Create an event data store

When you create an event data store in CloudTrail Lake, you choose the type of events to include in your event data store. You can create an event data store to include CloudTrail data or management events, Amazon Config configuration items, or events outside of Amazon. Each event data store type can only contain specific event categories (for example, Amazon Config configuration items), because the event schema is unique to the event category. You can run SQL queries across multiple event data stores using the supported SQL JOIN keywords. For information about running queries across multiple event data stores, see Advanced, multi-table query support.

The following table shows the supported event categories for each event data store type. The eventCategory column shows the value that you would specify in the advanced event selectors to collect events of that type.

You can also create an event data store for Amazon Audit Manager evidence by using the Audit Manager console. For more information about aggregating evidence in CloudTrail Lake using Audit Manager, see Understanding how evidence finder works with CloudTrail Lake in the Amazon Audit Manager User Guide.

The sections which follow describe how to create an event data store using the CloudTrail console. For information about how to create an event data store using the Amazon CLI, see Managing CloudTrail Lake by using the Amazon CLI.