

# Getting started with AWS CloudTrail tutorials
<a name="cloudtrail-tutorial"></a>

If you're new to AWS CloudTrail, these tutorials can help you learn how to use its features. To use CloudTrail features, you need to have adequate permissions. This page describes the managed policies available for CloudTrail and provides information about how you can grant permissions.

**Topics**
+ [Grant permissions to use CloudTrail](#tutorial-grant-permissions)
+ [View event history](tutorial-event-history.md)
+ [Create a trail to log management events](tutorial-trail.md)
+ [Create an event data store for S3 data events](tutorial-lake-S3.md)

## Grant permissions to use CloudTrail
<a name="tutorial-grant-permissions"></a>

To create, update, and manage CloudTrail resources like trails, event data stores, and channels, you need to grant permissions to use CloudTrail. This section provides information about the managed policies available for CloudTrail.

**Note**  
The permissions you grant to users to perform CloudTrail administration tasks aren't the same as the permissions that CloudTrail requires to deliver log files to Amazon S3 buckets or send notifications to Amazon SNS topics. For more information about those permissions, see [Amazon S3 bucket policy for CloudTrail](create-s3-bucket-policy-for-cloudtrail.md).  
If you configure integration with Amazon CloudWatch Logs, CloudTrail also requires a role that it can assume to deliver events to an Amazon CloudWatch Logs log group. You must create the role that CloudTrail uses. For more information, see [Granting permission to view and configure Amazon CloudWatch Logs information on the CloudTrail console](security_iam_id-based-policy-examples.md#grant-cloudwatch-permissions-for-cloudtrail-users) and [Sending events to CloudWatch Logs](send-cloudtrail-events-to-cloudwatch-logs.md).

The following AWS managed policies are available for CloudTrail:
+  [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloudTrail_FullAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloudTrail_FullAccess.html) – This policy provides full access to CloudTrail actions on CloudTrail resources, such as trails, event data stores, and channels. This policy provides the required permissions to create, update, and delete CloudTrail trails, event data stores, and channels. 

   This policy also provides permissions to manage the Amazon S3 bucket, the log group for CloudWatch Logs, and an Amazon SNS topic for a trail. However, the `AWSCloudTrail_FullAccess` managed policy doesn't provide permissions to delete the Amazon S3 bucket, the log group for CloudWatch Logs, or an Amazon SNS topic. For information about managed policies for other AWS services, see the [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/about-managed-policy-reference.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/about-managed-policy-reference.html).
**Note**  
The **AWSCloudTrail_FullAccess** policy isn't intended to be shared broadly across your AWS account. Principals with this policy can turn off or reconfigure the most sensitive and important auditing functions in their AWS accounts. For this reason, you must only apply this policy to account administrators. You must closely control and monitor use of this policy.
+  [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloudTrail_ReadOnlyAccess.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloudTrail_ReadOnlyAccess.html) – This policy grants permissions to view the CloudTrail console, including recent events and event history. This policy also allows you to view existing trails, event data stores, and channels. Roles and users with this policy can [download the event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html#downloading-events), but they can't create or update trails, event data stores, or channels.

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.
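To act on the note above that use of **AWSCloudTrail_FullAccess** must be closely controlled and monitored, the following added Python script (not part of this guide) inventories every IAM user, group and role that the managed policy is attached to and reports attachments outside an allow-list of roles, treating direct user and group attachments as unexpected because the list above recommends access through a role. For live use it assumes a boto3 IAM client with `iam:ListEntitiesForPolicy`; the `FakeIam` class and the entity names in it are constructed so the script runs offline.

```python
"""Inventory who has the AWSCloudTrail_FullAccess managed policy attached."""

# ARN of the AWS managed policy discussed above.
FULL_ACCESS_ARN = "arn:aws:iam::aws:policy/AWSCloudTrail_FullAccess"


def attached_entities(iam, policy_arn=FULL_ACCESS_ARN):
    """Walk ListEntitiesForPolicy (paginated with Marker/IsTruncated) and return
    {'users': [...], 'groups': [...], 'roles': [...]} holding the entity names."""
    found = {"users": [], "groups": [], "roles": []}
    kwargs = {"PolicyArn": policy_arn}
    while True:
        page = iam.list_entities_for_policy(**kwargs)
        found["users"] += [u["UserName"] for u in page.get("PolicyUsers", [])]
        found["groups"] += [g["GroupName"] for g in page.get("PolicyGroups", [])]
        found["roles"] += [r["RoleName"] for r in page.get("PolicyRoles", [])]
        if not page.get("IsTruncated"):
            return found
        kwargs["Marker"] = page["Marker"]


def review(found, allowed_roles):
    """Return the attachments an administrator should look at: every direct user or
    group attachment, plus any role that is not on the allow-list."""
    unexpected = [f"user:{u}" for u in found["users"]]
    unexpected += [f"group:{g}" for g in found["groups"]]
    unexpected += [f"role:{r}" for r in found["roles"] if r not in allowed_roles]
    return unexpected


class FakeIam:
    """Offline stand-in for a boto3 IAM client; returns two constructed response pages
    shaped like the real ListEntitiesForPolicy output."""

    def __init__(self):
        self.calls = []
        self.pages = [
            {"PolicyUsers": [{"UserName": "alice"}], "PolicyGroups": [],
             "PolicyRoles": [{"RoleName": "CloudTrailAdmin"}],
             "IsTruncated": True, "Marker": "page-2"},
            {"PolicyUsers": [], "PolicyGroups": [{"GroupName": "developers"}],
             "PolicyRoles": [{"RoleName": "OrgAuditRole"}], "IsTruncated": False},
        ]

    def list_entities_for_policy(self, **kwargs):
        self.calls.append(kwargs)
        return self.pages[1] if "Marker" in kwargs else self.pages[0]


if __name__ == "__main__":
    import sys

    if "--live" in sys.argv:
        import boto3  # real call; needs credentials that allow iam:ListEntitiesForPolicy

        iam = boto3.client("iam")
    else:
        iam = FakeIam()
    found = attached_entities(iam)
    # Assumed allow-list: the one role that administrators are expected to assume.
    for name in review(found, allowed_roles={"CloudTrailAdmin"}):
        print("unexpected attachment:", name)
```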

# View event history
<a name="tutorial-event-history"></a>

This section describes how to use the CloudTrail **Event history** page on the CloudTrail console to view the last 90 days of management events for your AWS account for the current AWS Region.

**To view the Event history**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the navigation pane, choose **Event history**. You see a filtered list of events, with the most recent events showing first. The default filter for events is **Read only**, set to **false**. You can clear that filter by choosing **X** at the right of the filter. You can search events in **Event history** by filtering for events on a single attribute.  
![\[The CloudTrail Event history page highlighting the Read-only filter\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cloudtrail-event-history.png)

1. Choose an attribute to filter on and enter the full value for the attribute. CloudTrail can't filter on a partial value. For example, to view all console login events, choose the **Event name** filter, and specify **ConsoleLogin** for the attribute value.  
![\[The CloudTrail Event history page filtered on the ConsoleLogin event.\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cloudtrail-event-history-filters.png)

   Or, to view recent CloudTrail management events, choose **Event source**, and specify `cloudtrail.amazonaws.com`. For information about the events a service logs to CloudTrail, refer to the service's API Reference.  
![\[The CloudTrail Event history page filtered on a specific event source\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/event-history-event-source.png)

1. To view a specific management event, choose the event name. On the event details page, you can view details about the event, see any referenced resources, and view the event record.

1. To compare events, select up to five events by filling their check boxes in the left margin of the **Event history** table. You can view details for selected events side-by-side in the **Compare event details** table.

1. You can save event history by downloading it as a file in CSV or JSON format. Downloading your event history can take a few minutes.  
![\[The CloudTrail Event history page showing the download options\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cloudtrail-event-history-download.png)

For more information, see [Working with CloudTrail event history](view-cloudtrail-events.md).

# Create a trail to log management events
<a name="tutorial-trail"></a>

For your first trail, we recommend creating a trail that logs all [management events](cloudtrail-concepts.md#cloudtrail-concepts-management-events) and does not log any [data events](cloudtrail-concepts.md#cloudtrail-concepts-data-events) or Insights events. Examples of management events include security events such as IAM `CreateUser` and `AttachRolePolicy` events, resource events such as `RunInstances` and `CreateBucket`, and many more. You will create an Amazon S3 bucket where you will store the log files for the trail as part of creating the trail in the CloudTrail console.

**Note**  
AWS Control Tower sets up a new CloudTrail trail logging management events when you set up a landing zone. It is an organization-level trail, which means that it logs all management events for the management account and all member accounts in the organization. For more information, see [About logging in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/about-logging.html) in the *AWS CloudTrail User Guide*.  
This tutorial assumes you are creating your first trail. Depending on the number of trails you have in your AWS account, and how those trails are configured, the following procedure might or might not incur expenses. CloudTrail stores log files in an Amazon S3 bucket, which incurs costs. For more information about pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/) and [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/).

**To create a trail**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the **Region** selector, choose the AWS Region where you want your trail to be created. This is the home Region for the trail.
**Note**  
The home Region is the only AWS Region where you can update the trail after it is created.

1. On the CloudTrail service home page, the **Trails** page, or the **Trails** section of the **Dashboard** page, choose **Create trail**.

1. In **Trail name**, give your trail a name, such as *management-events*. As a best practice, use a name that quickly identifies the purpose of the trail. In this case, you're creating a trail that logs management events.

1. Leave the default setting for **Enable for all accounts in my organization**. This option won't be available to change unless you have accounts configured in Organizations.

1. For **Storage location**, choose **Create new S3 bucket** to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies. If you choose to create a new S3 bucket, your IAM policy needs to include permission for the `s3:PutEncryptionConfiguration` action because by default server-side encryption is enabled for the bucket. Give your bucket a name that makes it easy to identify.

   To make it easier to find your logs, create a new folder (also known as a *prefix*) in an existing bucket to store your CloudTrail logs.
**Note**  
The name of your Amazon S3 bucket must be globally unique. For more information, see [Bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html) in the *Amazon Simple Storage Service User Guide*.

1. Clear the check box to disable **Log file SSE-KMS encryption**. By default, your log files are encrypted with SSE-S3 encryption. For more information about this setting, see [Using server-side encryption with Amazon S3 managed keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).

1. Leave default settings in **Additional settings**.

1. Leave the default settings for **CloudWatch Logs**. For now, do not send logs to Amazon CloudWatch Logs.

1. (Optional) In **Tags**, you can add up to 50 tag key pairs to help you identify, sort, and control access to your trail. Tags can help you identify your CloudTrail trails and other resources, such as the Amazon S3 buckets that contain CloudTrail log files. For example, you could attach a tag with the name **Compliance** and the value **Auditing**.
**Note**  
Though you can add tags to trails when you create them in the CloudTrail console, and you can create an Amazon S3 bucket to store your log files in the CloudTrail console, you cannot add tags to the Amazon S3 bucket from the CloudTrail console. For more information about viewing and changing the properties of an Amazon S3 bucket, including adding tags to a bucket, see the [https://docs.aws.amazon.com/AmazonS3/latest/userguide/view-bucket-properties.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/view-bucket-properties.html).

   When you are finished creating tags, choose **Next**.

1. On the **Choose log events** page, select event types to log. For this trail, keep the default, **Management events**. In the **Management events** area, choose to log both **Read** and **Write** events, if they are not already selected. Leave the check boxes for **Exclude AWS KMS events** and **Exclude Amazon RDS Data API events** empty, to log all management events.  
![\[The Create trail page, Event type settings\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cloudtrail-create-trail-event-type.png)

1. Leave default settings for **Data events**, **Insights events**, and **Network activity events**. This trail will not log any data events, Insights events, or network activity events. Choose **Next**.

1. On the **Review and create** page, review the settings you've chosen for your trail. Choose **Edit** for a section to go back and make changes. When you are ready to create your trail, choose **Create trail**.

1. The **Trails** page shows your new trail in the table. Note that the trail is set to **Multi-region trail** by default, and that logging is turned on for the trail by default.  
![\[The Create trail page, Event type settings\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cloudtrail-create-trail-done.png)

For more information about trails, see [Working with CloudTrail trails](cloudtrail-trails.md).

# View your log files
<a name="tutorial-trail-logs"></a>

Within an average of about 5 minutes of creating your first trail, CloudTrail delivers the first set of log files to the Amazon S3 bucket for your trail. You can look at these files and learn about the information they contain.

**Note**  
CloudTrail typically delivers logs within an average of about 5 minutes of an API call. This time is not guaranteed. Review the [AWS CloudTrail Service Level Agreement](https://aws.amazon.com/cloudtrail/sla) for more information.  
If you misconfigure your trail (for example, the S3 bucket is unreachable), CloudTrail will attempt to redeliver the log files to your S3 bucket for 30 days, and these attempted-to-deliver events will be subject to standard CloudTrail charges. To avoid charges on a misconfigured trail, you need to delete the trail.

**To view your log files**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the navigation pane, choose **Trails**. On the **Trails** page, find the name of the trail you just created (in the example, *management-events*).

1. In the row for the trail, choose the value for the S3 bucket.

1. The Amazon S3 console opens and shows two folders for the bucket: `CloudTrail-Digest` and `CloudTrail`. Choose the **CloudTrail** folder to view the log files.

1. If you created a multi-Region trail, there is a folder for each AWS Region. Choose the folder for the AWS Region where you want to review log files. For example, if you want to review the log files for the US East (Ohio) Region, choose **us-east-2**.  
![\[An Amazon S3 bucket for a trail, showing the structure for log files in AWS Regions\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cloudtrail-trail-bucket-1.png)

1. Navigate the bucket folder structure to the year, the month, and the day where you want to review logs of activity in that Region. In that day, there are a number of files. The names of the files begin with your AWS account ID and end with the extension `.gz`. For example, if your account ID is *123456789012*, you would see files with names similar to this: *123456789012*\_CloudTrail\_*us-east-2*\_*20240512T0000Z\_EXAMPLE*.json.gz.

   To view these files, you can download them, unzip them, and then view them in a plain-text editor or a JSON file viewer. Some browsers also support viewing .gz and JSON files directly. We recommend using a JSON viewer, as it makes it easier to parse the information in CloudTrail log files. 
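As an added example (not part of this guide), the following Python script does offline what the **Event history** steps and this section describe: it decompresses a CloudTrail `.json.gz` delivery file, applies exact-value filters such as `eventName=ConsoleLogin` or `eventSource=cloudtrail.amazonaws.com` (the console cannot filter on partial values either), and picks out the security events the trail tutorial names (`ConsoleLogin`, `CreateUser`, `AttachRolePolicy`). The log file and every identity, IP address and parameter value in it are constructed for this example.

```python
"""Parse a CloudTrail log file and pick out the security-relevant management events."""
import gzip
import json

# Management events the tutorial singles out as security events, plus console sign-ins.
SENSITIVE_EVENTS = {"ConsoleLogin", "CreateUser", "AttachRolePolicy"}


def make_record(time, source, name, read_only, user, **extra):
    """Build one CloudTrail-shaped record (helper for the constructed sample below)."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "awsRegion": "us-east-2",
        "sourceIPAddress": "198.51.100.7",
        "readOnly": read_only,
        "userIdentity": {"type": "IAMUser", "userName": user},
    }
    rec.update(extra)
    return rec


# Constructed sample: the content of a delivered log file, which is one JSON object
# with a "Records" array, gzip-compressed as the .json.gz object in S3 would be.
SAMPLE_LOG_GZ = gzip.compress(json.dumps({"Records": [
    make_record("2024-05-12T00:01:10Z", "signin.amazonaws.com", "ConsoleLogin", False, "alice",
                responseElements={"ConsoleLogin": "Success"},
                additionalEventData={"MFAUsed": "No"}),
    make_record("2024-05-12T00:02:30Z", "iam.amazonaws.com", "CreateUser", False, "alice",
                requestParameters={"userName": "svc-backup"}),
    make_record("2024-05-12T00:02:45Z", "iam.amazonaws.com", "AttachRolePolicy", False, "alice",
                requestParameters={"roleName": "app-role",
                                   "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    make_record("2024-05-12T00:03:05Z", "cloudtrail.amazonaws.com", "DescribeTrails", True, "bob"),
]}).encode())


def load_records(gz_bytes):
    """Decompress a CloudTrail log file and return its list of event records."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def filter_events(records, **attrs):
    """Exact-match filter on top-level record attributes, mirroring the console's
    Event history filters, e.g. filter_events(records, eventName="ConsoleLogin")."""
    return [r for r in records if all(r.get(k) == v for k, v in attrs.items())]


def flag_sensitive(records):
    """Return (eventTime, eventName, actor, detail) for each sensitive event found."""
    findings = []
    for r in records:
        name = r["eventName"]
        if name not in SENSITIVE_EVENTS:
            continue
        actor = r.get("userIdentity", {}).get("userName", "<unknown>")
        params = r.get("requestParameters") or {}
        if name == "ConsoleLogin":
            # A sign-in without MFA is the detail most reviewers want to see first.
            mfa = (r.get("additionalEventData") or {}).get("MFAUsed", "Unknown")
            result = (r.get("responseElements") or {}).get("ConsoleLogin")
            detail = f"result={result} MFAUsed={mfa}"
        elif name == "CreateUser":
            detail = f"new user={params.get('userName')}"
        else:  # AttachRolePolicy
            detail = f"role={params.get('roleName')} policy={params.get('policyArn')}"
        findings.append((r["eventTime"], name, actor, detail))
    return findings


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_GZ)
    print(f"{len(recs)} records; {len(filter_events(recs, readOnly=False))} are write events")
    for finding in flag_sensitive(recs):
        print(*finding)
```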

# Create an event data store for S3 data events
<a name="tutorial-lake-S3"></a>

You can create an event data store to log CloudTrail events (management events, data events), [CloudTrail Insights events](query-event-data-store-insights.md), [AWS Audit Manager evidence](https://docs.aws.amazon.com/audit-manager/latest/userguide/evidence-finder.html#understanding-evidence-finder), [AWS Config configuration items](query-event-data-store-config.md), or [non-AWS events](event-data-store-integration-events.md). 

When you create an event data store for data events, you choose the AWS services and resource types for which you want to log data events. For information about AWS services that log data events, see [Data events](logging-data-events-with-cloudtrail.md#logging-data-events).

This walkthrough shows you how to create an event data store for Amazon S3 data events. In this tutorial, instead of logging all Amazon S3 data events, we'll choose a custom log selector template to log events only when an object is deleted from a specific S3 bucket.

**To create an event data store for S3 data events**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1.  From the navigation pane, under **Lake**, choose **Event data stores**. 

1. Choose **Create event data store**.

1. On the **Configure event data store** page, in **General details**, give your event data store a name, such as *s3-data-events-eds*. As a best practice, use a name that quickly identifies the purpose of the event data store. For information about CloudTrail naming requirements, see [Naming requirements for CloudTrail resources, S3 buckets, and KMS keys](cloudtrail-trail-naming-requirements.md).

1. Choose the **Pricing option** that you want to use for your event data store. The pricing option determines the cost for ingesting and storing events, and the default and maximum retention periods for your event data store. For more information, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/) and [Managing CloudTrail Lake costs](cloudtrail-lake-manage-costs.md). 

   The following are the available options:
   + **One-year extendable retention pricing** - Generally recommended if you expect to ingest less than 25 TB of event data per month and want a flexible retention period of up to 10 years. For the first 366 days (the default retention period), storage is included at no additional charge with ingestion pricing. After 366 days, extended retention is available at pay-as-you-go pricing. This is the default option.
     + **Default retention period:** 366 days
     + **Maximum retention period:** 3,653 days
   + **Seven-year retention pricing** - Recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 7 years. Retention is included with ingestion pricing at no additional charge.
     + **Default retention period:** 2,557 days
     + **Maximum retention period:** 2,557 days

1. Specify a retention period for the event data store. Retention periods can be between 7 days and 3,653 days (about 10 years) for the **One-year extendable retention pricing** option, or between 7 days and 2,557 days (about seven years) for the **Seven-year retention pricing** option.

    CloudTrail Lake determines whether to retain an event by checking if the `eventTime` of the event is within the specified retention period. For example, if you specify a retention period of 90 days, CloudTrail will remove events when their `eventTime` is older than 90 days. 

1. (Optional) In **Encryption**, choose whether you want to encrypt the event data store using your own KMS key. By default, all events in an event data store are encrypted by CloudTrail using a KMS key that AWS owns and manages for you.

   To enable encryption using your own KMS key, choose **Use my own AWS KMS key**. Choose **New** to have an AWS KMS key created for you, or choose **Existing** to use an existing KMS key. In **Enter KMS alias**, specify an alias, in the format `alias/`*MyAliasName*. Using your own KMS key requires that you edit your KMS key policy to allow CloudTrail logs to be encrypted and decrypted. For more information, see [Configure AWS KMS key policies for CloudTrail](create-kms-key-policy-for-cloudtrail.md). CloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the *AWS Key Management Service Developer Guide*.

   Using your own KMS key incurs AWS KMS costs for encryption and decryption. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed.
**Note**  
To enable AWS Key Management Service encryption for an organization event data store, you must use an existing KMS key for the management account.

1. (Optional) If you want to query against your event data using Amazon Athena, choose **Enable** in **Lake query federation**. Federation lets you view the metadata associated with the event data store in the AWS Glue [Data Catalog](https://docs.aws.amazon.com/glue/latest/dg/components-overview.html#data-catalog-intro) and run SQL queries against the event data in Athena. The table metadata stored in the AWS Glue Data Catalog lets the Athena query engine know how to find, read, and process the data that you want to query. For more information, see [Federate an event data store](query-federation.md).

   To enable Lake query federation, choose **Enable** and then do the following:

   1. Choose whether you want to create a new role or use an existing IAM role. [AWS Lake Formation](https://docs.aws.amazon.com/lake-formation/latest/dg/how-it-works.html) uses this role to manage permissions for the federated event data store. When you create a new role using the CloudTrail console, CloudTrail automatically creates a role with the required permissions. If you choose an existing role, be sure the policy for the role provides the [required minimum permissions](query-federation.md#query-federation-permissions-role).

   1. If you are creating a new role, enter a name to identify the role.

   1. If you are using an existing role, choose the role you want to use. The role must exist in your account.

1. (Optional) Choose **Enable resource policy** to add a resource-based policy to your event data store. Resource-based policies allow you to control which principals can perform actions on your event data store. For example, you can add a resource-based policy that allows the root users in other accounts to query this event data store and view the query results. For example policies, see [Resource-based policy examples for event data stores](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-eds).

   A resource-based policy includes one or more statements. Each statement in the policy defines the [principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) that are allowed or denied access to the event data store and the actions the principals can perform on the event data store resource.

   The following actions are supported in resource-based policies for event data stores:
   +  `cloudtrail:StartQuery` 
   +  `cloudtrail:CancelQuery` 
   +  `cloudtrail:ListQueries` 
   +  `cloudtrail:DescribeQuery` 
   +  `cloudtrail:GetQueryResults` 
   +  `cloudtrail:GenerateQuery` 
   +  `cloudtrail:GenerateQueryResultsSummary` 
   +  `cloudtrail:GetEventDataStore` 

   For [organization event data stores](cloudtrail-lake-organizations.md), CloudTrail creates a [default resource-based policy](cloudtrail-lake-organizations.md#cloudtrail-lake-organizations-eds-rbp) that lists the actions that the delegated administrator accounts are allowed to perform on organization event data stores. The permissions in this policy are derived from the delegated administrator permissions in AWS Organizations. This policy is updated automatically following changes to the organization event data store or to the organization (for example, a CloudTrail delegated administrator account is registered or removed).

1. (Optional) In **Tags**, add one or more custom tags (key-value pairs) to your event data store. Tags can help you identify your CloudTrail event data stores. For example, you could attach a tag with the name **stage** and the value **prod**. You can use tags to limit access to your event data store. You can also use tags to track the query and ingestion costs for your event data store.

   For information about how to use tags to track costs, see [Creating user-defined cost allocation tags for CloudTrail Lake event data stores](cloudtrail-budgets-tools.md#cloudtrail-lake-manage-costs-tags). For information about how to use IAM policies to authorize access to an event data store based on tags, see [Examples: Denying access to create or delete event data stores based on tags](security_iam_id-based-policy-examples.md#security_iam_id-based-policy-examples-eds-tags). For information about how you can use tags in AWS, see [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the *Tagging AWS Resources User Guide*.

1.  Choose **Next** to configure the event data store. 

1.  On the **Choose events** page, leave the default selections for **Event type**.  
![\[Choose event type for the event data store\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/lake-event-type.png)

1. For **CloudTrail events**, choose **Data events** and deselect **Management events**. For more information about data events, see [Logging data events](logging-data-events-with-cloudtrail.md).  
![\[Choose CloudTrail data events for event data store\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cloudtrail-events-data.png)

1. Leave the default setting for **Copy trail events**. You'd use this option to copy existing trail events to your event data store. For more information, see [Copy trail events to an event data store](cloudtrail-copy-trail-to-lake-eds.md).

1. Choose **Enable for all accounts in my organization** if this is an organization event data store. This option won't be available to change unless you have accounts configured in AWS Organizations.

1.  For **Additional settings** leave the default selections. By default, an event data store collects events for all AWS Regions and starts ingesting events when it's created.

1. For **Data events**, make the following selections:

   1. In **Resource type**, choose **S3**. The resource type identifies the AWS service and resource on which data events are logged.

   1. In **Log selector template**, choose **Custom**. Choosing **Custom** lets you define a custom event selector to filter on the `eventName`, `resources.ARN`, and `readOnly` fields. For information about these fields, see [AdvancedFieldSelector](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) in the *AWS CloudTrail API Reference*.

   1. (Optional) In **Selector name**, enter a name to identify your selector. The selector name is a descriptive name for an advanced event selector, such as "Log DeleteObject API calls for a specific S3 bucket". The selector name is listed as `Name` in the advanced event selector and is viewable if you expand the **JSON view**.  
![\[Expanded JSON view showing advanced event selectors\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/json-view-selector-name.png)

   1. In **Advanced event selectors**, we'll build the custom event selector to filter on the `eventName` and `resources.ARN` fields. Advanced event selectors for an event data store work the same as advanced event selectors that you apply to a trail. For more information about how to build advanced event selectors, see [Logging data events with advanced event selectors](logging-data-events-with-cloudtrail.md#creating-data-event-selectors-advanced).

1. For **Field**, choose **eventName**. For **Operator**, choose **equals**. For **Value**, enter **DeleteObject**. Choose **+ Field** to filter on another field.

      1. For **Field**, choose **resources.ARN**. For **Operator**, choose **StartsWith**. For **Value**, enter the ARN for your bucket (for example, arn:aws:s3:::*amzn-s3-demo-bucket*). For information about how to get the ARN, see [Amazon S3 resources](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-arn-format.html) in the *Amazon Simple Storage Service User Guide*.  
![\[S3 data events configuration\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/eds-data-events.png)

1. Choose **Next** to review your choices.

1. On the **Review and create** page, review your choices. Choose **Edit** to make changes to a section. When you're ready to create the event data store, choose **Create event data store**.

1. The new event data store is visible in the **Event data stores** table on the **Event data stores** page.

   From this point forward, the event data store captures events that match its advanced event selectors. Events that occurred before you created the event data store are not in the event data store, unless you opted to copy existing trail events.
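The JSON below is the advanced event selector that corresponds to the choices made in the **Data events** step above (the selector name from the **Selector name** sub-step, the `amzn-s3-demo-bucket` placeholder from the **resources.ARN** sub-step, and the `eventCategory` and `resources.type` field selectors that CloudTrail always includes for a data event selector). The matching code around it is an added illustration of the `AdvancedFieldSelector` operator semantics, not CloudTrail's own implementation; it assumes that for a multi-valued field such as `resources.ARN` a positive operator matches when any value does, and the S3 records it is run against are constructed.

```python
"""Advanced event selector for the S3 DeleteObject walkthrough, plus a matcher that
applies the AdvancedFieldSelector operators to CloudTrail records."""

# Selector JSON for the console choices above; visible under "JSON view" in the console.
DELETE_OBJECT_SELECTOR = {
    "Name": "Log DeleteObject API calls for a specific S3 bucket",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "eventName", "Equals": ["DeleteObject"]},
        {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::amzn-s3-demo-bucket"]},
    ],
}

# Operators defined by AdvancedFieldSelector: value v against pattern p.
OPERATORS = {
    "Equals": lambda v, p: v == p,
    "NotEquals": lambda v, p: v != p,
    "StartsWith": lambda v, p: v.startswith(p),
    "NotStartsWith": lambda v, p: not v.startswith(p),
    "EndsWith": lambda v, p: v.endswith(p),
    "NotEndsWith": lambda v, p: not v.endswith(p),
}


def field_values(record, field):
    """Values of one record field as strings. resources.type / resources.ARN fan out
    over the record's resources list; readOnly is a boolean in the record but is
    written as "true"/"false" in a selector."""
    if field == "resources.type":
        return [res.get("type", "") for res in record.get("resources", [])]
    if field == "resources.ARN":
        return [res.get("ARN", "") for res in record.get("resources", [])]
    val = record.get(field)
    if isinstance(val, bool):
        return ["true" if val else "false"]
    return [] if val is None else [str(val)]


def field_selector_matches(record, selector):
    """Positive operators match if any record value satisfies any listed pattern;
    negative operators (assumed semantics) must hold for every value and pattern."""
    values = field_values(record, selector["Field"])
    for op, patterns in selector.items():
        if op == "Field":
            continue
        test = OPERATORS[op]
        if op.startswith("Not"):
            if not values or not all(test(v, p) for v in values for p in patterns):
                return False
        elif not any(test(v, p) for v in values for p in patterns):
            return False
    return True


def selector_matches(record, adv_selector=DELETE_OBJECT_SELECTOR):
    """An advanced event selector is the AND of all of its field selectors."""
    return all(field_selector_matches(record, fs) for fs in adv_selector["FieldSelectors"])


def make_s3_event(name, bucket, key, read_only):
    """Constructed S3 data-event record carrying just the fields the selector inspects.
    Real object-level events list both the object and the bucket as resources."""
    return {
        "eventCategory": "Data",
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "readOnly": read_only,
        "resources": [
            {"type": "AWS::S3::Object", "ARN": f"arn:aws:s3:::{bucket}/{key}"},
            {"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{bucket}"},
        ],
    }


if __name__ == "__main__":
    for ev in (make_s3_event("DeleteObject", "amzn-s3-demo-bucket", "report.csv", False),
               make_s3_event("DeleteObject", "other-bucket", "report.csv", False),
               make_s3_event("GetObject", "amzn-s3-demo-bucket", "report.csv", True)):
        print(ev["eventName"], ev["resources"][0]["ARN"], "->", selector_matches(ev))
```

Because **StartsWith** is a plain prefix match, the value `arn:aws:s3:::amzn-s3-demo-bucket` would also select events for a bucket named `amzn-s3-demo-bucket-2`; append `/` to the value to restrict the selector to objects in that one bucket.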

You are now ready to run queries on your event data store. For information about how to view and run sample queries, see [View sample queries with the CloudTrail console](lake-console-queries.md).

For more information about CloudTrail Lake, see [Working with AWS CloudTrail Lake](cloudtrail-lake.md).