n
      \n

      When resources.type equals AWS::Cognito::IdentityPool, and the operator is\n set to Equals or NotEquals, the ARN must be in the\n following format:

      \n
        \n
      • \n

        \n arn::cognito-identity:::identitypool/\n

        \n
        • \n
      \n

      When resources.type equals AWS::DynamoDB::Stream, and\n the operator is set to Equals or NotEquals, the ARN must be\n in the following format:

      \n
        \n
      • \n

        \n arn::dynamodb:::table//stream/\n

        \n
        • \n
      \n

      When resources.type equals AWS::EC2::Snapshot, and the\n operator is set to Equals or NotEquals, the ARN must be in\n the following format:

      \n
        \n
      • \n

        \n arn::ec2:::snapshot/\n

        \n
        • \n
      \n

      When resources.type equals AWS::FinSpace::Environment,\n and the operator is set to Equals or NotEquals, the ARN\n must be in the following format:

      \n
        \n
      • \n

        \n arn::finspace:::environment/\n

        \n
        • \n
      \n

      When resources.type equals AWS::Glue::Table, and the\n operator is set to Equals or NotEquals, the ARN must be in\n the following format:

      \n
        \n
      • \n

        \n arn::glue:::table//\n

        \n
        • \n
      \n

      When resources.type equals AWS::GuardDuty::Detector, and the\n operator is set to Equals or NotEquals, the ARN must be in\n the following format:

      \n
        \n
      • \n

        \n arn::guardduty:::detector/\n

        \n
        • \n
      \n

      When resources.type equals AWS::KendraRanking::ExecutionPlan, and the\n operator is set to Equals or NotEquals, the ARN must be in\n the following format:

      \n
        \n
      • \n

        \n arn::kendra-ranking:::rescore-execution-plan/\n

        \n
        • \n
      \n

      When resources.type equals AWS::ManagedBlockchain::Node,\n and the operator is set to Equals or NotEquals, the ARN\n must be in the following format:

      \n
        \n
      • \n

        \n arn::managedblockchain:::nodes/\n

        \n
        • \n
      \n

      When resources.type equals AWS::SageMaker::ExperimentTrialComponent, and the operator is set to\n Equals or NotEquals, the ARN must be in the following format:

      \n
        \n
      • \n

        \n arn::sagemaker:::experiment-trial-component/\n

        \n
        • \n
      \n

      When resources.type equals AWS::SageMaker::FeatureGroup, and the operator is set to\n Equals or NotEquals, the ARN must be in the following format:

      \n
        \n
      • \n

        \n arn::sagemaker:::feature-group/\n

        \n
        • \n
      \n

      When resources.type equals AWS::S3::AccessPoint, and the\n operator is set to Equals or NotEquals, the ARN must be in\n one of the following formats. To log events on all objects in an S3 access point, we\n recommend that you use only the access point ARN, don’t include the object path, and\n use the StartsWith or NotStartsWith operators.

      \n
        \n
      • \n

        \n arn::s3:::accesspoint/\n

        \n
        • \n
      • \n

        \n arn::s3:::accesspoint//object/\n

        \n
        • \n
      \n

      When resources.type equals\n AWS::S3ObjectLambda::AccessPoint, and the operator is set to\n Equals or NotEquals, the ARN must be in the following\n format:

      \n
        \n
      • \n

        \n arn::s3-object-lambda:::accesspoint/\n

        \n
        • \n
      \n

      When resources.type equals AWS::S3Outposts::Object, and\n the operator is set to Equals or NotEquals, the ARN must be\n in the following format:

      \n
        \n
      • \n

        \n arn::s3-outposts:::\n

        \n
        • \n
      \n
      • \n
    ", "smithy.api#required": {} } }, @@ -1172,8 +1178,8 @@ }, "params": { "Region": "af-south-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1185,8 +1191,8 @@ }, "params": { "Region": "ap-east-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1198,8 +1204,8 @@ }, "params": { "Region": "ap-northeast-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1211,8 +1217,8 @@ }, "params": { "Region": "ap-northeast-2", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1224,8 +1230,8 @@ }, "params": { "Region": "ap-northeast-3", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1237,8 +1243,8 @@ }, "params": { "Region": "ap-south-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1250,8 +1256,8 @@ }, "params": { "Region": "ap-southeast-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1263,8 +1269,8 @@ }, "params": { "Region": "ap-southeast-2", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1276,8 +1282,8 @@ }, "params": { "Region": "ap-southeast-3", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1289,8 +1295,8 @@ }, "params": { "Region": "ca-central-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1302,8 +1308,8 @@ }, "params": { "Region": "eu-central-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1315,8 +1321,8 @@ }, "params": { "Region": "eu-north-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1328,8 +1334,8 @@ }, "params": { "Region": "eu-south-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1341,8 +1347,8 @@ }, "params": { "Region": "eu-west-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1354,8 +1360,8 @@ }, "params": { "Region": "eu-west-2", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1367,8 +1373,8 @@ }, "params": { "Region": "eu-west-3", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1380,8 +1386,8 @@ }, "params": { "Region": "me-south-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1393,8 +1399,8 @@ }, "params": { "Region": "sa-east-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1406,8 +1412,8 @@ }, "params": { "Region": "us-east-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1419,8 +1425,8 @@ }, "params": { "Region": "us-east-1", - "UseDualStack": false, - "UseFIPS": true + "UseFIPS": true, + "UseDualStack": false } }, { @@ -1432,8 +1438,8 @@ }, "params": { "Region": "us-east-2", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1445,8 +1451,8 @@ }, "params": { "Region": "us-east-2", - "UseDualStack": false, - "UseFIPS": true + "UseFIPS": true, + "UseDualStack": false } }, { @@ -1458,8 +1464,8 @@ }, "params": { "Region": "us-west-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1471,8 +1477,8 @@ }, "params": { "Region": "us-west-1", - "UseDualStack": false, - "UseFIPS": true + "UseFIPS": true, + "UseDualStack": false } }, { @@ -1484,8 +1490,8 @@ }, "params": { "Region": "us-west-2", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1497,8 +1503,8 @@ }, "params": { "Region": "us-west-2", - "UseDualStack": false, - "UseFIPS": true + "UseFIPS": true, + "UseDualStack": false } }, { @@ -1510,8 +1516,8 @@ }, "params": { "Region": "us-east-1", - "UseDualStack": true, - "UseFIPS": true + "UseFIPS": true, + "UseDualStack": true } }, { @@ -1523,8 +1529,8 @@ }, "params": { "Region": "us-east-1", - "UseDualStack": true, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": true } }, { @@ -1536,8 +1542,8 @@ }, "params": { "Region": "cn-north-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1549,8 +1555,8 @@ }, "params": { "Region": "cn-northwest-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1562,8 +1568,8 @@ }, "params": { "Region": "cn-north-1", - "UseDualStack": true, - "UseFIPS": true + "UseFIPS": true, + "UseDualStack": true } }, { @@ -1575,8 +1581,8 @@ }, "params": { "Region": "cn-north-1", - "UseDualStack": false, - "UseFIPS": true + "UseFIPS": true, + "UseDualStack": false } }, { @@ -1588,8 +1594,8 @@ }, "params": { "Region": "cn-north-1", - "UseDualStack": true, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": true } }, { @@ -1601,8 +1607,8 @@ }, "params": { "Region": "us-gov-east-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1614,8 +1620,8 @@ }, "params": { "Region": "us-gov-east-1", - "UseDualStack": false, - "UseFIPS": true + "UseFIPS": true, + "UseDualStack": false } }, { @@ -1627,8 +1633,8 @@ }, "params": { "Region": "us-gov-west-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1640,8 +1646,8 @@ }, "params": { "Region": "us-gov-west-1", - "UseDualStack": false, - "UseFIPS": true + "UseFIPS": true, + "UseDualStack": false } }, { @@ -1653,8 +1659,8 @@ }, "params": { "Region": "us-gov-east-1", - "UseDualStack": true, - "UseFIPS": true + "UseFIPS": true, + "UseDualStack": true } }, { @@ -1666,8 +1672,8 @@ }, "params": { "Region": "us-gov-east-1", - "UseDualStack": true, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": true } }, { @@ -1679,8 +1685,8 @@ }, "params": { "Region": "us-iso-east-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false } }, { @@ -1692,8 +1698,19 @@ }, "params": { "Region": "us-iso-west-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false + } + }, + { + "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": true, + "UseDualStack": true } }, { @@ -1705,8 +1722,19 @@ }, "params": { "Region": "us-iso-east-1", - "UseDualStack": false, - "UseFIPS": true + "UseFIPS": true, + "UseDualStack": false + } + }, + { + "documentation": "For region us-iso-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": false, + "UseDualStack": true } }, { @@ -1718,8 +1746,19 @@ }, "params": { "Region": "us-isob-east-1", - "UseDualStack": false, - "UseFIPS": false + "UseFIPS": false, + "UseDualStack": false + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": true, + "UseDualStack": true } }, { @@ -1731,8 +1770,19 @@ }, "params": { "Region": "us-isob-east-1", - "UseDualStack": false, - "UseFIPS": true + "UseFIPS": true, + "UseDualStack": false + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": false, + "UseDualStack": true } }, { @@ -1744,8 +1794,8 @@ }, "params": { "Region": "us-east-1", - "UseDualStack": false, "UseFIPS": false, + "UseDualStack": false, "Endpoint": "https://example.com" } }, @@ -1757,8 +1807,8 @@ } }, "params": { - "UseDualStack": false, "UseFIPS": false, + "UseDualStack": false, "Endpoint": "https://example.com" } }, @@ -1769,8 +1819,8 @@ }, "params": { "Region": "us-east-1", - "UseDualStack": false, "UseFIPS": true, + "UseDualStack": false, "Endpoint": "https://example.com" } }, @@ -1781,10 +1831,16 @@ }, "params": { "Region": "us-east-1", - "UseDualStack": true, "UseFIPS": false, + "UseDualStack": true, "Endpoint": "https://example.com" } + }, + { + "documentation": "Missing region", + "expect": { + "error": "Invalid Configuration: Missing Region" + } } ], "version": "1.0" @@ -2429,7 +2485,7 @@ "Type": { "target": "com.amazonaws.cloudtrail#String", "traits": { - "smithy.api#documentation": "

    The resource type in which you want to log data events. You can specify the following\n basic event selector resource types:

    \n
      \n
    • \n

      \n AWS::S3::Object\n

      \n
      • \n
    • \n

      \n AWS::Lambda::Function\n

      \n
      • \n
    • \n

      \n AWS::DynamoDB::Table\n

      \n
      • \n
    \n

    The following resource types are also available through advanced\n event selectors. Basic event selector resource types are valid in advanced event selectors,\n but advanced event selector resource types are not valid in basic event selectors. For more\n information, see AdvancedFieldSelector$Field.

    \n
      \n
    • \n

      \n AWS::CloudTrail::Channel\n

      \n
      • \n
    • \n

      \n AWS::S3Outposts::Object\n

      \n
      • \n
    • \n

      \n AWS::ManagedBlockchain::Node\n

      \n
      • \n
    • \n

      \n AWS::S3ObjectLambda::AccessPoint\n

      \n
      • \n
    • \n

      \n AWS::EC2::Snapshot\n

      \n
      • \n
    • \n

      \n AWS::S3::AccessPoint\n

      \n
      • \n
    • \n

      \n AWS::DynamoDB::Stream\n

      \n
      • \n
    • \n

      \n AWS::Glue::Table\n

      \n
      • \n
    • \n

      \n AWS::FinSpace::Environment\n

      \n
      • \n
    • \n

      \n AWS::SageMaker::ExperimentTrialComponent\n

      \n
      • \n
    • \n

      \n AWS::SageMaker::FeatureGroup\n

      \n
      • \n
    " + "smithy.api#documentation": "

    The resource type in which you want to log data events. You can specify the following\n basic event selector resource types:

    \n
      \n
    • \n

      \n AWS::DynamoDB::Table\n

      \n
      • \n
    • \n

      \n AWS::Lambda::Function\n

      \n
      • \n
    • \n

      \n AWS::S3::Object\n

      \n
      • \n
    \n

    The following resource types are also available through advanced\n event selectors. Basic event selector resource types are valid in advanced event selectors,\n but advanced event selector resource types are not valid in basic event selectors. For more\n information, see AdvancedFieldSelector$Field.

    \n
      \n
    • \n

      \n AWS::CloudTrail::Channel\n

      \n
      • \n
    • \n

      \n AWS::Cognito::IdentityPool\n

      \n
      • \n
    • \n

      \n AWS::DynamoDB::Stream\n

      \n
      • \n
    • \n

      \n AWS::EC2::Snapshot\n

      \n
      • \n
    • \n

      \n AWS::FinSpace::Environment\n

      \n
      • \n
    • \n

      \n AWS::Glue::Table\n

      \n
      • \n
    • \n

      \n AWS::GuardDuty::Detector\n

      \n
      • \n
    • \n

      \n AWS::KendraRanking::ExecutionPlan\n

      \n
      • \n
    • \n

      \n AWS::ManagedBlockchain::Node\n

      \n
      • \n
    • \n

      \n AWS::SageMaker::ExperimentTrialComponent\n

      \n
      • \n
    • \n

      \n AWS::SageMaker::FeatureGroup\n

      \n
      • \n
    • \n

      \n AWS::S3::AccessPoint\n

      \n
      • \n
    • \n

      \n AWS::S3ObjectLambda::AccessPoint\n

      \n
      • \n
    • \n

      \n AWS::S3Outposts::Object\n

      \n
      • \n
    " } }, "Values": { @@ -3009,7 +3065,7 @@ "trailNameList": { "target": "com.amazonaws.cloudtrail#TrailNameList", "traits": { - "smithy.api#documentation": "

    Specifies a list of trail names, trail ARNs, or both, of the trails to describe. The\n format of a trail ARN is:

    \n

    \n arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail\n

    \n

    If an empty list is specified, information for the trail in the current region is\n returned.

    \n
      \n
    • \n

      If an empty list is specified and IncludeShadowTrails is false, then\n information for all trails in the current region is returned.

      \n
      • \n
    • \n

      If an empty list is specified and IncludeShadowTrails is null or true, then\n information for all trails in the current region and any associated shadow trails in\n other regions is returned.

      \n
      • \n
    \n \n

    If one or more trail names are specified, information is returned only if the names\n match the names of trails belonging only to the current region and current account. To return information\n about a trail in another region, you must specify its trail ARN.

    \n     " + "smithy.api#documentation": "

    Specifies a list of trail names, trail ARNs, or both, of the trails to describe. The\n format of a trail ARN is:

    \n

    \n arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail\n

    \n

    If an empty list is specified, information for the trail in the current region is\n returned.

    \n
      \n
    • \n

      If an empty list is specified and IncludeShadowTrails is false, then\n information for all trails in the current region is returned.

      \n
      • \n
    • \n

      If an empty list is specified and IncludeShadowTrails is null or true, then\n information for all trails in the current region and any associated shadow trails in\n other regions is returned.

      \n
      • \n
    \n \n

    If one or more trail names are specified, information is returned only if the names\n match the names of trails belonging only to the current region and current account. To\n return information about a trail in another region, you must specify its trail\n ARN.

    \n     " } }, "includeShadowTrails": { @@ -3731,7 +3787,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Describes the settings for the event selectors that you configured for your trail. The\n information returned for your event selectors includes the following:

    \n
      \n
    • \n

      If your event selector includes read-only events, write-only events, or all\n events. This applies to both management events and data events.

      \n
      • \n
    • \n

      If your event selector includes management events.

      \n
      • \n
    • \n

      If your event selector includes data events, the resources on which you are\n logging data events.

      \n
      • \n
    \n

    For more information about logging management and data events, see the following topics\n in the CloudTrail User Guide:

    \n ", + "smithy.api#documentation": "

    Describes the settings for the event selectors that you configured for your trail. The\n information returned for your event selectors includes the following:

    \n
      \n
    • \n

      If your event selector includes read-only events, write-only events, or all\n events. This applies to both management events and data events.

      \n
      • \n
    • \n

      If your event selector includes management events.

      \n
      • \n
    • \n

      If your event selector includes data events, the resources on which you are\n logging data events.

      \n
      • \n
    \n

    For more information about logging management and data events, see the following topics\n in the CloudTrail User Guide:

    \n ", "smithy.api#idempotent": {} } }, @@ -4691,12 +4747,12 @@ "InsightType": { "target": "com.amazonaws.cloudtrail#InsightType", "traits": { - "smithy.api#documentation": "

    The type of insights to log on a trail. ApiCallRateInsight and\n ApiErrorRateInsight are valid insight types.

    " + "smithy.api#documentation": "

    The type of Insights events to log on a trail. ApiCallRateInsight and\n ApiErrorRateInsight are valid Insight types.

    \n

    The ApiCallRateInsight Insights type analyzes write-only\n management API calls that are aggregated per minute against a baseline API call volume.

    \n

    The ApiErrorRateInsight Insights type analyzes management\n API calls that result in error codes. The error is shown if the API call is\n unsuccessful.

    " } } }, "traits": { - "smithy.api#documentation": "

    A JSON string that contains a list of insight types that are logged on a trail.

    " + "smithy.api#documentation": "

    A JSON string that contains a list of Insights types that are logged on a trail.

    " } }, "com.amazonaws.cloudtrail#InsightSelectors": { @@ -4737,7 +4793,7 @@ "code": "InsufficientDependencyServiceAccessPermission", "httpResponseCode": 400 }, - "smithy.api#documentation": "

    This exception is thrown when the IAM user or role that is used to create\n the organization resource lacks one or more required permissions for creating an\n organization resource in a required service.

    ", + "smithy.api#documentation": "

    This exception is thrown when the IAM identity that is used to create\n the organization resource lacks one or more required permissions for creating an\n organization resource in a required service.

    ", "smithy.api#error": "client", "smithy.api#httpError": 400 } @@ -5947,9 +6003,15 @@ "target": "com.amazonaws.cloudtrail#ListTagsResponse" }, "errors": [ + { + "target": "com.amazonaws.cloudtrail#ChannelARNInvalidException" + }, { "target": "com.amazonaws.cloudtrail#CloudTrailARNInvalidException" }, + { + "target": "com.amazonaws.cloudtrail#EventDataStoreARNInvalidException" + }, { "target": "com.amazonaws.cloudtrail#EventDataStoreNotFoundException" }, @@ -6564,6 +6626,9 @@ { "target": "com.amazonaws.cloudtrail#CloudTrailARNInvalidException" }, + { + "target": "com.amazonaws.cloudtrail#ConflictException" + }, { "target": "com.amazonaws.cloudtrail#InsufficientDependencyServiceAccessPermissionException" }, @@ -6593,7 +6658,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Configures an event selector or advanced event selectors for your trail. Use event\n selectors or advanced event selectors to specify management and data event settings for\n your trail. By default, trails created without specific event selectors are configured to\n log all read and write management events, and no data events.

    \n

    When an event occurs in your account, CloudTrail evaluates the event selectors or\n advanced event selectors in all trails. For each trail, if the event matches any event\n selector, the trail processes and logs the event. If the event doesn't match any event\n selector, the trail doesn't log the event.

    \n

    Example

    \n
      \n
    1. \n

      You create an event selector for a trail and specify that you want write-only\n events.

      \n
      2. \n
    2. \n

      The EC2 GetConsoleOutput and RunInstances API operations\n occur in your account.

      \n
      3. \n
    3. \n

      CloudTrail evaluates whether the events match your event selectors.

      \n
      4. \n
    4. \n

      The RunInstances is a write-only event and it matches your event\n selector. The trail logs the event.

      \n
      5. \n
    5. \n

      The GetConsoleOutput is a read-only event that doesn't match your\n event selector. The trail doesn't log the event.

      \n
      6. \n
    \n

    The PutEventSelectors operation must be called from the region in which the\n trail was created; otherwise, an InvalidHomeRegionException exception is\n thrown.

    \n

    You can configure up to five event selectors for each trail. For more information, see\n Logging management events for trails , Logging\n data events for trails , and Quotas in CloudTrail in the CloudTrail User\n Guide.

    \n

    You can add advanced event selectors, and conditions for your advanced event selectors,\n up to a maximum of 500 values for all conditions and selectors on a trail. You can use\n either AdvancedEventSelectors or EventSelectors, but not both. If\n you apply AdvancedEventSelectors to a trail, any existing\n EventSelectors are overwritten. For more information about advanced event\n selectors, see Logging data events for trails in the CloudTrail User Guide.

    ", + "smithy.api#documentation": "

    Configures an event selector or advanced event selectors for your trail. Use event\n selectors or advanced event selectors to specify management and data event settings for\n your trail. If you want your trail to log Insights events, be sure the event selector \n enables logging of the Insights event types you want configured for your trail. For more information about logging Insights events, see Logging Insights events for trails in the CloudTrail User Guide.\n By default, trails created without specific event selectors are configured to\n log all read and write management events, and no data events.

    \n

    When an event occurs in your account, CloudTrail evaluates the event selectors or\n advanced event selectors in all trails. For each trail, if the event matches any event\n selector, the trail processes and logs the event. If the event doesn't match any event\n selector, the trail doesn't log the event.

    \n

    Example

    \n
      \n
    1. \n

      You create an event selector for a trail and specify that you want write-only\n events.

      \n
      2. \n
    2. \n

      The EC2 GetConsoleOutput and RunInstances API operations\n occur in your account.

      \n
      3. \n
    3. \n

      CloudTrail evaluates whether the events match your event selectors.

      \n
      4. \n
    4. \n

      The RunInstances is a write-only event and it matches your event\n selector. The trail logs the event.

      \n
      5. \n
    5. \n

      The GetConsoleOutput is a read-only event that doesn't match your\n event selector. The trail doesn't log the event.

      \n
      6. \n
    \n

    The PutEventSelectors operation must be called from the region in which the\n trail was created; otherwise, an InvalidHomeRegionException exception is\n thrown.

    \n

    You can configure up to five event selectors for each trail. For more information, see\n Logging management events, Logging\n data events, and Quotas in CloudTrail in the CloudTrail User\n Guide.

    \n

    You can add advanced event selectors, and conditions for your advanced event selectors,\n up to a maximum of 500 values for all conditions and selectors on a trail. You can use\n either AdvancedEventSelectors or EventSelectors, but not both. If\n you apply AdvancedEventSelectors to a trail, any existing\n EventSelectors are overwritten. For more information about advanced event\n selectors, see Logging data events in the CloudTrail User Guide.

    ", "smithy.api#idempotent": {} } }, @@ -6616,7 +6681,7 @@ "AdvancedEventSelectors": { "target": "com.amazonaws.cloudtrail#AdvancedEventSelectors", "traits": { - "smithy.api#documentation": "

    Specifies the settings for advanced event selectors. You can add advanced event\n selectors, and conditions for your advanced event selectors, up to a maximum of 500 values\n for all conditions and selectors on a trail. You can use either\n AdvancedEventSelectors or EventSelectors, but not both. If you\n apply AdvancedEventSelectors to a trail, any existing\n EventSelectors are overwritten. For more information about advanced event\n selectors, see Logging data events for trails in the CloudTrail User Guide.

    " + "smithy.api#documentation": "

    Specifies the settings for advanced event selectors. You can add advanced event\n selectors, and conditions for your advanced event selectors, up to a maximum of 500 values\n for all conditions and selectors on a trail. You can use either\n AdvancedEventSelectors or EventSelectors, but not both. If you\n apply AdvancedEventSelectors to a trail, any existing\n EventSelectors are overwritten. For more information about advanced event\n selectors, see Logging data events in the CloudTrail User Guide.

    " } } }, @@ -6700,7 +6765,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Lets you enable Insights event logging by specifying the Insights selectors that you\n want to enable on an existing trail. You also use PutInsightSelectors to turn\n off Insights event logging, by passing an empty list of insight types. The valid Insights\n event types in this release are ApiErrorRateInsight and\n ApiCallRateInsight.

    ", + "smithy.api#documentation": "

    Lets you enable Insights event logging by specifying the Insights selectors that you\n want to enable on an existing trail. You also use PutInsightSelectors to turn\n off Insights event logging, by passing an empty list of insight types. The valid Insights\n event types in this release are ApiErrorRateInsight and\n ApiCallRateInsight.

    \n

    To log CloudTrail Insights events on API call volume, the trail\n must log write management events. To log CloudTrail\n Insights events on API error rate, the trail must log read or\n write management events. You can call GetEventSelectors on a trail \n to check whether the trail logs management events.

    ", "smithy.api#idempotent": {} } }, @@ -6717,7 +6782,7 @@ "InsightSelectors": { "target": "com.amazonaws.cloudtrail#InsightSelectors", "traits": { - "smithy.api#documentation": "

    A JSON string that contains the insight types you want to log on a trail.\n ApiCallRateInsight and ApiErrorRateInsight are valid insight\n types.

    ", + "smithy.api#documentation": "

    A JSON string that contains the insight types you want to log on a trail.\n ApiCallRateInsight and ApiErrorRateInsight are valid Insight\n types.

    \n

    The ApiCallRateInsight Insights type analyzes write-only\n management API calls that are aggregated per minute against a baseline API call volume.

    \n

    The ApiErrorRateInsight Insights type analyzes management\n API calls that result in error codes. The error is shown if the API call is\n unsuccessful.

    ", "smithy.api#required": {} } } @@ -7125,12 +7190,18 @@ "target": "com.amazonaws.cloudtrail#RemoveTagsResponse" }, "errors": [ + { + "target": "com.amazonaws.cloudtrail#ChannelARNInvalidException" + }, { "target": "com.amazonaws.cloudtrail#ChannelNotFoundException" }, { "target": "com.amazonaws.cloudtrail#CloudTrailARNInvalidException" }, + { + "target": "com.amazonaws.cloudtrail#EventDataStoreARNInvalidException" + }, { "target": "com.amazonaws.cloudtrail#EventDataStoreNotFoundException" }, @@ -8591,7 +8662,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Updates an event data store. The required EventDataStore value is an ARN or\n the ID portion of the ARN. Other parameters are optional, but at least one optional\n parameter must be specified, or CloudTrail throws an error.\n RetentionPeriod is in days, and valid values are integers between 90 and\n 2557. By default, TerminationProtection is enabled.

    \n

    For event data stores for CloudTrail events, AdvancedEventSelectors\n includes or excludes management and data events in your event data store. For more\n information about AdvancedEventSelectors, see PutEventSelectorsRequest$AdvancedEventSelectors.

    \n

    For event data stores for Config configuration items, Audit Manager evidence, or non-Amazon Web Services events,\n AdvancedEventSelectors includes events of that type in your event data\n store.

    ", + "smithy.api#documentation": "

    Updates an event data store. The required EventDataStore value is an ARN or\n the ID portion of the ARN. Other parameters are optional, but at least one optional\n parameter must be specified, or CloudTrail throws an error.\n RetentionPeriod is in days, and valid values are integers between 90 and\n 2557. By default, TerminationProtection is enabled.

    \n

    For event data stores for CloudTrail events, AdvancedEventSelectors\n includes or excludes management and data events in your event data store. For more\n information about AdvancedEventSelectors, see PutEventSelectorsRequest$AdvancedEventSelectors.

    \n

    For event data stores for Config configuration items, Audit Manager evidence, or non-Amazon Web Services events,\n AdvancedEventSelectors includes events of that type in your event data store.

    ", "smithy.api#idempotent": {} } },