Parameter |
Choices/Defaults |
Comments |
aws_access_key
|
|
AWS access key. If not set then the value of the AWS_ACCESS_KEY_ID, AWS_ACCESS_KEY or EC2_ACCESS_KEY environment variable is used.
aliases: ec2_access_key, access_key
|
aws_secret_key
|
|
AWS secret key. If not set then the value of the AWS_SECRET_ACCESS_KEY, AWS_SECRET_KEY, or EC2_SECRET_KEY environment variable is used.
aliases: ec2_secret_key, secret_key
|
cloudwatch_logs_log_group_arn
(added in 2.4) |
|
A full ARN specifying a valid CloudWatch log group to which CloudTrail logs will be delivered. The log group should already exist.
Required when cloudwatch_logs_role_arn
|
cloudwatch_logs_role_arn
(added in 2.4) |
|
Specifies a full ARN for an IAM role that assigns the proper permissions for CloudTrail to create and write to the log group.
Required when cloudwatch_logs_log_group_arn
|
ec2_url
|
|
Url to use to connect to EC2 or your Eucalyptus cloud (by default the module will use EC2 endpoints). Ignored for modules where region is required. Must be specified for all other modules if region is not used. If not set then the value of the EC2_URL environment variable, if any, is used.
|
enable_log_file_validation
(added in 2.4) |
|
Specifies whether log file integrity validation is enabled.
CloudTrail will create a hash for every log file delivered and produce a signed digest file that can be used to ensure log files have not been tampered.
aliases: log_file_validation_enabled
|
enable_logging
(added in 2.4) |
Default:
yes
|
Start or stop the CloudTrail logging. If stopped the trail will be paused and will not record events or deliver log files.
|
include_global_events
|
Default:
yes
|
Record API calls from global services such as IAM and STS.
aliases: include_global_service_events
|
is_multi_region_trail
(added in 2.4) |
Default:
no
|
Specify whether the trail belongs only to one region or exists in all regions.
|
kms_key_id
(added in 2.4) |
|
Specifies the KMS key ID to use to encrypt the logs delivered by CloudTrail. This also has the effect of enabling log file encryption.
The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
|
name
required |
|
Name for the CloudTrail.
Names are unique per-region unless the CloudTrail is a multi-region trail, in which case it is unique per-account.
|
profile
(added in 1.6) |
|
Uses a boto profile. Only works with boto >= 2.24.0.
|
region
|
|
aliases: aws_region, ec2_region
|
s3_bucket_name
(added in 2.4) |
|
An existing S3 bucket where CloudTrail will deliver log files.
This bucket should exist and have the proper policy.
Required when state=present
|
s3_key_prefix
|
|
S3 Key prefix for delivered log files. A trailing slash is not necessary and will be removed.
|
security_token
(added in 1.6) |
|
AWS STS security token. If not set then the value of the AWS_SECURITY_TOKEN or EC2_SECURITY_TOKEN environment variable is used.
aliases: access_token
|
sns_topic_name
(added in 2.4) |
|
SNS Topic name to send notifications to when a log file is delivered
|
state
required |
Choices:
- present
- absent
- enabled
- disabled
|
Add or remove CloudTrail configuration.
The following states have been preserved for backwards compatibility. state=enabled and state=disabled .
enabled=present and disabled=absent.
|
tags
(added in 2.4) |
Default:
{}
|
A hash/dictionary of tags to be applied to the CloudTrail resource.
Remove completely or specify an empty dictionary to remove all tags.
|
validate_certs
bool
(added in 1.5) |
|
When set to "no", SSL certificates will not be validated for boto versions >= 2.6.0.
|