Policy: AWS > Turbot > Audit Trail > CloudTrail > Trail > CloudWatch Role

The name of an IAM role that CloudTrail will assume to write logs to CloudWatch logs.

If CloudWatch Log forwarding is enabled, you must also specify a role that CloudTrail can assume to write the logs. This role must have logs:CreateLogStream and logs:PutLogEvents for the CloudWatch Log Group, and must allow the CloudTrail Service (cloudtrail.amazonaws.com) the ability to assume the role

The role must already exist - the stack wont create it

Targets

This policy targets the following resource types:

AWS > Region

Primary Policy

This policy is used with the following primary policy:

AWS > Turbot > Audit Trail > CloudTrail > Trail

Policy Specification

Schema Type	`string`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/turbot#/control/categories/resourceLogging

Policy Type URI

tmod:@turbot/aws#/policy/types/trailCloudWatchRole

GraphQL

query policyType(id: "tmod:@turbot/aws#/policy/types/trailCloudWatchRole") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/aws#/policy/types/trailCloudWatchRole'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/aws#/policy/types/trailCloudWatchRole'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/aws#/policy/types/trailCloudWatchRole"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws#/policy/types/trailCloudWatchRole"