Interface AWSCloudTrail
- All Known Subinterfaces:
AWSCloudTrailAsync
- All Known Implementing Classes:
AbstractAWSCloudTrail
,AbstractAWSCloudTrailAsync
,AWSCloudTrailAsyncClient
,AWSCloudTrailClient
This is the CloudTrail API Reference. It provides descriptions of actions, data types, common parameters, and common errors for CloudTrail.
CloudTrail is a web service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. The recorded information includes the identity of the user, the start time of the AWS API call, the source IP address, the request parameters, and the response elements returned by the service.
As an alternative to the API, you can use one of the AWS SDKs, which consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to AWSCloudTrail. For example, the SDKs take care of cryptographically signing requests, managing errors, and retrying requests automatically. For information about the AWS SDKs, including how to download and install them, see the Tools for Amazon Web Services page.
See the CloudTrail User Guide for information about the data that is included with each AWS API call listed in the log files.
-
Method Summary
Modifier and TypeMethodDescriptionaddTags
(AddTagsRequest addTagsRequest) Adds one or more tags to a trail, up to a limit of 10.createTrail
(CreateTrailRequest createTrailRequest) Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket.deleteTrail
(DeleteTrailRequest deleteTrailRequest) Deletes a trail.Simplified method form for invoking the DescribeTrails operation.describeTrails
(DescribeTrailsRequest describeTrailsRequest) Retrieves settings for the trail associated with the current region for your account.Returns additional metadata for a previously executed successful request, typically used for debugging issues where a service isn't acting as expected.getTrailStatus
(GetTrailStatusRequest getTrailStatusRequest) Returns a JSON-formatted list of information about the specified trail.Simplified method form for invoking the ListPublicKeys operation.listPublicKeys
(ListPublicKeysRequest listPublicKeysRequest) Returns all public keys whose private keys were used to sign the digest files within the specified time range.listTags
(ListTagsRequest listTagsRequest) Lists the tags for the trail in the current region.Simplified method form for invoking the LookupEvents operation.lookupEvents
(LookupEventsRequest lookupEventsRequest) Looks up API activity events captured by CloudTrail that create, update, or delete resources in your account.removeTags
(RemoveTagsRequest removeTagsRequest) Removes the specified tags from a trail.void
setEndpoint
(String endpoint) Overrides the default endpoint for this client ("cloudtrail.us-east-1.amazonaws.com").void
An alternative tosetEndpoint(String)
, sets the regional endpoint for this client's service calls.void
shutdown()
Shuts down this client object, releasing any resources that might be held open.startLogging
(StartLoggingRequest startLoggingRequest) Starts the recording of AWS API calls and log file delivery for a trail.stopLogging
(StopLoggingRequest stopLoggingRequest) Suspends the recording of AWS API calls and log file delivery for the specified trail.updateTrail
(UpdateTrailRequest updateTrailRequest) Updates the settings that specify delivery of log files.
-
Method Details
-
setEndpoint
Overrides the default endpoint for this client ("cloudtrail.us-east-1.amazonaws.com"). Callers can use this method to control which AWS region they want to work with.Callers can pass in just the endpoint (ex: "cloudtrail.us-east-1.amazonaws.com") or a full URL, including the protocol (ex: "cloudtrail.us-east-1.amazonaws.com"). If the protocol is not specified here, the default protocol from this client's
ClientConfiguration
will be used, which by default is HTTPS.For more information on using AWS regions with the AWS SDK for Java, and a complete list of all available endpoints for all AWS services, see: http://developer.amazonwebservices.com/connect/entry.jspa?externalID= 3912
This method is not threadsafe. An endpoint should be configured when the client is created and before any service requests are made. Changing it afterwards creates inevitable race conditions for any service requests in transit or retrying.
- Parameters:
endpoint
- The endpoint (ex: "cloudtrail.us-east-1.amazonaws.com") or a full URL, including the protocol (ex: "cloudtrail.us-east-1.amazonaws.com") of the region specific AWS endpoint this client will communicate with.
-
setRegion
An alternative tosetEndpoint(String)
, sets the regional endpoint for this client's service calls. Callers can use this method to control which AWS region they want to work with.By default, all service endpoints in all regions use the https protocol. To use http instead, specify it in the
ClientConfiguration
supplied at construction.This method is not threadsafe. A region should be configured when the client is created and before any service requests are made. Changing it afterwards creates inevitable race conditions for any service requests in transit or retrying.
- Parameters:
region
- The region this client will communicate with. SeeRegion.getRegion(com.amazonaws.regions.Regions)
for accessing a given region. Must not be null and must be a region where the service is available.- See Also:
-
addTags
Adds one or more tags to a trail, up to a limit of 10. Tags must be unique per trail. Overwrites an existing tag's value when a new value is specified for an existing tag key. If you specify a key without a value, the tag will be created with the specified key and a value of null. You can tag a trail that applies to all regions only from the region in which the trail was created (that is, from its home region).
- Parameters:
addTagsRequest
- Specifies the tags to add to a trail.- Returns:
- Result of the AddTags operation returned by the service.
- Throws:
ResourceNotFoundException
- This exception is thrown when the specified resource is not found.CloudTrailARNInvalidException
- This exception is thrown when an operation is called with an invalid trail ARN. The format of a trail ARN is:arn:aws:cloudtrail:us-east-1:123456789012:trail/MyTrail
ResourceTypeNotSupportedException
- This exception is thrown when the specified resource type is not supported by CloudTrail.TagsLimitExceededException
- The number of tags per trail has exceeded the permitted amount. Currently, the limit is 10.InvalidTrailNameException
- This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:-
Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
-
Start with a letter or number, and end with a letter or number
-
Be between 3 and 128 characters
-
Have no adjacent periods, underscores or dashes. Names like
my-_namespace
andmy--namespace
are invalid. -
Not be in IP address format (for example, 192.168.5.4)
-
InvalidTagParameterException
- This exception is thrown when the key or value specified for the tag does not match the regular expression^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$
.UnsupportedOperationException
- This exception is thrown when the requested operation is not supported.OperationNotPermittedException
- This exception is thrown when the requested operation is not permitted.
-
createTrail
Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket. A maximum of five trails can exist in a region, irrespective of the region in which they were created.
- Parameters:
createTrailRequest
- Specifies the settings for each trail.- Returns:
- Result of the CreateTrail operation returned by the service.
- Throws:
MaximumNumberOfTrailsExceededException
- This exception is thrown when the maximum number of trails is reached.TrailAlreadyExistsException
- This exception is thrown when the specified trail already exists.S3BucketDoesNotExistException
- This exception is thrown when the specified S3 bucket does not exist.InsufficientS3BucketPolicyException
- This exception is thrown when the policy on the S3 bucket is not sufficient.InsufficientSnsTopicPolicyException
- This exception is thrown when the policy on the SNS topic is not sufficient.InsufficientEncryptionPolicyException
- This exception is thrown when the policy on the S3 bucket or KMS key is not sufficient.InvalidS3BucketNameException
- This exception is thrown when the provided S3 bucket name is not valid.InvalidS3PrefixException
- This exception is thrown when the provided S3 prefix is not valid.InvalidSnsTopicNameException
- This exception is thrown when the provided SNS topic name is not valid.InvalidKmsKeyIdException
- This exception is thrown when the KMS key ARN is invalid.InvalidTrailNameException
- This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:-
Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
-
Start with a letter or number, and end with a letter or number
-
Be between 3 and 128 characters
-
Have no adjacent periods, underscores or dashes. Names like
my-_namespace
andmy--namespace
are invalid. -
Not be in IP address format (for example, 192.168.5.4)
-
TrailNotProvidedException
- This exception is deprecated.InvalidParameterCombinationException
- This exception is thrown when the combination of parameters provided is not valid.KmsKeyNotFoundException
- This exception is thrown when the KMS key does not exist, or when the S3 bucket and the KMS key are not in the same region.KmsKeyDisabledException
- This exception is thrown when the KMS key is disabled.InvalidCloudWatchLogsLogGroupArnException
- This exception is thrown when the provided CloudWatch log group is not valid.InvalidCloudWatchLogsRoleArnException
- This exception is thrown when the provided role is not valid.CloudWatchLogsDeliveryUnavailableException
- Cannot set a CloudWatch Logs delivery for this region.UnsupportedOperationException
- This exception is thrown when the requested operation is not supported.OperationNotPermittedException
- This exception is thrown when the requested operation is not permitted.
-
deleteTrail
Deletes a trail. This operation must be called from the region in which the trail was created.
DeleteTrail
cannot be called on the shadow trails (replicated trails in other regions) of a trail that is enabled in all regions.- Parameters:
deleteTrailRequest
- The request that specifies the name of a trail to delete.- Returns:
- Result of the DeleteTrail operation returned by the service.
- Throws:
TrailNotFoundException
- This exception is thrown when the trail with the given name is not found.InvalidTrailNameException
- This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:-
Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
-
Start with a letter or number, and end with a letter or number
-
Be between 3 and 128 characters
-
Have no adjacent periods, underscores or dashes. Names like
my-_namespace
andmy--namespace
are invalid. -
Not be in IP address format (for example, 192.168.5.4)
-
InvalidHomeRegionException
- This exception is thrown when an operation is called on a trail from a region other than the region in which the trail was created.
-
describeTrails
Retrieves settings for the trail associated with the current region for your account.
- Parameters:
describeTrailsRequest
- Returns information about the trail.- Returns:
- Result of the DescribeTrails operation returned by the service.
- Throws:
UnsupportedOperationException
- This exception is thrown when the requested operation is not supported.OperationNotPermittedException
- This exception is thrown when the requested operation is not permitted.
-
describeTrails
DescribeTrailsResult describeTrails()Simplified method form for invoking the DescribeTrails operation.- See Also:
-
getTrailStatus
Returns a JSON-formatted list of information about the specified trail. Fields include information on delivery errors, Amazon SNS and Amazon S3 errors, and start and stop logging times for each trail. This operation returns trail status from a single region. To return trail status from all regions, you must call the operation on each region.
- Parameters:
getTrailStatusRequest
- The name of a trail about which you want the current status.- Returns:
- Result of the GetTrailStatus operation returned by the service.
- Throws:
TrailNotFoundException
- This exception is thrown when the trail with the given name is not found.InvalidTrailNameException
- This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:-
Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
-
Start with a letter or number, and end with a letter or number
-
Be between 3 and 128 characters
-
Have no adjacent periods, underscores or dashes. Names like
my-_namespace
andmy--namespace
are invalid. -
Not be in IP address format (for example, 192.168.5.4)
-
-
listPublicKeys
Returns all public keys whose private keys were used to sign the digest files within the specified time range. The public key is needed to validate digest files that were signed with its corresponding private key.
CloudTrail uses different private/public key pairs per region. Each digest file is signed with a private key unique to its region. Therefore, when you validate a digest file from a particular region, you must look in the same region for its corresponding public key.
- Parameters:
listPublicKeysRequest
- Requests the public keys for a specified time range.- Returns:
- Result of the ListPublicKeys operation returned by the service.
- Throws:
InvalidTimeRangeException
- Occurs if the timestamp values are invalid. Either the start time occurs after the end time or the time range is outside the range of possible values.UnsupportedOperationException
- This exception is thrown when the requested operation is not supported.OperationNotPermittedException
- This exception is thrown when the requested operation is not permitted.InvalidTokenException
- Reserved for future use.
-
listPublicKeys
ListPublicKeysResult listPublicKeys()Simplified method form for invoking the ListPublicKeys operation.- See Also:
-
listTags
Lists the tags for the trail in the current region.
- Parameters:
listTagsRequest
- Specifies a list of trail tags to return.- Returns:
- Result of the ListTags operation returned by the service.
- Throws:
ResourceNotFoundException
- This exception is thrown when the specified resource is not found.CloudTrailARNInvalidException
- This exception is thrown when an operation is called with an invalid trail ARN. The format of a trail ARN is:arn:aws:cloudtrail:us-east-1:123456789012:trail/MyTrail
ResourceTypeNotSupportedException
- This exception is thrown when the specified resource type is not supported by CloudTrail.InvalidTrailNameException
- This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:-
Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
-
Start with a letter or number, and end with a letter or number
-
Be between 3 and 128 characters
-
Have no adjacent periods, underscores or dashes. Names like
my-_namespace
andmy--namespace
are invalid. -
Not be in IP address format (for example, 192.168.5.4)
-
UnsupportedOperationException
- This exception is thrown when the requested operation is not supported.OperationNotPermittedException
- This exception is thrown when the requested operation is not permitted.InvalidTokenException
- Reserved for future use.
-
lookupEvents
Looks up API activity events captured by CloudTrail that create, update, or delete resources in your account. Events for a region can be looked up for the times in which you had CloudTrail turned on in that region during the last seven days. Lookup supports five different attributes: time range (defined by a start time and end time), user name, event name, resource type, and resource name. All attributes are optional. The maximum number of attributes that can be specified in any one lookup request are time range and one other attribute. The default number of results returned is 10, with a maximum of 50 possible. The response includes a token that you can use to get the next page of results.
The rate of lookup requests is limited to one per second per account. If this limit is exceeded, a throttling error occurs.
Events that occurred during the selected time range will not be available for lookup if CloudTrail logging was not enabled when the events occurred.
- Parameters:
lookupEventsRequest
- Contains a request for LookupEvents.- Returns:
- Result of the LookupEvents operation returned by the service.
- Throws:
InvalidLookupAttributesException
- Occurs when an invalid lookup attribute is specified.InvalidTimeRangeException
- Occurs if the timestamp values are invalid. Either the start time occurs after the end time or the time range is outside the range of possible values.InvalidMaxResultsException
- This exception is thrown if the limit specified is invalid.InvalidNextTokenException
- Invalid token or token that was previously used in a request with different parameters. This exception is thrown if the token is invalid.
-
lookupEvents
LookupEventsResult lookupEvents()Simplified method form for invoking the LookupEvents operation.- See Also:
-
removeTags
Removes the specified tags from a trail.
- Parameters:
removeTagsRequest
- Specifies the tags to remove from a trail.- Returns:
- Result of the RemoveTags operation returned by the service.
- Throws:
ResourceNotFoundException
- This exception is thrown when the specified resource is not found.CloudTrailARNInvalidException
- This exception is thrown when an operation is called with an invalid trail ARN. The format of a trail ARN is:arn:aws:cloudtrail:us-east-1:123456789012:trail/MyTrail
ResourceTypeNotSupportedException
- This exception is thrown when the specified resource type is not supported by CloudTrail.InvalidTrailNameException
- This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:-
Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
-
Start with a letter or number, and end with a letter or number
-
Be between 3 and 128 characters
-
Have no adjacent periods, underscores or dashes. Names like
my-_namespace
andmy--namespace
are invalid. -
Not be in IP address format (for example, 192.168.5.4)
-
InvalidTagParameterException
- This exception is thrown when the key or value specified for the tag does not match the regular expression^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$
.UnsupportedOperationException
- This exception is thrown when the requested operation is not supported.OperationNotPermittedException
- This exception is thrown when the requested operation is not permitted.
-
startLogging
Starts the recording of AWS API calls and log file delivery for a trail. For a trail that is enabled in all regions, this operation must be called from the region in which the trail was created. This operation cannot be called on the shadow trails (replicated trails in other regions) of a trail that is enabled in all regions.
- Parameters:
startLoggingRequest
- The request to CloudTrail to start logging AWS API calls for an account.- Returns:
- Result of the StartLogging operation returned by the service.
- Throws:
TrailNotFoundException
- This exception is thrown when the trail with the given name is not found.InvalidTrailNameException
- This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:-
Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
-
Start with a letter or number, and end with a letter or number
-
Be between 3 and 128 characters
-
Have no adjacent periods, underscores or dashes. Names like
my-_namespace
andmy--namespace
are invalid. -
Not be in IP address format (for example, 192.168.5.4)
-
InvalidHomeRegionException
- This exception is thrown when an operation is called on a trail from a region other than the region in which the trail was created.
-
stopLogging
Suspends the recording of AWS API calls and log file delivery for the specified trail. Under most circumstances, there is no need to use this action. You can update a trail without stopping it first. This action is the only way to stop recording. For a trail enabled in all regions, this operation must be called from the region in which the trail was created, or an
InvalidHomeRegionException
will occur. This operation cannot be called on the shadow trails (replicated trails in other regions) of a trail enabled in all regions.- Parameters:
stopLoggingRequest
- Passes the request to CloudTrail to stop logging AWS API calls for the specified account.- Returns:
- Result of the StopLogging operation returned by the service.
- Throws:
TrailNotFoundException
- This exception is thrown when the trail with the given name is not found.InvalidTrailNameException
- This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:-
Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
-
Start with a letter or number, and end with a letter or number
-
Be between 3 and 128 characters
-
Have no adjacent periods, underscores or dashes. Names like
my-_namespace
andmy--namespace
are invalid. -
Not be in IP address format (for example, 192.168.5.4)
-
InvalidHomeRegionException
- This exception is thrown when an operation is called on a trail from a region other than the region in which the trail was created.
-
updateTrail
Updates the settings that specify delivery of log files. Changes to a trail do not require stopping the CloudTrail service. Use this action to designate an existing bucket for log delivery. If the existing bucket has previously been a target for CloudTrail log files, an IAM policy exists for the bucket.
UpdateTrail
must be called from the region in which the trail was created; otherwise, anInvalidHomeRegionException
is thrown.- Parameters:
updateTrailRequest
- Specifies settings to update for the trail.- Returns:
- Result of the UpdateTrail operation returned by the service.
- Throws:
S3BucketDoesNotExistException
- This exception is thrown when the specified S3 bucket does not exist.InsufficientS3BucketPolicyException
- This exception is thrown when the policy on the S3 bucket is not sufficient.InsufficientSnsTopicPolicyException
- This exception is thrown when the policy on the SNS topic is not sufficient.InsufficientEncryptionPolicyException
- This exception is thrown when the policy on the S3 bucket or KMS key is not sufficient.TrailNotFoundException
- This exception is thrown when the trail with the given name is not found.InvalidS3BucketNameException
- This exception is thrown when the provided S3 bucket name is not valid.InvalidS3PrefixException
- This exception is thrown when the provided S3 prefix is not valid.InvalidSnsTopicNameException
- This exception is thrown when the provided SNS topic name is not valid.InvalidKmsKeyIdException
- This exception is thrown when the KMS key ARN is invalid.InvalidTrailNameException
- This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:-
Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
-
Start with a letter or number, and end with a letter or number
-
Be between 3 and 128 characters
-
Have no adjacent periods, underscores or dashes. Names like
my-_namespace
andmy--namespace
are invalid. -
Not be in IP address format (for example, 192.168.5.4)
-
TrailNotProvidedException
- This exception is deprecated.InvalidParameterCombinationException
- This exception is thrown when the combination of parameters provided is not valid.InvalidHomeRegionException
- This exception is thrown when an operation is called on a trail from a region other than the region in which the trail was created.KmsKeyNotFoundException
- This exception is thrown when the KMS key does not exist, or when the S3 bucket and the KMS key are not in the same region.KmsKeyDisabledException
- This exception is thrown when the KMS key is disabled.InvalidCloudWatchLogsLogGroupArnException
- This exception is thrown when the provided CloudWatch log group is not valid.InvalidCloudWatchLogsRoleArnException
- This exception is thrown when the provided role is not valid.CloudWatchLogsDeliveryUnavailableException
- Cannot set a CloudWatch Logs delivery for this region.UnsupportedOperationException
- This exception is thrown when the requested operation is not supported.OperationNotPermittedException
- This exception is thrown when the requested operation is not permitted.
-
shutdown
void shutdown()Shuts down this client object, releasing any resources that might be held open. This is an optional method, and callers are not expected to call it, but can if they want to explicitly release any open resources. Once a client has been shutdown, it should not be used to make any more requests. -
getCachedResponseMetadata
Returns additional metadata for a previously executed successful request, typically used for debugging issues where a service isn't acting as expected. This data isn't considered part of the result data returned by an operation, so it's available through this separate, diagnostic interface.Response metadata is only cached for a limited period of time, so if you need to access this extra diagnostic information for an executed request, you should use this method to retrieve it as soon as possible after executing a request.
- Parameters:
request
- The originally executed request.- Returns:
- The response metadata for the specified request, or null if none is available.
-