Service: AWS CloudTrail
Short Name: cloudtrail
ARN Format: arn:aws:cloudtrail:${Region}:${Account}:${Resource}
ARN Regex: ^arn:aws:cloudtrail:.+:[0-9]+:.+
ReadOnlyAccess
…
AWSConfigRole

Action | Access | Reference | Description |
---|---|---|---|
cloudtrail:ListChannels | Docs | Grants permission to list the channels in the current account, and their source names | |
cloudtrail:ListEventDataStores | Docs | Grants permission to list event data stores associated with the current region for your account | |
cloudtrail:ListImports | Docs | Grants permission to return information on all imports, or a select set of imports by ImportStatus or Destination | |
cloudtrail:ListQueries | Docs | Grants permission to list queries associated with an event data store | |
cloudtrail:ListServiceLinkedChannels | Docs | Grants permission to list service-linked channels associated with the current region for a specified account | |
cloudtrail:ListTrails | Docs | Grants permission to list trails associated with the current region for your account | |
cloudtrail:DescribeQuery | Docs | Grants permission to list details for the query | |
cloudtrail:DescribeTrails | Docs | Grants permission to list settings for the trails associated with the current region for your account | |
cloudtrail:GetChannel | Docs | Grants permission to return information about a specific channel | |
cloudtrail:GetEventDataStore | Docs | Grants permission to list settings for the event data store | |
cloudtrail:GetEventDataStoreData | Docs | Grants permission to get data from an event data store by using the AWS Glue Data Catalog | |
cloudtrail:GetEventSelectors | Docs | Grants permission to list settings for event selectors configured for a trail | |
cloudtrail:GetImport | Docs | Grants permission to return information about a specific import | |
cloudtrail:GetInsightSelectors | Docs | Grants permission to list CloudTrail Insights selectors that are configured for a trail or event data store | |
cloudtrail:GetQueryResults | Docs | Grants permission to fetch results of a complete query | |
cloudtrail:GetResourcePolicy | Docs | Grants permission to get the resource policy attached to the provided resource | |
cloudtrail:GetServiceLinkedChannel | Docs | Grants permission to list settings for the service-linked channel | |
cloudtrail:GetTrail | Docs | Grants permission to list settings for the trail | |
cloudtrail:GetTrailStatus | Docs | Grants permission to retrieve a JSON-formatted list of information about the specified trail | |
cloudtrail:ListImportFailures | Docs | Grants permission to return a list of failures for the specified import | |
cloudtrail:ListPublicKeys | Docs | Grants permission to list the public keys whose private keys were used to sign trail digest files within a specified time range | |
cloudtrail:ListTags | Docs | Grants permission to list the tags for trails, event data stores, or channels in the current region | |
cloudtrail:LookupEvents | Docs | Grants permission to look up API activity events captured by CloudTrail that create, update, or delete resources in your account | |
cloudtrail:AddTags | Docs | Grants permission to add one or more tags to a trail, event data store, or channel, up to a limit of 50 | |
cloudtrail:RemoveTags | Docs | Grants permission to remove tags from a trail, event data store, or channel | |
cloudtrail:CancelQuery | Docs | Grants permission to cancel a running query | |
cloudtrail:CreateChannel | Docs | Grants permission to create a channel | |
cloudtrail:CreateEventDataStore | Docs | Grants permission to create an event data store | |
cloudtrail:CreateServiceLinkedChannel | Docs | Grants permission to create a service-linked channel that specifies the settings for delivery of log data to an AWS service | |
cloudtrail:CreateTrail | Docs | Grants permission to create a trail that specifies the settings for delivery of log data to an Amazon S3 bucket | |
cloudtrail:DeleteChannel | Docs | Grants permission to delete a channel | |
cloudtrail:DeleteEventDataStore | Docs | Grants permission to delete an event data store | |
cloudtrail:DeleteResourcePolicy | Docs | Grants permission to delete a resource policy from the provided resource | |
cloudtrail:DeleteServiceLinkedChannel | Docs | Grants permission to delete a service-linked channel | |
cloudtrail:DeleteTrail | Docs | Grants permission to delete a trail | |
cloudtrail:DeregisterOrganizationDelegatedAdmin | Docs | Grants permission to deregister an AWS Organizations member account as a delegated administrator | |
cloudtrail:DisableFederation | Docs | Grants permission to disable federation of event data store data by using the AWS Glue Data Catalog | |
cloudtrail:EnableFederation | Docs | Grants permission to enable federation of event data store data by using the AWS Glue Data Catalog | |
cloudtrail:PutEventSelectors | Docs | Grants permission to create and update event selectors for a trail | |
cloudtrail:PutInsightSelectors | Docs | Grants permission to create and update CloudTrail Insights selectors for a trail or event data store | |
cloudtrail:PutResourcePolicy | Docs | Grants permission to attach a resource policy to the provided resource | |
cloudtrail:RegisterOrganizationDelegatedAdmin | Docs | Grants permission to register an AWS Organizations member account as a delegated administrator | |
cloudtrail:RestoreEventDataStore | Docs | Grants permission to restore an event data store | |
cloudtrail:StartEventDataStoreIngestion | Docs | Grants permission to start ingestion on an event data store | |
cloudtrail:StartImport | Docs | Grants permission to start an import of logged trail events from a source S3 bucket to a destination event data store | |
cloudtrail:StartLogging | Docs | Grants permission to start the recording of AWS API calls and log file delivery for a trail | |
cloudtrail:StartQuery | Docs | Grants permission to start a new query on a specified event data store | |
cloudtrail:StopEventDataStoreIngestion | Docs | Grants permission to stop ingestion on an event data store | |
cloudtrail:StopImport | Docs | Grants permission to stop a specified import | |
cloudtrail:StopLogging | Docs | Grants permission to stop the recording of AWS API calls and log file delivery for a trail | |
cloudtrail:UpdateChannel | Docs | Grants permission to update a channel | |
cloudtrail:UpdateEventDataStore | Docs | Grants permission to update an event data store | |
cloudtrail:UpdateServiceLinkedChannel | Docs | Grants permission to update the settings that specify delivery of log files | |
cloudtrail:UpdateTrail | Docs | Grants permission to update the settings that specify delivery of log files | |

aws:RequestTag/${TagKey}
aws:ResourceTag/${TagKey}
aws:TagKeys