Managing event data stores with the Amazon CLI - Amazon CloudTrail

Managing event data stores with the Amazon CLI

This section describes several other commands that you can run to get information about your event data stores, start and stop ingestion on an event data store, and enable and disable federation on an event data store.

Get an event data store with the Amazon CLI

The following example Amazon CLI get-event-data-store command returns information about the event data store specified by the required --event-data-store parameter, which accepts an ARN or the ID suffix of the ARN.

aws cloudtrail get-event-data-store --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE

The following is an example response. Creation and last updated times are in timestamp format.

{
    "EventDataStoreARN": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
    "Name": "s3-data-events-eds",
    "Status": "ENABLED",
    "AdvancedEventSelectors": [
        {
            "Name": "Log DeleteObject API calls for a specific S3 bucket",
            "FieldSelectors": [
                {
                    "Field": "eventCategory",
                    "Equals": [ "Data" ]
                },
                {
                    "Field": "eventName",
                    "Equals": [ "DeleteObject" ]
                },
                {
                    "Field": "resources.ARN",
                    "StartsWith": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET" ]
                },
                {
                    "Field": "readOnly",
                    "Equals": [ "false" ]
                },
                {
                    "Field": "resources.type",
                    "Equals": [ "AWS::S3::Object" ]
                }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "FIXED_RETENTION_PRICING",
    "RetentionPeriod": 2557,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2023-11-09T22:20:36.344000+00:00",
    "UpdatedTimestamp": "2023-11-09T22:20:36.476000+00:00"
}

List all event data stores in an account with the Amazon CLI

The following example Amazon CLI list-event-data-stores command returns information about all event data stores in an account, in the current Region. Optional parameters include --max-results, to specify a maximum number of results that you want the command to return on a single page. If there are more results than your specified --max-results value, run the command again adding the returned NextToken value to get the next page of results.

aws cloudtrail list-event-data-stores

The following is an example response.

{
    "EventDataStores": [
        {
            "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE7-cad6-4357-a84b-318f9868e969",
            "Name": "management-events-eds"
        },
        {
            "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE6-88e1-43b7-b066-9c046b4fd47a",
            "Name": "config-items-eds"
        },
        {
            "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEf-b314-4c85-964e-3e43b1e8c3b4",
            "Name": "s3-data-events"
        }
    ]
}

Stop ingestion on an event data store with the Amazon CLI

The following example Amazon CLI stop-event-data-store-ingestion command stops an event data store from ingesting events. To stop ingestion, the event data store Status must be ENABLED and the eventCategory must be Management, Data, or ConfigurationItem. The event data store is specified by --event-data-store, which accepts an event data store ARN, or the ID suffix of the ARN. After you run stop-event-data-store-ingestion, the state of the event data store changes to STOPPED_INGESTION.

The event data store does count towards your account maximum of ten event data stores when its state is STOPPED_INGESTION.

aws cloudtrail stop-event-data-store-ingestion --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE

There is no response if the operation is successful.

Start ingestion on an event data store with the Amazon CLI

The following example Amazon CLI start-event-data-store-ingestion command starts event ingestion on an event data store. To start ingestion, the event data store Status must be STOPPED_INGESTION and the eventCategory must be Management, Data, or ConfigurationItem. The event data store is specified by --event-data-store, which accepts an event data store ARN, or the ID suffix of the ARN. After you run start-event-data-store-ingestion, the state of the event data store changes to ENABLED.

aws cloudtrail start-event-data-store-ingestion --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE

There is no response if the operation is successful.
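
Because neither stop-event-data-store-ingestion nor start-event-data-store-ingestion returns a response, the resulting state has to be read back with get-event-data-store. The following Python script is an added example, not part of the original documentation: it follows NextToken through list-event-data-stores, calls get-event-data-store for each store, and reports any store whose Status is not ENABLED or whose TerminationProtectionEnabled is false. The function names, the finding messages, and the SAMPLE responses are constructed for illustration.

```python
import json
import subprocess

def aws_json(args):
    """Run a CLI command and return its parsed JSON response ({} when there is none)."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}

def list_store_arns(run=aws_json):
    """Follow NextToken until every event data store ARN is collected."""
    arns, token = [], None
    while True:
        args = ["cloudtrail", "list-event-data-stores"] + (["--next-token", token] if token else [])
        page = run(args)
        arns += [s["EventDataStoreArn"] for s in page.get("EventDataStores", [])]
        token = page.get("NextToken")
        if not token:
            return arns

def audit_stores(run=aws_json):
    """Return (name, finding) pairs for stores that are not ingesting or are unprotected."""
    findings = []
    for arn in list_store_arns(run):
        eds = run(["cloudtrail", "get-event-data-store", "--event-data-store", arn])
        name = eds.get("Name", arn)
        if eds.get("Status") != "ENABLED":
            findings.append((name, f"status is {eds.get('Status')}, not ENABLED"))
        if not eds.get("TerminationProtectionEnabled", False):
            findings.append((name, "termination protection is off"))
    return findings

SAMPLE = {  # constructed responses, not real account data
    "arn:constructed:eds-1": {"Name": "management-events-eds", "Status": "ENABLED", "TerminationProtectionEnabled": True},
    "arn:constructed:eds-2": {"Name": "s3-data-events", "Status": "STOPPED_INGESTION", "TerminationProtectionEnabled": False},
}

def sample_run(args):
    """Offline stand-in for aws_json: one store per page, the token is the next ARN."""
    arns = list(SAMPLE)
    if args[1] == "get-event-data-store":
        return SAMPLE[args[-1]]
    i = arns.index(args[-1]) if "--next-token" in args else 0
    return {"EventDataStores": [{"EventDataStoreArn": arns[i]}],
            "NextToken": arns[i + 1] if i + 1 < len(arns) else None}

if __name__ == "__main__":
    for name, finding in audit_stores(sample_run):  # audit_stores() queries the current Region
        print(f"{name}: {finding}")
```

Calling audit_stores() with no argument runs the same checks through the installed CLI, using its configured credentials and Region.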

Enable federation on an event data store

To enable federation, run the aws cloudtrail enable-federation command, providing the required --event-data-store and --role parameters. For --event-data-store, provide the event data store ARN (or the ID suffix of the ARN). For --role, provide the ARN for your federation role. The role must exist in your account and provide the required minimum permissions.

aws cloudtrail enable-federation --event-data-store arn:aws:cloudtrail:region:account-id:eventdatastore/eds-id --role arn:aws:iam::account-id:role/federation-role-name

This example shows how a delegated administrator can enable federation on an organization event data store by specifying the ARN of the event data store in the management account and the ARN of the federation role in the delegated administrator account.

aws cloudtrail enable-federation --event-data-store arn:aws:cloudtrail:region:management-account-id:eventdatastore/eds-id --role arn:aws:iam::delegated-administrator-account-id:role/federation-role-name

Disable federation on an event data store

To disable federation on the event data store, run the aws cloudtrail disable-federation command. The event data store is specified by --event-data-store, which accepts an event data store ARN or the ID suffix of the ARN.

aws cloudtrail disable-federation --event-data-store arn:aws:cloudtrail:region:account-id:eventdatastore/eds-id

Note: If this is an organization event data store, use the account ID for the management account.

Restore an event data store with the Amazon CLI

The following example Amazon CLI restore-event-data-store command restores an event data store that is pending deletion. The event data store is specified by --event-data-store, which accepts an event data store ARN or the ID suffix of the ARN. You can only restore a deleted event data store within the seven-day wait period after deletion.

aws cloudtrail restore-event-data-store --event-data-store EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE

The response includes information about the event data store, including its ARN, advanced event selectors, and the status of restoration.