Create an event data store
When you create an event data store in CloudTrail Lake, you choose the type of events to include in your event data store. You can create an event data store to include CloudTrail data or management events, CloudTrail Insights events, AWS Config configuration items, or events outside of AWS. Each event data store type can only contain specific event categories (for example, AWS Config configuration items), because the event schema is unique to the event category. You can run SQL queries across multiple event data stores using the supported SQL JOIN keywords. For information about running queries across multiple event data stores, see Advanced, multi-table query support.
The following table shows the supported event categories for each event data store type. The eventCategory column shows the value that you would specify in the advanced event selectors to collect events of that type.
| Event type (console) | eventCategory (API) | Description |
|---|---|---|
| CloudTrail events |
|
This event data store type can collect CloudTrail management and data events. For more information, see Create an event data store for CloudTrail events. |
| CloudTrail Insights events |
|
This event data store type can collect CloudTrail Insights events. To receive Insights events, you need a source event data store that logs CloudTrail management events and enables Insights. For information about creating the source and destination event data stores, see Create an event data store for CloudTrail Insights events. |
| Configuration items |
|
This event data store type can collect AWS Config configuration items. For more information, see Create an event data store for AWS Config configuration items. |
| Events from integration |
|
This event data store type can collect non-AWS events from integrations. For more information, see Create an event data store for events outside of AWS. |
You can also create an event data store for AWS Audit Manager evidence by using the Audit Manager console. For more information about aggregating evidence in CloudTrail Lake using Audit Manager, see Understanding how evidence finder works with CloudTrail Lake in the AWS Audit Manager User Guide.
CloudTrail Lake event data stores incur charges. When you create an event data store, you choose the pricing option you want
to use for the event data store. The pricing option determines the cost for ingesting and storing events, and
the default and maximum retention period for the event data store. For information
about CloudTrail pricing and managing Lake costs, see
AWS CloudTrail Pricing
The sections which follow describe how to create, update, and delete an event data store using the CloudTrail console. For information about how to manage event data store using the AWS CLI, see Managing CloudTrail Lake by using the AWS CLI.
Topics
- Create an event data store for CloudTrail events
- Create an event data store for CloudTrail Insights events
- Create an event data store for AWS Config configuration items
- Create an event data store for events outside of AWS
- Copy trail events to an event data store
- Manage event data store lifecycles
- Update an event data store
- Stop and start event ingestion
- Federate an event data store
- Change termination protection
- Delete an event data store
- Restore an event data store
- Organization event data stores
