CLOUDTRAIL

AddTags

# Input-shape template for AddTags: each line names a request field a policy can constrain.
# STRING is a placeholder token (not defined in this listing) standing in for a concrete value.
# Rule-body expressions are ANDed, so a field absent from input leaves `valid` undefined.
valid {
    input.Body.ResourceId == STRING
    # `[_]` is existential: each line holds if any one tag matches, and the Key
    # and Value lines can be satisfied by different tags. It does not check every tag.
    input.Body.TagsList[_].Key == STRING
    input.Body.TagsList[_].Value == STRING
    # Caller context; AccessKeyId is the key identifier, so pin it only for per-key rules.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CancelQuery

# Input-shape template for CancelQuery (cancels a running CloudTrail Lake query).
# STRING is a placeholder token, not a value defined in this listing.
# All expressions must hold together; a missing input field makes the rule undefined.
valid {
    input.Body.EventDataStore == STRING
    input.Body.QueryId == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateChannel

# Allowed values for a channel destination's Type field.
enum_DestinationType := [ "EVENT_DATA_STORE", "AWS_SERVICE" ]

# Input-shape template for CreateChannel. STRING is a placeholder token.
# Rule-body expressions are ANDed; keep only the fields the policy actually constrains.
valid {
    input.Body.Name == STRING
    input.Body.Source == STRING
    # As written this accepts any enum member; to restrict destinations, compare to one literal.
    # `[_]` matches if any one destination satisfies the line, not all of them, and the
    # Type and Location lines can be satisfied by different destinations.
    input.Body.Destinations[_].Type == enum_DestinationType[_]
    input.Body.Destinations[_].Location == STRING
    input.Body.Tags[_].Key == STRING
    input.Body.Tags[_].Value == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateEventDataStore

# Allowed values for the event data store BillingMode field.
enum_BillingMode := [ "EXTENDABLE_RETENTION_PRICING", "FIXED_RETENTION_PRICING" ]

# Input-shape template for CreateEventDataStore.
# STRING / BOOLEAN / INTEGER are placeholder tokens, not values defined in this listing.
# Rule-body expressions are ANDed: every listed field would have to be present and match,
# so a real policy presumably keeps only the lines it needs.
valid {
    input.Body.Name == STRING
    # Each `[_]` is an independent "any element" match; the selector lines below can be
    # satisfied by different selectors and do not assert anything about every selector.
    input.Body.AdvancedEventSelectors[_].Name == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].Field == STRING
    # NOTE(review): a field selector normally carries only some of these operators;
    # requiring all six at once is unlikely to match a real request.
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].Equals[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].StartsWith[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].EndsWith[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].NotEquals[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].NotStartsWith[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].NotEndsWith[_] == STRING
    input.Body.MultiRegionEnabled == BOOLEAN
    input.Body.OrganizationEnabled == BOOLEAN
    # Retention, termination protection and the KMS key decide how durable and how well
    # protected the stored audit events are; these are the fields a guardrail would pin.
    input.Body.RetentionPeriod == INTEGER
    input.Body.TerminationProtectionEnabled == BOOLEAN
    input.Body.TagsList[_].Key == STRING
    input.Body.TagsList[_].Value == STRING
    input.Body.KmsKeyId == STRING
    input.Body.StartIngestion == BOOLEAN
    input.Body.BillingMode == enum_BillingMode[_]
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateTrail

# Input-shape template for CreateTrail.
# STRING / BOOLEAN are placeholder tokens, not values defined in this listing.
# Rule-body expressions are ANDed; an input that omits any listed field fails the rule.
valid {
    input.Body.Name == STRING
    # Log delivery destination: pinning the bucket keeps trails from writing to an unexpected bucket.
    input.Body.S3BucketName == STRING
    input.Body.S3KeyPrefix == STRING
    input.Body.SnsTopicName == STRING
    input.Body.IncludeGlobalServiceEvents == BOOLEAN
    input.Body.IsMultiRegionTrail == BOOLEAN
    # Log file integrity validation; a guardrail would typically require `true` here.
    input.Body.EnableLogFileValidation == BOOLEAN
    input.Body.CloudWatchLogsLogGroupArn == STRING
    input.Body.CloudWatchLogsRoleArn == STRING
    # KMS key used to encrypt delivered log files.
    input.Body.KmsKeyId == STRING
    input.Body.IsOrganizationTrail == BOOLEAN
    # `[_]` matches if any one tag satisfies the line; Key and Value may match different tags.
    input.Body.TagsList[_].Key == STRING
    input.Body.TagsList[_].Value == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteChannel

# Input-shape template for DeleteChannel. STRING is a placeholder token.
# Expressions are ANDed; leaving Channel out of a policy allows deletion of any channel
# by the matched caller, so pin it when the rule is meant to be narrow.
valid {
    input.Body.Channel == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteEventDataStore

# Input-shape template for DeleteEventDataStore. STRING is a placeholder token.
# Removing an event data store removes stored audit events, so an allow rule for this
# action is normally scoped to a specific store and caller rather than left open.
valid {
    input.Body.EventDataStore == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteResourcePolicy

# Input-shape template for DeleteResourcePolicy (removes the resource-based policy
# attached to the resource named by ResourceArn). STRING is a placeholder token.
# Rule-body expressions are ANDed; a missing input field leaves `valid` undefined.
valid {
    input.Body.ResourceArn == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteTrail

# Input-shape template for DeleteTrail. STRING is a placeholder token.
# Deleting a trail ends its log delivery, so this is one of the actions worth both
# restricting (pin Name and the caller fields) and alerting on.
valid {
    input.Body.Name == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeregisterOrganizationDelegatedAdmin

# Input-shape template for DeregisterOrganizationDelegatedAdmin.
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    # Account whose CloudTrail delegated-administrator role is being removed.
    input.Body.DelegatedAdminAccountId == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeQuery

# Input-shape template for DescribeQuery. STRING is a placeholder token.
# Rule-body expressions are ANDed, so all three body fields would have to be present.
valid {
    input.Body.EventDataStore == STRING
    # NOTE(review): QueryId and QueryAlias look like alternative ways to name the query;
    # confirm against the API and keep only the one a policy needs.
    input.Body.QueryId == STRING
    input.Body.QueryAlias == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeTrails

# Input-shape template for DescribeTrails. STRING / BOOLEAN are placeholder tokens.
# Body field names here start lower-case, unlike the other actions in this listing;
# Rego key lookups are case-sensitive, so copy them exactly.
valid {
    # `[_]` holds if any one listed trail name matches, not all of them.
    input.Body.trailNameList[_] == STRING
    input.Body.includeShadowTrails == BOOLEAN
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DisableFederation

# Input-shape template for DisableFederation on an event data store.
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    input.Body.EventDataStore == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

EnableFederation

# Input-shape template for EnableFederation on an event data store.
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    input.Body.EventDataStore == STRING
    # Role named in the request for federation; pinning it to an expected ARN keeps
    # callers from supplying an arbitrary role.
    input.Body.FederationRoleArn == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetChannel

# Input-shape template for GetChannel (read-only lookup of one channel).
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    input.Body.Channel == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetEventDataStore

# Input-shape template for GetEventDataStore (read-only lookup of one event data store).
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    input.Body.EventDataStore == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetEventSelectors

# Input-shape template for GetEventSelectors (reads the event selectors of a trail).
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    input.Body.TrailName == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetImport

# Input-shape template for GetImport (read-only lookup of one import).
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    input.Body.ImportId == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetInsightSelectors

# Input-shape template for GetInsightSelectors. STRING is a placeholder token.
# Rule-body expressions are ANDed, so as written both body fields must be present.
valid {
    # TrailName and EventDataStore are alternatives in the CloudTrail API (a request names
    # one target, not both); keep only the line for the target the policy covers.
    input.Body.TrailName == STRING
    input.Body.EventDataStore == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetQueryResults

# Input-shape template for GetQueryResults. STRING / INTEGER are placeholder tokens.
# Rule-body expressions are ANDed; NextToken and MaxQueryResults are paging fields, so
# requiring them would reject a first-page request that omits them.
valid {
    input.Body.EventDataStore == STRING
    input.Body.QueryId == STRING
    input.Body.NextToken == STRING
    input.Body.MaxQueryResults == INTEGER
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetResourcePolicy

# Input-shape template for GetResourcePolicy (reads the resource-based policy attached
# to the resource named by ResourceArn). STRING is a placeholder token.
# Rule-body expressions are ANDed.
valid {
    input.Body.ResourceArn == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetTrail

# Input-shape template for GetTrail (read-only lookup of one trail's settings).
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    input.Body.Name == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetTrailStatus

# Input-shape template for GetTrailStatus (read-only status lookup for one trail).
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    input.Body.Name == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListChannels

# Input-shape template for ListChannels. STRING / INTEGER are placeholder tokens.
# Both body fields are paging controls; because expressions are ANDed, a policy that
# keeps them only matches requests that actually send them.
valid {
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListEventDataStores

# Input-shape template for ListEventDataStores. STRING / INTEGER are placeholder tokens.
# Both body fields are paging controls; because expressions are ANDed, a policy that
# keeps them only matches requests that actually send them.
valid {
    input.Body.NextToken == STRING
    input.Body.MaxResults == INTEGER
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListImportFailures

# Input-shape template for ListImportFailures. STRING / INTEGER are placeholder tokens.
# Rule-body expressions are ANDed; MaxResults and NextToken are paging controls.
valid {
    input.Body.ImportId == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListImports

# Allowed values for the ImportStatus filter.
enum_ImportStatus := [ "INITIALIZING", "IN_PROGRESS", "FAILED", "STOPPED", "COMPLETED" ]

# Input-shape template for ListImports. STRING / INTEGER are placeholder tokens.
# Rule-body expressions are ANDed; every body field here is a filter or paging control.
valid {
    input.Body.MaxResults == INTEGER
    input.Body.Destination == STRING
    # Holds when ImportStatus equals any member of the enum list.
    input.Body.ImportStatus == enum_ImportStatus[_]
    input.Body.NextToken == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListInsightsMetricData

# Allowed values for InsightType and for the metric DataType field.
enum_InsightType := [ "ApiCallRateInsight", "ApiErrorRateInsight" ]
enum_InsightsMetricDataType := [ "FillWithZeros", "NonZeroData" ]

# Input-shape template for ListInsightsMetricData.
# STRING / INTEGER / TIMESTAMP are placeholder tokens, not values defined in this listing.
# Rule-body expressions are ANDed; keep only the fields a policy needs to constrain.
valid {
    input.Body.EventSource == STRING
    input.Body.EventName == STRING
    input.Body.InsightType == enum_InsightType[_]
    input.Body.ErrorCode == STRING
    # NOTE(review): the listing does not show how TIMESTAMP values are encoded in input;
    # confirm the format before comparing.
    input.Body.StartTime == TIMESTAMP
    input.Body.EndTime == TIMESTAMP
    input.Body.Period == INTEGER
    input.Body.DataType == enum_InsightsMetricDataType[_]
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListPublicKeys

# Input-shape template for ListPublicKeys (lists the public keys used to verify
# CloudTrail digest-file signatures). STRING / TIMESTAMP are placeholder tokens.
# Rule-body expressions are ANDed.
valid {
    input.Body.StartTime == TIMESTAMP
    input.Body.EndTime == TIMESTAMP
    input.Body.NextToken == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListQueries

# Allowed values for the QueryStatus filter.
enum_QueryStatus := [ "QUEUED", "RUNNING", "FINISHED", "FAILED", "CANCELLED", "TIMED_OUT" ]

# Input-shape template for ListQueries.
# STRING / INTEGER / TIMESTAMP are placeholder tokens, not values defined in this listing.
# Rule-body expressions are ANDed; apart from EventDataStore the body fields are filters
# and paging controls.
valid {
    input.Body.EventDataStore == STRING
    input.Body.NextToken == STRING
    input.Body.MaxResults == INTEGER
    input.Body.StartTime == TIMESTAMP
    input.Body.EndTime == TIMESTAMP
    # Holds when QueryStatus equals any member of the enum list.
    input.Body.QueryStatus == enum_QueryStatus[_]
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListTags

# Input-shape template for ListTags. STRING is a placeholder token.
# Rule-body expressions are ANDed.
valid {
    # `[_]` holds if any one listed resource id matches; it does not constrain the others.
    input.Body.ResourceIdList[_] == STRING
    input.Body.NextToken == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListTrails

# Input-shape template for ListTrails. STRING is a placeholder token.
# The only body field is the paging token; because expressions are ANDed, keeping that
# line means a first-page request without NextToken does not match.
valid {
    input.Body.NextToken == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

LookupEvents

# Allowed values for EventCategory and for a lookup attribute's key.
enum_EventCategory := [ "insight" ]
enum_LookupAttributeKey := [ "EventId", "EventName", "ReadOnly", "Username", "ResourceType", "ResourceName", "EventSource", "AccessKeyId" ]

# Input-shape template for LookupEvents.
# STRING / INTEGER / TIMESTAMP are placeholder tokens, not values defined in this listing.
# Rule-body expressions are ANDed.
valid {
    # The two `[_]` lines are independent: the key can match one attribute and the value
    # another. To tie them together, bind one index variable and use it on both lines.
    input.Body.LookupAttributes[_].AttributeKey == enum_LookupAttributeKey[_]
    input.Body.LookupAttributes[_].AttributeValue == STRING
    input.Body.StartTime == TIMESTAMP
    input.Body.EndTime == TIMESTAMP
    input.Body.EventCategory == enum_EventCategory[_]
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutEventSelectors

# Allowed values for an event selector's ReadWriteType field.
enum_ReadWriteType := [ "ReadOnly", "WriteOnly", "All" ]

# Input-shape template for PutEventSelectors.
# STRING / BOOLEAN are placeholder tokens, not values defined in this listing.
# This action changes which events a trail records, so it can narrow audit coverage;
# a guardrail would pin TrailName and the selector values it accepts.
# Rule-body expressions are ANDed. The CloudTrail API takes either EventSelectors or
# AdvancedEventSelectors in one request, not both, so keep only one of the two groups.
valid {
    input.Body.TrailName == STRING
    # Each `[_]` is an independent "any element" match, not a check on every selector.
    input.Body.EventSelectors[_].ReadWriteType == enum_ReadWriteType[_]
    input.Body.EventSelectors[_].IncludeManagementEvents == BOOLEAN
    input.Body.EventSelectors[_].DataResources[_].Type == STRING
    input.Body.EventSelectors[_].DataResources[_].Values[_] == STRING
    input.Body.EventSelectors[_].ExcludeManagementEventSources[_] == STRING
    input.Body.AdvancedEventSelectors[_].Name == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].Field == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].Equals[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].StartsWith[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].EndsWith[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].NotEquals[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].NotStartsWith[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].NotEndsWith[_] == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutInsightSelectors

# Allowed values for an insight selector's InsightType field.
enum_InsightType := [ "ApiCallRateInsight", "ApiErrorRateInsight" ]

# Input-shape template for PutInsightSelectors. STRING is a placeholder token.
# Rule-body expressions are ANDed. In the CloudTrail API, TrailName is not combined with
# EventDataStore / InsightsDestination, so keep only the lines for the target in use.
valid {
    input.Body.TrailName == STRING
    # `[_]` holds if any one selector has a listed InsightType.
    input.Body.InsightSelectors[_].InsightType == enum_InsightType[_]
    input.Body.EventDataStore == STRING
    input.Body.InsightsDestination == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutResourcePolicy

# Input-shape template for PutResourcePolicy (attaches a resource-based policy to the
# resource named by ResourceArn). STRING is a placeholder token.
# Rule-body expressions are ANDed.
valid {
    input.Body.ResourceArn == STRING
    # ResourcePolicy carries the whole policy document as one string, so `==` only matches
    # a byte-identical document (whitespace and key order included). A rule that needs to
    # inspect principals or actions would have to parse the string first.
    input.Body.ResourcePolicy == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

RegisterOrganizationDelegatedAdmin

# Input-shape template for RegisterOrganizationDelegatedAdmin.
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    # Account being granted CloudTrail delegated-administrator rights for the organization;
    # pinning it to expected account ids keeps the delegation from going elsewhere.
    input.Body.MemberAccountId == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

RemoveTags

# Input-shape template for RemoveTags. STRING is a placeholder token.
# Rule-body expressions are ANDed, so a field absent from input leaves `valid` undefined.
valid {
    input.Body.ResourceId == STRING
    # `[_]` is existential: each line holds if any one tag matches, and the Key and Value
    # lines can be satisfied by different tags.
    input.Body.TagsList[_].Key == STRING
    input.Body.TagsList[_].Value == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

RestoreEventDataStore

# Input-shape template for RestoreEventDataStore.
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    input.Body.EventDataStore == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

StartEventDataStoreIngestion

# Input-shape template for StartEventDataStoreIngestion.
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    input.Body.EventDataStore == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

StartImport

# Input-shape template for StartImport.
# STRING / TIMESTAMP are placeholder tokens, not values defined in this listing.
# Rule-body expressions are ANDed.
valid {
    # `[_]` holds if any one destination matches; it does not constrain the others.
    input.Body.Destinations[_] == STRING
    # Source bucket and the role used to read it: pinning these limits which data can be
    # imported and which role the request can name.
    input.Body.ImportSource.S3.S3LocationUri == STRING
    input.Body.ImportSource.S3.S3BucketRegion == STRING
    input.Body.ImportSource.S3.S3BucketAccessRoleArn == STRING
    input.Body.StartEventTime == TIMESTAMP
    input.Body.EndEventTime == TIMESTAMP
    # NOTE(review): ImportId presumably applies only when retrying an existing import;
    # requiring it alongside the source fields may never match. Confirm against the API.
    input.Body.ImportId == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

StartLogging

# Input-shape template for StartLogging (starts event recording for the named trail).
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    input.Body.Name == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

StartQuery

# Input-shape template for StartQuery. STRING is a placeholder token.
# Rule-body expressions are ANDed.
valid {
    # QueryStatement is free-form query text, so `==` only matches one exact statement;
    # it is not a way to allow a family of queries.
    input.Body.QueryStatement == STRING
    # Where query results are delivered; pin this to an approved location so results are
    # not written to an arbitrary bucket.
    input.Body.DeliveryS3Uri == STRING
    input.Body.QueryAlias == STRING
    # `[_]` holds if any one parameter matches.
    input.Body.QueryParameters[_] == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

StopEventDataStoreIngestion

# Input-shape template for StopEventDataStoreIngestion. STRING is a placeholder token.
# Stopping ingestion means new events stop reaching the store, so an allow rule here is
# normally scoped to a specific store and caller.
valid {
    input.Body.EventDataStore == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

StopImport

# Input-shape template for StopImport.
# STRING is a placeholder token; rule-body expressions are ANDed.
valid {
    input.Body.ImportId == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

StopLogging

# Input-shape template for StopLogging. STRING is a placeholder token.
# StopLogging suspends event recording and log delivery for the named trail, so it is
# one of the actions worth both restricting (pin Name and the caller fields) and alerting on.
valid {
    input.Body.Name == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateChannel

# Allowed values for a channel destination's Type field.
enum_DestinationType := [ "EVENT_DATA_STORE", "AWS_SERVICE" ]

# Input-shape template for UpdateChannel. STRING is a placeholder token.
# Rule-body expressions are ANDed; keep only the fields the policy constrains.
valid {
    input.Body.Channel == STRING
    # `[_]` matches if any one destination satisfies the line, and Type and Location can
    # be satisfied by different destinations. This does not restrict every destination.
    input.Body.Destinations[_].Type == enum_DestinationType[_]
    input.Body.Destinations[_].Location == STRING
    input.Body.Name == STRING
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateEventDataStore

# Allowed values for the event data store BillingMode field.
enum_BillingMode := [ "EXTENDABLE_RETENTION_PRICING", "FIXED_RETENTION_PRICING" ]

# Input-shape template for UpdateEventDataStore.
# STRING / BOOLEAN / INTEGER are placeholder tokens, not values defined in this listing.
# Rule-body expressions are ANDed; an update request usually sends only the fields being
# changed, so a policy presumably keeps only the lines it cares about.
valid {
    input.Body.EventDataStore == STRING
    input.Body.Name == STRING
    # Each `[_]` is an independent "any element" match, not a check on every selector.
    input.Body.AdvancedEventSelectors[_].Name == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].Field == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].Equals[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].StartsWith[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].EndsWith[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].NotEquals[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].NotStartsWith[_] == STRING
    input.Body.AdvancedEventSelectors[_].FieldSelectors[_].NotEndsWith[_] == STRING
    input.Body.MultiRegionEnabled == BOOLEAN
    input.Body.OrganizationEnabled == BOOLEAN
    # Shortening retention or turning termination protection off weakens how long and how
    # safely audit events are kept; these are the values a guardrail would pin.
    input.Body.RetentionPeriod == INTEGER
    input.Body.TerminationProtectionEnabled == BOOLEAN
    input.Body.KmsKeyId == STRING
    input.Body.BillingMode == enum_BillingMode[_]
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateTrail

# Input-shape template for UpdateTrail.
# STRING / BOOLEAN are placeholder tokens, not values defined in this listing.
# Rule-body expressions are ANDed; an update request usually sends only the fields being
# changed, so a policy presumably keeps only the lines it cares about.
valid {
    input.Body.Name == STRING
    # Changing the bucket or prefix redirects where logs are delivered; pin to approved values.
    input.Body.S3BucketName == STRING
    input.Body.S3KeyPrefix == STRING
    input.Body.SnsTopicName == STRING
    # Turning these off reduces coverage (global service events, other regions) or removes
    # log file integrity validation.
    input.Body.IncludeGlobalServiceEvents == BOOLEAN
    input.Body.IsMultiRegionTrail == BOOLEAN
    input.Body.EnableLogFileValidation == BOOLEAN
    input.Body.CloudWatchLogsLogGroupArn == STRING
    input.Body.CloudWatchLogsRoleArn == STRING
    # KMS key used to encrypt delivered log files.
    input.Body.KmsKeyId == STRING
    input.Body.IsOrganizationTrail == BOOLEAN
    # Caller context supplied alongside the request body.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}