AWS CloudTrail

2023/11/09 - AWS CloudTrail - 2 updated api methods

Changes  The Insights in Lake feature lets customers enable CloudTrail Insights on a source CloudTrail Lake event data store and create a destination event data store to collect Insights events based on unusual management event activity in the source event data store.

GetInsightSelectors (updated) Link ¶
Changes (request, response)
Request
{'EventDataStore': 'string'}
Response
{'EventDataStoreArn': 'string', 'InsightsDestination': 'string'}

Describes the settings for the Insights event selectors that you configured for your trail or event data store. GetInsightSelectors shows if CloudTrail Insights event logging is enabled on the trail or event data store, and if it is, which Insights types are enabled. If you run GetInsightSelectors on a trail or event data store that does not have Insights events enabled, the operation throws the exception InsightNotEnabledException

Specify either the EventDataStore parameter to get Insights event selectors for an event data store, or the TrailName parameter to the get Insights event selectors for a trail. You cannot specify these parameters together.

For more information, see Logging CloudTrail Insights events in the CloudTrail User Guide.

See also: AWS API Documentation

Request Syntax

client.get_insight_selectors(
    TrailName='string',
    EventDataStore='string'
)
type TrailName:

string

param TrailName:

Specifies the name of the trail or trail ARN. If you specify a trail name, the string must meet the following requirements:

  • Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)

  • Start with a letter or number, and end with a letter or number

  • Be between 3 and 128 characters

  • Have no adjacent periods, underscores or dashes. Names like my-_namespace and my--namespace are not valid.

  • Not be in IP address format (for example, 192.168.5.4)

If you specify a trail ARN, it must be in the format:

arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail

You cannot use this parameter with the EventDataStore parameter.

type EventDataStore:

string

param EventDataStore:

Specifies the ARN (or ID suffix of the ARN) of the event data store for which you want to get Insights selectors.

You cannot use this parameter with the TrailName parameter.

rtype:

dict

returns:

Response Syntax

{
    'TrailARN': 'string',
    'InsightSelectors': [
        {
            'InsightType': 'ApiCallRateInsight'|'ApiErrorRateInsight'
        },
    ],
    'EventDataStoreArn': 'string',
    'InsightsDestination': 'string'
}

Response Structure

  • (dict) --

    • TrailARN (string) --

      The Amazon Resource Name (ARN) of a trail for which you want to get Insights selectors.

    • InsightSelectors (list) --

      A JSON string that contains the Insight types you want to log on a trail or event data store. ApiErrorRateInsight and ApiCallRateInsight are supported as Insights types.

      • (dict) --

        A JSON string that contains a list of Insights types that are logged on a trail or event data store.

        • InsightType (string) --

          The type of Insights events to log on a trail or event data store. ApiCallRateInsight and ApiErrorRateInsight are valid Insight types.

          The ApiCallRateInsight Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.

          The ApiErrorRateInsight Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.

    • EventDataStoreArn (string) --

      The ARN of the source event data store that enabled Insights events.

    • InsightsDestination (string) --

      The ARN of the destination event data store that logs Insights events.

PutInsightSelectors (updated) Link ¶
Changes (request, response)
Request
{'EventDataStore': 'string', 'InsightsDestination': 'string'}
Response
{'EventDataStoreArn': 'string', 'InsightsDestination': 'string'}

Lets you enable Insights event logging by specifying the Insights selectors that you want to enable on an existing trail or event data store. You also use PutInsightSelectors to turn off Insights event logging, by passing an empty list of Insights types. The valid Insights event types are ApiErrorRateInsight and ApiCallRateInsight.

To enable Insights on an event data store, you must specify the ARNs (or ID suffix of the ARNs) for the source event data store ( EventDataStore) and the destination event data store ( InsightsDestination). The source event data store logs management events and enables Insights. The destination event data store logs Insights events based upon the management event activity of the source event data store. The source and destination event data stores must belong to the same Amazon Web Services account.

To log Insights events for a trail, you must specify the name ( TrailName) of the CloudTrail trail for which you want to change or add Insights selectors.

To log CloudTrail Insights events on API call volume, the trail or event data store must log write management events. To log CloudTrail Insights events on API error rate, the trail or event data store must log read or write management events. You can call GetEventSelectors on a trail to check whether the trail logs management events. You can call GetEventDataStore on an event data store to check whether the event data store logs management events.

For more information, see Logging CloudTrail Insights events in the CloudTrail User Guide.

See also: AWS API Documentation

Request Syntax

client.put_insight_selectors(
    TrailName='string',
    InsightSelectors=[
        {
            'InsightType': 'ApiCallRateInsight'|'ApiErrorRateInsight'
        },
    ],
    EventDataStore='string',
    InsightsDestination='string'
)
type TrailName:

string

param TrailName:

The name of the CloudTrail trail for which you want to change or add Insights selectors.

You cannot use this parameter with the EventDataStore and InsightsDestination parameters.

type InsightSelectors:

list

param InsightSelectors:

[REQUIRED]

A JSON string that contains the Insights types you want to log on a trail or event data store. ApiCallRateInsight and ApiErrorRateInsight are valid Insight types.

The ApiCallRateInsight Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.

The ApiErrorRateInsight Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.

  • (dict) --

    A JSON string that contains a list of Insights types that are logged on a trail or event data store.

    • InsightType (string) --

      The type of Insights events to log on a trail or event data store. ApiCallRateInsight and ApiErrorRateInsight are valid Insight types.

      The ApiCallRateInsight Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.

      The ApiErrorRateInsight Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.

type EventDataStore:

string

param EventDataStore:

The ARN (or ID suffix of the ARN) of the source event data store for which you want to change or add Insights selectors. To enable Insights on an event data store, you must provide both the EventDataStore and InsightsDestination parameters.

You cannot use this parameter with the TrailName parameter.

type InsightsDestination:

string

param InsightsDestination:

The ARN (or ID suffix of the ARN) of the destination event data store that logs Insights events. To enable Insights on an event data store, you must provide both the EventDataStore and InsightsDestination parameters.

You cannot use this parameter with the TrailName parameter.

rtype:

dict

returns:

Response Syntax

{
    'TrailARN': 'string',
    'InsightSelectors': [
        {
            'InsightType': 'ApiCallRateInsight'|'ApiErrorRateInsight'
        },
    ],
    'EventDataStoreArn': 'string',
    'InsightsDestination': 'string'
}

Response Structure

  • (dict) --

    • TrailARN (string) --

      The Amazon Resource Name (ARN) of a trail for which you want to change or add Insights selectors.

    • InsightSelectors (list) --

      A JSON string that contains the Insights event types that you want to log on a trail or event data store. The valid Insights types are ApiErrorRateInsight and ApiCallRateInsight.

      • (dict) --

        A JSON string that contains a list of Insights types that are logged on a trail or event data store.

        • InsightType (string) --

          The type of Insights events to log on a trail or event data store. ApiCallRateInsight and ApiErrorRateInsight are valid Insight types.

          The ApiCallRateInsight Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume.

          The ApiErrorRateInsight Insights type analyzes management API calls that result in error codes. The error is shown if the API call is unsuccessful.

    • EventDataStoreArn (string) --

      The Amazon Resource Name (ARN) of the source event data store for which you want to change or add Insights selectors.

    • InsightsDestination (string) --

      The ARN of the destination event data store that logs Insights events.