Skip to main content

event_data_stores

Creates, updates, deletes or gets an event_data_store resource or lists event_data_stores in a region

Overview

Nameevent_data_stores
TypeResource
DescriptionA storage lake of event data against which you can run complex SQL-based queries. An event data store can include events that you have logged on your account from the last 7 to 2557 or 3653 days (about seven or ten years) depending on the selected BillingMode.
Idawscc.cloudtrail.event_data_stores

Fields

NameDatatypeDescription
advanced_event_selectorsarrayThe advanced event selectors that were used to select events for the data store.
created_timestampstringThe timestamp of the event data store's creation.
event_data_store_arnstringThe ARN of the event data store.
federation_enabledbooleanIndicates whether federation is enabled on an event data store.
federation_role_arnstringThe ARN of the role used for event data store federation.
multi_region_enabledbooleanIndicates whether the event data store includes events from all regions, or only from the region in which it was created.
namestringThe name of the event data store.
organization_enabledbooleanIndicates that an event data store is collecting logged events for an organization.
billing_modestringThe mode that the event data store will use to charge for event storage.
retention_periodintegerThe retention period, in days.
statusstringThe status of an event data store. Values are STARTING_INGESTION, ENABLED, STOPPING_INGESTION, STOPPED_INGESTION and PENDING_DELETION.
termination_protection_enabledbooleanIndicates whether the event data store is protected from termination.
kms_key_idstringSpecifies the KMS key ID to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by 'alias/', a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
tagsarray
insight_selectorsarrayLets you enable Insights event logging by specifying the Insights selectors that you want to enable on an existing event data store. Both InsightSelectors and InsightsDestination need to have a value in order to enable Insights events on an event data store.
insights_destinationstringSpecifies the ARN of the event data store that will collect Insights events. Both InsightSelectors and InsightsDestination need to have a value in order to enable Insights events on an event data store
max_event_sizestringSpecifies the maximum size allowed for the event. Valid values are Standard and Large. If you add ContextKeySelectors, this value must be set to Large.
context_key_selectorsarrayAn array that enriches event records in an existing event data store by including additional information specified in individual ContexKeySelector entries. If you add ContextKeySelectors, you must set MaxEventSize to Large.
ingestion_enabledbooleanIndicates whether the event data store is ingesting events.
regionstringAWS region.

For more information, see AWS::CloudTrail::EventDataStore.

Methods

NameResourceAccessible byRequired Params
create_resourceevent_data_storesINSERT, region
delete_resourceevent_data_storesDELETEIdentifier, region
update_resourceevent_data_storesUPDATEIdentifier, PatchDocument, region
list_resourcesevent_data_stores_list_onlySELECTregion
get_resourceevent_data_storesSELECTIdentifier, region

SELECT examples

Gets all properties from an individual event_data_store.

SELECT
  region,
  advanced_event_selectors,
  created_timestamp,
  event_data_store_arn,
  federation_enabled,
  federation_role_arn,
  multi_region_enabled,
  name,
  organization_enabled,
  billing_mode,
  retention_period,
  status,
  termination_protection_enabled,
  updated_timestamp,
  kms_key_id,
  tags,
  insight_selectors,
  insights_destination,
  max_event_size,
  context_key_selectors,
  ingestion_enabled
FROM awscc.cloudtrail.event_data_stores
WHERE
  region = 'us-east-1' AND
  Identifier = '{{ event_data_store_arn }}';

INSERT example

Use the following StackQL query and manifest file to create a new event_data_store resource, using stack-deploy.

/*+ create */
INSERT INTO awscc.cloudtrail.event_data_stores (
  ,
  region
)
SELECT
  '{{  }}',
  '{{ region }}';

UPDATE example

Use the following StackQL query and manifest file to update a event_data_store resource, using stack-deploy.

/*+ update */
UPDATE awscc.cloudtrail.event_data_stores
SET PatchDocument = string('{{ {
    "AdvancedEventSelectors": advanced_event_selectors,
    "FederationEnabled": federation_enabled,
    "FederationRoleArn": federation_role_arn,
    "MultiRegionEnabled": multi_region_enabled,
    "Name": name,
    "OrganizationEnabled": organization_enabled,
    "BillingMode": billing_mode,
    "RetentionPeriod": retention_period,
    "TerminationProtectionEnabled": termination_protection_enabled,
    "KmsKeyId": kms_key_id,
    "Tags": tags,
    "InsightSelectors": insight_selectors,
    "InsightsDestination": insights_destination,
    "MaxEventSize": max_event_size,
    "ContextKeySelectors": context_key_selectors,
    "IngestionEnabled": ingestion_enabled
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ event_data_store_arn }}';

DELETE example

/*+ delete */
DELETE FROM awscc.cloudtrail.event_data_stores
WHERE
  Identifier = '{{ event_data_store_arn }}' AND
  region = 'us-east-1';

Permissions

To operate on the event_data_stores resource, the following permissions are required:

CloudTrail:CreateEventDataStore,
CloudTrail:AddTags,
CloudTrail:PutInsightSelectors,
CloudTrail:EnableFederation,
CloudTrail:GetEventDataStore,
CloudTrail:PutEventConfiguration,
iam:PassRole,
iam:GetRole,
iam:CreateServiceLinkedRole,
organizations:DescribeOrganization,
organizations:ListAWSServiceAccessForOrganization,
kms:GenerateDataKey,
kms:Decrypt,
glue:CreateDatabase,
glue:CreateTable,
glue:PassConnection,
lakeformation:RegisterResource