
Trail

The Trail resource allows you to manage AWS CloudTrail Trails for logging and monitoring account activity across your AWS infrastructure.

Create a basic CloudTrail trail with required properties and a couple of common optional settings.

import AWS from "alchemy/aws/control";

const basicTrail = await AWS.CloudTrail.Trail("basicTrail", {
  S3BucketName: "my-cloudtrail-logs-bucket",
  IsLogging: true,
  IncludeGlobalServiceEvents: true
});

Configure a CloudTrail trail with advanced settings, including event selectors and a KMS key for log file encryption.

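const advancedTrail = await AWS.CloudTrail.Trail("advancedTrail", {
  S3BucketName: "my-cloudtrail-logs-bucket",
  IsLogging: true,
  // Customer managed KMS key used to encrypt the delivered log files
  KMSKeyId: "arn:aws:kms:us-west-2:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
  EventSelectors: [
    {
      ReadWriteType: "All",
      IncludeManagementEvents: true,
      // Also record object-level (data) events for one bucket
      DataResources: [
        {
          Type: "AWS::S3::Object",
          Values: ["arn:aws:s3:::my-sensitive-bucket/"]
        }
      ]
    }
  ],
  SnsTopicName: "myCloudTrailSnsTopic",
  // CloudWatch Logs delivery needs the log group and the role together (placeholder log group ARN)
  CloudWatchLogsLogGroupArn: "arn:aws:logs:us-west-2:123456789012:log-group:my-cloudtrail-log-group:*",
  CloudWatchLogsRoleArn: "arn:aws:iam::123456789012:role/CloudWatchLogsRole"
});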

Create a CloudTrail trail that logs events across multiple regions.

const multiRegionTrail = await AWS.CloudTrail.Trail("multiRegionTrail", {
  S3BucketName: "my-multi-region-cloudtrail-logs-bucket",
  IsLogging: true,
  IsMultiRegionTrail: true,
  EnableLogFileValidation: true
});

Set up an organization trail to log API calls across all accounts in an AWS Organization.

const organizationTrail = await AWS.CloudTrail.Trail("organizationTrail", {
  S3BucketName: "my-org-cloudtrail-logs-bucket",
  IsLogging: true,
  IsOrganizationTrail: true,
  SnsTopicName: "orgCloudTrailSnsTopic"
});
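
A pre-deployment check over the Trail properties used on this page, as an added example that is not part of the Alchemy documentation or code base. The `TrailProps` type, the `auditTrail` function and the finding names are hypothetical, and the sample objects are constructed from the multi-region and organization examples above.

```typescript
// Added example: static review of Trail props before they are deployed.
// Property names are the ones used on this page; finding names are hypothetical.
interface TrailProps {
  S3BucketName: string;
  IsLogging: boolean;
  IncludeGlobalServiceEvents?: boolean;
  IsMultiRegionTrail?: boolean;
  IsOrganizationTrail?: boolean;
  EnableLogFileValidation?: boolean;
  KMSKeyId?: string;
  SnsTopicName?: string;
  CloudWatchLogsRoleArn?: string;
  CloudWatchLogsLogGroupArn?: string;
  EventSelectors?: { ReadWriteType?: string; IncludeManagementEvents?: boolean }[];
}

function auditTrail(p: TrailProps): string[] {
  const findings: string[] = [];
  if (!p.IsLogging) findings.push("logging-disabled");
  if (!p.IsMultiRegionTrail) findings.push("single-region"); // other regions go unrecorded
  if (p.IncludeGlobalServiceEvents === false) findings.push("no-global-service-events");
  if (!p.EnableLogFileValidation) findings.push("no-log-file-validation"); // no digest files
  if (!p.KMSKeyId) findings.push("no-kms-key"); // log files rely on SSE-S3 only
  // CloudWatch Logs delivery needs the role and the log group together.
  if (Boolean(p.CloudWatchLogsRoleArn) !== Boolean(p.CloudWatchLogsLogGroupArn))
    findings.push("cloudwatch-pair-incomplete");
  for (const s of p.EventSelectors ?? []) {
    if (s.IncludeManagementEvents === false) findings.push("management-events-excluded");
    if (s.ReadWriteType && s.ReadWriteType !== "All") findings.push("partial-read-write-coverage");
  }
  return findings;
}

// Constructed inputs mirroring the multi-region and organization examples on this page.
const multiRegion: TrailProps = { S3BucketName: "my-multi-region-cloudtrail-logs-bucket",
  IsLogging: true, IsMultiRegionTrail: true, EnableLogFileValidation: true };
const organization: TrailProps = { S3BucketName: "my-org-cloudtrail-logs-bucket",
  IsLogging: true, IsOrganizationTrail: true, SnsTopicName: "orgCloudTrailSnsTopic" };
// The organization trail with the gaps closed (key ARN is the placeholder used above).
const hardened: TrailProps = { ...organization, IsMultiRegionTrail: true,
  EnableLogFileValidation: true,
  KMSKeyId: "arn:aws:kms:us-west-2:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234" };

console.log("multiRegion:", auditTrail(multiRegion));
console.log("organization:", auditTrail(organization));
console.log("hardened:", auditTrail(hardened));
```

Running the same function over the props object before it is passed to `AWS.CloudTrail.Trail` lets a CI step fail on any non-empty result.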