# Create, update, and manage event data stores with the AWS CLI **Note** AWS CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](cloudtrail-lake-service-availability-change.md). This section describes the AWS CLI commands you can use to create, update, and manage your CloudTrail Lake event data stores. When using the AWS CLI, remember that your commands run in the AWS Region configured for your profile. If you want to run the commands in a different Region, either change the default Region for your profile, or use the **--region** parameter with the command. ## Available commands for event data stores Commands for creating and updating event data stores in CloudTrail Lake include: + `create-event-data-store` to create an event data store. + `get-event-data-store` to return information about the event data store including the advanced event selectors configured for the event data store. + `update-event-data-store` to change the configuration of an existing event data store. + `list-event-data-stores` to list the event data stores. + `delete-event-data-store` to delete an event data store. + `restore-event-data-store` to restore an event data store that is pending deletion. + `start-import` to start an import of trail events to an event data store, or retry a failed import. + `[get-import](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/get-import.html)` to return information about a specific import. + `[stop-import](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/stop-import.html)` to stop an import of trail events to an event data store. + `[list-imports](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/list-imports.html)` to return information on all imports, or a select set of imports by `ImportStatus` or `Destination`. + `[list-import-failures](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/list-import-failures.html)` to list import failures for the specified import. + `stop-event-data-store-ingestion` to stop event ingestion on an event data store. + `start-event-data-store-ingestion` to restart event ingestion on an event data store. + `enable-federation` to enable federation on an event data store to query the event data store in Amazon Athena. + `disable-federation` to disable federation on an event data store. After you disable federation, you can no longer query against the event data store's data in Amazon Athena. You can continue to query in CloudTrail Lake. + `[put-insight-selectors](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-insight-selectors.html)` to add or modify Insights event selectors for an existing event data store, and enable or disable Insights events. + `[get-insight-selectors](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/get-insight-selectors.html)` to return information about Insights event selectors configured for an event data store. + `[add-tags](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/add-tags.html)` to add one or more tags (key-value pairs) to an existing event data store. + `[remove-tags](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/remove-tags.html)` to remove one or more tags from a event data store. + `[list-tags](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/list-tags.html)` to return a list of tags associated with a event data store. + [`get-event-configuration`](lake-cli-manage-eds.md#lake-cli-get-event-configuration) to return any resource tag keys and IAM global conditions keys configured for the event data store. The command also returns whether the event data store is configured to collect `Standard` size events or `Large` size events. + [`put-event-configuration`](lake-cli-manage-eds.md#lake-cli-put-event-configuration) to expand the event size and add or remove resource tag keys and IAM global condition keys. For more information, see [Enrich CloudTrail events by adding resource tag keys and IAM global condition keys](cloudtrail-context-events.md). + `[put-resource-policy](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-resource-policy.html)` to attach a resource-based policy to an event data store. Resource-based polices allow you to control which principals can perform actions on your event data store. For example policies, see [Resource-based policy examples for event data stores](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-eds). + `[get-resource-policy](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/get-resource-policy.html)` to get the resource-based policy attached to an event data store. + `[delete-resource-policy](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/delete-resource-policy.html)` to delete the resource-based policy attached to an event data store. For a list of available commands for CloudTrail Lake queries, see [Available commands for CloudTrail Lake queries](lake-queries-cli.md#lake-queries-cli-commands). For a list of available commands for CloudTrail Lake dashboards, see [Available commands for dashboards](lake-dashboard-cli.md#lake-dashboard-cli-commands). For a list of available commands for CloudTrail Lake integrations, see [Available commands for CloudTrail Lake integrations](lake-integrations-cli.md#lake-integrations-cli-commands). # Create an event data store with the AWS CLI This section describes how to use the [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-event-data-store.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-event-data-store.html) command to create an event data store and provides examples of different types of event data stores that you can create. When you create an event data store, the only required parameter is `--name`, which is used to identify the event data store. You can configure additional optional parameters, including: + `--advanced-event-selectors` - Specifies the type of events to include in the event data store. By default, event data stores log all management events. For more information about advanced event selectors, see [AdvancedEventSelector](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedEventSelector.html) in the CloudTrail API Reference. + `--kms-key-id` - Specifies the KMS key ID to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by `alias/`, a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier. + `--multi-region-enabled` - Creates a multi-Region event data store that logs events for all AWS Regions in your account. By default, `--multi-region-enabled` is set, even if the parameter is not added. + `--organization-enabled` - Enables an event data store to collect events for all accounts in an organization. By default, the event data store is not enabled for all accounts in an organization. + `--billing-mode` - Determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store. The following are the possible values: + `EXTENDABLE_RETENTION_PRICING` - This billing mode is generally recommended if you ingest less than 25 TB of event data a month and want a flexible retention period of up to 3653 days (about 10 years). The default retention period for this billing mode is 366 days. + `FIXED_RETENTION_PRICING` - This billing mode is recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 2557 days (about 7 years). The default retention period for this billing mode is 2557 days. The default value is `EXTENDABLE_RETENTION_PRICING`. + `--retention-period` - The number of days to keep events in the event data store. Valid values are integers between 7 and 3653 if the `--billing-mode` is `EXTENDABLE_RETENTION_PRICING`, or between 7 and 2557 if the `--billing-mode` is set to `FIXED_RETENTION_PRICING`. If you do not specify `--retention-period`, CloudTrail uses the default retention period for the `--billing-mode`. + `--start-ingestion` - The `--start-ingestion` parameter starts event ingestion on the event data store when it's created. This parameter is set even if the parameter is not added. Specify the `--no-start-ingestion` if you do not want the event data store to ingest live events. For example, you may want to set this parameter if you are copying events to the event data store and only plan to use the event data to analyze past events. The `--no-start-ingestion` parameter is only valid if the `eventCategory` is `Management`, `Data`, or `ConfigurationItem`. The following examples show how to create different types of event data stores. **Topics** + [ ## Create an event data store for S3 data events with the AWS CLI ](#lake-cli-create-eds-data) + [ ## Create an event data store for KMS network activity events with the AWS CLI ](#lake-cli-create-eds-network) + [ ## Create an event data store for AWS Config configuration items with the AWS CLI ](#lake-cli-create-eds-config) + [ ## Create an organization event data store for management events with the AWS CLI ](#lake-cli-create-eds-org) + [ ## Create event data stores for Insights events with the AWS CLI ](#lake-cli-insights) ## Create an event data store for S3 data events with the AWS CLI The following example AWS Command Line Interface (AWS CLI) **create-event-data-store** command creates an event data store named `my-event-data-store` that selects all Amazon S3 data events and is encrypted using a KMS key. ``` aws cloudtrail create-event-data-store \ --name my-event-data-store \ --kms-key-id "arn:aws:kms:us-east-1:123456789012:alias/KMS_key_alias" \ --advanced-event-selectors '[ { "Name": "Select all S3 data events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::S3::Object"] }, { "Field": "resources.ARN", "StartsWith": ["arn:aws:s3"] } ] } ]' ``` The following is an example response. ``` { "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-ee54-4813-92d5-999aeEXAMPLE", "Name": "my-event-data-store", "Status": "CREATED", "AdvancedEventSelectors": [ { "Name": "Select all S3 data events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::S3::Object" ] }, { "Field": "resources.ARN", "StartsWith": [ "arn:aws:s3" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "BillingMode": "EXTENDABLE_RETENTION_PRICING", "RetentionPeriod": 366, "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:alias/KMS_key_alias", "TerminationProtectionEnabled": true, "CreatedTimestamp": "2023-11-09T22:19:39.417000-05:00", "UpdatedTimestamp": "2023-11-09T22:19:39.603000-05:00" } ``` ## Create an event data store for KMS network activity events with the AWS CLI The following example shows how to create an event data store to include `VpceAccessDenied` network activity events for AWS KMS. This example sets the `errorCode` field equal to `VpceAccessDenied` events and the `eventSource` field equal to `kms.amazonaws.com`. ``` aws cloudtrail create-event-data-store \ --name EventDataStoreName \ --advanced-event-selectors '[ { "Name": "Audit AccessDenied AWS KMS events over a VPC endpoint", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["NetworkActivity"] }, { "Field": "eventSource", "Equals": ["kms.amazonaws.com"] }, { "Field": "errorCode", "Equals": ["VpceAccessDenied"] } ] } ]' ``` The command returns the following example output. ``` { "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEb4a8-99b1-4ec2-9258-EXAMPLEc890", "Name": "EventDataStoreName", "Status": "CREATED", "AdvancedEventSelectors": [ { "Name": "Audit AccessDenied AWS KMS events over a VPC endpoint", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "NetworkActivity" ] }, { "Field": "eventSource", "Equals": [ "kms.amazonaws.com" ] }, { "Field": "errorCode", "Equals": [ "VpceAccessDenied" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "RetentionPeriod": 366, "TerminationProtectionEnabled": true, "CreatedTimestamp": "2024-05-20T21:00:17.673000+00:00", "UpdatedTimestamp": "2024-05-20T21:00:17.820000+00:00" } ``` For more information about network activity events, see [Logging network activity events](logging-network-events-with-cloudtrail.md). ## Create an event data store for AWS Config configuration items with the AWS CLI The following example AWS CLI **create-event-data-store** command creates an event data store named `config-items-eds` that selects AWS Config configuration items. To collect configuration items, specify that the `eventCategory` field Equals `ConfigurationItem` in the advanced event selectors. ``` aws cloudtrail create-event-data-store \ --name config-items-eds \ --advanced-event-selectors '[ { "Name": "Select AWS Config configuration items", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["ConfigurationItem"] } ] } ]' ``` The following is an example response. ``` { "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-ee54-4813-92d5-999aeEXAMPLE", "Name": "config-items-eds", "Status": "CREATED", "AdvancedEventSelectors": [ { "Name": "Select AWS Config configuration items", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "ConfigurationItem" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "BillingMode": "EXTENDABLE_RETENTION_PRICING", "RetentionPeriod": 366, "TerminationProtectionEnabled": true, "CreatedTimestamp": "2023-11-07T19:03:24.277000+00:00", "UpdatedTimestamp": "2023-11-07T19:03:24.468000+00:00" } ``` ## Create an organization event data store for management events with the AWS CLI The following example AWS CLI **create-event-data-store** command creates an organization event data store that collects all management events and sets the `--billing-mode` parameter to `FIXED_RETENTION_PRICING`. ``` aws cloudtrail create-event-data-store --name org-management-eds --organization-enabled --billing-mode FIXED_RETENTION_PRICING ``` The following is an example response. ``` { "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE6-d493-4914-9182-e52a7934b207", "Name": "org-management-eds", "Status": "CREATED", "AdvancedEventSelectors": [ { "Name": "Default management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": true, "BillingMode": "FIXED_RETENTION_PRICING", "RetentionPeriod": 2557, "TerminationProtectionEnabled": true, "CreatedTimestamp": "2023-11-16T15:30:50.689000+00:00", "UpdatedTimestamp": "2023-11-16T15:30:50.851000+00:00" } ``` ## Create event data stores for Insights events with the AWS CLI To log Insights events in CloudTrail Lake, you need a destination event data store that collects Insights events and a source event data store that enables Insights and logs management events. This procedure shows you how to create the destination and source event data stores and then enable Insights events. 1. Run the [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-event-data-store.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-event-data-store.html) command to create a destination event data store that collects Insights events. The value for `eventCategory` must be `Insight`. Replace *retention-period-days* with the number of days you would like to retain events in your event data store. Valid values are integers between 7 and 3653 if the `--billing-mode` is `EXTENDABLE_RETENTION_PRICING`, or between 7 and 2557 if the `--billing-mode` is set to `FIXED_RETENTION_PRICING`. If you do not specify `--retention-period`, CloudTrail uses the default retention period for the `--billing-mode`. If you are signed in with the management account for an AWS Organizations organization, include the `--organization-enabled` parameter if you want to give your [delegated administrator](cloudtrail-delegated-administrator.md) access to the event data store. ``` aws cloudtrail create-event-data-store \ --name insights-event-data-store \ --no-multi-region-enabled \ --retention-period retention-period-days \ --advanced-event-selectors '[ { "Name": "Select Insights events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Insight"] } ] } ]' ``` The following is an example response. ``` { "Name": "insights-event-data-store", "ARN": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEf852-4e8f-8bd1-bcf6cEXAMPLE", "AdvancedEventSelectors": [ { "Name": "Select Insights events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Insight" ] } ] } ], "MultiRegionEnabled": false, "OrganizationEnabled": false, "BillingMode": "EXTENDABLE_RETENTION_PRICING", "RetentionPeriod": "90", "TerminationProtectionEnabled": true, "CreatedTimestamp": "2023-05-08T15:22:33.578000+00:00", "UpdatedTimestamp": "2023-05-08T15:22:33.714000+00:00" } ``` You will use the `ARN` (or ID suffix of the ARN) from the response as the value for the `--insights-destination` parameter in step 3. 1. Run the [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-event-data-store.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-event-data-store.html) command to create a source event data store that logs management events. By default, event data stores log all management events. You don't need to specify the advanced event selectors if you want to log all management events. Replace *retention-period-days* with the number of days you would like to retain events in your event data store. Valid values are integers between 7 and 3653 if the `--billing-mode` is `EXTENDABLE_RETENTION_PRICING`, or between 7 and 2557 if the `--billing-mode` is set to `FIXED_RETENTION_PRICING`. If you do not specify `--retention-period`, CloudTrail uses the default retention period for the `--billing-mode`. If you are creating an organization event data store, include the `--organization-enabled` parameter. ``` aws cloudtrail create-event-data-store --name source-event-data-store --retention-period retention-period-days ``` The following is an example response. ``` { "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE9952-4ab9-49c0-b788-f4f3EXAMPLE", "Name": "source-event-data-store", "Status": "CREATED", "AdvancedEventSelectors": [ { "Name": "Default management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "BillingMode": "EXTENDABLE_RETENTION_PRICING", "RetentionPeriod": 90, "TerminationProtectionEnabled": true, "CreatedTimestamp": "2023-05-08T15:25:35.578000+00:00", "UpdatedTimestamp": "2023-05-08T15:25:35.714000+00:00" } ``` You will use the `ARN` (or ID suffix of the ARN) from the response as the value for the `--event-data-store` parameter in step 3. 1. Run the [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/put-insight-selectors.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/put-insight-selectors.html) command to enable Insights events. Insights selector values can be `ApiCallRateInsight`, `ApiErrorRateInsight`, or both. For the `--event-data-store` parameter, specify the ARN (or ID suffix of the ARN) of the source event data store that logs management events and will enable Insights. For the `--insights-destination` parameter, specify the ARN (or ID suffix of the ARN) of the destination event data store that will log Insights events. ``` aws cloudtrail put-insight-selectors --event-data-store arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE9952-4ab9-49c0-b788-f4f3EXAMPLE --insights-destination arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEf852-4e8f-8bd1-bcf6cEXAMPLE --insight-selectors '[{"InsightType": "ApiCallRateInsight"},{"InsightType": "ApiErrorRateInsight"}]' ``` The following result shows the Insights event selector that is configured for the event data store. ``` { "EventDataStoreARN": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE9952-4ab9-49c0-b788-f4f3EXAMPLE", "InsightsDestination": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEf852-4e8f-8bd1-bcf6cEXAMPLE", "InsightSelectors": [ { "InsightType": "ApiErrorRateInsight" }, { "InsightType": "ApiCallRateInsight" } ] } ``` After you enable CloudTrail Insights for the first time on an event data store, CloudTrail may take up to 7 days to begin delivering Insights events, provided that unusual activity is detected during that time. CloudTrail Insights analyzes management events that occur in a single Region, not globally. A CloudTrail Insights event is generated in the same Region as its supporting management events are generated. For an organization event data store, CloudTrail analyzes management events from each member's account instead of analyzing the aggregation of all management events for the organization. Additional charges apply for ingesting Insights events in CloudTrail Lake. You will be charged separately if you enable Insights for both trails and event data stores. For information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/). # Import trail events to an event data store with the AWS CLI Import trail events with the AWS CLI This section shows how to create and configure an event data store by running the [https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/create-event-data-store.html](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/create-event-data-store.html) command and then how to import the events to that event data store by using the [https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/start-import.html](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/start-import.html) command. For more information about importing trail events, see [Copy trail events to an event data store](cloudtrail-copy-trail-to-lake-eds.md). ## Preparing to import trail events Before you import trail events, make the following preparations. + Be sure you have a role with the [required permissions](cloudtrail-copy-trail-to-lake-eds.md#copy-trail-events-permissions-iam) to import trail events to an event data store. + Determine the [--billing-mode](cloudtrail-lake-manage-costs.md#cloudtrail-lake-manage-costs-pricing-option) value you want to specify for the event data store. The `--billing-mode` determines the cost of ingesting and storing events, and the default and maximum retention period for the event data store. When you import trail events to CloudTrail Lake, CloudTrail unzips the logs that are stored in gzip (compressed) format. Then CloudTrail copies the events contained in the logs to your event data store. The size of the uncompressed data could be greater than the actual Amazon S3 storage size. To get a general estimate of the size of the uncompressed data, multiply the size of the logs in the S3 bucket by 10. You can use this estimate to choose the `--billing-mode` value for your use case. + Determine the value you want to specify for the `--retention-period`. CloudTrail will not copy an event if its `eventTime` is older than the specified retention period. To determine the appropriate retention period, take the sum of the oldest event you want to copy in days and the number of days you want to retain the events in the event data store as demonstrated in this equation: **Retention period** = *oldest-event-in-days* \$1 *number-days-to-retain* For example, if the oldest event you're copying is 45 days old and you want to keep the events in the event data store for a further 45 days, you would set the retention period to 90 days. + Decide whether you want to use the event data store to analyze any future events. If you don't want to ingest any future events, include the `--no-start-ingestion` parameter when you create the event data store. By default, event data store's begin ingesting events when they're created. ## To create an event data store and import trail events to that event data store 1. Run the **create-event-data-store** command to create the new event data store. In this example, the `--retention-period` is set to `120` because the oldest event being copied is 90 days old and we want to retain the events for 30 days. The `--no-start-ingestion` parameter is set because we don't want to ingest any future events. In this example, `--billing-mode` wasn't set, because we are using the default value `EXTENDABLE_RETENTION_PRICING` as we expect to ingest less than 25 TB of event data. **Note** If you're creating the event data store to replace your trail, we recommend configuring the `--advanced-event-selectors` to match the event selectors of your trail to ensure you have the same event coverage. By default, event data stores log all management events. ``` aws cloudtrail create-event-data-store --name import-trail-eds --retention-period 120 --no-start-ingestion ``` The following is the example response: ``` { "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEa-4357-45cd-bce5-17ec652719d9", "Name": "import-trail-eds", "Status": "CREATED", "AdvancedEventSelectors": [ { "Name": "Default management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "BillingMode": "EXTENDABLE_RETENTION_PRICING", "RetentionPeriod": 120, "TerminationProtectionEnabled": true, "CreatedTimestamp": "2023-11-09T16:52:25.444000+00:00", "UpdatedTimestamp": "2023-11-09T16:52:25.569000+00:00" } ``` The initial `Status` is `CREATED` so we'll run the **get-event-data-store** command to verify ingestion is stopped. ``` aws cloudtrail get-event-data-store --event-data-store eds-id ``` The response shows the `Status` is now `STOPPED_INGESTION`, which indicates the event data store is not ingesting live events. ``` { "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEa-4357-45cd-bce5-17ec652719d9", "Name": "import-trail-eds", "Status": "STOPPED_INGESTION", "AdvancedEventSelectors": [ { "Name": "Default management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "BillingMode": "EXTENDABLE_RETENTION_PRICING", "RetentionPeriod": 120, "TerminationProtectionEnabled": true, "CreatedTimestamp": "2023-11-09T16:52:25.444000+00:00", "UpdatedTimestamp": "2023-11-09T16:52:25.569000+00:00" } ``` 1. Run the **start-import** command to import the trail events to the event data store created in step 1. Specify the ARN (or ID suffix of the ARN) of the event data store as the value for the `--destinations` parameter. For `--start-event-time` specify the `eventTime` for the oldest event you want to copy and for `--end-event-time` specify the `eventTime` of the newest event you want to copy. For `--import-source` specify the S3 URI for the S3 bucket containing your trail logs, the AWS Region for the S3 bucket, and the ARN of the role used for importing trail events. ``` aws cloudtrail start-import \ --destinations ["arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEa-4357-45cd-bce5-17ec652719d9"] \ --start-event-time 2023-08-11T16:08:12.934000+00:00 \ --end-event-time 2023-11-09T17:08:20.705000+00:00 \ --import-source {"S3": {"S3LocationUri": "s3://aws-cloudtrail-logs-123456789012-612ff1f6/AWSLogs/123456789012/CloudTrail/","S3BucketRegion":"us-east-1","S3BucketAccessRoleArn": "arn:aws:iam::123456789012:role/service-role/CloudTrailLake-us-east-1-copy-events-eds"}} ``` The following is an example response. ``` { "CreatedTimestamp": "2023-11-09T17:08:20.705000+00:00", "Destinations": [ "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEa-4357-45cd-bce5-17ec652719d9" ], "EndEventTime": "2023-11-09T17:08:20.705000+00:00", "ImportId": "EXAMPLEe-7be2-4658-9204-b38c3257fcd1", "ImportSource": { "S3": { "S3BucketAccessRoleArn": "arn:aws:iam::123456789012:role/service-role/CloudTrailLake-us-east-1-copy-events-eds", "S3BucketRegion":"us-east-1", "S3LocationUri": "s3://aws-cloudtrail-logs-123456789012-111ff1f6/AWSLogs/123456789012/CloudTrail/" } }, "ImportStatus": "INITIALIZING", "StartEventTime": "2023-08-11T16:08:12.934000+00:00", "UpdatedTimestamp": "2023-11-09T17:08:20.806000+00:00" } ``` 1. Run the [https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/get-import.html](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/get-import.html) command to get information about the import. ``` aws cloudtrail get-import --import-id import-id ``` The following is an example response. ``` { "ImportId": "EXAMPLEe-7be2-4658-9204-b38c3EXAMPLE", "Destinations": [ "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEa-4357-45cd-bce5-17ec652719d9" ], "ImportSource": { "S3": { "S3LocationUri": "s3://aws-cloudtrail-logs-123456789012-111ff1f6/AWSLogs/123456789012/CloudTrail/", "S3BucketRegion":"us-east-1", "S3BucketAccessRoleArn": "arn:aws:iam::123456789012:role/service-role/CloudTrailLake-us-east-1-copy-events-eds" } }, "StartEventTime": "2023-08-11T16:08:12.934000+00:00", "EndEventTime": "2023-11-09T17:08:20.705000+00:00", "ImportStatus": "COMPLETED", "CreatedTimestamp": "2023-11-09T17:08:20.705000+00:00", "ImportStatistics": { "PrefixesFound": 1548, "PrefixesCompleted": 1548, "FilesCompleted": 92845, "EventsCompleted": 577249, "FailedEntries": 0 } } ``` An import finishes with an `ImportStatus` of `COMPLETED` if there were no failures, or `FAILED` if there were failures. If the import had `FailedEntries`, you can run the [https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/list-import-failures.html](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/list-import-failures.html) command to return a list of failures. ``` aws cloudtrail list-import-failures --import-id import-id ``` To retry an import that had failures, run the **start-import** command with only the `--import-id` parameter. When you retry an import, CloudTrail resumes the import at the location where the failure occurred. ``` aws cloudtrail start-import --import-id import-id ``` # Update an event data store with the AWS CLI This section provides examples that show how to update an event data store's settings by running the AWS CLI `update-event-data-store` command. **Topics** + [ ## Update the billing mode with the AWS CLI ](#lake-cli-update-billing-mode) + [ ## Update the retention mode, enable termination protection, and specify a AWS KMS key with the AWS CLI ](#lake-cli-update-retention) + [ ## Disable termination protection with the AWS CLI ](#lake-cli-update-disable-termination) ## Update the billing mode with the AWS CLI The `--billing-mode` for the event data store determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store. If an event data store's `--billing-mode` is set to `FIXED_RETENTION_PRICING`, you can change the value to `EXTENDABLE_RETENTION_PRICING`. `EXTENDABLE_RETENTION_PRICING` is generally recommended if your event data store ingests less than 25 TB of event data per month and you want a flexible retention period of up to 3653 days. For information about pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/) and [Managing CloudTrail Lake costs](cloudtrail-lake-manage-costs.md). **Note** You cannot change the `--billing-mode` value from `EXTENDABLE_RETENTION_PRICING` to `FIXED_RETENTION_PRICING`. If the event data store's billing mode is set to `EXTENDABLE_RETENTION_PRICING` and you want to use `FIXED_RETENTION_PRICING` instead, you can [stop ingestion](lake-cli-manage-eds.md#lake-cli-stop-ingestion-eds) on the event data store and create a new event data store that uses `FIXED_RETENTION_PRICING`. The following example AWS CLI **update-event-data-store** command changes the `--billing-mode` for the event data store from `FIXED_RETENTION_PRICING` to `EXTENDABLE_RETENTION_PRICING`. The required `--event-data-store` parameter value is an ARN (or the ID suffix of the ARN) and is required; other parameters are optional. ``` aws cloudtrail update-event-data-store \ --region us-east-1 \ --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE \ --billing-mode EXTENDABLE_RETENTION_PRICING ``` The following is an example response. ``` { "EventDataStoreArn": "event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE", "Name": "management-events-eds", "Status": "ENABLED", "AdvancedEventSelectors": [ { "Name": "Default management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "BillingMode": "EXTENDABLE_RETENTION_PRICING", "RetentionPeriod": 2557, "TerminationProtectionEnabled": true, "CreatedTimestamp": "2023-10-27T10:55:55.384000-04:00", "UpdatedTimestamp": "2023-10-27T10:57:05.549000-04:00" } ``` ## Update the retention mode, enable termination protection, and specify a AWS KMS key with the AWS CLI The following example AWS CLI **update-event-data-store** command updates an event data store to change its retention period to 100 days, and enable termination protection. The required `--event-data-store` parameter value is an ARN (or the ID suffix of the ARN) and is required; other parameters are optional. In this example, the `--retention-period` parameter is added to change the retention period to 100 days. Optionally, you can choose to enable AWS Key Management Service encryption and specify an AWS KMS key by adding `--kms-key-id` to the command, and specifying a KMS key ARN as the value. `--termination-protection-enabled` is added to enable termination protection on an event data store that did not have termination protection enabled. An event data store that logs events from outside AWS cannot be updated to log AWS events. Similarly, an event data store that logs AWS events cannot be updated to log events from outside AWS. **Note** If you decrease the retention period of an event data store, CloudTrail will remove any events with an `eventTime` older than the new retention period. For example, if the previous retention period was 365 days and you decrease it to 100 days, CloudTrail will remove events with an `eventTime` older than 100 days. ``` aws cloudtrail update-event-data-store \ --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE \ --retention-period 100 \ --kms-key-id "arn:aws:kms:us-east-1:0123456789:alias/KMS_key_alias" \ --termination-protection-enabled ``` The following is an example response. ``` { "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-ee54-4813-92d5-999aeEXAMPLE", "Name": "my-event-data-store", "Status": "ENABLED", "AdvancedEventSelectors": [ { "Name": "Select all S3 data events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "resources.type", "Equals": [ "AWS::S3::Object" ] }, { "Field": "resources.ARN", "StartsWith": [ "arn:aws:s3" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "BillingMode": "EXTENDABLE_RETENTION_PRICING", "RetentionPeriod": 100, "KmsKeyId": "arn:aws:kms:us-east-1:0123456789:alias/KMS_key_alias", "TerminationProtectionEnabled": true, "CreatedTimestamp": "2023-10-27T10:55:55.384000-04:00", "UpdatedTimestamp": "2023-10-27T10:57:05.549000-04:00" } ``` ## Disable termination protection with the AWS CLI By default, termination protection is enabled on an event data store to protect the event data store from accidental deletion. You cannot delete an event data store when termination protection is enabled. If you want to delete the event data store, you must first disable termination protection. The following example AWS CLI **update-event-data-store** command disables termination protection by passing the `--no-termination-protection-enabled` parameter. ``` aws cloudtrail update-event-data-store \ --region us-east-1 \ --no-termination-protection-enabled \ --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE ``` The following is an example response. ``` { "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE", "Name": "management-events-eds", "Status": "ENABLED", "AdvancedEventSelectors": [ { "Name": "Default management events", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "BillingMode": "EXTENDABLE_RETENTION_PRICING", "RetentionPeriod": 366, "TerminationProtectionEnabled": false, "CreatedTimestamp": "2023-10-27T10:55:55.384000-04:00", "UpdatedTimestamp": "2023-10-27T10:57:05.549000-04:00" } ``` # Managing event data stores with the AWS CLI This section describes several other commands that you can run to get information about your event data stores, start and stop ingestion on an event data store, and enable and disable [federation](query-federation.md) on an event data store. **Topics** + [ ## Get an event data store with the AWS CLI ](#lake-cli-get-eds) + [ ## List all event data stores in an account with the AWS CLI ](#lake-cli-list-eds) + [ ## Add resource tag keys and IAM global conditions keys, and expand event size ](#lake-cli-put-event-configuration) + [ ## Get the event configuration for an event data store ](#lake-cli-get-event-configuration) + [ ## Get the resource-based policy for an event data store with the AWS CLI ](#lake-cli-get-resource-policy) + [ ## Attach a resource-based policy to an event data store with the AWS CLI ](#lake-cli-put-resource-policy) + [ ## Delete the resource-based policy attached to an event data store with the AWS CLI ](#lake-cli-delete-resource-policy) + [ ## Stop ingestion on an event data store with the AWS CLI ](#lake-cli-stop-ingestion-eds) + [ ## Start ingestion on an event data store with the AWS CLI ](#lake-cli-start-ingestion-eds) + [ ## Enable federation on an event data store ](#lake-cli-enable-federation-eds) + [ ## Disable federation on an event data store ](#lake-cli-disable-federation-eds) + [ ## Restore an event data store with the AWS CLI ](#lake-cli-restore-eds) ## Get an event data store with the AWS CLI The following example AWS CLI **get-event-data-store** command returns information about the event data store specified by the required `--event-data-store` parameter, which accepts an ARN or the ID suffix of the ARN. ``` aws cloudtrail get-event-data-store \ --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE ``` The following is an example response. Creation and last updated times are in `timestamp` format. ``` { "EventDataStoreARN": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE", "Name": "s3-data-events-eds", "Status": "ENABLED", "AdvancedEventSelectors": [ { "Name": "Log DeleteObject API calls for a specific S3 bucket", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Data" ] }, { "Field": "eventName", "Equals": [ "DeleteObject" ] }, { "Field": "resources.ARN", "StartsWith": [ "arn:aws:s3:::amzn-s3-demo-bucket" ] }, { "Field": "readOnly", "Equals": [ "false" ] }, { "Field": "resources.type", "Equals": [ "AWS::S3::Object" ] } ] } ], "MultiRegionEnabled": true, "OrganizationEnabled": false, "BillingMode": "FIXED_RETENTION_PRICING", "RetentionPeriod": 2557, "TerminationProtectionEnabled": true, "CreatedTimestamp": "2023-11-09T22:20:36.344000+00:00", "UpdatedTimestamp": "2023-11-09T22:20:36.476000+00:00" } ``` ## List all event data stores in an account with the AWS CLI The following example AWS CLI **list-event-data-stores** command returns information about all event data stores in an account, in the current Region. Optional parameters include `--max-results`, to specify a maximum number of results that you want the command to return on a single page. If there are more results than your specified `--max-results` value, run the command again adding the returned `NextToken` value to get the next page of results. ``` aws cloudtrail list-event-data-stores ``` The following is an example response. ``` { "EventDataStores": [ { "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE7-cad6-4357-a84b-318f9868e969", "Name": "management-events-eds" }, { "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE6-88e1-43b7-b066-9c046b4fd47a", "Name": "config-items-eds" }, { "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEf-b314-4c85-964e-3e43b1e8c3b4", "Name": "s3-data-events" } ] } ``` ## Add resource tag keys and IAM global conditions keys, and expand event size Run the AWS CLI `put-event-configuration` command to expand the maximum event size and add up to 50 resource tag keys and 50 IAM global condition keys to provide additional metadata about your events. The `put-event-configuration` command accepts the following arguments: + `--event-data-store` – Specify the ARN of the event data store or the ID suffix of the ARN. This parameter is required. + `--max-event-size` – Set to `Large` to set the maximum event size to 1 MB. By default, the value is `Standard`, which specifies a maximum event size of 256 KB. **Note** In order to add resource tag keys or IAM global conditions keys, you must set the event size to `Large` to ensure all of your added keys are included in the event. + `--context-key-selectors` – Specify the type of keys you want included in the events collected by your event data store. You can include resource tag keys and IAM global condition keys. Information about the added resource tags and IAM global condition keys is shown in the `eventContext` field in the event. For more information, see [Enrich CloudTrail events by adding resource tag keys and IAM global condition keys](cloudtrail-context-events.md). + Set the `Type` to `TagContext` to pass in an array of up to 50 resource tag keys. If you add resource tags, CloudTrail events will include the selected tag keys associated with the resources that were involved in the API call. API events related to deleted resources will not have resource tags. + Set the `Type` to `RequestContext` to pass in an array of up to 50 IAM global condition keys. If you add IAM global condition keys, CloudTrail events will include information about the selected condition keys that were evaluated during the authorization process, including additional details about the principal, session, network, and the request itself. The following example sets the maximum event size to `Large` and adds two resource tag keys `myTagKey1` and `myTagKey2`. ``` aws cloudtrail put-event-configuration \ --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE \ --max-event-size Large \ --context-key-selectors '[{"Type":"TagContext", "Equals":["myTagKey1","myTagKey2"]}]' ``` The next example sets the maximum event size to `Large` and adds an IAM; global condition key (`aws:MultiFactorAuthAge`). ``` aws cloudtrail put-event-configuration \ --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE \ --max-event-size Large \ --context-key-selectors '[{"Type":"RequestContext", "Equals":["aws:MultiFactorAuthAge"]}]' ``` The final example removes all resource tag keys and IAM global condition keys and sets the maximum event size to `Standard`. ``` aws cloudtrail put-event-configuration \ --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE \ --max-event-size Standard \ --context-key-selectors ``` ## Get the event configuration for an event data store Run the AWS CLI `get-event-configuration` command to return the event configuration for an event data store that collects CloudTrail events. This command returns the maximum event size and lists the resource tag keys and IAM global condition keys (if any) that are included in CloudTrail events. ``` aws cloudtrail get-event-configuration \ --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE ``` ## Get the resource-based policy for an event data store with the AWS CLI The following example runs the `get-resource-policy` command on an organization event data store. ``` aws cloudtrail get-resource-policy --resource-arn arn:aws:cloudtrail:us-east-1:888888888888:eventdatastore/example6-d493-4914-9182-e52a7934b207 ``` Because the command was run on an organization event data store, the output will show both the provided resource-based policy and the [`DelegatedAdminResourcePolicy`](cloudtrail-lake-organizations.md#cloudtrail-lake-organizations-eds-rbp) generated for the delegated administrator accounts. ## Attach a resource-based policy to an event data store with the AWS CLI To run queries on a dashboard during a manual or scheduled refresh, you need to attach a resource-based policy to every event data store that is associated with a widget on the dashboard. This allows CloudTrail Lake to run the queries on your behalf. For more information about the resource-based policy, see [Example: Allow CloudTrail to run queries to refresh a dashboard](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-eds-dashboard). The following example attaches a resource-based policy to an event data store that allows CloudTrail to run queries on a dashboard when the dashboard is refreshed. The policy is created in a separate file, *policy.json*, with the following example policy statement: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [{ "Sid": "EDSPolicy", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Resource": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/event_data_store_ID", "Action": "cloudtrail:StartQuery", "Condition": { "StringEquals": { "AWS:SourceArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE", "AWS:SourceAccount": "123456789012" } } } ] } ``` ------ Replace *123456789012* with your account ID, *arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/event\$1data\$1store\$1ID* with the ARN of the event data store for which CloudTrail will run queries, and *arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE* with the ARN of the dashboard. ``` aws cloudtrail put-resource-policy \ --resource-arn eds-arn \ --resource-policy file://policy.json ``` The following is the example response. ``` { "ResourceArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE", "ResourcePolicy": "policy-statement" } ``` For additional policy examples, see [Resource-based policy examples for event data stores](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-eds). ## Delete the resource-based policy attached to an event data store with the AWS CLI The following examples deletes the resource-based policy attached to an event data store. Replace *eds-arn* with the ARN of the event data store. ``` aws cloudtrail delete-resource-policy --resource-arn eds-arn ``` This command produces no output if it's successful. ## Stop ingestion on an event data store with the AWS CLI The following example AWS CLI **stop-event-data-store-ingestion** command stops an event data store from ingesting events. To stop ingestion, the event data store `Status` must be `ENABLED` and the `eventCategory` must be `Management`, `Data`, or `ConfigurationItem`. The event data store is specified by `--event-data-store`, which accepts an event data store ARN, or the ID suffix of the ARN. After you run **stop-event-data-store-ingestion**, the state of the event data store changes to `STOPPED_INGESTION`. The event data store does count towards your account maximum of ten event data stores when its state is `STOPPED_INGESTION`. ``` aws cloudtrail stop-event-data-store-ingestion \ --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE ``` There is no response if the operation is successful. ## Start ingestion on an event data store with the AWS CLI The following example AWS CLI **start-event-data-store-ingestion** command starts event ingestion on an event data store. To start ingestion, the event data store `Status` must be `STOPPED_INGESTION` and the `eventCategory` must be `Management`, `Data`, or `ConfigurationItem`. The event data store is specified by `--event-data-store`, which accepts an event data store ARN, or the ID suffix of the ARN. After you run **start-event-data-store-ingestion**, the state of the event data store changes to `ENABLED`. ``` aws cloudtrail start-event-data-store-ingestion --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE ``` There is no response if the operation is successful. ## Enable federation on an event data store To enable federation, run the **aws cloudtrail enable-federation** command, providing the required `--event-data-store` and `--role` parameters. For `--event-data-store`, provide the event data store ARN (or the ID suffix of the ARN). For `--role`, provide the ARN for your federation role. The role must exist in your account and provide the [required minimum permissions](query-federation.md#query-federation-permissions-role). ``` aws cloudtrail enable-federation \ --event-data-store arn:aws:cloudtrail:region:account-id:eventdatastore/eds-id --role arn:aws:iam::account-id:role/federation-role-name ``` This example shows how a delegated administrator can enable federation on an organization event data store by specifying the ARN of the event data store in the management account and the ARN of the federation role in the delegated administrator account. ``` aws cloudtrail enable-federation \ --event-data-store arn:aws:cloudtrail:region:management-account-id:eventdatastore/eds-id --role arn:aws:iam::delegated-administrator-account-id:role/federation-role-name ``` ## Disable federation on an event data store To disable federation on the event data store, run the **aws cloudtrail disable-federation** command. The event data store is specified by `--event-data-store`, which accepts an event data store ARN or the ID suffix of the ARN. ``` aws cloudtrail disable-federation \ --event-data-store arn:aws:cloudtrail:region:account-id:eventdatastore/eds-id ``` **Note** If this is an organization event data store, use the account ID for the management account. ## Restore an event data store with the AWS CLI The following example AWS CLI **restore-event-data-store** command restores an event data store that is pending deletion. The event data store is specified by `--event-data-store`, which accepts an event data store ARN or the ID suffix of the ARN. You can only restore a deleted event data store within the seven-day wait period after deletion. ``` aws cloudtrail restore-event-data-store \ --event-data-store EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE ``` The response includes information about the event data store, including its ARN, advanced event selectors, and the status of restoration. # Delete an event data store with the AWS CLI This section demonstrates how to delete an event data store by running the AWS CLI `delete-event-data-store` command To delete an event data store, specify the `--event-data-store` by providing the event data store ARN, or the ID suffix of the ARN. After you run **delete-event-data-store**, the final state of the event data store is `PENDING_DELETION`, and the event data store is automatically deleted after a wait period of 7 days. After you run **delete-event-data-store** on an event data store, you cannot run **list-queries**, **describe-query**, or **get-query-results** on queries that are using the disabled data store. The event data store does count towards your account maximum of ten event data stores in an AWS Region when it is pending deletion. **Note** You can't delete an event data store if `--termination-protection-enabled` is set or its `FederationStatus` is `ENABLED`. To delete an event data store with an `eventCategory` of `ActivityAuditLog`, you must first delete the integration's channel. You can delete the channel by using the `aws cloudtrail delete-channel` command. For more information, see [Delete a channel to delete an integration with the AWS CLI](lake-cli-delete-integration.md). ``` aws cloudtrail delete-event-data-store \ --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE ``` There is no response if the operation is successful.