feat(client-cloudtrail): AWS CloudTrail now supports Insights for data events, expanding beyond management events to automatically detect unusual activity on data plane operations.

Author: awstools

clients/client-cloudtrail/README.md

@@ -482,6 +482,14 @@ ListImports
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cloudtrail/command/ListImportsCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cloudtrail/Interface/ListImportsCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cloudtrail/Interface/ListImportsCommandOutput/)
 
+</details>
+<details>
+<summary>
+ListInsightsData
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cloudtrail/command/ListInsightsDataCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cloudtrail/Interface/ListInsightsDataCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cloudtrail/Interface/ListInsightsDataCommandOutput/)
+
 </details>
 <details>
 <summary>

clients/client-cloudtrail/src/CloudTrail.ts

@@ -136,6 +136,11 @@ import {
   ListImportFailuresCommandOutput,
 } from "./commands/ListImportFailuresCommand";
 import { ListImportsCommand, ListImportsCommandInput, ListImportsCommandOutput } from "./commands/ListImportsCommand";
+import {
+  ListInsightsDataCommand,
+  ListInsightsDataCommandInput,
+  ListInsightsDataCommandOutput,
+} from "./commands/ListInsightsDataCommand";
 import {
   ListInsightsMetricDataCommand,
   ListInsightsMetricDataCommandInput,
@@ -265,6 +270,7 @@ const commands = {
   ListEventDataStoresCommand,
   ListImportFailuresCommand,
   ListImportsCommand,
+  ListInsightsDataCommand,
   ListInsightsMetricDataCommand,
   ListPublicKeysCommand,
   ListQueriesCommand,
@@ -761,6 +767,23 @@ export interface CloudTrail {
     cb: (err: any, data?: ListImportsCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link ListInsightsDataCommand}
+   */
+  listInsightsData(
+    args: ListInsightsDataCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<ListInsightsDataCommandOutput>;
+  listInsightsData(
+    args: ListInsightsDataCommandInput,
+    cb: (err: any, data?: ListInsightsDataCommandOutput) => void
+  ): void;
+  listInsightsData(
+    args: ListInsightsDataCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: ListInsightsDataCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link ListInsightsMetricDataCommand}
    */

clients/client-cloudtrail/src/CloudTrailClient.ts

@@ -111,6 +111,7 @@ import {
 } from "./commands/ListEventDataStoresCommand";
 import { ListImportFailuresCommandInput, ListImportFailuresCommandOutput } from "./commands/ListImportFailuresCommand";
 import { ListImportsCommandInput, ListImportsCommandOutput } from "./commands/ListImportsCommand";
+import { ListInsightsDataCommandInput, ListInsightsDataCommandOutput } from "./commands/ListInsightsDataCommand";
 import {
   ListInsightsMetricDataCommandInput,
   ListInsightsMetricDataCommandOutput,
@@ -215,6 +216,7 @@ export type ServiceInputTypes =
   | ListEventDataStoresCommandInput
   | ListImportFailuresCommandInput
   | ListImportsCommandInput
+  | ListInsightsDataCommandInput
   | ListInsightsMetricDataCommandInput
   | ListPublicKeysCommandInput
   | ListQueriesCommandInput
@@ -279,6 +281,7 @@ export type ServiceOutputTypes =
   | ListEventDataStoresCommandOutput
   | ListImportFailuresCommandOutput
   | ListImportsCommandOutput
+  | ListInsightsDataCommandOutput
   | ListInsightsMetricDataCommandOutput
   | ListPublicKeysCommandOutput
   | ListQueriesCommandOutput

clients/client-cloudtrail/src/commands/CreateEventDataStoreCommand.ts

@@ -233,6 +233,11 @@ export interface CreateEventDataStoreCommandOutput extends CreateEventDataStoreR
  *          that is not a member of an organization. To make this request, sign in using the
  *          credentials of an account that belongs to an organization.</p>
  *
+ * @throws {@link ThrottlingException} (client fault)
+ *  <p>
+ *          This exception is thrown when the request rate exceeds the limit.
+ *       </p>
+ *
  * @throws {@link UnsupportedOperationException} (client fault)
  *  <p>This exception is thrown when the requested operation is not supported.</p>
  *

clients/client-cloudtrail/src/commands/DeleteTrailCommand.ts

@@ -30,6 +30,18 @@ export interface DeleteTrailCommandOutput extends DeleteTrailResponse, __Metadat
  * <p>Deletes a trail. This operation must be called from the Region in which the trail was
  *          created. <code>DeleteTrail</code> cannot be called on the shadow trails (replicated trails
  *          in other Regions) of a trail that is enabled in all Regions.</p>
+ *          <important>
+ *             <p>
+ *          While deleting a CloudTrail trail is an irreversible action, CloudTrail does not
+ *          delete log files in the Amazon S3 bucket for that trail, the Amazon S3 bucket itself, or the
+ *          CloudWatchlog group to which the trail delivers events. Deleting a multi-Region trail
+ *          will stop logging of events in all Amazon Web Services Regions enabled in your Amazon Web Services account. Deleting a
+ *          single-Region trail will stop logging of events in that Region only. It will not stop
+ *          logging of events in other Regions even if the trails in those other Regions have
+ *          identical names to the deleted trail.
+ *       </p>
+ *             <p>For information about account closure and deletion of CloudTrail trails, see <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-account-closure.html">https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-account-closure.html</a>.</p>
+ *          </important>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

clients/client-cloudtrail/src/commands/GetInsightSelectorsCommand.ts

@@ -28,8 +28,8 @@ export interface GetInsightSelectorsCommandOutput extends GetInsightSelectorsRes
 
 /**
  * <p>Describes the settings for the Insights event selectors that you configured for your
- *          trail or event data store. <code>GetInsightSelectors</code> shows if CloudTrail Insights event logging
- *          is enabled on the trail or event data store, and if it is, which Insights types are enabled. If you run
+ *          trail or event data store. <code>GetInsightSelectors</code> shows if CloudTrail Insights logging is enabled
+ *          and which Insights types are configured with corresponding event categories. If you run
  *             <code>GetInsightSelectors</code> on a trail or event data store that does not have Insights events enabled,
  *          the operation throws the exception <code>InsightNotEnabledException</code>
  *          </p>
@@ -55,6 +55,9 @@ export interface GetInsightSelectorsCommandOutput extends GetInsightSelectorsRes
  * //   InsightSelectors: [ // InsightSelectors
  * //     { // InsightSelector
  * //       InsightType: "ApiCallRateInsight" || "ApiErrorRateInsight",
+ * //       EventCategories: [ // SourceEventCategories
+ * //         "Management" || "Data",
+ * //       ],
  * //     },
  * //   ],
  * //   EventDataStoreArn: "STRING_VALUE",

clients/client-cloudtrail/src/commands/ListInsightsDataCommand.ts

@@ -0,0 +1,141 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import { CloudTrailClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../CloudTrailClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import { ListInsightsDataRequest, ListInsightsDataResponse } from "../models/models_0";
+import { ListInsightsData } from "../schemas/schemas_0";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link ListInsightsDataCommand}.
+ */
+export interface ListInsightsDataCommandInput extends ListInsightsDataRequest {}
+/**
+ * @public
+ *
+ * The output of {@link ListInsightsDataCommand}.
+ */
+export interface ListInsightsDataCommandOutput extends ListInsightsDataResponse, __MetadataBearer {}
+
+/**
+ * <p>Returns Insights events generated on a trail that logs data events. You can list Insights events that occurred in a Region within the last 90 days.</p>
+ *          <p>ListInsightsData supports the following Dimensions for Insights events:</p>
+ *          <ul>
+ *             <li>
+ *                <p>Event ID</p>
+ *             </li>
+ *             <li>
+ *                <p>Event name</p>
+ *             </li>
+ *             <li>
+ *                <p>Event source</p>
+ *             </li>
+ *          </ul>
+ *          <p>All dimensions are optional. The default number of results returned is 50, with a
+ *          maximum of 50 possible. The response includes a token that you can use to get the next page
+ *          of results.</p>
+ *          <p>The rate of ListInsightsData requests is limited to two per second, per account, per Region. If
+ *             this limit is exceeded, a throttling error occurs.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CloudTrailClient, ListInsightsDataCommand } from "@aws-sdk/client-cloudtrail"; // ES Modules import
+ * // const { CloudTrailClient, ListInsightsDataCommand } = require("@aws-sdk/client-cloudtrail"); // CommonJS import
+ * // import type { CloudTrailClientConfig } from "@aws-sdk/client-cloudtrail";
+ * const config = {}; // type is CloudTrailClientConfig
+ * const client = new CloudTrailClient(config);
+ * const input = { // ListInsightsDataRequest
+ *   InsightSource: "STRING_VALUE", // required
+ *   DataType: "InsightsEvents", // required
+ *   Dimensions: { // ListInsightsDataDimensions
+ *     "<keys>": "STRING_VALUE",
+ *   },
+ *   StartTime: new Date("TIMESTAMP"),
+ *   EndTime: new Date("TIMESTAMP"),
+ *   MaxResults: Number("int"),
+ *   NextToken: "STRING_VALUE",
+ * };
+ * const command = new ListInsightsDataCommand(input);
+ * const response = await client.send(command);
+ * // { // ListInsightsDataResponse
+ * //   Events: [ // EventsList
+ * //     { // Event
+ * //       EventId: "STRING_VALUE",
+ * //       EventName: "STRING_VALUE",
+ * //       ReadOnly: "STRING_VALUE",
+ * //       AccessKeyId: "STRING_VALUE",
+ * //       EventTime: new Date("TIMESTAMP"),
+ * //       EventSource: "STRING_VALUE",
+ * //       Username: "STRING_VALUE",
+ * //       Resources: [ // ResourceList
+ * //         { // Resource
+ * //           ResourceType: "STRING_VALUE",
+ * //           ResourceName: "STRING_VALUE",
+ * //         },
+ * //       ],
+ * //       CloudTrailEvent: "STRING_VALUE",
+ * //     },
+ * //   ],
+ * //   NextToken: "STRING_VALUE",
+ * // };
+ *
+ * ```
+ *
+ * @param ListInsightsDataCommandInput - {@link ListInsightsDataCommandInput}
+ * @returns {@link ListInsightsDataCommandOutput}
+ * @see {@link ListInsightsDataCommandInput} for command's `input` shape.
+ * @see {@link ListInsightsDataCommandOutput} for command's `response` shape.
+ * @see {@link CloudTrailClientResolvedConfig | config} for CloudTrailClient's `config` shape.
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>The request includes a parameter that is not valid.</p>
+ *
+ * @throws {@link OperationNotPermittedException} (client fault)
+ *  <p>This exception is thrown when the requested operation is not permitted.</p>
+ *
+ * @throws {@link UnsupportedOperationException} (client fault)
+ *  <p>This exception is thrown when the requested operation is not supported.</p>
+ *
+ * @throws {@link CloudTrailServiceException}
+ * <p>Base exception class for all service exceptions from CloudTrail service.</p>
+ *
+ *
+ * @public
+ */
+export class ListInsightsDataCommand extends $Command
+  .classBuilder<
+    ListInsightsDataCommandInput,
+    ListInsightsDataCommandOutput,
+    CloudTrailClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CloudTrailClientResolvedConfig, o: any) {
+    return [getEndpointPlugin(config, Command.getEndpointParameterInstructions())];
+  })
+  .s("CloudTrail_20131101", "ListInsightsData", {})
+  .n("CloudTrailClient", "ListInsightsDataCommand")
+  .sc(ListInsightsData)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: ListInsightsDataRequest;
+      output: ListInsightsDataResponse;
+    };
+    sdk: {
+      input: ListInsightsDataCommandInput;
+      output: ListInsightsDataCommandOutput;
+    };
+  };
+}

clients/client-cloudtrail/src/commands/ListInsightsMetricDataCommand.ts

@@ -42,8 +42,17 @@ export interface ListInsightsMetricDataCommandOutput extends ListInsightsMetricD
  *                <p>Data points with a period of 3600 seconds (1 hour) are available for 90 days.</p>
  *             </li>
  *          </ul>
- *          <p>Access to the <code>ListInsightsMetricData</code> API operation is linked to the <code>cloudtrail:LookupEvents</code> action. To use this operation,
+ *          <p>To use <code>ListInsightsMetricData</code> operation, you must have the following permissions:</p>
+ *          <ul>
+ *             <li>
+ *                <p>If <code>ListInsightsMetricData</code> is invoked with <code>TrailName</code> parameter, access to the <code>ListInsightsMetricData</code> API operation is linked to the <code>cloudtrail:LookupEvents</code> action and <code>cloudtrail:ListInsightsData</code>. To use this operation,
+ *          you must have permissions to perform the <code>cloudtrail:LookupEvents</code> and <code>cloudtrail:ListInsightsData</code> action on the specific trail.</p>
+ *             </li>
+ *             <li>
+ *                <p>If <code>ListInsightsMetricData</code> is invoked without <code>TrailName</code> parameter, access to the <code>ListInsightsMetricData</code> API operation is linked to the <code>cloudtrail:LookupEvents</code> action only. To use this operation,
  *          you must have permissions to perform the <code>cloudtrail:LookupEvents</code> action.</p>
+ *             </li>
+ *          </ul>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -53,6 +62,7 @@ export interface ListInsightsMetricDataCommandOutput extends ListInsightsMetricD
  * const config = {}; // type is CloudTrailClientConfig
  * const client = new CloudTrailClient(config);
  * const input = { // ListInsightsMetricDataRequest
+ *   TrailName: "STRING_VALUE",
  *   EventSource: "STRING_VALUE", // required
  *   EventName: "STRING_VALUE", // required
  *   InsightType: "ApiCallRateInsight" || "ApiErrorRateInsight", // required
@@ -67,6 +77,7 @@ export interface ListInsightsMetricDataCommandOutput extends ListInsightsMetricD
  * const command = new ListInsightsMetricDataCommand(input);
  * const response = await client.send(command);
  * // { // ListInsightsMetricDataResponse
+ * //   TrailARN: "STRING_VALUE",
  * //   EventSource: "STRING_VALUE",
  * //   EventName: "STRING_VALUE",
  * //   InsightType: "ApiCallRateInsight" || "ApiErrorRateInsight",
@@ -91,6 +102,29 @@ export interface ListInsightsMetricDataCommandOutput extends ListInsightsMetricD
  * @throws {@link InvalidParameterException} (client fault)
  *  <p>The request includes a parameter that is not valid.</p>
  *
+ * @throws {@link InvalidTrailNameException} (client fault)
+ *  <p>This exception is thrown when the provided trail name is not valid. Trail names must
+ *          meet the following requirements:</p>
+ *          <ul>
+ *             <li>
+ *                <p>Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores
+ *                (_), or dashes (-)</p>
+ *             </li>
+ *             <li>
+ *                <p>Start with a letter or number, and end with a letter or number</p>
+ *             </li>
+ *             <li>
+ *                <p>Be between 3 and 128 characters</p>
+ *             </li>
+ *             <li>
+ *                <p>Have no adjacent periods, underscores or dashes. Names like
+ *                   <code>my-_namespace</code> and <code>my--namespace</code> are not valid.</p>
+ *             </li>
+ *             <li>
+ *                <p>Not be in IP address format (for example, 192.168.5.4)</p>
+ *             </li>
+ *          </ul>
+ *
  * @throws {@link OperationNotPermittedException} (client fault)
  *  <p>This exception is thrown when the requested operation is not permitted.</p>
  *

clients/client-cloudtrail/src/commands/PutInsightSelectorsCommand.ts

@@ -27,15 +27,33 @@ export interface PutInsightSelectorsCommandInput extends PutInsightSelectorsRequ
 export interface PutInsightSelectorsCommandOutput extends PutInsightSelectorsResponse, __MetadataBearer {}
 
 /**
- * <p>Lets you enable Insights event logging by specifying the Insights selectors that you
+ * <p>Lets you enable Insights event logging on specific event categories by specifying the Insights selectors that you
  *          want to enable on an existing trail or event data store. You also use <code>PutInsightSelectors</code> to turn
  *          off Insights event logging, by passing an empty list of Insights types. The valid Insights
  *          event types are <code>ApiErrorRateInsight</code> and
- *             <code>ApiCallRateInsight</code>.</p>
+ *             <code>ApiCallRateInsight</code>, and valid EventCategories are <code>Management</code> and <code>Data</code>.</p>
+ *          <note>
+ *             <p>
+ *             Insights on data events are not supported on event data stores. For event data stores, you can only enable Insights on management events.
+ *          </p>
+ *          </note>
  *          <p>To enable Insights on an event data store, you must specify the ARNs (or ID suffix of the ARNs) for the source event data store (<code>EventDataStore</code>) and the destination event data store (<code>InsightsDestination</code>). The source event data store logs management events and enables Insights.
  *          The destination event data store logs Insights events based upon the management event activity of the source event data store. The source and destination event data stores must belong to the same Amazon Web Services account.</p>
  *          <p>To log Insights events for a trail, you must specify the name (<code>TrailName</code>) of the CloudTrail trail for which you want to change or add Insights
  *          selectors.</p>
+ *          <ul>
+ *             <li>
+ *                <p>
+ *                For Management events Insights: To log CloudTrail Insights on the API call rate, the trail or event data store must log <code>write</code> management events.
+ *                To log CloudTrail Insights on the API error rate, the trail or event data store must log <code>read</code> or <code>write</code> management events.
+ *             </p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                For Data events Insights: To log CloudTrail Insights on the API call rate or API error rate, the trail must log <code>read</code> or <code>write</code> data events. Data events Insights are not supported on event data store.
+ *             </p>
+ *             </li>
+ *          </ul>
  *          <p>To log CloudTrail Insights events on API call volume, the trail or event data store
  *          must log <code>write</code> management events. To log CloudTrail
  *          Insights events on API error rate, the trail or event data store must log <code>read</code> or
@@ -56,6 +74,9 @@ export interface PutInsightSelectorsCommandOutput extends PutInsightSelectorsRes
  *   InsightSelectors: [ // InsightSelectors // required
  *     { // InsightSelector
  *       InsightType: "ApiCallRateInsight" || "ApiErrorRateInsight",
+ *       EventCategories: [ // SourceEventCategories
+ *         "Management" || "Data",
+ *       ],
  *     },
  *   ],
  *   EventDataStore: "STRING_VALUE",
@@ -68,6 +89,9 @@ export interface PutInsightSelectorsCommandOutput extends PutInsightSelectorsRes
  * //   InsightSelectors: [ // InsightSelectors
  * //     { // InsightSelector
  * //       InsightType: "ApiCallRateInsight" || "ApiErrorRateInsight",
+ * //       EventCategories: [ // SourceEventCategories
+ * //         "Management" || "Data",
+ * //       ],
  * //     },
  * //   ],
  * //   EventDataStoreArn: "STRING_VALUE",