}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
CloudWatchLogsLogGroupArn (p. 17)
Specifies the Amazon Resource Name (ARN) of the log group to which CloudTrail logs will be delivered.
Type: String
CloudWatchLogsRoleArn (p. 17)
Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.
Type: String
IncludeGlobalServiceEvents (p. 17)
Specifies whether the trail is publishing events from global services such as IAM to the log files.
Type: Boolean
IsMultiRegionTrail (p. 17)
Specifies whether the trail exists in one region or in all regions.
Type: Boolean
IsOrganizationTrail (p. 17)
Specifies whether the trail is an organization trail.
Type: Boolean
KmsKeyId (p. 17)
Specifies the AWS KMS key ID that encrypts the logs delivered by CloudTrail. The value is a fully specified ARN to an AWS KMS key in the following format.
arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
Type: String
LogFileValidationEnabled (p. 17)
Specifies whether log file integrity validation is enabled.
Type: Boolean
Name (p. 17)
Specifies the name of the trail.
Type: String
S3BucketName (p. 17)
Specifies the name of the Amazon S3 bucket designated for publishing log files.
Type: String
S3KeyPrefix (p. 17)
Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery. For more information, see Finding Your CloudTrail Log Files.
Type: String
SnsTopicARN (p. 17)
Specifies the ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered. The format of a topic ARN is:
arn:aws:sns:us-east-2:123456789012:MyTopic
Type: String
SnsTopicName (p. 17)
This parameter has been deprecated.
This field is no longer in use. Use CreateTrail:SnsTopicARN (p. 19).
Type: String
TrailARN (p. 17)
Specifies the ARN of the trail that was created. The format of a trail ARN is:
arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail
Type: String
Errors
For information about the errors that are common to all actions, see Common Errors (p. 138).
CloudTrailAccessNotEnabledException
This exception is thrown when trusted access has not been enabled between AWS CloudTrail and AWS Organizations. For more information, see Enabling Trusted Access with Other AWS Services and Prepare For Creating a Trail For Your Organization.
HTTP Status Code: 400
CloudTrailInvalidClientTokenIdException
This exception is thrown when a call results in the InvalidClientTokenId error code. This can occur when you are creating or updating a trail to send notifications to an Amazon SNS topic that is in a suspended AWS account.
HTTP Status Code: 400
CloudWatchLogsDeliveryUnavailableException
Cannot set a CloudWatch Logs delivery for this region.
HTTP Status Code: 400
ConflictException
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a trail before CloudTrail has time to fully load the trail. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
InsufficientDependencyServiceAccessPermissionException
This exception is thrown when the IAM user or role that is used to create the organization trail is lacking one or more required permissions for creating an organization trail in a required service. For more information, see Prepare For Creating a Trail For Your Organization.
HTTP Status Code: 400
InsufficientEncryptionPolicyException
This exception is thrown when the policy on the S3 bucket or AWS KMS key is not sufficient.
HTTP Status Code: 400
InsufficientS3BucketPolicyException
This exception is thrown when the policy on the S3 bucket is not sufficient.
HTTP Status Code: 400
InsufficientSnsTopicPolicyException
This exception is thrown when the policy on the Amazon SNS topic is not sufficient.
HTTP Status Code: 400
InvalidCloudWatchLogsLogGroupArnException
This exception is thrown when the provided CloudWatch Logs log group is not valid.
HTTP Status Code: 400
InvalidCloudWatchLogsRoleArnException
This exception is thrown when the provided role is not valid.
HTTP Status Code: 400
InvalidKmsKeyIdException
This exception is thrown when the AWS KMS key ARN is not valid.
HTTP Status Code: 400
InvalidParameterCombinationException
This exception is thrown when the combination of parameters provided is not valid.
HTTP Status Code: 400
InvalidS3BucketNameException
This exception is thrown when the provided S3 bucket name is not valid.
HTTP Status Code: 400
InvalidS3PrefixException
This exception is thrown when the provided S3 prefix is not valid.
HTTP Status Code: 400
InvalidSnsTopicNameException
This exception is thrown when the provided SNS topic name is not valid.
HTTP Status Code: 400
InvalidTagParameterException
This exception is thrown when the specified tag key or values are not valid. It can also occur if there are duplicate tags or too many tags on the resource.
HTTP Status Code: 400
InvalidTrailNameException
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
• Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
• Start with a letter or number, and end with a letter or number
• Be between 3 and 128 characters
• Have no adjacent periods, underscores or dashes. Names like my-_namespace and my--namespace are not valid.
• Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
KmsException
This exception is thrown when there is an issue with the specified AWS KMS key and the trail can’t be updated.
HTTP Status Code: 400
KmsKeyDisabledException
This error has been deprecated.
This exception is no longer in use.
HTTP Status Code: 400
KmsKeyNotFoundException
This exception is thrown when the AWS KMS key does not exist, when the S3 bucket and the AWS KMS key are not in the same region, or when the AWS KMS key associated with the Amazon SNS topic either does not exist or is not in the same region.
HTTP Status Code: 400
MaximumNumberOfTrailsExceededException
This exception is thrown when the maximum number of trails is reached.
HTTP Status Code: 400
NotOrganizationMasterAccountException
This exception is thrown when the AWS account making the request to create or update an organization trail is not the management account for an organization in AWS Organizations. For more information, see Prepare For Creating a Trail For Your Organization.
HTTP Status Code: 400
OperationNotPermittedException
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
OrganizationNotInAllFeaturesModeException
This exception is thrown when AWS Organizations is not configured to support all features. All features must be enabled in Organizations to support creating an organization trail. For more information, see Prepare For Creating a Trail For Your Organization.
HTTP Status Code: 400
OrganizationsNotInUseException
This exception is thrown when the request is made from an AWS account that is not a member of an organization. To make this request, sign in using the credentials of an account that belongs to an organization.
HTTP Status Code: 400
S3BucketDoesNotExistException
This exception is thrown when the specified S3 bucket does not exist.
HTTP Status Code: 400
TrailAlreadyExistsException
This exception is thrown when the specified trail already exists.
HTTP Status Code: 400
TrailNotProvidedException
This exception is no longer in use.
HTTP Status Code: 400
UnsupportedOperationException
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
DeleteEventDataStore
Disables the event data store specified by EventDataStore, which accepts an event data store ARN.
After you run DeleteEventDataStore, the event data store enters a PENDING_DELETION state, and is automatically deleted after a wait period of seven days. TerminationProtectionEnabled must be set to False on the event data store; this operation cannot work if TerminationProtectionEnabled is True.
After you run DeleteEventDataStore on an event data store, you cannot run ListQueries, DescribeQuery, or GetQueryResults on queries that are using an event data store in a PENDING_DELETION state. An event data store in the PENDING_DELETION state does not incur costs.
Request Syntax
{
"EventDataStore": "string"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters (p. 136).
The request accepts the following data in JSON format.
EventDataStore (p. 23)
The ARN (or the ID suffix of the ARN) of the event data store to delete.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: ^[a-zA-Z0-9._/\-:]+$
Required: Yes
Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
Errors
For information about the errors that are common to all actions, see Common Errors (p. 138).
EventDataStoreARNInvalidException
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
EventDataStoreNotFoundException
The specified event data store was not found.
HTTP Status Code: 400
EventDataStoreTerminationProtectedException
The event data store cannot be deleted because termination protection is enabled for it.
HTTP Status Code: 400
InsufficientDependencyServiceAccessPermissionException
This exception is thrown when the IAM user or role that is used to create the organization trail is lacking one or more required permissions for creating an organization trail in a required service. For more information, see Prepare For Creating a Trail For Your Organization.
HTTP Status Code: 400
InvalidParameterException
The request includes a parameter that is not valid.
HTTP Status Code: 400
NotOrganizationMasterAccountException
This exception is thrown when the AWS account making the request to create or update an organization trail is not the management account for an organization in AWS Organizations. For more information, see Prepare For Creating a Trail For Your Organization.
HTTP Status Code: 400
OperationNotPermittedException
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
UnsupportedOperationException
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
DeleteTrail
Deletes a trail. This operation must be called from the region in which the trail was created.
DeleteTrail cannot be called on the shadow trails (replicated trails in other regions) of a trail that is enabled in all regions.
Request Syntax
{
"Name": "string"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters (p. 136).
The request accepts the following data in JSON format.
Name (p. 25)
Specifies the name or the CloudTrail ARN of the trail to be deleted. The following is the format of a trail ARN.
arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail
Type: String
Required: Yes
Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
Errors
For information about the errors that are common to all actions, see Common Errors (p. 138).
ConflictException
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a trail before CloudTrail has time to fully load the trail. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
InsufficientDependencyServiceAccessPermissionException
This exception is thrown when the IAM user or role that is used to create the organization trail is lacking one or more required permissions for creating an organization trail in a required service. For more information, see Prepare For Creating a Trail For Your Organization.
HTTP Status Code: 400
InvalidHomeRegionException
This exception is thrown when an operation is called on a trail from a region other than the region in which the trail was created.
HTTP Status Code: 400
InvalidTrailNameException
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
• Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
• Start with a letter or number, and end with a letter or number
• Be between 3 and 128 characters
• Have no adjacent periods, underscores or dashes. Names like my-_namespace and my--namespace are not valid.
• Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
NotOrganizationMasterAccountException
This exception is thrown when the AWS account making the request to create or update an organization trail is not the management account for an organization in AWS Organizations. For more information, see Prepare For Creating a Trail For Your Organization.
HTTP Status Code: 400
OperationNotPermittedException
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
TrailNotFoundException
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
UnsupportedOperationException
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
DescribeQuery
Returns metadata about a query, including query run time in milliseconds, number of events scanned and matched, and query status. You must specify an ARN for EventDataStore, and a value for QueryId.
Request Syntax
{
"EventDataStore": "string",
"QueryId": "string"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters (p. 136).
The request accepts the following data in JSON format.
EventDataStore (p. 27)
The ARN (or the ID suffix of the ARN) of an event data store on which the specified query was run.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: ^[a-zA-Z0-9._/\-:]+$
Required: Yes
QueryId (p. 27)
The query ID.
Type: String
Length Constraints: Fixed length of 36.
Pattern: ^[a-f0-9\-]+$
Required: Yes
Response Syntax
{
"ErrorMessage": "string",
"QueryId": "string",
"QueryStatistics": {
"CreationTime": number,
"EventsMatched": number,
"EventsScanned": number,
"ExecutionTimeInMillis": number
},
"QueryStatus": "string",
"QueryString": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
ErrorMessage (p. 27)
The error message returned if a query failed.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: .*
QueryId (p. 27)
The ID of the query.
Type: String
Length Constraints: Fixed length of 36.
Pattern: ^[a-f0-9\-]+$
QueryStatistics (p. 27)
Metadata about a query, including the number of events that were matched, the total number of events scanned, the query run time in milliseconds, and the query's creation time.
Type: QueryStatisticsForDescribeQuery (p. 128) object
QueryStatus (p. 27)
The status of a query. Values for QueryStatus include QUEUED, RUNNING, FINISHED, FAILED, or CANCELLED.
Type: String
Valid Values: QUEUED | RUNNING | FINISHED | FAILED | CANCELLED
QueryString (p. 27)
The SQL code of a query.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 10000.
Pattern: (?s).*
Errors
For information about the errors that are common to all actions, see Common Errors (p. 138).
EventDataStoreARNInvalidException
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
EventDataStoreNotFoundException
The specified event data store was not found.
HTTP Status Code: 400
InactiveEventDataStoreException
The event data store against which you ran your query is inactive.
HTTP Status Code: 400
InvalidParameterException
The request includes a parameter that is not valid.
HTTP Status Code: 400
OperationNotPermittedException
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
QueryIdNotFoundException
The query ID does not exist or does not map to a query.
HTTP Status Code: 400
UnsupportedOperationException
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
DescribeTrails
Retrieves settings for one or more trails associated with the current region for your account.
Request Syntax
{
"includeShadowTrails": boolean,
"trailNameList": [ "string" ]
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters (p. 136).
The request accepts the following data in JSON format.
includeShadowTrails (p. 30)
Specifies whether to include shadow trails in the response. A shadow trail is the replication in a region of a trail that was created in a different region, or in the case of an organization trail, the replication of an organization trail in member accounts. If you do not include shadow trails, organization trails in a member account and region replication trails will not be returned. The default is true.
Type: Boolean
Required: No
trailNameList (p. 30)
Specifies a list of trail names, trail ARNs, or both, of the trails to describe. The format of a trail ARN is:
arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail
If an empty list is specified, information for the trail in the current region is returned.
• If an empty list is specified and IncludeShadowTrails is false, then information for all trails in the current region is returned.
• If an empty list is specified and IncludeShadowTrails is null or true, then information for all trails in the current region and any associated shadow trails in other regions is returned.
Note: If one or more trail names are specified, information is returned only if the names match the names of trails belonging only to the current region. To return information about a trail in another region, you must specify its trail ARN.
Type: Array of strings
Required: No
Response Syntax
{
"trailList": [
{
"CloudWatchLogsLogGroupArn": "string",
"CloudWatchLogsRoleArn": "string",
"HasCustomEventSelectors": boolean,
"HasInsightSelectors": boolean,
"HomeRegion": "string",
"IncludeGlobalServiceEvents": boolean,
"IsMultiRegionTrail": boolean,
"IsOrganizationTrail": boolean,
"KmsKeyId": "string",
"LogFileValidationEnabled": boolean,
"Name": "string",
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
trailList (p. 30)
The list of trail objects. Trail objects with string values are only returned if values for the objects exist in a trail's configuration. For example, SNSTopicName and SNSTopicARN are only returned in results if a trail is configured to send SNS notifications. Similarly, KMSKeyId only appears in results if a trail's log files are encrypted with AWS KMS customer managed keys.
Type: Array of Trail (p. 132) objects
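Because string-valued Trail fields are only returned when they are set, a posture check over a DescribeTrails response must treat an absent KmsKeyId or CloudWatchLogsLogGroupArn as "not configured" rather than as an error. The following audit is an added example, not AWS code; the response dict it walks is constructed here for illustration and uses only the Trail fields documented on this page.

```python
"""Posture check over a DescribeTrails response (added example, not AWS code).

Trail objects only carry string-valued keys that are set, so an absent
KmsKeyId means the trail is not encrypted with a KMS key and an absent
CloudWatchLogsLogGroupArn means there is no CloudWatch Logs delivery.
"""

# Constructed sample response: one well-configured organization trail and
# one single-region trail with validation, encryption and CW Logs missing.
SAMPLE_DESCRIBE_TRAILS_RESPONSE = {
    "trailList": [
        {
            "Name": "org-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/org-trail",
            "HomeRegion": "us-east-2",
            "S3BucketName": "example-cloudtrail-logs",
            "IncludeGlobalServiceEvents": True,
            "IsMultiRegionTrail": True,
            "IsOrganizationTrail": True,
            "LogFileValidationEnabled": True,
            "KmsKeyId": "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012",
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-2:123456789012:log-group:cloudtrail:*",
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrailToCloudWatch",
            "HasCustomEventSelectors": False,
            "HasInsightSelectors": False,
        },
        {
            "Name": "dev-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/dev-trail",
            "HomeRegion": "us-east-2",
            "S3BucketName": "example-dev-logs",
            "IncludeGlobalServiceEvents": False,
            "IsMultiRegionTrail": False,
            "IsOrganizationTrail": False,
            "LogFileValidationEnabled": False,
            "HasCustomEventSelectors": False,
            "HasInsightSelectors": False,
        },
    ]
}


def audit_trail(trail):
    """Return the list of findings for one Trail object (empty list = clean)."""
    findings = []
    if not trail.get("IsMultiRegionTrail", False):
        findings.append("not multi-region: activity in other regions is not captured")
    if not trail.get("IncludeGlobalServiceEvents", False):
        findings.append("global service events (for example IAM) are not logged")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append("log file integrity validation disabled")
    if "KmsKeyId" not in trail:  # key absent means no KMS encryption
        findings.append("log files not encrypted with a KMS key")
    if "CloudWatchLogsLogGroupArn" not in trail or "CloudWatchLogsRoleArn" not in trail:
        findings.append("no CloudWatch Logs delivery configured")
    return findings


def audit_response(response):
    """Map each trail name in a DescribeTrails response to its findings."""
    return {t["Name"]: audit_trail(t) for t in response.get("trailList", [])}


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_DESCRIBE_TRAILS_RESPONSE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Against a live account the same dict comes from boto3's `client("cloudtrail").describe_trails(includeShadowTrails=False)`, which returns only trails homed in the current region.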
Errors
For information about the errors that are common to all actions, see Common Errors (p. 138).
InvalidTrailNameException
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
• Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), or dashes (-)
• Start with a letter or number, and end with a letter or number
• Be between 3 and 128 characters
• Have no adjacent periods, underscores or dashes. Names like my-_namespace and my--namespace are not valid.
• Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
OperationNotPermittedException
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
UnsupportedOperationException
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
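The trail-name rules listed under InvalidTrailNameException for CreateTrail, DeleteTrail and DescribeTrails above, applied as a local validator so that a bad name is rejected before the API call. This is an added example, not CloudTrail's own check; it assumes the "IP address format" rule means the dotted-quad IPv4 form shown in the page's example.

```python
import ipaddress
import re

# Rules from InvalidTrailNameException: allowed characters, length, first and
# last character, no adjacent separators, not an IP address.
_ALLOWED = re.compile(r"[A-Za-z0-9._-]+")   # used with fullmatch
_ADJACENT = re.compile(r"[._-]{2}")         # e.g. "my--namespace", "my-_namespace"


def trail_name_problems(name):
    """Return the list of rule violations for a trail name (empty list = valid)."""
    problems = []
    if not _ALLOWED.fullmatch(name):
        problems.append("contains characters other than ASCII letters, digits, '.', '_' or '-'")
    if not 3 <= len(name) <= 128:
        problems.append("length must be between 3 and 128 characters")
    if name and not (name[0].isalnum() and name[-1].isalnum()):
        problems.append("must start and end with a letter or number")
    if _ADJACENT.search(name):
        problems.append("adjacent periods, underscores or dashes are not allowed")
    try:
        # Assumption: the rule targets dotted-quad IPv4 names such as 192.168.5.4.
        ipaddress.IPv4Address(name)
        problems.append("must not be in IP address format")
    except ValueError:
        pass
    return problems


def is_valid_trail_name(name):
    """True when the name satisfies every rule."""
    return not trail_name_problems(name)


if __name__ == "__main__":
    for candidate in ("my-trail.2024", "my--namespace", "192.168.5.4", "-bad"):
        print(candidate, trail_name_problems(candidate) or "valid")
```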
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++