CloudTrail Lake event data stores - AWS CloudTrail

CloudTrail Lake event data stores

Events are aggregated into event data stores, which are immutable collections of events based on criteria that you select by applying advanced event selectors.

When you create an event data store in CloudTrail Lake, you choose the type of events to include in your event data store. You can create an event data store to include CloudTrail data or management events, CloudTrail Insights events, AWS Config configuration items, or events outside of AWS. Each event data store type can only contain specific event categories (for example, AWS Config configuration items), because the event schema is unique to the event category. You can run SQL queries across multiple event data stores using the supported SQL JOIN keywords. For information about running queries across multiple event data stores, see Advanced, multi-table query support.

The following table shows the supported event categories for each event data store type. The eventCategory column shows the value that you would specify in the advanced event selectors to collect events of that type.

| Event type (console) | eventCategory (API) | Description |
| --- | --- | --- |
| CloudTrail events | Management, Data | This event data store type can collect CloudTrail management and data events. For more information, see Create an event data store for CloudTrail events. |
| CloudTrail Insights events | Insight | This event data store type can collect CloudTrail Insights events. To receive Insights events, you need a source event data store that logs CloudTrail management events and enables Insights. For information about creating the source and destination event data stores, see Create an event data store for CloudTrail Insights events. |
| Configuration items | ConfigurationItem | This event data store type can collect AWS Config configuration items. For more information, see Create an event data store for AWS Config configuration items. |
| Events from integration | ActivityAuditLog | This event data store type can collect non-AWS events from integrations. For more information, see Create an event data store for events outside of AWS. |
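
The category rules in the table above can be checked before an event data store is created. The following is an added example, not code from the AWS documentation: the names `ALLOWED` and `build_selectors` are hypothetical, the `AWS::S3::Object` value is a constructed sample, and the `resources.type` requirement for data events comes from the CloudTrail advanced event selector rules rather than from this page.

```python
# Added example: store type -> eventCategory values, taken from the table above.
ALLOWED = {
    "CloudTrail events": {"Management", "Data"},
    "CloudTrail Insights events": {"Insight"},
    "Configuration items": {"ConfigurationItem"},
    "Events from integration": {"ActivityAuditLog"},
}


def build_selectors(store_type, categories, data_resource_type=None):
    """Return an AdvancedEventSelectors list for one event data store.

    Raises ValueError when a category does not belong to the store type,
    because one store cannot mix event schemas.
    """
    if store_type not in ALLOWED:
        raise ValueError(f"unknown event data store type: {store_type!r}")
    if not categories:
        raise ValueError("at least one eventCategory is required")
    bad = sorted(set(categories) - ALLOWED[store_type])
    if bad:
        raise ValueError(f"{store_type!r} cannot collect {bad}")
    selectors = []
    for category in sorted(set(categories)):
        fields = [{"Field": "eventCategory", "Equals": [category]}]
        if category == "Data":
            # Assumption from the CloudTrail API rules, not from this page:
            # data event selectors also need a resources.type field.
            if not data_resource_type:
                raise ValueError("Data events need a resources.type value")
            fields.append({"Field": "resources.type",
                           "Equals": [data_resource_type]})
        selectors.append({"Name": f"{category} events",
                          "FieldSelectors": fields})
    return selectors


if __name__ == "__main__":
    import json
    # Constructed sample: management events plus S3 object data events.
    print(json.dumps(build_selectors(
        "CloudTrail events", ["Management", "Data"], "AWS::S3::Object"),
        indent=2))
```

The returned list has the shape of the `AdvancedEventSelectors` parameter of the CreateEventDataStore API.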

You can also create an event data store for AWS Audit Manager evidence by using the Audit Manager console. For more information about aggregating evidence in CloudTrail Lake using Audit Manager, see Understanding how evidence finder works with CloudTrail Lake in the AWS Audit Manager User Guide.

CloudTrail Lake event data stores incur charges. When you create an event data store, you choose the pricing option you want to use for the event data store. The pricing option determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store. For information about CloudTrail pricing and managing Lake costs, see AWS CloudTrail Pricing and Managing CloudTrail Lake costs.

The following sections describe how to create, update, and manage event data stores.