class Aws::CloudWatchLogs::Types::PutAccountPolicyRequest
@see docs.aws.amazon.com/goto/WebAPI/logs-2014-03-28/PutAccountPolicyRequest AWS API Documentation
@return [String]<br>: docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions-recursion-prevention.html<br><br><br><br>loops. For more information, see [Log recursion prevention].
‘SUBSCRIPTION_FILTER_POLICY` is useful to help prevent infinite
Using the `selectionCriteria` parameter with
length is determined by using its UTF-8 bytes.
The `selectionCriteria` string can be up to 25KB in length. The
only supported `selectionCriteria` filter is `LogGroupNamePrefix`
If `policyType` is `FIELD_INDEX_POLICY` or `TRANSFORMER_POLICY`, the
`selectionCriteria` filter is `LogGroupName NOT IN []`
If `policyType` is `SUBSCRIPTION_FILTER_POLICY`, the only supported
`TRANSFORMER_POLICY`for `policyType`.
`SUBSCRIPTION_FILTER_POLICY`, `FIELD_INDEX_POLICY` or
Specifing `selectionCriteria` is valid only when you specify
in the account.
Use this parameter to apply the new policy to a subset of log groups
@!attribute [rw] selection_criteria
@return [String]
used.
in the account. If you omit this parameter, the default of `ALL` is
specifies that the data protection policy applies to all log groups
Currently the only valid value for this parameter is `ALL`, which
@!attribute [rw] scope
@return [String]
The type of policy that you’re creating or updating.
@!attribute [rw] policy_type
@return [String]<br>: docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-Processors<br>[2]: docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDestination.html<br>[1]: docs.aws.amazon.com/AmazonCloudWatch/latest/logs/mask-sensitive-log-data-types.html<br><br><br><br>] }“‘
`”policyDocument“: ”{ “Fields”: [ “RequestId”, “TransactionId”
two indexes, `RequestId` and `TransactionId`.
The following is an example of an index policy document that creates
It must contain at least one field index.
^
* Fields The array of field indexes to create.
JSON block:
A field index filter policy can include the following attribute in a
**Field index policy**
available processors, see [ Processors that you can use].
processors and their configurations. For more information about
A transformer policy must include one JSON block with the array of
**Transformer policy**
Kinesis Data Streams data stream.
This property is only applicable when the destination is an
the grouping can be set to `Random` for a more even distribution.
destination. By default, log data is grouped by log stream, but
* Distribution The method used to distribute log data to the
stream of log events.
* FilterPattern A filter pattern for subscribing to a filtered
with a logical destination for cross-account delivery.
stream. You don’t need to provide the ARN when you are working
permissions to deliver ingested log events to the destination
* RoleArn The ARN of an IAM role that grants CloudWatch Logs
Streams and Firehose are supported as logical destinations.<br>[2], for cross-account delivery. Kinesis Data
* A logical destination in a different account created with
policy, for same-account delivery.
* A Lambda function in the same account as the subscription
policy, for same-account delivery.
* An Firehose data stream in the same account as the subscription
subscription policy, for same-account delivery.
* An Kinesis Data Streams data stream in the same account as the
events to. Supported destinations are:
* DestinationArn The ARN of the destination to deliver log
a JSON block:
A subscription filter policy can include the following attributes in
**Subscription filter policy**
characters long.
The JSON specified in ‘policyDocument` can be up to 30,720
to CloudWatch.
as a dimension when CloudWatch Logs reports audit findings metrics
different than the operation’s ‘policyName` parameter, and is used
include `Name`, `Description`, and `Version` fields. The `Name` is
In addition to the two JSON blocks, the `policyDocument` can also
The contents of the two `DataIdentifer` arrays must match exactly.
on this page.
For an example data protection policy, see the Examples section
{}` object. The ` “MaskConfig”: {}` object must be empty.
actually masks the data, and it must contain the ` “MaskConfig”:
The `Operation` property with the `Deidentify` action is what
in the first block of the policy.
`DataIdentifer` array must exactly match the `DataIdentifer` array
`Operation` property with an `Deidentify` action. The
* The second block must include both a `DataIdentifer` array and an
groups, Firehose streams, and S3 buckets, they must already exist.
send audit findings to. If you specify destinations such as log
`FindingsDestination` object to list one or more destinations to
`FindingsDestination` object. You can optionally use that
find the sensitive data terms. This `Audit` action must contain a
The `Operation` property with an `Audit` action is required to
that you can mask].
more information about the available options, see [Types of data
array lists the types of sensitive data that you want to mask. For
`Operation` property with an `Audit` action. The `DataIdentifer`
* The first block must include both a `DataIdentifer` array and an
A data protection policy must include two JSON blocks:
**Data protection policy**
Specify the policy, in JSON.
@!attribute [rw] policy_document
@return [String]
A name for the policy. This must be unique within the account.
@!attribute [rw] policy_name