# Actions
The following actions are supported:
+ [AddTags](API_AddTags.md)
+ [CancelQuery](API_CancelQuery.md)
+ [CreateChannel](API_CreateChannel.md)
+ [CreateDashboard](API_CreateDashboard.md)
+ [CreateEventDataStore](API_CreateEventDataStore.md)
+ [CreateTrail](API_CreateTrail.md)
+ [DeleteChannel](API_DeleteChannel.md)
+ [DeleteDashboard](API_DeleteDashboard.md)
+ [DeleteEventDataStore](API_DeleteEventDataStore.md)
+ [DeleteResourcePolicy](API_DeleteResourcePolicy.md)
+ [DeleteTrail](API_DeleteTrail.md)
+ [DeregisterOrganizationDelegatedAdmin](API_DeregisterOrganizationDelegatedAdmin.md)
+ [DescribeQuery](API_DescribeQuery.md)
+ [DescribeTrails](API_DescribeTrails.md)
+ [DisableFederation](API_DisableFederation.md)
+ [EnableFederation](API_EnableFederation.md)
+ [GenerateQuery](API_GenerateQuery.md)
+ [GetChannel](API_GetChannel.md)
+ [GetDashboard](API_GetDashboard.md)
+ [GetEventConfiguration](API_GetEventConfiguration.md)
+ [GetEventDataStore](API_GetEventDataStore.md)
+ [GetEventSelectors](API_GetEventSelectors.md)
+ [GetImport](API_GetImport.md)
+ [GetInsightSelectors](API_GetInsightSelectors.md)
+ [GetQueryResults](API_GetQueryResults.md)
+ [GetResourcePolicy](API_GetResourcePolicy.md)
+ [GetTrail](API_GetTrail.md)
+ [GetTrailStatus](API_GetTrailStatus.md)
+ [ListChannels](API_ListChannels.md)
+ [ListDashboards](API_ListDashboards.md)
+ [ListEventDataStores](API_ListEventDataStores.md)
+ [ListImportFailures](API_ListImportFailures.md)
+ [ListImports](API_ListImports.md)
+ [ListInsightsData](API_ListInsightsData.md)
+ [ListInsightsMetricData](API_ListInsightsMetricData.md)
+ [ListPublicKeys](API_ListPublicKeys.md)
+ [ListQueries](API_ListQueries.md)
+ [ListTags](API_ListTags.md)
+ [ListTrails](API_ListTrails.md)
+ [LookupEvents](API_LookupEvents.md)
+ [PutEventConfiguration](API_PutEventConfiguration.md)
+ [PutEventSelectors](API_PutEventSelectors.md)
+ [PutInsightSelectors](API_PutInsightSelectors.md)
+ [PutResourcePolicy](API_PutResourcePolicy.md)
+ [RegisterOrganizationDelegatedAdmin](API_RegisterOrganizationDelegatedAdmin.md)
+ [RemoveTags](API_RemoveTags.md)
+ [RestoreEventDataStore](API_RestoreEventDataStore.md)
+ [SearchSampleQueries](API_SearchSampleQueries.md)
+ [StartDashboardRefresh](API_StartDashboardRefresh.md)
+ [StartEventDataStoreIngestion](API_StartEventDataStoreIngestion.md)
+ [StartImport](API_StartImport.md)
+ [StartLogging](API_StartLogging.md)
+ [StartQuery](API_StartQuery.md)
+ [StopEventDataStoreIngestion](API_StopEventDataStoreIngestion.md)
+ [StopImport](API_StopImport.md)
+ [StopLogging](API_StopLogging.md)
+ [UpdateChannel](API_UpdateChannel.md)
+ [UpdateDashboard](API_UpdateDashboard.md)
+ [UpdateEventDataStore](API_UpdateEventDataStore.md)
+ [UpdateTrail](API_UpdateTrail.md)
# AddTags
Adds one or more tags to a trail, event data store, dashboard, or channel, up to a limit of 50. Overwrites an existing tag's value when a new value is specified for an existing tag key. Tag key names must be unique; you cannot have two keys with the same name but different values. If you specify a key without a value, the tag will be created with the specified key and a value of null. You can tag a trail or event data store that applies to all AWS Regions only from the Region in which the trail or event data store was created (also known as its home Region).
## Request Syntax
```
{
"ResourceId": "string",
"TagsList": [
{
"Key": "string",
"Value": "string"
}
]
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [ResourceId](#API_AddTags_RequestSyntax) **
Specifies the ARN of the trail, event data store, dashboard, or channel to which one or more tags will be added.
The format of a trail ARN is: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The format of an event data store ARN is: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The format of a dashboard ARN is: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The format of a channel ARN is: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
Type: String
Required: Yes
** [TagsList](#API_AddTags_RequestSyntax) **
Contains a list of tags, up to a limit of 50
Type: Array of [Tag](API_Tag.md) objects
Array Members: Maximum number of 200 items.
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ChannelARNInvalidException **
This exception is thrown when the specified value of `ChannelARN` is not valid.
HTTP Status Code: 400
** ChannelNotFoundException **
This exception is thrown when CloudTrail cannot find the specified channel.
HTTP Status Code: 400
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InvalidTagParameterException **
This exception is thrown when the specified tag key or values are not valid. It can also occur if there are duplicate tags or too many tags on the resource.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** ResourceNotFoundException **
This exception is thrown when the specified resource is not found.
HTTP Status Code: 400
** ResourceTypeNotSupportedException **
This exception is thrown when the specified resource type is not supported by CloudTrail.
HTTP Status Code: 400
** TagsLimitExceededException **
The number of tags per trail, event data store, dashboard, or channel has exceeded the permitted amount. Currently, the limit is 50.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/AddTags)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/AddTags)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/AddTags)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/AddTags)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/AddTags)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/AddTags)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/AddTags)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/AddTags)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/AddTags)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/AddTags)
# CancelQuery
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Cancels a query if the query is not in a terminated state, such as `CANCELLED`, `FAILED`, `TIMED_OUT`, or `FINISHED`. You must specify an ARN value for `EventDataStore`. The ID of the query that you want to cancel is also required. When you run `CancelQuery`, the query status might show as `CANCELLED` even if the operation is not yet finished.
## Request Syntax
```
{
"EventDataStore": "string",
"EventDataStoreOwnerAccountId": "string",
"QueryId": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_CancelQuery_RequestSyntax) **
*This parameter has been deprecated.*
The ARN (or the ID suffix of the ARN) of an event data store on which the specified query is running.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: No
** [EventDataStoreOwnerAccountId](#API_CancelQuery_RequestSyntax) **
The account ID of the event data store owner.
Type: String
Length Constraints: Minimum length of 12. Maximum length of 16.
Pattern: `\d+`
Required: No
** [QueryId](#API_CancelQuery_RequestSyntax) **
The ID of the query that you want to cancel. The `QueryId` comes from the response of a `StartQuery` operation.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
Required: Yes
## Response Syntax
```
{
"EventDataStoreOwnerAccountId": "string",
"QueryId": "string",
"QueryStatus": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [EventDataStoreOwnerAccountId](#API_CancelQuery_ResponseSyntax) **
The account ID of the event data store owner.
Type: String
Length Constraints: Minimum length of 12. Maximum length of 16.
Pattern: `\d+`
** [QueryId](#API_CancelQuery_ResponseSyntax) **
The ID of the canceled query.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
** [QueryStatus](#API_CancelQuery_ResponseSyntax) **
Shows the status of a query after a `CancelQuery` request. Typically, the values shown are either `RUNNING` or `CANCELLED`.
Type: String
Valid Values: `QUEUED | RUNNING | FINISHED | FAILED | CANCELLED | TIMED_OUT`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InactiveQueryException **
The specified query cannot be canceled because it is in the `FINISHED`, `FAILED`, `TIMED_OUT`, or `CANCELLED` state.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** QueryIdNotFoundException **
The query ID does not exist or does not map to a query.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/CancelQuery)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/CancelQuery)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/CancelQuery)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/CancelQuery)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/CancelQuery)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/CancelQuery)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/CancelQuery)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/CancelQuery)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/CancelQuery)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/CancelQuery)
# CreateChannel
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Creates a channel for CloudTrail to ingest events from a partner or external source. After you create a channel, a CloudTrail Lake event data store can log events from the partner or source that you specify.
## Request Syntax
```
{
"Destinations": [
{
"Location": "string",
"Type": "string"
}
],
"Name": "string",
"Source": "string",
"Tags": [
{
"Key": "string",
"Value": "string"
}
]
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [Destinations](#API_CreateChannel_RequestSyntax) **
One or more event data stores to which events arriving through a channel will be logged.
Type: Array of [Destination](API_Destination.md) objects
Array Members: Minimum number of 1 item. Maximum number of 200 items.
Required: Yes
** [Name](#API_CreateChannel_RequestSyntax) **
The name of the channel.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9._\-]+$`
Required: Yes
** [Source](#API_CreateChannel_RequestSyntax) **
The name of the partner or external event source. You cannot change this name after you create the channel. A maximum of one channel is allowed per source.
A source can be either `Custom` for all valid non-AWS events, or the name of a partner event source. For information about the source names for available partners, see [Additional information about integration partners](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store-integration.html#cloudtrail-lake-partner-information) in the CloudTrail User Guide.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Pattern: `.*`
Required: Yes
** [Tags](#API_CreateChannel_RequestSyntax) **
A list of tags.
Type: Array of [Tag](API_Tag.md) objects
Array Members: Maximum number of 200 items.
Required: No
## Response Syntax
```
{
"ChannelArn": "string",
"Destinations": [
{
"Location": "string",
"Type": "string"
}
],
"Name": "string",
"Source": "string",
"Tags": [
{
"Key": "string",
"Value": "string"
}
]
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [ChannelArn](#API_CreateChannel_ResponseSyntax) **
The Amazon Resource Name (ARN) of the new channel.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [Destinations](#API_CreateChannel_ResponseSyntax) **
The event data stores that log the events arriving through the channel.
Type: Array of [Destination](API_Destination.md) objects
Array Members: Minimum number of 1 item. Maximum number of 200 items.
** [Name](#API_CreateChannel_ResponseSyntax) **
The name of the new channel.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9._\-]+$`
** [Source](#API_CreateChannel_ResponseSyntax) **
The partner or external event source name.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Pattern: `.*`
** [Tags](#API_CreateChannel_ResponseSyntax) **
A list of tags.
Type: Array of [Tag](API_Tag.md) objects
Array Members: Maximum number of 200 items.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ChannelAlreadyExistsException **
This exception is thrown when the provided channel already exists.
HTTP Status Code: 400
** ChannelMaxLimitExceededException **
This exception is thrown when the maximum number of channels limit is exceeded.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InvalidEventDataStoreCategoryException **
This exception is thrown when event categories of specified event data stores are not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** InvalidSourceException **
This exception is thrown when the specified value of `Source` is not valid.
HTTP Status Code: 400
** InvalidTagParameterException **
This exception is thrown when the specified tag key or values are not valid. It can also occur if there are duplicate tags or too many tags on the resource.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** TagsLimitExceededException **
The number of tags per trail, event data store, dashboard, or channel has exceeded the permitted amount. Currently, the limit is 50.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/CreateChannel)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/CreateChannel)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/CreateChannel)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/CreateChannel)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/CreateChannel)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/CreateChannel)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/CreateChannel)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/CreateChannel)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/CreateChannel)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/CreateChannel)
# CreateDashboard
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Creates a custom dashboard or the Highlights dashboard.
+ **Custom dashboards** - Custom dashboards allow you to query events in any event data store type. You can add up to 10 widgets to a custom dashboard. You can manually refresh a custom dashboard, or you can set a refresh schedule.
+ **Highlights dashboard** - You can create the Highlights dashboard to see a summary of key user activities and API usage across all your event data stores. CloudTrail Lake manages the Highlights dashboard and refreshes the dashboard every 6 hours. To create the Highlights dashboard, you must set and enable a refresh schedule.
CloudTrail runs queries to populate the dashboard's widgets during a manual or scheduled refresh. CloudTrail must be granted permissions to run the `StartQuery` operation on your behalf. To provide permissions, run the `PutResourcePolicy` operation to attach a resource-based policy to each event data store. For more information, see [Example: Allow CloudTrail to run queries to populate a dashboard](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_resource-based-policy-examples.html#security_iam_resource-based-policy-examples-eds-dashboard) in the * AWS CloudTrail User Guide*.
To set a refresh schedule, CloudTrail must be granted permissions to run the `StartDashboardRefresh` operation to refresh the dashboard on your behalf. To provide permissions, run the `PutResourcePolicy` operation to attach a resource-based policy to the dashboard. For more information, see [ Resource-based policy example for a dashboard](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_resource-based-policy-examples.html#security_iam_resource-based-policy-examples-dashboards) in the * AWS CloudTrail User Guide*.
For more information about dashboards, see [CloudTrail Lake dashboards](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/lake-dashboard.html) in the * AWS CloudTrail User Guide*.
## Request Syntax
```
{
"Name": "string",
"RefreshSchedule": {
"Frequency": {
"Unit": "string",
"Value": number
},
"Status": "string",
"TimeOfDay": "string"
},
"TagsList": [
{
"Key": "string",
"Value": "string"
}
],
"TerminationProtectionEnabled": boolean,
"Widgets": [
{
"QueryParameters": [ "string" ],
"QueryStatement": "string",
"ViewProperties": {
"string" : "string"
}
}
]
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [Name](#API_CreateDashboard_RequestSyntax) **
The name of the dashboard. The name must be unique to your account.
To create the Highlights dashboard, the name must be `AWSCloudTrail-Highlights`.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9_\-]+$`
Required: Yes
** [RefreshSchedule](#API_CreateDashboard_RequestSyntax) **
The refresh schedule configuration for the dashboard.
To create the Highlights dashboard, you must set a refresh schedule and set the `Status` to `ENABLED`. The `Unit` for the refresh schedule must be `HOURS` and the `Value` must be `6`.
Type: [RefreshSchedule](API_RefreshSchedule.md) object
Required: No
** [TagsList](#API_CreateDashboard_RequestSyntax) **
A list of tags.
Type: Array of [Tag](API_Tag.md) objects
Array Members: Maximum number of 200 items.
Required: No
** [TerminationProtectionEnabled](#API_CreateDashboard_RequestSyntax) **
Specifies whether termination protection is enabled for the dashboard. If termination protection is enabled, you cannot delete the dashboard until termination protection is disabled.
Type: Boolean
Required: No
** [Widgets](#API_CreateDashboard_RequestSyntax) **
An array of widgets for a custom dashboard. A custom dashboard can have a maximum of ten widgets.
You do not need to specify widgets for the Highlights dashboard.
Type: Array of [RequestWidget](API_RequestWidget.md) objects
Required: No
## Response Syntax
```
{
"DashboardArn": "string",
"Name": "string",
"RefreshSchedule": {
"Frequency": {
"Unit": "string",
"Value": number
},
"Status": "string",
"TimeOfDay": "string"
},
"TagsList": [
{
"Key": "string",
"Value": "string"
}
],
"TerminationProtectionEnabled": boolean,
"Type": "string",
"Widgets": [
{
"QueryAlias": "string",
"QueryParameters": [ "string" ],
"QueryStatement": "string",
"ViewProperties": {
"string" : "string"
}
}
]
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [DashboardArn](#API_CreateDashboard_ResponseSyntax) **
The ARN for the dashboard.
Type: String
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [Name](#API_CreateDashboard_ResponseSyntax) **
The name of the dashboard.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9_\-]+$`
** [RefreshSchedule](#API_CreateDashboard_ResponseSyntax) **
The refresh schedule for the dashboard, if configured.
Type: [RefreshSchedule](API_RefreshSchedule.md) object
** [TagsList](#API_CreateDashboard_ResponseSyntax) **
A list of tags.
Type: Array of [Tag](API_Tag.md) objects
Array Members: Maximum number of 200 items.
** [TerminationProtectionEnabled](#API_CreateDashboard_ResponseSyntax) **
Indicates whether termination protection is enabled for the dashboard.
Type: Boolean
** [Type](#API_CreateDashboard_ResponseSyntax) **
The dashboard type.
Type: String
Valid Values: `MANAGED | CUSTOM`
** [Widgets](#API_CreateDashboard_ResponseSyntax) **
An array of widgets for the dashboard.
Type: Array of [Widget](API_Widget.md) objects
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InsufficientEncryptionPolicyException **
For the `CreateTrail` `PutInsightSelectors`, `UpdateTrail`, `StartQuery`, and `StartImport` operations, this exception is thrown when the policy on the S3 bucket or AWS KMS key does not have sufficient permissions for the operation.
For all other operations, this exception is thrown when the policy for the AWS KMS key does not have sufficient permissions for the operation.
HTTP Status Code: 400
** InvalidQueryStatementException **
The query that was submitted has validation errors, or uses incorrect syntax or unsupported keywords. For more information about writing a query, see [Create or edit a query](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-create-edit-query.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** InvalidTagParameterException **
This exception is thrown when the specified tag key or values are not valid. It can also occur if there are duplicate tags or too many tags on the resource.
HTTP Status Code: 400
** ServiceQuotaExceededException **
This exception is thrown when the quota is exceeded. For information about CloudTrail quotas, see [Service quotas](https://docs.aws.amazon.com/general/latest/gr/ct.html#limits_cloudtrail) in the * AWS General Reference*.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## Examples
### Example
The following example creates a custom dashboard named `AccountActivityDashboard` with four widgets and a refresh schedule of every 12 hours. This example enables termination protection to prevent the dashboard from being accidentally deleted.
```
{
"Name": "AccountActivityDashboard",
"RefreshSchedule": {
"Frequency": {
"Unit": "HOURS",
"Value": 12
},
"Status": "ENABLED",
"TimeOfDay": "00:00"
},
"TerminationProtectionEnabled": true,
"Widgets": [
{
"ViewProperties": {
"Height": "2",
"Width": "4",
"Title": "TopErrors",
"View": "Table"
},
"QueryStatement": "SELECT errorCode, COUNT(*) AS eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' AND (errorCode is not null) GROUP BY errorCode ORDER BY eventCount DESC LIMIT 100",
"QueryParameters": ["$StartTime$", "$EndTime$"]
},
{
"ViewProperties": {
"Height": "2",
"Width": "4",
"Title": "MostActiveRegions",
"View": "PieChart",
"LabelColumn": "awsRegion",
"ValueColumn": "eventCount",
"FilterColumn": "awsRegion"
},
"QueryStatement": "SELECT awsRegion, COUNT(*) AS eventCount FROM eds where eventTime > '?' and eventTime < '?' GROUP BY awsRegion ORDER BY eventCount LIMIT 100",
"QueryParameters": ["$StartTime$", "$EndTime$"]
},
{
"ViewProperties": {
"Height": "2",
"Width": "4",
"Title": "AccountActivity",
"View": "LineChart",
"YAxisColumn": "eventCount",
"XAxisColumn": "eventDate",
"FilterColumn": "readOnly"
},
"QueryStatement": "SELECT DATE_TRUNC('?', eventTime) AS eventDate, IF(readOnly, 'read', 'write') AS readOnly, COUNT(*) as eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' GROUP BY DATE_TRUNC('?', eventTime), readOnly ORDER BY DATE_TRUNC('?', eventTime), readOnly",
"QueryParameters": ["$Period$", "$StartTime$", "$EndTime$", "$Period$", "$Period$"]
},
{
"ViewProperties": {
"Height": "2",
"Width": "4",
"Title": "TopServices",
"View": "BarChart",
"LabelColumn": "service",
"ValueColumn": "eventCount",
"FilterColumn": "service",
"Orientation": "Horizontal"
},
"QueryStatement": "SELECT REPLACE(eventSource, '.amazonaws.com') AS service, COUNT(*) AS eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' GROUP BY eventSource ORDER BY eventCount DESC LIMIT 100",
"QueryParameters": ["$StartTime$", "$EndTime$"]
}
]
}
```
### Example
The following example creates the Highlights dashboard. The Highlights dashboard requires that you set and enable a refresh schedule for every 6 hours.
```
{
"Name": "AWSCloudTrail-Highlights",
"RefreshSchedule": {
"Frequency": {
"Unit": "HOURS",
"Value": 6
},
"Status": "ENABLED"
},
"TerminationProtectionEnabled": true
}
```
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/CreateDashboard)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/CreateDashboard)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/CreateDashboard)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/CreateDashboard)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/CreateDashboard)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/CreateDashboard)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/CreateDashboard)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/CreateDashboard)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/CreateDashboard)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/CreateDashboard)
# CreateEventDataStore
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Creates a new event data store.
## Request Syntax
```
{
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"EndsWith": [ "string" ],
"Equals": [ "string" ],
"Field": "string",
"NotEndsWith": [ "string" ],
"NotEquals": [ "string" ],
"NotStartsWith": [ "string" ],
"StartsWith": [ "string" ]
}
],
"Name": "string"
}
],
"BillingMode": "string",
"KmsKeyId": "string",
"MultiRegionEnabled": boolean,
"Name": "string",
"OrganizationEnabled": boolean,
"RetentionPeriod": number,
"StartIngestion": boolean,
"TagsList": [
{
"Key": "string",
"Value": "string"
}
],
"TerminationProtectionEnabled": boolean
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [AdvancedEventSelectors](#API_CreateEventDataStore_RequestSyntax) **
The advanced event selectors to use to select the events for the data store. You can configure up to five advanced event selectors for each event data store.
For more information about how to use advanced event selectors to log CloudTrail events, see [Log events by using advanced event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-advanced) in the CloudTrail User Guide.
For more information about how to use advanced event selectors to include AWS Config configuration items in your event data store, see [Create an event data store for AWS Config configuration items](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/lake-eds-cli.html#lake-cli-create-eds-config) in the CloudTrail User Guide.
For more information about how to use advanced event selectors to include events outside of AWS events in your event data store, see [Create an integration to log events from outside AWS](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/lake-integrations-cli.html#lake-cli-create-integration) in the CloudTrail User Guide.
Type: Array of [AdvancedEventSelector](API_AdvancedEventSelector.md) objects
Required: No
** [BillingMode](#API_CreateEventDataStore_RequestSyntax) **
The billing mode for the event data store determines the cost for ingesting events and the default and maximum retention period for the event data store.
The following are the possible values:
+ `EXTENDABLE_RETENTION_PRICING` - This billing mode is generally recommended if you want a flexible retention period of up to 3653 days (about 10 years). The default retention period for this billing mode is 366 days.
+ `FIXED_RETENTION_PRICING` - This billing mode is recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 2557 days (about 7 years). The default retention period for this billing mode is 2557 days.
The default value is `EXTENDABLE_RETENTION_PRICING`.
For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](http://aws.amazon.com/cloudtrail/pricing/) and [Managing CloudTrail Lake costs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html).
Type: String
Valid Values: `EXTENDABLE_RETENTION_PRICING | FIXED_RETENTION_PRICING`
Required: No
** [KmsKeyId](#API_CreateEventDataStore_RequestSyntax) **
Specifies the AWS KMS key ID to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by `alias/`, a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
Disabling or deleting the KMS key, or removing CloudTrail permissions on the key, prevents CloudTrail from logging events to the event data store, and prevents users from querying the data in the event data store that was encrypted with the key. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed. Before you disable or delete a KMS key that you are using with an event data store, delete or back up your event data store.
CloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the * AWS Key Management Service Developer Guide*.
Examples:
+ `alias/MyAliasName`
+ `arn:aws:kms:us-east-2:123456789012:alias/MyAliasName`
+ `arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`
+ `12345678-1234-1234-1234-123456789012`
Type: String
Length Constraints: Minimum length of 1. Maximum length of 350.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: No
** [MultiRegionEnabled](#API_CreateEventDataStore_RequestSyntax) **
Specifies whether the event data store includes events from all Regions, or only from the Region in which the event data store is created.
Type: Boolean
Required: No
** [Name](#API_CreateEventDataStore_RequestSyntax) **
The name of the event data store.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9._\-]+$`
Required: Yes
** [OrganizationEnabled](#API_CreateEventDataStore_RequestSyntax) **
Specifies whether an event data store collects events logged for an organization in AWS Organizations.
Type: Boolean
Required: No
** [RetentionPeriod](#API_CreateEventDataStore_RequestSyntax) **
The retention period of the event data store, in days. If `BillingMode` is set to `EXTENDABLE_RETENTION_PRICING`, you can set a retention period of up to 3653 days, the equivalent of 10 years. If `BillingMode` is set to `FIXED_RETENTION_PRICING`, you can set a retention period of up to 2557 days, the equivalent of seven years.
CloudTrail Lake determines whether to retain an event by checking if the `eventTime` of the event is within the specified retention period. For example, if you set a retention period of 90 days, CloudTrail will remove events when the `eventTime` is older than 90 days.
If you plan to copy trail events to this event data store, we recommend that you consider both the age of the events that you want to copy as well as how long you want to keep the copied events in your event data store. For example, if you copy trail events that are 5 years old and specify a retention period of 7 years, the event data store will retain those events for two years.
Type: Integer
Valid Range: Minimum value of 7. Maximum value of 3653.
Required: No
** [StartIngestion](#API_CreateEventDataStore_RequestSyntax) **
Specifies whether the event data store should start ingesting live events. The default is true.
Type: Boolean
Required: No
** [TagsList](#API_CreateEventDataStore_RequestSyntax) **
A list of tags.
Type: Array of [Tag](API_Tag.md) objects
Array Members: Maximum number of 200 items.
Required: No
** [TerminationProtectionEnabled](#API_CreateEventDataStore_RequestSyntax) **
Specifies whether termination protection is enabled for the event data store. If termination protection is enabled, you cannot delete the event data store until termination protection is disabled.
Type: Boolean
Required: No
## Response Syntax
```
{
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"EndsWith": [ "string" ],
"Equals": [ "string" ],
"Field": "string",
"NotEndsWith": [ "string" ],
"NotEquals": [ "string" ],
"NotStartsWith": [ "string" ],
"StartsWith": [ "string" ]
}
],
"Name": "string"
}
],
"BillingMode": "string",
"CreatedTimestamp": number,
"EventDataStoreArn": "string",
"KmsKeyId": "string",
"MultiRegionEnabled": boolean,
"Name": "string",
"OrganizationEnabled": boolean,
"RetentionPeriod": number,
"Status": "string",
"TagsList": [
{
"Key": "string",
"Value": "string"
}
],
"TerminationProtectionEnabled": boolean,
"UpdatedTimestamp": number
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [AdvancedEventSelectors](#API_CreateEventDataStore_ResponseSyntax) **
The advanced event selectors that were used to select the events for the data store.
Type: Array of [AdvancedEventSelector](API_AdvancedEventSelector.md) objects
** [BillingMode](#API_CreateEventDataStore_ResponseSyntax) **
The billing mode for the event data store.
Type: String
Valid Values: `EXTENDABLE_RETENTION_PRICING | FIXED_RETENTION_PRICING`
** [CreatedTimestamp](#API_CreateEventDataStore_ResponseSyntax) **
The timestamp that shows when the event data store was created.
Type: Timestamp
** [EventDataStoreArn](#API_CreateEventDataStore_ResponseSyntax) **
The ARN of the event data store.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [KmsKeyId](#API_CreateEventDataStore_ResponseSyntax) **
Specifies the AWS KMS key ID that encrypts the events delivered by CloudTrail. The value is a fully specified ARN to a AWS KMS key in the following format.
`arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`
Type: String
Length Constraints: Minimum length of 1. Maximum length of 350.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [MultiRegionEnabled](#API_CreateEventDataStore_ResponseSyntax) **
Indicates whether the event data store collects events from all Regions, or only from the Region in which it was created.
Type: Boolean
** [Name](#API_CreateEventDataStore_ResponseSyntax) **
The name of the event data store.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9._\-]+$`
** [OrganizationEnabled](#API_CreateEventDataStore_ResponseSyntax) **
Indicates whether an event data store is collecting logged events for an organization in AWS Organizations.
Type: Boolean
** [RetentionPeriod](#API_CreateEventDataStore_ResponseSyntax) **
The retention period of an event data store, in days.
Type: Integer
Valid Range: Minimum value of 7. Maximum value of 3653.
** [Status](#API_CreateEventDataStore_ResponseSyntax) **
The status of event data store creation.
Type: String
Valid Values: `CREATED | ENABLED | PENDING_DELETION | STARTING_INGESTION | STOPPING_INGESTION | STOPPED_INGESTION`
** [TagsList](#API_CreateEventDataStore_ResponseSyntax) **
A list of tags.
Type: Array of [Tag](API_Tag.md) objects
Array Members: Maximum number of 200 items.
** [TerminationProtectionEnabled](#API_CreateEventDataStore_ResponseSyntax) **
Indicates whether termination protection is enabled for the event data store.
Type: Boolean
** [UpdatedTimestamp](#API_CreateEventDataStore_ResponseSyntax) **
The timestamp that shows when an event data store was updated, if applicable. `UpdatedTimestamp` is always either the same or newer than the time shown in `CreatedTimestamp`.
Type: Timestamp
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailAccessNotEnabledException **
This exception is thrown when trusted access has not been enabled between AWS CloudTrail and AWS Organizations. For more information, see [How to enable or disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_how-to-enable-disable-trusted-access) in the * AWS Organizations User Guide* and [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** EventDataStoreAlreadyExistsException **
An event data store with that name already exists.
HTTP Status Code: 400
** EventDataStoreMaxLimitExceededException **
Your account has used the maximum number of event data stores.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InsufficientEncryptionPolicyException **
For the `CreateTrail` `PutInsightSelectors`, `UpdateTrail`, `StartQuery`, and `StartImport` operations, this exception is thrown when the policy on the S3 bucket or AWS KMS key does not have sufficient permissions for the operation.
For all other operations, this exception is thrown when the policy for the AWS KMS key does not have sufficient permissions for the operation.
HTTP Status Code: 400
** InvalidEventSelectorsException **
This exception is thrown when the `PutEventSelectors` operation is called with a number of event selectors, advanced event selectors, or data resources that is not valid. The combination of event selectors or advanced event selectors and data resources is not valid. A trail can have up to 5 event selectors. If a trail uses advanced event selectors, a maximum of 500 total values for all conditions in all advanced event selectors is allowed. A trail is limited to 250 data resources. These data resources can be distributed across event selectors, but the overall total cannot exceed 250.
You can:
+ Specify a valid number of event selectors (1 to 5) for a trail.
+ Specify a valid number of data resources (1 to 250) for an event selector. The limit of number of resources on an individual event selector is configurable up to 250. However, this upper limit is allowed only if the total number of data resources does not exceed 250 across all event selectors for a trail.
+ Specify up to 500 values for all conditions in all advanced event selectors for a trail.
+ Specify a valid value for a parameter. For example, specifying the `ReadWriteType` parameter with a value of `read-only` is not valid.
HTTP Status Code: 400
** InvalidKmsKeyIdException **
This exception is thrown when the AWS KMS key ARN is not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** InvalidTagParameterException **
This exception is thrown when the specified tag key or values are not valid. It can also occur if there are duplicate tags or too many tags on the resource.
HTTP Status Code: 400
** KmsException **
This exception is thrown when there is an issue with the specified AWS KMS key and the trail or event data store can't be updated.
HTTP Status Code: 400
** KmsKeyNotFoundException **
This exception is thrown when the AWS KMS key does not exist, when the S3 bucket and the AWS KMS key are not in the same Region, or when the AWS KMS key associated with the Amazon SNS topic either does not exist or is not in the same Region.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** OrganizationNotInAllFeaturesModeException **
This exception is thrown when AWS Organizations is not configured to support all features. All features must be enabled in Organizations to support creating an organization trail or event data store.
HTTP Status Code: 400
** OrganizationsNotInUseException **
This exception is thrown when the request is made from an AWS account that is not a member of an organization. To make this request, sign in using the credentials of an account that belongs to an organization.
HTTP Status Code: 400
** ThrottlingException **
This exception is thrown when the request rate exceeds the limit.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/CreateEventDataStore)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/CreateEventDataStore)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/CreateEventDataStore)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/CreateEventDataStore)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/CreateEventDataStore)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/CreateEventDataStore)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/CreateEventDataStore)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/CreateEventDataStore)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/CreateEventDataStore)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/CreateEventDataStore)
# CreateTrail
Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket.
## Request Syntax
```
{
"CloudWatchLogsLogGroupArn": "string",
"CloudWatchLogsRoleArn": "string",
"EnableLogFileValidation": boolean,
"IncludeGlobalServiceEvents": boolean,
"IsMultiRegionTrail": boolean,
"IsOrganizationTrail": boolean,
"KmsKeyId": "string",
"Name": "string",
"S3BucketName": "string",
"S3KeyPrefix": "string",
"SnsTopicName": "string",
"TagsList": [
{
"Key": "string",
"Value": "string"
}
]
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [CloudWatchLogsLogGroupArn](#API_CreateTrail_RequestSyntax) **
Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs will be delivered. You must use a log group that exists in your account.
Not required unless you specify `CloudWatchLogsRoleArn`.
Type: String
Required: No
** [CloudWatchLogsRoleArn](#API_CreateTrail_RequestSyntax) **
Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group. You must use a role that exists in your account.
Type: String
Required: No
** [EnableLogFileValidation](#API_CreateTrail_RequestSyntax) **
Specifies whether log file integrity validation is enabled. The default is false.
When you disable log file integrity validation, the chain of digest files is broken after one hour. CloudTrail does not create digest files for log files that were delivered during a period in which log file integrity validation was disabled. For example, if you enable log file integrity validation at noon on January 1, disable it at noon on January 2, and re-enable it at noon on January 10, digest files will not be created for the log files delivered from noon on January 2 to noon on January 10. The same applies whenever you stop CloudTrail logging or delete a trail.
Type: Boolean
Required: No
** [IncludeGlobalServiceEvents](#API_CreateTrail_RequestSyntax) **
Specifies whether the trail is publishing events from global services such as IAM to the log files.
Type: Boolean
Required: No
** [IsMultiRegionTrail](#API_CreateTrail_RequestSyntax) **
Specifies whether the trail is created in the current Region or in all Regions. The default is false, which creates a trail only in the Region where you are signed in. As a best practice, consider creating trails that log events in all Regions.
Type: Boolean
Required: No
** [IsOrganizationTrail](#API_CreateTrail_RequestSyntax) **
Specifies whether the trail is created for all accounts in an organization in AWS Organizations, or only for the current AWS account. The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account or delegated administrator account for an organization in AWS Organizations.
Type: Boolean
Required: No
** [KmsKeyId](#API_CreateTrail_RequestSyntax) **
Specifies the AWS KMS key ID to use to encrypt the logs and digest files delivered by CloudTrail. The value can be an alias name prefixed by `alias/`, a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
CloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the * AWS Key Management Service Developer Guide*.
Examples:
+ `alias/MyAliasName`
+ `arn:aws:kms:us-east-2:123456789012:alias/MyAliasName`
+ `arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`
+ `12345678-1234-1234-1234-123456789012`
Type: String
Required: No
** [Name](#API_CreateTrail_RequestSyntax) **
Specifies the name of the trail. The name must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
Type: String
Required: Yes
** [S3BucketName](#API_CreateTrail_RequestSyntax) **
Specifies the name of the Amazon S3 bucket designated for publishing log files. For information about bucket naming rules, see [Bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html) in the *Amazon Simple Storage Service User Guide*.
Type: String
Required: Yes
** [S3KeyPrefix](#API_CreateTrail_RequestSyntax) **
Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery. For more information, see [Finding Your CloudTrail Log Files](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/get-and-view-cloudtrail-log-files.html#cloudtrail-find-log-files). The maximum length is 200 characters.
Type: String
Required: No
** [SnsTopicName](#API_CreateTrail_RequestSyntax) **
Specifies the name or ARN of the Amazon SNS topic defined for notification of log file delivery. The maximum length is 256 characters.
Type: String
Required: No
** [TagsList](#API_CreateTrail_RequestSyntax) **
A list of tags.
Type: Array of [Tag](API_Tag.md) objects
Array Members: Maximum number of 200 items.
Required: No
## Response Syntax
```
{
"CloudWatchLogsLogGroupArn": "string",
"CloudWatchLogsRoleArn": "string",
"IncludeGlobalServiceEvents": boolean,
"IsMultiRegionTrail": boolean,
"IsOrganizationTrail": boolean,
"KmsKeyId": "string",
"LogFileValidationEnabled": boolean,
"Name": "string",
"S3BucketName": "string",
"S3KeyPrefix": "string",
"SnsTopicARN": "string",
"SnsTopicName": "string",
"TrailARN": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [CloudWatchLogsLogGroupArn](#API_CreateTrail_ResponseSyntax) **
Specifies the Amazon Resource Name (ARN) of the log group to which CloudTrail logs will be delivered.
Type: String
** [CloudWatchLogsRoleArn](#API_CreateTrail_ResponseSyntax) **
Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.
Type: String
** [IncludeGlobalServiceEvents](#API_CreateTrail_ResponseSyntax) **
Specifies whether the trail is publishing events from global services such as IAM to the log files.
Type: Boolean
** [IsMultiRegionTrail](#API_CreateTrail_ResponseSyntax) **
Specifies whether the trail exists in one Region or in all Regions.
Type: Boolean
** [IsOrganizationTrail](#API_CreateTrail_ResponseSyntax) **
Specifies whether the trail is an organization trail.
Type: Boolean
** [KmsKeyId](#API_CreateTrail_ResponseSyntax) **
Specifies the AWS KMS key ID that encrypts the events delivered by CloudTrail. The value is a fully specified ARN to a AWS KMS key in the following format.
`arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`
Type: String
** [LogFileValidationEnabled](#API_CreateTrail_ResponseSyntax) **
Specifies whether log file integrity validation is enabled.
Type: Boolean
** [Name](#API_CreateTrail_ResponseSyntax) **
Specifies the name of the trail.
Type: String
** [S3BucketName](#API_CreateTrail_ResponseSyntax) **
Specifies the name of the Amazon S3 bucket designated for publishing log files.
Type: String
** [S3KeyPrefix](#API_CreateTrail_ResponseSyntax) **
Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery. For more information, see [Finding Your CloudTrail Log Files](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/get-and-view-cloudtrail-log-files.html#cloudtrail-find-log-files).
Type: String
** [SnsTopicARN](#API_CreateTrail_ResponseSyntax) **
Specifies the ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered. The format of a topic ARN is:
`arn:aws:sns:us-east-2:123456789012:MyTopic`
Type: String
** [SnsTopicName](#API_CreateTrail_ResponseSyntax) **
*This parameter has been deprecated.*
This field is no longer in use. Use `SnsTopicARN`.
Type: String
** [TrailARN](#API_CreateTrail_ResponseSyntax) **
Specifies the ARN of the trail that was created. The format of a trail ARN is:
`arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
Type: String
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailAccessNotEnabledException **
This exception is thrown when trusted access has not been enabled between AWS CloudTrail and AWS Organizations. For more information, see [How to enable or disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_how-to-enable-disable-trusted-access) in the * AWS Organizations User Guide* and [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** CloudTrailInvalidClientTokenIdException **
This exception is thrown when a call results in the `InvalidClientTokenId` error code. This can occur when you are creating or updating a trail to send notifications to an Amazon SNS topic that is in a suspended AWS account.
HTTP Status Code: 400
** CloudWatchLogsDeliveryUnavailableException **
Cannot set a CloudWatch Logs delivery for this Region.
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InsufficientEncryptionPolicyException **
For the `CreateTrail` `PutInsightSelectors`, `UpdateTrail`, `StartQuery`, and `StartImport` operations, this exception is thrown when the policy on the S3 bucket or AWS KMS key does not have sufficient permissions for the operation.
For all other operations, this exception is thrown when the policy for the AWS KMS key does not have sufficient permissions for the operation.
HTTP Status Code: 400
** InsufficientS3BucketPolicyException **
This exception is thrown when the policy on the S3 bucket is not sufficient.
HTTP Status Code: 400
** InsufficientSnsTopicPolicyException **
This exception is thrown when the policy on the Amazon SNS topic is not sufficient.
HTTP Status Code: 400
** InvalidCloudWatchLogsLogGroupArnException **
This exception is thrown when the provided CloudWatch Logs log group is not valid.
HTTP Status Code: 400
** InvalidCloudWatchLogsRoleArnException **
This exception is thrown when the provided role is not valid.
HTTP Status Code: 400
** InvalidKmsKeyIdException **
This exception is thrown when the AWS KMS key ARN is not valid.
HTTP Status Code: 400
** InvalidParameterCombinationException **
This exception is thrown when the combination of parameters provided is not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** InvalidS3BucketNameException **
This exception is thrown when the provided S3 bucket name is not valid.
HTTP Status Code: 400
** InvalidS3PrefixException **
This exception is thrown when the provided S3 prefix is not valid.
HTTP Status Code: 400
** InvalidSnsTopicNameException **
This exception is thrown when the provided SNS topic name is not valid.
HTTP Status Code: 400
** InvalidTagParameterException **
This exception is thrown when the specified tag key or values are not valid. It can also occur if there are duplicate tags or too many tags on the resource.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** KmsException **
This exception is thrown when there is an issue with the specified AWS KMS key and the trail or event data store can't be updated.
HTTP Status Code: 400
** KmsKeyDisabledException **
*This error has been deprecated.*
This exception is no longer in use.
HTTP Status Code: 400
** KmsKeyNotFoundException **
This exception is thrown when the AWS KMS key does not exist, when the S3 bucket and the AWS KMS key are not in the same Region, or when the AWS KMS key associated with the Amazon SNS topic either does not exist or is not in the same Region.
HTTP Status Code: 400
** MaximumNumberOfTrailsExceededException **
This exception is thrown when the maximum number of trails is reached.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** OrganizationNotInAllFeaturesModeException **
This exception is thrown when AWS Organizations is not configured to support all features. All features must be enabled in Organizations to support creating an organization trail or event data store.
HTTP Status Code: 400
** OrganizationsNotInUseException **
This exception is thrown when the request is made from an AWS account that is not a member of an organization. To make this request, sign in using the credentials of an account that belongs to an organization.
HTTP Status Code: 400
** S3BucketDoesNotExistException **
This exception is thrown when the specified S3 bucket does not exist.
HTTP Status Code: 400
** TagsLimitExceededException **
The number of tags per trail, event data store, dashboard, or channel has exceeded the permitted amount. Currently, the limit is 50.
HTTP Status Code: 400
** ThrottlingException **
This exception is thrown when the request rate exceeds the limit.
HTTP Status Code: 400
** TrailAlreadyExistsException **
This exception is thrown when the specified trail already exists.
HTTP Status Code: 400
** TrailNotProvidedException **
This exception is no longer in use.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/CreateTrail)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/CreateTrail)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/CreateTrail)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/CreateTrail)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/CreateTrail)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/CreateTrail)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/CreateTrail)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/CreateTrail)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/CreateTrail)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/CreateTrail)
# DeleteChannel
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Deletes a channel.
## Request Syntax
```
{
"Channel": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [Channel](#API_DeleteChannel_RequestSyntax) **
The ARN or the `UUID` value of the channel that you want to delete.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ChannelARNInvalidException **
This exception is thrown when the specified value of `ChannelARN` is not valid.
HTTP Status Code: 400
** ChannelNotFoundException **
This exception is thrown when CloudTrail cannot find the specified channel.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/DeleteChannel)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/DeleteChannel)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/DeleteChannel)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/DeleteChannel)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/DeleteChannel)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/DeleteChannel)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/DeleteChannel)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/DeleteChannel)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/DeleteChannel)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/DeleteChannel)
# DeleteDashboard
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Deletes the specified dashboard. You cannot delete a dashboard that has termination protection enabled.
## Request Syntax
```
{
"DashboardId": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [DashboardId](#API_DeleteDashboard_RequestSyntax) **
The name or ARN for the dashboard.
Type: String
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** ResourceNotFoundException **
This exception is thrown when the specified resource is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/DeleteDashboard)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/DeleteDashboard)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/DeleteDashboard)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/DeleteDashboard)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/DeleteDashboard)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/DeleteDashboard)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/DeleteDashboard)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/DeleteDashboard)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/DeleteDashboard)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/DeleteDashboard)
# DeleteEventDataStore
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Disables the event data store specified by `EventDataStore`, which accepts an event data store ARN. After you run `DeleteEventDataStore`, the event data store enters a `PENDING_DELETION` state, and is automatically deleted after a wait period of seven days. `TerminationProtectionEnabled` must be set to `False` on the event data store and the `FederationStatus` must be `DISABLED`. You cannot delete an event data store if `TerminationProtectionEnabled` is `True` or the `FederationStatus` is `ENABLED`.
After you run `DeleteEventDataStore` on an event data store, you cannot run `ListQueries`, `DescribeQuery`, or `GetQueryResults` on queries that are using an event data store in a `PENDING_DELETION` state. An event data store in the `PENDING_DELETION` state does not incur costs.
## Request Syntax
```
{
"EventDataStore": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_DeleteEventDataStore_RequestSyntax) **
The ARN (or the ID suffix of the ARN) of the event data store to delete.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ChannelExistsForEDSException **
This exception is thrown when the specified event data store cannot yet be deleted because it is in use by a channel.
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreFederationEnabledException **
You cannot delete the event data store because Lake query federation is enabled. To delete the event data store, run the `DisableFederation` operation to disable Lake query federation on the event data store.
HTTP Status Code: 400
** EventDataStoreHasOngoingImportException **
This exception is thrown when you try to update or delete an event data store that currently has an import in progress.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** EventDataStoreTerminationProtectedException **
The event data store cannot be deleted because termination protection is enabled for it.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/DeleteEventDataStore)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/DeleteEventDataStore)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/DeleteEventDataStore)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/DeleteEventDataStore)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/DeleteEventDataStore)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/DeleteEventDataStore)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/DeleteEventDataStore)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/DeleteEventDataStore)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/DeleteEventDataStore)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/DeleteEventDataStore)
# DeleteResourcePolicy
Deletes the resource-based policy attached to the CloudTrail event data store, dashboard, or channel.
## Request Syntax
```
{
"ResourceArn": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [ResourceArn](#API_DeleteResourcePolicy_RequestSyntax) **
The Amazon Resource Name (ARN) of the CloudTrail event data store, dashboard, or channel you're deleting the resource-based policy from.
Example event data store ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
Example dashboard ARN format: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
Example channel ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** ResourceARNNotValidException **
This exception is thrown when the provided resource does not exist, or the ARN format of the resource is not valid.
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** ResourceNotFoundException **
This exception is thrown when the specified resource is not found.
HTTP Status Code: 400
** ResourcePolicyNotFoundException **
This exception is thrown when the specified resource policy is not found.
HTTP Status Code: 400
** ResourceTypeNotSupportedException **
This exception is thrown when the specified resource type is not supported by CloudTrail.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/DeleteResourcePolicy)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/DeleteResourcePolicy)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/DeleteResourcePolicy)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/DeleteResourcePolicy)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/DeleteResourcePolicy)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/DeleteResourcePolicy)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/DeleteResourcePolicy)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/DeleteResourcePolicy)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/DeleteResourcePolicy)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/DeleteResourcePolicy)
# DeleteTrail
Deletes a trail. This operation must be called from the Region in which the trail was created. `DeleteTrail` cannot be called on the shadow trails (replicated trails in other Regions) of a trail that is enabled in all Regions.
**Important**
While deleting a CloudTrail trail is an irreversible action, CloudTrail does not delete log files in the Amazon S3 bucket for that trail, the Amazon S3 bucket itself, or the CloudWatchlog group to which the trail delivers events. Deleting a multi-Region trail will stop logging of events in all AWS Regions enabled in your AWS account. Deleting a single-Region trail will stop logging of events in that Region only. It will not stop logging of events in other Regions even if the trails in those other Regions have identical names to the deleted trail.
For information about account closure and deletion of CloudTrail trails, see [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-account-closure.html](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-account-closure.html).
## Request Syntax
```
{
"Name": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [Name](#API_DeleteTrail_RequestSyntax) **
Specifies the name or the CloudTrail ARN of the trail to be deleted. The following is the format of a trail ARN. `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
Type: String
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InvalidHomeRegionException **
This exception is thrown when an operation is called on a trail from a Region other than the Region in which the trail was created.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** ThrottlingException **
This exception is thrown when the request rate exceeds the limit.
HTTP Status Code: 400
** TrailNotFoundException **
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/DeleteTrail)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/DeleteTrail)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/DeleteTrail)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/DeleteTrail)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/DeleteTrail)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/DeleteTrail)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/DeleteTrail)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/DeleteTrail)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/DeleteTrail)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/DeleteTrail)
# DeregisterOrganizationDelegatedAdmin
Removes CloudTrail delegated administrator permissions from a member account in an organization.
## Request Syntax
```
{
"DelegatedAdminAccountId": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [DelegatedAdminAccountId](#API_DeregisterOrganizationDelegatedAdmin_RequestSyntax) **
A delegated administrator account ID. This is a member account in an organization that is currently designated as a delegated administrator.
Type: String
Length Constraints: Minimum length of 12. Maximum length of 16.
Pattern: `\d+`
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** AccountNotFoundException **
This exception is thrown when the specified account is not found or not part of an organization.
HTTP Status Code: 400
** AccountNotRegisteredException **
This exception is thrown when the specified account is not registered as the CloudTrail delegated administrator.
HTTP Status Code: 400
** CloudTrailAccessNotEnabledException **
This exception is thrown when trusted access has not been enabled between AWS CloudTrail and AWS Organizations. For more information, see [How to enable or disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_how-to-enable-disable-trusted-access) in the * AWS Organizations User Guide* and [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NotOrganizationManagementAccountException **
This exception is thrown when the account making the request is not the organization's management account.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** OrganizationNotInAllFeaturesModeException **
This exception is thrown when AWS Organizations is not configured to support all features. All features must be enabled in Organizations to support creating an organization trail or event data store.
HTTP Status Code: 400
** OrganizationsNotInUseException **
This exception is thrown when the request is made from an AWS account that is not a member of an organization. To make this request, sign in using the credentials of an account that belongs to an organization.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/DeregisterOrganizationDelegatedAdmin)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/DeregisterOrganizationDelegatedAdmin)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/DeregisterOrganizationDelegatedAdmin)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/DeregisterOrganizationDelegatedAdmin)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/DeregisterOrganizationDelegatedAdmin)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/DeregisterOrganizationDelegatedAdmin)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/DeregisterOrganizationDelegatedAdmin)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/DeregisterOrganizationDelegatedAdmin)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/DeregisterOrganizationDelegatedAdmin)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/DeregisterOrganizationDelegatedAdmin)
# DescribeQuery
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Returns metadata about a query, including query run time in milliseconds, number of events scanned and matched, and query status. If the query results were delivered to an S3 bucket, the response also provides the S3 URI and the delivery status.
You must specify either `QueryId` or `QueryAlias`. Specifying the `QueryAlias` parameter returns information about the last query run for the alias. You can provide `RefreshId` along with `QueryAlias` to view the query results of a dashboard query for the specified `RefreshId`.
## Request Syntax
```
{
"EventDataStore": "string",
"EventDataStoreOwnerAccountId": "string",
"QueryAlias": "string",
"QueryId": "string",
"RefreshId": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_DescribeQuery_RequestSyntax) **
*This parameter has been deprecated.*
The ARN (or the ID suffix of the ARN) of an event data store on which the specified query was run.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: No
** [EventDataStoreOwnerAccountId](#API_DescribeQuery_RequestSyntax) **
The account ID of the event data store owner.
Type: String
Length Constraints: Minimum length of 12. Maximum length of 16.
Pattern: `\d+`
Required: No
** [QueryAlias](#API_DescribeQuery_RequestSyntax) **
The alias that identifies a query template.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Pattern: `^[a-zA-Z][a-zA-Z0-9._\-]*$`
Required: No
** [QueryId](#API_DescribeQuery_RequestSyntax) **
The query ID.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
Required: No
** [RefreshId](#API_DescribeQuery_RequestSyntax) **
The ID of the dashboard refresh.
Type: String
Length Constraints: Minimum length of 10. Maximum length of 20.
Pattern: `\d+`
Required: No
## Response Syntax
```
{
"DeliveryS3Uri": "string",
"DeliveryStatus": "string",
"ErrorMessage": "string",
"EventDataStoreOwnerAccountId": "string",
"Prompt": "string",
"QueryId": "string",
"QueryStatistics": {
"BytesScanned": number,
"CreationTime": number,
"EventsMatched": number,
"EventsScanned": number,
"ExecutionTimeInMillis": number
},
"QueryStatus": "string",
"QueryString": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [DeliveryS3Uri](#API_DescribeQuery_ResponseSyntax) **
The URI for the S3 bucket where CloudTrail delivered query results, if applicable.
Type: String
Length Constraints: Maximum length of 1024.
Pattern: `s3://[a-z0-9][\.\-a-z0-9]{1,61}[a-z0-9](/.*)?`
** [DeliveryStatus](#API_DescribeQuery_ResponseSyntax) **
The delivery status.
Type: String
Valid Values: `SUCCESS | FAILED | FAILED_SIGNING_FILE | PENDING | RESOURCE_NOT_FOUND | ACCESS_DENIED | ACCESS_DENIED_SIGNING_FILE | CANCELLED | UNKNOWN`
** [ErrorMessage](#API_DescribeQuery_ResponseSyntax) **
The error message returned if a query failed.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
** [EventDataStoreOwnerAccountId](#API_DescribeQuery_ResponseSyntax) **
The account ID of the event data store owner.
Type: String
Length Constraints: Minimum length of 12. Maximum length of 16.
Pattern: `\d+`
** [Prompt](#API_DescribeQuery_ResponseSyntax) **
The prompt used for a generated query. For information about generated queries, see [Create CloudTrail Lake queries from natural language prompts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/lake-query-generator.html) in the * AWS CloudTrail * user guide.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 500.
Pattern: `^[ -~\n]*$`
** [QueryId](#API_DescribeQuery_ResponseSyntax) **
The ID of the query.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
** [QueryStatistics](#API_DescribeQuery_ResponseSyntax) **
Metadata about a query, including the number of events that were matched, the total number of events scanned, the query run time in milliseconds, and the query's creation time.
Type: [QueryStatisticsForDescribeQuery](API_QueryStatisticsForDescribeQuery.md) object
** [QueryStatus](#API_DescribeQuery_ResponseSyntax) **
The status of a query. Values for `QueryStatus` include `QUEUED`, `RUNNING`, `FINISHED`, `FAILED`, `TIMED_OUT`, or `CANCELLED`
Type: String
Valid Values: `QUEUED | RUNNING | FINISHED | FAILED | CANCELLED | TIMED_OUT`
** [QueryString](#API_DescribeQuery_ResponseSyntax) **
The SQL code of a query.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 10000.
Pattern: `(?s).*`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** QueryIdNotFoundException **
The query ID does not exist or does not map to a query.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/DescribeQuery)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/DescribeQuery)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/DescribeQuery)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/DescribeQuery)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/DescribeQuery)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/DescribeQuery)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/DescribeQuery)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/DescribeQuery)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/DescribeQuery)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/DescribeQuery)
# DescribeTrails
Retrieves settings for one or more trails associated with the current Region for your account.
## Request Syntax
```
{
"includeShadowTrails": boolean,
"trailNameList": [ "string" ]
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [includeShadowTrails](#API_DescribeTrails_RequestSyntax) **
Specifies whether to include shadow trails in the response. A shadow trail is the replication in a Region of a trail that was created in a different Region, or in the case of an organization trail, the replication of an organization trail in member accounts. If you do not include shadow trails, organization trails in a member account and Region replication trails will not be returned. The default is true.
Type: Boolean
Required: No
** [trailNameList](#API_DescribeTrails_RequestSyntax) **
Specifies a list of trail names, trail ARNs, or both, of the trails to describe. The format of a trail ARN is:
`arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
If an empty list is specified, information for the trail in the current Region is returned.
+ If an empty list is specified and `IncludeShadowTrails` is false, then information for all trails in the current Region is returned.
+ If an empty list is specified and IncludeShadowTrails is null or true, then information for all trails in the current Region and any associated shadow trails in other Regions is returned.
If one or more trail names are specified, information is returned only if the names match the names of trails belonging only to the current Region and current account. To return information about a trail in another Region, you must specify its trail ARN.
Type: Array of strings
Required: No
## Response Syntax
```
{
"trailList": [
{
"CloudWatchLogsLogGroupArn": "string",
"CloudWatchLogsRoleArn": "string",
"HasCustomEventSelectors": boolean,
"HasInsightSelectors": boolean,
"HomeRegion": "string",
"IncludeGlobalServiceEvents": boolean,
"IsMultiRegionTrail": boolean,
"IsOrganizationTrail": boolean,
"KmsKeyId": "string",
"LogFileValidationEnabled": boolean,
"Name": "string",
"S3BucketName": "string",
"S3KeyPrefix": "string",
"SnsTopicARN": "string",
"SnsTopicName": "string",
"TrailARN": "string"
}
]
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [trailList](#API_DescribeTrails_ResponseSyntax) **
The list of trail objects. Trail objects with string values are only returned if values for the objects exist in a trail's configuration. For example, `SNSTopicName` and `SNSTopicARN` are only returned in results if a trail is configured to send SNS notifications. Similarly, `KMSKeyId` only appears in results if a trail's log files are encrypted with AWS KMS customer managed keys.
Type: Array of [Trail](API_Trail.md) objects
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/DescribeTrails)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/DescribeTrails)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/DescribeTrails)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/DescribeTrails)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/DescribeTrails)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/DescribeTrails)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/DescribeTrails)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/DescribeTrails)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/DescribeTrails)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/DescribeTrails)
# DisableFederation
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Disables Lake query federation on the specified event data store. When you disable federation, CloudTrail disables the integration with AWS Glue, AWS Lake Formation, and Amazon Athena. After disabling Lake query federation, you can no longer query your event data in Amazon Athena.
No CloudTrail Lake data is deleted when you disable federation and you can continue to run queries in CloudTrail Lake.
## Request Syntax
```
{
"EventDataStore": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_DisableFederation_RequestSyntax) **
The ARN (or ID suffix of the ARN) of the event data store for which you want to disable Lake query federation.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
## Response Syntax
```
{
"EventDataStoreArn": "string",
"FederationStatus": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [EventDataStoreArn](#API_DisableFederation_ResponseSyntax) **
The ARN of the event data store for which you disabled Lake query federation.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [FederationStatus](#API_DisableFederation_ResponseSyntax) **
The federation status.
Type: String
Valid Values: `ENABLING | ENABLED | DISABLING | DISABLED`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** AccessDeniedException **
You do not have sufficient access to perform this action.
HTTP Status Code: 400
** CloudTrailAccessNotEnabledException **
This exception is thrown when trusted access has not been enabled between AWS CloudTrail and AWS Organizations. For more information, see [How to enable or disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_how-to-enable-disable-trusted-access) in the * AWS Organizations User Guide* and [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** ConcurrentModificationException **
You are trying to update a resource when another request is in progress. Allow sufficient wait time for the previous request to complete, then retry your request.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** OrganizationNotInAllFeaturesModeException **
This exception is thrown when AWS Organizations is not configured to support all features. All features must be enabled in Organizations to support creating an organization trail or event data store.
HTTP Status Code: 400
** OrganizationsNotInUseException **
This exception is thrown when the request is made from an AWS account that is not a member of an organization. To make this request, sign in using the credentials of an account that belongs to an organization.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## Examples
### Example
The following example shows how to disable CloudTrail Lake federation on an event data store.
```
{
"EventDataStore": "arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE"
}
```
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/DisableFederation)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/DisableFederation)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/DisableFederation)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/DisableFederation)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/DisableFederation)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/DisableFederation)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/DisableFederation)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/DisableFederation)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/DisableFederation)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/DisableFederation)
# EnableFederation
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Enables Lake query federation on the specified event data store. Federating an event data store lets you view the metadata associated with the event data store in the AWS Glue [Data Catalog](https://docs.aws.amazon.com/glue/latest/dg/components-overview.html#data-catalog-intro) and run SQL queries against your event data using Amazon Athena. The table metadata stored in the AWS Glue Data Catalog lets the Athena query engine know how to find, read, and process the data that you want to query.
When you enable Lake query federation, CloudTrail creates a managed database named `aws:cloudtrail` (if the database doesn't already exist) and a managed federated table in the AWS Glue Data Catalog. The event data store ID is used for the table name. CloudTrail registers the role ARN and event data store in [AWS Lake Formation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation-lake-formation.html), the service responsible for allowing fine-grained access control of the federated resources in the AWS Glue Data Catalog.
For more information about Lake query federation, see [Federate an event data store](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html).
## Request Syntax
```
{
"EventDataStore": "string",
"FederationRoleArn": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_EnableFederation_RequestSyntax) **
The ARN (or ID suffix of the ARN) of the event data store for which you want to enable Lake query federation.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
** [FederationRoleArn](#API_EnableFederation_RequestSyntax) **
The ARN of the federation role to use for the event data store. AWS services like AWS Lake Formation use this federation role to access data for the federated event data store. The federation role must exist in your account and provide the [required minimum permissions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html#query-federation-permissions-role).
Type: String
Length Constraints: Minimum length of 3. Maximum length of 125.
Pattern: `^[a-zA-Z0-9._/\-:@=\+,\.]+$`
Required: Yes
## Response Syntax
```
{
"EventDataStoreArn": "string",
"FederationRoleArn": "string",
"FederationStatus": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [EventDataStoreArn](#API_EnableFederation_ResponseSyntax) **
The ARN of the event data store for which you enabled Lake query federation.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [FederationRoleArn](#API_EnableFederation_ResponseSyntax) **
The ARN of the federation role.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 125.
Pattern: `^[a-zA-Z0-9._/\-:@=\+,\.]+$`
** [FederationStatus](#API_EnableFederation_ResponseSyntax) **
The federation status.
Type: String
Valid Values: `ENABLING | ENABLED | DISABLING | DISABLED`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** AccessDeniedException **
You do not have sufficient access to perform this action.
HTTP Status Code: 400
** CloudTrailAccessNotEnabledException **
This exception is thrown when trusted access has not been enabled between AWS CloudTrail and AWS Organizations. For more information, see [How to enable or disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_how-to-enable-disable-trusted-access) in the * AWS Organizations User Guide* and [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** ConcurrentModificationException **
You are trying to update a resource when another request is in progress. Allow sufficient wait time for the previous request to complete, then retry your request.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreFederationEnabledException **
You cannot delete the event data store because Lake query federation is enabled. To delete the event data store, run the `DisableFederation` operation to disable Lake query federation on the event data store.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** OrganizationNotInAllFeaturesModeException **
This exception is thrown when AWS Organizations is not configured to support all features. All features must be enabled in Organizations to support creating an organization trail or event data store.
HTTP Status Code: 400
** OrganizationsNotInUseException **
This exception is thrown when the request is made from an AWS account that is not a member of an organization. To make this request, sign in using the credentials of an account that belongs to an organization.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## Examples
### Example
The following example shows how to enable CloudTrail Lake federation on an event data store.
```
{
"EventDataStore": "arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
"FederationRoleArn": "arn:aws:iam::123456789012:role/FederationRole"
}
```
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/EnableFederation)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/EnableFederation)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/EnableFederation)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/EnableFederation)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/EnableFederation)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/EnableFederation)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/EnableFederation)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/EnableFederation)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/EnableFederation)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/EnableFederation)
# GenerateQuery
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Generates a query from a natural language prompt. This operation uses generative artificial intelligence (generative AI) to produce a ready-to-use SQL query from the prompt.
The prompt can be a question or a statement about the event data in your event data store. For example, you can enter prompts like "What are my top errors in the past month?" and “Give me a list of users that used SNS.”
The prompt must be in English. For information about limitations, permissions, and supported Regions, see [Create CloudTrail Lake queries from natural language prompts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/lake-query-generator.html) in the * AWS CloudTrail * user guide.
**Note**
Do not include any personally identifying, confidential, or sensitive information in your prompts.
This feature uses generative AI large language models (LLMs); we recommend double-checking the LLM response.
## Request Syntax
```
{
"EventDataStores": [ "string" ],
"Prompt": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStores](#API_GenerateQuery_RequestSyntax) **
The ARN (or ID suffix of the ARN) of the event data store that you want to query. You can only specify one event data store.
Type: Array of strings
Array Members: Fixed number of 1 item.
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
** [Prompt](#API_GenerateQuery_RequestSyntax) **
The prompt that you want to use to generate the query. The prompt must be in English. For example prompts, see [Example prompts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/lake-query-generator.html#lake-query-generator-examples) in the * AWS CloudTrail * user guide.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 500.
Pattern: `^[ -~\n]*$`
Required: Yes
## Response Syntax
```
{
"EventDataStoreOwnerAccountId": "string",
"QueryAlias": "string",
"QueryStatement": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [EventDataStoreOwnerAccountId](#API_GenerateQuery_ResponseSyntax) **
The account ID of the event data store owner.
Type: String
Length Constraints: Minimum length of 12. Maximum length of 16.
Pattern: `\d+`
** [QueryAlias](#API_GenerateQuery_ResponseSyntax) **
An alias that identifies the prompt. When you run the `StartQuery` operation, you can pass in either the `QueryAlias` or `QueryStatement` parameter.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Pattern: `^[a-zA-Z][a-zA-Z0-9._\-]*$`
** [QueryStatement](#API_GenerateQuery_ResponseSyntax) **
The SQL query statement generated from the prompt.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 10000.
Pattern: `(?s).*`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** GenerateResponseException **
This exception is thrown when a valid query could not be generated for the provided prompt.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## Examples
### Example
The following example provides the prompt `"Show me all console login events for the past week"` to generate a query for the specified event data store.
```
{
"EventDataStores": [ "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-ee54-4813-92d5-999aeEXAMPLE" ],
"Prompt": "Show me all console login events for the past week"
}
```
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/GenerateQuery)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/GenerateQuery)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/GenerateQuery)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/GenerateQuery)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/GenerateQuery)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/GenerateQuery)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/GenerateQuery)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/GenerateQuery)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/GenerateQuery)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/GenerateQuery)
# GetChannel
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Returns information about a specific channel.
## Request Syntax
```
{
"Channel": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [Channel](#API_GetChannel_RequestSyntax) **
The ARN or `UUID` of a channel.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
## Response Syntax
```
{
"ChannelArn": "string",
"Destinations": [
{
"Location": "string",
"Type": "string"
}
],
"IngestionStatus": {
"LatestIngestionAttemptEventID": "string",
"LatestIngestionAttemptTime": number,
"LatestIngestionErrorCode": "string",
"LatestIngestionSuccessEventID": "string",
"LatestIngestionSuccessTime": number
},
"Name": "string",
"Source": "string",
"SourceConfig": {
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"EndsWith": [ "string" ],
"Equals": [ "string" ],
"Field": "string",
"NotEndsWith": [ "string" ],
"NotEquals": [ "string" ],
"NotStartsWith": [ "string" ],
"StartsWith": [ "string" ]
}
],
"Name": "string"
}
],
"ApplyToAllRegions": boolean
}
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [ChannelArn](#API_GetChannel_ResponseSyntax) **
The ARN of an channel returned by a `GetChannel` request.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [Destinations](#API_GetChannel_ResponseSyntax) **
The destinations for the channel. For channels created for integrations, the destinations are the event data stores that log events arriving through the channel. For service-linked channels, the destination is the AWS service that created the service-linked channel to receive events.
Type: Array of [Destination](API_Destination.md) objects
Array Members: Minimum number of 1 item. Maximum number of 200 items.
** [IngestionStatus](#API_GetChannel_ResponseSyntax) **
A table showing information about the most recent successful and failed attempts to ingest events.
Type: [IngestionStatus](API_IngestionStatus.md) object
** [Name](#API_GetChannel_ResponseSyntax) **
The name of the CloudTrail channel. For service-linked channels, the name is `aws-service-channel/service-name/custom-suffix` where `service-name` represents the name of the AWS service that created the channel and `custom-suffix` represents the suffix generated by the AWS service.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9._\-]+$`
** [Source](#API_GetChannel_ResponseSyntax) **
The source for the CloudTrail channel.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Pattern: `.*`
** [SourceConfig](#API_GetChannel_ResponseSyntax) **
Provides information about the advanced event selectors configured for the channel, and whether the channel applies to all Regions or a single Region.
Type: [SourceConfig](API_SourceConfig.md) object
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ChannelARNInvalidException **
This exception is thrown when the specified value of `ChannelARN` is not valid.
HTTP Status Code: 400
** ChannelNotFoundException **
This exception is thrown when CloudTrail cannot find the specified channel.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/GetChannel)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/GetChannel)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/GetChannel)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/GetChannel)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/GetChannel)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/GetChannel)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/GetChannel)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/GetChannel)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/GetChannel)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/GetChannel)
# GetDashboard
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Returns the specified dashboard.
## Request Syntax
```
{
"DashboardId": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [DashboardId](#API_GetDashboard_RequestSyntax) **
The name or ARN for the dashboard.
Type: String
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
## Response Syntax
```
{
"CreatedTimestamp": number,
"DashboardArn": "string",
"LastRefreshFailureReason": "string",
"LastRefreshId": "string",
"RefreshSchedule": {
"Frequency": {
"Unit": "string",
"Value": number
},
"Status": "string",
"TimeOfDay": "string"
},
"Status": "string",
"TerminationProtectionEnabled": boolean,
"Type": "string",
"UpdatedTimestamp": number,
"Widgets": [
{
"QueryAlias": "string",
"QueryParameters": [ "string" ],
"QueryStatement": "string",
"ViewProperties": {
"string" : "string"
}
}
]
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [CreatedTimestamp](#API_GetDashboard_ResponseSyntax) **
The timestamp that shows when the dashboard was created.
Type: Timestamp
** [DashboardArn](#API_GetDashboard_ResponseSyntax) **
The ARN for the dashboard.
Type: String
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [LastRefreshFailureReason](#API_GetDashboard_ResponseSyntax) **
Provides information about failures for the last scheduled refresh.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
** [LastRefreshId](#API_GetDashboard_ResponseSyntax) **
The ID of the last dashboard refresh.
Type: String
Length Constraints: Minimum length of 10. Maximum length of 20.
Pattern: `\d+`
** [RefreshSchedule](#API_GetDashboard_ResponseSyntax) **
The refresh schedule for the dashboard, if configured.
Type: [RefreshSchedule](API_RefreshSchedule.md) object
** [Status](#API_GetDashboard_ResponseSyntax) **
The status of the dashboard.
Type: String
Valid Values: `CREATING | CREATED | UPDATING | UPDATED | DELETING`
** [TerminationProtectionEnabled](#API_GetDashboard_ResponseSyntax) **
Indicates whether termination protection is enabled for the dashboard.
Type: Boolean
** [Type](#API_GetDashboard_ResponseSyntax) **
The type of dashboard.
Type: String
Valid Values: `MANAGED | CUSTOM`
** [UpdatedTimestamp](#API_GetDashboard_ResponseSyntax) **
The timestamp that shows when the dashboard was last updated.
Type: Timestamp
** [Widgets](#API_GetDashboard_ResponseSyntax) **
An array of widgets for the dashboard.
Type: Array of [Widget](API_Widget.md) objects
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ResourceNotFoundException **
This exception is thrown when the specified resource is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/GetDashboard)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/GetDashboard)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/GetDashboard)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/GetDashboard)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/GetDashboard)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/GetDashboard)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/GetDashboard)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/GetDashboard)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/GetDashboard)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/GetDashboard)
# GetEventConfiguration
Retrieves the current event configuration settings for the specified event data store or trail. The response includes maximum event size configuration, the context key selectors configured for the event data store, and any aggregation settings configured for the trail.
## Request Syntax
```
{
"EventDataStore": "string",
"TrailName": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_GetEventConfiguration_RequestSyntax) **
The Amazon Resource Name (ARN) or ID suffix of the ARN of the event data store for which you want to retrieve event configuration settings.
Type: String
Required: No
** [TrailName](#API_GetEventConfiguration_RequestSyntax) **
The name of the trail for which you want to retrieve event configuration settings.
Type: String
Required: No
## Response Syntax
```
{
"AggregationConfigurations": [
{
"EventCategory": "string",
"Templates": [ "string" ]
}
],
"ContextKeySelectors": [
{
"Equals": [ "string" ],
"Type": "string"
}
],
"EventDataStoreArn": "string",
"MaxEventSize": "string",
"TrailARN": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [AggregationConfigurations](#API_GetEventConfiguration_ResponseSyntax) **
The list of aggregation configurations that are configured for the trail.
Type: Array of [AggregationConfiguration](API_AggregationConfiguration.md) objects
Array Members: Maximum number of 1 item.
** [ContextKeySelectors](#API_GetEventConfiguration_ResponseSyntax) **
The list of context key selectors that are configured for the event data store.
Type: Array of [ContextKeySelector](API_ContextKeySelector.md) objects
Array Members: Maximum number of 2 items.
** [EventDataStoreArn](#API_GetEventConfiguration_ResponseSyntax) **
The Amazon Resource Name (ARN) or ID suffix of the ARN of the event data store for which the event configuration settings are returned.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [MaxEventSize](#API_GetEventConfiguration_ResponseSyntax) **
The maximum allowed size for events stored in the specified event data store.
Type: String
Valid Values: `Standard | Large`
** [TrailARN](#API_GetEventConfiguration_ResponseSyntax) **
The Amazon Resource Name (ARN) of the trail for which the event configuration settings are returned.
Type: String
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InvalidEventDataStoreCategoryException **
This exception is thrown when event categories of specified event data stores are not valid.
HTTP Status Code: 400
** InvalidEventDataStoreStatusException **
The event data store is not in a status that supports the operation.
HTTP Status Code: 400
** InvalidParameterCombinationException **
This exception is thrown when the combination of parameters provided is not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** TrailNotFoundException **
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/GetEventConfiguration)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/GetEventConfiguration)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/GetEventConfiguration)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/GetEventConfiguration)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/GetEventConfiguration)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/GetEventConfiguration)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/GetEventConfiguration)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/GetEventConfiguration)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/GetEventConfiguration)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/GetEventConfiguration)
# GetEventDataStore
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Returns information about an event data store specified as either an ARN or the ID portion of the ARN.
## Request Syntax
```
{
"EventDataStore": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_GetEventDataStore_RequestSyntax) **
The ARN (or ID suffix of the ARN) of the event data store about which you want information.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
## Response Syntax
```
{
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"EndsWith": [ "string" ],
"Equals": [ "string" ],
"Field": "string",
"NotEndsWith": [ "string" ],
"NotEquals": [ "string" ],
"NotStartsWith": [ "string" ],
"StartsWith": [ "string" ]
}
],
"Name": "string"
}
],
"BillingMode": "string",
"CreatedTimestamp": number,
"EventDataStoreArn": "string",
"FederationRoleArn": "string",
"FederationStatus": "string",
"KmsKeyId": "string",
"MultiRegionEnabled": boolean,
"Name": "string",
"OrganizationEnabled": boolean,
"PartitionKeys": [
{
"Name": "string",
"Type": "string"
}
],
"RetentionPeriod": number,
"Status": "string",
"TerminationProtectionEnabled": boolean,
"UpdatedTimestamp": number
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [AdvancedEventSelectors](#API_GetEventDataStore_ResponseSyntax) **
The advanced event selectors used to select events for the data store.
Type: Array of [AdvancedEventSelector](API_AdvancedEventSelector.md) objects
** [BillingMode](#API_GetEventDataStore_ResponseSyntax) **
The billing mode for the event data store.
Type: String
Valid Values: `EXTENDABLE_RETENTION_PRICING | FIXED_RETENTION_PRICING`
** [CreatedTimestamp](#API_GetEventDataStore_ResponseSyntax) **
The timestamp of the event data store's creation.
Type: Timestamp
** [EventDataStoreArn](#API_GetEventDataStore_ResponseSyntax) **
The event data store Amazon Resource Number (ARN).
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [FederationRoleArn](#API_GetEventDataStore_ResponseSyntax) **
If Lake query federation is enabled, provides the ARN of the federation role used to access the resources for the federated event data store.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 125.
Pattern: `^[a-zA-Z0-9._/\-:@=\+,\.]+$`
** [FederationStatus](#API_GetEventDataStore_ResponseSyntax) **
Indicates the [Lake query federation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html) status. The status is `ENABLED` if Lake query federation is enabled, or `DISABLED` if Lake query federation is disabled. You cannot delete an event data store if the `FederationStatus` is `ENABLED`.
Type: String
Valid Values: `ENABLING | ENABLED | DISABLING | DISABLED`
** [KmsKeyId](#API_GetEventDataStore_ResponseSyntax) **
Specifies the AWS KMS key ID that encrypts the events delivered by CloudTrail. The value is a fully specified ARN to a AWS KMS key in the following format.
`arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`
Type: String
Length Constraints: Minimum length of 1. Maximum length of 350.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [MultiRegionEnabled](#API_GetEventDataStore_ResponseSyntax) **
Indicates whether the event data store includes events from all Regions, or only from the Region in which it was created.
Type: Boolean
** [Name](#API_GetEventDataStore_ResponseSyntax) **
The name of the event data store.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9._\-]+$`
** [OrganizationEnabled](#API_GetEventDataStore_ResponseSyntax) **
Indicates whether an event data store is collecting logged events for an organization in AWS Organizations.
Type: Boolean
** [PartitionKeys](#API_GetEventDataStore_ResponseSyntax) **
The partition keys for the event data store. To improve query performance and efficiency, CloudTrail Lake organizes event data into partitions based on values derived from partition keys.
Type: Array of [PartitionKey](API_PartitionKey.md) objects
Array Members: Maximum number of 2 items.
** [RetentionPeriod](#API_GetEventDataStore_ResponseSyntax) **
The retention period of the event data store, in days.
Type: Integer
Valid Range: Minimum value of 7. Maximum value of 3653.
** [Status](#API_GetEventDataStore_ResponseSyntax) **
The status of an event data store.
Type: String
Valid Values: `CREATED | ENABLED | PENDING_DELETION | STARTING_INGESTION | STOPPING_INGESTION | STOPPED_INGESTION`
** [TerminationProtectionEnabled](#API_GetEventDataStore_ResponseSyntax) **
Indicates that termination protection is enabled.
Type: Boolean
** [UpdatedTimestamp](#API_GetEventDataStore_ResponseSyntax) **
Shows the time that an event data store was updated, if applicable. `UpdatedTimestamp` is always either the same or newer than the time shown in `CreatedTimestamp`.
Type: Timestamp
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/GetEventDataStore)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/GetEventDataStore)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/GetEventDataStore)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/GetEventDataStore)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/GetEventDataStore)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/GetEventDataStore)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/GetEventDataStore)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/GetEventDataStore)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/GetEventDataStore)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/GetEventDataStore)
# GetEventSelectors
Describes the settings for the event selectors that you configured for your trail. The information returned for your event selectors includes the following:
+ If your event selector includes read-only events, write-only events, or all events. This applies to management events, data events, and network activity events.
+ If your event selector includes management events.
+ If your event selector includes network activity events, the event sources for which you are logging network activity events.
+ If your event selector includes data events, the resources on which you are logging data events.
For more information about logging management, data, and network activity events, see the following topics in the * AWS CloudTrail User Guide*:
+ [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html)
+ [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html)
+ [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html)
## Request Syntax
```
{
"TrailName": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [TrailName](#API_GetEventSelectors_RequestSyntax) **
Specifies the name of the trail or trail ARN. If you specify a trail name, the string must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
If you specify a trail ARN, it must be in the format:
`arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
Type: String
Required: Yes
## Response Syntax
```
{
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"EndsWith": [ "string" ],
"Equals": [ "string" ],
"Field": "string",
"NotEndsWith": [ "string" ],
"NotEquals": [ "string" ],
"NotStartsWith": [ "string" ],
"StartsWith": [ "string" ]
}
],
"Name": "string"
}
],
"EventSelectors": [
{
"DataResources": [
{
"Type": "string",
"Values": [ "string" ]
}
],
"ExcludeManagementEventSources": [ "string" ],
"IncludeManagementEvents": boolean,
"ReadWriteType": "string"
}
],
"TrailARN": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [AdvancedEventSelectors](#API_GetEventSelectors_ResponseSyntax) **
The advanced event selectors that are configured for the trail.
Type: Array of [AdvancedEventSelector](API_AdvancedEventSelector.md) objects
** [EventSelectors](#API_GetEventSelectors_ResponseSyntax) **
The event selectors that are configured for the trail.
Type: Array of [EventSelector](API_EventSelector.md) objects
** [TrailARN](#API_GetEventSelectors_ResponseSyntax) **
The specified trail ARN that has the event selectors.
Type: String
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** TrailNotFoundException **
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/GetEventSelectors)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/GetEventSelectors)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/GetEventSelectors)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/GetEventSelectors)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/GetEventSelectors)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/GetEventSelectors)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/GetEventSelectors)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/GetEventSelectors)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/GetEventSelectors)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/GetEventSelectors)
# GetImport
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Returns information about a specific import.
## Request Syntax
```
{
"ImportId": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [ImportId](#API_GetImport_RequestSyntax) **
The ID for the import.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
Required: Yes
## Response Syntax
```
{
"CreatedTimestamp": number,
"Destinations": [ "string" ],
"EndEventTime": number,
"ImportId": "string",
"ImportSource": {
"S3": {
"S3BucketAccessRoleArn": "string",
"S3BucketRegion": "string",
"S3LocationUri": "string"
}
},
"ImportStatistics": {
"EventsCompleted": number,
"FailedEntries": number,
"FilesCompleted": number,
"PrefixesCompleted": number,
"PrefixesFound": number
},
"ImportStatus": "string",
"StartEventTime": number,
"UpdatedTimestamp": number
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [CreatedTimestamp](#API_GetImport_ResponseSyntax) **
The timestamp of the import's creation.
Type: Timestamp
** [Destinations](#API_GetImport_ResponseSyntax) **
The ARN of the destination event data store.
Type: Array of strings
Array Members: Fixed number of 1 item.
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [EndEventTime](#API_GetImport_ResponseSyntax) **
Used with `StartEventTime` to bound a `StartImport` request, and limit imported trail events to only those events logged within a specified time period.
Type: Timestamp
** [ImportId](#API_GetImport_ResponseSyntax) **
The ID of the import.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
** [ImportSource](#API_GetImport_ResponseSyntax) **
The source S3 bucket.
Type: [ImportSource](API_ImportSource.md) object
** [ImportStatistics](#API_GetImport_ResponseSyntax) **
Provides statistics for the import. CloudTrail does not update import statistics in real-time. Returned values for parameters such as `EventsCompleted` may be lower than the actual value, because CloudTrail updates statistics incrementally over the course of the import.
Type: [ImportStatistics](API_ImportStatistics.md) object
** [ImportStatus](#API_GetImport_ResponseSyntax) **
The status of the import.
Type: String
Valid Values: `INITIALIZING | IN_PROGRESS | FAILED | STOPPED | COMPLETED`
** [StartEventTime](#API_GetImport_ResponseSyntax) **
Used with `EndEventTime` to bound a `StartImport` request, and limit imported trail events to only those events logged within a specified time period.
Type: Timestamp
** [UpdatedTimestamp](#API_GetImport_ResponseSyntax) **
The timestamp of when the import was updated.
Type: Timestamp
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ImportNotFoundException **
The specified import was not found.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/GetImport)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/GetImport)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/GetImport)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/GetImport)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/GetImport)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/GetImport)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/GetImport)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/GetImport)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/GetImport)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/GetImport)
# GetInsightSelectors
Describes the settings for the Insights event selectors that you configured for your trail or event data store. `GetInsightSelectors` shows if CloudTrail Insights logging is enabled and which Insights types are configured with corresponding event categories. If you run `GetInsightSelectors` on a trail or event data store that does not have Insights events enabled, the operation throws the exception `InsightNotEnabledException`
Specify either the `EventDataStore` parameter to get Insights event selectors for an event data store, or the `TrailName` parameter to the get Insights event selectors for a trail. You cannot specify these parameters together.
For more information, see [Working with CloudTrail Insights](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-insights-events-with-cloudtrail.html) in the * AWS CloudTrail User Guide*.
## Request Syntax
```
{
"EventDataStore": "string",
"TrailName": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_GetInsightSelectors_RequestSyntax) **
Specifies the ARN (or ID suffix of the ARN) of the event data store for which you want to get Insights selectors.
You cannot use this parameter with the `TrailName` parameter.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: No
** [TrailName](#API_GetInsightSelectors_RequestSyntax) **
Specifies the name of the trail or trail ARN. If you specify a trail name, the string must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
If you specify a trail ARN, it must be in the format:
`arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
You cannot use this parameter with the `EventDataStore` parameter.
Type: String
Required: No
## Response Syntax
```
{
"EventDataStoreArn": "string",
"InsightsDestination": "string",
"InsightSelectors": [
{
"EventCategories": [ "string" ],
"InsightType": "string"
}
],
"TrailARN": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [EventDataStoreArn](#API_GetInsightSelectors_ResponseSyntax) **
The ARN of the source event data store that enabled Insights events.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [InsightsDestination](#API_GetInsightSelectors_ResponseSyntax) **
The ARN of the destination event data store that logs Insights events.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [InsightSelectors](#API_GetInsightSelectors_ResponseSyntax) **
Contains the Insights types that are enabled on a trail or event data store. It also specifies the event categories on which a particular Insight type is enabled. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.The EventCategory field can specify `Management` or `Data` events or both. For event data store, you can log Insights for management events only.
Type: Array of [InsightSelector](API_InsightSelector.md) objects
** [TrailARN](#API_GetInsightSelectors_ResponseSyntax) **
The Amazon Resource Name (ARN) of a trail for which you want to get Insights selectors.
Type: String
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** InsightNotEnabledException **
If you run `GetInsightSelectors` on a trail or event data store that does not have Insights events enabled, the operation throws the exception `InsightNotEnabledException`.
HTTP Status Code: 400
** InvalidParameterCombinationException **
This exception is thrown when the combination of parameters provided is not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** ThrottlingException **
This exception is thrown when the request rate exceeds the limit.
HTTP Status Code: 400
** TrailNotFoundException **
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/GetInsightSelectors)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/GetInsightSelectors)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/GetInsightSelectors)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/GetInsightSelectors)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/GetInsightSelectors)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/GetInsightSelectors)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/GetInsightSelectors)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/GetInsightSelectors)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/GetInsightSelectors)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/GetInsightSelectors)
# GetQueryResults
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Gets event data results of a query. You must specify the `QueryID` value returned by the `StartQuery` operation.
## Request Syntax
```
{
"EventDataStore": "string",
"EventDataStoreOwnerAccountId": "string",
"MaxQueryResults": number,
"NextToken": "string",
"QueryId": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_GetQueryResults_RequestSyntax) **
*This parameter has been deprecated.*
The ARN (or ID suffix of the ARN) of the event data store against which the query was run.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: No
** [EventDataStoreOwnerAccountId](#API_GetQueryResults_RequestSyntax) **
The account ID of the event data store owner.
Type: String
Length Constraints: Minimum length of 12. Maximum length of 16.
Pattern: `\d+`
Required: No
** [MaxQueryResults](#API_GetQueryResults_RequestSyntax) **
The maximum number of query results to display on a single page.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 1000.
Required: No
** [NextToken](#API_GetQueryResults_RequestSyntax) **
A token you can use to get the next page of query results.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
Required: No
** [QueryId](#API_GetQueryResults_RequestSyntax) **
The ID of the query for which you want to get results.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
Required: Yes
## Response Syntax
```
{
"ErrorMessage": "string",
"NextToken": "string",
"QueryResultRows": [
[
{
"string" : "string"
}
]
],
"QueryStatistics": {
"BytesScanned": number,
"ResultsCount": number,
"TotalResultsCount": number
},
"QueryStatus": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [ErrorMessage](#API_GetQueryResults_ResponseSyntax) **
The error message returned if a query failed.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
** [NextToken](#API_GetQueryResults_ResponseSyntax) **
A token you can use to get the next page of query results.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
** [QueryResultRows](#API_GetQueryResults_ResponseSyntax) **
Contains the individual event results of the query.
Type: Array of arrays of string to string maps
** [QueryStatistics](#API_GetQueryResults_ResponseSyntax) **
Shows the count of query results.
Type: [QueryStatistics](API_QueryStatistics.md) object
** [QueryStatus](#API_GetQueryResults_ResponseSyntax) **
The status of the query. Values include `QUEUED`, `RUNNING`, `FINISHED`, `FAILED`, `TIMED_OUT`, or `CANCELLED`.
Type: String
Valid Values: `QUEUED | RUNNING | FINISHED | FAILED | CANCELLED | TIMED_OUT`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InsufficientEncryptionPolicyException **
For the `CreateTrail` `PutInsightSelectors`, `UpdateTrail`, `StartQuery`, and `StartImport` operations, this exception is thrown when the policy on the S3 bucket or AWS KMS key does not have sufficient permissions for the operation.
For all other operations, this exception is thrown when the policy for the AWS KMS key does not have sufficient permissions for the operation.
HTTP Status Code: 400
** InvalidMaxResultsException **
This exception is thrown if the limit specified is not valid.
HTTP Status Code: 400
** InvalidNextTokenException **
A token that is not valid, or a token that was previously used in a request with different parameters. This exception is thrown if the token is not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** QueryIdNotFoundException **
The query ID does not exist or does not map to a query.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/GetQueryResults)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/GetQueryResults)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/GetQueryResults)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/GetQueryResults)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/GetQueryResults)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/GetQueryResults)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/GetQueryResults)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/GetQueryResults)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/GetQueryResults)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/GetQueryResults)
# GetResourcePolicy
Retrieves the JSON text of the resource-based policy document attached to the CloudTrail event data store, dashboard, or channel.
## Request Syntax
```
{
"ResourceArn": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [ResourceArn](#API_GetResourcePolicy_RequestSyntax) **
The Amazon Resource Name (ARN) of the CloudTrail event data store, dashboard, or channel attached to the resource-based policy.
Example event data store ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
Example dashboard ARN format: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
Example channel ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
## Response Syntax
```
{
"DelegatedAdminResourcePolicy": "string",
"ResourceArn": "string",
"ResourcePolicy": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [DelegatedAdminResourcePolicy](#API_GetResourcePolicy_ResponseSyntax) **
The default resource-based policy that is automatically generated for the delegated administrator of an AWS Organizations organization. This policy will be evaluated in tandem with any policy you submit for the resource. For more information about this policy, see [Default resource policy for delegated administrators](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html#cloudtrail-lake-organizations-eds-rbp).
Type: String
Length Constraints: Minimum length of 1. Maximum length of 8192.
** [ResourceArn](#API_GetResourcePolicy_ResponseSyntax) **
The Amazon Resource Name (ARN) of the CloudTrail event data store, dashboard, or channel attached to resource-based policy.
Example event data store ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
Example dashboard ARN format: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
Example channel ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [ResourcePolicy](#API_GetResourcePolicy_ResponseSyntax) **
A JSON-formatted string that contains the resource-based policy attached to the CloudTrail event data store, dashboard, or channel.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 8192.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** ResourceARNNotValidException **
This exception is thrown when the provided resource does not exist, or the ARN format of the resource is not valid.
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** ResourceNotFoundException **
This exception is thrown when the specified resource is not found.
HTTP Status Code: 400
** ResourcePolicyNotFoundException **
This exception is thrown when the specified resource policy is not found.
HTTP Status Code: 400
** ResourceTypeNotSupportedException **
This exception is thrown when the specified resource type is not supported by CloudTrail.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/GetResourcePolicy)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/GetResourcePolicy)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/GetResourcePolicy)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/GetResourcePolicy)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/GetResourcePolicy)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/GetResourcePolicy)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/GetResourcePolicy)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/GetResourcePolicy)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/GetResourcePolicy)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/GetResourcePolicy)
# GetTrail
Returns settings information for a specified trail.
## Request Syntax
```
{
"Name": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [Name](#API_GetTrail_RequestSyntax) **
The name or the Amazon Resource Name (ARN) of the trail for which you want to retrieve settings information.
Type: String
Required: Yes
## Response Syntax
```
{
"Trail": {
"CloudWatchLogsLogGroupArn": "string",
"CloudWatchLogsRoleArn": "string",
"HasCustomEventSelectors": boolean,
"HasInsightSelectors": boolean,
"HomeRegion": "string",
"IncludeGlobalServiceEvents": boolean,
"IsMultiRegionTrail": boolean,
"IsOrganizationTrail": boolean,
"KmsKeyId": "string",
"LogFileValidationEnabled": boolean,
"Name": "string",
"S3BucketName": "string",
"S3KeyPrefix": "string",
"SnsTopicARN": "string",
"SnsTopicName": "string",
"TrailARN": "string"
}
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [Trail](#API_GetTrail_ResponseSyntax) **
The settings for a trail.
Type: [Trail](API_Trail.md) object
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** TrailNotFoundException **
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/GetTrail)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/GetTrail)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/GetTrail)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/GetTrail)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/GetTrail)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/GetTrail)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/GetTrail)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/GetTrail)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/GetTrail)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/GetTrail)
# GetTrailStatus
Returns a JSON-formatted list of information about the specified trail. Fields include information on delivery errors, Amazon SNS and Amazon S3 errors, and start and stop logging times for each trail. This operation returns trail status from a single Region. To return trail status from all Regions, you must call the operation on each Region.
## Request Syntax
```
{
"Name": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [Name](#API_GetTrailStatus_RequestSyntax) **
Specifies the name or the CloudTrail ARN of the trail for which you are requesting status. To get the status of a shadow trail (a replication of the trail in another Region), you must specify its ARN.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
If the trail is an organization trail and you are a member account in the organization in AWS Organizations, you must provide the full ARN of that trail, and not just the name.
Type: String
Required: Yes
## Response Syntax
```
{
"IsLogging": boolean,
"LatestCloudWatchLogsDeliveryError": "string",
"LatestCloudWatchLogsDeliveryTime": number,
"LatestDeliveryAttemptSucceeded": "string",
"LatestDeliveryAttemptTime": "string",
"LatestDeliveryError": "string",
"LatestDeliveryTime": number,
"LatestDigestDeliveryError": "string",
"LatestDigestDeliveryTime": number,
"LatestNotificationAttemptSucceeded": "string",
"LatestNotificationAttemptTime": "string",
"LatestNotificationError": "string",
"LatestNotificationTime": number,
"StartLoggingTime": number,
"StopLoggingTime": number,
"TimeLoggingStarted": "string",
"TimeLoggingStopped": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [IsLogging](#API_GetTrailStatus_ResponseSyntax) **
Whether the CloudTrail trail is currently logging AWS API calls.
Type: Boolean
** [LatestCloudWatchLogsDeliveryError](#API_GetTrailStatus_ResponseSyntax) **
Displays any CloudWatch Logs error that CloudTrail encountered when attempting to deliver logs to CloudWatch Logs.
Type: String
** [LatestCloudWatchLogsDeliveryTime](#API_GetTrailStatus_ResponseSyntax) **
Displays the most recent date and time when CloudTrail delivered logs to CloudWatch Logs.
Type: Timestamp
** [LatestDeliveryAttemptSucceeded](#API_GetTrailStatus_ResponseSyntax) **
This field is no longer in use.
Type: String
** [LatestDeliveryAttemptTime](#API_GetTrailStatus_ResponseSyntax) **
This field is no longer in use.
Type: String
** [LatestDeliveryError](#API_GetTrailStatus_ResponseSyntax) **
Displays any Amazon S3 error that CloudTrail encountered when attempting to deliver log files to the designated bucket. For more information, see [Error Responses](https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html) in the Amazon S3 API Reference.
This error occurs only when there is a problem with the destination S3 bucket, and does not occur for requests that time out. To resolve the issue, fix the [bucket policy](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html) so that CloudTrail can write to the bucket; or create a new bucket and call `UpdateTrail` to specify the new bucket.
Type: String
** [LatestDeliveryTime](#API_GetTrailStatus_ResponseSyntax) **
Specifies the date and time that CloudTrail last delivered log files to an account's Amazon S3 bucket.
Type: Timestamp
** [LatestDigestDeliveryError](#API_GetTrailStatus_ResponseSyntax) **
Displays any Amazon S3 error that CloudTrail encountered when attempting to deliver a digest file to the designated bucket. For more information, see [Error Responses](https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html) in the Amazon S3 API Reference.
This error occurs only when there is a problem with the destination S3 bucket, and does not occur for requests that time out. To resolve the issue, fix the [bucket policy](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html) so that CloudTrail can write to the bucket; or create a new bucket and call `UpdateTrail` to specify the new bucket.
Type: String
** [LatestDigestDeliveryTime](#API_GetTrailStatus_ResponseSyntax) **
Specifies the date and time that CloudTrail last delivered a digest file to an account's Amazon S3 bucket.
Type: Timestamp
** [LatestNotificationAttemptSucceeded](#API_GetTrailStatus_ResponseSyntax) **
This field is no longer in use.
Type: String
** [LatestNotificationAttemptTime](#API_GetTrailStatus_ResponseSyntax) **
This field is no longer in use.
Type: String
** [LatestNotificationError](#API_GetTrailStatus_ResponseSyntax) **
Displays any Amazon SNS error that CloudTrail encountered when attempting to send a notification. For more information about Amazon SNS errors, see the [Amazon SNS Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/welcome.html).
Type: String
** [LatestNotificationTime](#API_GetTrailStatus_ResponseSyntax) **
Specifies the date and time of the most recent Amazon SNS notification that CloudTrail has written a new log file to an account's Amazon S3 bucket.
Type: Timestamp
** [StartLoggingTime](#API_GetTrailStatus_ResponseSyntax) **
Specifies the most recent date and time when CloudTrail started recording API calls for an AWS account.
Type: Timestamp
** [StopLoggingTime](#API_GetTrailStatus_ResponseSyntax) **
Specifies the most recent date and time when CloudTrail stopped recording API calls for an AWS account.
Type: Timestamp
** [TimeLoggingStarted](#API_GetTrailStatus_ResponseSyntax) **
This field is no longer in use.
Type: String
** [TimeLoggingStopped](#API_GetTrailStatus_ResponseSyntax) **
This field is no longer in use.
Type: String
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** TrailNotFoundException **
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/GetTrailStatus)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/GetTrailStatus)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/GetTrailStatus)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/GetTrailStatus)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/GetTrailStatus)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/GetTrailStatus)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/GetTrailStatus)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/GetTrailStatus)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/GetTrailStatus)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/GetTrailStatus)
# ListChannels
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Lists the channels in the current account, and their source names.
## Request Syntax
```
{
"MaxResults": number,
"NextToken": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [MaxResults](#API_ListChannels_RequestSyntax) **
The maximum number of CloudTrail channels to display on a single page.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 1000.
Required: No
** [NextToken](#API_ListChannels_RequestSyntax) **
The token to use to get the next page of results after a previous API call. This token must be passed in with the same parameters that were specified in the original call. For example, if the original call specified an AttributeKey of 'Username' with a value of 'root', the call with NextToken should include those same parameters.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
Required: No
## Response Syntax
```
{
"Channels": [
{
"ChannelArn": "string",
"Name": "string"
}
],
"NextToken": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [Channels](#API_ListChannels_ResponseSyntax) **
The list of channels in the account.
Type: Array of [Channel](API_Channel.md) objects
** [NextToken](#API_ListChannels_ResponseSyntax) **
The token to use to get the next page of results after a previous API call.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** InvalidNextTokenException **
A token that is not valid, or a token that was previously used in a request with different parameters. This exception is thrown if the token is not valid.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/ListChannels)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/ListChannels)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/ListChannels)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/ListChannels)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/ListChannels)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/ListChannels)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/ListChannels)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/ListChannels)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/ListChannels)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/ListChannels)
# ListDashboards
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Returns information about all dashboards in the account, in the current Region.
## Request Syntax
```
{
"MaxResults": number,
"NamePrefix": "string",
"NextToken": "string",
"Type": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [MaxResults](#API_ListDashboards_RequestSyntax) **
The maximum number of dashboards to display on a single page.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 1000.
Required: No
** [NamePrefix](#API_ListDashboards_RequestSyntax) **
Specify a name prefix to filter on.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9_\-]+$`
Required: No
** [NextToken](#API_ListDashboards_RequestSyntax) **
A token you can use to get the next page of dashboard results.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
Required: No
** [Type](#API_ListDashboards_RequestSyntax) **
Specify a dashboard type to filter on: `CUSTOM` or `MANAGED`.
Type: String
Valid Values: `MANAGED | CUSTOM`
Required: No
## Response Syntax
```
{
"Dashboards": [
{
"DashboardArn": "string",
"Type": "string"
}
],
"NextToken": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [Dashboards](#API_ListDashboards_ResponseSyntax) **
Contains information about dashboards in the account, in the current Region that match the applied filters.
Type: Array of [DashboardDetail](API_DashboardDetail.md) objects
** [NextToken](#API_ListDashboards_ResponseSyntax) **
A token you can use to get the next page of dashboard results.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/ListDashboards)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/ListDashboards)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/ListDashboards)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/ListDashboards)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/ListDashboards)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/ListDashboards)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/ListDashboards)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/ListDashboards)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/ListDashboards)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/ListDashboards)
# ListEventDataStores
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Returns information about all event data stores in the account, in the current Region.
## Request Syntax
```
{
"MaxResults": number,
"NextToken": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [MaxResults](#API_ListEventDataStores_RequestSyntax) **
The maximum number of event data stores to display on a single page.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 1000.
Required: No
** [NextToken](#API_ListEventDataStores_RequestSyntax) **
A token you can use to get the next page of event data store results.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
Required: No
## Response Syntax
```
{
"EventDataStores": [
{
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"EndsWith": [ "string" ],
"Equals": [ "string" ],
"Field": "string",
"NotEndsWith": [ "string" ],
"NotEquals": [ "string" ],
"NotStartsWith": [ "string" ],
"StartsWith": [ "string" ]
}
],
"Name": "string"
}
],
"CreatedTimestamp": number,
"EventDataStoreArn": "string",
"MultiRegionEnabled": boolean,
"Name": "string",
"OrganizationEnabled": boolean,
"RetentionPeriod": number,
"Status": "string",
"TerminationProtectionEnabled": boolean,
"UpdatedTimestamp": number
}
],
"NextToken": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [EventDataStores](#API_ListEventDataStores_ResponseSyntax) **
Contains information about event data stores in the account, in the current Region.
Type: Array of [EventDataStore](API_EventDataStore.md) objects
** [NextToken](#API_ListEventDataStores_ResponseSyntax) **
A token you can use to get the next page of results.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** InvalidMaxResultsException **
This exception is thrown if the limit specified is not valid.
HTTP Status Code: 400
** InvalidNextTokenException **
A token that is not valid, or a token that was previously used in a request with different parameters. This exception is thrown if the token is not valid.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/ListEventDataStores)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/ListEventDataStores)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/ListEventDataStores)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/ListEventDataStores)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/ListEventDataStores)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/ListEventDataStores)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/ListEventDataStores)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/ListEventDataStores)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/ListEventDataStores)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/ListEventDataStores)
# ListImportFailures
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Returns a list of failures for the specified import.
## Request Syntax
```
{
"ImportId": "string",
"MaxResults": number,
"NextToken": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [ImportId](#API_ListImportFailures_RequestSyntax) **
The ID of the import.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
Required: Yes
** [MaxResults](#API_ListImportFailures_RequestSyntax) **
The maximum number of failures to display on a single page.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 1000.
Required: No
** [NextToken](#API_ListImportFailures_RequestSyntax) **
A token you can use to get the next page of import failures.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
Required: No
## Response Syntax
```
{
"Failures": [
{
"ErrorMessage": "string",
"ErrorType": "string",
"LastUpdatedTime": number,
"Location": "string",
"Status": "string"
}
],
"NextToken": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [Failures](#API_ListImportFailures_ResponseSyntax) **
Contains information about the import failures.
Type: Array of [ImportFailureListItem](API_ImportFailureListItem.md) objects
** [NextToken](#API_ListImportFailures_ResponseSyntax) **
A token you can use to get the next page of results.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** InvalidNextTokenException **
A token that is not valid, or a token that was previously used in a request with different parameters. This exception is thrown if the token is not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/ListImportFailures)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/ListImportFailures)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/ListImportFailures)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/ListImportFailures)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/ListImportFailures)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/ListImportFailures)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/ListImportFailures)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/ListImportFailures)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/ListImportFailures)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/ListImportFailures)
# ListImports
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Returns information on all imports, or a select set of imports by `ImportStatus` or `Destination`.
## Request Syntax
```
{
"Destination": "string",
"ImportStatus": "string",
"MaxResults": number,
"NextToken": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [Destination](#API_ListImports_RequestSyntax) **
The ARN of the destination event data store.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: No
** [ImportStatus](#API_ListImports_RequestSyntax) **
The status of the import.
Type: String
Valid Values: `INITIALIZING | IN_PROGRESS | FAILED | STOPPED | COMPLETED`
Required: No
** [MaxResults](#API_ListImports_RequestSyntax) **
The maximum number of imports to display on a single page.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 1000.
Required: No
** [NextToken](#API_ListImports_RequestSyntax) **
A token you can use to get the next page of import results.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
Required: No
## Response Syntax
```
{
"Imports": [
{
"CreatedTimestamp": number,
"Destinations": [ "string" ],
"ImportId": "string",
"ImportStatus": "string",
"UpdatedTimestamp": number
}
],
"NextToken": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [Imports](#API_ListImports_ResponseSyntax) **
The list of returned imports.
Type: Array of [ImportsListItem](API_ImportsListItem.md) objects
** [NextToken](#API_ListImports_ResponseSyntax) **
A token you can use to get the next page of import results.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** InvalidNextTokenException **
A token that is not valid, or a token that was previously used in a request with different parameters. This exception is thrown if the token is not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/ListImports)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/ListImports)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/ListImports)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/ListImports)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/ListImports)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/ListImports)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/ListImports)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/ListImports)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/ListImports)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/ListImports)
# ListInsightsData
Returns Insights events generated on a trail that logs data events. You can list Insights events that occurred in a Region within the last 90 days.
ListInsightsData supports the following Dimensions for Insights events:
+ Event ID
+ Event name
+ Event source
All dimensions are optional. The default number of results returned is 50, with a maximum of 50 possible. The response includes a token that you can use to get the next page of results.
The rate of ListInsightsData requests is limited to two per second, per account, per Region. If this limit is exceeded, a throttling error occurs.
## Request Syntax
```
{
"DataType": "string",
"Dimensions": {
"string" : "string"
},
"EndTime": number,
"InsightSource": "string",
"MaxResults": number,
"NextToken": "string",
"StartTime": number
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [DataType](#API_ListInsightsData_RequestSyntax) **
Specifies the category of events returned. To fetch Insights events, specify `InsightsEvents` as the value of `DataType`
Type: String
Valid Values: `InsightsEvents`
Required: Yes
** [Dimensions](#API_ListInsightsData_RequestSyntax) **
Contains a map of dimensions. Currently the map can contain only one item.
Type: String to string map
Map Entries: Maximum number of 1 item.
Valid Keys: `EventId | EventName | EventSource`
Value Length Constraints: Minimum length of 1. Maximum length of 2000.
Required: No
** [EndTime](#API_ListInsightsData_RequestSyntax) **
Specifies that only events that occur before or at the specified time are returned. If the specified end time is before the specified start time, an error is returned.
Type: Timestamp
Required: No
** [InsightSource](#API_ListInsightsData_RequestSyntax) **
The Amazon Resource Name(ARN) of the trail for which you want to retrieve Insights events.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
** [MaxResults](#API_ListInsightsData_RequestSyntax) **
The number of events to return. Possible values are 1 through 50. The default is 50.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 50.
Required: No
** [NextToken](#API_ListInsightsData_RequestSyntax) **
The token to use to get the next page of results after a previous API call. This token must be passed in with the same parameters that were specified in the original call. For example, if the original call specified a EventName as a dimension with `PutObject` as a value, the call with NextToken should include those same parameters.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
Required: No
** [StartTime](#API_ListInsightsData_RequestSyntax) **
Specifies that only events that occur after or at the specified time are returned. If the specified start time is after the specified end time, an error is returned.
Type: Timestamp
Required: No
## Response Syntax
```
{
"Events": [
{
"AccessKeyId": "string",
"CloudTrailEvent": "string",
"EventId": "string",
"EventName": "string",
"EventSource": "string",
"EventTime": number,
"ReadOnly": "string",
"Resources": [
{
"ResourceName": "string",
"ResourceType": "string"
}
],
"Username": "string"
}
],
"NextToken": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [Events](#API_ListInsightsData_ResponseSyntax) **
A list of events returned based on the InsightSource, DataType or Dimensions specified. The events list is sorted by time. The most recent event is listed first.
Type: Array of [Event](API_Event.md) objects
** [NextToken](#API_ListInsightsData_ResponseSyntax) **
The token to use to get the next page of results after a previous API call. If the token does not appear, there are no more results to return. The token must be passed in with the same parameters as the previous call. For example, if the original call specified a EventName as a dimension with `PutObject` as a value, the call with NextToken should include those same parameters.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/ListInsightsData)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/ListInsightsData)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/ListInsightsData)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/ListInsightsData)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/ListInsightsData)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/ListInsightsData)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/ListInsightsData)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/ListInsightsData)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/ListInsightsData)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/ListInsightsData)
# ListInsightsMetricData
Returns Insights metrics data for trails that have enabled Insights. The request must include the `EventSource`, `EventName`, and `InsightType` parameters.
If the `InsightType` is set to `ApiErrorRateInsight`, the request must also include the `ErrorCode` parameter.
The following are the available time periods for `ListInsightsMetricData`. Each cutoff is inclusive.
+ Data points with a period of 60 seconds (1-minute) are available for 15 days.
+ Data points with a period of 300 seconds (5-minute) are available for 63 days.
+ Data points with a period of 3600 seconds (1 hour) are available for 90 days.
To use `ListInsightsMetricData` operation, you must have the following permissions:
+ If `ListInsightsMetricData` is invoked with `TrailName` parameter, access to the `ListInsightsMetricData` API operation is linked to the `cloudtrail:LookupEvents` action and `cloudtrail:ListInsightsData`. To use this operation, you must have permissions to perform the `cloudtrail:LookupEvents` and `cloudtrail:ListInsightsData` action on the specific trail.
+ If `ListInsightsMetricData` is invoked without `TrailName` parameter, access to the `ListInsightsMetricData` API operation is linked to the `cloudtrail:LookupEvents` action only. To use this operation, you must have permissions to perform the `cloudtrail:LookupEvents` action.
## Request Syntax
```
{
"DataType": "string",
"EndTime": number,
"ErrorCode": "string",
"EventName": "string",
"EventSource": "string",
"InsightType": "string",
"MaxResults": number,
"NextToken": "string",
"Period": number,
"StartTime": number,
"TrailName": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [DataType](#API_ListInsightsMetricData_RequestSyntax) **
Type of data points to return. Valid values are `NonZeroData` and `FillWithZeros`. The default is `NonZeroData`.
Type: String
Valid Values: `FillWithZeros | NonZeroData`
Required: No
** [EndTime](#API_ListInsightsMetricData_RequestSyntax) **
Specifies, in UTC, the end time for time-series data. The value specified is exclusive; results include data points up to the specified time stamp.
The default is the time of request.
Type: Timestamp
Required: No
** [ErrorCode](#API_ListInsightsMetricData_RequestSyntax) **
Conditionally required if the `InsightType` parameter is set to `ApiErrorRateInsight`.
If returning metrics for the `ApiErrorRateInsight` Insights type, this is the error to retrieve data for. For example, `AccessDenied`.
Type: String
Length Constraints: Maximum length of 128.
Pattern: `^[\w\d\s_.,\-:\[\]]+$`
Required: No
** [EventName](#API_ListInsightsMetricData_RequestSyntax) **
The name of the event, typically the AWS API on which unusual levels of activity were recorded.
Type: String
Length Constraints: Maximum length of 128.
Pattern: `^[A-Za-z0-9_]+$`
Required: Yes
** [EventSource](#API_ListInsightsMetricData_RequestSyntax) **
The AWS service to which the request was made, such as `iam.amazonaws.com` or `s3.amazonaws.com`.
Type: String
Length Constraints: Maximum length of 256.
Pattern: `^[a-z0-9_-]+\.amazonaws\.com$`
Required: Yes
** [InsightType](#API_ListInsightsMetricData_RequestSyntax) **
The type of CloudTrail Insights event, which is either `ApiCallRateInsight` or `ApiErrorRateInsight`. The `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume. The `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes.
Type: String
Valid Values: `ApiCallRateInsight | ApiErrorRateInsight`
Required: Yes
** [MaxResults](#API_ListInsightsMetricData_RequestSyntax) **
The maximum number of data points to return. Valid values are integers from 1 to 21600. The default value is 21600.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 21600.
Required: No
** [NextToken](#API_ListInsightsMetricData_RequestSyntax) **
Returned if all datapoints can't be returned in a single call. For example, due to reaching `MaxResults`.
Add this parameter to the request to continue retrieving results starting from the last evaluated point.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 5000.
Required: No
** [Period](#API_ListInsightsMetricData_RequestSyntax) **
Granularity of data to retrieve, in seconds. Valid values are `60`, `300`, and `3600`. If you specify any other value, you will get an error. The default is 3600 seconds.
Type: Integer
Valid Range: Minimum value of 60. Maximum value of 3600.
Required: No
** [StartTime](#API_ListInsightsMetricData_RequestSyntax) **
Specifies, in UTC, the start time for time-series data. The value specified is inclusive; results include data points with the specified time stamp.
The default is 90 days before the time of request.
Type: Timestamp
Required: No
** [TrailName](#API_ListInsightsMetricData_RequestSyntax) **
The Amazon Resource Name(ARN) or name of the trail for which you want to retrieve Insights metrics data. This parameter should only be provided to fetch Insights metrics data generated on trails logging data events. This parameter is not required for Insights metric data generated on trails logging management events.
Type: String
Required: No
## Response Syntax
```
{
"ErrorCode": "string",
"EventName": "string",
"EventSource": "string",
"InsightType": "string",
"NextToken": "string",
"Timestamps": [ number ],
"TrailARN": "string",
"Values": [ number ]
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [ErrorCode](#API_ListInsightsMetricData_ResponseSyntax) **
Only returned if `InsightType` parameter was set to `ApiErrorRateInsight`.
If returning metrics for the `ApiErrorRateInsight` Insights type, this is the error to retrieve data for. For example, `AccessDenied`.
Type: String
Length Constraints: Maximum length of 128.
Pattern: `^[\w\d\s_.,\-:\[\]]+$`
** [EventName](#API_ListInsightsMetricData_ResponseSyntax) **
The name of the event, typically the AWS API on which unusual levels of activity were recorded.
Type: String
Length Constraints: Maximum length of 128.
Pattern: `^[A-Za-z0-9_]+$`
** [EventSource](#API_ListInsightsMetricData_ResponseSyntax) **
The AWS service to which the request was made, such as `iam.amazonaws.com` or `s3.amazonaws.com`.
Type: String
Length Constraints: Maximum length of 256.
Pattern: `^[a-z0-9_-]+\.amazonaws\.com$`
** [InsightType](#API_ListInsightsMetricData_ResponseSyntax) **
The type of CloudTrail Insights event, which is either `ApiCallRateInsight` or `ApiErrorRateInsight`. The `ApiCallRateInsight` Insights type analyzes write-only management API calls that are aggregated per minute against a baseline API call volume. The `ApiErrorRateInsight` Insights type analyzes management API calls that result in error codes.
Type: String
Valid Values: `ApiCallRateInsight | ApiErrorRateInsight`
** [NextToken](#API_ListInsightsMetricData_ResponseSyntax) **
Only returned if the full results could not be returned in a single query. You can set the `NextToken` parameter in the next request to this value to continue retrieval.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 5000.
** [Timestamps](#API_ListInsightsMetricData_ResponseSyntax) **
List of timestamps at intervals corresponding to the specified time period.
Type: Array of timestamps
** [TrailARN](#API_ListInsightsMetricData_ResponseSyntax) **
Specifies the ARN of the trail. This is only returned when Insights is enabled on a trail logging data events.
Type: String
** [Values](#API_ListInsightsMetricData_ResponseSyntax) **
List of values representing the API call rate or error rate at each timestamp. The number of values is equal to the number of timestamps.
Type: Array of doubles
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## Examples
### Example
The following example shows how to retrieve API call rate metric data for the CloudTrail `CreateTrail` API.
```
{
"EventSource": "cloudtrail.amazonaws.com",
"EventName": "CreateTrail",
"InsightType": "ApiCallRateInsight"
}
```
### Example
The following example shows how to retrieve API error rate metric data for receiving the error `TrailNotFoundException` when calling the CloudTrail `UpdateTrail` API.
```
{
"EventSource": "cloudtrail.amazonaws.com",
"EventName": "UpdateTrail",
"InsightType": "ApiErrorRateInsight",
"ErrorCode": "TrailNotFoundException"
}
```
### Example
The following example shows how to retrieve API call rate metric data for Amazon S3 `PutObject` data event API.
```
{
"EventSource": "s3.amazonaws.com",
"EventName": "PutObject",
"InsightType": "ApiCallRateInsight",
"TrailName": "arn:aws:cloudtrail:us-east-1:888888888888:trail/test-trail-name"
}
```
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/ListInsightsMetricData)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/ListInsightsMetricData)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/ListInsightsMetricData)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/ListInsightsMetricData)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/ListInsightsMetricData)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/ListInsightsMetricData)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/ListInsightsMetricData)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/ListInsightsMetricData)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/ListInsightsMetricData)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/ListInsightsMetricData)
# ListPublicKeys
Returns all public keys whose private keys were used to sign the digest files within the specified time range. The public key is needed to validate digest files that were signed with its corresponding private key.
**Note**
CloudTrail uses different private and public key pairs per Region. Each digest file is signed with a private key unique to its Region. When you validate a digest file from a specific Region, you must look in the same Region for its corresponding public key.
## Request Syntax
```
{
"EndTime": number,
"NextToken": "string",
"StartTime": number
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EndTime](#API_ListPublicKeys_RequestSyntax) **
Optionally specifies, in UTC, the end of the time range to look up public keys for CloudTrail digest files. If not specified, the current time is used.
Type: Timestamp
Required: No
** [NextToken](#API_ListPublicKeys_RequestSyntax) **
Reserved for future use.
Type: String
Required: No
** [StartTime](#API_ListPublicKeys_RequestSyntax) **
Optionally specifies, in UTC, the start of the time range to look up public keys for CloudTrail digest files. If not specified, the current time is used, and the current public key is returned.
Type: Timestamp
Required: No
## Response Syntax
```
{
"NextToken": "string",
"PublicKeyList": [
{
"Fingerprint": "string",
"ValidityEndTime": number,
"ValidityStartTime": number,
"Value": blob
}
]
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [NextToken](#API_ListPublicKeys_ResponseSyntax) **
Reserved for future use.
Type: String
** [PublicKeyList](#API_ListPublicKeys_ResponseSyntax) **
Contains an array of PublicKey objects.
The returned public keys may have validity time ranges that overlap.
Type: Array of [PublicKey](API_PublicKey.md) objects
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** InvalidTimeRangeException **
Occurs if the timestamp values are not valid. Either the start time occurs after the end time, or the time range is outside the range of possible values.
HTTP Status Code: 400
** InvalidTokenException **
Reserved for future use.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/ListPublicKeys)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/ListPublicKeys)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/ListPublicKeys)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/ListPublicKeys)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/ListPublicKeys)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/ListPublicKeys)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/ListPublicKeys)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/ListPublicKeys)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/ListPublicKeys)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/ListPublicKeys)
# ListQueries
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Returns a list of queries and query statuses for the past seven days. You must specify an ARN value for `EventDataStore`. Optionally, to shorten the list of results, you can specify a time range, formatted as timestamps, by adding `StartTime` and `EndTime` parameters, and a `QueryStatus` value. Valid values for `QueryStatus` include `QUEUED`, `RUNNING`, `FINISHED`, `FAILED`, `TIMED_OUT`, or `CANCELLED`.
## Request Syntax
```
{
"EndTime": number,
"EventDataStore": "string",
"MaxResults": number,
"NextToken": "string",
"QueryStatus": "string",
"StartTime": number
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EndTime](#API_ListQueries_RequestSyntax) **
Use with `StartTime` to bound a `ListQueries` request, and limit its results to only those queries run within a specified time period.
Type: Timestamp
Required: No
** [EventDataStore](#API_ListQueries_RequestSyntax) **
The ARN (or the ID suffix of the ARN) of an event data store on which queries were run.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
** [MaxResults](#API_ListQueries_RequestSyntax) **
The maximum number of queries to show on a page.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 1000.
Required: No
** [NextToken](#API_ListQueries_RequestSyntax) **
A token you can use to get the next page of results.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
Required: No
** [QueryStatus](#API_ListQueries_RequestSyntax) **
The status of queries that you want to return in results. Valid values for `QueryStatus` include `QUEUED`, `RUNNING`, `FINISHED`, `FAILED`, `TIMED_OUT`, or `CANCELLED`.
Type: String
Valid Values: `QUEUED | RUNNING | FINISHED | FAILED | CANCELLED | TIMED_OUT`
Required: No
** [StartTime](#API_ListQueries_RequestSyntax) **
Use with `EndTime` to bound a `ListQueries` request, and limit its results to only those queries run within a specified time period.
Type: Timestamp
Required: No
## Response Syntax
```
{
"NextToken": "string",
"Queries": [
{
"CreationTime": number,
"QueryId": "string",
"QueryStatus": "string"
}
]
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [NextToken](#API_ListQueries_ResponseSyntax) **
A token you can use to get the next page of results.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
** [Queries](#API_ListQueries_ResponseSyntax) **
Lists matching query results, and shows query ID, status, and creation time of each query.
Type: Array of [Query](API_Query.md) objects
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InvalidDateRangeException **
A date range for the query was specified that is not valid. Be sure that the start time is chronologically before the end time. For more information about writing a query, see [Create or edit a query](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-create-edit-query.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** InvalidMaxResultsException **
This exception is thrown if the limit specified is not valid.
HTTP Status Code: 400
** InvalidNextTokenException **
A token that is not valid, or a token that was previously used in a request with different parameters. This exception is thrown if the token is not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** InvalidQueryStatusException **
The query status is not valid for the operation.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/ListQueries)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/ListQueries)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/ListQueries)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/ListQueries)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/ListQueries)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/ListQueries)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/ListQueries)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/ListQueries)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/ListQueries)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/ListQueries)
# ListTags
Lists the tags for the specified trails, event data stores, dashboards, or channels in the current Region.
## Request Syntax
```
{
"NextToken": "string",
"ResourceIdList": [ "string" ]
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [NextToken](#API_ListTags_RequestSyntax) **
Reserved for future use.
Type: String
Required: No
** [ResourceIdList](#API_ListTags_RequestSyntax) **
Specifies a list of trail, event data store, dashboard, or channel ARNs whose tags will be listed. The list has a limit of 20 ARNs.
Example trail ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
Example event data store ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
Example dashboard ARN format: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
Example channel ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
Type: Array of strings
Required: Yes
## Response Syntax
```
{
"NextToken": "string",
"ResourceTagList": [
{
"ResourceId": "string",
"TagsList": [
{
"Key": "string",
"Value": "string"
}
]
}
]
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [NextToken](#API_ListTags_ResponseSyntax) **
Reserved for future use.
Type: String
** [ResourceTagList](#API_ListTags_ResponseSyntax) **
A list of resource tags.
Type: Array of [ResourceTag](API_ResourceTag.md) objects
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ChannelARNInvalidException **
This exception is thrown when the specified value of `ChannelARN` is not valid.
HTTP Status Code: 400
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InvalidTokenException **
Reserved for future use.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** ResourceNotFoundException **
This exception is thrown when the specified resource is not found.
HTTP Status Code: 400
** ResourceTypeNotSupportedException **
This exception is thrown when the specified resource type is not supported by CloudTrail.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/ListTags)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/ListTags)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/ListTags)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/ListTags)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/ListTags)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/ListTags)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/ListTags)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/ListTags)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/ListTags)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/ListTags)
# ListTrails
Lists trails that are in the current account.
## Request Syntax
```
{
"NextToken": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [NextToken](#API_ListTrails_RequestSyntax) **
The token to use to get the next page of results after a previous API call. This token must be passed in with the same parameters that were specified in the original call. For example, if the original call specified an AttributeKey of 'Username' with a value of 'root', the call with NextToken should include those same parameters.
Type: String
Required: No
## Response Syntax
```
{
"NextToken": "string",
"Trails": [
{
"HomeRegion": "string",
"Name": "string",
"TrailARN": "string"
}
]
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [NextToken](#API_ListTrails_ResponseSyntax) **
The token to use to get the next page of results after a previous API call. If the token does not appear, there are no more results to return. The token must be passed in with the same parameters as the previous call. For example, if the original call specified an AttributeKey of 'Username' with a value of 'root', the call with NextToken should include those same parameters.
Type: String
** [Trails](#API_ListTrails_ResponseSyntax) **
Returns the name, ARN, and home Region of trails in the current account.
Type: Array of [TrailInfo](API_TrailInfo.md) objects
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/ListTrails)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/ListTrails)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/ListTrails)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/ListTrails)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/ListTrails)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/ListTrails)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/ListTrails)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/ListTrails)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/ListTrails)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/ListTrails)
# LookupEvents
Looks up [management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events) or [CloudTrail Insights events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-insights-events) that are captured by CloudTrail. You can look up events that occurred in a Region within the last 90 days.
**Note**
`LookupEvents` returns recent Insights events for trails that enable Insights. To view Insights events for an event data store, you can run queries on your Insights event data store, and you can also view the Lake dashboard for Insights.
Lookup supports the following attributes for management events:
+ AWS access key
+ Event ID
+ Event name
+ Event source
+ Read only
+ Resource name
+ Resource type
+ User name
Lookup supports the following attributes for Insights events:
+ Event ID
+ Event name
+ Event source
All attributes are optional. The default number of results returned is 50, with a maximum of 50 possible. The response includes a token that you can use to get the next page of results.
**Important**
The rate of lookup requests is limited to two per second, per account, per Region. If this limit is exceeded, a throttling error occurs.
## Request Syntax
```
{
"EndTime": number,
"EventCategory": "string",
"LookupAttributes": [
{
"AttributeKey": "string",
"AttributeValue": "string"
}
],
"MaxResults": number,
"NextToken": "string",
"StartTime": number
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EndTime](#API_LookupEvents_RequestSyntax) **
Specifies that only events that occur before or at the specified time are returned. If the specified end time is before the specified start time, an error is returned.
Type: Timestamp
Required: No
** [EventCategory](#API_LookupEvents_RequestSyntax) **
Specifies the event category. If you do not specify an event category, events of the category are not returned in the response. For example, if you do not specify `insight` as the value of `EventCategory`, no Insights events are returned.
Type: String
Valid Values: `insight`
Required: No
** [LookupAttributes](#API_LookupEvents_RequestSyntax) **
Contains a list of lookup attributes. Currently the list can contain only one item.
Type: Array of [LookupAttribute](API_LookupAttribute.md) objects
Required: No
** [MaxResults](#API_LookupEvents_RequestSyntax) **
The number of events to return. Possible values are 1 through 50. The default is 50.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 50.
Required: No
** [NextToken](#API_LookupEvents_RequestSyntax) **
The token to use to get the next page of results after a previous API call. This token must be passed in with the same parameters that were specified in the original call. For example, if the original call specified an AttributeKey of 'Username' with a value of 'root', the call with NextToken should include those same parameters.
Type: String
Required: No
** [StartTime](#API_LookupEvents_RequestSyntax) **
Specifies that only events that occur after or at the specified time are returned. If the specified start time is after the specified end time, an error is returned.
Type: Timestamp
Required: No
## Response Syntax
```
{
"Events": [
{
"AccessKeyId": "string",
"CloudTrailEvent": "string",
"EventId": "string",
"EventName": "string",
"EventSource": "string",
"EventTime": number,
"ReadOnly": "string",
"Resources": [
{
"ResourceName": "string",
"ResourceType": "string"
}
],
"Username": "string"
}
],
"NextToken": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [Events](#API_LookupEvents_ResponseSyntax) **
A list of events returned based on the lookup attributes specified and the CloudTrail event. The events list is sorted by time. The most recent event is listed first.
Type: Array of [Event](API_Event.md) objects
** [NextToken](#API_LookupEvents_ResponseSyntax) **
The token to use to get the next page of results after a previous API call. If the token does not appear, there are no more results to return. The token must be passed in with the same parameters as the previous call. For example, if the original call specified an AttributeKey of 'Username' with a value of 'root', the call with NextToken should include those same parameters.
Type: String
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** InvalidEventCategoryException **
Occurs if an event category that is not valid is specified as a value of `EventCategory`.
HTTP Status Code: 400
** InvalidLookupAttributesException **
Occurs when a lookup attribute is specified that is not valid.
HTTP Status Code: 400
** InvalidMaxResultsException **
This exception is thrown if the limit specified is not valid.
HTTP Status Code: 400
** InvalidNextTokenException **
A token that is not valid, or a token that was previously used in a request with different parameters. This exception is thrown if the token is not valid.
HTTP Status Code: 400
** InvalidTimeRangeException **
Occurs if the timestamp values are not valid. Either the start time occurs after the end time, or the time range is outside the range of possible values.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/LookupEvents)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/LookupEvents)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/LookupEvents)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/LookupEvents)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/LookupEvents)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/LookupEvents)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/LookupEvents)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/LookupEvents)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/LookupEvents)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/LookupEvents)
# PutEventConfiguration
Updates the event configuration settings for the specified event data store or trail. This operation supports updating the maximum event size, adding or modifying context key selectors for event data store, and configuring aggregation settings for the trail.
## Request Syntax
```
{
"AggregationConfigurations": [
{
"EventCategory": "string",
"Templates": [ "string" ]
}
],
"ContextKeySelectors": [
{
"Equals": [ "string" ],
"Type": "string"
}
],
"EventDataStore": "string",
"MaxEventSize": "string",
"TrailName": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [AggregationConfigurations](#API_PutEventConfiguration_RequestSyntax) **
The list of aggregation configurations that you want to configure for the trail.
Type: Array of [AggregationConfiguration](API_AggregationConfiguration.md) objects
Array Members: Maximum number of 1 item.
Required: No
** [ContextKeySelectors](#API_PutEventConfiguration_RequestSyntax) **
A list of context key selectors that will be included to provide enriched event data.
Type: Array of [ContextKeySelector](API_ContextKeySelector.md) objects
Array Members: Maximum number of 2 items.
Required: No
** [EventDataStore](#API_PutEventConfiguration_RequestSyntax) **
The Amazon Resource Name (ARN) or ID suffix of the ARN of the event data store for which event configuration settings are updated.
Type: String
Required: No
** [MaxEventSize](#API_PutEventConfiguration_RequestSyntax) **
The maximum allowed size for events to be stored in the specified event data store. If you are using context key selectors, MaxEventSize must be set to Large.
Type: String
Valid Values: `Standard | Large`
Required: No
** [TrailName](#API_PutEventConfiguration_RequestSyntax) **
The name of the trail for which you want to update event configuration settings.
Type: String
Required: No
## Response Syntax
```
{
"AggregationConfigurations": [
{
"EventCategory": "string",
"Templates": [ "string" ]
}
],
"ContextKeySelectors": [
{
"Equals": [ "string" ],
"Type": "string"
}
],
"EventDataStoreArn": "string",
"MaxEventSize": "string",
"TrailARN": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [AggregationConfigurations](#API_PutEventConfiguration_ResponseSyntax) **
A list of aggregation configurations that are configured for the trail.
Type: Array of [AggregationConfiguration](API_AggregationConfiguration.md) objects
Array Members: Maximum number of 1 item.
** [ContextKeySelectors](#API_PutEventConfiguration_ResponseSyntax) **
The list of context key selectors that are configured for the event data store.
Type: Array of [ContextKeySelector](API_ContextKeySelector.md) objects
Array Members: Maximum number of 2 items.
** [EventDataStoreArn](#API_PutEventConfiguration_ResponseSyntax) **
The Amazon Resource Name (ARN) or ID suffix of the ARN of the event data store for which the event configuration settings were updated.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [MaxEventSize](#API_PutEventConfiguration_ResponseSyntax) **
The maximum allowed size for events stored in the specified event data store.
Type: String
Valid Values: `Standard | Large`
** [TrailARN](#API_PutEventConfiguration_ResponseSyntax) **
The Amazon Resource Name (ARN) of the trail that has aggregation enabled.
Type: String
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InsufficientIAMAccessPermissionException **
The task can't be completed because you are signed in with an account that lacks permissions to view or create a service-linked role. Sign in with an account that has the required permissions and then try again.
HTTP Status Code: 400
** InvalidEventDataStoreCategoryException **
This exception is thrown when event categories of specified event data stores are not valid.
HTTP Status Code: 400
** InvalidEventDataStoreStatusException **
The event data store is not in a status that supports the operation.
HTTP Status Code: 400
** InvalidHomeRegionException **
This exception is thrown when an operation is called on a trail from a Region other than the Region in which the trail was created.
HTTP Status Code: 400
** InvalidParameterCombinationException **
This exception is thrown when the combination of parameters provided is not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** ThrottlingException **
This exception is thrown when the request rate exceeds the limit.
HTTP Status Code: 400
** TrailNotFoundException **
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/PutEventConfiguration)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/PutEventConfiguration)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/PutEventConfiguration)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/PutEventConfiguration)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/PutEventConfiguration)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/PutEventConfiguration)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/PutEventConfiguration)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/PutEventConfiguration)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/PutEventConfiguration)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/PutEventConfiguration)
# PutEventSelectors
Configures event selectors (also referred to as *basic event selectors*) or advanced event selectors for your trail. You can use either `AdvancedEventSelectors` or `EventSelectors`, but not both. If you apply `AdvancedEventSelectors` to a trail, any existing `EventSelectors` are overwritten.
You can use `AdvancedEventSelectors` to log management events, data events for all resource types, and network activity events.
You can use `EventSelectors` to log management events and data events for the following resource types:
+ `AWS::DynamoDB::Table`
+ `AWS::Lambda::Function`
+ `AWS::S3::Object`
You can't use `EventSelectors` to log network activity events.
If you want your trail to log Insights events, be sure the event selector or advanced event selector enables logging of the Insights event types you want configured for your trail. For more information about logging Insights events, see [Working with CloudTrail Insights](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-insights-events-with-cloudtrail.html) in the *CloudTrail User Guide*. By default, trails created without specific event selectors are configured to log all read and write management events, and no data events or network activity events.
When an event occurs in your account, CloudTrail evaluates the event selectors or advanced event selectors in all trails. For each trail, if the event matches any event selector, the trail processes and logs the event. If the event doesn't match any event selector, the trail doesn't log the event.
Example
1. You create an event selector for a trail and specify that you want to log write-only events.
1. The EC2 `GetConsoleOutput` and `RunInstances` API operations occur in your account.
1. CloudTrail evaluates whether the events match your event selectors.
1. The `RunInstances` is a write-only event and it matches your event selector. The trail logs the event.
1. The `GetConsoleOutput` is a read-only event that doesn't match your event selector. The trail doesn't log the event.
The `PutEventSelectors` operation must be called from the Region in which the trail was created; otherwise, an `InvalidHomeRegionException` exception is thrown.
You can configure up to five event selectors for each trail.
You can add advanced event selectors, and conditions for your advanced event selectors, up to a maximum of 500 values for all conditions and selectors on a trail. For more information, see [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html), [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html), [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html), and [Quotas in AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in the * AWS CloudTrail User Guide*.
## Request Syntax
```
{
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"EndsWith": [ "string" ],
"Equals": [ "string" ],
"Field": "string",
"NotEndsWith": [ "string" ],
"NotEquals": [ "string" ],
"NotStartsWith": [ "string" ],
"StartsWith": [ "string" ]
}
],
"Name": "string"
}
],
"EventSelectors": [
{
"DataResources": [
{
"Type": "string",
"Values": [ "string" ]
}
],
"ExcludeManagementEventSources": [ "string" ],
"IncludeManagementEvents": boolean,
"ReadWriteType": "string"
}
],
"TrailName": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [AdvancedEventSelectors](#API_PutEventSelectors_RequestSyntax) **
Specifies the settings for advanced event selectors. You can use advanced event selectors to log management events, data events for all resource types, and network activity events.
You can add advanced event selectors, and conditions for your advanced event selectors, up to a maximum of 500 values for all conditions and selectors on a trail. You can use either `AdvancedEventSelectors` or `EventSelectors`, but not both. If you apply `AdvancedEventSelectors` to a trail, any existing `EventSelectors` are overwritten. For more information about advanced event selectors, see [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) and [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) in the * AWS CloudTrail User Guide*.
Type: Array of [AdvancedEventSelector](API_AdvancedEventSelector.md) objects
Required: No
** [EventSelectors](#API_PutEventSelectors_RequestSyntax) **
Specifies the settings for your event selectors. You can use event selectors to log management events and data events for the following resource types:
+ `AWS::DynamoDB::Table`
+ `AWS::Lambda::Function`
+ `AWS::S3::Object`
You can't use event selectors to log network activity events.
You can configure up to five event selectors for a trail. You can use either `EventSelectors` or `AdvancedEventSelectors` in a `PutEventSelectors` request, but not both. If you apply `EventSelectors` to a trail, any existing `AdvancedEventSelectors` are overwritten.
Type: Array of [EventSelector](API_EventSelector.md) objects
Required: No
** [TrailName](#API_PutEventSelectors_RequestSyntax) **
Specifies the name of the trail or trail ARN. If you specify a trail name, the string must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
If you specify a trail ARN, it must be in the following format.
`arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
Type: String
Required: Yes
## Response Syntax
```
{
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"EndsWith": [ "string" ],
"Equals": [ "string" ],
"Field": "string",
"NotEndsWith": [ "string" ],
"NotEquals": [ "string" ],
"NotStartsWith": [ "string" ],
"StartsWith": [ "string" ]
}
],
"Name": "string"
}
],
"EventSelectors": [
{
"DataResources": [
{
"Type": "string",
"Values": [ "string" ]
}
],
"ExcludeManagementEventSources": [ "string" ],
"IncludeManagementEvents": boolean,
"ReadWriteType": "string"
}
],
"TrailARN": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [AdvancedEventSelectors](#API_PutEventSelectors_ResponseSyntax) **
Specifies the advanced event selectors configured for your trail.
Type: Array of [AdvancedEventSelector](API_AdvancedEventSelector.md) objects
** [EventSelectors](#API_PutEventSelectors_ResponseSyntax) **
Specifies the event selectors configured for your trail.
Type: Array of [EventSelector](API_EventSelector.md) objects
** [TrailARN](#API_PutEventSelectors_ResponseSyntax) **
Specifies the ARN of the trail that was updated with event selectors. The following is the format of a trail ARN.
`arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
Type: String
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InvalidEventSelectorsException **
This exception is thrown when the `PutEventSelectors` operation is called with a number of event selectors, advanced event selectors, or data resources that is not valid. The combination of event selectors or advanced event selectors and data resources is not valid. A trail can have up to 5 event selectors. If a trail uses advanced event selectors, a maximum of 500 total values for all conditions in all advanced event selectors is allowed. A trail is limited to 250 data resources. These data resources can be distributed across event selectors, but the overall total cannot exceed 250.
You can:
+ Specify a valid number of event selectors (1 to 5) for a trail.
+ Specify a valid number of data resources (1 to 250) for an event selector. The limit of number of resources on an individual event selector is configurable up to 250. However, this upper limit is allowed only if the total number of data resources does not exceed 250 across all event selectors for a trail.
+ Specify up to 500 values for all conditions in all advanced event selectors for a trail.
+ Specify a valid value for a parameter. For example, specifying the `ReadWriteType` parameter with a value of `read-only` is not valid.
HTTP Status Code: 400
** InvalidHomeRegionException **
This exception is thrown when an operation is called on a trail from a Region other than the Region in which the trail was created.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** ThrottlingException **
This exception is thrown when the request rate exceeds the limit.
HTTP Status Code: 400
** TrailNotFoundException **
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## Examples
### Example
The following example shows how to use advanced event selectors to log all management events (both readOnly and writeOnly), include `PutObject` and `DeleteObject` data events for the S3 objects in two S3 bucket prefixes, and log network activity events for AWS KMS. As shown here, you can use advanced event selectors to select not only the S3 prefix names by ARN, but the names of the specific events that you want to log.
```
{
"AdvancedEventSelectors": [
{
"Name": "Log all management events",
"FieldSelectors": [
{ "Field": "eventCategory", "Equals": ["Management"] }
]
},
{
"Name": "Log PutObject and DeleteObject data events for two S3 prefixes",
"FieldSelectors": [
{ "Field": "eventCategory", "Equals": ["Data"] },
{ "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
{ "Field": "eventName", "Equals": ["PutObject","DeleteObject"] },
{ "Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::amzn-s3-demo-bucket/prefix","arn:aws:s3:::amzn-s3-demo-bucket2/prefix2"] }
]
},
{
"Name": "Log network activity events for AWS KMS",
"FieldSelectors": [
{"Field": "eventCategory", "Equals": ["NetworkActivity"]},
{"Field": "eventSource", "Equals": ["kms.amazonaws.com"]}
]
}
],
"TrailName": "myTrail"
}
```
### Example
The following example shows how to use advanced event selectors to log all data events for Amazon SNS topics and platform endpoints, and to log only `SendMessage` data events for Amazon SQS.
```
{
"AdvancedEventSelectors": [
{
"Name": "Log all data events for Amazon SNS topics",
"FieldSelectors": [
{ "Field": "eventCategory", "Equals": ["Data"] },
{ "Field": "resources.type", "Equals": ["AWS::SNS::Topic"] }
]
},
{
"Name": "Log all data events for Amazon SNS platform endpoints",
"FieldSelectors": [
{ "Field": "eventCategory", "Equals": ["Data"] },
{ "Field": "resources.type", "Equals": ["AWS::SNS::PlatformEndpoint"] }
]
},
{
"Name": "Log SendMessage data events for SQS",
"FieldSelectors": [
{ "Field": "eventCategory", "Equals": ["Data"] },
{ "Field": "resources.type", "Equals": ["AWS::SQS::Queue"] },
{ "Field": "eventName", "Equals": ["SendMessage"] }
]
}
],
"TrailName": "myTrail"
}
```
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/PutEventSelectors)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/PutEventSelectors)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/PutEventSelectors)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/PutEventSelectors)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/PutEventSelectors)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/PutEventSelectors)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/PutEventSelectors)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/PutEventSelectors)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/PutEventSelectors)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/PutEventSelectors)
# PutInsightSelectors
Lets you enable Insights event logging on specific event categories by specifying the Insights selectors that you want to enable on an existing trail or event data store. You also use `PutInsightSelectors` to turn off Insights event logging, by passing an empty list of Insights types. The valid Insights event types are `ApiErrorRateInsight` and `ApiCallRateInsight`, and valid EventCategories are `Management` and `Data`.
**Note**
Insights on data events are not supported on event data stores. For event data stores, you can only enable Insights on management events.
To enable Insights on an event data store, you must specify the ARNs (or ID suffix of the ARNs) for the source event data store (`EventDataStore`) and the destination event data store (`InsightsDestination`). The source event data store logs management events and enables Insights. The destination event data store logs Insights events based upon the management event activity of the source event data store. The source and destination event data stores must belong to the same AWS account.
To log Insights events for a trail, you must specify the name (`TrailName`) of the CloudTrail trail for which you want to change or add Insights selectors.
+ For Management events Insights: To log CloudTrail Insights on the API call rate, the trail or event data store must log `write` management events. To log CloudTrail Insights on the API error rate, the trail or event data store must log `read` or `write` management events.
+ For Data events Insights: To log CloudTrail Insights on the API call rate or API error rate, the trail must log `read` or `write` data events. Data events Insights are not supported on event data store.
To log CloudTrail Insights events on API call volume, the trail or event data store must log `write` management events. To log CloudTrail Insights events on API error rate, the trail or event data store must log `read` or `write` management events. You can call `GetEventSelectors` on a trail to check whether the trail logs management events. You can call `GetEventDataStore` on an event data store to check whether the event data store logs management events.
For more information, see [Working with CloudTrail Insights](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-insights-events-with-cloudtrail.html) in the * AWS CloudTrail User Guide*.
## Request Syntax
```
{
"EventDataStore": "string",
"InsightsDestination": "string",
"InsightSelectors": [
{
"EventCategories": [ "string" ],
"InsightType": "string"
}
],
"TrailName": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_PutInsightSelectors_RequestSyntax) **
The ARN (or ID suffix of the ARN) of the source event data store for which you want to change or add Insights selectors. To enable Insights on an event data store, you must provide both the `EventDataStore` and `InsightsDestination` parameters.
You cannot use this parameter with the `TrailName` parameter.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: No
** [InsightsDestination](#API_PutInsightSelectors_RequestSyntax) **
The ARN (or ID suffix of the ARN) of the destination event data store that logs Insights events. To enable Insights on an event data store, you must provide both the `EventDataStore` and `InsightsDestination` parameters.
You cannot use this parameter with the `TrailName` parameter.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: No
** [InsightSelectors](#API_PutInsightSelectors_RequestSyntax) **
Contains the Insights types you want to log on a specific category of events on a trail or event data store. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.The EventCategory field can specify `Management` or `Data` events or both. For event data store, you can log Insights for management events only.
The `ApiCallRateInsight` Insights type analyzes write-only management API calls or read and write data API calls that are aggregated per minute against a baseline API call volume.
The `ApiErrorRateInsight` Insights type analyzes management and data API calls that result in error codes. The error is shown if the API call is unsuccessful.
Type: Array of [InsightSelector](API_InsightSelector.md) objects
Required: Yes
** [TrailName](#API_PutInsightSelectors_RequestSyntax) **
The name of the CloudTrail trail for which you want to change or add Insights selectors.
You cannot use this parameter with the `EventDataStore` and `InsightsDestination` parameters.
Type: String
Required: No
## Response Syntax
```
{
"EventDataStoreArn": "string",
"InsightsDestination": "string",
"InsightSelectors": [
{
"EventCategories": [ "string" ],
"InsightType": "string"
}
],
"TrailARN": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [EventDataStoreArn](#API_PutInsightSelectors_ResponseSyntax) **
The Amazon Resource Name (ARN) of the source event data store for which you want to change or add Insights selectors.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [InsightsDestination](#API_PutInsightSelectors_ResponseSyntax) **
The ARN of the destination event data store that logs Insights events.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [InsightSelectors](#API_PutInsightSelectors_ResponseSyntax) **
Contains the Insights types you want to log on a specific category of events in a trail or event data store. `ApiCallRateInsight` and `ApiErrorRateInsight` are valid Insight types.The EventCategory field can specify `Management` or `Data` events or both. For event data store, you can only log Insights for management events only.
Type: Array of [InsightSelector](API_InsightSelector.md) objects
** [TrailARN](#API_PutInsightSelectors_ResponseSyntax) **
The Amazon Resource Name (ARN) of a trail for which you want to change or add Insights selectors.
Type: String
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** InsufficientEncryptionPolicyException **
For the `CreateTrail` `PutInsightSelectors`, `UpdateTrail`, `StartQuery`, and `StartImport` operations, this exception is thrown when the policy on the S3 bucket or AWS KMS key does not have sufficient permissions for the operation.
For all other operations, this exception is thrown when the policy for the AWS KMS key does not have sufficient permissions for the operation.
HTTP Status Code: 400
** InsufficientS3BucketPolicyException **
This exception is thrown when the policy on the S3 bucket is not sufficient.
HTTP Status Code: 400
** InvalidHomeRegionException **
This exception is thrown when an operation is called on a trail from a Region other than the Region in which the trail was created.
HTTP Status Code: 400
** InvalidInsightSelectorsException **
For `PutInsightSelectors`, this exception is thrown when the formatting or syntax of the `InsightSelectors` JSON statement is not valid, or the specified `InsightType` in the `InsightSelectors` statement is not valid. Valid values for `InsightType` are `ApiCallRateInsight` and `ApiErrorRateInsight`. To enable Insights on an event data store, the destination event data store specified by the `InsightsDestination` parameter must log Insights events and the source event data store specified by the `EventDataStore` parameter must log management events.
For `UpdateEventDataStore`, this exception is thrown if Insights are enabled on the event data store and the updated advanced event selectors are not compatible with the configured `InsightSelectors`. If the `InsightSelectors` includes an `InsightType` of `ApiCallRateInsight`, the source event data store must log `write` management events. If the `InsightSelectors` includes an `InsightType` of `ApiErrorRateInsight`, the source event data store must log management events.
HTTP Status Code: 400
** InvalidParameterCombinationException **
This exception is thrown when the combination of parameters provided is not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** KmsException **
This exception is thrown when there is an issue with the specified AWS KMS key and the trail or event data store can't be updated.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** S3BucketDoesNotExistException **
This exception is thrown when the specified S3 bucket does not exist.
HTTP Status Code: 400
** ThrottlingException **
This exception is thrown when the request rate exceeds the limit.
HTTP Status Code: 400
** TrailNotFoundException **
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## Examples
### Example
The following example shows how to use Insight selectors to enable CloudTrail Insights on a trail named *SampleTrail*.
```
{
"InsightSelectors": '[{"InsightType": "ApiCallRateInsight"},{"InsightType": "ApiErrorRateInsight"}]',
"TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/SampleTrail"
}
```
### Example
The following example shows how to disable CloudTrail Insights on a trail named SampleTrail. Disable Insights event collection by passing an empty string of insight types (`[ ]`).
```
{
"InsightSelectors": [ ],
"TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/SampleTrail"
}
```
### Example
The following example shows how to use Insight selectors to enable CloudTrail Insights on an event data store.
```
{
"EventDataStore": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
"InsightsDestination": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-d483-5c7d-4ac2-adb5dEXAMPLE",
"InsightSelectors": [
{
"InsightType": "ApiCallRateInsight"
},
{
"InsightType": "ApiErrorRateInsight"
}
]
}
```
### Example
The following example shows how to disable CloudTrail Insights on an event data store.
```
{
"EventDataStore": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
"InsightSelectors": [ ]
}
```
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/PutInsightSelectors)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/PutInsightSelectors)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/PutInsightSelectors)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/PutInsightSelectors)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/PutInsightSelectors)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/PutInsightSelectors)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/PutInsightSelectors)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/PutInsightSelectors)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/PutInsightSelectors)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/PutInsightSelectors)
# PutResourcePolicy
Attaches a resource-based permission policy to a CloudTrail event data store, dashboard, or channel. For more information about resource-based policies, see [CloudTrail resource-based policy examples](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_resource-based-policy-examples.html) in the *CloudTrail User Guide*.
## Request Syntax
```
{
"ResourceArn": "string",
"ResourcePolicy": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [ResourceArn](#API_PutResourcePolicy_RequestSyntax) **
The Amazon Resource Name (ARN) of the CloudTrail event data store, dashboard, or channel attached to the resource-based policy.
Example event data store ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
Example dashboard ARN format: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
Example channel ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
** [ResourcePolicy](#API_PutResourcePolicy_RequestSyntax) **
A JSON-formatted string for an AWS resource-based policy.
For example resource-based policies, see [CloudTrail resource-based policy examples](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_resource-based-policy-examples.html) in the *CloudTrail User Guide*.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 8192.
Required: Yes
## Response Syntax
```
{
"DelegatedAdminResourcePolicy": "string",
"ResourceArn": "string",
"ResourcePolicy": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [DelegatedAdminResourcePolicy](#API_PutResourcePolicy_ResponseSyntax) **
The default resource-based policy that is automatically generated for the delegated administrator of an AWS Organizations organization. This policy will be evaluated in tandem with any policy you submit for the resource. For more information about this policy, see [Default resource policy for delegated administrators](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html#cloudtrail-lake-organizations-eds-rbp).
Type: String
Length Constraints: Minimum length of 1. Maximum length of 8192.
** [ResourceArn](#API_PutResourcePolicy_ResponseSyntax) **
The Amazon Resource Name (ARN) of the CloudTrail event data store, dashboard, or channel attached to the resource-based policy.
Example event data store ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
Example dashboard ARN format: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
Example channel ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [ResourcePolicy](#API_PutResourcePolicy_ResponseSyntax) **
The JSON-formatted string of the AWS resource-based policy attached to the CloudTrail event data store, dashboard, or channel.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 8192.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** ResourceARNNotValidException **
This exception is thrown when the provided resource does not exist, or the ARN format of the resource is not valid.
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** ResourceNotFoundException **
This exception is thrown when the specified resource is not found.
HTTP Status Code: 400
** ResourcePolicyNotValidException **
This exception is thrown when the resouce-based policy has syntax errors, or contains a principal that is not valid.
HTTP Status Code: 400
** ResourceTypeNotSupportedException **
This exception is thrown when the specified resource type is not supported by CloudTrail.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/PutResourcePolicy)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/PutResourcePolicy)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/PutResourcePolicy)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/PutResourcePolicy)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/PutResourcePolicy)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/PutResourcePolicy)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/PutResourcePolicy)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/PutResourcePolicy)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/PutResourcePolicy)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/PutResourcePolicy)
# RegisterOrganizationDelegatedAdmin
Registers an organization’s member account as the CloudTrail [delegated administrator](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-delegated-administrator.html).
## Request Syntax
```
{
"MemberAccountId": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [MemberAccountId](#API_RegisterOrganizationDelegatedAdmin_RequestSyntax) **
An organization member account ID that you want to designate as a delegated administrator.
Type: String
Length Constraints: Minimum length of 12. Maximum length of 16.
Pattern: `\d+`
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** AccountNotFoundException **
This exception is thrown when the specified account is not found or not part of an organization.
HTTP Status Code: 400
** AccountRegisteredException **
This exception is thrown when the account is already registered as the CloudTrail delegated administrator.
HTTP Status Code: 400
** CannotDelegateManagementAccountException **
This exception is thrown when the management account of an organization is registered as the CloudTrail delegated administrator.
HTTP Status Code: 400
** CloudTrailAccessNotEnabledException **
This exception is thrown when trusted access has not been enabled between AWS CloudTrail and AWS Organizations. For more information, see [How to enable or disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_how-to-enable-disable-trusted-access) in the * AWS Organizations User Guide* and [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** DelegatedAdminAccountLimitExceededException **
This exception is thrown when the maximum number of CloudTrail delegated administrators is reached.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InsufficientIAMAccessPermissionException **
The task can't be completed because you are signed in with an account that lacks permissions to view or create a service-linked role. Sign in with an account that has the required permissions and then try again.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NotOrganizationManagementAccountException **
This exception is thrown when the account making the request is not the organization's management account.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** OrganizationNotInAllFeaturesModeException **
This exception is thrown when AWS Organizations is not configured to support all features. All features must be enabled in Organizations to support creating an organization trail or event data store.
HTTP Status Code: 400
** OrganizationsNotInUseException **
This exception is thrown when the request is made from an AWS account that is not a member of an organization. To make this request, sign in using the credentials of an account that belongs to an organization.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/RegisterOrganizationDelegatedAdmin)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/RegisterOrganizationDelegatedAdmin)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/RegisterOrganizationDelegatedAdmin)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/RegisterOrganizationDelegatedAdmin)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/RegisterOrganizationDelegatedAdmin)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/RegisterOrganizationDelegatedAdmin)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/RegisterOrganizationDelegatedAdmin)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/RegisterOrganizationDelegatedAdmin)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/RegisterOrganizationDelegatedAdmin)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/RegisterOrganizationDelegatedAdmin)
# RemoveTags
Removes the specified tags from a trail, event data store, dashboard, or channel.
## Request Syntax
```
{
"ResourceId": "string",
"TagsList": [
{
"Key": "string",
"Value": "string"
}
]
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [ResourceId](#API_RemoveTags_RequestSyntax) **
Specifies the ARN of the trail, event data store, dashboard, or channel from which tags should be removed.
Example trail ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
Example event data store ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
Example dashboard ARN format: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
Example channel ARN format: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
Type: String
Required: Yes
** [TagsList](#API_RemoveTags_RequestSyntax) **
Specifies a list of tags to be removed.
Type: Array of [Tag](API_Tag.md) objects
Array Members: Maximum number of 200 items.
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ChannelARNInvalidException **
This exception is thrown when the specified value of `ChannelARN` is not valid.
HTTP Status Code: 400
** ChannelNotFoundException **
This exception is thrown when CloudTrail cannot find the specified channel.
HTTP Status Code: 400
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InvalidTagParameterException **
This exception is thrown when the specified tag key or values are not valid. It can also occur if there are duplicate tags or too many tags on the resource.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** ResourceNotFoundException **
This exception is thrown when the specified resource is not found.
HTTP Status Code: 400
** ResourceTypeNotSupportedException **
This exception is thrown when the specified resource type is not supported by CloudTrail.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/RemoveTags)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/RemoveTags)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/RemoveTags)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/RemoveTags)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/RemoveTags)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/RemoveTags)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/RemoveTags)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/RemoveTags)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/RemoveTags)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/RemoveTags)
# RestoreEventDataStore
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Restores a deleted event data store specified by `EventDataStore`, which accepts an event data store ARN. You can only restore a deleted event data store within the seven-day wait period after deletion. Restoring an event data store can take several minutes, depending on the size of the event data store.
## Request Syntax
```
{
"EventDataStore": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_RestoreEventDataStore_RequestSyntax) **
The ARN (or the ID suffix of the ARN) of the event data store that you want to restore.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
## Response Syntax
```
{
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"EndsWith": [ "string" ],
"Equals": [ "string" ],
"Field": "string",
"NotEndsWith": [ "string" ],
"NotEquals": [ "string" ],
"NotStartsWith": [ "string" ],
"StartsWith": [ "string" ]
}
],
"Name": "string"
}
],
"BillingMode": "string",
"CreatedTimestamp": number,
"EventDataStoreArn": "string",
"KmsKeyId": "string",
"MultiRegionEnabled": boolean,
"Name": "string",
"OrganizationEnabled": boolean,
"RetentionPeriod": number,
"Status": "string",
"TerminationProtectionEnabled": boolean,
"UpdatedTimestamp": number
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [AdvancedEventSelectors](#API_RestoreEventDataStore_ResponseSyntax) **
The advanced event selectors that were used to select events.
Type: Array of [AdvancedEventSelector](API_AdvancedEventSelector.md) objects
** [BillingMode](#API_RestoreEventDataStore_ResponseSyntax) **
The billing mode for the event data store.
Type: String
Valid Values: `EXTENDABLE_RETENTION_PRICING | FIXED_RETENTION_PRICING`
** [CreatedTimestamp](#API_RestoreEventDataStore_ResponseSyntax) **
The timestamp of an event data store's creation.
Type: Timestamp
** [EventDataStoreArn](#API_RestoreEventDataStore_ResponseSyntax) **
The event data store ARN.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [KmsKeyId](#API_RestoreEventDataStore_ResponseSyntax) **
Specifies the AWS KMS key ID that encrypts the events delivered by CloudTrail. The value is a fully specified ARN to a AWS KMS key in the following format.
`arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`
Type: String
Length Constraints: Minimum length of 1. Maximum length of 350.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [MultiRegionEnabled](#API_RestoreEventDataStore_ResponseSyntax) **
Indicates whether the event data store is collecting events from all Regions, or only from the Region in which the event data store was created.
Type: Boolean
** [Name](#API_RestoreEventDataStore_ResponseSyntax) **
The name of the event data store.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9._\-]+$`
** [OrganizationEnabled](#API_RestoreEventDataStore_ResponseSyntax) **
Indicates whether an event data store is collecting logged events for an organization in AWS Organizations.
Type: Boolean
** [RetentionPeriod](#API_RestoreEventDataStore_ResponseSyntax) **
The retention period, in days.
Type: Integer
Valid Range: Minimum value of 7. Maximum value of 3653.
** [Status](#API_RestoreEventDataStore_ResponseSyntax) **
The status of the event data store.
Type: String
Valid Values: `CREATED | ENABLED | PENDING_DELETION | STARTING_INGESTION | STOPPING_INGESTION | STOPPED_INGESTION`
** [TerminationProtectionEnabled](#API_RestoreEventDataStore_ResponseSyntax) **
Indicates that termination protection is enabled and the event data store cannot be automatically deleted.
Type: Boolean
** [UpdatedTimestamp](#API_RestoreEventDataStore_ResponseSyntax) **
The timestamp that shows when an event data store was updated, if applicable. `UpdatedTimestamp` is always either the same or newer than the time shown in `CreatedTimestamp`.
Type: Timestamp
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailAccessNotEnabledException **
This exception is thrown when trusted access has not been enabled between AWS CloudTrail and AWS Organizations. For more information, see [How to enable or disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_how-to-enable-disable-trusted-access) in the * AWS Organizations User Guide* and [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreMaxLimitExceededException **
Your account has used the maximum number of event data stores.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InvalidEventDataStoreStatusException **
The event data store is not in a status that supports the operation.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** OrganizationNotInAllFeaturesModeException **
This exception is thrown when AWS Organizations is not configured to support all features. All features must be enabled in Organizations to support creating an organization trail or event data store.
HTTP Status Code: 400
** OrganizationsNotInUseException **
This exception is thrown when the request is made from an AWS account that is not a member of an organization. To make this request, sign in using the credentials of an account that belongs to an organization.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/RestoreEventDataStore)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/RestoreEventDataStore)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/RestoreEventDataStore)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/RestoreEventDataStore)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/RestoreEventDataStore)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/RestoreEventDataStore)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/RestoreEventDataStore)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/RestoreEventDataStore)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/RestoreEventDataStore)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/RestoreEventDataStore)
# SearchSampleQueries
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Searches sample queries and returns a list of sample queries that are sorted by relevance. To search for sample queries, provide a natural language `SearchPhrase` in English.
## Request Syntax
```
{
"MaxResults": number,
"NextToken": "string",
"SearchPhrase": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [MaxResults](#API_SearchSampleQueries_RequestSyntax) **
The maximum number of results to return on a single page. The default value is 10.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 50.
Required: No
** [NextToken](#API_SearchSampleQueries_RequestSyntax) **
A token you can use to get the next page of results. The length constraint is in characters, not words.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
Required: No
** [SearchPhrase](#API_SearchSampleQueries_RequestSyntax) **
The natural language phrase to use for the semantic search. The phrase must be in English. The length constraint is in characters, not words.
Type: String
Length Constraints: Minimum length of 2. Maximum length of 1000.
Pattern: `^[ -~\n]*$`
Required: Yes
## Response Syntax
```
{
"NextToken": "string",
"SearchResults": [
{
"Description": "string",
"Name": "string",
"Relevance": number,
"SQL": "string"
}
]
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [NextToken](#API_SearchSampleQueries_ResponseSyntax) **
A token you can use to get the next page of results.
Type: String
Length Constraints: Minimum length of 4. Maximum length of 1000.
Pattern: `.*`
** [SearchResults](#API_SearchSampleQueries_ResponseSyntax) **
A list of objects containing the search results ordered from most relevant to least relevant.
Type: Array of [SearchSampleQueriesSearchResult](API_SearchSampleQueriesSearchResult.md) objects
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/SearchSampleQueries)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/SearchSampleQueries)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/SearchSampleQueries)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/SearchSampleQueries)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/SearchSampleQueries)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/SearchSampleQueries)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/SearchSampleQueries)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/SearchSampleQueries)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/SearchSampleQueries)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/SearchSampleQueries)
# StartDashboardRefresh
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Starts a refresh of the specified dashboard.
Each time a dashboard is refreshed, CloudTrail runs queries to populate the dashboard's widgets. CloudTrail must be granted permissions to run the `StartQuery` operation on your behalf. To provide permissions, run the `PutResourcePolicy` operation to attach a resource-based policy to each event data store. For more information, see [Example: Allow CloudTrail to run queries to populate a dashboard](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_resource-based-policy-examples.html#security_iam_resource-based-policy-examples-eds-dashboard) in the * AWS CloudTrail User Guide*.
## Request Syntax
```
{
"DashboardId": "string",
"QueryParameterValues": {
"string" : "string"
}
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [DashboardId](#API_StartDashboardRefresh_RequestSyntax) **
The name or ARN of the dashboard.
Type: String
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
** [QueryParameterValues](#API_StartDashboardRefresh_RequestSyntax) **
The query parameter values for the dashboard
For custom dashboards, the following query parameters are valid: `$StartTime$`, `$EndTime$`, and `$Period$`.
For managed dashboards, the following query parameters are valid: `$StartTime$`, `$EndTime$`, `$Period$`, and `$EventDataStoreId$`. The `$EventDataStoreId$` query parameter is required.
Type: String to string map
Key Length Constraints: Minimum length of 3. Maximum length of 128.
Key Pattern: `^[a-zA-Z0-9._/\-:$]+$`
Value Length Constraints: Minimum length of 1. Maximum length of 128.
Value Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: No
## Response Syntax
```
{
"RefreshId": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [RefreshId](#API_StartDashboardRefresh_ResponseSyntax) **
The refresh ID for the dashboard.
Type: String
Length Constraints: Minimum length of 10. Maximum length of 20.
Pattern: `\d+`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** ResourceNotFoundException **
This exception is thrown when the specified resource is not found.
HTTP Status Code: 400
** ServiceQuotaExceededException **
This exception is thrown when the quota is exceeded. For information about CloudTrail quotas, see [Service quotas](https://docs.aws.amazon.com/general/latest/gr/ct.html#limits_cloudtrail) in the * AWS General Reference*.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## Examples
### Example
The following example refreshes a managed dashboard. Because managed dashboards are configured by CloudTrail, the refresh request needs to include the ID of the event data store that the queries will run on.
```
{
"DashboardId": "AWSCloudTrail-Overview",
"QueryParameterValues": {
"$StartTime$": "2024-11-13T08:00:00.00Z",
"$EndTime$": "2024-11-13T12:00:00.00Z",
"$Period$": "minute",
"$EventDataStoreId$": ""
}
}
```
### Example
The following example refreshes a custom dashboard named `AccountActivityDashboard`.
```
{
"DashboardId": "AccountActivityDashboard",
"QueryParameterValues": {
"$StartTime$": "2024-11-13T08:00:00.00Z",
"$EndTime$": "2024-11-13T12:00:00.00Z",
"$Period$": "minute"
}
}
```
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/StartDashboardRefresh)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/StartDashboardRefresh)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/StartDashboardRefresh)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/StartDashboardRefresh)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/StartDashboardRefresh)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/StartDashboardRefresh)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/StartDashboardRefresh)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/StartDashboardRefresh)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/StartDashboardRefresh)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/StartDashboardRefresh)
# StartEventDataStoreIngestion
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Starts the ingestion of live events on an event data store specified as either an ARN or the ID portion of the ARN. To start ingestion, the event data store `Status` must be `STOPPED_INGESTION` and the `eventCategory` must be `Management`, `Data`, `NetworkActivity`, or `ConfigurationItem`.
## Request Syntax
```
{
"EventDataStore": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_StartEventDataStoreIngestion_RequestSyntax) **
The ARN (or ID suffix of the ARN) of the event data store for which you want to start ingestion.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InvalidEventDataStoreCategoryException **
This exception is thrown when event categories of specified event data stores are not valid.
HTTP Status Code: 400
** InvalidEventDataStoreStatusException **
The event data store is not in a status that supports the operation.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/StartEventDataStoreIngestion)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/StartEventDataStoreIngestion)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/StartEventDataStoreIngestion)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/StartEventDataStoreIngestion)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/StartEventDataStoreIngestion)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/StartEventDataStoreIngestion)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/StartEventDataStoreIngestion)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/StartEventDataStoreIngestion)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/StartEventDataStoreIngestion)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/StartEventDataStoreIngestion)
# StartImport
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Starts an import of logged trail events from a source S3 bucket to a destination event data store. By default, CloudTrail only imports events contained in the S3 bucket's `CloudTrail` prefix and the prefixes inside the `CloudTrail` prefix, and does not check prefixes for other AWS services. If you want to import CloudTrail events contained in another prefix, you must include the prefix in the `S3LocationUri`. For more considerations about importing trail events, see [Considerations for copying trail events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-copy-trail-to-lake.html#cloudtrail-trail-copy-considerations) in the *CloudTrail User Guide*.
When you start a new import, the `Destinations` and `ImportSource` parameters are required. Before starting a new import, disable any access control lists (ACLs) attached to the source S3 bucket. For more information about disabling ACLs, see [Controlling ownership of objects and disabling ACLs for your bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html).
When you retry an import, the `ImportID` parameter is required.
**Note**
If the destination event data store is for an organization, you must use the management account to import trail events. You cannot use the delegated administrator account for the organization.
## Request Syntax
```
{
"Destinations": [ "string" ],
"EndEventTime": number,
"ImportId": "string",
"ImportSource": {
"S3": {
"S3BucketAccessRoleArn": "string",
"S3BucketRegion": "string",
"S3LocationUri": "string"
}
},
"StartEventTime": number
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [Destinations](#API_StartImport_RequestSyntax) **
The ARN of the destination event data store. Use this parameter for a new import.
Type: Array of strings
Array Members: Fixed number of 1 item.
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: No
** [EndEventTime](#API_StartImport_RequestSyntax) **
Use with `StartEventTime` to bound a `StartImport` request, and limit imported trail events to only those events logged within a specified time period. When you specify a time range, CloudTrail checks the prefix and log file names to verify the names contain a date between the specified `StartEventTime` and `EndEventTime` before attempting to import events.
Type: Timestamp
Required: No
** [ImportId](#API_StartImport_RequestSyntax) **
The ID of the import. Use this parameter when you are retrying an import.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
Required: No
** [ImportSource](#API_StartImport_RequestSyntax) **
The source S3 bucket for the import. Use this parameter for a new import.
Type: [ImportSource](API_ImportSource.md) object
Required: No
** [StartEventTime](#API_StartImport_RequestSyntax) **
Use with `EndEventTime` to bound a `StartImport` request, and limit imported trail events to only those events logged within a specified time period. When you specify a time range, CloudTrail checks the prefix and log file names to verify the names contain a date between the specified `StartEventTime` and `EndEventTime` before attempting to import events.
Type: Timestamp
Required: No
## Response Syntax
```
{
"CreatedTimestamp": number,
"Destinations": [ "string" ],
"EndEventTime": number,
"ImportId": "string",
"ImportSource": {
"S3": {
"S3BucketAccessRoleArn": "string",
"S3BucketRegion": "string",
"S3LocationUri": "string"
}
},
"ImportStatus": "string",
"StartEventTime": number,
"UpdatedTimestamp": number
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [CreatedTimestamp](#API_StartImport_ResponseSyntax) **
The timestamp for the import's creation.
Type: Timestamp
** [Destinations](#API_StartImport_ResponseSyntax) **
The ARN of the destination event data store.
Type: Array of strings
Array Members: Fixed number of 1 item.
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [EndEventTime](#API_StartImport_ResponseSyntax) **
Used with `StartEventTime` to bound a `StartImport` request, and limit imported trail events to only those events logged within a specified time period.
Type: Timestamp
** [ImportId](#API_StartImport_ResponseSyntax) **
The ID of the import.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
** [ImportSource](#API_StartImport_ResponseSyntax) **
The source S3 bucket for the import.
Type: [ImportSource](API_ImportSource.md) object
** [ImportStatus](#API_StartImport_ResponseSyntax) **
Shows the status of the import after a `StartImport` request. An import finishes with a status of `COMPLETED` if there were no failures, or `FAILED` if there were failures.
Type: String
Valid Values: `INITIALIZING | IN_PROGRESS | FAILED | STOPPED | COMPLETED`
** [StartEventTime](#API_StartImport_ResponseSyntax) **
Used with `EndEventTime` to bound a `StartImport` request, and limit imported trail events to only those events logged within a specified time period.
Type: Timestamp
** [UpdatedTimestamp](#API_StartImport_ResponseSyntax) **
The timestamp of the import's last update, if applicable.
Type: Timestamp
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** AccountHasOngoingImportException **
This exception is thrown when you start a new import and a previous import is still in progress.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** ImportNotFoundException **
The specified import was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InsufficientEncryptionPolicyException **
For the `CreateTrail` `PutInsightSelectors`, `UpdateTrail`, `StartQuery`, and `StartImport` operations, this exception is thrown when the policy on the S3 bucket or AWS KMS key does not have sufficient permissions for the operation.
For all other operations, this exception is thrown when the policy for the AWS KMS key does not have sufficient permissions for the operation.
HTTP Status Code: 400
** InvalidEventDataStoreCategoryException **
This exception is thrown when event categories of specified event data stores are not valid.
HTTP Status Code: 400
** InvalidEventDataStoreStatusException **
The event data store is not in a status that supports the operation.
HTTP Status Code: 400
** InvalidImportSourceException **
This exception is thrown when the provided source S3 bucket is not valid for import.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/StartImport)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/StartImport)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/StartImport)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/StartImport)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/StartImport)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/StartImport)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/StartImport)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/StartImport)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/StartImport)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/StartImport)
# StartLogging
Starts the recording of AWS API calls and log file delivery for a trail. For a trail that is enabled in all Regions, this operation must be called from the Region in which the trail was created. This operation cannot be called on the shadow trails (replicated trails in other Regions) of a trail that is enabled in all Regions.
## Request Syntax
```
{
"Name": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [Name](#API_StartLogging_RequestSyntax) **
Specifies the name or the CloudTrail ARN of the trail for which CloudTrail logs AWS API calls. The following is the format of a trail ARN.
`arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
Type: String
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InvalidHomeRegionException **
This exception is thrown when an operation is called on a trail from a Region other than the Region in which the trail was created.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** ThrottlingException **
This exception is thrown when the request rate exceeds the limit.
HTTP Status Code: 400
** TrailNotFoundException **
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/StartLogging)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/StartLogging)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/StartLogging)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/StartLogging)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/StartLogging)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/StartLogging)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/StartLogging)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/StartLogging)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/StartLogging)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/StartLogging)
# StartQuery
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Starts a CloudTrail Lake query. Use the `QueryStatement` parameter to provide your SQL query, enclosed in single quotation marks. Use the optional `DeliveryS3Uri` parameter to deliver the query results to an S3 bucket.
`StartQuery` requires you specify either the `QueryStatement` parameter, or a `QueryAlias` and any `QueryParameters`. In the current release, the `QueryAlias` and `QueryParameters` parameters are used only for the queries that populate the CloudTrail Lake dashboards.
## Request Syntax
```
{
"DeliveryS3Uri": "string",
"EventDataStoreOwnerAccountId": "string",
"QueryAlias": "string",
"QueryParameters": [ "string" ],
"QueryStatement": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [DeliveryS3Uri](#API_StartQuery_RequestSyntax) **
The URI for the S3 bucket where CloudTrail delivers the query results.
Type: String
Length Constraints: Maximum length of 1024.
Pattern: `s3://[a-z0-9][\.\-a-z0-9]{1,61}[a-z0-9](/.*)?`
Required: No
** [EventDataStoreOwnerAccountId](#API_StartQuery_RequestSyntax) **
The account ID of the event data store owner.
Type: String
Length Constraints: Minimum length of 12. Maximum length of 16.
Pattern: `\d+`
Required: No
** [QueryAlias](#API_StartQuery_RequestSyntax) **
The alias that identifies a query template.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Pattern: `^[a-zA-Z][a-zA-Z0-9._\-]*$`
Required: No
** [QueryParameters](#API_StartQuery_RequestSyntax) **
The query parameters for the specified `QueryAlias`.
Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 10 items.
Length Constraints: Minimum length of 1. Maximum length of 1024.
Pattern: `.*`
Required: No
** [QueryStatement](#API_StartQuery_RequestSyntax) **
The SQL code of your query.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 10000.
Pattern: `(?s).*`
Required: No
## Response Syntax
```
{
"EventDataStoreOwnerAccountId": "string",
"QueryId": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [EventDataStoreOwnerAccountId](#API_StartQuery_ResponseSyntax) **
The account ID of the event data store owner.
Type: String
Length Constraints: Minimum length of 12. Maximum length of 16.
Pattern: `\d+`
** [QueryId](#API_StartQuery_ResponseSyntax) **
The ID of the started query.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InsufficientEncryptionPolicyException **
For the `CreateTrail` `PutInsightSelectors`, `UpdateTrail`, `StartQuery`, and `StartImport` operations, this exception is thrown when the policy on the S3 bucket or AWS KMS key does not have sufficient permissions for the operation.
For all other operations, this exception is thrown when the policy for the AWS KMS key does not have sufficient permissions for the operation.
HTTP Status Code: 400
** InsufficientS3BucketPolicyException **
This exception is thrown when the policy on the S3 bucket is not sufficient.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** InvalidQueryStatementException **
The query that was submitted has validation errors, or uses incorrect syntax or unsupported keywords. For more information about writing a query, see [Create or edit a query](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-create-edit-query.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** InvalidS3BucketNameException **
This exception is thrown when the provided S3 bucket name is not valid.
HTTP Status Code: 400
** InvalidS3PrefixException **
This exception is thrown when the provided S3 prefix is not valid.
HTTP Status Code: 400
** MaxConcurrentQueriesException **
You are already running the maximum number of concurrent queries. The maximum number of concurrent queries is 10. Wait a minute for some queries to finish, and then run the query again.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** S3BucketDoesNotExistException **
This exception is thrown when the specified S3 bucket does not exist.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## Examples
### Example
The following example uses the `QueryStatement` parameter with the optional `DeliveryS3Uri` parameter to deliver the query results to an S3 bucket.
```
{
"DeliveryS3Uri": "s3://aws-cloudtrail-lake-query-results-123456789012-us-east-1",
"QueryStatement": "SELECT eventID, eventTime FROM EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE LIMIT 10"
}
```
### Example
The following example uses the `QueryAlias` and `QueryParameters` parameters.
```
{
"QueryAlias": "query-alias",
"QueryParameters": [ "EXAMPLE-b8e1-4e93-848f-573b9bfEXAMPLE","2023-05-26T17:47:22.541Z","2023-05-27T17:47:22.541Z" ]
}
```
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/StartQuery)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/StartQuery)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/StartQuery)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/StartQuery)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/StartQuery)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/StartQuery)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/StartQuery)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/StartQuery)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/StartQuery)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/StartQuery)
# StopEventDataStoreIngestion
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Stops the ingestion of live events on an event data store specified as either an ARN or the ID portion of the ARN. To stop ingestion, the event data store `Status` must be `ENABLED` and the `eventCategory` must be `Management`, `Data`, `NetworkActivity`, or `ConfigurationItem`.
## Request Syntax
```
{
"EventDataStore": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [EventDataStore](#API_StopEventDataStoreIngestion_RequestSyntax) **
The ARN (or ID suffix of the ARN) of the event data store for which you want to stop ingestion.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InvalidEventDataStoreCategoryException **
This exception is thrown when event categories of specified event data stores are not valid.
HTTP Status Code: 400
** InvalidEventDataStoreStatusException **
The event data store is not in a status that supports the operation.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/StopEventDataStoreIngestion)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/StopEventDataStoreIngestion)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/StopEventDataStoreIngestion)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/StopEventDataStoreIngestion)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/StopEventDataStoreIngestion)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/StopEventDataStoreIngestion)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/StopEventDataStoreIngestion)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/StopEventDataStoreIngestion)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/StopEventDataStoreIngestion)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/StopEventDataStoreIngestion)
# StopImport
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Stops a specified import.
## Request Syntax
```
{
"ImportId": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [ImportId](#API_StopImport_RequestSyntax) **
The ID of the import.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
Required: Yes
## Response Syntax
```
{
"CreatedTimestamp": number,
"Destinations": [ "string" ],
"EndEventTime": number,
"ImportId": "string",
"ImportSource": {
"S3": {
"S3BucketAccessRoleArn": "string",
"S3BucketRegion": "string",
"S3LocationUri": "string"
}
},
"ImportStatistics": {
"EventsCompleted": number,
"FailedEntries": number,
"FilesCompleted": number,
"PrefixesCompleted": number,
"PrefixesFound": number
},
"ImportStatus": "string",
"StartEventTime": number,
"UpdatedTimestamp": number
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [CreatedTimestamp](#API_StopImport_ResponseSyntax) **
The timestamp of the import's creation.
Type: Timestamp
** [Destinations](#API_StopImport_ResponseSyntax) **
The ARN of the destination event data store.
Type: Array of strings
Array Members: Fixed number of 1 item.
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [EndEventTime](#API_StopImport_ResponseSyntax) **
Used with `StartEventTime` to bound a `StartImport` request, and limit imported trail events to only those events logged within a specified time period.
Type: Timestamp
** [ImportId](#API_StopImport_ResponseSyntax) **
The ID for the import.
Type: String
Length Constraints: Fixed length of 36.
Pattern: `^[a-f0-9\-]+$`
** [ImportSource](#API_StopImport_ResponseSyntax) **
The source S3 bucket for the import.
Type: [ImportSource](API_ImportSource.md) object
** [ImportStatistics](#API_StopImport_ResponseSyntax) **
Returns information on the stopped import.
Type: [ImportStatistics](API_ImportStatistics.md) object
** [ImportStatus](#API_StopImport_ResponseSyntax) **
The status of the import.
Type: String
Valid Values: `INITIALIZING | IN_PROGRESS | FAILED | STOPPED | COMPLETED`
** [StartEventTime](#API_StopImport_ResponseSyntax) **
Used with `EndEventTime` to bound a `StartImport` request, and limit imported trail events to only those events logged within a specified time period.
Type: Timestamp
** [UpdatedTimestamp](#API_StopImport_ResponseSyntax) **
The timestamp of the import's last update.
Type: Timestamp
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ImportNotFoundException **
The specified import was not found.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/StopImport)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/StopImport)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/StopImport)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/StopImport)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/StopImport)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/StopImport)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/StopImport)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/StopImport)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/StopImport)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/StopImport)
# StopLogging
Suspends the recording of AWS API calls and log file delivery for the specified trail. Under most circumstances, there is no need to use this action. You can update a trail without stopping it first. This action is the only way to stop recording. For a trail enabled in all Regions, this operation must be called from the Region in which the trail was created, or an `InvalidHomeRegionException` will occur. This operation cannot be called on the shadow trails (replicated trails in other Regions) of a trail enabled in all Regions.
## Request Syntax
```
{
"Name": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [Name](#API_StopLogging_RequestSyntax) **
Specifies the name or the CloudTrail ARN of the trail for which CloudTrail will stop logging AWS API calls. The following is the format of a trail ARN.
`arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
Type: String
Required: Yes
## Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InvalidHomeRegionException **
This exception is thrown when an operation is called on a trail from a Region other than the Region in which the trail was created.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** ThrottlingException **
This exception is thrown when the request rate exceeds the limit.
HTTP Status Code: 400
** TrailNotFoundException **
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/StopLogging)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/StopLogging)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/StopLogging)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/StopLogging)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/StopLogging)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/StopLogging)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/StopLogging)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/StopLogging)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/StopLogging)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/StopLogging)
# UpdateChannel
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Updates a channel specified by a required channel ARN or UUID.
## Request Syntax
```
{
"Channel": "string",
"Destinations": [
{
"Location": "string",
"Type": "string"
}
],
"Name": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [Channel](#API_UpdateChannel_RequestSyntax) **
The ARN or ID (the ARN suffix) of the channel that you want to update.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
** [Destinations](#API_UpdateChannel_RequestSyntax) **
The ARNs of event data stores that you want to log events arriving through the channel.
Type: Array of [Destination](API_Destination.md) objects
Array Members: Minimum number of 1 item. Maximum number of 200 items.
Required: No
** [Name](#API_UpdateChannel_RequestSyntax) **
Changes the name of the channel.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9._\-]+$`
Required: No
## Response Syntax
```
{
"ChannelArn": "string",
"Destinations": [
{
"Location": "string",
"Type": "string"
}
],
"Name": "string",
"Source": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [ChannelArn](#API_UpdateChannel_ResponseSyntax) **
The ARN of the channel that was updated.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [Destinations](#API_UpdateChannel_ResponseSyntax) **
The event data stores that log events arriving through the channel.
Type: Array of [Destination](API_Destination.md) objects
Array Members: Minimum number of 1 item. Maximum number of 200 items.
** [Name](#API_UpdateChannel_ResponseSyntax) **
The name of the channel that was updated.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9._\-]+$`
** [Source](#API_UpdateChannel_ResponseSyntax) **
The event source of the channel that was updated.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Pattern: `.*`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ChannelAlreadyExistsException **
This exception is thrown when the provided channel already exists.
HTTP Status Code: 400
** ChannelARNInvalidException **
This exception is thrown when the specified value of `ChannelARN` is not valid.
HTTP Status Code: 400
** ChannelNotFoundException **
This exception is thrown when CloudTrail cannot find the specified channel.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InvalidEventDataStoreCategoryException **
This exception is thrown when event categories of specified event data stores are not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/UpdateChannel)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/UpdateChannel)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/UpdateChannel)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/UpdateChannel)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/UpdateChannel)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/UpdateChannel)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/UpdateChannel)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/UpdateChannel)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/UpdateChannel)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/UpdateChannel)
# UpdateDashboard
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Updates the specified dashboard.
To set a refresh schedule, CloudTrail must be granted permissions to run the `StartDashboardRefresh` operation to refresh the dashboard on your behalf. To provide permissions, run the `PutResourcePolicy` operation to attach a resource-based policy to the dashboard. For more information, see [ Resource-based policy example for a dashboard](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_resource-based-policy-examples.html#security_iam_resource-based-policy-examples-dashboards) in the * AWS CloudTrail User Guide*.
CloudTrail runs queries to populate the dashboard's widgets during a manual or scheduled refresh. CloudTrail must be granted permissions to run the `StartQuery` operation on your behalf. To provide permissions, run the `PutResourcePolicy` operation to attach a resource-based policy to each event data store. For more information, see [Example: Allow CloudTrail to run queries to populate a dashboard](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_resource-based-policy-examples.html#security_iam_resource-based-policy-examples-eds-dashboard) in the * AWS CloudTrail User Guide*.
## Request Syntax
```
{
"DashboardId": "string",
"RefreshSchedule": {
"Frequency": {
"Unit": "string",
"Value": number
},
"Status": "string",
"TimeOfDay": "string"
},
"TerminationProtectionEnabled": boolean,
"Widgets": [
{
"QueryParameters": [ "string" ],
"QueryStatement": "string",
"ViewProperties": {
"string" : "string"
}
}
]
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [DashboardId](#API_UpdateDashboard_RequestSyntax) **
The name or ARN of the dashboard.
Type: String
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
** [RefreshSchedule](#API_UpdateDashboard_RequestSyntax) **
The refresh schedule configuration for the dashboard.
Type: [RefreshSchedule](API_RefreshSchedule.md) object
Required: No
** [TerminationProtectionEnabled](#API_UpdateDashboard_RequestSyntax) **
Specifies whether termination protection is enabled for the dashboard. If termination protection is enabled, you cannot delete the dashboard until termination protection is disabled.
Type: Boolean
Required: No
** [Widgets](#API_UpdateDashboard_RequestSyntax) **
An array of widgets for the dashboard. A custom dashboard can have a maximum of 10 widgets.
To add new widgets, pass in an array that includes the existing widgets along with any new widgets. Run the `GetDashboard` operation to get the list of widgets for the dashboard.
To remove widgets, pass in an array that includes the existing widgets minus the widgets you want removed.
Type: Array of [RequestWidget](API_RequestWidget.md) objects
Required: No
## Response Syntax
```
{
"CreatedTimestamp": number,
"DashboardArn": "string",
"Name": "string",
"RefreshSchedule": {
"Frequency": {
"Unit": "string",
"Value": number
},
"Status": "string",
"TimeOfDay": "string"
},
"TerminationProtectionEnabled": boolean,
"Type": "string",
"UpdatedTimestamp": number,
"Widgets": [
{
"QueryAlias": "string",
"QueryParameters": [ "string" ],
"QueryStatement": "string",
"ViewProperties": {
"string" : "string"
}
}
]
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [CreatedTimestamp](#API_UpdateDashboard_ResponseSyntax) **
The timestamp that shows when the dashboard was created.
Type: Timestamp
** [DashboardArn](#API_UpdateDashboard_ResponseSyntax) **
The ARN for the dashboard.
Type: String
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [Name](#API_UpdateDashboard_ResponseSyntax) **
The name for the dashboard.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9_\-]+$`
** [RefreshSchedule](#API_UpdateDashboard_ResponseSyntax) **
The refresh schedule for the dashboard, if configured.
Type: [RefreshSchedule](API_RefreshSchedule.md) object
** [TerminationProtectionEnabled](#API_UpdateDashboard_ResponseSyntax) **
Indicates whether termination protection is enabled for the dashboard.
Type: Boolean
** [Type](#API_UpdateDashboard_ResponseSyntax) **
The type of dashboard.
Type: String
Valid Values: `MANAGED | CUSTOM`
** [UpdatedTimestamp](#API_UpdateDashboard_ResponseSyntax) **
The timestamp that shows when the dashboard was updated.
Type: Timestamp
** [Widgets](#API_UpdateDashboard_ResponseSyntax) **
An array of widgets for the dashboard.
Type: Array of [Widget](API_Widget.md) objects
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InsufficientEncryptionPolicyException **
For the `CreateTrail` `PutInsightSelectors`, `UpdateTrail`, `StartQuery`, and `StartImport` operations, this exception is thrown when the policy on the S3 bucket or AWS KMS key does not have sufficient permissions for the operation.
For all other operations, this exception is thrown when the policy for the AWS KMS key does not have sufficient permissions for the operation.
HTTP Status Code: 400
** InvalidQueryStatementException **
The query that was submitted has validation errors, or uses incorrect syntax or unsupported keywords. For more information about writing a query, see [Create or edit a query](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-create-edit-query.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** ResourceNotFoundException **
This exception is thrown when the specified resource is not found.
HTTP Status Code: 400
** ServiceQuotaExceededException **
This exception is thrown when the quota is exceeded. For information about CloudTrail quotas, see [Service quotas](https://docs.aws.amazon.com/general/latest/gr/ct.html#limits_cloudtrail) in the * AWS General Reference*.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## Examples
### Example
The following example adds a new widget named `TopServices` to the custom dashboard named `AccountActivityDashboard`. The widgets array includes the two widgets that were already created for the dashboard and the new widget.
```
{
"DashboardId": "AccountActivityDashboard",
"Widgets": [
{
"ViewProperties": {
"Height": "2",
"Width": "4",
"Title": "TopErrors",
"View": "Table"
},
"QueryStatement": "SELECT errorCode, COUNT(*) AS eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' AND (errorCode is not null) GROUP BY errorCode ORDER BY eventCount DESC LIMIT 100",
"QueryParameters": ["$StartTime$", "$EndTime$"]
},
{
"ViewProperties": {
"Height": "2",
"Width": "4",
"Title": "MostActiveRegions",
"View": "PieChart",
"LabelColumn": "awsRegion",
"ValueColumn": "eventCount",
"FilterColumn": "awsRegion"
},
"QueryStatement": "SELECT awsRegion, COUNT(*) AS eventCount FROM eds where eventTime > '?' and eventTime < '?' GROUP BY awsRegion ORDER BY eventCount LIMIT 100",
"QueryParameters": ["$StartTime$", "$EndTime$"]
},
{
"ViewProperties": {
"Height": "2",
"Width": "4",
"Title": "TopServices",
"View": "BarChart",
"LabelColumn": "service",
"ValueColumn": "eventCount",
"FilterColumn": "service",
"Orientation": "Vertical"
},
"QueryStatement": "SELECT replace(eventSource, '.amazonaws.com') AS service, COUNT(*) as eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' GROUP BY eventSource ORDER BY eventCount DESC LIMIT 100",
"QueryParameters": ["$StartTime$", "$EndTime$"]
}
]
}
```
### Example
The following example disables termination protection for a custom dashboard named `AccountActivityDashboard` to allow the dashboard to be deleted. It also turns off the refresh schedule.
```
{
"DashboardId": "AccountActivityDashboard",
"RefreshSchedule": {
"Status": "DISABLED"
},
"TerminationProtectionEnabled": false
}
```
### Example
The following example updates the refresh schedule for a custom dashboard named `AccountActivityDashboard`.
```
{
"DashboardId": "AccountActivityDashboard",
"RefreshSchedule": {
"Frequency": {
"Unit": "HOURS",
"Value": 6
},
"Status": "ENABLED"
}
}
```
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/UpdateDashboard)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/UpdateDashboard)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/UpdateDashboard)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/UpdateDashboard)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/UpdateDashboard)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/UpdateDashboard)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/UpdateDashboard)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/UpdateDashboard)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/UpdateDashboard)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/UpdateDashboard)
# UpdateEventDataStore
**Important**
CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-service-availability-change.html).
Updates an event data store. The required `EventDataStore` value is an ARN or the ID portion of the ARN. Other parameters are optional, but at least one optional parameter must be specified, or CloudTrail throws an error. `RetentionPeriod` is in days, and valid values are integers between 7 and 3653 if the `BillingMode` is set to `EXTENDABLE_RETENTION_PRICING`, or between 7 and 2557 if `BillingMode` is set to `FIXED_RETENTION_PRICING`. By default, `TerminationProtection` is enabled.
For event data stores for CloudTrail events, `AdvancedEventSelectors` includes or excludes management, data, or network activity events in your event data store. For more information about `AdvancedEventSelectors`, see [AdvancedEventSelectors](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedEventSelector.html).
For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or non-AWS events, `AdvancedEventSelectors` includes events of that type in your event data store.
## Request Syntax
```
{
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"EndsWith": [ "string" ],
"Equals": [ "string" ],
"Field": "string",
"NotEndsWith": [ "string" ],
"NotEquals": [ "string" ],
"NotStartsWith": [ "string" ],
"StartsWith": [ "string" ]
}
],
"Name": "string"
}
],
"BillingMode": "string",
"EventDataStore": "string",
"KmsKeyId": "string",
"MultiRegionEnabled": boolean,
"Name": "string",
"OrganizationEnabled": boolean,
"RetentionPeriod": number,
"TerminationProtectionEnabled": boolean
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [AdvancedEventSelectors](#API_UpdateEventDataStore_RequestSyntax) **
The advanced event selectors used to select events for the event data store. You can configure up to five advanced event selectors for each event data store.
Type: Array of [AdvancedEventSelector](API_AdvancedEventSelector.md) objects
Required: No
** [BillingMode](#API_UpdateEventDataStore_RequestSyntax) **
You can't change the billing mode from `EXTENDABLE_RETENTION_PRICING` to `FIXED_RETENTION_PRICING`. If `BillingMode` is set to `EXTENDABLE_RETENTION_PRICING` and you want to use `FIXED_RETENTION_PRICING` instead, you'll need to stop ingestion on the event data store and create a new event data store that uses `FIXED_RETENTION_PRICING`.
The billing mode for the event data store determines the cost for ingesting events and the default and maximum retention period for the event data store.
The following are the possible values:
+ `EXTENDABLE_RETENTION_PRICING` - This billing mode is generally recommended if you want a flexible retention period of up to 3653 days (about 10 years). The default retention period for this billing mode is 366 days.
+ `FIXED_RETENTION_PRICING` - This billing mode is recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 2557 days (about 7 years). The default retention period for this billing mode is 2557 days.
For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](http://aws.amazon.com/cloudtrail/pricing/) and [Managing CloudTrail Lake costs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html).
Type: String
Valid Values: `EXTENDABLE_RETENTION_PRICING | FIXED_RETENTION_PRICING`
Required: No
** [EventDataStore](#API_UpdateEventDataStore_RequestSyntax) **
The ARN (or the ID suffix of the ARN) of the event data store that you want to update.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: Yes
** [KmsKeyId](#API_UpdateEventDataStore_RequestSyntax) **
Specifies the AWS KMS key ID to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by `alias/`, a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
Disabling or deleting the KMS key, or removing CloudTrail permissions on the key, prevents CloudTrail from logging events to the event data store, and prevents users from querying the data in the event data store that was encrypted with the key. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed. Before you disable or delete a KMS key that you are using with an event data store, delete or back up your event data store.
CloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the * AWS Key Management Service Developer Guide*.
Examples:
+ `alias/MyAliasName`
+ `arn:aws:kms:us-east-2:123456789012:alias/MyAliasName`
+ `arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`
+ `12345678-1234-1234-1234-123456789012`
Type: String
Length Constraints: Minimum length of 1. Maximum length of 350.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
Required: No
** [MultiRegionEnabled](#API_UpdateEventDataStore_RequestSyntax) **
Specifies whether an event data store collects events from all Regions, or only from the Region in which it was created.
Type: Boolean
Required: No
** [Name](#API_UpdateEventDataStore_RequestSyntax) **
The event data store name.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9._\-]+$`
Required: No
** [OrganizationEnabled](#API_UpdateEventDataStore_RequestSyntax) **
Specifies whether an event data store collects events logged for an organization in AWS Organizations.
Only the management account for the organization can convert an organization event data store to a non-organization event data store, or convert a non-organization event data store to an organization event data store.
Type: Boolean
Required: No
** [RetentionPeriod](#API_UpdateEventDataStore_RequestSyntax) **
The retention period of the event data store, in days. If `BillingMode` is set to `EXTENDABLE_RETENTION_PRICING`, you can set a retention period of up to 3653 days, the equivalent of 10 years. If `BillingMode` is set to `FIXED_RETENTION_PRICING`, you can set a retention period of up to 2557 days, the equivalent of seven years.
CloudTrail Lake determines whether to retain an event by checking if the `eventTime` of the event is within the specified retention period. For example, if you set a retention period of 90 days, CloudTrail will remove events when the `eventTime` is older than 90 days.
If you decrease the retention period of an event data store, CloudTrail will remove any events with an `eventTime` older than the new retention period. For example, if the previous retention period was 365 days and you decrease it to 100 days, CloudTrail will remove events with an `eventTime` older than 100 days.
Type: Integer
Valid Range: Minimum value of 7. Maximum value of 3653.
Required: No
** [TerminationProtectionEnabled](#API_UpdateEventDataStore_RequestSyntax) **
Indicates that termination protection is enabled and the event data store cannot be automatically deleted.
Type: Boolean
Required: No
## Response Syntax
```
{
"AdvancedEventSelectors": [
{
"FieldSelectors": [
{
"EndsWith": [ "string" ],
"Equals": [ "string" ],
"Field": "string",
"NotEndsWith": [ "string" ],
"NotEquals": [ "string" ],
"NotStartsWith": [ "string" ],
"StartsWith": [ "string" ]
}
],
"Name": "string"
}
],
"BillingMode": "string",
"CreatedTimestamp": number,
"EventDataStoreArn": "string",
"FederationRoleArn": "string",
"FederationStatus": "string",
"KmsKeyId": "string",
"MultiRegionEnabled": boolean,
"Name": "string",
"OrganizationEnabled": boolean,
"RetentionPeriod": number,
"Status": "string",
"TerminationProtectionEnabled": boolean,
"UpdatedTimestamp": number
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [AdvancedEventSelectors](#API_UpdateEventDataStore_ResponseSyntax) **
The advanced event selectors that are applied to the event data store.
Type: Array of [AdvancedEventSelector](API_AdvancedEventSelector.md) objects
** [BillingMode](#API_UpdateEventDataStore_ResponseSyntax) **
The billing mode for the event data store.
Type: String
Valid Values: `EXTENDABLE_RETENTION_PRICING | FIXED_RETENTION_PRICING`
** [CreatedTimestamp](#API_UpdateEventDataStore_ResponseSyntax) **
The timestamp that shows when an event data store was first created.
Type: Timestamp
** [EventDataStoreArn](#API_UpdateEventDataStore_ResponseSyntax) **
The ARN of the event data store.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 256.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [FederationRoleArn](#API_UpdateEventDataStore_ResponseSyntax) **
If Lake query federation is enabled, provides the ARN of the federation role used to access the resources for the federated event data store.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 125.
Pattern: `^[a-zA-Z0-9._/\-:@=\+,\.]+$`
** [FederationStatus](#API_UpdateEventDataStore_ResponseSyntax) **
Indicates the [Lake query federation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-federation.html) status. The status is `ENABLED` if Lake query federation is enabled, or `DISABLED` if Lake query federation is disabled. You cannot delete an event data store if the `FederationStatus` is `ENABLED`.
Type: String
Valid Values: `ENABLING | ENABLED | DISABLING | DISABLED`
** [KmsKeyId](#API_UpdateEventDataStore_ResponseSyntax) **
Specifies the AWS KMS key ID that encrypts the events delivered by CloudTrail. The value is a fully specified ARN to a AWS KMS key in the following format.
`arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`
Type: String
Length Constraints: Minimum length of 1. Maximum length of 350.
Pattern: `^[a-zA-Z0-9._/\-:]+$`
** [MultiRegionEnabled](#API_UpdateEventDataStore_ResponseSyntax) **
Indicates whether the event data store includes events from all Regions, or only from the Region in which it was created.
Type: Boolean
** [Name](#API_UpdateEventDataStore_ResponseSyntax) **
The name of the event data store.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 128.
Pattern: `^[a-zA-Z0-9._\-]+$`
** [OrganizationEnabled](#API_UpdateEventDataStore_ResponseSyntax) **
Indicates whether an event data store is collecting logged events for an organization in AWS Organizations.
Type: Boolean
** [RetentionPeriod](#API_UpdateEventDataStore_ResponseSyntax) **
The retention period, in days.
Type: Integer
Valid Range: Minimum value of 7. Maximum value of 3653.
** [Status](#API_UpdateEventDataStore_ResponseSyntax) **
The status of an event data store.
Type: String
Valid Values: `CREATED | ENABLED | PENDING_DELETION | STARTING_INGESTION | STOPPING_INGESTION | STOPPED_INGESTION`
** [TerminationProtectionEnabled](#API_UpdateEventDataStore_ResponseSyntax) **
Indicates whether termination protection is enabled for the event data store.
Type: Boolean
** [UpdatedTimestamp](#API_UpdateEventDataStore_ResponseSyntax) **
The timestamp that shows when the event data store was last updated. `UpdatedTimestamp` is always either the same or newer than the time shown in `CreatedTimestamp`.
Type: Timestamp
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailAccessNotEnabledException **
This exception is thrown when trusted access has not been enabled between AWS CloudTrail and AWS Organizations. For more information, see [How to enable or disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_how-to-enable-disable-trusted-access) in the * AWS Organizations User Guide* and [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** EventDataStoreAlreadyExistsException **
An event data store with that name already exists.
HTTP Status Code: 400
** EventDataStoreARNInvalidException **
The specified event data store ARN is not valid or does not map to an event data store in your account.
HTTP Status Code: 400
** EventDataStoreHasOngoingImportException **
This exception is thrown when you try to update or delete an event data store that currently has an import in progress.
HTTP Status Code: 400
** EventDataStoreNotFoundException **
The specified event data store was not found.
HTTP Status Code: 400
** InactiveEventDataStoreException **
The event data store is inactive.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InsufficientEncryptionPolicyException **
For the `CreateTrail` `PutInsightSelectors`, `UpdateTrail`, `StartQuery`, and `StartImport` operations, this exception is thrown when the policy on the S3 bucket or AWS KMS key does not have sufficient permissions for the operation.
For all other operations, this exception is thrown when the policy for the AWS KMS key does not have sufficient permissions for the operation.
HTTP Status Code: 400
** InvalidEventSelectorsException **
This exception is thrown when the `PutEventSelectors` operation is called with a number of event selectors, advanced event selectors, or data resources that is not valid. The combination of event selectors or advanced event selectors and data resources is not valid. A trail can have up to 5 event selectors. If a trail uses advanced event selectors, a maximum of 500 total values for all conditions in all advanced event selectors is allowed. A trail is limited to 250 data resources. These data resources can be distributed across event selectors, but the overall total cannot exceed 250.
You can:
+ Specify a valid number of event selectors (1 to 5) for a trail.
+ Specify a valid number of data resources (1 to 250) for an event selector. The limit of number of resources on an individual event selector is configurable up to 250. However, this upper limit is allowed only if the total number of data resources does not exceed 250 across all event selectors for a trail.
+ Specify up to 500 values for all conditions in all advanced event selectors for a trail.
+ Specify a valid value for a parameter. For example, specifying the `ReadWriteType` parameter with a value of `read-only` is not valid.
HTTP Status Code: 400
** InvalidInsightSelectorsException **
For `PutInsightSelectors`, this exception is thrown when the formatting or syntax of the `InsightSelectors` JSON statement is not valid, or the specified `InsightType` in the `InsightSelectors` statement is not valid. Valid values for `InsightType` are `ApiCallRateInsight` and `ApiErrorRateInsight`. To enable Insights on an event data store, the destination event data store specified by the `InsightsDestination` parameter must log Insights events and the source event data store specified by the `EventDataStore` parameter must log management events.
For `UpdateEventDataStore`, this exception is thrown if Insights are enabled on the event data store and the updated advanced event selectors are not compatible with the configured `InsightSelectors`. If the `InsightSelectors` includes an `InsightType` of `ApiCallRateInsight`, the source event data store must log `write` management events. If the `InsightSelectors` includes an `InsightType` of `ApiErrorRateInsight`, the source event data store must log management events.
HTTP Status Code: 400
** InvalidKmsKeyIdException **
This exception is thrown when the AWS KMS key ARN is not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** KmsException **
This exception is thrown when there is an issue with the specified AWS KMS key and the trail or event data store can't be updated.
HTTP Status Code: 400
** KmsKeyNotFoundException **
This exception is thrown when the AWS KMS key does not exist, when the S3 bucket and the AWS KMS key are not in the same Region, or when the AWS KMS key associated with the Amazon SNS topic either does not exist or is not in the same Region.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** OrganizationNotInAllFeaturesModeException **
This exception is thrown when AWS Organizations is not configured to support all features. All features must be enabled in Organizations to support creating an organization trail or event data store.
HTTP Status Code: 400
** OrganizationsNotInUseException **
This exception is thrown when the request is made from an AWS account that is not a member of an organization. To make this request, sign in using the credentials of an account that belongs to an organization.
HTTP Status Code: 400
** ThrottlingException **
This exception is thrown when the request rate exceeds the limit.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/UpdateEventDataStore)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/UpdateEventDataStore)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/UpdateEventDataStore)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/UpdateEventDataStore)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/UpdateEventDataStore)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/UpdateEventDataStore)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/UpdateEventDataStore)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/UpdateEventDataStore)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/UpdateEventDataStore)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/UpdateEventDataStore)
# UpdateTrail
Updates trail settings that control what events you are logging, and how to handle log files. Changes to a trail do not require stopping the CloudTrail service. Use this action to designate an existing bucket for log delivery. If the existing bucket has previously been a target for CloudTrail log files, an IAM policy exists for the bucket. `UpdateTrail` must be called from the Region in which the trail was created; otherwise, an `InvalidHomeRegionException` is thrown.
## Request Syntax
```
{
"CloudWatchLogsLogGroupArn": "string",
"CloudWatchLogsRoleArn": "string",
"EnableLogFileValidation": boolean,
"IncludeGlobalServiceEvents": boolean,
"IsMultiRegionTrail": boolean,
"IsOrganizationTrail": boolean,
"KmsKeyId": "string",
"Name": "string",
"S3BucketName": "string",
"S3KeyPrefix": "string",
"SnsTopicName": "string"
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [CloudWatchLogsLogGroupArn](#API_UpdateTrail_RequestSyntax) **
Specifies a log group name using an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs are delivered. You must use a log group that exists in your account.
Not required unless you specify `CloudWatchLogsRoleArn`.
Type: String
Required: No
** [CloudWatchLogsRoleArn](#API_UpdateTrail_RequestSyntax) **
Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group. You must use a role that exists in your account.
Type: String
Required: No
** [EnableLogFileValidation](#API_UpdateTrail_RequestSyntax) **
Specifies whether log file validation is enabled. The default is false.
When you disable log file integrity validation, the chain of digest files is broken after one hour. CloudTrail does not create digest files for log files that were delivered during a period in which log file integrity validation was disabled. For example, if you enable log file integrity validation at noon on January 1, disable it at noon on January 2, and re-enable it at noon on January 10, digest files will not be created for the log files delivered from noon on January 2 to noon on January 10. The same applies whenever you stop CloudTrail logging or delete a trail.
Type: Boolean
Required: No
** [IncludeGlobalServiceEvents](#API_UpdateTrail_RequestSyntax) **
Specifies whether the trail is publishing events from global services such as IAM to the log files.
Type: Boolean
Required: No
** [IsMultiRegionTrail](#API_UpdateTrail_RequestSyntax) **
Specifies whether the trail applies only to the current Region or to all Regions. The default is false. If the trail exists only in the current Region and this value is set to true, shadow trails (replications of the trail) will be created in the other Regions. If the trail exists in all Regions and this value is set to false, the trail will remain in the Region where it was created, and its shadow trails in other Regions will be deleted. As a best practice, consider using trails that log events in all Regions.
Type: Boolean
Required: No
** [IsOrganizationTrail](#API_UpdateTrail_RequestSyntax) **
Specifies whether the trail is applied to all accounts in an organization in AWS Organizations, or only for the current AWS account. The default is false, and cannot be true unless the call is made on behalf of an AWS account that is the management account for an organization in AWS Organizations. If the trail is not an organization trail and this is set to `true`, the trail will be created in all AWS accounts that belong to the organization. If the trail is an organization trail and this is set to `false`, the trail will remain in the current AWS account but be deleted from all member accounts in the organization.
Only the management account for the organization can convert an organization trail to a non-organization trail, or convert a non-organization trail to an organization trail.
Type: Boolean
Required: No
** [KmsKeyId](#API_UpdateTrail_RequestSyntax) **
Specifies the AWS KMS key ID to use to encrypt the logs and digest files delivered by CloudTrail. The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.
CloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see [Using multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the * AWS Key Management Service Developer Guide*.
Examples:
+ alias/MyAliasName
+ arn:aws:kms:us-east-2:123456789012:alias/MyAliasName
+ arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
+ 12345678-1234-1234-1234-123456789012
Type: String
Required: No
** [Name](#API_UpdateTrail_RequestSyntax) **
Specifies the name of the trail or trail ARN. If `Name` is a trail name, the string must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
If `Name` is a trail ARN, it must be in the following format.
`arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
Type: String
Required: Yes
** [S3BucketName](#API_UpdateTrail_RequestSyntax) **
Specifies the name of the Amazon S3 bucket designated for publishing log files. See [Amazon S3 Bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html).
Type: String
Required: No
** [S3KeyPrefix](#API_UpdateTrail_RequestSyntax) **
Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery. For more information, see [Finding Your CloudTrail Log Files](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/get-and-view-cloudtrail-log-files.html#cloudtrail-find-log-files). The maximum length is 200 characters.
Type: String
Required: No
** [SnsTopicName](#API_UpdateTrail_RequestSyntax) **
Specifies the name or ARN of the Amazon SNS topic defined for notification of log file delivery. The maximum length is 256 characters.
Type: String
Required: No
## Response Syntax
```
{
"CloudWatchLogsLogGroupArn": "string",
"CloudWatchLogsRoleArn": "string",
"IncludeGlobalServiceEvents": boolean,
"IsMultiRegionTrail": boolean,
"IsOrganizationTrail": boolean,
"KmsKeyId": "string",
"LogFileValidationEnabled": boolean,
"Name": "string",
"S3BucketName": "string",
"S3KeyPrefix": "string",
"SnsTopicARN": "string",
"SnsTopicName": "string",
"TrailARN": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [CloudWatchLogsLogGroupArn](#API_UpdateTrail_ResponseSyntax) **
Specifies the Amazon Resource Name (ARN) of the log group to which CloudTrail logs are delivered.
Type: String
** [CloudWatchLogsRoleArn](#API_UpdateTrail_ResponseSyntax) **
Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group.
Type: String
** [IncludeGlobalServiceEvents](#API_UpdateTrail_ResponseSyntax) **
Specifies whether the trail is publishing events from global services such as IAM to the log files.
Type: Boolean
** [IsMultiRegionTrail](#API_UpdateTrail_ResponseSyntax) **
Specifies whether the trail exists in one Region or in all Regions.
Type: Boolean
** [IsOrganizationTrail](#API_UpdateTrail_ResponseSyntax) **
Specifies whether the trail is an organization trail.
Type: Boolean
** [KmsKeyId](#API_UpdateTrail_ResponseSyntax) **
Specifies the AWS KMS key ID that encrypts the logs and digest files delivered by CloudTrail. The value is a fully specified ARN to a AWS KMS key in the following format.
`arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012`
Type: String
** [LogFileValidationEnabled](#API_UpdateTrail_ResponseSyntax) **
Specifies whether log file integrity validation is enabled.
Type: Boolean
** [Name](#API_UpdateTrail_ResponseSyntax) **
Specifies the name of the trail.
Type: String
** [S3BucketName](#API_UpdateTrail_ResponseSyntax) **
Specifies the name of the Amazon S3 bucket designated for publishing log files.
Type: String
** [S3KeyPrefix](#API_UpdateTrail_ResponseSyntax) **
Specifies the Amazon S3 key prefix that comes after the name of the bucket you have designated for log file delivery. For more information, see [Finding Your IAM Log Files](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/get-and-view-cloudtrail-log-files.html#cloudtrail-find-log-files).
Type: String
** [SnsTopicARN](#API_UpdateTrail_ResponseSyntax) **
Specifies the ARN of the Amazon SNS topic that CloudTrail uses to send notifications when log files are delivered. The following is the format of a topic ARN.
`arn:aws:sns:us-east-2:123456789012:MyTopic`
Type: String
** [SnsTopicName](#API_UpdateTrail_ResponseSyntax) **
*This parameter has been deprecated.*
This field is no longer in use. Use `SnsTopicARN`.
Type: String
** [TrailARN](#API_UpdateTrail_ResponseSyntax) **
Specifies the ARN of the trail that was updated. The following is the format of a trail ARN.
`arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
Type: String
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** CloudTrailAccessNotEnabledException **
This exception is thrown when trusted access has not been enabled between AWS CloudTrail and AWS Organizations. For more information, see [How to enable or disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_how-to-enable-disable-trusted-access) in the * AWS Organizations User Guide* and [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) in the * AWS CloudTrail User Guide*.
HTTP Status Code: 400
** CloudTrailARNInvalidException **
This exception is thrown when an operation is called with an ARN that is not valid.
The following is the format of a trail ARN: `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`
The following is the format of an event data store ARN: `arn:aws:cloudtrail:us-east-2:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE`
The following is the format of a dashboard ARN: `arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash`
The following is the format of a channel ARN: `arn:aws:cloudtrail:us-east-2:123456789012:channel/01234567890`
HTTP Status Code: 400
** CloudTrailInvalidClientTokenIdException **
This exception is thrown when a call results in the `InvalidClientTokenId` error code. This can occur when you are creating or updating a trail to send notifications to an Amazon SNS topic that is in a suspended AWS account.
HTTP Status Code: 400
** CloudWatchLogsDeliveryUnavailableException **
Cannot set a CloudWatch Logs delivery for this Region.
HTTP Status Code: 400
** ConflictException **
This exception is thrown when the specified resource is not ready for an operation. This can occur when you try to run an operation on a resource before CloudTrail has time to fully load the resource, or because another operation is modifying the resource. If this exception occurs, wait a few minutes, and then try the operation again.
HTTP Status Code: 400
** InsufficientDependencyServiceAccessPermissionException **
This exception is thrown when the IAM identity that is used to create the organization resource lacks one or more required permissions for creating an organization resource in a required service.
HTTP Status Code: 400
** InsufficientEncryptionPolicyException **
For the `CreateTrail` `PutInsightSelectors`, `UpdateTrail`, `StartQuery`, and `StartImport` operations, this exception is thrown when the policy on the S3 bucket or AWS KMS key does not have sufficient permissions for the operation.
For all other operations, this exception is thrown when the policy for the AWS KMS key does not have sufficient permissions for the operation.
HTTP Status Code: 400
** InsufficientS3BucketPolicyException **
This exception is thrown when the policy on the S3 bucket is not sufficient.
HTTP Status Code: 400
** InsufficientSnsTopicPolicyException **
This exception is thrown when the policy on the Amazon SNS topic is not sufficient.
HTTP Status Code: 400
** InvalidCloudWatchLogsLogGroupArnException **
This exception is thrown when the provided CloudWatch Logs log group is not valid.
HTTP Status Code: 400
** InvalidCloudWatchLogsRoleArnException **
This exception is thrown when the provided role is not valid.
HTTP Status Code: 400
** InvalidEventSelectorsException **
This exception is thrown when the `PutEventSelectors` operation is called with a number of event selectors, advanced event selectors, or data resources that is not valid. The combination of event selectors or advanced event selectors and data resources is not valid. A trail can have up to 5 event selectors. If a trail uses advanced event selectors, a maximum of 500 total values for all conditions in all advanced event selectors is allowed. A trail is limited to 250 data resources. These data resources can be distributed across event selectors, but the overall total cannot exceed 250.
You can:
+ Specify a valid number of event selectors (1 to 5) for a trail.
+ Specify a valid number of data resources (1 to 250) for an event selector. The limit of number of resources on an individual event selector is configurable up to 250. However, this upper limit is allowed only if the total number of data resources does not exceed 250 across all event selectors for a trail.
+ Specify up to 500 values for all conditions in all advanced event selectors for a trail.
+ Specify a valid value for a parameter. For example, specifying the `ReadWriteType` parameter with a value of `read-only` is not valid.
HTTP Status Code: 400
** InvalidHomeRegionException **
This exception is thrown when an operation is called on a trail from a Region other than the Region in which the trail was created.
HTTP Status Code: 400
** InvalidKmsKeyIdException **
This exception is thrown when the AWS KMS key ARN is not valid.
HTTP Status Code: 400
** InvalidParameterCombinationException **
This exception is thrown when the combination of parameters provided is not valid.
HTTP Status Code: 400
** InvalidParameterException **
The request includes a parameter that is not valid.
HTTP Status Code: 400
** InvalidS3BucketNameException **
This exception is thrown when the provided S3 bucket name is not valid.
HTTP Status Code: 400
** InvalidS3PrefixException **
This exception is thrown when the provided S3 prefix is not valid.
HTTP Status Code: 400
** InvalidSnsTopicNameException **
This exception is thrown when the provided SNS topic name is not valid.
HTTP Status Code: 400
** InvalidTrailNameException **
This exception is thrown when the provided trail name is not valid. Trail names must meet the following requirements:
+ Contain only ASCII letters (a-z, A-Z), numbers (0-9), periods (.), underscores (\$1), or dashes (-)
+ Start with a letter or number, and end with a letter or number
+ Be between 3 and 128 characters
+ Have no adjacent periods, underscores or dashes. Names like `my-_namespace` and `my--namespace` are not valid.
+ Not be in IP address format (for example, 192.168.5.4)
HTTP Status Code: 400
** KmsException **
This exception is thrown when there is an issue with the specified AWS KMS key and the trail or event data store can't be updated.
HTTP Status Code: 400
** KmsKeyDisabledException **
*This error has been deprecated.*
This exception is no longer in use.
HTTP Status Code: 400
** KmsKeyNotFoundException **
This exception is thrown when the AWS KMS key does not exist, when the S3 bucket and the AWS KMS key are not in the same Region, or when the AWS KMS key associated with the Amazon SNS topic either does not exist or is not in the same Region.
HTTP Status Code: 400
** NoManagementAccountSLRExistsException **
This exception is thrown when the management account does not have a service-linked role.
HTTP Status Code: 400
** NotOrganizationMasterAccountException **
This exception is thrown when the AWS account making the request to create or update an organization trail or event data store is not the management account for an organization in AWS Organizations. For more information, see [Prepare For Creating a Trail For Your Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html) or [Organization event data stores](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-organizations.html).
HTTP Status Code: 400
** OperationNotPermittedException **
This exception is thrown when the requested operation is not permitted.
HTTP Status Code: 400
** OrganizationNotInAllFeaturesModeException **
This exception is thrown when AWS Organizations is not configured to support all features. All features must be enabled in Organizations to support creating an organization trail or event data store.
HTTP Status Code: 400
** OrganizationsNotInUseException **
This exception is thrown when the request is made from an AWS account that is not a member of an organization. To make this request, sign in using the credentials of an account that belongs to an organization.
HTTP Status Code: 400
** S3BucketDoesNotExistException **
This exception is thrown when the specified S3 bucket does not exist.
HTTP Status Code: 400
** ThrottlingException **
This exception is thrown when the request rate exceeds the limit.
HTTP Status Code: 400
** TrailNotFoundException **
This exception is thrown when the trail with the given name is not found.
HTTP Status Code: 400
** TrailNotProvidedException **
This exception is no longer in use.
HTTP Status Code: 400
** UnsupportedOperationException **
This exception is thrown when the requested operation is not supported.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cloudtrail-2013-11-01/UpdateTrail)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cloudtrail-2013-11-01/UpdateTrail)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cloudtrail-2013-11-01/UpdateTrail)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cloudtrail-2013-11-01/UpdateTrail)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cloudtrail-2013-11-01/UpdateTrail)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cloudtrail-2013-11-01/UpdateTrail)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cloudtrail-2013-11-01/UpdateTrail)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cloudtrail-2013-11-01/UpdateTrail)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cloudtrail-2013-11-01/UpdateTrail)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cloudtrail-2013-11-01/UpdateTrail)