Readonly cloudTrailAuditBucketName: S3 bucket name where CloudTrail audit logs are stored. Accepts bucket names or SSM parameter references.
Use cases: Centralized audit log collection; Compliance log storage
AWS: CloudTrail S3 destination bucket
Validation: Required; must be an existing S3 bucket name or an SSM parameter path

Readonly cloudTrailAuditKmsKeyArn: KMS key ARN for encrypting CloudTrail logs written to S3. Accepts key ARNs or SSM parameter references.
Use cases: Audit log encryption; Data protection compliance
AWS: KMS key for CloudTrail log encryption
Validation: Required; must be a valid KMS key ARN or an SSM parameter path

Optional Readonly include: If true, management/control plane events are included in the trail. Otherwise, only S3 data events are included.

CloudTrail audit trail configuration for S3 data event logging with KMS encryption. Logs are written to the specified S3 bucket and encrypted with the specified KMS key. Management/control plane events are included optionally.
Use cases: Compliance auditing; S3 data access logging; Security monitoring; Regulatory compliance
AWS: CloudTrail trail with S3 data events, KMS encryption, and optional management events
Validation: cloudTrailAuditBucketName and cloudTrailAuditKmsKeyArn are required
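The validation rules above are stated only in prose. The following is an added example, not the project's own code, of an offline check that applies them: each value must be either a well-formed S3 bucket name / KMS key ARN or an absolute SSM parameter path, and the resulting CloudTrail event selector always covers S3 data events while management events are opt-in. The interface name CloudTrailAuditConfig and the property name includeManagementEvents are assumptions (the page truncates that property's name); cloudTrailAuditBucketName and cloudTrailAuditKmsKeyArn are the names the page uses. Whether the bucket actually exists can only be verified against AWS and is outside this check.

```typescript
// Added example (not the project's code). Interface and includeManagementEvents
// are assumed names; the two required property names come from the page.
export interface CloudTrailAuditConfig {
  readonly cloudTrailAuditBucketName: string; // S3 bucket name or SSM parameter path
  readonly cloudTrailAuditKmsKeyArn: string;  // KMS key ARN or SSM parameter path
  readonly includeManagementEvents?: boolean; // assumed name; default false (S3 data events only)
}

// SSM parameter references are accepted as absolute parameter paths, e.g. "/audit/trail-bucket".
const SSM_PARAMETER_PATH = /^\/[A-Za-z0-9_.\-]+(\/[A-Za-z0-9_.\-]+)*$/;

// S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots and hyphens,
// starting and ending with a letter or digit, no "..", and not shaped like an IPv4 address.
const S3_BUCKET_NAME = /^[a-z0-9][a-z0-9.\-]{1,61}[a-z0-9]$/;
const IPV4_SHAPE = /^\d{1,3}(\.\d{1,3}){3}$/;

// KMS key ARN: arn:<partition>:kms:<region>:<12-digit account>:key/<key-id>
const KMS_KEY_ARN = /^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9\-]+:\d{12}:key\/[A-Za-z0-9\-]+$/;

export function isSsmParameterPath(value: string): boolean {
  return SSM_PARAMETER_PATH.test(value);
}

export function isValidS3BucketName(value: string): boolean {
  return S3_BUCKET_NAME.test(value) && !IPV4_SHAPE.test(value) && !value.includes('..');
}

export function isValidKmsKeyArn(value: string): boolean {
  return KMS_KEY_ARN.test(value);
}

// Returns the list of validation errors; an empty list means the config is acceptable.
export function validateCloudTrailAuditConfig(cfg: CloudTrailAuditConfig): string[] {
  const errors: string[] = [];

  const bucket = cfg.cloudTrailAuditBucketName;
  if (!bucket) {
    errors.push('cloudTrailAuditBucketName is required');
  } else if (!isValidS3BucketName(bucket) && !isSsmParameterPath(bucket)) {
    errors.push(`cloudTrailAuditBucketName must be an S3 bucket name or SSM parameter path, got "${bucket}"`);
  }

  const key = cfg.cloudTrailAuditKmsKeyArn;
  if (!key) {
    errors.push('cloudTrailAuditKmsKeyArn is required');
  } else if (!isValidKmsKeyArn(key) && !isSsmParameterPath(key)) {
    errors.push(`cloudTrailAuditKmsKeyArn must be a KMS key ARN or SSM parameter path, got "${key}"`);
  }

  return errors;
}

// Shape of one entry in a CloudTrail PutEventSelectors request (PascalCase keys as in the API).
export interface CloudTrailEventSelector {
  ReadWriteType: 'All' | 'ReadOnly' | 'WriteOnly';
  IncludeManagementEvents: boolean;
  DataResources: { Type: string; Values: string[] }[];
}

// Event selector matching the trail described on the page: S3 data events for all buckets
// always, management events only when includeManagementEvents is true.
export function eventSelectorsFor(cfg: CloudTrailAuditConfig): CloudTrailEventSelector[] {
  return [{
    ReadWriteType: 'All',
    IncludeManagementEvents: cfg.includeManagementEvents === true,
    DataResources: [{ Type: 'AWS::S3::Object', Values: ['arn:aws:s3'] }],
  }];
}
```

A bucket name such as `192.168.1.1` passes the character rule but is rejected by the IPv4 check, and a bare key id without the `arn:...:key/` prefix is rejected unless it is supplied as an SSM parameter path; the error messages name the property so a deployment pipeline can surface them directly.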