

# Federate an event data store
<a name="query-federation"></a>

**Note**  
AWS CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](cloudtrail-lake-service-availability-change.md).

Federating an event data store lets you view the metadata associated with the event data store in the AWS Glue [Data Catalog](https://docs.aws.amazon.com/glue/latest/dg/components-overview.html#data-catalog-intro), registers the Data Catalog with AWS Lake Formation, and lets you run SQL queries against your event data using Amazon Athena. The table metadata stored in the AWS Glue Data Catalog lets the Athena query engine know how to find, read, and process the data that you want to query. 

You can enable federation by using the CloudTrail console, the AWS CLI, or the [EnableFederation](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EnableFederation.html) API operation. When you enable Lake query federation, CloudTrail creates a managed database named `aws:cloudtrail` (if the database doesn't already exist) and a managed federated table in the AWS Glue Data Catalog. The event data store ID is used for the table name. CloudTrail registers the federation role ARN and event data store in [AWS Lake Formation](query-federation-lake-formation.md), the service responsible for allowing fine-grained access control of the federated resources in the AWS Glue Data Catalog.

To enable Lake query federation, you must create a new IAM role or choose an existing role. Lake Formation uses this role to manage permissions for the federated event data store. When you create a new role using the CloudTrail console, CloudTrail automatically creates the required permissions for the role. If you choose an existing role, be sure that the role provides the [minimum permissions](#query-federation-permissions-role).

You can disable federation by using the CloudTrail console, the AWS CLI, or the [DisableFederation](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DisableFederation.html) API operation. When you disable federation, CloudTrail disables the integration with AWS Glue, AWS Lake Formation, and Amazon Athena. After disabling Lake query federation, you can no longer query your event data in Athena. No CloudTrail Lake data is deleted when you disable federation, and you can continue to run queries in CloudTrail Lake.

There are no CloudTrail charges for federating a CloudTrail Lake event data store. There are costs for running queries in Amazon Athena. For more information about Athena pricing, see [Amazon Athena Pricing](https://aws.amazon.com/athena/pricing/).



**Topics**
+ [Considerations](#query-federation-considerations)
+ [Required permissions for federation](#query-federation-permissions)
+ [Enable Lake query federation](query-enable-federation.md)
+ [Disable Lake query federation](query-disable-federation.md)
+ [Managing CloudTrail Lake federation resources with AWS Lake Formation](query-federation-lake-formation.md)

## Considerations
<a name="query-federation-considerations"></a>

Consider the following factors when federating an event data store:
+ There are no CloudTrail charges for federating a CloudTrail Lake event data store. There are costs for running queries in Amazon Athena. For more information about Athena pricing, see [Amazon Athena Pricing](https://aws.amazon.com/athena/pricing/).
+ Lake Formation is used to manage permissions for the federated resources. If you delete the federation role, or revoke permissions to the resources from Lake Formation or AWS Glue, you can't run queries from Athena. For more information about working with Lake Formation, see [Managing CloudTrail Lake federation resources with AWS Lake Formation](query-federation-lake-formation.md). 
+ Anyone using Amazon Athena to query data registered with Lake Formation must have an IAM permissions policy that allows the `lakeformation:GetDataAccess` action. The AWS managed policy [AmazonAthenaFullAccess](https://docs.aws.amazon.com/athena/latest/ug/managed-policies.html#amazonathenafullaccess-managed-policy) allows this action. If you use inline policies, be sure to update your permissions policies to allow this action. For more information, see [Managing Lake Formation and Athena user permissions](https://docs.aws.amazon.com/athena/latest/ug/lf-athena-user-permissions.html).
+ To create views on federated tables in Athena, you need a destination database other than `aws:cloudtrail`. This is because the `aws:cloudtrail` database is managed by CloudTrail.
+ To create a dataset in Amazon Quick, you must choose the **Use custom SQL** option. For more information, see [Creating a dataset using Amazon Athena data](https://docs.aws.amazon.com/quicksight/latest/user/create-a-data-set-athena.html).
+ If federation is enabled, you can't delete an event data store. To delete a federated event data store, you must first [disable federation](query-disable-federation.md) and [termination protection](query-eds-termination-protection.md) if it's enabled.
+ The following considerations apply to organization event data stores:
  + Only a single delegated administrator account or the management account can enable federation on an organization event data store. Other delegated administrator accounts can still query and share information using the [Lake Formation data sharing feature](https://docs.aws.amazon.com/lake-formation/latest/dg/data-sharing-overivew.html).
  + Any delegated administrator account or the organization's management account can disable federation.

## Required permissions for federation
<a name="query-federation-permissions"></a>

Before federating an event data store, be sure that you have all the required permissions for the federation role and for enabling and disabling federation. You only need to update the federation role permissions if you choose an existing IAM role to enable federation. If you choose to create a new IAM role using the CloudTrail console, CloudTrail provides all necessary permissions for the role.

**Topics**
+ [IAM permissions for federating an event data store](#query-federation-permissions-role)
+ [Required permissions for enabling federation](#query-federation-permissions-enable)
+ [Required permissions for disabling federation](#query-federation-permissions-disable)

### IAM permissions for federating an event data store
<a name="query-federation-permissions-role"></a>

When you enable federation, you have the option to create a new IAM role, or use an existing IAM role. When you choose a new IAM role, CloudTrail creates an IAM role with the required permissions and no further action is required on your part.

If you choose an existing role, ensure the IAM role's policies provide the required permissions to enable federation. This section provides examples of the required IAM role permission and trust policies.

The following example provides the permissions policy for the federation role. For the first statement provide the full ARN of your event data store for the `Resource`.

The second statement in this policy allows Lake Formation to decrypt data for an event data store encrypted with a KMS key. Replace *key-region*, *account-id*, and *key-id* with the values for your KMS key. You can omit this statement if your event data store does not use a KMS key for encryption.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LakeFederationEDSDataAccess",
            "Effect": "Allow",
            "Action": "cloudtrail:GetEventDataStoreData",
            "Resource": "arn:aws:cloudtrail:us-east-1:111111111111:eventdatastore/eds-id"
        },
        {
            "Sid": "LakeFederationKMSDecryptAccess",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:111111111111:key/key-id"
        }
    ]
}
```

------

The following example provides the IAM trust policy, which allows AWS Lake Formation to assume an IAM role to manage permissions for the federated event data store. 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lakeformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

------
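The two documents above are what an existing role must carry before you pass it to `EnableFederation`. The following added example (not part of the CloudTrail documentation) is an offline pre-flight check over the role's permissions policy and trust policy as plain dicts, such as the `PolicyDocument` from `aws iam get-role-policy` and the `AssumeRolePolicyDocument` from `aws iam get-role`: it confirms `cloudtrail:GetEventDataStoreData` on the event data store ARN, the two KMS actions on the key when one is used, and that `lakeformation.amazonaws.com` may assume the role. The ARNs and sample documents are constructed placeholders; IAM `Condition`, `NotAction` and `NotResource` elements are not modelled.

```python
import fnmatch

# Constructed placeholder ARNs, mirroring the documentation's example values.
EDS_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:eventdatastore/eds-id"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/key-id"

# Constructed sample documents in the shape returned by `aws iam get-role-policy`
# (PolicyDocument) and `aws iam get-role` (AssumeRolePolicyDocument).
FEDERATION_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LakeFederationEDSDataAccess", "Effect": "Allow",
         "Action": "cloudtrail:GetEventDataStoreData", "Resource": EDS_ARN},
        {"Sid": "LakeFederationKMSDecryptAccess", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KMS_KEY_ARN},
    ],
}
FEDERATION_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lakeformation.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """IAM wildcard matching: '*' is any run of characters, '?' a single character.
    Action names are case-insensitive; resource ARNs are compared as written."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _allows(policy, action, resource):
    """True if an Allow statement grants `action` on `resource` and no statement
    explicitly denies it (an explicit Deny always wins in IAM evaluation).
    Condition, NotAction and NotResource elements are deliberately not modelled."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        hit_action = any(_matches(a, action, True) for a in _as_list(stmt.get("Action")))
        hit_resource = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource")))
        if hit_action and hit_resource:
            allowed |= stmt.get("Effect") == "Allow"
            denied |= stmt.get("Effect") == "Deny"
    return allowed and not denied


def _trusts_lake_formation(trust_policy):
    """True if the trust policy lets lakeformation.amazonaws.com assume the role."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and "lakeformation.amazonaws.com" in services
                and any(_matches(a, "sts:AssumeRole", True) for a in _as_list(stmt.get("Action")))):
            return True
    return False


def check_federation_role(permissions_policy, trust_policy, eds_arn, kms_key_arn=None):
    """Return the list of missing grants; an empty list means the role is usable.
    Pass kms_key_arn only when the event data store is encrypted with a KMS key."""
    findings = []
    if not _allows(permissions_policy, "cloudtrail:GetEventDataStoreData", eds_arn):
        findings.append(f"missing cloudtrail:GetEventDataStoreData on {eds_arn}")
    for action in (("kms:Decrypt", "kms:GenerateDataKey") if kms_key_arn else ()):
        if not _allows(permissions_policy, action, kms_key_arn):
            findings.append(f"missing {action} on {kms_key_arn}")
    if not _trusts_lake_formation(trust_policy):
        findings.append("trust policy does not allow lakeformation.amazonaws.com to sts:AssumeRole")
    return findings
```

Calling `check_federation_role(FEDERATION_PERMISSIONS, FEDERATION_TRUST, EDS_ARN, KMS_KEY_ARN)` on the documented role returns an empty list; a role whose trust policy names a different service, or that lacks the KMS grants for an encrypted store, returns one finding per missing item.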

### Required permissions for enabling federation
<a name="query-federation-permissions-enable"></a>

The following example policy provides the minimum required permissions to enable federation on an event data store. This policy allows CloudTrail to enable federation on the event data store, AWS Glue to create the federated resources in the AWS Glue Data Catalog, and AWS Lake Formation to manage resource registration.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudTrailEnableFederation",
            "Effect": "Allow",
            "Action": "cloudtrail:EnableFederation",
            "Resource": "arn:aws:cloudtrail:us-east-1:111111111111:eventdatastore/eds-id"
        },
        {
            "Sid": "FederationRoleAccess",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "iam:GetRole"
            ],
            "Resource": "arn:aws:iam::111122223333:role/federation-role-name"
        },
        {
            "Sid": "GlueResourceCreation",
            "Effect": "Allow",
            "Action": [
                "glue:CreateDatabase",
                "glue:CreateTable",
                "glue:PassConnection"
            ],
            "Resource": [
                "arn:aws:glue:us-east-1:111111111111:catalog",
                "arn:aws:glue:us-east-1:111111111111:database/aws:cloudtrail",
                "arn:aws:glue:us-east-1:111111111111:table/aws:cloudtrail/eds-id",
                "arn:aws:glue:us-east-1:111111111111:connection/aws:cloudtrail"
            ]
        },
        {
            "Sid": "LakeFormationRegistration",
            "Effect": "Allow",
            "Action": [
                "lakeformation:RegisterResource",
                "lakeformation:DeregisterResource"
            ],
            "Resource": "arn:aws:lakeformation:us-east-1:111111111111:catalog:111111111111"
        }
    ]
}
```

------

### Required permissions for disabling federation
<a name="query-federation-permissions-disable"></a>

The following example policy provides the minimum required resources to disable federation on an event data store. This policy allows CloudTrail to disable federation on the event data store, AWS Glue to delete the managed federated table in the AWS Glue Data Catalog, and Lake Formation to deregister the federated resource.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudTrailDisableFederation",
            "Effect": "Allow",
            "Action": "cloudtrail:DisableFederation",
            "Resource": "arn:aws:cloudtrail:us-east-1:111111111111:eventdatastore/eds-id"
        },
        {
            "Sid": "GlueTableDeletion",
            "Effect": "Allow",
            "Action": "glue:DeleteTable",
            "Resource": [
                "arn:aws:glue:us-east-1:111111111111:catalog",
                "arn:aws:glue:us-east-1:111111111111:database/aws:cloudtrail",
                "arn:aws:glue:us-east-1:111111111111:table/aws:cloudtrail/eds-id"
            ]
        },
        {
            "Sid": "LakeFormationDeregistration",
            "Effect": "Allow",
            "Action": "lakeformation:DeregisterResource",
            "Resource": "arn:aws:lakeformation:us-east-1:111111111111:catalog:111111111111"
        }
    ]
}
```

------

# Enable Lake query federation
<a name="query-enable-federation"></a>


You can enable Lake query federation by using the CloudTrail console, the AWS CLI, or the [EnableFederation](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EnableFederation.html) API operation. When you enable Lake query federation, CloudTrail creates a managed database named `aws:cloudtrail` (if the database doesn't already exist) and a managed federated table in the AWS Glue Data Catalog. The event data store ID is used for the table name. CloudTrail registers the federation role ARN and event data store in [AWS Lake Formation](query-federation-lake-formation.md), the service responsible for allowing fine-grained access control of the federated resources in the AWS Glue Data Catalog.

This section describes how to enable federation using the CloudTrail console and AWS CLI.

------
#### [ CloudTrail console ]

The following procedure shows you how to enable Lake query federation on an existing event data store.

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the navigation pane, under **Lake**, choose **Event data stores**.

1. Choose the event data store that you want to update. This opens the event data store's details page.

1. In **Lake query federation**, choose **Edit** and then choose **Enable**.

1. Choose whether to create a new IAM role, or use an existing role. When you create a new role, CloudTrail automatically creates a role with the required permissions. If you're using an existing role, be sure the role's policy provides the [required minimum permissions](query-federation.md#query-federation-permissions-role).

1. If you're creating a new IAM role, enter a name for the role.

1. If you're choosing an existing IAM role, choose the role you want to use. The role must exist in your account.

1. Choose **Save changes**. The **Federation status** changes to `Enabled`.

------
#### [ AWS CLI ]

To enable federation, run the **aws cloudtrail enable-federation** command, providing the required **--event-data-store** and **--role** parameters. For **--event-data-store**, provide the event data store ARN (or the ID suffix of the ARN). For **--role**, provide the ARN for your federation role. The role must exist in your account and provide the [required minimum permissions](query-federation.md#query-federation-permissions-role).

```
aws cloudtrail enable-federation \
  --event-data-store arn:aws:cloudtrail:region:account-id:eventdatastore/eds-id \
  --role arn:aws:iam::account-id:role/federation-role-name
```

This example shows how a delegated administrator can enable federation on an organization event data store by specifying the ARN of the event data store in the management account and the ARN of the federation role in the delegated administrator account.

```
aws cloudtrail enable-federation \
  --event-data-store arn:aws:cloudtrail:region:management-account-id:eventdatastore/eds-id \
  --role arn:aws:iam::delegated-administrator-account-id:role/federation-role-name
```

------

# Disable Lake query federation
<a name="query-disable-federation"></a>


You can disable federation by using the CloudTrail console, the AWS CLI, or the [DisableFederation](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DisableFederation.html) API operation. When you disable federation, CloudTrail disables the integration with AWS Glue, AWS Lake Formation, and Amazon Athena. After disabling Lake query federation, you can no longer query your event data in Athena. No CloudTrail Lake data is deleted when you disable federation, and you can continue to run queries in CloudTrail Lake.

This section describes how to disable federation using the CloudTrail console and AWS CLI.

------
#### [ CloudTrail console ]

The following procedure shows you how to disable Lake query federation on an existing event data store.

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the navigation pane, under **Lake**, choose **Event data stores**.

1. Choose the event data store that you want to update. This opens the event data store's details page.

1. In **Lake query federation**, choose **Edit** and then choose **Disable**.

1. Choose **Save changes**. The **Federation status** changes to `Disabled`.

------
#### [ AWS CLI ]

To disable federation on the event data store, run the **aws cloudtrail disable-federation** command. The event data store is specified by `--event-data-store`, which accepts an event data store ARN or the ID suffix of the ARN.

```
aws cloudtrail disable-federation \
  --event-data-store arn:aws:cloudtrail:region:account-id:eventdatastore/eds-id
```

**Note**  
If this is an organization event data store, use the account ID for the management account.

------

# Managing CloudTrail Lake federation resources with AWS Lake Formation
<a name="query-federation-lake-formation"></a>


When you federate an event data store, CloudTrail registers the federation role ARN and event data store in AWS Lake Formation, the service responsible for allowing fine-grained access control of the federated resources in the AWS Glue Data Catalog. This section describes how you can use Lake Formation to manage the CloudTrail Lake federation resources.

When you enable federation, CloudTrail creates the following resources in the AWS Glue Data Catalog.
+ **Managed database** – CloudTrail creates 1 database with the name `aws:cloudtrail` per account. CloudTrail manages the database. You can't delete or modify the database in AWS Glue. 
+ **Managed federated table** – CloudTrail creates 1 table for each federated event data store and uses the event data store ID for the table name. CloudTrail manages the tables. You can't delete or modify the tables in AWS Glue. To delete a table, you must [disable federation](query-disable-federation.md) on the event data store. 

## Controlling access to federated resources
<a name="query-federation-lake-formation-control"></a>

You can use one of two permissions methods to control access to the managed database and tables.
+ **IAM only access control** – With IAM only access control, all users in the account with the required IAM permissions are given access to all Data Catalog resources. For information about how AWS Glue works with IAM, see [How AWS Glue works with IAM](https://docs.aws.amazon.com/glue/latest/dg/security_iam_service-with-iam.html).

  On the Lake Formation console, this method appears as **Use only IAM access control**.

  **Note**  
  If you want to create data filters and use other Lake Formation features, you must use Lake Formation access control.
+ **Lake Formation access control** – This method provides the following advantages.
  + You can implement column-level, row-level, and cell-level security by creating [data filters](https://docs.aws.amazon.com/lake-formation/latest/dg/data-filters-about.html). For more information, see [Securing data lakes with row-level access control](https://docs.aws.amazon.com/lake-formation/latest/dg/cbac-tutorial.html) in the *AWS Lake Formation Developer Guide*.
  + The database and tables are only visible to Lake Formation administrators and to the creators of the database and resources. If another user needs access to these resources, you must explicitly [grant access by using Lake Formation permissions](https://docs.aws.amazon.com/lake-formation/latest/dg/granting-catalog-permissions.html).

For more information about access control, see [Methods for fine-grained access control](https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-fine-grained.html).

## Determining the permissions method for a federated resource
<a name="query-federation-lake-formation-permissions-method"></a>

When you enable federation for the first time, CloudTrail creates a managed database and managed federated table using your Lake Formation data lake settings.

After CloudTrail enables federation, you can verify which permissions method you are using for the managed database and managed federated table by checking the permissions for those resources. If the `ALL` (*Super*) permission granted to `IAM_ALLOWED_PRINCIPALS` is present for the resource, the resource is managed exclusively by IAM permissions. If that grant is missing, the resource is managed by Lake Formation permissions. For more information about Lake Formation permissions, see [Lake Formation permissions reference](https://docs.aws.amazon.com/lake-formation/latest/dg/lf-permissions-reference.html).

The permissions method for the managed database and managed federated table can differ. For example, if you check the values for the database and table, you could see the following:
+ For the database, the grant of `ALL` (*Super*) to `IAM_ALLOWED_PRINCIPALS` is present in the permissions, indicating that you're using IAM only access control for the database.
+ For the table, the grant of `ALL` (*Super*) to `IAM_ALLOWED_PRINCIPALS` is not present, which indicates access control by Lake Formation permissions.

You can switch between access methods at any time by adding or removing the `ALL` (*Super*) permission for `IAM_ALLOWED_PRINCIPALS` on any federated resource in Lake Formation.
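The check above is easy to automate over the `PrincipalResourcePermissions` list that `aws lakeformation list-permissions` returns, and the same rule identifies the grants that the cross-account sharing steps later ask you to remove. The following added example (not part of the CloudTrail documentation) classifies each federated resource as IAM-only or Lake Formation controlled, and for every IAM-only resource builds the parameters for `aws lakeformation revoke-permissions` (boto3 `revoke_permissions`) that remove `ALL` from `IAM_ALLOWED_PRINCIPALS`. The entries, catalog ID and analyst role ARN are constructed samples in the response shape, not real output.

```python
IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"

# Constructed sample of ListPermissions output: the managed database is still
# under IAM-only control, while the managed federated table has been switched
# to Lake Formation control and one (hypothetical) role was granted SELECT.
SAMPLE_PERMISSIONS = [
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
     "Resource": {"Database": {"CatalogId": "111111111111", "Name": "aws:cloudtrail"}},
     "Permissions": ["ALL"], "PermissionsWithGrantOption": []},
    {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111111111111:role/analyst"},
     "Resource": {"Table": {"CatalogId": "111111111111",
                            "DatabaseName": "aws:cloudtrail", "Name": "eds-id"}},
     "Permissions": ["SELECT"], "PermissionsWithGrantOption": []},
]


def resource_key(resource):
    """Turn the Resource element of a permission entry into a stable label."""
    if "Database" in resource:
        return "database:" + resource["Database"]["Name"]
    if "Table" in resource:
        table = resource["Table"]
        # A TableWildcard entry applies to every table in the database.
        name = "*" if "TableWildcard" in table else table["Name"]
        return "table:{}/{}".format(table["DatabaseName"], name)
    return "other:" + ",".join(sorted(resource))


def _is_iam_only_grant(entry):
    """The page's rule: ALL (Super) granted to IAM_ALLOWED_PRINCIPALS."""
    principal = entry.get("Principal", {}).get("DataLakePrincipalIdentifier")
    return principal == IAM_ALLOWED_PRINCIPALS and "ALL" in entry.get("Permissions", [])


def classify_access_control(entries):
    """Map each resource seen in the entries to 'IAM only' or 'Lake Formation'."""
    methods = {}
    for entry in entries:
        key = resource_key(entry.get("Resource", {}))
        methods.setdefault(key, "Lake Formation")
        if _is_iam_only_grant(entry):
            methods[key] = "IAM only"
    return methods


def iam_only_revocations(entries):
    """For every IAM-only resource, build the keyword arguments for
    lakeformation.revoke_permissions(...) that remove ALL (Super) from
    IAM_ALLOWED_PRINCIPALS, switching the resource to Lake Formation control."""
    return [
        {
            "Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
            "Resource": entry["Resource"],
            "Permissions": ["ALL"],
        }
        for entry in entries
        if _is_iam_only_grant(entry)
    ]


if __name__ == "__main__":
    for key, method in sorted(classify_access_control(SAMPLE_PERMISSIONS).items()):
        print(f"{key}: {method}")
    for kwargs in iam_only_revocations(SAMPLE_PERMISSIONS):
        print("revoke:", kwargs)
```

With the sample entries the database is reported as IAM only and the table as Lake Formation, matching the mixed state described above, and exactly one revocation (for the database) is produced.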

## Cross-account sharing using Lake Formation
<a name="query-federation-lake-formation-cross-account"></a>

This section describes how to share a managed database and managed federated table across accounts by using Lake Formation.

You can share a managed database across accounts by taking these steps:

1. Update the [cross-account data sharing version](https://docs.aws.amazon.com/lake-formation/latest/dg/optimize-ram.html) to version 4. 

1. Remove the `Super` permission granted to `IAM_ALLOWED_PRINCIPALS` from the database, if present, to switch to Lake Formation access control.

1. Grant `Describe` permissions to the external account on the database.

1. If a Data Catalog resource is shared with your AWS account and your account is not in the same AWS organization as the sharing account, accept the resource share invitation from AWS Resource Access Manager (AWS RAM). For more information, see [Accepting a resource share invitation from AWS RAM](https://docs.aws.amazon.com/lake-formation/latest/dg/accepting-ram-invite.html).

After completing these steps, the database should be visible to the external account. By default, sharing the database does not give access to any tables in the database.

You can share all or individual managed federated tables with an external account by taking these steps:

1. Update the [cross-account data sharing version](https://docs.aws.amazon.com/lake-formation/latest/dg/optimize-ram.html) to version 4. 

1. Remove the `Super` permission granted to `IAM_ALLOWED_PRINCIPALS` from the table, if present, to switch to Lake Formation access control.

1. (Optional) Specify any [data filters](https://docs.aws.amazon.com/lake-formation/latest/dg/data-filters-about.html) to restrict columns or rows.

1. Grant `Select` permissions to the external account on the table.

1. If a Data Catalog resource is shared with your AWS account and your account is not in the same AWS organization as the sharing account, accept the resource share invitation from AWS Resource Access Manager (AWS RAM). For an organization, you can auto accept using RAM settings. For more information, see [Accepting a resource share invitation from AWS RAM](https://docs.aws.amazon.com/lake-formation/latest/dg/accepting-ram-invite.html).

1. The table should now be visible. To enable Amazon Athena queries on this table, create a [resource link in this account](https://docs.aws.amazon.com/lake-formation/latest/dg/create-resource-link-table.html) with the shared table.

The owning account can revoke sharing at any point by removing permissions for the external account from Lake Formation, or by [disabling federation](query-disable-federation.md) in CloudTrail.