This section describes several other commands that you can run to get information about your event data stores, start and stop ingestion on an event data store, and enable and disable federation on an event data store.
Get an event data store with the AWS CLI
The following example AWS CLI get-event-data-store command returns information about the event data store specified by the required --event-data-store parameter, which accepts an ARN or the ID suffix of the ARN.
aws cloudtrail get-event-data-store \
    --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE
The following is an example response. Creation and last updated times are in timestamp format.
{
    "EventDataStoreARN": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
    "Name": "s3-data-events-eds",
    "Status": "ENABLED",
    "AdvancedEventSelectors": [
        {
            "Name": "Log DeleteObject API calls for a specific S3 bucket",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Data"
                    ]
                },
                {
                    "Field": "eventName",
                    "Equals": [
                        "DeleteObject"
                    ]
                },
                {
                    "Field": "resources.ARN",
                    "StartsWith": [
                        "arn:aws:s3:::amzn-s3-demo-bucket"
                    ]
                },
                {
                    "Field": "readOnly",
                    "Equals": [
                        "false"
                    ]
                },
                {
                    "Field": "resources.type",
                    "Equals": [
                        "AWS::S3::Object"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "FIXED_RETENTION_PRICING",
    "RetentionPeriod": 2557,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2023-11-09T22:20:36.344000+00:00",
    "UpdatedTimestamp": "2023-11-09T22:20:36.476000+00:00"
}
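A defender reading the response above usually wants a quick posture check rather than a visual inspection. The following Python example is added here and is not part of the CloudTrail documentation or the AWS CLI: it audits one get-event-data-store response for ingestion status, termination protection, Region coverage, a retention floor (the 365-day threshold is an assumed policy value) and S3 selector prefixes that lack a trailing slash. The sample response is constructed, with termination protection switched off so the check reports something.

```python
import json

# Constructed sample in the shape of the get-event-data-store response above, with
# termination protection switched off so that the check below has something to report.
SAMPLE_EDS = json.loads("""
{
  "EventDataStoreARN": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
  "Name": "s3-data-events-eds",
  "Status": "ENABLED",
  "AdvancedEventSelectors": [{
    "Name": "Log DeleteObject API calls for a specific S3 bucket",
    "FieldSelectors": [
      {"Field": "eventCategory", "Equals": ["Data"]},
      {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
      {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::amzn-s3-demo-bucket"]}
    ]
  }],
  "MultiRegionEnabled": true,
  "TerminationProtectionEnabled": false,
  "RetentionPeriod": 2557
}
""")

def audit_event_data_store(eds, min_retention_days=365):
    """Return (severity, message) findings for one get-event-data-store response."""
    findings = []
    name = eds.get("Name") or eds.get("EventDataStoreARN", "?")
    status = eds.get("Status")
    if status != "ENABLED":
        findings.append(("high", f"{name}: status is {status}, events are not being ingested"))
    if not eds.get("TerminationProtectionEnabled", False):
        findings.append(("medium", f"{name}: termination protection is disabled"))
    if not eds.get("MultiRegionEnabled", False):
        findings.append(("medium", f"{name}: single-Region store misses activity in other Regions"))
    retention = eds.get("RetentionPeriod", 0)
    if retention < min_retention_days:  # assumed organisational floor, passed in by the caller
        findings.append(("low", f"{name}: retention of {retention} days is below {min_retention_days}"))
    # StartsWith is a plain prefix match: an S3 ARN prefix with no trailing "/" also
    # matches every bucket whose name begins with the same string.
    for selector in eds.get("AdvancedEventSelectors", []):
        for fs in selector.get("FieldSelectors", []):
            if fs.get("Field") != "resources.ARN":
                continue
            for prefix in fs.get("StartsWith", []):
                if prefix.startswith("arn:aws:s3:::") and not prefix.endswith("/"):
                    findings.append(("low", f"{name}: selector prefix {prefix} lacks a trailing '/'"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_event_data_store(SAMPLE_EDS):
        print(f"[{severity}] {message}")
```

Feed it the output of aws cloudtrail get-event-data-store (for example via json.load on the captured stdout) to run the same checks against a real store.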
List all event data stores in an account with the AWS CLI
The following example AWS CLI list-event-data-stores command returns information about all event data stores in an account, in the current Region. Optional parameters include --max-results, to specify a maximum number of results that you want the command to return on a single page. If there are more results than your specified --max-results value, run the command again adding the returned NextToken value to get the next page of results.
aws cloudtrail list-event-data-stores
The following is an example response.
{
    "EventDataStores": [
        {
            "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE7-cad6-4357-a84b-318f9868e969",
            "Name": "management-events-eds"
        },
        {
            "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE6-88e1-43b7-b066-9c046b4fd47a",
            "Name": "config-items-eds"
        },
        {
            "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEf-b314-4c85-964e-3e43b1e8c3b4",
            "Name": "s3-data-events"
        }
    ]
}
Get the resource-based policy for an event data store with the AWS CLI
The following example runs the get-resource-policy command on an organization event data store.
aws cloudtrail get-resource-policy --resource-arn arn:aws:cloudtrail:us-east-1:888888888888:eventdatastore/example6-d493-4914-9182-e52a7934b207
Because the command was run on an organization event data store, the output shows both the provided resource-based policy and the DelegatedAdminResourcePolicy generated for the delegated administrator accounts 333333333333 and 111111111111.
{
    "ResourceArn": "arn:aws:cloudtrail:us-east-1:888888888888:eventdatastore/example6-d493-4914-9182-e52a7934b207",
    "ResourcePolicy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EdsPolicyA",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::666666666666:root"
            },
            "Action": [
                "cloudtrail:geteventdatastore",
                "cloudtrail:startquery",
                "cloudtrail:describequery",
                "cloudtrail:cancelquery",
                "cloudtrail:generatequery",
                "cloudtrail:generatequeryresultssummary"
            ],
            "Resource": "arn:aws:cloudtrail:us-east-1:888888888888:eventdatastore/example6-d493-4914-9182-e52a7934b207"
        }]
    },
    "DelegatedAdminResourcePolicy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Organization-EventDataStore-Auto-Generated-Delegated-Admin-Statement",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["333333333333", "111111111111"]
            },
            "Action": [
                "cloudtrail:AddTags",
                "cloudtrail:CancelQuery",
                "cloudtrail:CreateEventDataStore",
                "cloudtrail:DeleteEventDataStore",
                "cloudtrail:DescribeQuery",
                "cloudtrail:DisableFederation",
                "cloudtrail:EnableFederation",
                "cloudtrail:GenerateQuery",
                "cloudtrail:GenerateQueryResultsSummary",
                "cloudtrail:GetEventConfiguration",
                "cloudtrail:GetEventDataStore",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetQueryResults",
                "cloudtrail:ListEventDataStores",
                "cloudtrail:ListQueries",
                "cloudtrail:ListTags",
                "cloudtrail:RemoveTags",
                "cloudtrail:RestoreEventDataStore",
                "cloudtrail:UpdateEventDataStore",
                "cloudtrail:StartEventDataStoreIngestion",
                "cloudtrail:StartQuery",
                "cloudtrail:StopEventDataStoreIngestion",
                "cloudtrail:UpdateEventDataStore"
            ],
            "Resource": "arn:aws:cloudtrail:us-east-1:888888888888:eventdatastore/example6-d493-4914-9182-e52a7934b207"
        }]
    }
}
Attach a resource-based policy to an event data store with the AWS CLI
To run queries on a dashboard during a manual or scheduled refresh, you need to attach a resource-based policy to every event data store that is associated with a widget on the dashboard. This allows CloudTrail Lake to run the queries on your behalf. For more information about the resource-based policy, see Example: Allow CloudTrail to run queries to refresh a dashboard.
The following example attaches a resource-based policy to an event data store that allows CloudTrail to run queries on a dashboard when the dashboard is refreshed. Replace account-id with your account ID, eds-arn with the ARN of the event data store for which CloudTrail will run queries, and dashboard-arn with the ARN of the dashboard.
aws cloudtrail put-resource-policy \
    --resource-arn eds-arn \
    --resource-policy '{"Version": "2012-10-17", "Statement": [{"Sid": "EDSPolicy", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Resource": "eds-arn", "Action": "cloudtrail:StartQuery", "Condition": { "StringEquals": { "AWS:SourceArn": "dashboard-arn", "AWS:SourceAccount": "account-id"}}} ]}'
The following is the example response.
{
    "ResourceArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
    "ResourcePolicy": "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Sid\": \"EDSPolicy\", \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"cloudtrail.amazonaws.com\" }, \"Resource\": \"eds-arn\", \"Action\": \"cloudtrail:StartQuery\", \"Condition\": { \"StringEquals\": { \"AWS:SourceArn\": \"dashboard-arn\", \"AWS:SourceAccount\": \"account-id\" } } } ] }"
}
For additional policy examples, see Resource-based policy examples for event data stores.
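The get-resource-policy output and the dashboard policy above are the two shapes of resource-based policy a reviewer sees on an event data store. The following Python example is added here and is not AWS code: it audits a policy document for AWS principals outside a trusted-account set, for privileged actions granted cross-account, and for a service-principal statement that lacks the AWS:SourceArn and AWS:SourceAccount conditions the dashboard example relies on. The policy it parses is constructed for the example, reusing the account IDs and store ARN shown above.

```python
import json

# Constructed sample modelled on the get-resource-policy output above: a cross-account
# statement and a dashboard statement that is missing its source conditions.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EdsPolicyA", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::666666666666:root"},
     "Action": ["cloudtrail:geteventdatastore", "cloudtrail:startquery", "cloudtrail:DeleteEventDataStore"],
     "Resource": "arn:aws:cloudtrail:us-east-1:888888888888:eventdatastore/example6-d493-4914-9182-e52a7934b207"},
    {"Sid": "EDSPolicy", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "cloudtrail:StartQuery",
     "Resource": "arn:aws:cloudtrail:us-east-1:888888888888:eventdatastore/example6-d493-4914-9182-e52a7934b207"}
  ]
}
""")

# Actions that change or remove the store rather than query it. IAM action names are
# case-insensitive (the page shows both spellings), so everything is compared lowercased.
PRIVILEGED = {"cloudtrail:deleteeventdatastore", "cloudtrail:updateeventdatastore",
              "cloudtrail:stopeventdatastoreingestion", "cloudtrail:disablefederation"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def audit_resource_policy(policy, trusted_accounts):
    """Return (Sid, message) findings for Allow statements that reach beyond trusted accounts."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid, principal = st.get("Sid", "<no sid>"), st.get("Principal", {})
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append((sid, "statement is open to any AWS principal"))
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        for p in aws_principals:
            account = p.split(":")[4] if p.startswith("arn:") else p  # bare account IDs are valid too
            if account not in trusted_accounts:
                findings.append((sid, f"grants access to untrusted account {account}"))
        if aws_principals and actions & PRIVILEGED:
            findings.append((sid, f"grants privileged actions {sorted(actions & PRIVILEGED)}"))
        if isinstance(principal, dict) and "Service" in principal:
            # Without source conditions the service grant is not pinned to one dashboard/account.
            cond = {k.lower() for k in st.get("Condition", {}).get("StringEquals", {})}
            if not {"aws:sourcearn", "aws:sourceaccount"} <= cond:
                findings.append((sid, "service principal lacks aws:SourceArn/aws:SourceAccount conditions"))
    return findings
```

Pass the ResourcePolicy object from get-resource-policy (parsing it with json.loads first if the API returned it as a string, as in the put-resource-policy response) together with the accounts you expect to see.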
Delete the resource-based policy attached to an event data store with the AWS CLI
The following example deletes the resource-based policy attached to an event data store. Replace eds-arn with the ARN of the event data store.
aws cloudtrail delete-resource-policy --resource-arn eds-arn
This command produces no output if it's successful.
Stop ingestion on an event data store with the AWS CLI
The following example AWS CLI stop-event-data-store-ingestion command stops an event data store from ingesting events.
To stop ingestion, the event data store Status must be ENABLED and the eventCategory must be Management, Data, or ConfigurationItem.
The event data store is specified by --event-data-store, which accepts an event data store ARN, or the ID suffix of the ARN. After you run stop-event-data-store-ingestion, the state of the event data store changes to STOPPED_INGESTION.
The event data store does count towards your account maximum of ten event data stores when its state is STOPPED_INGESTION.
aws cloudtrail stop-event-data-store-ingestion \
    --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE
There is no response if the operation is successful.
Start ingestion on an event data store with the AWS CLI
The following example AWS CLI start-event-data-store-ingestion command starts event ingestion on an event data store.
To start ingestion, the event data store Status must be STOPPED_INGESTION and the eventCategory must be Management, Data, or ConfigurationItem.
The event data store is specified by --event-data-store, which accepts an event data store ARN, or the ID suffix of the ARN. After you run start-event-data-store-ingestion, the state of the event data store changes to ENABLED.
aws cloudtrail start-event-data-store-ingestion --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE
There is no response if the operation is successful.
Enable federation on an event data store
To enable federation, run the aws cloudtrail enable-federation command, providing the required --event-data-store and --role parameters. For --event-data-store, provide the event data store ARN (or the ID suffix of the ARN). For --role, provide the ARN for your federation role. The role must exist in your account and provide the required minimum permissions.
aws cloudtrail enable-federation \
    --event-data-store arn:aws:cloudtrail:region:account-id:eventdatastore/eds-id \
    --role arn:aws:iam::account-id:role/federation-role-name
This example shows how a delegated administrator can enable federation on an organization event data store by specifying the ARN of the event data store in the management account and the ARN of the federation role in the delegated administrator account.
aws cloudtrail enable-federation \
    --event-data-store arn:aws:cloudtrail:region:management-account-id:eventdatastore/eds-id \
    --role arn:aws:iam::delegated-administrator-account-id:role/federation-role-name
Disable federation on an event data store
To disable federation on the event data store, run the aws cloudtrail disable-federation command. The event data store is specified by --event-data-store, which accepts an event data store ARN or the ID suffix of the ARN.
aws cloudtrail disable-federation \
    --event-data-store arn:aws:cloudtrail:region:account-id:eventdatastore/eds-id
Note
If this is an organization event data store, use the account ID for the management account.
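Stopping ingestion, deleting the resource-based policy and disabling federation (the operations described above) each reduce what a store captures or who controls it, so a security team normally wants them surfaced when they occur. The following Python example is added here and is not part of the CloudTrail documentation: it scans CloudTrail management-event records for those API calls and reports any made by an actor outside an allowlist. The records are constructed for the example; the eventName values follow the API names behind the CLI commands, and the requestParameters field names are assumed.

```python
import json

# Constructed CloudTrail management-event records (not from the page) in the record shape
# CloudTrail writes; requestParameters field names are assumed to mirror the CLI parameters.
SAMPLE_RECORDS = [json.loads(r) for r in [
    '{"eventTime":"2024-01-05T10:02:11Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopEventDataStoreIngestion","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"eventDataStore":"arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE"}}',
    '{"eventTime":"2024-01-05T10:02:40Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DeleteResourcePolicy","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"resourceArn":"arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE"}}',
    '{"eventTime":"2024-01-05T10:03:05Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DisableFederation","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/lake-admin/session"},"requestParameters":{"eventDataStore":"EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE"}}',
    '{"eventTime":"2024-01-05T10:04:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"GetEventDataStore","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"requestParameters":{"eventDataStore":"EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE"}}',
]]

# Lake operations that reduce visibility or remove access controls on a store.
WATCHED = {
    "StopEventDataStoreIngestion": "ingestion stopped",
    "DeleteEventDataStore": "store deleted",
    "DeleteResourcePolicy": "resource-based policy removed",
    "DisableFederation": "federation disabled",
}

def detect_lake_tampering(records, allowed_actor_arns=frozenset()):
    """Return alerts for watched CloudTrail Lake operations by non-allowlisted actors."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in WATCHED:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if actor in allowed_actor_arns:
            continue
        params = rec.get("requestParameters") or {}
        target = params.get("eventDataStore") or params.get("resourceArn") or "?"
        # The CLI accepts either the full ARN or its ID suffix; normalise to the suffix.
        store_id = target.rsplit("/", 1)[-1]
        alerts.append({"time": rec.get("eventTime"), "actor": actor,
                       "store": store_id, "what": WATCHED[name]})
    return alerts

if __name__ == "__main__":
    for alert in detect_lake_tampering(SAMPLE_RECORDS):
        print(alert)
```

The same function works on the Records array of a delivered CloudTrail log file, or on rows returned by a Lake query, once the actors who are expected to run these commands are added to the allowlist.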
Restore an event data store with the AWS CLI
The following example AWS CLI restore-event-data-store command restores an event data store that is pending deletion. The event data store is specified by --event-data-store, which accepts an event data store ARN or the ID suffix of the ARN. You can only restore a deleted event data store within the seven-day wait period after deletion.
aws cloudtrail restore-event-data-store \
--event-data-store EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE
The response includes information about the event data store, including its ARN, advanced event selectors, and the status of restoration.