
ResourcePolicy

The ResourcePolicy resource lets you manage AWS CloudTrail resource policies that define access to your CloudTrail resources. Resource policies are important for controlling which AWS accounts or IAM roles can access your CloudTrail logs.

Create a basic resource policy that allows specific AWS accounts to access CloudTrail logs.

import AWS from "alchemy/aws/control";

const resourcePolicy = await AWS.CloudTrail.ResourcePolicy("basicResourcePolicy", {
  ResourceArn: "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyTrail",
  ResourcePolicy: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        // Only this role in account 111122223333 may look up events
        Principal: {
          AWS: ["arn:aws:iam::111122223333:role/ExampleRole"]
        },
        Action: "cloudtrail:LookupEvents",
        Resource: "*"
      }
    ]
  },
  adopt: false // Default is false; adopt an existing resource if true
});

Configure a resource policy that includes multiple principals and additional actions.

const advancedResourcePolicy = await AWS.CloudTrail.ResourcePolicy("advancedResourcePolicy", {
  ResourceArn: "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyTrail",
  ResourcePolicy: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: {
          AWS: [
            "arn:aws:iam::111122223333:role/ExampleRole",
            "arn:aws:iam::444455556666:user/AnotherUser"
          ]
        },
        Action: [
          "cloudtrail:LookupEvents",
          "cloudtrail:GetTrail"
        ],
        Resource: "*",
        // Further restrict the grant to requests made on behalf of the owning account
        Condition: {
          StringEquals: {
            "aws:SourceAccount": "123456789012"
          }
        }
      }
    ]
  }
});

Specific Use Case: Deny Access Based on Conditions

This example denies a specific role the cloudtrail:LookupEvents action when the request originates from a given address range. Note that aws:SourceIp is an IP address condition key, so it must be evaluated with the IpAddress operator rather than StringEquals.

const denyAccessPolicy = await AWS.CloudTrail.ResourcePolicy("denyAccessPolicy", {
  ResourceArn: "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyTrail",
  ResourcePolicy: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Deny",
        Principal: {
          AWS: "arn:aws:iam::999988887777:role/RestrictedRole"
        },
        Action: "cloudtrail:LookupEvents",
        Resource: "*",
        // aws:SourceIp holds an IP address, so a CIDR range must be matched with
        // IpAddress; StringEquals would compare the literal string and never match.
        Condition: {
          IpAddress: {
            "aws:SourceIp": "203.0.113.0/24"
          }
        }
      }
    ]
  }
});
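Because a resource policy is plain data passed to AWS.CloudTrail.ResourcePolicy, it is worth checking it before deployment. The following linter is an added example, not part of Alchemy or AWS; it flags the weak patterns discussed above (an unconditioned Allow to any principal, a blanket cloudtrail:* grant, and aws:SourceIp evaluated with a String operator) and runs against a constructed sample policy.

```typescript
// Added example (not Alchemy's code): lint a CloudTrail resource policy document.
type Principal = "*" | { AWS: string | string[] };
interface Statement {
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface PolicyDocument { Version: string; Statement: Statement[] }

function asList(v: string | string[]): string[] { return Array.isArray(v) ? v : [v]; }

// Returns one finding per weak setting; an empty array means no issues were found.
function lintResourcePolicy(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  if (doc.Version !== "2012-10-17") findings.push("Version should be 2012-10-17");
  doc.Statement.forEach((s, i) => {
    const principals = s.Principal === "*" ? ["*"] : asList(s.Principal.AWS);
    const actions = asList(s.Action);
    if (s.Effect === "Allow" && principals.includes("*") && !s.Condition)
      findings.push(`statement ${i}: Allow to any principal without a Condition`);
    if (s.Effect === "Allow" && actions.some((a) => a === "*" || a === "cloudtrail:*"))
      findings.push(`statement ${i}: Allow grants every CloudTrail action`);
    // aws:SourceIp is an IP condition key; String operators compare the literal text,
    // so a CIDR under StringEquals never matches a real request's source address.
    const cond: Record<string, Record<string, string | string[]>> = s.Condition ?? {};
    for (const [op, keys] of Object.entries(cond))
      if (op.startsWith("String") && "aws:SourceIp" in keys)
        findings.push(`statement ${i}: aws:SourceIp needs IpAddress/NotIpAddress, not ${op}`);
  });
  return findings;
}

// Constructed sample: a deliberately weak policy used to exercise the linter.
const samplePolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Principal: "*", Action: "cloudtrail:LookupEvents", Resource: "*" },
    {
      Effect: "Deny",
      Principal: { AWS: "arn:aws:iam::999988887777:role/RestrictedRole" },
      Action: "cloudtrail:LookupEvents",
      Resource: "*",
      Condition: { StringEquals: { "aws:SourceIp": "203.0.113.0/24" } }
    }
  ]
};

function lintSample(): string[] { return lintResourcePolicy(samplePolicy); }
```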