AWS::CloudTrail::EventDataStore
Creates a new event data store.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::CloudTrail::EventDataStore", "Properties" : { "AdvancedEventSelectors" :
[ AdvancedEventSelector, ... ]
, "KmsKeyId" :String
, "MultiRegionEnabled" :Boolean
, "Name" :String
, "OrganizationEnabled" :Boolean
, "RetentionPeriod" :Integer
, "Tags" :[ Tag, ... ]
, "TerminationProtectionEnabled" :Boolean
} }
YAML
Type: AWS::CloudTrail::EventDataStore Properties: AdvancedEventSelectors:
- AdvancedEventSelector
KmsKeyId:String
MultiRegionEnabled:Boolean
Name:String
OrganizationEnabled:Boolean
RetentionPeriod:Integer
Tags:- Tag
TerminationProtectionEnabled:Boolean
Properties
AdvancedEventSelectors
-
The advanced event selectors to use to select the events for the data store. You can configure up to five advanced event selectors for each event data store.
For more information about how to use advanced event selectors to log CloudTrail events, see Log events by using advanced event selectors in the CloudTrail User Guide.
For more information about how to use advanced event selectors to include AWS Config configuration items in your event data store, see Create an event data store for AWS Config configuration items in the CloudTrail User Guide.
For more information about how to use advanced event selectors to include non-AWS events in your event data store, see Create an integration to log events from outside AWS in the CloudTrail User Guide.
Required: No
Type: List of AdvancedEventSelector
Update requires: No interruption
KmsKeyId
-
Specifies the AWS KMS key ID to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by
alias/
, a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.Important Disabling or deleting the KMS key, or removing CloudTrail permissions on the key, prevents CloudTrail from logging events to the event data store, and prevents users from querying the data in the event data store that was encrypted with the key. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed. Before you disable or delete a KMS key that you are using with an event data store, delete or back up your event data store.
CloudTrail also supports AWS KMS multi-Region keys. For more information about multi-Region keys, see Using multi-Region keys in the AWS Key Management Service Developer Guide.
Examples:
-
alias/MyAliasName
-
arn:aws:kms:us-east-2:123456789012:alias/MyAliasName
-
arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012
-
12345678-1234-1234-1234-123456789012
Required: No
Type: String
Minimum:
1
Maximum:
350
Pattern:
^[a-zA-Z0-9._/\-:]+$
Update requires: No interruption
-
MultiRegionEnabled
-
Specifies whether the event data store includes events from all regions, or only from the region in which the event data store is created.
Required: No
Type: Boolean
Update requires: No interruption
Name
-
The name of the event data store.
Required: No
Type: String
Minimum:
3
Maximum:
128
Pattern:
^[a-zA-Z0-9._\-]+$
Update requires: No interruption
OrganizationEnabled
-
Specifies whether an event data store collects events logged for an organization in AWS Organizations.
Required: No
Type: Boolean
Update requires: No interruption
RetentionPeriod
-
The retention period of the event data store, in days. You can set a retention period of up to 2557 days, the equivalent of seven years.
Required: No
Type: Integer
Minimum:
7
Maximum:
2557
Update requires: No interruption
Tags
-
A list of tags.
Required: No
Type: List of Tag
Maximum:
200
Update requires: No interruption
TerminationProtectionEnabled
-
Specifies whether termination protection is enabled for the event data store. If termination protection is enabled, you cannot delete the event data store until termination protection is disabled.
Required: No
Type: Boolean
Update requires: No interruption
Return values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref
returns the resource name.
Fn::GetAtt
The Fn::GetAtt
intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt
intrinsic function, see Fn::GetAtt.
CreatedTimestamp
-
When you pass the logical ID of this resource to the intrinsic
Ref
function,Ref
returns the time stamp of the creation of the event data store, such as1248496624
. EventDataStoreArn
When you pass the logical ID of this resource to the intrinsic
Ref
function,Ref
returns the ARN of the CloudTrail event data store, such asarn:aws:cloudtrail:us-east-1:12345678910:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE
.Status
-
When you pass the logical ID of this resource to the intrinsic
Ref
function,Ref
returns the status of the event data store, such asENABLED
. UpdatedTimestamp
-
When you pass the logical ID of this resource to the intrinsic
Ref
function,Ref
returns the time stamp that updates were made to an event data store, such as1598296624
.
Examples
Example
The following example creates an event data store that logs events in all regions. For information about CloudTrail Lake event data stores, see Working with CloudTrail Lake in the AWS CloudTrail User Guide.
JSON
{ "Parameters": { "Name": { "Type": "String" } }, "Conditions": { "IsOrganizationsSupported": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "AWS::Partition" }, "aws-cn" ] } ] } }, "Resources": { "myEventDataStore": { "Type": "AWS::CloudTrail::EventDataStore", "Properties": { "Name": { "Ref": "Name" }, "MultiRegionEnabled": true, "RetentionPeriod": 30, "OrganizationEnabled": { "Fn::If": [ "IsOrganizationsSupported", true, { "Ref": "AWS::NoValue" } ] }, "TerminationProtectionEnabled": false, "KmsKeyId": { "Fn::ImportValue": "EventDataStoreKeyTest" }, "Tags": [ { "Key": "TagKeyIntTest", "Value": "TagValueIntTest" }, { "Key": "TagKeyIntTest2", "Value": "TagValueIntTest2" } ], "AdvancedEventSelectors": [ { "Name": "AdvancedEventSelectors1", "FieldSelectors": [ { "Field": "eventCategory", "Equals": [ "Management" ] } ] } ] } } }, "Outputs": { "myEventDataStoreArn": { "Description": "The event data store ARN", "Value": { "Fn::GetAtt": [ "myEventDataStore", "EventDataStoreArn" ] } } } }
YAML
Parameters: Name: Type: String Conditions: IsOrganizationsSupported: !Not [!Equals [Ref: "AWS::Partition", "aws-cn"]] Resources: myEventDataStore: Type: AWS::CloudTrail::EventDataStore Properties: Name: !Ref Name MultiRegionEnabled: true RetentionPeriod: 30 OrganizationEnabled: Fn::If: - IsOrganizationsSupported - true - !Ref "AWS::NoValue" TerminationProtectionEnabled: false KmsKeyId: Fn::ImportValue: EventDataStoreKeyTest Tags: - Key: "TagKeyIntTest" Value: "TagValueIntTest" - Key: "TagKeyIntTest2" Value: "TagValueIntTest2" AdvancedEventSelectors: - Name: "AdvancedEventSelectors1" FieldSelectors: - Field: "eventCategory" Equals: [ "Management" ] Outputs: myEventDataStoreArn: Description: The eventdatastore ARN Value: 'Fn::GetAtt': - myEventDataStore - EventDataStoreArn