event_data_stores
Creates, updates, deletes or gets an event_data_store resource or lists event_data_stores in a region.
Overview
Name | event_data_stores |
Type | Resource |
Description | A storage lake of event data against which you can run complex SQL-based queries. An event data store can include events that you have logged on your account from the last 7 to 2557 or 3653 days (about seven or ten years) depending on the selected BillingMode. |
Id | aws.cloudtrail.event_data_stores |
Fields
Name | Datatype | Description |
---|---|---|
advanced_event_selectors | array | The advanced event selectors that were used to select events for the data store. |
created_timestamp | string | The timestamp of the event data store's creation. |
event_data_store_arn | string | The ARN of the event data store. |
federation_enabled | boolean | Indicates whether federation is enabled on an event data store. |
federation_role_arn | string | The ARN of the role used for event data store federation. |
multi_region_enabled | boolean | Indicates whether the event data store includes events from all regions, or only from the region in which it was created. |
name | string | The name of the event data store. |
organization_enabled | boolean | Indicates that an event data store is collecting logged events for an organization. |
billing_mode | string | The mode that the event data store will use to charge for event storage. |
retention_period | integer | The retention period, in days. |
status | string | The status of an event data store. Values are STARTING_INGESTION, ENABLED, STOPPING_INGESTION, STOPPED_INGESTION and PENDING_DELETION. |
termination_protection_enabled | boolean | Indicates whether the event data store is protected from termination. |
updated_timestamp | string | The timestamp showing when an event data store was updated, if applicable. UpdatedTimestamp is always either the same or newer than the time shown in CreatedTimestamp. |
kms_key_id | string | Specifies the KMS key ID to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by 'alias/', a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier. |
tags | array | |
insight_selectors | array | Lets you enable Insights event logging by specifying the Insights selectors that you want to enable on an existing event data store. Both InsightSelectors and InsightsDestination need to have a value in order to enable Insights events on an event data store. |
insights_destination | string | Specifies the ARN of the event data store that will collect Insights events. Both InsightSelectors and InsightsDestination need to have a value in order to enable Insights events on an event data store. |
ingestion_enabled | boolean | Indicates whether the event data store is ingesting events. |
region | string | AWS region. |
Methods
Name | Accessible by | Required Params |
---|---|---|
create_resource | INSERT | region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all event_data_stores in a region.
SELECT
region,
advanced_event_selectors,
created_timestamp,
event_data_store_arn,
federation_enabled,
federation_role_arn,
multi_region_enabled,
name,
organization_enabled,
billing_mode,
retention_period,
status,
termination_protection_enabled,
updated_timestamp,
kms_key_id,
tags,
insight_selectors,
insights_destination,
ingestion_enabled
FROM aws.cloudtrail.event_data_stores
WHERE region = 'us-east-1';
Gets all properties from an individual event_data_store.
SELECT
region,
advanced_event_selectors,
created_timestamp,
event_data_store_arn,
federation_enabled,
federation_role_arn,
multi_region_enabled,
name,
organization_enabled,
billing_mode,
retention_period,
status,
termination_protection_enabled,
updated_timestamp,
kms_key_id,
tags,
insight_selectors,
insights_destination,
ingestion_enabled
FROM aws.cloudtrail.event_data_stores
WHERE region = 'us-east-1' AND data__Identifier = '<EventDataStoreArn>';
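The following Python check is an added example, not part of the StackQL provider documentation. It audits rows shaped like the SELECT output above for settings that weaken an audit-log store. The field names and status values come from the Fields table; the sample rows, the 365-day retention floor and the function names are assumptions made for illustration.

```python
# Added example: audit rows from aws.cloudtrail.event_data_stores.
# Field names and status values come from the Fields table; the sample rows,
# the 365-day retention floor and the function names are constructed.

HEALTHY_STATUSES = {"STARTING_INGESTION", "ENABLED"}
MIN_RETENTION_DAYS = 365  # assumed policy value, adjust to your requirement


def as_bool(value):
    """Booleans may arrive as real booleans or as 'true'/'false' strings."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def audit_store(row):
    """Return the list of findings for one event data store row."""
    findings = []
    if not as_bool(row.get("termination_protection_enabled")):
        findings.append("termination protection disabled")
    if not row.get("kms_key_id"):
        findings.append("no customer-specified KMS key")
    if not as_bool(row.get("ingestion_enabled")) or row.get("status") not in HEALTHY_STATUSES:
        findings.append(f"not ingesting (status={row.get('status')})")
    if not as_bool(row.get("multi_region_enabled")):
        findings.append("single-region collection only")
    if int(row.get("retention_period") or 0) < MIN_RETENTION_DAYS:
        findings.append(f"retention below {MIN_RETENTION_DAYS} days")
    return findings


def audit(rows):
    """Map store name -> findings, omitting stores with no findings."""
    report = {r.get("name"): audit_store(r) for r in rows}
    return {name: f for name, f in report.items() if f}


# Constructed sample rows, shaped like the SELECT output above.
SAMPLE_ROWS = [
    {"name": "org-audit", "status": "ENABLED", "ingestion_enabled": True,
     "termination_protection_enabled": True, "multi_region_enabled": True,
     "kms_key_id": "alias/example-key", "retention_period": 2557},
    {"name": "scratch", "status": "STOPPED_INGESTION", "ingestion_enabled": "false",
     "termination_protection_enabled": "false", "multi_region_enabled": True,
     "kms_key_id": None, "retention_period": 30},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ROWS).items():
        print(name, "->", "; ".join(findings))
```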
INSERT example
Use the following StackQL query and manifest file to create a new event_data_store resource, using stack-deploy. The three blocks below are, in order: required properties, all properties, and the manifest.
/*+ create */
-- No required properties are listed for this resource; only region is supplied.
INSERT INTO aws.cloudtrail.event_data_stores (
region
)
SELECT
'{{ region }}';
/*+ create */
INSERT INTO aws.cloudtrail.event_data_stores (
AdvancedEventSelectors,
FederationEnabled,
FederationRoleArn,
MultiRegionEnabled,
Name,
OrganizationEnabled,
BillingMode,
RetentionPeriod,
TerminationProtectionEnabled,
KmsKeyId,
Tags,
InsightSelectors,
InsightsDestination,
IngestionEnabled,
region
)
SELECT
'{{ AdvancedEventSelectors }}',
'{{ FederationEnabled }}',
'{{ FederationRoleArn }}',
'{{ MultiRegionEnabled }}',
'{{ Name }}',
'{{ OrganizationEnabled }}',
'{{ BillingMode }}',
'{{ RetentionPeriod }}',
'{{ TerminationProtectionEnabled }}',
'{{ KmsKeyId }}',
'{{ Tags }}',
'{{ InsightSelectors }}',
'{{ InsightsDestination }}',
'{{ IngestionEnabled }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: event_data_store
    props:
      - name: AdvancedEventSelectors
        value:
          - Name: '{{ Name }}'
            FieldSelectors:
              - Field: '{{ Field }}'
                Equals:
                  - '{{ Equals[0] }}'
                StartsWith:
                  - '{{ StartsWith[0] }}'
                EndsWith:
                  - '{{ EndsWith[0] }}'
                NotEquals:
                  - '{{ NotEquals[0] }}'
                NotStartsWith:
                  - '{{ NotStartsWith[0] }}'
                NotEndsWith:
                  - '{{ NotEndsWith[0] }}'
      - name: FederationEnabled
        value: '{{ FederationEnabled }}'
      - name: FederationRoleArn
        value: '{{ FederationRoleArn }}'
      - name: MultiRegionEnabled
        value: '{{ MultiRegionEnabled }}'
      - name: Name
        value: '{{ Name }}'
      - name: OrganizationEnabled
        value: '{{ OrganizationEnabled }}'
      - name: BillingMode
        value: '{{ BillingMode }}'
      - name: RetentionPeriod
        value: '{{ RetentionPeriod }}'
      - name: TerminationProtectionEnabled
        value: '{{ TerminationProtectionEnabled }}'
      - name: KmsKeyId
        value: '{{ KmsKeyId }}'
      - name: Tags
        value:
          - Key: '{{ Key }}'
            Value: '{{ Value }}'
      - name: InsightSelectors
        value:
          - InsightType: '{{ InsightType }}'
      - name: InsightsDestination
        value: '{{ InsightsDestination }}'
      - name: IngestionEnabled
        value: '{{ IngestionEnabled }}'
DELETE example
/*+ delete */
DELETE FROM aws.cloudtrail.event_data_stores
WHERE data__Identifier = '<EventDataStoreArn>'
AND region = 'us-east-1';
Permissions
To operate on the event_data_stores resource, the following permissions are required:
Create
CloudTrail:CreateEventDataStore,
CloudTrail:AddTags,
CloudTrail:PutInsightSelectors,
CloudTrail:EnableFederation,
CloudTrail:GetEventDataStore,
iam:PassRole,
iam:GetRole,
iam:CreateServiceLinkedRole,
organizations:DescribeOrganization,
organizations:ListAWSServiceAccessForOrganization,
kms:GenerateDataKey,
kms:Decrypt,
glue:CreateDatabase,
glue:CreateTable,
glue:PassConnection,
lakeformation:RegisterResource
Read
CloudTrail:GetEventDataStore,
CloudTrail:ListEventDataStores,
CloudTrail:GetInsightSelectors,
CloudTrail:ListTags
Update
CloudTrail:UpdateEventDataStore,
CloudTrail:RestoreEventDataStore,
CloudTrail:AddTags,
CloudTrail:RemoveTags,
CloudTrail:StartEventDataStoreIngestion,
CloudTrail:StopEventDataStoreIngestion,
CloudTrail:GetEventDataStore,
CloudTrail:PutInsightSelectors,
CloudTrail:GetInsightSelectors,
CloudTrail:EnableFederation,
CloudTrail:DisableFederation,
iam:PassRole,
iam:GetRole,
iam:CreateServiceLinkedRole,
organizations:DescribeOrganization,
organizations:ListAWSServiceAccessForOrganization,
glue:CreateDatabase,
glue:CreateTable,
glue:PassConnection,
lakeformation:RegisterResource,
glue:DeleteTable,
lakeformation:DeregisterResource,
kms:DescribeKey
Delete
CloudTrail:DeleteEventDataStore,
CloudTrail:GetEventDataStore,
CloudTrail:DisableFederation,
glue:DeleteTable,
lakeformation:DeregisterResource
List
CloudTrail:ListEventDataStores,
CloudTrail:GetEventDataStore,
CloudTrail:GetInsightSelectors,
CloudTrail:ListTags