# Enable Lake query federation **Note** AWS CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](cloudtrail-lake-service-availability-change.md). You can enable Lake query federation by using the CloudTrail console, AWS CLI, or [https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EnableFederation.html](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EnableFederation.html) API operation. When you enable Lake query federation, CloudTrail creates a managed database named `aws:cloudtrail` (if the database doesn't already exist) and a managed federated table in the AWS Glue Data Catalog. The event data store ID is used for the table name. CloudTrail registers the federation role ARN and event data store in [AWS Lake Formation](query-federation-lake-formation.md), the service responsible for allowing fine-grained access control of the federated resources in the AWS Glue Data Catalog. This section describes how to enable federation using the CloudTrail console and AWS CLI. ------ #### [ CloudTrail console ] The following procedure shows you how to enable Lake query federation on an existing event data store. 1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/). 1. In the navigation pane, under **Lake**, choose **Event data stores**. 1. Choose the event data store that you want to update. This opens the event data store's details page. 1. In **Lake query federation**, choose **Edit** and then choose **Enable**. 1. Choose whether to create a new IAM role, or use an existing role. When you create a new role, CloudTrail automatically creates a role with the required permissions. If you're using an existing role, be sure the role's policy provides the [required minimum permissions](query-federation.md#query-federation-permissions-role). 1. If you're creating a new IAM role, enter a name for the role. 1. If you're choosing an existing IAM role, choose the role you want to use. The role must exist in your account. 1. Choose **Save changes**. The **Federation status** changes to `Enabled`. ------ #### [ AWS CLI ] To enable federation, run the **aws cloudtrail enable-federation** command, providing the required **--event-data-store** and **--role** parameters. For **--event-data-store**, provide the event data store ARN (or the ID suffix of the ARN). For **--role**, provide the ARN for your federation role. The role must exist in your account and provide the [required minimum permissions](query-federation.md#query-federation-permissions-role). ``` aws cloudtrail enable-federation --event-data-store arn:aws:cloudtrail:region:account-id:eventdatastore/eds-id --role arn:aws:iam::account-id:role/federation-role-name ``` This example shows how a delegated administrator can enable federation on an organization event data store by specifying the ARN of the event data store in the management account and the ARN of the federation role in the delegated administrator account. ``` aws cloudtrail enable-federation --event-data-store arn:aws:cloudtrail:region:management-account-id:eventdatastore/eds-id --role arn:aws:iam::delegated-administrator-account-id:role/federation-role-name ``` ------