CloudTrail Lake event data stores

When you create an event data store in CloudTrail Lake, you choose the type of events to include in your event data store. You can create an event data store to include CloudTrail events (management events, data events, or network activity events), CloudTrail Insights events, AWS Config configuration items, or events outside of AWS. Each event data store type can only contain specific event categories (for example, AWS Config configuration items), because the event schema is unique to the event category. You can run SQL queries across multiple event data stores using the supported SQL JOIN keywords. For information about running queries across multiple event data stores, see Advanced, multi-table query support.

The following table shows the supported event categories for each event data store type. The eventCategory column shows the value that you would specify in the advanced event selectors to collect events of that type.

Event type (console)	eventCategory (API)	Description
CloudTrail events	`Management` `Data` `NetworkActivity`	This event data store type can collect CloudTrail management events, data events, and network activity events. For more information, see Create an event data store for CloudTrail events.
CloudTrail Insights events	`Insight`	This event data store type can collect CloudTrail Insights events. To receive Insights events, you need a source event data store that logs CloudTrail management events and enables Insights. For information about creating the source and destination event data stores, see Create an event data store for CloudTrail Insights events.
Configuration items	`ConfigurationItem`	This event data store type can collect AWS Config configuration items. For more information, see Create an event data store for AWS Config configuration items.
Events from integration	`ActivityAuditLog`	This event data store type can collect non-AWS events from integrations. For more information, see Create an event data store for events outside of AWS.

You can also create an event data store for AWS Audit Manager evidence by using the Audit Manager console. For more information about aggregating evidence in CloudTrail Lake using Audit Manager, see Understanding how evidence finder works with CloudTrail Lake in the AWS Audit Manager User Guide.

CloudTrail Lake event data stores incur charges. When you create an event data store, you choose the pricing option you want to use for the event data store. The pricing option determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store. For information about CloudTrail pricing and managing Lake costs, see AWS CloudTrail Pricing and Managing CloudTrail Lake costs.

The sections which follow describe how to create, update, and manage event data stores.

Topics

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

CloudTrail Lake concepts and terminology

Create, update, and manage event data stores with the console