Understanding organization event data stores
If you have created an organization in AWS Organizations, you can create an organization event data store that logs all events for all AWS accounts in that organization. Organization event data stores can apply to all AWS Regions, or the current Region. You can't use an organization event data store to collect events from outside of AWS.
You can create an organization event data store by using either the management account or the delegated administrator account. When a delegated administrator creates an organization event data store, the organization event data store exists in the management account for the organization, because the management account maintains ownership of all organization resources.
The management account for an organization can update an account-level event data store to apply it to an organization.
When the organization event data store is specified as applying to an organization, it's automatically applied to all member accounts in the organization. Member accounts can't see the organization event data store, nor can they modify or delete it. By default, member accounts don't have access to the organization event data store, nor can they run queries on organization event data stores.
The following table shows the capabilities of the management account and delegated administrator accounts within the AWS Organizations organization.
Capabilities | Management account | Delegated administrator account
---|---|---
Register or remove delegated administrator accounts. | Yes | No
Create an organization event data store for AWS CloudTrail events or AWS Config configuration items. | Yes | Yes
Enable Insights on an organization event data store. | Yes | Yes
Update an organization event data store.1 | Yes | Yes
Start and stop event ingestion on an organization event data store. | Yes | Yes
Enable Lake query federation on an organization event data store.2 | Yes | Yes
Disable Lake query federation on an organization event data store. | Yes | Yes
Delete an organization event data store. | Yes | Yes
Copy trail events to an event data store. | Yes | No
Run queries on organization event data stores. | Yes | Yes
View a managed dashboard for an organization event data store. | Yes | Yes
Enable the Highlights dashboard for organization event data stores. | Yes | Yes
Create a widget for a custom dashboard that queries an organization event data store. | Yes | Yes
1Only the management account can convert an organization event data store to an account-level event data store, or convert an account-level event data store to an organization event data store. These actions are not allowed for the delegated administrator because organization event data stores only exist in the management account. When an organization event data store is converted to an account-level event data store, only the management account has access to the event data store. Likewise, only an account-level event data store in the management account can be converted to an organization event data store.
2Only a single delegated administrator account or the management account can enable federation on an organization event data store. Other delegated administrator accounts can query and share information using the Lake Formation data sharing feature. Any delegated administrator account as well as the organization's management account can disable federation.
Create an organization event data store
The management account or delegated administrator account for an organization can create an organization event data store to collect either CloudTrail events (management events, data events) or AWS Config configuration items.
Note
Only the organization's management account can copy trail events to an event data store.
Apply an account-level event data store to an organization
The organization's management account can convert an account-level event data store to apply it to an organization.
Default resource policy for delegated administrators
CloudTrail automatically generates a resource policy named DelegatedAdminResourcePolicy for organization event data stores. It lists the actions that the delegated administrator accounts are allowed to perform on organization event data stores. The permissions in DelegatedAdminResourcePolicy are derived from the delegated administrator permissions in AWS Organizations.

The purpose of DelegatedAdminResourcePolicy is to ensure that the delegated administrator accounts can manage the organization event data store on behalf of the organization, and are not unintentionally denied access when a resource-based policy that allows or denies principals from performing actions on the organization event data store is attached to it.

CloudTrail evaluates DelegatedAdminResourcePolicy in tandem with any resource-based policy provided for the organization event data store. The delegated administrator accounts are denied access only if the provided resource-based policy includes a statement that explicitly denies the delegated administrator accounts an action that they would otherwise be able to perform. A provided resource-based policy that simply does not mention the delegated administrator accounts in its Allow statements does not remove their access.

The DelegatedAdminResourcePolicy policy is updated automatically when:

- The management account converts an organization event data store to an account-level event data store, or converts an account-level event data store to an organization event data store.
- There are organization changes. For example, the management account registers or removes a CloudTrail delegated administrator account.

You can view the up-to-date policy in the Delegated administrator resource policy section of the CloudTrail console, or by running the AWS CLI get-resource-policy command and passing the ARN of the organization event data store.

The following example runs the get-resource-policy command on an organization event data store.

```bash
aws cloudtrail get-resource-policy --resource-arn arn:aws:cloudtrail:us-east-1:888888888888:eventdatastore/example6-d493-4914-9182-e52a7934b207
```

The following example output shows both the provided resource-based policy and the DelegatedAdminResourcePolicy generated for the delegated administrator accounts 333333333333 and 111111111111. Note that the provided policy (EdsPolicyA) spells its action names in lowercase; IAM action matching is case-insensitive, so this is equivalent to the mixed-case names in the generated policy.

```json
{
  "ResourceArn": "arn:aws:cloudtrail:us-east-1:888888888888:eventdatastore/example6-d493-4914-9182-e52a7934b207",
  "ResourcePolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "EdsPolicyA",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::666666666666:root"
        },
        "Action": [
          "cloudtrail:geteventdatastore",
          "cloudtrail:startquery",
          "cloudtrail:describequery",
          "cloudtrail:cancelquery",
          "cloudtrail:generatequery",
          "cloudtrail:generatequeryresultssummary"
        ],
        "Resource": "arn:aws:cloudtrail:us-east-1:888888888888:eventdatastore/example6-d493-4914-9182-e52a7934b207"
      }
    ]
  },
  "DelegatedAdminResourcePolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Organization-EventDataStore-Auto-Generated-Delegated-Admin-Statement",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "333333333333",
            "111111111111"
          ]
        },
        "Action": [
          "cloudtrail:AddTags",
          "cloudtrail:CancelQuery",
          "cloudtrail:CreateEventDataStore",
          "cloudtrail:DeleteEventDataStore",
          "cloudtrail:DescribeQuery",
          "cloudtrail:DisableFederation",
          "cloudtrail:EnableFederation",
          "cloudtrail:GenerateQuery",
          "cloudtrail:GenerateQueryResultsSummary",
          "cloudtrail:GetEventConfiguration",
          "cloudtrail:GetEventDataStore",
          "cloudtrail:GetInsightSelectors",
          "cloudtrail:GetQueryResults",
          "cloudtrail:ListEventDataStores",
          "cloudtrail:ListQueries",
          "cloudtrail:ListTags",
          "cloudtrail:RemoveTags",
          "cloudtrail:RestoreEventDataStore",
          "cloudtrail:UpdateEventDataStore",
          "cloudtrail:StartEventDataStoreIngestion",
          "cloudtrail:StartQuery",
          "cloudtrail:StopEventDataStoreIngestion"
        ],
        "Resource": "arn:aws:cloudtrail:us-east-1:888888888888:eventdatastore/example6-d493-4914-9182-e52a7934b207"
      }
    ]
  }
}
```
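The following Python script is an added example; it is not part of the CloudTrail documentation or the AWS CLI. It takes get-resource-policy output and evaluates the provided ResourcePolicy together with the generated DelegatedAdminResourcePolicy the way the text above describes: every Allow from either policy counts, and a delegated administrator loses an action only when an explicit Deny in the provided policy matches it. The embedded sample is constructed from the page's example output with one hypothetical Deny statement (DenyDeleteHypothetical, against account 333333333333) added to show the single case that does lock a delegated administrator out; the account IDs and the script name check.py are illustrative. It handles the bare-string versus list forms of IAM elements, the account-ID and ARN spellings of principals, and case-insensitive wildcard action matching; it deliberately refuses NotPrincipal/NotAction/NotResource and ignores Condition, so it is a review aid rather than a reimplementation of the IAM authorizer.

```python
"""Evaluate an organization event data store's provided ResourcePolicy together with the
auto-generated DelegatedAdminResourcePolicy. Input is `get-resource-policy` JSON; the sample
below is constructed from the page's example plus one hypothetical Deny statement."""
import json
import re
import sys

EDS_ARN = "arn:aws:cloudtrail:us-east-1:888888888888:eventdatastore/example6-d493-4914-9182-e52a7934b207"

# Action list as shown in the page's DelegatedAdminResourcePolicy example.
DELEGATED_ADMIN_ACTIONS = [
    "cloudtrail:AddTags", "cloudtrail:CancelQuery", "cloudtrail:CreateEventDataStore",
    "cloudtrail:DeleteEventDataStore", "cloudtrail:DescribeQuery", "cloudtrail:DisableFederation",
    "cloudtrail:EnableFederation", "cloudtrail:GenerateQuery", "cloudtrail:GenerateQueryResultsSummary",
    "cloudtrail:GetEventConfiguration", "cloudtrail:GetEventDataStore", "cloudtrail:GetInsightSelectors",
    "cloudtrail:GetQueryResults", "cloudtrail:ListEventDataStores", "cloudtrail:ListQueries",
    "cloudtrail:ListTags", "cloudtrail:RemoveTags", "cloudtrail:RestoreEventDataStore",
    "cloudtrail:UpdateEventDataStore", "cloudtrail:StartEventDataStoreIngestion",
    "cloudtrail:StartQuery", "cloudtrail:StopEventDataStoreIngestion",
]

SAMPLE_OUTPUT = {  # constructed; same shape as `aws cloudtrail get-resource-policy` output
    "ResourceArn": EDS_ARN,
    "ResourcePolicy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "EdsPolicyA", "Effect": "Allow",  # from the page; note the lowercase action names
         "Principal": {"AWS": "arn:aws:iam::666666666666:root"},
         "Action": ["cloudtrail:geteventdatastore", "cloudtrail:startquery"], "Resource": EDS_ARN},
        {"Sid": "DenyDeleteHypothetical", "Effect": "Deny",  # hypothetical: names a delegated admin
         "Principal": {"AWS": "333333333333"}, "Action": "cloudtrail:Delete*", "Resource": "*"},
    ]},
    "DelegatedAdminResourcePolicy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Organization-EventDataStore-Auto-Generated-Delegated-Admin-Statement",
         "Effect": "Allow", "Principal": {"AWS": ["333333333333", "111111111111"]},
         "Action": DELEGATED_ADMIN_ACTIONS, "Resource": EDS_ARN},
    ]},
}

def _as_list(value):
    """IAM allows single-valued elements to be a bare string; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _iam_pattern(pattern):
    """Action/Resource matching in IAM is case-insensitive; '*' and '?' are the only wildcards."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped + r"\Z", re.IGNORECASE)

def principal_accounts(principal):
    """Account IDs named by a Principal element ('*' means everyone). User and role ARNs are
    reduced to their owning account, which is conservative for a lock-out check."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for p in _as_list(principal.get("AWS")) if isinstance(principal, dict) else []:
        if p == "*":
            accounts.add("*")
        elif re.fullmatch(r"\d{12}", p):
            accounts.add(p)
        elif p.startswith("arn:aws:iam::"):
            accounts.add(p.split(":")[4])  # arn:aws:iam::<account>:root|user/...|role/...
    return accounts

def _applies(stmt, account, resource_arn):
    """True if the statement targets this account and this event data store."""
    if any(k in stmt for k in ("NotPrincipal", "NotAction", "NotResource")):
        raise ValueError(f"statement {stmt.get('Sid')}: Not* elements are not handled here")
    principals = principal_accounts(stmt.get("Principal", {}))
    if account not in principals and "*" not in principals:
        return False
    return any(_iam_pattern(r).match(resource_arn) for r in _as_list(stmt.get("Resource", "*")))

def effective_actions(output, account):
    """Allow actions for `account` from both policies, minus anything an explicit Deny matches.
    This is the 'in tandem' evaluation: the generated policy adds Allows but never overrides
    a Deny in the provided policy."""
    arn = output["ResourceArn"]
    allowed, deny_patterns = set(), []
    for key in ("ResourcePolicy", "DelegatedAdminResourcePolicy"):
        for stmt in _as_list(output.get(key, {}).get("Statement")):
            if not _applies(stmt, account, arn):
                continue
            if stmt.get("Effect") == "Allow":
                allowed.update(_as_list(stmt.get("Action")))
            elif stmt.get("Effect") == "Deny":
                deny_patterns.extend(_iam_pattern(a) for a in _as_list(stmt.get("Action")))
    return {a for a in allowed if not any(p.match(a) for p in deny_patterns)}

def delegated_admin_denials(output):
    """Per delegated administrator account, the generated permissions that the provided policy
    explicitly takes away. An empty dict means no delegated admin is locked out."""
    lost = {}
    for stmt in _as_list(output.get("DelegatedAdminResourcePolicy", {}).get("Statement")):
        for account in principal_accounts(stmt.get("Principal", {})):
            missing = sorted(set(_as_list(stmt.get("Action"))) - effective_actions(output, account))
            if missing:
                lost[account] = missing
    return lost

if __name__ == "__main__":
    # Real data: aws cloudtrail get-resource-policy --resource-arn <arn> | python3 check.py
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else json.load(sys.stdin)
    for account, actions in delegated_admin_denials(data).items():
        print(f"delegated admin {account} is explicitly denied: {', '.join(actions)}")
```

Run against the sample, the script reports only account 333333333333 losing cloudtrail:DeleteEventDataStore; account 111111111111 keeps every generated permission even though the provided policy never mentions it, and the cross-account principal 666666666666 gets exactly the two actions EdsPolicyA grants. That is the behaviour the text describes: the absence of an Allow for the delegated administrators is harmless, an explicit Deny is not.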