Understanding organization event data stores - AWS CloudTrail

If you have created an organization in AWS Organizations, you can create an organization event data store that logs all events for all AWS accounts in that organization. Organization event data stores can apply to all AWS Regions, or the current Region. You can't use an organization event data store to collect events from outside of AWS.

You can create an organization event data store by using either the management account or the delegated administrator account. When a delegated administrator creates an organization event data store, the organization event data store exists in the management account for the organization, because the management account maintains ownership of all organization resources.

The management account for an organization can update an account-level event data store to apply it to an organization.

When the organization event data store is specified as applying to an organization, it's automatically applied to all member accounts in the organization. Member accounts can't see the organization event data store, nor can they modify or delete it. By default, member accounts don't have access to the organization event data store, nor can they run queries on organization event data stores.

The following table shows the capabilities of the management account and delegated administrator accounts within the AWS Organizations organization.

Capability                                                                Management account   Delegated administrator account
Register or remove delegated administrator accounts.                      Yes                  No
Create an organization event data store for AWS CloudTrail events
  or AWS Config configuration items.                                      Yes                  Yes
Enable Insights on an organization event data store.                      Yes                  No
Update an organization event data store.                                  Yes                  Yes (1)
Enable Lake query federation on an organization event data store. (2)     Yes                  Yes
Disable Lake query federation on an organization event data store.        Yes                  Yes
Delete an organization event data store.                                  Yes                  Yes
Copy trail events to an event data store.                                 Yes                  No
Run queries on organization event data stores.                            Yes                  Yes
View the CloudTrail Lake dashboard for an organization event data store.  Yes                  Yes

(1) Only the management account can convert an organization event data store to an account-level event data store, or convert an account-level event data store to an organization event data store. These actions are not allowed for the delegated administrator because organization event data stores only exist in the management account. When an organization event data store is converted to an account-level event data store, only the management account has access to the event data store. Likewise, only an account-level event data store in the management account can be converted to an organization event data store.

(2) Only a single delegated administrator account or the management account can enable federation on an organization event data store. Other delegated administrator accounts can query and share information using the Lake Formation data sharing feature. Any delegated administrator account as well as the organization's management account can disable federation.

Create an organization event data store

The management account or delegated administrator account for an organization can create an organization event data store to collect either CloudTrail events (management events, data events) or AWS Config configuration items.

Note

Only the organization's management account can copy trail events to an event data store.

CloudTrail console
To create an organization event data store using the console
  1. Follow the steps in the create an event data store for CloudTrail events procedure to create an organization event data store for CloudTrail management or data events.

    OR

    Follow the steps in the create an event data store for AWS Config configuration items procedure to create an organization event data store for AWS Config configuration items.

  2. On the Choose events page, choose Enable for all accounts in my organization.

AWS CLI

To create an organization event data store, run the create-event-data-store command and include the --organization-enabled option.

The following example AWS CLI create-event-data-store command creates an organization event data store that collects all management events. Because CloudTrail logs management events by default, you don't need to specify advanced event selectors if your event data store is logging all management events and is not collecting any data events.

aws cloudtrail create-event-data-store --name org-management-eds --organization-enabled

The following is an example response.

{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE6-d493-4914-9182-e52a7934b207",
    "Name": "org-management-eds",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Default management events",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [
                        "Management"
                    ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": true,
    "BillingMode": "EXTENDABLE_RETENTION_PRICING",
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2023-11-16T15:30:50.689000+00:00",
    "UpdatedTimestamp": "2023-11-16T15:30:50.851000+00:00"
}

The next example AWS CLI create-event-data-store command creates an organization event data store named config-items-org-eds that collects AWS Config configuration items. To collect configuration items, specify that the eventCategory field equals ConfigurationItem in the advanced event selectors.

aws cloudtrail create-event-data-store --name config-items-org-eds \
    --organization-enabled \
    --advanced-event-selectors '[
        {
            "Name": "Select AWS Config configuration items",
            "FieldSelectors": [
                { "Field": "eventCategory", "Equals": ["ConfigurationItem"] }
            ]
        }
    ]'

Apply an account-level event data store to an organization

The organization's management account can convert an account-level event data store to apply it to an organization.

CloudTrail console
To update an account-level event data store using the console
  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. In the navigation pane, under Lake, choose Event data stores.

  3. Choose the event data store that you want to update. This action opens the event data store's details page.

  4. In General details, choose Edit.

  5. Choose Enable for all accounts in my organization.

  6. Choose Save changes.

For additional information about updating an event data store, see Update an event data store with the console.

AWS CLI

To update an account-level event data store to apply it to an organization, run the update-event-data-store command and include the --organization-enabled option.

aws cloudtrail update-event-data-store --region us-east-1 \
    --organization-enabled \
    --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE
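The following is an added example, not code from the AWS documentation, that ties together the create-event-data-store and update-event-data-store commands in the two procedures above. It builds the argv for both commands from the selectors shown on this page, and audits a describe-event-data-store response for the settings that matter once a store is meant to be organization-wide (OrganizationEnabled, MultiRegionEnabled, TerminationProtectionEnabled, retention, and a selector that matches something). The describe() helper, the audit() function and its 365-day retention threshold are this example's own assumptions; the sample response is constructed from the create-event-data-store output shown earlier.

```python
"""Build and audit CloudTrail Lake organization event data stores (added example)."""
import json
import subprocess
from typing import Optional

# Advanced event selectors as shown on this page. Management events are the
# default, so MANAGEMENT_SELECTORS is what the service reports back when no
# --advanced-event-selectors option is given.
MANAGEMENT_SELECTORS = [
    {"Name": "Default management events",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]}
]
CONFIG_ITEM_SELECTORS = [
    {"Name": "Select AWS Config configuration items",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["ConfigurationItem"]}]}
]


def create_args(name: str, selectors: Optional[list] = None,
                organization: bool = True) -> list:
    """argv for `aws cloudtrail create-event-data-store`.

    A management-event-only store needs no --advanced-event-selectors; any other
    selector set is passed as JSON (no shell quoting needed in an argv list).
    """
    args = ["aws", "cloudtrail", "create-event-data-store", "--name", name]
    if organization:
        args.append("--organization-enabled")
    if selectors is not None and selectors != MANAGEMENT_SELECTORS:
        args += ["--advanced-event-selectors", json.dumps(selectors)]
    return args


def update_to_org_args(arn: str, region: str) -> list:
    """argv for converting an account-level store to an organization store.
    Per the page, only the management account may run this."""
    return ["aws", "cloudtrail", "update-event-data-store", "--region", region,
            "--organization-enabled", "--event-data-store", arn]


def describe(arn: str) -> dict:
    """Fetch current settings with describe-event-data-store (needs credentials;
    the offline checks below do not call this)."""
    out = subprocess.run(
        ["aws", "cloudtrail", "describe-event-data-store", "--event-data-store", arn],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def audit(eds: dict, min_retention_days: int = 365) -> list:
    """Return findings for a describe/create response; [] means the store is
    organization-wide, multi-Region, deletion-protected, keeps events at least
    min_retention_days (this example's threshold, not an AWS requirement) and
    has an eventCategory selector that can match events."""
    findings = []
    if not eds.get("OrganizationEnabled"):
        findings.append("OrganizationEnabled is false: member-account activity is not collected")
    if not eds.get("MultiRegionEnabled"):
        findings.append("MultiRegionEnabled is false: activity in other Regions is not collected")
    if not eds.get("TerminationProtectionEnabled"):
        findings.append("TerminationProtectionEnabled is false: the store can be deleted outright")
    if eds.get("RetentionPeriod", 0) < min_retention_days:
        findings.append(f"RetentionPeriod {eds.get('RetentionPeriod')} is below {min_retention_days} days")
    categories = {v
                  for sel in eds.get("AdvancedEventSelectors", [])
                  for fs in sel.get("FieldSelectors", [])
                  if fs.get("Field") == "eventCategory"
                  for v in fs.get("Equals", [])}
    if not categories:
        findings.append("no eventCategory selector: the store collects nothing")
    if eds.get("Status") not in ("CREATED", "ENABLED"):
        findings.append(f"Status is {eds.get('Status')}, expected CREATED or ENABLED")
    return findings


# Constructed sample mirroring the create-event-data-store response on this page.
SAMPLE_ORG_EDS = {
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE6-d493-4914-9182-e52a7934b207",
    "Name": "org-management-eds",
    "Status": "CREATED",
    "AdvancedEventSelectors": MANAGEMENT_SELECTORS,
    "MultiRegionEnabled": True,
    "OrganizationEnabled": True,
    "BillingMode": "EXTENDABLE_RETENTION_PRICING",
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": True,
}

if __name__ == "__main__":
    print(" ".join(create_args("config-items-org-eds", CONFIG_ITEM_SELECTORS)))
    for finding in audit(SAMPLE_ORG_EDS) or ["no findings"]:
        print(finding)
```

Run audit() against the output of describe-event-data-store after creating a store or after converting one with update-event-data-store; an account-level store that was never converted shows up immediately as "OrganizationEnabled is false", which is the case where member-account activity silently goes uncollected.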

See also