feat(cloudtrail): selector for management event exclusions (#16546)

Closes: #16273

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts

@@ -334,6 +334,7 @@ export class Trail extends Resource {
         values: dataResourceValues,
       }],
       includeManagementEvents: options.includeManagementEvents,
+      excludeManagementEventSources: options.excludeManagementEventSources,
       readWriteType: options.readWriteType,
     });
   }
@@ -424,6 +425,28 @@ export interface AddEventSelectorOptions {
    * @default true
    */
   readonly includeManagementEvents?: boolean;
+
+  /**
+   * An optional list of service event sources from which you do not want management events to be logged on your trail.
+   *
+   * @default []
+   */
+  readonly excludeManagementEventSources?: ManagementEventSources[];
+}
+
+/**
+ * Types of management event sources that can be excluded
+ */
+export enum ManagementEventSources {
+  /**
+   * AWS Key Management Service (AWS KMS) events
+   */
+  KMS = 'kms.amazonaws.com',
+
+  /**
+   * Data API events
+   */
+  RDS_DATA_API = 'rdsdata.amazonaws.com',
 }
 
 /**
@@ -457,6 +480,7 @@ export enum DataResourceType {
 
 interface EventSelector {
   readonly includeManagementEvents?: boolean;
+  readonly excludeManagementEventSources?: string[];
   readonly readWriteType?: ReadWriteType;
   readonly dataResources?: EventSelectorData[];
 }

packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.test.ts

@@ -7,7 +7,7 @@ import { LogGroup, RetentionDays } from '@aws-cdk/aws-logs';
 import * as s3 from '@aws-cdk/aws-s3';
 import * as sns from '@aws-cdk/aws-sns';
 import { Stack } from '@aws-cdk/core';
-import { ReadWriteType, Trail } from '../lib';
+import { ManagementEventSources, ReadWriteType, Trail } from '../lib';
 
 const ExpectedBucketPolicyProperties = {
   PolicyDocument: {
@@ -446,6 +446,59 @@ describe('cloudtrail', () => {
         });
       });
 
+      test('exclude management events', () => {
+        const stack = getTestStack();
+        const bucket = new s3.Bucket(stack, 'testBucket', { bucketName: 'test-bucket' });
+        const cloudTrail = new Trail(stack, 'MyAmazingCloudTrail');
+        cloudTrail.addS3EventSelector([{ bucket }], {
+          excludeManagementEventSources: [
+            ManagementEventSources.KMS,
+            ManagementEventSources.RDS_DATA_API,
+          ],
+        });
+        cloudTrail.addS3EventSelector([{ bucket }], {
+          excludeManagementEventSources: [],
+        });
+
+        expect(stack).toHaveResourceLike('AWS::CloudTrail::Trail', {
+          EventSelectors: [
+            {
+              DataResources: [{
+                Type: 'AWS::S3::Object',
+                Values: [{
+                  'Fn::Join': [
+                    '',
+                    [
+                      { 'Fn::GetAtt': ['testBucketDF4D7D1A', 'Arn'] },
+                      '/',
+                    ],
+                  ],
+                }],
+              }],
+              ExcludeManagementEventSources: [
+                'kms.amazonaws.com',
+                'rdsdata.amazonaws.com',
+              ],
+            },
+            {
+              DataResources: [{
+                Type: 'AWS::S3::Object',
+                Values: [{
+                  'Fn::Join': [
+                    '',
+                    [
+                      { 'Fn::GetAtt': ['testBucketDF4D7D1A', 'Arn'] },
+                      '/',
+                    ],
+                  ],
+                }],
+              }],
+              ExcludeManagementEventSources: [],
+            },
+          ],
+        });
+      });
+
       test('for Lambda function data event', () => {
         const stack = getTestStack();
         const lambdaFunction = new lambda.Function(stack, 'LambdaFunction', {