Managing CloudTrail Lake by using the Amazon CLI - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing CloudTrail Lake by using the Amazon CLI

The following are example Amazon CLI commands for creating and managing event data stores and queries in CloudTrail Lake.

Create an event data store with the Amazon CLI

Use the create-event-data-store command to create an event data store.

When you create an event data store, the only required parameter is --name, which is used to identify the event data store. You can configure additional optional parameters, including:

  • --advanced-event-selectors - Specifies the type of events to include in the event data store. By default, event data stores log all management events. For more information about advanced event selectors, see AdvancedEventSelector in the CloudTrail API Reference.

  • --kms-key-id - Specifies the AWS KMS key ID to use to encrypt the events delivered by CloudTrail. The value can be an alias name prefixed by alias/, a fully specified ARN to an alias, a fully specified ARN to a key, or a globally unique identifier.

  • --multi-region-enabled - Creates a multi-Region event data store that logs events for all Amazon Web Services Regions in your account. By default, --multi-region-enabled is set, even if the parameter is not added.

  • --organization-enabled - Enables an event data store to collect events for all accounts in an organization. By default, the event data store is not enabled for all accounts in an organization.

  • --billing-mode - Determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store.

    The following are the possible values:

    • EXTENDABLE_RETENTION_PRICING - This billing mode is generally recommended if you ingest less than 25 TB of event data a month and want a flexible retention period of up to 3653 days (about 10 years). The default retention period for this billing mode is 366 days.

    • FIXED_RETENTION_PRICING - This billing mode is recommended if you expect to ingest more than 25 TB of event data per month and need a retention period of up to 2557 days (about 7 years). The default retention period for this billing mode is 2557 days.

    The default value is EXTENDABLE_RETENTION_PRICING.

  • --retention-period - The number of days to keep events in the event data store. Valid values are integers between 7 and 3653 if the --billing-mode is EXTENDABLE_RETENTION_PRICING, or between 7 and 2557 if the --billing-mode is set to FIXED_RETENTION_PRICING. If you do not specify --retention-period, CloudTrail uses the default retention period for the --billing-mode.

  • --start-ingestion - Starts event ingestion on the event data store when it's created. This parameter is set by default, even if it is not added.

    Specify --no-start-ingestion if you do not want the event data store to ingest live events. For example, you may want to set this parameter if you are copying events to the event data store and only plan to use the event data to analyze past events. The --no-start-ingestion parameter is only valid if the eventCategory is Management, Data, or ConfigurationItem.

The following examples show how to create different types of event data stores.

Create an event data store for S3 data events with the Amazon CLI

The following example Amazon Command Line Interface (Amazon CLI) create-event-data-store command creates an event data store named my-event-data-store that selects all Amazon S3 data events and is encrypted using a KMS key.

aws cloudtrail create-event-data-store \
    --name my-event-data-store \
    --kms-key-id "arn:aws:kms:us-east-1:123456789012:alias/KMS_key_alias" \
    --advanced-event-selectors '[
        {
            "Name": "Select all S3 data events",
            "FieldSelectors": [
                { "Field": "eventCategory", "Equals": ["Data"] },
                { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
                { "Field": "resources.ARN", "StartsWith": ["arn:aws:s3"] }
            ]
        }
    ]'

The following is an example response.

{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-ee54-4813-92d5-999aeEXAMPLE",
    "Name": "my-event-data-store",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Select all S3 data events",
            "FieldSelectors": [
                { "Field": "eventCategory", "Equals": [ "Data" ] },
                { "Field": "resources.type", "Equals": [ "AWS::S3::Object" ] },
                { "Field": "resources.ARN", "StartsWith": [ "arn:aws:s3" ] }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "EXTENDABLE_RETENTION_PRICING",
    "RetentionPeriod": 366,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:alias/KMS_key_alias",
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2023-11-09T22:19:39.417000-05:00",
    "UpdatedTimestamp": "2023-11-09T22:19:39.603000-05:00"
}

Create an event data store for Amazon Config configuration items with the Amazon CLI

The following example Amazon CLI create-event-data-store command creates an event data store named config-items-eds that selects Amazon Config configuration items. To collect configuration items, specify that the eventCategory field Equals ConfigurationItem in the advanced event selectors.

aws cloudtrail create-event-data-store \
    --name config-items-eds \
    --advanced-event-selectors '[
        {
            "Name": "Select Amazon Config configuration items",
            "FieldSelectors": [
                { "Field": "eventCategory", "Equals": ["ConfigurationItem"] }
            ]
        }
    ]'

The following is an example response.

{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-ee54-4813-92d5-999aeEXAMPLE",
    "Name": "config-items-eds",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Select Amazon Config configuration items",
            "FieldSelectors": [
                { "Field": "eventCategory", "Equals": [ "ConfigurationItem" ] }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": false,
    "BillingMode": "EXTENDABLE_RETENTION_PRICING",
    "RetentionPeriod": 366,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2023-11-07T19:03:24.277000+00:00",
    "UpdatedTimestamp": "2023-11-07T19:03:24.468000+00:00"
}

Create an organization event data store for management events with the Amazon CLI

The following example Amazon CLI create-event-data-store command creates an organization event data store that collects all management events and sets the --billing-mode parameter to FIXED_RETENTION_PRICING.

aws cloudtrail create-event-data-store --name org-management-eds --organization-enabled --billing-mode FIXED_RETENTION_PRICING

The following is an example response.

{
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE6-d493-4914-9182-e52a7934b207",
    "Name": "org-management-eds",
    "Status": "CREATED",
    "AdvancedEventSelectors": [
        {
            "Name": "Default management events",
            "FieldSelectors": [
                { "Field": "eventCategory", "Equals": [ "Management" ] }
            ]
        }
    ],
    "MultiRegionEnabled": true,
    "OrganizationEnabled": true,
    "BillingMode": "FIXED_RETENTION_PRICING",
    "RetentionPeriod": 2557,
    "TerminationProtectionEnabled": true,
    "CreatedTimestamp": "2023-11-16T15:30:50.689000+00:00",
    "UpdatedTimestamp": "2023-11-16T15:30:50.851000+00:00"
}

Create event data stores for Insights events with the Amazon CLI

To log Insights events in CloudTrail Lake, you need a destination event data store that collects Insights events and a source event data store that enables Insights and logs management events.

This procedure shows you how to create the destination and source event data stores and then enable Insights events.

  1. Run the aws cloudtrail create-event-data-store command to create a destination event data store that collects Insights events. The value for eventCategory must be Insight. Replace retention-period-days with the number of days you would like to retain events in your event data store. Valid values are integers between 7 and 3653 if the --billing-mode is EXTENDABLE_RETENTION_PRICING, or between 7 and 2557 if the --billing-mode is set to FIXED_RETENTION_PRICING. If you do not specify --retention-period, CloudTrail uses the default retention period for the --billing-mode.

    If you are signed in with the management account for an Amazon Organizations organization, include the --organization-enabled parameter if you want to give your delegated administrator access to the event data store.

    aws cloudtrail create-event-data-store \
        --name insights-event-data-store \
        --no-multi-region-enabled \
        --retention-period retention-period-days \
        --advanced-event-selectors '[
            {
                "Name": "Select Insights events",
                "FieldSelectors": [
                    { "Field": "eventCategory", "Equals": ["Insight"] }
                ]
            }
        ]'

    The following is an example response.

    {
        "Name": "insights-event-data-store",
        "ARN": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEf852-4e8f-8bd1-bcf6cEXAMPLE",
        "AdvancedEventSelectors": [
            {
                "Name": "Select Insights events",
                "FieldSelectors": [
                    { "Field": "eventCategory", "Equals": [ "Insight" ] }
                ]
            }
        ],
        "MultiRegionEnabled": false,
        "OrganizationEnabled": false,
        "BillingMode": "EXTENDABLE_RETENTION_PRICING",
        "RetentionPeriod": "90",
        "TerminationProtectionEnabled": true,
        "CreatedTimestamp": "2023-05-08T15:22:33.578000+00:00",
        "UpdatedTimestamp": "2023-05-08T15:22:33.714000+00:00"
    }

    You will use the ARN (or ID suffix of the ARN) from the response as the value for the --insights-destination parameter in step 3.

  2. Run the aws cloudtrail create-event-data-store command to create a source event data store that logs management events. By default, event data stores log all management events. You don't need to specify the advanced event selectors if you want to log all management events. Replace retention-period-days with the number of days you would like to retain events in your event data store. Valid values are integers between 7 and 3653 if the --billing-mode is EXTENDABLE_RETENTION_PRICING, or between 7 and 2557 if the --billing-mode is set to FIXED_RETENTION_PRICING. If you do not specify --retention-period, CloudTrail uses the default retention period for the --billing-mode. If you are creating an organization event data store, include the --organization-enabled parameter.

    aws cloudtrail create-event-data-store --name source-event-data-store --retention-period retention-period-days

    The following is an example response.

    {
        "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE9952-4ab9-49c0-b788-f4f3EXAMPLE",
        "Name": "source-event-data-store",
        "Status": "CREATED",
        "AdvancedEventSelectors": [
            {
                "Name": "Default management events",
                "FieldSelectors": [
                    { "Field": "eventCategory", "Equals": [ "Management" ] }
                ]
            }
        ],
        "MultiRegionEnabled": true,
        "OrganizationEnabled": false,
        "BillingMode": "EXTENDABLE_RETENTION_PRICING",
        "RetentionPeriod": 90,
        "TerminationProtectionEnabled": true,
        "CreatedTimestamp": "2023-05-08T15:25:35.578000+00:00",
        "UpdatedTimestamp": "2023-05-08T15:25:35.714000+00:00"
    }

    You will use the ARN (or ID suffix of the ARN) from the response as the value for the --event-data-store parameter in step 3.

  3. Run the put-insight-selectors command to enable Insights events. Insights selector values can be ApiCallRateInsight, ApiErrorRateInsight, or both. For the --event-data-store parameter, specify the ARN (or ID suffix of the ARN) of the source event data store that logs management events and will enable Insights. For the --insights-destination parameter, specify the ARN (or ID suffix of the ARN) of the destination event data store that will log Insights events.

    aws cloudtrail put-insight-selectors \
        --event-data-store arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE9952-4ab9-49c0-b788-f4f3EXAMPLE \
        --insights-destination arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEf852-4e8f-8bd1-bcf6cEXAMPLE \
        --insight-selectors '[{"InsightType": "ApiCallRateInsight"},{"InsightType": "ApiErrorRateInsight"}]'

    The following result shows the Insights event selector that is configured for the event data store.

    {
        "EventDataStoreARN": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE9952-4ab9-49c0-b788-f4f3EXAMPLE",
        "InsightsDestination": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLEf852-4e8f-8bd1-bcf6cEXAMPLE",
        "InsightSelectors": [
            { "InsightType": "ApiErrorRateInsight" },
            { "InsightType": "ApiCallRateInsight" }
        ]
    }

    After you enable CloudTrail Insights for the first time on an event data store, it can take up to 7 days for CloudTrail to deliver the first Insights event, if unusual activity is detected.

    CloudTrail Insights analyzes management events that occur in a single Region, not globally. A CloudTrail Insights event is generated in the same Region as its supporting management events are generated.

    For an organization event data store, CloudTrail analyzes management events from each member's account instead of analyzing the aggregation of all management events for the organization.

Additional charges apply for ingesting Insights events in CloudTrail Lake. You will be charged separately if you enable Insights for both trails and event data stores. For information about CloudTrail pricing, see Amazon CloudTrail Pricing.

Import trail events to an event data store with the Amazon CLI

In the Amazon CLI, you can import trail events to an event data store. The procedure in this section demonstrates how to create and configure an event data store by running the create-event-data-store command and then import the events to that event data store by using the start-import command. For more information about importing trail events including information about considerations and required permissions, see Copy trail events to an event data store.

Preparing to import trail events

Before you import trail events, make the following preparations.

  • Be sure you have a role with the required permissions to import trail events to an event data store.

  • Determine the --billing-mode value you want to specify for the event data store. The --billing-mode determines the cost of ingesting and storing events, and the default and maximum retention period for the event data store.

    When you import trail events to CloudTrail Lake, CloudTrail unzips the logs that are stored in gzip (compressed) format. Then CloudTrail copies the events contained in the logs to your event data store. The size of the uncompressed data could be greater than the actual Amazon S3 storage size. To get a general estimate of the size of the uncompressed data, multiply the size of the logs in the S3 bucket by 10. You can use this estimate to choose the --billing-mode value for your use case.

  • Determine the value you want to specify for the --retention-period. CloudTrail will not copy an event if its eventTime is older than the specified retention period.

    To determine the appropriate retention period, add the age in days of the oldest event you want to copy to the number of days you want to retain the events in the event data store, as shown in this equation:

    Retention period = oldest-event-in-days + number-days-to-retain

    For example, if the oldest event you're copying is 45 days old and you want to keep the events in the event data store for a further 45 days, you would set the retention period to 90 days.

  • Decide whether you want to use the event data store to analyze any future events. If you don't want to ingest any future events, include the --no-start-ingestion parameter when you create the event data store. By default, event data stores begin ingesting events when they're created.
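The create-event-data-store parameter rules described earlier (the --billing-mode retention bounds and defaults) and the import preparation steps above (the x10 sizing estimate and the retention equation), combined into a small planning helper. This is an added example, not code from the page or from AWS; the function names and the 2 TB sample volume are constructed.

```python
"""Plan a CloudTrail Lake event data store from the rules stated on this page.

Constructed helper, not AWS code: it encodes the --billing-mode retention bounds
and defaults, the 25 TB/month guidance, the x10 import sizing estimate and the
retention equation, so a plan can be checked before create-event-data-store runs.
"""

# Retention bounds (days) and defaults per --billing-mode, as listed on this page.
BILLING_MODES = {
    "EXTENDABLE_RETENTION_PRICING": {"min": 7, "max": 3653, "default": 366},
    "FIXED_RETENTION_PRICING": {"min": 7, "max": 2557, "default": 2557},
}
DEFAULT_BILLING_MODE = "EXTENDABLE_RETENTION_PRICING"
TB = 1024 ** 4
MONTHLY_THRESHOLD_BYTES = 25 * TB   # page guidance: below this, EXTENDABLE is recommended
UNCOMPRESSED_FACTOR = 10            # page guidance: gzip trail logs expand roughly x10


def estimate_uncompressed_bytes(compressed_s3_bytes):
    """Approximate volume CloudTrail ingests when importing gzip trail logs."""
    return compressed_s3_bytes * UNCOMPRESSED_FACTOR


def choose_billing_mode(uncompressed_bytes_per_month):
    """Billing mode the page recommends for the expected monthly ingest volume."""
    if uncompressed_bytes_per_month < MONTHLY_THRESHOLD_BYTES:
        return "EXTENDABLE_RETENTION_PRICING"
    return "FIXED_RETENTION_PRICING"


def check_retention(retention_days, billing_mode=DEFAULT_BILLING_MODE):
    """Raise if --retention-period is outside the range valid for the billing mode."""
    bounds = BILLING_MODES[billing_mode]
    if not bounds["min"] <= retention_days <= bounds["max"]:
        raise ValueError(
            f"--retention-period {retention_days} is outside "
            f"{bounds['min']}-{bounds['max']} days for {billing_mode}"
        )
    return retention_days


def plan_import_retention(oldest_event_age_days, days_to_retain,
                          billing_mode=DEFAULT_BILLING_MODE):
    """Retention period = oldest-event-in-days + number-days-to-retain.

    Events whose eventTime is older than the retention period are not copied,
    so the sum must reach back to the oldest event and still fit the bounds.
    """
    return check_retention(oldest_event_age_days + days_to_retain, billing_mode)


def effective_retention(billing_mode=None, retention_days=None):
    """Retention CloudTrail applies: the explicit value, else the mode's default."""
    mode = billing_mode or DEFAULT_BILLING_MODE
    if retention_days is None:
        return BILLING_MODES[mode]["default"]
    return check_retention(retention_days, mode)


def build_create_command(name, billing_mode=None, retention_days=None,
                         start_ingestion=True, organization_enabled=False,
                         multi_region=True, kms_key_id=None):
    """argv for create-event-data-store; omitted options keep the page's defaults."""
    if billing_mode is not None and billing_mode not in BILLING_MODES:
        raise ValueError(f"unknown --billing-mode {billing_mode}")
    argv = ["aws", "cloudtrail", "create-event-data-store", "--name", name]
    if billing_mode is not None:
        argv += ["--billing-mode", billing_mode]
    if retention_days is not None:
        check_retention(retention_days, billing_mode or DEFAULT_BILLING_MODE)
        argv += ["--retention-period", str(retention_days)]
    if not start_ingestion:
        argv.append("--no-start-ingestion")   # import-only store: no live events
    if organization_enabled:
        argv.append("--organization-enabled")
    if not multi_region:
        argv.append("--no-multi-region-enabled")
    if kms_key_id:
        argv += ["--kms-key-id", kms_key_id]
    return argv


if __name__ == "__main__":
    # The import scenario from this page: oldest event 90 days old, keep 30 more days.
    monthly = estimate_uncompressed_bytes(2 * TB)       # constructed: 2 TB of gzip logs
    mode = choose_billing_mode(monthly)                 # 20 TB < 25 TB -> EXTENDABLE
    retention = plan_import_retention(90, 30, mode)     # 120
    print(" ".join(build_create_command("import-trail-eds", retention_days=retention,
                                        start_ingestion=False)))
```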

To create an event data store and import trail events to that event data store

  1. Run the create-event-data-store command to create the new event data store. In this example, the --retention-period is set to 120 because the oldest event being copied is 90 days old and we want to retain the events for 30 days. The --no-start-ingestion parameter is set because we don't want to ingest any future events. In this example, --billing-mode wasn't set, because we are using the default value EXTENDABLE_RETENTION_PRICING as we expect to ingest less than 25 TB of event data.

    Note

    If you're creating the event data store to replace your trail, we recommend configuring the --advanced-event-selectors to match the event selectors of your trail to ensure you have the same event coverage. By default, event data stores log all management events.

    aws cloudtrail create-event-data-store --name import-trail-eds --retention-period 120 --no-start-ingestion

    The following is the example response:

    {
        "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEa-4357-45cd-bce5-17ec652719d9",
        "Name": "import-trail-eds",
        "Status": "CREATED",
        "AdvancedEventSelectors": [
            {
                "Name": "Default management events",
                "FieldSelectors": [
                    { "Field": "eventCategory", "Equals": [ "Management" ] }
                ]
            }
        ],
        "MultiRegionEnabled": true,
        "OrganizationEnabled": false,
        "BillingMode": "EXTENDABLE_RETENTION_PRICING",
        "RetentionPeriod": 120,
        "TerminationProtectionEnabled": true,
        "CreatedTimestamp": "2023-11-09T16:52:25.444000+00:00",
        "UpdatedTimestamp": "2023-11-09T16:52:25.569000+00:00"
    }

    The initial Status is CREATED so we'll run the get-event-data-store command to verify ingestion is stopped.

    aws cloudtrail get-event-data-store --event-data-store eds-id

    The response shows the Status is now STOPPED_INGESTION, which indicates the event data store is not ingesting live events.

    {
        "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEa-4357-45cd-bce5-17ec652719d9",
        "Name": "import-trail-eds",
        "Status": "STOPPED_INGESTION",
        "AdvancedEventSelectors": [
            {
                "Name": "Default management events",
                "FieldSelectors": [
                    { "Field": "eventCategory", "Equals": [ "Management" ] }
                ]
            }
        ],
        "MultiRegionEnabled": true,
        "OrganizationEnabled": false,
        "BillingMode": "EXTENDABLE_RETENTION_PRICING",
        "RetentionPeriod": 120,
        "TerminationProtectionEnabled": true,
        "CreatedTimestamp": "2023-11-09T16:52:25.444000+00:00",
        "UpdatedTimestamp": "2023-11-09T16:52:25.569000+00:00"
    }

  2. Run the start-import command to import the trail events to the event data store created in step 1. Specify the ARN (or ID suffix of the ARN) of the event data store as the value for the --destinations parameter. For --start-event-time specify the eventTime for the oldest event you want to copy and for --end-event-time specify the eventTime of the newest event you want to copy. For --import-source specify the S3 URI for the S3 bucket containing your trail logs, the Amazon Web Services Region for the S3 bucket, and the ARN of the role used for importing trail events.

    aws cloudtrail start-import \
        --destinations '["arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEa-4357-45cd-bce5-17ec652719d9"]' \
        --start-event-time 2023-08-11T16:08:12.934000+00:00 \
        --end-event-time 2023-11-09T17:08:20.705000+00:00 \
        --import-source '{"S3": {"S3LocationUri": "s3://aws-cloudtrail-logs-123456789012-612ff1f6/AWSLogs/123456789012/CloudTrail/", "S3BucketRegion": "us-east-1", "S3BucketAccessRoleArn": "arn:aws:iam::123456789012:role/service-role/CloudTrailLake-us-east-1-copy-events-eds"}}'

    The following is an example response.

    {
        "CreatedTimestamp": "2023-11-09T17:08:20.705000+00:00",
        "Destinations": [
            "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEa-4357-45cd-bce5-17ec652719d9"
        ],
        "EndEventTime": "2023-11-09T17:08:20.705000+00:00",
        "ImportId": "EXAMPLEe-7be2-4658-9204-b38c3257fcd1",
        "ImportSource": {
            "S3": {
                "S3BucketAccessRoleArn": "arn:aws:iam::123456789012:role/service-role/CloudTrailLake-us-east-1-copy-events-eds",
                "S3BucketRegion": "us-east-1",
                "S3LocationUri": "s3://aws-cloudtrail-logs-123456789012-111ff1f6/AWSLogs/123456789012/CloudTrail/"
            }
        },
        "ImportStatus": "INITIALIZING",
        "StartEventTime": "2023-08-11T16:08:12.934000+00:00",
        "UpdatedTimestamp": "2023-11-09T17:08:20.806000+00:00"
    }

  3. Run the get-import command to get information about the import.

    aws cloudtrail get-import --import-id import-id

    The following is an example response.

    {
        "ImportId": "EXAMPLEe-7be2-4658-9204-b38c3EXAMPLE",
        "Destinations": [
            "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEa-4357-45cd-bce5-17ec652719d9"
        ],
        "ImportSource": {
            "S3": {
                "S3LocationUri": "s3://aws-cloudtrail-logs-123456789012-111ff1f6/AWSLogs/123456789012/CloudTrail/",
                "S3BucketRegion": "us-east-1",
                "S3BucketAccessRoleArn": "arn:aws:iam::123456789012:role/service-role/CloudTrailLake-us-east-1-copy-events-eds"
            }
        },
        "StartEventTime": "2023-08-11T16:08:12.934000+00:00",
        "EndEventTime": "2023-11-09T17:08:20.705000+00:00",
        "ImportStatus": "COMPLETED",
        "CreatedTimestamp": "2023-11-09T17:08:20.705000+00:00",
        "ImportStatistics": {
            "PrefixesFound": 1548,
            "PrefixesCompleted": 1548,
            "FilesCompleted": 92845,
            "EventsCompleted": 577249,
            "FailedEntries": 0
        }
    }

    An import finishes with an ImportStatus of COMPLETED if there were no failures, or FAILED if there were failures.

    If the import had FailedEntries, you can run the list-import-failures command to return a list of failures.

    aws cloudtrail list-import-failures --import-id import-id

    To retry an import that had failures, run the start-import command with only the --import-id parameter. When you retry an import, CloudTrail resumes the import at the location where the failure occurred.

    aws cloudtrail start-import --import-id import-id

Create an integration to log events from outside Amazon with the Amazon CLI

In the Amazon CLI, you create an integration that logs events from outside Amazon in four commands (three if you already have an event data store that meets the criteria). Event data stores that you use as the destinations for an integration must be for a single Region and single account; they cannot be multi-region, they cannot log events for organizations in Amazon Organizations, and they can only include activity events. The event type in the console must be Events from integrations. In the API, the eventCategory value must be ActivityAuditLog. For more information about integrations, see Create an integration with an event source outside of Amazon.

  1. Run create-event-data-store to create an event data store, if you do not already have one or more event data stores that you can use for the integration.

    The following example Amazon CLI command creates an event data store that logs events from outside Amazon. For activity events, the eventCategory field selector value is ActivityAuditLog. The event data store has a retention period of 90 days set. By default, the event data store collects events from all Regions, but because this is collecting non-Amazon events, set it to a single Region by adding the --no-multi-region-enabled option. Termination protection is enabled by default, and the event data store does not collect events for accounts in an organization.

    aws cloudtrail create-event-data-store \
        --name my-event-data-store \
        --no-multi-region-enabled \
        --retention-period 90 \
        --advanced-event-selectors '[
            {
                "Name": "Select all external events",
                "FieldSelectors": [
                    { "Field": "eventCategory", "Equals": ["ActivityAuditLog"] }
                ]
            }
        ]'

    The following is an example response.

    {
        "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEf852-4e8f-8bd1-bcf6cEXAMPLE",
        "Name": "my-event-data-store",
        "AdvancedEventSelectors": [
            {
                "Name": "Select all external events",
                "FieldSelectors": [
                    { "Field": "eventCategory", "Equals": [ "ActivityAuditLog" ] }
                ]
            }
        ],
        "MultiRegionEnabled": true,
        "OrganizationEnabled": false,
        "BillingMode": "EXTENDABLE_RETENTION_PRICING",
        "RetentionPeriod": 90,
        "TerminationProtectionEnabled": true,
        "CreatedTimestamp": "2023-10-27T10:55:55.384000-04:00",
        "UpdatedTimestamp": "2023-10-27T10:57:05.549000-04:00"
    }

    You'll need the event data store ID (the suffix of the ARN, or EXAMPLEf852-4e8f-8bd1-bcf6cEXAMPLE in the preceding response example) to go on to the next step and create your channel.

  2. Run the create-channel command to create a channel that allows a partner or source application to send events to an event data store in CloudTrail.

    A channel has the following components:

    Source

    CloudTrail uses this information to determine the partners that are sending event data to CloudTrail on your behalf. A source is required, and can be either Custom for all valid non-Amazon events, or the name of a partner event source. A maximum of one channel is allowed per source.

    For information about the Source values for available partners, see Additional information about integration partners.

    Ingestion status

    The channel status shows when the last events were received from a channel source.

    Destinations

    The destinations are the CloudTrail Lake event data stores that are receiving events from the channel. You can change destination event data stores for a channel.

    To stop receiving events from a source, delete the channel.

    You need the ID of at least one destination event data store to run this command. The valid type of destination is EVENT_DATA_STORE. You can send ingested events to more than one event data store. The following example command creates a channel that sends events to two event data stores, represented by their IDs in the Location attribute of the --destinations parameter. The --destinations, --name, and --source parameters are required. To ingest events from a CloudTrail partner, specify the name of the partner as the value of --source. To ingest events from your own applications outside Amazon, specify Custom as the value of --source.

    aws cloudtrail create-channel \
        --region us-east-1 \
        --destinations '[{"Type": "EVENT_DATA_STORE", "Location": "EXAMPLEf852-4e8f-8bd1-bcf6cEXAMPLE"}, {"Type": "EVENT_DATA_STORE", "Location": "EXAMPLEg922-5n2l-3vz1-apqw8EXAMPLE"}]' \
        --name my-partner-channel \
        --source $partnerSourceName

    In the response to your create-channel command, copy the ARN of the new channel. You need the ARN to run the put-resource-policy and put-audit-events commands in the next steps.

  3. Run the put-resource-policy command to attach a resource policy to the channel. Resource policies are JSON policy documents that specify what actions a specified principal can perform on the resource and under what conditions. The accounts defined as principals in the channel's resource policy can call the PutAuditEvents API to deliver events.

    Note

    If you do not create a resource policy for the channel, only the channel owner can call the PutAuditEvents API on the channel.

    The information required for the policy is determined by the integration type.

    • For a direct integration, CloudTrail requires the policy to contain the partner's Amazon account IDs, and requires you to enter the unique external ID provided by the partner. CloudTrail automatically adds the partner's Amazon account IDs to the resource policy when you create an integration using the CloudTrail console. Refer to the partner's documentation to learn how to get the Amazon account numbers required for the policy.

    • For a solution integration, you must specify at least one Amazon account ID as principal, and can optionally enter an external ID to protect against the confused deputy problem.

    The following are requirements for the resource policy:

    • The resource ARN defined in the policy must match the channel ARN the policy is attached to.

    • The policy contains only one action: cloudtrail-data:PutAuditEvents

    • The policy contains at least one statement. The policy can have a maximum of 20 statements.

    • Each statement contains at least one principal. A statement can have a maximum of 50 principals.

    aws cloudtrail put-resource-policy \
        --resource-arn "channelARN" \
        --policy '{
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "ChannelPolicy",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": [
                            "arn:aws:iam::111122223333:root",
                            "arn:aws:iam::444455556666:root",
                            "arn:aws:iam::123456789012:root"
                        ]
                    },
                    "Action": "cloudtrail-data:PutAuditEvents",
                    "Resource": "arn:aws:cloudtrail:us-east-1:777788889999:channel/EXAMPLE-80b5-40a7-ae65-6e099392355b",
                    "Condition": {
                        "StringEquals": {
                            "cloudtrail:ExternalId": "UniqueExternalIDFromPartner"
                        }
                    }
                }
            ]
        }'

    For more information about resource policies, see Amazon CloudTrail resource-based policy examples.

  4. Run the PutAuditEvents API to ingest your activity events into CloudTrail. You'll need the payload of events that you want CloudTrail to add. Be sure that there is no sensitive or personally identifying information in the event payload before ingesting it into CloudTrail. Note that the PutAuditEvents API uses the cloudtrail-data CLI endpoint, not the cloudtrail endpoint.

    The following examples show how to use the put-audit-events CLI command. The --audit-events and --channel-arn parameters are required. The --external-id parameter is required if an external ID is defined in the resource policy. You need the ARN of the channel that you created in the preceding step. The value of --audit-events is a JSON array of event objects. --audit-events includes a required ID from the event, the required payload of the event as the value of EventData, and an optional checksum to help validate the integrity of the event after ingestion into CloudTrail.

    aws cloudtrail-data put-audit-events \
        --channel-arn $ChannelArn \
        --external-id $UniqueExternalIDFromPartner \
        --audit-events \
        id="event_ID",eventData='"{event_payload}"' \
        id="event_ID",eventData='"{event_payload}"',eventDataChecksum="optional_checksum"

    The following is an example command with two event examples.

    aws cloudtrail-data put-audit-events \
        --channel-arn arn:aws:cloudtrail:us-east-1:123456789012:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE \
        --external-id UniqueExternalIDFromPartner \
        --audit-events \
        id="EXAMPLE3-0f1f-4a85-9664-d50a3EXAMPLE",eventData='"{\"eventVersion\":\"0.01\",\"eventSource\":\"custom1.domain.com\", ... \}"' \
        id="EXAMPLE7-a999-486d-b241-b33a1EXAMPLE",eventData='"{\"eventVersion\":\"0.02\",\"eventSource\":\"custom2.domain.com\", ... \}"',eventDataChecksum="EXAMPLE6e7dd61f3ead...93a691d8EXAMPLE"

    The following example command adds the --cli-input-json parameter to specify a JSON file (custom-events.json) of event payload.

    aws cloudtrail-data put-audit-events --channel-arn $channelArn --external-id $UniqueExternalIDFromPartner --cli-input-json file://custom-events.json --region us-east-1

    The following are the sample contents of the example JSON file, custom-events.json.

    {
        "auditEvents": [
            {
                "eventData": "{\"version\":\"eventData.version\",\"UID\":\"UID\", \"userIdentity\":{\"type\":\"CustomUserIdentity\",\"principalId\":\"principalId\", \"details\":{\"key\":\"value\"}},\"eventTime\":\"2021-10-27T12:13:14Z\",\"eventName\":\"eventName\", \"userAgent\":\"userAgent\",\"eventSource\":\"eventSource\", \"requestParameters\":{\"key\":\"value\"},\"responseElements\":{\"key\":\"value\"}, \"additionalEventData\":{\"key\":\"value\"}, \"sourceIPAddress\":\"12.34.56.78\",\"recipientAccountId\":\"152089810396\"}",
                "id": "1"
            }
        ]
    }
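The resource policy requirements listed in step 3, as an added validator that is not part of this page or of AWS tooling. It runs on the policy and channel ARN shown in step 3; the function names, the wildcard-principal warning and the variant policy without an external ID are constructed for this example.

```python
"""Validate a CloudTrail channel resource policy against the rules in step 3.

Constructed example, not AWS code. Errors are the page's hard requirements;
warnings cover the confused-deputy case (cross-account principals granted
without a cloudtrail:ExternalId condition) and wildcard principals.
"""
import json

ALLOWED_ACTION = "cloudtrail-data:PutAuditEvents"
MAX_STATEMENTS = 20
MAX_PRINCIPALS = 50

# Channel ARN and policy from the put-resource-policy example in step 3.
CHANNEL_ARN = "arn:aws:cloudtrail:us-east-1:777788889999:channel/EXAMPLE-80b5-40a7-ae65-6e099392355b"
_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ChannelPolicy",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                              "arn:aws:iam::444455556666:root",
                              "arn:aws:iam::123456789012:root"]},
        "Action": "cloudtrail-data:PutAuditEvents",
        "Resource": CHANNEL_ARN,
        "Condition": {"StringEquals": {"cloudtrail:ExternalId": "UniqueExternalIDFromPartner"}},
    }],
}
SAMPLE_POLICY = json.dumps(_POLICY)
_WEAK = json.loads(SAMPLE_POLICY)
del _WEAK["Statement"][0]["Condition"]          # constructed variant: no external ID
SAMPLE_POLICY_NO_EXTERNAL_ID = json.dumps(_WEAK)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal ("*", a string, or {"AWS": [...]}) into a list of strings."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    flat = []
    for entries in principal.values():
        flat.extend(_as_list(entries))
    return flat


def validate_channel_policy(policy_json, channel_arn):
    """Return (errors, warnings); the policy meets the page's rules when errors is empty."""
    errors, warnings = [], []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc.msg}"], warnings
    statements = _as_list(policy.get("Statement"))
    if not statements:
        errors.append("policy must contain at least one statement")
    if len(statements) > MAX_STATEMENTS:
        errors.append(f"{len(statements)} statements exceed the maximum of {MAX_STATEMENTS}")
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{index}]")
        if _as_list(stmt.get("Action")) != [ALLOWED_ACTION]:
            errors.append(f"{sid}: Action must be exactly {ALLOWED_ACTION}")
        resources = _as_list(stmt.get("Resource"))
        if not resources:
            errors.append(f"{sid}: Resource must name the channel ARN")
        for resource in resources:
            if resource != channel_arn:
                errors.append(f"{sid}: Resource {resource} does not match the channel ARN")
        principals = _principals(stmt)
        if not principals:
            errors.append(f"{sid}: statement has no principal")
        if len(principals) > MAX_PRINCIPALS:
            errors.append(f"{sid}: {len(principals)} principals exceed the maximum of {MAX_PRINCIPALS}")
        if "*" in principals:
            warnings.append(f"{sid}: wildcard principal lets any account deliver events")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("cloudtrail:ExternalId")
        if principals and not external_id:
            warnings.append(f"{sid}: no cloudtrail:ExternalId condition; "
                            "deliveries are not bound to your integration")
    return errors, warnings


if __name__ == "__main__":
    for label, doc in (("page policy", SAMPLE_POLICY),
                       ("no external ID", SAMPLE_POLICY_NO_EXTERNAL_ID)):
        errors, warnings = validate_channel_policy(doc, CHANNEL_ARN)
        print(label, "errors:", errors, "warnings:", warnings)
```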

You can verify that the integration is working, and CloudTrail is ingesting events from the source correctly, by running the get-channel command. The output of get-channel shows the most recent time stamp that CloudTrail received events.

aws cloudtrail get-channel --channel arn:aws:cloudtrail:us-east-1:01234567890:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE

(Optional) Calculate a checksum value

The checksum that you specify as the value of EventDataChecksum in a PutAuditEvents request helps you verify that CloudTrail receives the event that matches the checksum; it helps verify the integrity of events. The checksum value is the base64-encoded SHA-256 digest of the event, which you calculate by running the following command.

printf '%s' '{"eventData": "{\"version\":\"eventData.version\",\"UID\":\"UID\", \"userIdentity\":{\"type\":\"CustomUserIdentity\",\"principalId\":\"principalId\", \"details\":{\"key\":\"value\"}},\"eventTime\":\"2021-10-27T12:13:14Z\",\"eventName\":\"eventName\", \"userAgent\":\"userAgent\",\"eventSource\":\"eventSource\", \"requestParameters\":{\"key\":\"value\"},\"responseElements\":{\"key\":\"value\"}, \"additionalEventData\":{\"key\":\"value\"}, \"sourceIPAddress\":\"source_IP_address\", \"recipientAccountId\":\"recipient_account_ID\"}", "id": "1"}' \
  | openssl dgst -binary -sha256 | base64

The command returns the checksum. The following is an example.

EXAMPLEDHjkI8iehvCUCWTIAbNYkOgO/t0YNw+7rrQE=

The checksum value becomes the value of EventDataChecksum in your PutAuditEvents request. If it doesn't match the checksum that CloudTrail computes for the provided event, CloudTrail rejects the event with an InvalidChecksum error.
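The following Python example automates the checksum step for the custom-events.json payload shown earlier in this section. It is an added example, not code from the CloudTrail documentation: the function names are its own, the sample event is constructed from the fields in custom-events.json, and it hashes the serialized {"eventData": ..., "id": ...} object with the same layout as the printf command above, so its output can be cross-checked against the openssl pipeline. It also shows the failure mode: any change to the bytes of eventData, even a trailing space, invalidates the checksum.

```python
"""Checksums for CloudTrail Lake PutAuditEvents (added example, not from the docs).

Computes the same base64 SHA-256 value as the openssl pipeline on this page,
attaches it to each auditEvents entry and verifies entries before sending.
"""
import base64
import hashlib
import hmac
import json


def checksum_for(payload: str) -> str:
    """base64(SHA-256(payload)) over the UTF-8 bytes of payload.

    Equivalent to: printf '%s' "$payload" | openssl dgst -binary -sha256 | base64
    """
    digest = hashlib.sha256(payload.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def serialize_audit_event(event_id: str, event_data: str) -> str:
    """Serialize the {"eventData": ..., "id": ...} object the checksum is taken over.

    json.dumps' default separators (", " and ": ") reproduce the layout of the
    printf command on this page, so both methods hash identical bytes.
    """
    return json.dumps({"eventData": event_data, "id": event_id})


def build_audit_event(event_id: str, event_fields: dict) -> dict:
    """Return one auditEvents entry with eventDataChecksum filled in.

    eventData is itself a JSON document sent as a string, so the fields are
    serialized once, compactly and with sorted keys, and that exact string is
    both hashed and placed in the request.
    """
    event_data = json.dumps(event_fields, separators=(",", ":"), sort_keys=True)
    return {
        "id": event_id,
        "eventData": event_data,
        "eventDataChecksum": checksum_for(serialize_audit_event(event_id, event_data)),
    }


def verify_audit_event(event: dict) -> bool:
    """Recompute the checksum of an entry and compare it in constant time.

    Any byte-level change to eventData or id makes this False, which is the
    condition under which CloudTrail answers InvalidChecksum.
    """
    expected = checksum_for(serialize_audit_event(event["id"], event["eventData"]))
    return hmac.compare_digest(expected, event.get("eventDataChecksum", ""))


def build_request(events: list) -> dict:
    """Body for --cli-input-json: {"auditEvents": [...]} with checksums attached."""
    return {"auditEvents": [build_audit_event(str(i + 1), fields) for i, fields in enumerate(events)]}


# Constructed sample event, laid out like custom-events.json on this page.
SAMPLE_FIELDS = {
    "version": "eventData.version",
    "UID": "UID",
    "userIdentity": {"type": "CustomUserIdentity", "principalId": "principalId", "details": {"key": "value"}},
    "eventTime": "2021-10-27T12:13:14Z",
    "eventName": "eventName",
    "userAgent": "userAgent",
    "eventSource": "eventSource",
    "requestParameters": {"key": "value"},
    "responseElements": {"key": "value"},
    "additionalEventData": {"key": "value"},
    "sourceIPAddress": "12.34.56.78",
    "recipientAccountId": "152089810396",
}


if __name__ == "__main__":
    request = build_request([SAMPLE_FIELDS])
    print(json.dumps(request, indent=2))  # write this to custom-events.json
    original = request["auditEvents"][0]
    tampered = dict(original, eventData=original["eventData"] + " ")
    print("original verifies:", verify_audit_event(original))
    print("tampered verifies:", verify_audit_event(tampered))
```

Write the printed JSON to custom-events.json and pass it with --cli-input-json as in the put-audit-events command above; the eventDataChecksum values are already in place. If CloudTrail still returns InvalidChecksum, the first thing to compare is the serialization (whitespace, key order, escaping) of what was hashed against what was sent.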

Get an event data store with the Amazon CLI

The following example Amazon CLI get-event-data-store command returns information about the event data store specified by the required --event-data-store parameter, which accepts an ARN or the ID suffix of the ARN.

aws cloudtrail get-event-data-store --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE

The following is an example response. Creation and last updated times are in timestamp format.

{
  "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
  "Name": "s3-data-events-eds",
  "Status": "ENABLED",
  "AdvancedEventSelectors": [
    {
      "Name": "Log DeleteObject API calls for a specific S3 bucket",
      "FieldSelectors": [
        { "Field": "eventCategory", "Equals": [ "Data" ] },
        { "Field": "eventName", "Equals": [ "DeleteObject" ] },
        { "Field": "resources.ARN", "StartsWith": [ "arn:aws:s3:::bucketName" ] },
        { "Field": "readOnly", "Equals": [ "false" ] },
        { "Field": "resources.type", "Equals": [ "AWS::S3::Object" ] }
      ]
    }
  ],
  "MultiRegionEnabled": true,
  "OrganizationEnabled": false,
  "BillingMode": "FIXED_RETENTION_PRICING",
  "RetentionPeriod": 2557,
  "TerminationProtectionEnabled": true,
  "CreatedTimestamp": "2023-11-09T22:20:36.344000+00:00",
  "UpdatedTimestamp": "2023-11-09T22:20:36.476000+00:00"
}

List all event data stores in an account with the Amazon CLI

The following example Amazon CLI list-event-data-stores command returns information about all event data stores in an account, in the current Region. Optional parameters include --max-results, to specify a maximum number of results that you want the command to return on a single page. If there are more results than your specified --max-results value, run the command again adding the returned NextToken value to get the next page of results.

aws cloudtrail list-event-data-stores

The following is an example response.

{
  "EventDataStores": [
    {
      "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE7-cad6-4357-a84b-318f9868e969",
      "Name": "management-events-eds"
    },
    {
      "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE6-88e1-43b7-b066-9c046b4fd47a",
      "Name": "config-items-eds"
    },
    {
      "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLEf-b314-4c85-964e-3e43b1e8c3b4",
      "Name": "s3-data-events"
    }
  ]
}

Update an event data store with the Amazon CLI

The following examples show how to update an event data store.

Update the billing mode with the Amazon CLI

The --billing-mode for the event data store determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store. If an event data store's --billing-mode is set to FIXED_RETENTION_PRICING, you can change the value to EXTENDABLE_RETENTION_PRICING. EXTENDABLE_RETENTION_PRICING is generally recommended if your event data store ingests less than 25 TB of event data per month and you want a flexible retention period of up to 3653 days. For information about pricing, see Amazon CloudTrail Pricing and Managing CloudTrail Lake costs.

Note

You cannot change the --billing-mode value from EXTENDABLE_RETENTION_PRICING to FIXED_RETENTION_PRICING. If the event data store's billing mode is set to EXTENDABLE_RETENTION_PRICING and you want to use FIXED_RETENTION_PRICING instead, you can stop ingestion on the event data store and create a new event data store that uses FIXED_RETENTION_PRICING.

The following example Amazon CLI update-event-data-store command changes the --billing-mode for the event data store from FIXED_RETENTION_PRICING to EXTENDABLE_RETENTION_PRICING. The --event-data-store parameter, which takes an ARN (or the ID suffix of the ARN), is required; other parameters are optional.

aws cloudtrail update-event-data-store \
  --region us-east-1 \
  --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE \
  --billing-mode EXTENDABLE_RETENTION_PRICING

The following is an example response.

{
  "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
  "Name": "management-events-eds",
  "Status": "ENABLED",
  "AdvancedEventSelectors": [
    {
      "Name": "Default management events",
      "FieldSelectors": [
        { "Field": "eventCategory", "Equals": [ "Management" ] }
      ]
    }
  ],
  "MultiRegionEnabled": true,
  "OrganizationEnabled": false,
  "BillingMode": "EXTENDABLE_RETENTION_PRICING",
  "RetentionPeriod": 2557,
  "TerminationProtectionEnabled": true,
  "CreatedTimestamp": "2023-10-27T10:55:55.384000-04:00",
  "UpdatedTimestamp": "2023-10-27T10:57:05.549000-04:00"
}

Update the retention period, enable termination protection, and specify an Amazon KMS key with the Amazon CLI

The following example Amazon CLI update-event-data-store command changes an event data store's retention period to 100 days, enables termination protection, and specifies an Amazon KMS key. The --event-data-store parameter, which takes an ARN (or the ID suffix of the ARN), is required; other parameters are optional. --retention-period sets the new retention period in days. --kms-key-id enables Amazon Key Management Service encryption with the KMS key you specify as the value (here, an alias ARN). --termination-protection-enabled enables termination protection on an event data store that did not have it enabled.

An event data store that logs events from outside Amazon cannot be updated to log Amazon events. Similarly, an event data store that logs Amazon events cannot be updated to log events from outside Amazon.

Note

If you decrease the retention period of an event data store, CloudTrail will remove any events with an eventTime older than the new retention period. For example, if the previous retention period was 365 days and you decrease it to 100 days, CloudTrail will remove events with an eventTime older than 100 days.

aws cloudtrail update-event-data-store \
  --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE \
  --retention-period 100 \
  --kms-key-id "arn:aws:kms:us-east-1:123456789012:alias/KMS_key_alias" \
  --termination-protection-enabled

The following is an example response.

{
  "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-ee54-4813-92d5-999aeEXAMPLE",
  "Name": "my-event-data-store",
  "Status": "ENABLED",
  "AdvancedEventSelectors": [
    {
      "Name": "Select all S3 data events",
      "FieldSelectors": [
        { "Field": "eventCategory", "Equals": [ "Data" ] },
        { "Field": "resources.type", "Equals": [ "AWS::S3::Object" ] },
        { "Field": "resources.ARN", "StartsWith": [ "arn:aws:s3" ] }
      ]
    }
  ],
  "MultiRegionEnabled": true,
  "OrganizationEnabled": false,
  "BillingMode": "EXTENDABLE_RETENTION_PRICING",
  "RetentionPeriod": 100,
  "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:alias/KMS_key_alias",
  "TerminationProtectionEnabled": true,
  "CreatedTimestamp": "2023-10-27T10:55:55.384000-04:00",
  "UpdatedTimestamp": "2023-10-27T10:57:05.549000-04:00"
}

Disable termination protection with the Amazon CLI

By default, termination protection is enabled on an event data store to protect the event data store from accidental deletion. You cannot delete an event data store when termination protection is enabled. If you want to delete the event data store, you must first disable termination protection.

The following example Amazon CLI update-event-data-store command disables termination protection by passing the --no-termination-protection-enabled parameter.

aws cloudtrail update-event-data-store \
  --region us-east-1 \
  --no-termination-protection-enabled \
  --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE

The following is an example response.

{
  "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
  "Name": "management-events-eds",
  "Status": "ENABLED",
  "AdvancedEventSelectors": [
    {
      "Name": "Default management events",
      "FieldSelectors": [
        { "Field": "eventCategory", "Equals": [ "Management" ] }
      ]
    }
  ],
  "MultiRegionEnabled": true,
  "OrganizationEnabled": false,
  "BillingMode": "EXTENDABLE_RETENTION_PRICING",
  "RetentionPeriod": 366,
  "TerminationProtectionEnabled": false,
  "CreatedTimestamp": "2023-10-27T10:55:55.384000-04:00",
  "UpdatedTimestamp": "2023-10-27T10:57:05.549000-04:00"
}
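Because the update commands above can silently weaken an audit store (a retention decrease deletes events, disabling termination protection makes the store deletable, the billing mode change is one-way), a practitioner typically runs a pre-flight check over the get-event-data-store output before changing anything. The following Python example is added here and is not code from the CloudTrail documentation: it encodes the rules stated on this page as functions over the JSON that the get-event-data-store command returns. The finding texts, the 366-day retention floor and the file name in the usage note are this example's own choices, and SAMPLE_EDS is a constructed copy of the get-event-data-store response shown earlier.

```python
"""Pre-flight and posture checks for a CloudTrail Lake event data store.

Added example, not code from the CloudTrail documentation. The rules come
from this page (termination protection, the one-way billing mode change,
data loss on a retention decrease, the conditions under which
delete-event-data-store is refused); thresholds are this example's choices.
"""
import json
import sys
from typing import List

# Constructed sample: the get-event-data-store response shown earlier on this page.
SAMPLE_EDS = {
    "EventDataStoreArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE",
    "Name": "s3-data-events-eds",
    "Status": "ENABLED",
    "MultiRegionEnabled": True,
    "OrganizationEnabled": False,
    "BillingMode": "FIXED_RETENTION_PRICING",
    "RetentionPeriod": 2557,
    "TerminationProtectionEnabled": True,
}


def posture_findings(eds: dict, min_retention_days: int = 366, require_org: bool = False) -> List[str]:
    """Settings a reviewer would flag on an audit store; an empty list means none."""
    findings = []
    if not eds.get("TerminationProtectionEnabled", False):
        findings.append("TerminationProtectionEnabled is false: a single delete-event-data-store call starts deletion")
    if not eds.get("KmsKeyId"):
        findings.append("no KmsKeyId: events are not encrypted with a KMS key you manage")
    if not eds.get("MultiRegionEnabled", False):
        findings.append("MultiRegionEnabled is false: activity in other Regions is not collected")
    if require_org and not eds.get("OrganizationEnabled", False):
        findings.append("OrganizationEnabled is false: member account activity is not collected")
    retention = eds.get("RetentionPeriod", 0)
    if retention < min_retention_days:
        findings.append(f"RetentionPeriod {retention} is below the {min_retention_days}-day floor")
    if eds.get("Status") != "ENABLED":
        findings.append(f"Status is {eds.get('Status')}: the store is not ingesting events")
    return findings


def deletion_blockers(eds: dict) -> List[str]:
    """Reasons delete-event-data-store would be refused, per this page."""
    blockers = []
    if eds.get("TerminationProtectionEnabled", False):
        blockers.append("TerminationProtectionEnabled is true; run update-event-data-store --no-termination-protection-enabled first")
    if eds.get("FederationStatus") == "ENABLED":
        blockers.append("FederationStatus is ENABLED; run disable-federation first")
    return blockers


def retention_update_is_safe(eds: dict, new_retention_days: int) -> bool:
    """False when the update would shorten retention: CloudTrail then removes
    every event whose eventTime is older than the new period."""
    return new_retention_days >= eds.get("RetentionPeriod", 0)


def billing_mode_change_allowed(current: str, desired: str) -> bool:
    """Only FIXED_RETENTION_PRICING -> EXTENDABLE_RETENTION_PRICING is allowed;
    the reverse requires stopping ingestion and creating a new store."""
    if current == desired:
        return True
    return current == "FIXED_RETENTION_PRICING" and desired == "EXTENDABLE_RETENTION_PRICING"


if __name__ == "__main__":
    # Read get-event-data-store output from stdin, or fall back to the sample.
    eds = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_EDS
    for line in posture_findings(eds) or ["no findings"]:
        print("finding:", line)
    for line in deletion_blockers(eds):
        print("delete blocked:", line)
```

Usage, with a hypothetical file name: aws cloudtrail get-event-data-store --event-data-store <arn> | python3 eds_checks.py. Run retention_update_is_safe and billing_mode_change_allowed in the same way before issuing an update-event-data-store command, since CloudTrail itself only refuses the billing mode reversal; the retention decrease goes through and deletes data.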

Stop ingestion on an event data store with the Amazon CLI

The following example Amazon CLI stop-event-data-store-ingestion command stops an event data store from ingesting events. To stop ingestion, the event data store Status must be ENABLED and the eventCategory must be Management, Data, or ConfigurationItem. The event data store is specified by --event-data-store, which accepts an event data store ARN, or the ID suffix of the ARN. After you run stop-event-data-store-ingestion, the state of the event data store changes to STOPPED_INGESTION.

The event data store does count towards your account maximum of ten event data stores when its state is STOPPED_INGESTION.

aws cloudtrail stop-event-data-store-ingestion --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE

There is no response if the operation is successful.

Start ingestion on an event data store with the Amazon CLI

The following example Amazon CLI start-event-data-store-ingestion command starts event ingestion on an event data store. To start ingestion, the event data store Status must be STOPPED_INGESTION and the eventCategory must be Management, Data, or ConfigurationItem. The event data store is specified by --event-data-store, which accepts an event data store ARN, or the ID suffix of the ARN. After you run start-event-data-store-ingestion, the state of the event data store changes to ENABLED.

aws cloudtrail start-event-data-store-ingestion --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE

There is no response if the operation is successful.

Enable federation on an event data store

To enable federation, run the aws cloudtrail enable-federation command, providing the required --event-data-store and --role parameters. For --event-data-store, provide the event data store ARN (or the ID suffix of the ARN). For --role, provide the ARN for your federation role. The role must exist in your account and provide the required minimum permissions.

aws cloudtrail enable-federation --event-data-store arn:aws:cloudtrail:region:account-id:eventdatastore/eds-id --role arn:aws:iam::account-id:role/federation-role-name

This example shows how a delegated administrator can enable federation on an organization event data store by specifying the ARN of the event data store in the management account and the ARN of the federation role in the delegated administrator account.

aws cloudtrail enable-federation --event-data-store arn:aws:cloudtrail:region:management-account-id:eventdatastore/eds-id --role arn:aws:iam::delegated-administrator-account-id:role/federation-role-name

Disable federation on an event data store

To disable federation on the event data store, run the aws cloudtrail disable-federation command. The event data store is specified by --event-data-store, which accepts an event data store ARN or the ID suffix of the ARN.

aws cloudtrail disable-federation --event-data-store arn:aws:cloudtrail:region:account-id:eventdatastore/eds-id

Note

If this is an organization event data store, use the account ID for the management account.

Delete an event data store with the Amazon CLI

The following example Amazon CLI delete-event-data-store command disables the event data store specified by --event-data-store, which accepts an event data store ARN, or the ID suffix of the ARN. After you run delete-event-data-store, the final state of the event data store is PENDING_DELETION, and the event data store is automatically deleted after a wait period of 7 days.

After you run delete-event-data-store on an event data store, you cannot run list-queries, describe-query, or get-query-results on queries that are using the disabled data store. The event data store does count towards your account maximum of ten event data stores when it is pending deletion.

Note

You can't delete an event data store if --termination-protection-enabled is set or its FederationStatus is ENABLED.

aws cloudtrail delete-event-data-store --event-data-store arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE

There is no response if the operation is successful.

Restore an event data store with the Amazon CLI

The following example Amazon CLI restore-event-data-store command restores an event data store that is pending deletion. The event data store is specified by --event-data-store, which accepts an event data store ARN or the ID suffix of the ARN. You can only restore a deleted event data store within the seven-day wait period after deletion.

aws cloudtrail restore-event-data-store --event-data-store EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE

The response includes information about the event data store, including its ARN, advanced event selectors, and the status of restoration.

List all channels with the Amazon CLI

To list all channels in your account, run the list-channels command. The following is an example.

aws cloudtrail list-channels

Update a channel with the Amazon CLI

To update a channel's name or destination event data stores, run the update-channel command. The --channel parameter is required. You cannot update the source of a channel. The following is an example.

aws cloudtrail update-channel \
  --channel arn:aws:cloudtrail:us-east-1:123456789012:channel/EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE \
  --name "new-channel-name" \
  --destinations '[{"Type": "EVENT_DATA_STORE", "Location": "EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE"}, {"Type": "EVENT_DATA_STORE", "Location": "EXAMPLEg922-5n2l-3vz1-apqw8EXAMPLE"}]'

Delete a channel to delete an integration with the Amazon CLI

To stop ingesting partner or other activity events outside Amazon, delete the channel by running the delete-channel command. The ARN or channel ID (the ARN suffix) of the channel that you want to delete is required. The following is an example.

aws cloudtrail delete-channel \ --channel EXAMPLE8-0558-4f7e-a06a-43969EXAMPLE

Start a query with the Amazon CLI

The following example Amazon CLI start-query command runs a query on the event data store whose ID appears in the FROM clause of the query statement. The --query-statement parameter provides a SQL query, enclosed in single quotation marks. Optional parameters include --delivery-s3uri, which delivers the query results to the specified S3 bucket. For more information about the query language you can use in CloudTrail Lake, see CloudTrail Lake SQL constraints.

aws cloudtrail start-query --query-statement 'SELECT eventID, eventTime FROM EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE LIMIT 10' --delivery-s3uri "s3://aws-cloudtrail-lake-query-results-123456789012-us-east-1"

The response is a QueryId string. To get the status of a query, run describe-query using the QueryId value returned by start-query. If the query is successful, you can run get-query-results to get results.

Output

{ "QueryId": "EXAMPLE2-0add-4207-8135-2d8a4EXAMPLE" }

Note

Queries that run for longer than one hour might time out. You can still get partial results that were processed before the query timed out.

If you are delivering the query results to an S3 bucket using the optional --delivery-s3uri parameter, the bucket policy must grant CloudTrail permission to deliver query results to the bucket. For information about manually editing the bucket policy, see Amazon S3 bucket policy for CloudTrail Lake query results.

Get metadata about a query with the Amazon CLI

The following example Amazon CLI describe-query command gets metadata about a query, including query run time in milliseconds, number of events scanned and matched, total number of bytes scanned, and query status. The BytesScanned value matches the number of bytes for which your account is billed for the query, unless the query is still running. If the query results were delivered to an S3 bucket, the response also provides the S3 URI and the delivery status.

You must specify a value for either the --query-id or the --query-alias parameter. Specifying the --query-alias parameter returns information about the last query run for the alias.

aws cloudtrail describe-query --query-id EXAMPLEd-17a7-47c3-a9a1-eccf7EXAMPLE

The following is an example response.

{
  "QueryId": "EXAMPLE2-0add-4207-8135-2d8a4EXAMPLE",
  "QueryString": "SELECT eventID, eventTime FROM EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE LIMIT 10",
  "QueryStatus": "RUNNING",
  "QueryStatistics": {
    "EventsMatched": 10,
    "EventsScanned": 1000,
    "BytesScanned": 35059,
    "ExecutionTimeInMillis": 3821,
    "CreationTime": "1598911142"
  }
}

Get query results with the Amazon CLI

The following example Amazon CLI get-query-results command gets event data results of a query. You must specify the --query-id returned by the start-query command. The BytesScanned value matches the number of bytes for which your account is billed for the query, unless the query is still running. Optional parameters include --max-query-results, to specify a maximum number of results that you want the command to return on a single page. If there are more results than your specified --max-query-results value, run the command again adding the returned NextToken value to get the next page of results.

aws cloudtrail get-query-results --query-id EXAMPLEd-17a7-47c3-a9a1-eccf7EXAMPLE

Output

{
  "QueryStatus": "RUNNING",
  "QueryStatistics": {
    "ResultsCount": 244,
    "TotalResultsCount": 1582,
    "BytesScanned": 27044
  },
  "QueryResults": [
    {
      "key": "eventName",
      "value": "StartQuery"
    }
  ],
  "QueryId": "EXAMPLE2-0add-4207-8135-2d8a4EXAMPLE",
  "QueryString": "SELECT eventID, eventTime FROM EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE LIMIT 10",
  "NextToken": "20add42078135EXAMPLE"
}
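The start-query, describe-query and get-query-results commands above are three steps of one workflow: start the query, poll its status until it reaches a terminal state, then page through the results with NextToken. The following Python example ties them together; it is added here and is not code from the CloudTrail documentation. It assumes a client object with the boto3 cloudtrail method names start_query, describe_query, get_query_results and cancel_query (boto3.client("cloudtrail") provides them); FakeCloudTrailClient is a constructed offline stand-in with the same method names. The status set is the one listed under list-queries on this page plus TIMED_OUT, which is an assumption about how the CloudTrail API names the time-out mentioned in the Note above. The deadline handling calls cancel-query, which is described later on this page.

```python
"""Run a CloudTrail Lake query end to end: start-query, poll describe-query,
page through get-query-results, cancel on a local deadline.

Added example, not code from the CloudTrail documentation. `client` is any
object with the boto3 method names used below; FakeCloudTrailClient is a
constructed stand-in so the module runs offline.
"""
import time

# Statuses after which describe-query will not change again. QUEUED, RUNNING,
# FINISHED, FAILED and CANCELLED are listed on this page; TIMED_OUT is assumed
# to be the API's name for the one-hour time-out.
TERMINAL_STATUSES = {"FINISHED", "FAILED", "CANCELLED", "TIMED_OUT"}


def row_to_dict(row) -> dict:
    """Flatten one result row. boto3 returns a row as a list of single-entry
    {column: value} maps; the shape printed on this page is one
    {"key": ..., "value": ...} map. Both are accepted."""
    if isinstance(row, dict):
        return {row["key"]: row["value"]} if "key" in row and "value" in row else dict(row)
    merged = {}
    for column in row:
        merged.update(column)
    return merged


def run_query(client, statement, poll_seconds=2.0, timeout_seconds=3600, page_size=1000):
    """Start a query, wait for a terminal status and collect every result page.

    Raises TimeoutError (after cancelling the query) if the local deadline
    passes and RuntimeError if the query FAILED. CANCELLED and TIMED_OUT
    queries can still have partial results, so those are collected.
    """
    query_id = client.start_query(QueryStatement=statement)["QueryId"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        meta = client.describe_query(QueryId=query_id)
        status = meta["QueryStatus"]
        if status in TERMINAL_STATUSES:
            break
        if time.monotonic() >= deadline:
            # Bytes scanned before this point are still billed.
            client.cancel_query(QueryId=query_id)
            raise TimeoutError(f"query {query_id} exceeded {timeout_seconds}s and was cancelled")
        time.sleep(poll_seconds)
    if status == "FAILED":
        raise RuntimeError(f"query {query_id} failed: {meta.get('ErrorMessage', 'no message')}")

    rows = []
    kwargs = {"QueryId": query_id, "MaxQueryResults": page_size}
    while True:  # NextToken pagination, as described for get-query-results
        page = client.get_query_results(**kwargs)
        rows.extend(row_to_dict(r) for r in page.get("QueryResults", []))
        token = page.get("NextToken")
        if not token:
            break
        kwargs["NextToken"] = token
    stats = meta.get("QueryStatistics", {})
    return {"query_id": query_id, "status": status, "bytes_scanned": stats.get("BytesScanned"), "rows": rows}


class FakeCloudTrailClient:
    """Constructed offline stand-in: the query walks through `statuses`, one
    per describe_query call, and results are served from `pages`."""

    def __init__(self, statuses, pages):
        self._statuses = list(statuses)
        self._pages = list(pages)
        self.cancelled = []

    def start_query(self, **kwargs):
        return {"QueryId": "EXAMPLE2-0add-4207-8135-2d8a4EXAMPLE"}

    def describe_query(self, **kwargs):
        status = self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]
        return {"QueryId": kwargs["QueryId"], "QueryStatus": status,
                "QueryStatistics": {"EventsMatched": 2, "EventsScanned": 1000, "BytesScanned": 35059}}

    def get_query_results(self, **kwargs):
        index = int(kwargs.get("NextToken", "0"))
        results = self._pages[index] if index < len(self._pages) else []
        page = {"QueryStatus": "FINISHED", "QueryResults": results}
        if index + 1 < len(self._pages):
            page["NextToken"] = str(index + 1)
        return page

    def cancel_query(self, **kwargs):
        self.cancelled.append(kwargs["QueryId"])
        return {"QueryId": kwargs["QueryId"], "QueryStatus": "CANCELLED"}


if __name__ == "__main__":
    demo = FakeCloudTrailClient(
        ["QUEUED", "RUNNING", "FINISHED"],
        [[[{"eventID": "EXAMPLE1"}, {"eventTime": "2023-11-09T22:20:36Z"}]],
         [[{"eventID": "EXAMPLE2"}, {"eventTime": "2023-11-09T22:21:00Z"}]]],
    )
    print(run_query(demo, "SELECT eventID, eventTime FROM EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE LIMIT 10", poll_seconds=0))
```

With a real client, keep timeout_seconds at or below the one-hour limit noted above so that a runaway query is cancelled by you rather than left scanning (and billing) until CloudTrail times it out; bytes_scanned in the result is the figure your account is billed for.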

List all queries on an event data store with the Amazon CLI

The following example Amazon CLI list-queries command returns a list of queries and query statuses on a specified event data store for the past seven days. You must specify an ARN or the ID suffix of an ARN value for --event-data-store. Optionally, to shorten the list of results, you can specify a time range, formatted as timestamps, by adding --start-time and --end-time parameters, and a --query-status value. Valid values for QueryStatus include QUEUED, RUNNING, FINISHED, FAILED, or CANCELLED.

list-queries also has optional pagination parameters. Use --max-results to specify a maximum number of results that you want the command to return on a single page. If there are more results than your specified --max-results value, run the command again adding the returned NextToken value to get the next page of results.

aws cloudtrail list-queries --event-data-store EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE --query-status CANCELLED --start-time 1598384589 --end-time 1598384602 --max-results 10

Output

{
  "Queries": [
    {
      "QueryId": "EXAMPLE2-0add-4207-8135-2d8a4EXAMPLE",
      "QueryStatus": "CANCELLED",
      "CreationTime": 1598911142
    },
    {
      "QueryId": "EXAMPLE2-4e89-9230-2127-5dr3aEXAMPLE",
      "QueryStatus": "CANCELLED",
      "CreationTime": 1598296624
    }
  ],
  "NextToken": "20add42078135EXAMPLE"
}

Cancel a running query with the Amazon CLI

The following example Amazon CLI cancel-query command cancels a query with a status of RUNNING. You must specify a value for --query-id. When you run cancel-query, the query status might show as CANCELLED even if the cancel-query operation is not yet finished.

Note

A canceled query can incur charges. Your account is still charged for the amount of data that was scanned before you canceled the query.

The following is a CLI example.

aws cloudtrail cancel-query --query-id EXAMPLEd-17a7-47c3-a9a1-eccf7EXAMPLE

Output

QueryId -> (string)
QueryStatus -> (string)