
Create an event data store for Amazon Config configuration items

You can create an event data store to include Amazon Config configuration items, and use the event data store to investigate non-compliant changes to your production environments. With an event data store, you can relate non-compliant rules to the users and resources associated with the changes. A configuration item represents a point-in-time view of the attributes of a supported Amazon resource that exists in your account. Amazon Config creates a configuration item whenever it detects a change to a resource type that it is recording. Amazon Config also creates configuration items when a configuration snapshot is captured.

You can use both Amazon Config and CloudTrail Lake to run queries against your configuration items. You can use Amazon Config to query the current configuration state of Amazon resources based on configuration properties for a single Amazon Web Services account and Amazon Web Services Region, or across multiple accounts and Regions. In contrast, you can use CloudTrail Lake to query across diverse data sources such as CloudTrail events, configuration items, and rule evaluations. CloudTrail Lake queries cover all Amazon Config configuration items including resource configuration and compliance history.

Creating an event data store for configuration items doesn't impact existing Amazon Config advanced queries, or any configured Amazon Config aggregators. You can continue to run advanced queries using Amazon Config, and Amazon Config continues to deliver history files to your S3 buckets.

CloudTrail Lake event data stores incur charges. When you create an event data store, you choose the pricing option you want to use for the event data store. The pricing option determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store. For information about CloudTrail pricing and managing Lake costs, see Amazon CloudTrail Pricing and Managing CloudTrail Lake costs.

Limitations

The following limitations apply to event data stores for configuration items.

  • No support for custom configuration items

  • No support for event filtering using advanced event selectors

Prerequisites

Before you create your event data store, set up Amazon Config recording for all your accounts and Regions. You can use Quick Setup, a capability of Amazon Systems Manager, to quickly create a configuration recorder powered by Amazon Config.

Note

You are charged service usage fees when Amazon Config starts recording configurations. For more information about pricing, see Amazon Config Pricing. For information about managing the configuration recorder, see Managing the Configuration Recorder in the Amazon Config Developer Guide.

Additionally, the following actions are recommended, but are not required to create an event data store.

  • Set up an Amazon S3 bucket to receive configuration snapshots (delivered on request) and configuration history. For more information about snapshots, see Managing the Delivery Channel and Delivering Configuration Snapshot to an Amazon S3 Bucket in the Amazon Config Developer Guide.

  • Specify the rules that you want Amazon Config to use to evaluate compliance information for the recorded resource types. Several of the CloudTrail Lake sample queries for Amazon Config require Amazon Config Rules to evaluate the compliance state of your Amazon resources. For more information about Amazon Config Rules, see Evaluating Resources with Amazon Config Rules in the Amazon Config Developer Guide.

To create an event data store for configuration items

  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

  2. From the navigation pane, under Lake, choose Event data stores.

  3. Choose Create event data store.

  4. On the Configure event data store page, in General details, enter a name for the event data store. A name is required.

  5. Choose the Pricing option that you want to use for your event data store. The pricing option determines the cost for ingesting and storing events, and the default and maximum retention periods for your event data store. For more information, see Amazon CloudTrail Pricing and Managing CloudTrail Lake costs.

    The following are the available options:

    • One-year extendable retention pricing - Generally recommended if you expect to ingest less than 25 TB of event data per month and want a flexible retention period of up to 10 years. For the first 366 days (the default retention period), storage is included at no additional charge with ingestion pricing. After 366 days, extended retention is available at pay-as-you-go pricing. This is the default option.

      • Default retention period: 366 days

      • Maximum retention period: 3,653 days

    • Seven-year retention pricing - Recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 7 years. Retention is included with ingestion pricing at no additional charge.

      • Default retention period: 2,557 days

      • Maximum retention period: 2,557 days

  6. Specify a retention period for the event data store. Retention periods can be between 7 days and 3,653 days (about 10 years) for the One-year extendable retention pricing option, or between 7 days and 2,557 days (about seven years) for the Seven-year retention pricing option.

    CloudTrail Lake determines whether to retain an event by checking if the eventTime of the event is within the specified retention period. For example, if you specify a retention period of 90 days, CloudTrail will remove events when their eventTime is older than 90 days.

  7. (Optional) To enable encryption using Amazon Key Management Service, choose Use my own Amazon KMS key. Choose New to have an Amazon KMS key created for you, or choose Existing to use an existing KMS key. In Enter KMS alias, specify an alias, in the format alias/MyAliasName. Using your own KMS key requires that you edit your KMS key policy to allow CloudTrail logs to be encrypted and decrypted. For more information, see Configure Amazon KMS key policies for CloudTrail. CloudTrail also supports Amazon KMS multi-Region keys. For more information about multi-Region keys, see Using multi-Region keys in the Amazon Key Management Service Developer Guide.

    Using your own KMS key incurs Amazon KMS costs for encryption and decryption. After you associate an event data store with a KMS key, the KMS key cannot be removed or changed.

    Note

    To enable Amazon Key Management Service encryption for an organization event data store, you must use an existing KMS key for the management account.

  8. (Optional) If you want to query against your event data using Amazon Athena, choose Enable in Lake query federation. Federation lets you view the metadata associated with the event data store in the Amazon Glue Data Catalog and run SQL queries against the event data in Athena. The table metadata stored in the Amazon Glue Data Catalog lets the Athena query engine know how to find, read, and process the data that you want to query. For more information, see Federate an event data store.

    To enable Lake query federation, choose Enable and then do the following:

    1. Choose whether you want to create a new role or use an existing IAM role. Amazon Lake Formation uses this role to manage permissions for the federated event data store. When you create a new role using the CloudTrail console, CloudTrail automatically creates a role with the required permissions. If you choose an existing role, be sure the policy for the role provides the required minimum permissions.

    2. If you are creating a new role, enter a name to identify the role.

    3. If you are using an existing role, choose the role you want to use. The role must exist in your account.

  9. (Optional) In the Tags section, you can add up to 50 tag key pairs to help you identify, sort, and control access to your event data store. For more information about how to use IAM policies to authorize access to an event data store based on tags, see Examples: Denying access to create or delete event data stores based on tags. For more information about how you can use tags in Amazon, see Tagging Amazon resources in the Amazon Web Services General Reference.

  10. Choose Next.

  11. On the Choose events page, choose Amazon events, and then choose Configuration items.

  12. CloudTrail stores the event data store resource in the Region in which you create it, but by default, the configuration items collected in the data store are from all Regions in your account that have recording enabled. Optionally, you can select Include only the current region in my event data store to include only configuration items that are captured in the current Region. If you do not choose this option, your event data store includes configuration items from all Regions that have recording enabled.

  13. To have your event data store collect configuration items from all accounts in an Amazon Organizations organization, select Enable for all accounts in my organization. You must be signed in to the management account or delegated administrator account for the organization to create an event data store that collects configuration items for an organization.

  14. Choose Next to review your choices.

  15. On the Review and create page, review your choices. Choose Edit to make changes to a section. When you're ready to create the event data store, choose Create event data store.

  16. The new event data store is visible in the Event data stores table on the Event data stores page.

    From this point forward, the event data store captures configuration items. Configuration items generated before you created the event data store are not included in it.
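As an added example that is not part of the CloudTrail documentation, the following Python expresses steps 4 through 13 of the console procedure as the parameters of the CloudTrail CreateEventDataStore API (the names boto3 accepts) and enforces the retention bounds, KMS alias format and 50-tag limit stated above before anything is sent. The function name is this example's own, and it deliberately returns the parameter dict instead of calling boto3's create_event_data_store so that it runs offline.

```python
from typing import Optional

# Retention bounds in days for each pricing option, as stated on this page.
RETENTION_BOUNDS = {
    "EXTENDABLE_RETENTION_PRICING": (7, 3653),  # One-year extendable retention pricing
    "FIXED_RETENTION_PRICING": (7, 2557),       # Seven-year retention pricing
}


def build_config_items_eds(
    name: str,
    billing_mode: str = "EXTENDABLE_RETENTION_PRICING",
    retention_days: int = 366,
    current_region_only: bool = False,
    organization_wide: bool = False,
    kms_alias: Optional[str] = None,
    tags: Optional[dict] = None,
) -> dict:
    """Return CreateEventDataStore parameters for a configuration-item event data store."""
    if billing_mode not in RETENTION_BOUNDS:
        raise ValueError(f"unknown billing mode {billing_mode!r}")
    low, high = RETENTION_BOUNDS[billing_mode]
    if not low <= retention_days <= high:
        raise ValueError(f"retention must be {low}-{high} days for {billing_mode}")
    if kms_alias is not None and not kms_alias.startswith("alias/"):
        raise ValueError("KMS key must be given as alias/MyAliasName")
    if tags and len(tags) > 50:
        raise ValueError("an event data store takes at most 50 tags")

    params = {
        "Name": name,
        "BillingMode": billing_mode,
        "RetentionPeriod": retention_days,
        # Choosing "Configuration items" on the Choose events page corresponds to the
        # eventCategory=ConfigurationItem selector; no other filtering is supported.
        "AdvancedEventSelectors": [{
            "Name": "AWS Config configuration items",
            "FieldSelectors": [{"Field": "eventCategory", "Equals": ["ConfigurationItem"]}],
        }],
        # Leaving "Include only the current region" unchecked collects from all Regions.
        "MultiRegionEnabled": not current_region_only,
        "OrganizationEnabled": organization_wide,
    }
    if kms_alias:
        params["KmsKeyId"] = kms_alias
    if tags:
        params["TagsList"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return params
```

Pass the returned dict as keyword arguments to boto3's cloudtrail client create_event_data_store call; the validation errors surface the same constraints the console enforces interactively.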

Sample queries

You can now run queries on your new event data store. The Sample queries tab on the CloudTrail console provides example queries to get you started. The following are a few of the sample queries that you can run against your configuration item event data store. In each query, replace config_event_data_store_ID (and, where present, cloudtrail_event_data_store_ID) with the ID of your own event data store.

Description: Find which user performed an action that resulted in a non-compliant status by joining a configuration item event data store with a CloudTrail event data store.

Query:

    SELECT element_at(config1.eventData.configuration, 'targetResourceId') AS targetResourceId,
           element_at(config1.eventData.configuration, 'complianceType') AS complianceType,
           config2.eventData.resourceType,
           cloudtrail.userIdentity
    FROM config_event_data_store_ID AS config1
    JOIN config_event_data_store_ID AS config2
      ON element_at(config1.eventData.configuration, 'targetResourceId') = config2.eventData.resourceId
    JOIN cloudtrail_event_data_store_ID AS cloudtrail
      ON config2.eventData.arn = element_at(cloudtrail.resources, 1).arn
    WHERE element_at(config1.eventData.configuration, 'configRuleList') IS NOT NULL
      AND element_at(config1.eventData.configuration, 'complianceType') = 'NON_COMPLIANT'
      AND cloudtrail.eventTime > '2022-11-14 00:00:00'
      AND config2.eventData.resourceType = 'AWS::DynamoDB::Table'

Description: Find all Amazon Config rules and return the compliance state from configuration items generated within the past day.

Query:

    SELECT eventData.configuration, eventData.accountId, eventData.awsRegion,
           eventData.resourceName, eventData.resourceCreationTime,
           element_at(eventData.configuration, 'complianceType') AS complianceType,
           element_at(eventData.configuration, 'configRuleList') AS configRuleList,
           element_at(eventData.configuration, 'resourceId') AS resourceId,
           element_at(eventData.configuration, 'resourceType') AS resourceType
    FROM config_event_data_store_ID
    WHERE eventData.resourceType = 'AWS::Config::ResourceCompliance'
      AND eventTime > '2022-11-22 00:00:00'
    ORDER BY eventData.resourceCreationTime DESC
    LIMIT 10

Description: Find the total count of Amazon Config resources grouped by resource type, account ID, and Region.

Query:

    SELECT eventData.resourceType, eventData.awsRegion, eventData.accountId,
           COUNT(*) AS resourceCount
    FROM config_event_data_store_ID
    WHERE eventTime > '2022-11-22 00:00:00'
    GROUP BY eventData.resourceType, eventData.awsRegion, eventData.accountId

Description: Find the resource creation time for all Amazon Config configuration items generated on a specific date.

Query:

    SELECT eventData.configuration, eventData.accountId, eventData.awsRegion,
           eventData.resourceId, eventData.resourceName, eventData.resourceType,
           eventData.availabilityZone, eventData.resourceCreationTime
    FROM config_event_data_store_ID
    WHERE eventTime > '2022-11-16 00:00:00'
      AND eventTime < '2022-11-17 00:00:00'
    ORDER BY eventData.resourceCreationTime DESC
    LIMIT 10

For more information about creating and editing queries, see Create or edit a query.