Working with AWS CloudTrail Lake
AWS CloudTrail Lake lets you run SQL-based queries on your events. CloudTrail Lake converts existing events in row-based JSON format to Apache ORC.
When you create an event data store, you choose the category of AWS events to include in your event data store. You can create an event data store to include CloudTrail events, or AWS Config configuration items. Each event data store can only contain a single event category (for example, AWS Config configuration items), because the event schema for each event category is unique. You can run SQL queries across multiple event data stores using the supported SQL JOIN keywords. For information about running queries across multiple event data stores, see Advanced, multi-table query support.
CloudTrail Lake queries offer a deeper and more customizable view of events than simple key and value lookups in Event history, or running LookupEvents.
An Event history search is limited to a single AWS account, only returns events from a single AWS Region, and cannot query multiple attributes. In contrast, CloudTrail Lake users can run complex Structured Query Language (SQL) queries across multiple fields in a CloudTrail event or configuration item. For a full list of supported SQL operators, see CloudTrail Lake SQL constraints.
You can save CloudTrail Lake queries for future use, and view results of queries for up to seven days. When you run queries, you can save the query results to an Amazon S3 bucket. CloudTrail Lake can also store events from an organization in AWS Organizations in an event data store, including events from multiple Regions and accounts.
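The two queries below are an added example, not part of the AWS documentation, of what the preceding paragraphs describe: a single query that filters on several event attributes across all Regions and accounts in an event data store, and a JOIN across two event data stores. `<management_eds_id>` and `<data_eds_id>` are placeholders for the IDs of your own event data stores (one holding management events, one holding S3 data events), the time bounds are constructed sample values, and the JOIN form assumes the keywords listed under CloudTrail Lake SQL constraints. The field names (`eventTime`, `eventName`, `eventSource`, `errorCode`, `awsRegion`, `sourceIPAddress`, `recipientAccountId`, `userIdentity.arn`) are the standard CloudTrail event fields.

```sql
-- Added example, not from the AWS documentation page.
-- <management_eds_id> and <data_eds_id> are placeholders for your own
-- event data store IDs; the date bounds are constructed sample values.

-- 1. Multi-attribute, multi-Region query.
--    Event history can filter on one attribute in one Region; here we group
--    AccessDenied / UnauthorizedOperation errors by principal, source address,
--    Region and account across the whole event data store.
SELECT
    userIdentity.arn     AS principal_arn,
    sourceIPAddress      AS source_ip,
    awsRegion            AS region,
    recipientAccountId   AS account_id,
    COUNT(*)             AS denied_calls,
    MIN(eventTime)       AS first_seen,
    MAX(eventTime)       AS last_seen
FROM <management_eds_id>
WHERE eventTime > '2024-01-01 00:00:00'   -- bounding eventTime limits data scanned
  AND eventTime < '2024-01-08 00:00:00'
  AND errorCode IN ('AccessDenied', 'UnauthorizedOperation')
  AND userIdentity.arn IS NOT NULL
GROUP BY userIdentity.arn, sourceIPAddress, awsRegion, recipientAccountId
HAVING COUNT(*) >= 20
ORDER BY denied_calls DESC
LIMIT 50;

-- 2. JOIN across two event data stores.
--    For principals that received AccessDenied on management events, list the
--    S3 object-level data events they performed in the same window. Both stores
--    hold CloudTrail events, so the same columns exist on both sides; DISTINCT
--    collapses the fan-out from one principal having many denied calls.
SELECT DISTINCT
    d.eventTime,
    d.eventName,
    d.awsRegion,
    d.sourceIPAddress,
    d.userIdentity.arn   AS principal_arn
FROM <data_eds_id> AS d
JOIN <management_eds_id> AS m
  ON d.userIdentity.arn = m.userIdentity.arn
WHERE d.eventTime > '2024-01-01 00:00:00'
  AND d.eventTime < '2024-01-08 00:00:00'
  AND m.eventTime > '2024-01-01 00:00:00'
  AND m.eventTime < '2024-01-08 00:00:00'
  AND m.errorCode = 'AccessDenied'
  AND d.eventSource = 's3.amazonaws.com'
  AND d.eventName IN ('GetObject', 'PutObject', 'DeleteObject')
ORDER BY d.eventTime
LIMIT 200;
```

Because CloudTrail Lake queries are charged for the data they scan, every query above bounds `eventTime` on each event data store it reads; widen the window only as far as the investigation needs. The results of either query can be saved to an Amazon S3 bucket when you run it, as described above.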
CloudTrail doesn't support authorization based on tags for trails. However, you can control access to actions on event data stores by using authorization based on tags. For more information and examples, see Examples: Denying access to create or delete event data stores based on tags in this guide.
By default, all events in an event data store are encrypted by CloudTrail. When you configure an event data store, you can choose to use your own AWS Key Management Service key. Using your own KMS key incurs AWS KMS costs for encryption and decryption. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed.
CloudTrail Lake event data stores and queries incur CloudTrail charges. For more information about CloudTrail Lake pricing, see AWS CloudTrail Pricing.
CloudTrail Lake supports Amazon CloudWatch metrics, which you can use to view information about the amount of data ingested into your event data store during the last hour and over the course of its retention period. For more information about supported CloudWatch metrics, see Supported CloudWatch metrics.
CloudTrail typically delivers logs within an average of about 15 minutes of an API call. This time is not guaranteed.
Topics
- CloudTrail Lake supported Regions
- Create an event data store
- Manage event data store lifecycles
- Copy trail events to an event data store
- Create or edit a query
- Run a query and save query results
- View query results
- Get and download saved query results
- Validate saved query results
- Managing CloudTrail Lake by using the AWS CLI
- CloudTrail Lake SQL constraints
- Example queries
- Supported CloudWatch metrics