Update an event data store with the console
This section describes how to update an event data store's settings using the AWS Management Console. For information about how to update an event data store using the AWS CLI, see Update an event data store with the AWS CLI.
To update an event data store
-
Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
. -
In the navigation pane, under Lake, choose Event data stores.
-
Choose the event data store that you want to update. This action opens the event data store's details page.
-
In General details, choose Edit to change the following settings:
-
Event data store name - Change the name that identifies your event data store.
-
Pricing option- For event data stores using the Seven-year retention pricing option, you can choose to use One-year extendable retention pricing instead. We recommend one-year extendable retention pricing for event data stores that ingest less than 25 TB of event data on a monthly basis. We also recommend one-year extendable retention pricing if you're seeking a flexible retention period of up to 10 years. For more information, see AWS CloudTrail Pricing
and Managing CloudTrail Lake costs. Note
You can't change the pricing option for event data stores that use One-year extendable retention pricing. If you want to use Seven-year retention pricing, stop ingestion on your current event data store. Then create a new event data store with the Seven-year retention pricing option.
-
Retention period - Change the retention period for the event data store. The retention period determines how long event data is kept in the event data store. Retention periods can be between 7 days and 3,653 days (about 10 years) for the One-year extendable retention pricing option, or between 7 days and 2,557 days (about seven years) for the Seven-year retention pricing option.
Note
If you decrease the retention period of an event data store, CloudTrail will remove any events with an
eventTime
older than the new retention period. For example, if the previous retention period was 365 days and you decrease it to 100 days, CloudTrail will remove events with aneventTime
older than 100 days. -
Encryption - To encrypt your event data store using your own KMS key, choose Use my own AWS KMS key. By default, all events in an event data store are encrypted by CloudTrail. Using your own KMS key incurs AWS KMS costs for encryption and decryption.
Note
After you associate an event data store with a KMS key, the KMS key can't be removed or changed.
-
To include only events that are logged in the current AWS Region, choose Include on the current region in my event data store. If you don't choose this option, your event data store includes events from all Regions.
-
To have your event data store collect events from all accounts in an AWS Organizations organization, choose Enable for all accounts in my organization. This option is only available if you're signed in with the management account for your organization, and the Event type for the event data store is CloudTrail events or Configuration items.
Choose Save changes when you're finished.
-
-
In Lake query federation, choose Edit to enable or disable Lake query federation. Enabling Lake query federation lets you view the metadata for your event data store in the AWS Glue Data Catalog and run SQL queries on the event data using Amazon Athena. Disabling Lake query federation disables the integration with AWS Glue, AWS Lake Formation, and Amazon Athena. After disabling Lake query federation, you can no longer query your data in Athena. No CloudTrail Lake data is deleted when you disable federation and you can continue to run queries in CloudTrail Lake.
To enable federation, do the following:
Choose Enable.
-
Choose whether to create a new IAM role, or use an existing role. When you create a new role, CloudTrail automatically creates a role with the required permissions. If you're using an existing role, be sure the role's policy provides the required minimum permissions.
-
If you're creating a new IAM role, enter a name for the role.
-
If you're choosing an existing IAM role, choose the role you want to use. The role must exist in your account.
Choose Save changes when you are finished.
-
In Resource policy, choose Edit to add or revise the resource-based policy for the event data store.
Resource-based policies allow you to control which principals can perform actions on your event data store. For example, you can add a resource based policy that allows the root users in other accounts to query this event data store and view the query results. For example policies, see Resource-based policy examples for event data stores.
A resource-based policy includes one or more statements. Each statement in the policy defines the principals that are allowed or denied access to the event data store and the actions the principals can perform on the event data store resource.
The following actions are supported in resource-based policies for event data stores:
-
cloudtrail:StartQuery
-
cloudtrail:CancelQuery
-
cloudtrail:ListQueries
-
cloudtrail:DescribeQuery
-
cloudtrail:GetQueryResults
-
cloudtrail:GenerateQuery
-
cloudtrail:GenerateQueryResultsSummary
-
cloudtrail:GetEventDataStore
For organization event data stores, CloudTrail creates a default resource-based policy that lists the actions that the delegated administrator accounts are allowed to perform on organization event data stores. The permissions in this policy are derived from the delegated administrator permissions in AWS Organizations. This policy is updated automatically following changes to the organization event data store or to the organization (for example, a CloudTrail delegated administrator account is registered or removed).
-
-
Edit any additional settings for your Event type.
Event type Editable settings CloudTrail events
You can edit the following settings for CloudTrail events:
-
To change which events your event data store logs, choose Edit in CloudTrail events.
-
In Management events, choose Edit to change the settings for management events. For more information, see Updating the management event settings for an existing event data store.
-
In Data events, choose Edit to change the settings for data events. You can choose which resource types you want to log and choose the log selector template you want to use. For more information, see Updating an existing event data store to log data events in the AWS Management Console.
-
In Network activity events, choose Edit to change the settings for network activity events. You can choose which network activity event type you want to log and choose the log selector template you want to use. For more information, see Update an existing event data store to log network activity events.
Choose Save changes when you're finished.
Events from integration
In Integrations, choose your integration. Then choose Edit to change the following settings:
-
In Integration details, change the name that identifies your integration's channel.
-
In Event delivery location, choose the destination for your events.
-
In Resource policy, configure the resource policy for the integration's channel.
Choose Save changes when you're finished.
For more information about these settings, see Create an integration with a CloudTrail partner with the console.
-
-
To add, change, or remove tags, choose Edit in Tags. You can add up to 50 tag key pairs to help you identify, sort, and control access to your event data store. Choose Save changes when you're finished.