To enable CloudTrail data events for gateway resources using the AWS CLI, you can run the
following command in a terminal:
aws cloudtrail put-event-selectors \
--trail-name brac-gateway-canary-trail-prod-us-east-1 \
--region us-east-1 \
--advanced-event-selectors '[
{
"Name": "GatewayDataEvents",
"FieldSelectors": [
{
"Field": "eventCategory",
"Equals": ["Data"]
},
{
"Field": "resources.type",
"Equals": ["AWS::BedrockAgentCore::Gateway"]
}
]
}
]'
The following example demonstrates how to create a CloudTrail trail with AgentCore Gateway data events using the AWS CDK:
import { Construct } from 'constructs';
import { Trail, CfnTrail } from 'aws-cdk-lib/aws-cloudtrail';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { Effect, PolicyStatement, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
import { RemovalPolicy } from 'aws-cdk-lib';
export interface DataEventTrailProps {
/**
* Whether to enable multi-region trail
*/
isMultiRegionTrail?: boolean;
/**
* Whether to include global service events
*/
includeGlobalServiceEvents?: boolean;
/**
* AWS region
*/
region: string;
/**
* Environment account ID
*/
account: string;
}
/**
* Creates a CloudTrail trail configured to capture data events for Bedrock Agent Core Gateway
*/
export class BedrockAgentCoreDataEventTrail extends Construct {
/**
* The CloudTrail trail
*/
public readonly trail: Trail;
/**
* The S3 bucket for CloudTrail logs
*/
public readonly logsBucket: Bucket;
constructor(scope: Construct, id: string, props: DataEventTrailProps) {
super(scope, id);
// Create S3 bucket for CloudTrail logs
const bucketName = `brac-gateway-cloudtrail-logs-${props.account}-${props.region}`;
this.logsBucket = new Bucket(this, 'CloudTrailLogsBucket', {
bucketName,
removalPolicy: RemovalPolicy.RETAIN,
});
// Create trail name (suffixing region since regional trail)
const trailName = `brac-gateway-trail-${props.region}`;
// Add CloudTrail bucket policy
this.logsBucket.addToResourcePolicy(
new PolicyStatement({
sid: 'AWSCloudTrailAclCheck',
effect: Effect.ALLOW,
principals: [new ServicePrincipal('cloudtrail.amazonaws.com')],
actions: ['s3:GetBucketAcl'],
resources: [this.logsBucket.bucketArn],
conditions: {
StringEquals: {
'aws:SourceArn': `arn:aws:cloudtrail:${props.region}:${props.account}:trail/${trailName}`,
},
},
}),
);
this.logsBucket.addToResourcePolicy(
new PolicyStatement({
sid: 'AWSCloudTrailWrite',
effect: Effect.ALLOW,
principals: [new ServicePrincipal('cloudtrail.amazonaws.com')],
actions: ['s3:PutObject'],
resources: [this.logsBucket.arnForObjects(`AWSLogs/${props.account}/*`)],
conditions: {
StringEquals: {
's3:x-amz-acl': 'bucket-owner-full-control',
'aws:SourceArn': `arn:aws:cloudtrail:${props.region}:${props.account}:trail/${trailName}`,
},
},
}),
);
// Create CloudTrail trail
this.trail = new Trail(this, 'GatewayDataEventTrail', {
trailName,
bucket: this.logsBucket,
isMultiRegionTrail: props.isMultiRegionTrail ?? false,
includeGlobalServiceEvents: props.includeGlobalServiceEvents ?? true,
enableFileValidation: true,
});
// Add advanced event selectors for Bedrock Agent Core Gateway data events
const cfnTrail = this.trail.node.defaultChild as CfnTrail;
// Define the advanced event selectors
const advancedEventSelectors = [
{
// Log Bedrock Agent Core Gateway Data Events only
fieldSelectors: [
{
field: 'eventCategory',
equalTo: ['Data'],
},
{
field: 'resources.type',
equalTo: ['AWS::BedrockAgentCore::Gateway'],
},
],
},
];
// Clear any existing event selectors and set advanced event selectors
cfnTrail.eventSelectors = undefined;
cfnTrail.advancedEventSelectors = advancedEventSelectors;
}
}
