Complete the code to create a CloudTrail trail that logs API activity.
resource "aws_cloudtrail" "example" { name = "example-trail" s3_bucket_name = [1] include_global_service_events = true }
The s3_bucket_name must be the name of an existing S3 bucket where CloudTrail stores logs. Here, cloudtrail-logs is the correct bucket name.
Complete the code to enable logging of management events in CloudTrail.
resource "aws_cloudtrail" "example" { name = "example-trail" s3_bucket_name = "cloudtrail-logs" include_global_service_events = true [1] { read_write_type = "All" } }
management_event_selector which do not exist.The event_selector block is used to specify which events CloudTrail should log, including management events.
Fix the error in the CloudTrail resource to properly enable multi-region logging.
resource "aws_cloudtrail" "example" { name = "example-trail" s3_bucket_name = "cloudtrail-logs" is_multi_region_trail = [1] include_global_service_events = true }
The is_multi_region_trail attribute expects a boolean value, not a string. So true without quotes is correct.
Fill both blanks to configure CloudTrail to log only write management events and exclude read events.
resource "aws_cloudtrail" "example" { name = "example-trail" s3_bucket_name = "cloudtrail-logs" event_selector { read_write_type = [1] include_management_events = [2] } }
Setting read_write_type to "WriteOnly" logs only write events. include_management_events must be true to include management events.
Fill all three blanks to create a CloudTrail trail with encryption enabled and SNS notifications for log file delivery.
resource "aws_cloudtrail" "example" { name = "example-trail" s3_bucket_name = "cloudtrail-logs" enable_log_file_validation = [1] kms_key_id = [2] sns_topic_name = [3] }
Enable log file validation with true. Provide the KMS key ARN for encryption. Set the SNS topic name for notifications.