Create event data source for this query

Question

I am trying to execute this query in cloudwatch lake.

SELECT
    *
FROM
    $EDS_ID 
WHERE
    eventsource = 'signin.amazonaws.com'  
    AND eventname = 'ConsoleLogin'  
    AND Element_at(additionaleventdata, 'MFAUsed' 
    ) = 'No'

But I am not able to create Event Data Source correctly. Because the relevant signin option is not available in the drop-down. Available "Data event type" are like S3, Lambda, etc.

There is no such thing as `cloudwatch lake`. Please edit your question. — Vasyl Herman, Jul 15 '23 at 13:09

Vasyl Herman · Answer 1 · 2023-07-15T13:58:55.930

I suppose you mean CloudTrail Lake and creating Event data store.

You do not need to select the Data Events box. All you need to make it work is the Management events.

Leave all by default when creating Event data store, and test the query:

SELECT
    *
FROM
    e1490c52-11ee-44be-827e-2cefa50780ab
WHERE
    eventName='ConsoleLogin'
    AND eventsource='signin.amazonaws.com'
    AND Element_at(additionaleventdata, 'MFAUsed' 
    ) = 'No'

where e1490c52-11ee-44be-827e-2cefa50780ab is Event data store ID

Create event data source for this query

1 Answers1