Values.CreateImportTaskResponse

Starts an import from a data source to CloudWatch Logs and creates a managed log group as the destination for the imported data. Currently, CloudTrail Event Data Store is the only supported data source.

The import task must satisfy the following constraints:

- The specified source must be in an ACTIVE state.
- The API caller must have permissions to access the data in the provided source and to perform iam:PassRole on the provided import role which has the same permissions, as described below.
- The provided IAM role must trust the "cloudtrail.amazonaws.com" principal and have the following permissions:
  - cloudtrail:GetEventDataStoreData
  - logs:CreateLogGroup
  - logs:CreateLogStream
  - logs:PutResourcePolicy
  - (If source has an associated Amazon Web Services KMS Key) kms:Decrypt
  - (If source has an associated Amazon Web Services KMS Key) kms:GenerateDataKey

  Example IAM policy for provided import role:

    [
      {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::123456789012:role/apiCallerCredentials",
        "Condition": {
          "StringLike": {
            "iam:AssociatedResourceARN": "arn:aws:logs:us-east-1:123456789012:log-group:aws/cloudtrail/f1d45bff-d0e3-4868-b5d9-2eb678aa32fb:*"
          }
        }
      },
      {
        "Effect": "Allow",
        "Action": [ "cloudtrail:GetEventDataStoreData" ],
        "Resource": [ "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/f1d45bff-d0e3-4868-b5d9-2eb678aa32fb" ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "logs:CreateImportTask",
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutResourcePolicy"
        ],
        "Resource": [ "arn:aws:logs:us-east-1:123456789012:log-group:/aws/cloudtrail/*" ]
      },
      {
        "Effect": "Allow",
        "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ],
        "Resource": [ "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012" ]
      }
    ]

- If the import source has a customer managed key, the "cloudtrail.amazonaws.com" principal needs permissions to perform kms:Decrypt and kms:GenerateDataKey.
- There can be no more than 3 active imports per account at a given time.
- The startEventTime must be less than or equal to endEventTime.
- The data being imported must be within the specified source's retention period.
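
A preflight check for the constraints listed above, as an added example that is not part of the Awso library or the AWS documentation. It takes the import role's trust policy and permission statements as parsed JSON; the function names, the sample policies and the active-import count argument are assumptions, and it matches Action patterns only, without evaluating Deny, Resource or Condition.

```python
import fnmatch

# Requirements copied from the constraint list above.
REQUIRED = ["cloudtrail:GetEventDataStoreData", "logs:CreateLogGroup",
            "logs:CreateLogStream", "logs:PutResourcePolicy"]
KMS_REQUIRED = ["kms:Decrypt", "kms:GenerateDataKey"]
SERVICE = "cloudtrail.amazonaws.com"
MAX_ACTIVE_IMPORTS = 3

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(statements, action):
    """True if an Allow statement's Action pattern matches (IAM '*'/'?' wildcards,
    case-insensitive). Deny, Resource and Condition are NOT evaluated here."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for s in statements if s.get("Effect") == "Allow"
               for pattern in _as_list(s.get("Action", [])))

def trusts_service(trust_policy, service=SERVICE):
    """True if an Allow statement names `service` as a Service principal."""
    for s in _as_list(trust_policy.get("Statement", [])):
        principal = s.get("Principal", {})
        if (s.get("Effect") == "Allow" and isinstance(principal, dict)
                and service in _as_list(principal.get("Service", []))):
            return True
    return False

def preflight(trust_policy, statements, source_has_kms_key,
              start_ms, end_ms, active_imports):
    """Return the list of violated constraints; an empty list means none found."""
    problems = []
    if not trusts_service(trust_policy):
        problems.append("role does not trust " + SERVICE)
    needed = REQUIRED + (KMS_REQUIRED if source_has_kms_key else [])
    problems += ["missing " + a for a in needed if not allowed(statements, a)]
    if start_ms > end_ms:
        problems.append("startEventTime is after endEventTime")
    if active_imports >= MAX_ACTIVE_IMPORTS:
        problems.append("account already has 3 active imports")
    return problems

# Constructed sample input: a role that lacks logs:PutResourcePolicy and KMS access.
# Resource elements are omitted because this check ignores them.
SAMPLE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"Service": SERVICE}}]}
SAMPLE_STATEMENTS = [
    {"Effect": "Allow", "Action": ["cloudtrail:GetEventDataStoreData"]},
    {"Effect": "Allow", "Action": ["logs:Create*"]},
]
```

Calling `preflight(SAMPLE_TRUST, SAMPLE_STATEMENTS, True, 0, 1000, 1)` reports the three permissions the sample role is missing for a KMS-encrypted source.
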
type nonrec t = {
  importId : ImportId.t option;
    (* A unique identifier for the import task. *)
  importDestinationArn : Arn.t option;
    (* The ARN of the CloudWatch Logs log group created as the destination for the imported events. *)
  creationTime : Timestamp.t option;
    (* The timestamp when the import task was created, expressed as the number of milliseconds after Jan 1, 1970 00:00:00 UTC. *)
}

type nonrec error = [
  | `AccessDeniedException of AccessDeniedException.t
  | `ConflictException of ConflictException.t
  | `InvalidOperationException of InvalidOperationException.t
  | `InvalidParameterException of InvalidParameterException.t
  | `ResourceNotFoundException of ResourceNotFoundException.t
  | `ThrottlingException of ThrottlingException.t
  | `ValidationException of ValidationException.t
  | `Unknown_operation_error of string * string option ]

val error_of_json :
string ->
Yojson.Safe.t ->
[> `AccessDeniedException of unit
| `ConflictException of unit
| `InvalidOperationException of unit
| `InvalidParameterException of unit
| `ResourceNotFoundException of unit
| `ThrottlingException of unit
| `Unknown_operation_error of string * string option
| `ValidationException of unit ]

val error_of_xml :
string ->
Awso.Xml.t ->
[> `AccessDeniedException of unit
| `ConflictException of unit
| `InvalidOperationException of unit
| `InvalidParameterException of unit
| `ResourceNotFoundException of unit
| `ThrottlingException of unit
| `Unknown_operation_error of string * string option
| `ValidationException of unit ]

val to_value :
t ->
[> `Structure of
(string * [> `Long of Timestamp.t | `String of ImportId.t ]) list ]