CloudTrailConfig Type
High-level CloudTrail builder following AWS security best practices.

**Default Security Settings:**

- IsMultiRegionTrail = true (captures events from all regions, not just the trail's home region)
- IncludeGlobalServiceEvents = true (includes events from global services such as IAM, STS and CloudFront)
- EnableFileValidation = true (enables log file integrity validation: CloudTrail delivers signed digest files that let you prove a delivered log file was not modified, deleted or forged)
- ManagementEvents = ReadWriteType.ALL (logs all management events, both read and write)
- SendToCloudWatchLogs = true (enables CloudWatch Logs integration)

**Rationale:** CloudTrail provides audit logs of AWS API calls, which is critical for:

- Security incident investigation and forensics
- Compliance requirements (HIPAA, PCI-DSS, SOC 2, GDPR)
- Detecting unauthorized access or privilege escalation
- Meeting AWS Well-Architected Framework security pillar requirements

Per "Security as Code" (O'Reilly): "Log all API calls with CloudTrail. This is non-negotiable for security monitoring."

**Note on Costs:** The first copy of management events delivered in an account is free. Additional trails, and data events (for example S3 object-level or Lambda invocation logging, which are not enabled by these defaults), incur charges. CloudWatch Logs integration has additional costs but provides real-time monitoring capabilities.

**Caveats:** Log file validation only helps if the digest files are actually checked (for example with `aws cloudtrail validate-logs`) and the S3 bucket receiving the logs is protected from deletion and tampering by the same principals whose activity the trail records. Global service events are delivered to every trail that enables them, so enabling them on more than one trail in an account produces duplicate IAM and STS records; keep them on a single multi-region trail.
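The defaults above describe what a trail should look like; the complementary check is auditing the trails an account already has against that baseline. The following is an added example, not FsCDK code. It works on the response shapes of boto3's `cloudtrail.describe_trails()` (the `trailList` entries) and `cloudtrail.get_event_selectors()`; the sample trails and selectors are constructed so the check runs offline. Note the naming difference: the builder's `EnableFileValidation` appears as `LogFileValidationEnabled` in the API response, and `SendToCloudWatchLogs` shows up as a `CloudWatchLogsLogGroupArn` on the trail.

```python
"""Audit existing CloudTrail trails against the baseline this builder applies.

Added example, not FsCDK code. Input dicts follow boto3's describe_trails()
and get_event_selectors() response shapes; the sample data is constructed.
"""
from dataclasses import dataclass
from typing import Any

# Trail attributes as returned by describe_trails(), with the baseline value.
TRAIL_BASELINE = {
    "IsMultiRegionTrail": True,          # events from every region
    "IncludeGlobalServiceEvents": True,  # IAM, STS, CloudFront
    "LogFileValidationEnabled": True,    # digest files for integrity validation
}


@dataclass(frozen=True)
class Finding:
    trail: str
    setting: str
    expected: Any
    actual: Any


def _logs_all_management_events(selectors: dict) -> bool:
    """True if the event selectors record all (read and write) management events.

    Handles both classic EventSelectors and AdvancedEventSelectors responses.
    """
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        is_mgmt = fields.get("eventCategory", {}).get("Equals") == ["Management"]
        # A readOnly field selector narrows the selector to only reads or only writes.
        if is_mgmt and "readOnly" not in fields:
            return True
    return False


def audit_trail(trail: dict, selectors: dict) -> list[Finding]:
    """Compare one trail (plus its event selectors) with the baseline."""
    name = trail.get("Name") or trail.get("TrailARN", "<unnamed>")
    findings = []
    for key, expected in TRAIL_BASELINE.items():
        actual = trail.get(key, False)
        if actual != expected:
            findings.append(Finding(name, key, expected, actual))
    # CloudWatch Logs integration is visible as a log group ARN on the trail.
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append(Finding(name, "CloudWatchLogsLogGroupArn", "<log group ARN>", None))
    if not _logs_all_management_events(selectors):
        findings.append(Finding(name, "ManagementEvents", "All", selectors))
    return findings


def audit_account(trails: list[dict], selectors_by_trail: dict[str, dict]) -> dict[str, list[Finding]]:
    """Per-trail findings, plus account-wide checks keyed under '<account>'."""
    report = {t["Name"]: audit_trail(t, selectors_by_trail.get(t["Name"], {})) for t in trails}
    account: list[Finding] = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        account.append(Finding("<account>", "multi-region trail present", True, False))
    # Global service events go to every trail that asks for them; more than one
    # such trail in an account means duplicated IAM/STS records.
    global_trails = [t["Name"] for t in trails if t.get("IncludeGlobalServiceEvents")]
    if len(global_trails) > 1:
        account.append(Finding("<account>", "trails with global service events", 1, global_trails))
    report["<account>"] = account
    return report


# Constructed sample data shaped like describe_trails()["trailList"] entries.
SAMPLE_TRAILS = [
    {
        "Name": "org-audit-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-audit-trail",
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": True,
        "IsOrganizationTrail": True,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:cloudtrail:*",
    },
    {
        "Name": "legacy-trail",
        "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/legacy-trail",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": False,
        "IsOrganizationTrail": False,
    },
]

# Constructed sample data shaped like get_event_selectors() responses.
SAMPLE_SELECTORS = {
    "org-audit-trail": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "legacy-trail": {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
}

if __name__ == "__main__":
    for scope, findings in audit_account(SAMPLE_TRAILS, SAMPLE_SELECTORS).items():
        for f in findings:
            print(f"{scope}: {f.setting} expected {f.expected!r}, got {f.actual!r}")
```

Against the constructed data the compliant trail produces no findings, the legacy trail is flagged for single-region scope, disabled file validation, missing CloudWatch Logs delivery and write-only management events, and the account check flags the duplicated global service events. For a live account, feed `describe_trails()["trailList"]` and one `get_event_selectors(TrailName=...)` response per trail into `audit_account`.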
Record fields
| Record Field | Field type | Description |
|---|---|---|
| ConstructId | string option | Optional CDK construct ID |
| EnableFileValidation | bool option | Enable log file integrity validation (default true) |
| IncludeGlobalServiceEvents | bool option | Include events from global services such as IAM, STS and CloudFront (default true) |
| IsMultiRegionTrail | bool option | Capture events from all regions (default true) |
| IsOrganizationTrail | bool option | Record events for all accounts in the AWS Organization |
| SendToCloudWatchLogs | bool option | Deliver events to CloudWatch Logs (default true) |
| TrailName | string | Name of the trail (required) |
FsCDK