

# CloudTrail Lake dashboards
<a name="lake-dashboard"></a>

**Note**  
AWS CloudTrail Lake will no longer be open to new customers starting May 31, 2026. If you would like to use CloudTrail Lake, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [CloudTrail Lake availability change](cloudtrail-lake-service-availability-change.md).

You can use CloudTrail Lake dashboards to see event trends for the event data stores in your account. CloudTrail Lake offers the following types of dashboards:
+ **Managed dashboards** – You can view a managed dashboard to see event trends for an event data store that collects management events, data events, or Insights events. These dashboards are automatically available to you and are managed by CloudTrail Lake. CloudTrail offers 14 managed dashboards to choose from. You can manually refresh managed dashboards. You cannot modify, add, or remove the widgets for these dashboards; however, you can save a managed dashboard as a custom dashboard if you want to modify the widgets or set a refresh schedule.
+ **Custom dashboards** – Custom dashboards allow you to query events in any event data store type. You can add up to 10 widgets to a custom dashboard. You can manually refresh a custom dashboard, or you can set a refresh schedule.
+ **Highlights dashboards** – Enable the Highlights dashboard to view an at-a-glance overview of the AWS activity collected by the event data stores in your account. The Highlights dashboard is managed by CloudTrail and includes widgets that are relevant to your account. The widgets shown on the Highlights dashboard are unique to each account. These widgets could surface detected abnormal activity or anomalies. For example, your Highlights dashboard could include the **Total cross-account access widget**, which shows if there is an increase in abnormal cross-account activity. CloudTrail updates the Highlights dashboard every 6 hours. The dashboard shows the last 24 hours of data from the last update.

Each dashboard consists of one or more widgets and each widget provides a graphical representation of the results of a SQL query. To view the query for a widget, choose **View and edit query** to open up the query editor.

When a dashboard is refreshed, CloudTrail Lake runs queries to populate the dashboard's widgets. Because running queries incurs costs, CloudTrail asks you to acknowledge the costs associated with running queries. For more information about CloudTrail pricing, see [CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

**Topics**
+ [Prerequisites](#lake-dashboard-prerequisites)
+ [Limitations](#lake-dashboard-limitations)
+ [Region support](#lake-dashboard-regions)
+ [Required permissions](#lake-dashboard-permissions)
+ [View a managed dashboard with the CloudTrail console](lake-dashboard-managed.md)
+ [Enable the Highlights dashboard with the CloudTrail console](lake-dashboard-highlights.md)
+ [Disable the Highlights dashboard with the CloudTrail console](lake-dashboard-highlights-disable.md)
+ [Create a custom dashboard with the CloudTrail console](lake-dashboard-custom.md)
+ [Set a refresh schedule for a custom dashboard with the CloudTrail console](lake-dashboard-refresh.md)
+ [Disable the refresh schedule for a custom dashboard with the CloudTrail console](lake-dashboard-refresh-disable.md)
+ [Change termination protection with the CloudTrail console](lake-dashboard-termination-protection.md)
+ [Delete a custom dashboard with the CloudTrail console](lake-dashboard-delete.md)
+ [Create, update, and manage dashboards with the AWS CLI](lake-dashboard-cli.md)

## Prerequisites
<a name="lake-dashboard-prerequisites"></a>

The following prerequisites apply to CloudTrail Lake dashboards:
+ To view and use Lake dashboards, you must create at least one CloudTrail Lake event data store. You can create event data stores using the console, AWS CLI, or SDKs. For information about creating an event data store using the console, see [Create an event data store for CloudTrail events with the console](query-event-data-store-cloudtrail.md). For information about creating an event data store using the AWS CLI, see [Create an event data store with the AWS CLI](lake-cli-create-eds.md).
+ You must have adequate permissions to view, create, update, and refresh dashboards. For more information, see [Required permissions](#lake-dashboard-permissions).

## Limitations
<a name="lake-dashboard-limitations"></a>

The following limitations apply to CloudTrail Lake dashboards:
+ You can only enable the Highlights dashboard for event data stores that exist in your account.
+ You can only view managed dashboards for event data stores that exist in your account.
+ For custom dashboards, you can only add sample widgets or create new widgets that query event data stores that exist in your account.
+ Delegated administrators for an AWS Organizations organization cannot view or manage dashboards that are owned by the management account.

## Region support
<a name="lake-dashboard-regions"></a>

The CloudTrail Lake dashboards are supported in all AWS Regions where CloudTrail Lake is supported.

The **Activity summary** widget on the **Highlights** dashboard is supported in the following Regions:
+ Asia Pacific (Tokyo) Region (ap-northeast-1)
+ US East (N. Virginia) (us-east-1)
+ US West (Oregon) Region (us-west-1)

All other widgets are supported in all AWS Regions where CloudTrail Lake is supported.

For information about CloudTrail Lake supported Regions, see [CloudTrail Lake supported Regions](cloudtrail-lake-supported-regions.md).

## Required permissions
<a name="lake-dashboard-permissions"></a>

This section describes the required permissions for CloudTrail Lake dashboards and discusses two types of IAM policies:
+ Identity-based policies which allow you to perform actions to create, manage, and delete dashboards.
+ Resource-based policies that allow CloudTrail to run queries on your event data store when the dashboard is refreshed and perform scheduled refreshes of custom dashboards and the Highlights dashboard on your behalf. When you create dashboards using the CloudTrail console, you are given the option to attach resource-based policies. You can also run the AWS CLI [`put-resource-policy`](lake-dashboard-cli-manage.md#lake-dashboard-cli-add-rbp) command to add a resource-based policy to your event data stores or dashboards. 

### Identity-based policy requirements
<a name="lake-dashboard-permissions-identity"></a>

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

To view and manage CloudTrail Lake dashboards, you need one of the following policies:
+ The [AWSCloudTrail_FullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloudTrail_FullAccess.html) managed policy.
+ The [AdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html) managed policy.
+ A custom policy that includes one or more of the specific permissions described in the sections which follow.

**Topics**
+ [Required permissions for creating dashboards](#lake-dashboard-permissions-identity-create)
+ [Required permissions for updating dashboards](#lake-dashboard-permissions-identity-update)
+ [Required permissions for refreshing dashboards](#lake-dashboard-permissions-identity-create)

#### Required permissions for creating dashboards
<a name="lake-dashboard-permissions-identity-create"></a>

The following sample policy provides the required minimum permissions for creating dashboards. Replace the partition (`aws`), Region (`us-east-1`), account ID (`111111111111`), and *eds-id* in the sample with the values for your configuration.
+ `StartQuery` permission is required only if the request contains widgets. Provide `StartQuery` permissions for all event data stores included in a widget query.
+ `StartDashboardRefresh` permission is required only if the dashboard has a refresh schedule.
+ For the Highlights dashboard, the caller must have `StartQuery` permission on all the event data stores in the account.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:CreateDashboard",
                "cloudtrail:StartDashboardRefresh",
                "cloudtrail:StartQuery"
            ],
            "Resource": [
                "arn:aws:cloudtrail:us-east-1:111111111111:dashboard/*",
                "arn:aws:cloudtrail:us-east-1:111111111111:eventdatastore/eds-id"
            ]
        }
    ]
}
```


#### Required permissions for updating dashboards
<a name="lake-dashboard-permissions-identity-update"></a>

The following sample policy provides the required minimum permissions for updating dashboards. Replace the partition (`aws`), Region (`us-east-1`), account ID (`111111111111`), and *eds-id* in the sample with the values for your configuration.
+ `StartQuery` permission is required only if the request contains widgets. Provide `StartQuery` permissions for all event data stores included in a widget query.
+ `StartDashboardRefresh` permission is required only if the dashboard has a refresh schedule.
+ For the Highlights dashboard, the caller must have `StartQuery` permission on all the event data stores in the account.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:UpdateDashboard",
                "cloudtrail:StartDashboardRefresh",
                "cloudtrail:StartQuery"
            ],
            "Resource": [
                "arn:aws:cloudtrail:us-east-1:111111111111:dashboard/*",
                "arn:aws:cloudtrail:us-east-1:111111111111:eventdatastore/eds-id"
            ]
        }
    ]
}
```


#### Required permissions for refreshing dashboards
<a name="lake-dashboard-permissions-identity-create"></a>

The following sample policy provides the required minimum permissions for refreshing dashboards. Replace the partition (`aws`), Region (`us-east-1`), account ID (`111111111111`), *dashboard-name*, and *eds-id* in the sample with the values for your configuration.
+ For custom dashboards and the Highlights dashboard, the caller must have `cloudtrail:StartDashboardRefresh` permissions.
+ For managed dashboards, the caller must have `cloudtrail:StartDashboardRefresh` permission and `cloudtrail:StartQuery` permissions for the event data store involved in the refresh.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:StartDashboardRefresh",
                "cloudtrail:StartQuery"
            ],
            "Resource": [
                "arn:aws:cloudtrail:us-east-1:111111111111:dashboard/dashboard-name",
                "arn:aws:cloudtrail:us-east-1:111111111111:eventdatastore/eds-id"
            ]
        }
    ]
}
```
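
The three sample policies above always grant every action. The following added example (not part of the original documentation) applies the conditions listed in the bullets to emit only the statements a given request needs, scoping dashboard actions to the dashboard ARN and `StartQuery` to the event data stores. The function name, its parameters, and the sample ARNs in the demo are assumptions made for illustration.

```python
import json

DASHBOARD_ACTIONS = {"create": "cloudtrail:CreateDashboard",
                     "update": "cloudtrail:UpdateDashboard"}


def parse_arn(arn, expected_type):
    """Split a CloudTrail ARN and check its resource type."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "cloudtrail":
        raise ValueError(f"not a CloudTrail ARN: {arn}")
    resource_type, _, resource_id = parts[5].partition("/")
    if resource_type != expected_type or not resource_id:
        raise ValueError(f"expected a {expected_type} ARN: {arn}")
    return {"partition": parts[1], "account": parts[4]}


def minimum_identity_policy(operation, kind, dashboard_arn,
                            widget_eds_arns=(), refresh_schedule=False):
    """Build the smallest identity-based policy for one dashboard request.

    operation: "create", "update" or "refresh"
    kind:      "custom", "highlights" or "managed"
    """
    if operation not in ("create", "update", "refresh"):
        raise ValueError(f"unknown operation: {operation}")
    if kind not in ("custom", "highlights", "managed"):
        raise ValueError(f"unknown dashboard kind: {kind}")

    dash = parse_arn(dashboard_arn, "dashboard")
    eds_arns = sorted(set(widget_eds_arns))
    for arn in eds_arns:
        # Widgets can only query event data stores in the same account.
        if parse_arn(arn, "eventdatastore")["account"] != dash["account"]:
            raise ValueError(f"event data store is in another account: {arn}")

    if operation == "refresh":
        actions = ["cloudtrail:StartDashboardRefresh"]
        if kind == "managed":
            # Managed dashboards also need StartQuery on the store involved.
            if not eds_arns:
                raise ValueError("managed refresh needs an event data store ARN")
            query_targets = eds_arns
        else:
            query_targets = []
    else:
        if kind == "managed":
            raise ValueError("managed dashboards cannot be created or updated")
        actions = [DASHBOARD_ACTIONS[operation]]
        if refresh_schedule:
            actions.append("cloudtrail:StartDashboardRefresh")
        if kind == "highlights":
            # Highlights requires StartQuery on every store in the account.
            query_targets = ["arn:{}:cloudtrail:*:{}:eventdatastore/*".format(
                dash["partition"], dash["account"])]
        else:
            query_targets = eds_arns  # empty when the request has no widgets

    statements = [{"Sid": "DashboardActions", "Effect": "Allow",
                   "Action": actions, "Resource": [dashboard_arn]}]
    if query_targets:
        statements.append({"Sid": "WidgetQueries", "Effect": "Allow",
                           "Action": ["cloudtrail:StartQuery"],
                           "Resource": query_targets})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed sample ARNs, not real resources.
    dashboard = "arn:aws:cloudtrail:us-east-1:111111111111:dashboard/example-dashboard"
    eds = "arn:aws:cloudtrail:us-east-1:111111111111:eventdatastore/EXAMPLE-eds-id"
    policy = minimum_identity_policy("create", "custom", dashboard,
                                     widget_eds_arns=[eds, eds],
                                     refresh_schedule=True)
    print(json.dumps(policy, indent=4))
```
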


### Resource-based policies for dashboards and event data stores
<a name="lake-dashboard-permissions-rbps"></a>

Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM role trust policies and Amazon S3 bucket policies. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must specify a principal in a resource-based policy. 

To run queries on a dashboard during a manual or scheduled refresh, you must attach a resource-based policy to every event data store that is associated with a widget on the dashboard. This allows CloudTrail Lake to run the queries on your behalf. When you create a custom dashboard, or enable the **Highlights** dashboard using the CloudTrail console, CloudTrail gives you the option to choose which event data stores you want to apply permissions to. For more information about the resource-based policy, see [Example: Allow CloudTrail to run queries to refresh a dashboard](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-eds-dashboard).

To set a refresh schedule for a dashboard, you must attach a resource-based policy to the dashboard to allow CloudTrail Lake to refresh the dashboard on your behalf. When you set a refresh schedule for a custom dashboard, or enable the **Highlights** dashboard using the CloudTrail console, CloudTrail gives you the option to attach a resource-based policy to your dashboard. For an example policy, see [Resource-based policy example for a dashboard](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-dashboards).

You can attach a resource-based policy using the CloudTrail console, the [AWS CLI](lake-dashboard-cli-manage.md#lake-dashboard-cli-add-rbp), or the [PutResourcePolicy](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutResourcePolicy.html) API operation.
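
The following added example (not part of the original documentation) checks the two requirements above before a refresh is scheduled: every event data store behind a widget has a `cloudtrail:StartQuery` grant for the CloudTrail service principal, and the dashboard itself has a `cloudtrail:StartDashboardRefresh` grant. It assumes each grant is pinned to the dashboard with an `aws:SourceArn` condition under `StringEquals`; the function names and the sample policies and ARNs are constructed for illustration.

```python
import json

SERVICE_PRINCIPAL = "cloudtrail.amazonaws.com"


def as_list(value):
    """IAM policy elements may be a single value or a list."""
    return value if isinstance(value, list) else [value]


def grants_cloudtrail(policy_json, action, dashboard_arn):
    """True if an Allow statement gives the CloudTrail service principal
    `action`, restricted to `dashboard_arn` by an aws:SourceArn condition."""
    if not policy_json:
        return False
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        services = (as_list(principal.get("Service", []))
                    if isinstance(principal, dict) else [])
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition key names are case-insensitive.
        source_arns = [v for key, vals in equals.items()
                       if key.lower() == "aws:sourcearn" for v in as_list(vals)]
        if (stmt.get("Effect") == "Allow"
                and SERVICE_PRINCIPAL in services
                and action in as_list(stmt.get("Action", []))
                and dashboard_arn in source_arns):
            return True
    return False


def audit_refresh_permissions(dashboard_arn, widget_eds, eds_policies,
                              dashboard_policy=None, scheduled=False):
    """Return findings for missing or unscoped resource-based policies.

    widget_eds:   {widget title: event data store ARN}
    eds_policies: {event data store ARN: policy JSON string or None}
    """
    findings = []
    for eds_arn in sorted(set(widget_eds.values())):
        if not grants_cloudtrail(eds_policies.get(eds_arn),
                                 "cloudtrail:StartQuery", dashboard_arn):
            widgets = sorted(w for w, arn in widget_eds.items() if arn == eds_arn)
            findings.append("{}: no StartQuery grant scoped to this dashboard "
                            "(widgets: {})".format(eds_arn, ", ".join(widgets)))
    if scheduled and not grants_cloudtrail(
            dashboard_policy, "cloudtrail:StartDashboardRefresh", dashboard_arn):
        findings.append("{}: no StartDashboardRefresh grant for the refresh "
                        "schedule".format(dashboard_arn))
    return findings


def service_policy(action, source_arn=None):
    """Build a constructed resource-based policy for the sample data."""
    stmt = {"Effect": "Allow", "Principal": {"Service": SERVICE_PRINCIPAL},
            "Action": action}
    if source_arn:
        stmt["Condition"] = {"StringEquals": {
            "AWS:SourceArn": source_arn, "AWS:SourceAccount": "111111111111"}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


# Constructed sample data, not real resources.
DASHBOARD = "arn:aws:cloudtrail:us-east-1:111111111111:dashboard/example-dashboard"
EDS_A = "arn:aws:cloudtrail:us-east-1:111111111111:eventdatastore/EXAMPLE-eds-a"
EDS_B = "arn:aws:cloudtrail:us-east-1:111111111111:eventdatastore/EXAMPLE-eds-b"
SAMPLE_WIDGETS = {"Failed logins": EDS_A, "Top callers": EDS_A, "S3 deletes": EDS_B}
SAMPLE_EDS_POLICIES = {
    EDS_A: service_policy("cloudtrail:StartQuery", DASHBOARD),
    EDS_B: service_policy("cloudtrail:StartQuery"),  # grant lacks the condition
}

if __name__ == "__main__":
    for finding in audit_refresh_permissions(DASHBOARD, SAMPLE_WIDGETS,
                                             SAMPLE_EDS_POLICIES, scheduled=True):
        print(finding)
```

A grant to the service principal that carries no `aws:SourceArn` condition is reported as a finding rather than accepted, because it is not tied to a specific dashboard.
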

### KMS key permissions to decrypt data in an event data store
<a name="lake-dashboard-permissions-kms"></a>

If an event data store being queried is encrypted with a KMS key, ensure the KMS key policy allows CloudTrail to decrypt the data in the event data store. The following example policy statement allows the CloudTrail service principal to decrypt the event data store.

```
{
    "Sid": "AllowCloudTrailDecryptAccess",
    "Effect": "Allow",
    "Principal": {
        "Service": "cloudtrail.amazonaws.com"
    },
    "Action": "kms:Decrypt",
    "Resource": "*"
}
```

# View a managed dashboard with the CloudTrail console
<a name="lake-dashboard-managed"></a>

CloudTrail Lake provides managed dashboards that show event trends for event data stores that collect management events, data events, and Insights events. These dashboards are managed by CloudTrail Lake. You cannot modify, add, or remove the widgets for these dashboards; however, you can save a managed dashboard as a custom dashboard if you want to modify the widgets or set a refresh schedule.

**Note**  
You can only view managed dashboards for event data stores that exist in your account.

**To view a managed dashboard**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the left navigation pane, under **Lake**, choose **Dashboard**.

1. Choose the **Managed and custom dashboards** tab.

1. From **Managed dashboards**, choose the dashboard you want to view. For more information, see [Available managed dashboards](lake-managed-dashboards.md).

   **Note**  
   The dropdown shows only relevant event data stores for the selected dashboard. For example, if you choose dashboards focused on data events, like S3 data events, the dropdown will only show event data stores that are configured to collect data events.

1. Choose the event data store for the dashboard. CloudTrail will run queries on this dashboard when the dashboard is refreshed.

1. To view the query for a widget, choose **View and edit query** at the bottom of the widget.

1. Choose to filter the dashboard data by an **Absolute range** or **Relative range**. Choose **Absolute range** to select a specific date and time range. Choose **Relative range** to select a predefined time range or a custom range. By default, the dashboard displays event data for the past 24 hours.

   **Note**  
   CloudTrail Lake queries incur costs based upon the amount of data scanned. To help control costs, you can filter on a narrower time range. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

1. Choose the refresh icon to populate the graphics for the dashboard's widgets. Each widget indicates the status of the refresh.

## Save a managed dashboard as a custom dashboard
<a name="lake-dashboard-convert"></a>

You cannot modify a managed dashboard, but you can save a copy as a custom dashboard. This allows you to set a refresh schedule for the dashboard and modify the widgets.

**To save a managed dashboard as a custom dashboard**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the left navigation pane, under **Lake**, choose **Dashboard**.

1. Choose the **Managed and custom dashboards** tab.

1. Choose the managed dashboard that you want to create a copy of.

1. Choose **Save as new dashboard**.

1. Provide a name to identify the dashboard.

1. (Optional) In the **Tags** section, you can add up to 50 tag key pairs to help you identify and sort your dashboards. For more information about how you can use tags in AWS, see [Tagging AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the *Tagging AWS Resources User Guide*.

1. For **Permissions**, choose the event data stores that you want to apply permissions to. Because CloudTrail runs queries to populate data for the widgets on a dashboard, CloudTrail requires permissions to run queries on the event data store associated with the dashboard's widgets. For each event data store selected in this step, CloudTrail attaches a resource-based policy to the event data store that allows CloudTrail to run queries. You can deselect an event data store if you do not want to allow permissions.

1. Choose **Create dashboard**.

After you create the custom dashboard, you can [add widgets](lake-dashboard-custom-widgets.md), [remove widgets](lake-dashboard-custom-widgets-remove.md), and [set a refresh schedule](lake-dashboard-refresh.md) for the dashboard.

# Available managed dashboards
<a name="lake-managed-dashboards"></a>

This section describes the available managed dashboards and the widgets featured on each dashboard.

**Topics**
+ [Security monitoring dashboard](#lake-managed-dashboard-security)
+ [IAM activity dashboard](#lake-managed-dashboard-iam)
+ [User activity dashboard](#lake-managed-dashboard-user)
+ [Enriched events dashboard](#lake-managed-dashboard-enriched-events)
+ [Error analysis dashboard](#lake-managed-dashboard-error)
+ [EC2 activity dashboard](#lake-managed-dashboard-ec2)
+ [Organizations activity dashboard](#lake-managed-dashboard-organizations)
+ [Resource changes dashboard](#lake-managed-dashboard-resources)
+ [Data events overview dashboard](#lake-managed-dashboard-data)
+ [Lambda data events dashboard](#lake-managed-dashboard-lambda)
+ [DynamoDB data events dashboard](#lake-managed-dashboard-dynamodb)
+ [S3 data events dashboard](#lake-managed-dashboard-s3)
+ [Insights events dashboard](#lake-managed-dashboard-insights)
+ [Management events dashboard](#lake-managed-dashboard-mgmt)
+ [Overview dashboard](#lake-managed-dashboard-overview)

## Security monitoring dashboard
<a name="lake-managed-dashboard-security"></a>

This dashboard provides a centralized view of critical security-focused widgets, such as top access denied events, failed console login attempts and their associated IP addresses, root user console login attempts, destructive actions, and cross-account access. It supports quick incident detection and response to enhance your overall security posture.

This dashboard is available for event data stores that collect management events and includes the following widgets:

**Top access denied events**  
Tracks the most frequently occurring access-denied events, grouped by API.

**Failed ConsoleLogin attempts**  
Tracks the trend of failed console login attempts over time, with breakdowns on MFA vs Non-MFA authenticated callers. 

**Failed ConsoleLogin attempts by IP address**  
Tracks the IP addresses associated with failed console login attempts and displays the top offending IP addresses by failed login count.

**Root user ConsoleLogin attempts**  
Tracks the frequency of console login attempts made by root users over time.

**Destructive actions**  
Tracks the frequency of delete operations over time.

**Top cross-account access**  
Tracks the top cross-account activity by caller account ID and action.

**Users who disabled MFA**  
Tracks the most recent users who disabled MFA.

**Recent EC2 SecurityGroup and NetworkAcl changes**  
Tracks the most recent EC2 SecurityGroup and NetworkAcl changes.

**Recent EC2 SecurityGroup changes that allow public access**  
Tracks the most recent EC2 security groups that have rules allowing public (0.0.0.0/0) access.

**Potential CloudTrail disabling actions**  
Tracks recent actions that risk disrupting CloudTrail logging.

## IAM activity dashboard
<a name="lake-managed-dashboard-iam"></a>

This dashboard provides visibility into commonly used IAM APIs, API errors, changes to IAM entities, and top caller IP addresses, enabling the identification of unintended IAM actions and compliance issues.

This dashboard is available for event data stores that collect management events and includes the following widgets:

**Top IAM APIs**  
Tracks the most frequently used IAM APIs.

**Top IAM callers**  
Tracks the most frequent IAM API callers.

**IAM success vs failure trend**  
Tracks the trend of success and failed IAM API calls over time.

**Top IAM API errors**  
Tracks the most frequent errors in calling IAM APIs.

**Top AccessDenied IAM APIs**  
Tracks the most frequent IAM API calls that failed with access denied errors.

**Top IP addresses of IAM calls**  
Tracks the top source IP addresses from which IAM API calls were made.

**Recent IAM policy changes**  
Tracks the most recent changes to IAM policies, categorized by the specific IAM API operation that facilitated the change, the IAM resource (user, role, or group) associated with the policy change, and the policy name or ARN that was used.

**Recent IAM user changes**  
Tracks the most recent changes to IAM users, categorized by the specific IAM API that facilitates user management, the IAM user affected by the change, and the event time.

**Top assumed IAM roles**  
Tracks the most frequently assumed IAM roles.

## User activity dashboard
<a name="lake-managed-dashboard-user"></a>

This dashboard provides visibility into user activity trends and insights into key areas such as top active users, user traffic patterns, users with access denied errors, recent user operations, users who performed destructive activities and IAM policy changes, and privileged user actions. It helps detect unintended user actions and security risks.

This dashboard is available for event data stores that collect management events and includes the following widgets:

**User activity trends by user ARN**  
Tracks the user activity trend over time by user ARN.

**User activity trends by API**  
Tracks the user activity trend over time by API.

**Most recent user activity**  
Tracks the most recent user actions. 

**Top users with errors**  
Tracks the users that have the highest number of errors.

**Top users with AccessDenied errors**  
Tracks the users that have the highest number of AccessDenied errors. 

**Top users making destructive actions**  
Tracks the users that are making the highest number of destructive actions. 

**Top users changing IAM policies**  
Tracks the IAM users who are frequently performing changes to IAM policies.

**Top actions performed by potential IAM privileged users**  
Tracks the most frequent actions by highly privileged IAM users, such as administrators.

## Enriched events dashboard
<a name="lake-managed-dashboard-enriched-events"></a>

This enriched events dashboard provides insights on trends across tagged resources, principal activities, and AWS global condition keys. These insights help you analyze the most frequent resource and principal tag distributions as well as frequently used global condition keys in role sessions, requests, and principals in request context.

This dashboard is available for event data stores that collect management events and includes the following widgets:

**Enriched events over time**  
Tracks the count of enriched events over time.

**Most frequent resource tag key value pairs**  
Displays the most frequently used resource tag key-value pairs across enriched events. 

**Most frequent resource tag key value pairs with associated resources and users**  
Displays the most frequently used resource tag key-value pairs, showing which resources use these tags and which users are associated with them.

**Most frequent principal tag key value pairs**  
Displays the most frequently used principal tag key-value pairs across enriched events.

**Most frequent access denied actions grouped by principal tag key value pairs**  
Displays the most frequent access-denied actions grouped by principal tag key-value pairs across enriched events.

**Most frequent principal properties in IAM global condition keys**  
Displays the most frequently used IAM global condition keys for principal properties, showing their key-value pairs and counts across all events.

**Most frequent request properties in IAM global condition keys**  
Displays the most frequently used IAM global condition keys for request properties, showing their key-value pairs and counts across all events.

**Most frequent role session properties in IAM global condition keys**  
Displays the most frequently used IAM global condition keys for role session properties, showing their key-value pairs and counts across all events.

## Error analysis dashboard
<a name="lake-managed-dashboard-error"></a>

This dashboard provides comprehensive insights into error trends across services, APIs, users, error codes, and throttled APIs. The visibility enables prompt identification and troubleshooting of potential availability issues for optimal system performance.

This dashboard is available for event data stores that collect management events and includes the following widgets:

**Error count by service**  
Tracks the error count of activities by service.

**Error count by API**  
Tracks the error count of activities by API.

**Top errors by error code**  
Tracks the most frequent errors by error code.

**Top errors by error message**  
Tracks the most frequent errors by error message.

**Top AccessDenied errors by API**  
Tracks the APIs with the most frequently reported access denied errors.

**Top throttled errors by API**  
Tracks the APIs with the most frequently reported throttled errors.

**Top users with errors**  
Tracks the users with the most frequently reported errors.

## EC2 activity dashboard
<a name="lake-managed-dashboard-ec2"></a>

This dashboard provides comprehensive visibility into EC2 management activities, like API trends, access errors, top instance launchers, security changes, and network modifications. The insights help identify security risks and operational issues.

This dashboard is available for event data stores that collect management events and includes the following widgets:

**EC2 instance management activity overview**  
Monitors an overview of EC2 instance management activities over a specified time, highlighting key operations such as launches, stops, and terminations.

**EC2 API success vs failure trends**  
Tracks the trend of success and failed EC2 API calls over time.

**Top EC2 errors**  
Tracks the most frequent error codes that occur during EC2 API calls.

**Top EC2 AccessDenied events**  
Tracks EC2 APIs with the most access denied errors.

**Top users launching EC2 instances**  
Tracks the users who are the most active in launching new EC2 instances.

**Recent EC2 SecurityGroup and NetworkInterface changes**  
Tracks the most recent EC2 security group and network interface changes. 

**Recent VPC management and route table changes**  
Tracks the most recent VPC management activities and route table changes. 

**Recent EC2 actions by root user**  
Tracks the most recent EC2 actions performed by root users with highly privileged permissions.

## Organizations activity dashboard
<a name="lake-managed-dashboard-organizations"></a>

Designed for organization event data stores, this dashboard offers visibility into organizational activities and trends, including insights on active members, account management, access patterns, policy changes, and top services and APIs utilized.

This dashboard is available for organization event data stores and includes the following widgets:

**Activity trend in the organization**  
Tracks the overall activity trend across the entire AWS Organizations organization over time, providing visibility into periods of high or low activity levels.

**Member account management summary**  
Tracks the distribution of member account management activities within the organization, categorized based on the counts of each activity type.

**Most used services across organization**  
Tracks the AWS services that have been utilized the most across the organization.

**Most active accounts by service**  
Tracks the most active accounts utilizing an AWS service across the organization.

**Most used APIs across organization**  
Highlights the AWS APIs that have been invoked most frequently across the entire organization.

**Most active member accounts**  
Tracks the member accounts within the organization that have exhibited the highest count of activity.

**Access denied errors trend across the organization**  
Tracks the pattern of access denied errors occurring within the organization over time.

**Accounts with most access denied errors**  
Tracks the accounts within the organization that have experienced the highest number of access denied errors.

**Recent service control policy changes**  
Tracks the most recent changes made to service control policies (SCPs) within the organization.

## Resource changes dashboard
<a name="lake-managed-dashboard-resources"></a>

This dashboard provides a comprehensive view of resource management activities, monitoring trends in provisioning, deletion, and modifications across services. It highlights critical changes, including those made through CloudFormation, manually, and to policies like S3 bucket and KMS access.

This dashboard is available for event data stores that collect management events and includes the following widgets:

**Resource creation and deletion trends**  
Tracks the creation and deletion of resources within the account over time.

**Top users performing resource creation**  
Tracks the users who are most actively creating new resources.

**Top APIs used for resource creation**  
Tracks the APIs that are most frequently used for creating new resources within the account.

**Top APIs used for resource deletion**  
Tracks the APIs that are most frequently used for deleting resources within the account.

**Most recent resources created outside CloudFormation**  
Tracks new resources created outside of CloudFormation governance, emphasizing changes not managed through CloudFormation templates.

**Most recent resource changes made using console**  
Tracks the most recent changes made to resources via the AWS Management Console.

**Most recent S3 bucket access changes**  
Tracks the most recent S3 bucket access changes. 

**Most recent KMS key access changes**  
Tracks the most recent KMS key policy changes. 

## Data events overview dashboard
<a name="lake-managed-dashboard-data"></a>

This dashboard offers a centralized view of data events in the event data store, including overall activity trends, top services, APIs, regions, throttled data plane APIs, and leading data plane users. This dashboard helps you monitor data plane API activity for auditing and troubleshooting.

This dashboard is available for event data stores that collect data events and includes the following widgets:

**Overall data events trend**  
Tracks the trend in overall data events occurring within the account over time.

**Top services generating data events**  
Tracks the services generating the highest volume of data activity within the account.

**Top APIs generating data events**  
Tracks the APIs generating the highest volume of data activity within the account.

**Top regions generating data events**  
Tracks the regions generating the highest volume of data activity within the account.

**Top throttled data plane APIs**  
Tracks the data plane APIs that are experiencing frequent throttling within the account.

**Top users of data plane APIs**  
Tracks the top users who utilize data plane APIs most across the account.

## Lambda data events dashboard
<a name="lake-managed-dashboard-lambda"></a>

This dashboard provides visibility into Lambda data plane API activity, including top users, frequently invoked functions, and common API errors. These insights help you audit Lambda usage, detect abnormalities, and mitigate operational or security risks.

This dashboard is available for event data stores that collect Lambda data events and includes the following widgets:

**Lambda data plane API activity**  
Tracks the trend in Lambda data plane API activity within the account over time.

**Lambda invocations success vs failure trend**  
Tracks the trend of successful and failed Lambda invocations over time.

**Top users of Lambda invocations**  
Tracks the users who make the most invocations of Lambda functions across the account.

**Top invoked Lambda functions**  
Tracks the Lambda functions that are invoked most frequently within the account.

**Top 10 Lambda Invoke API errors**  
Tracks the top 10 errors encountered during Lambda Invoke API calls.

**Most throttled users of Lambda invocations**  
Tracks the users who experience the highest number of throttling events for Lambda invocations.

## DynamoDB data events dashboard
<a name="lake-managed-dashboard-dynamodb"></a>

This dashboard provides visibility into DynamoDB data plane API activity, including usage trends, top APIs, and throttling patterns involving users and tables. These insights help you audit DynamoDB usage, detect abnormalities, and mitigate operational or security risks.

This dashboard is available for event data stores that collect DynamoDB data events and includes the following widgets:

**DynamoDB account data activity**  
Tracks the trend in DynamoDB data events occurring within the account over time.

**DynamoDB data plane APIs success vs failure trend**  
Tracks the trend of successful and failed DynamoDB data plane API calls over time.

**Top 10 DynamoDB data plane APIs**  
Lists the top 10 DynamoDB data plane API calls.

**Top users of DynamoDB data plane APIs**  
Tracks the users who make the highest number of calls to DynamoDB data plane APIs within the account.

**Top 10 DynamoDB data plane API errors**  
Tracks the top 10 errors in calling DynamoDB data plane APIs.

**Most throttled users of DynamoDB data plane APIs**  
Tracks the users with most frequent throttling when calling DynamoDB data plane APIs.

**Top throttled DynamoDB data plane APIs**  
Tracks the DynamoDB data plane APIs that are experiencing frequent throttling within the account.

**Top throttled DynamoDB tables**  
Tracks the DynamoDB tables experiencing the highest rates of throttling within the account.

## S3 data events dashboard
<a name="lake-managed-dashboard-s3"></a>

This dashboard provides visibility into S3 data plane API activity, including usage trends, most accessed S3 objects, top S3 users, and top S3 actions. These insights help you audit S3 usage, detect abnormalities, and mitigate operational or security risks.

This dashboard is available for event data stores that collect Amazon S3 data events and includes the following widgets:

**S3 account activity**  
Tracks S3 account activity.

**Most accessed objects**  
Lists the most accessed S3 objects.

**S3 top users**  
Tracks the top S3 users. 

**Top S3 actions**  
Tracks the top S3 actions.

## Insights events dashboard
<a name="lake-managed-dashboard-insights"></a>

This dashboard provides visibility into the overall breakdown of Insights events by type, as well as the top users and services generating these event types. Additionally, it shows the daily count of Insights events and a 30-day historical view of Insights metrics.

**Note**  
After you enable CloudTrail Insights for the first time on the source event data store, it can take up to 7 days for CloudTrail to deliver the first Insights event, if unusual activity is detected.
The **Insights Events** dashboard only displays information about the Insights events collected by the selected event data store, which is determined by the configuration of the source event data store. For example, if you configure the source event data store to enable Insights events on `ApiCallRateInsight` but not `ApiErrorRateInsight`, you won't see information about Insights events on `ApiErrorRateInsight`.

This dashboard is available for event data stores that collect Insights events and includes the following widgets:

**Insight types**  
Tracks events by Insights type.

**Insights by date**  
Tracks Insights events by date. 

**API call rate Insights by event source**  
Tracks API call rate Insights by event source. To view data for this widget, your Insights event data store must be configured to collect Insights on API call rate.

**API error rate Insights by event source**  
Tracks API error rate Insights by event source. To view this widget, your Insights event data store must be configured to collect Insights on API error rate.

**Insights by top users**  
Lists the top users with requests resulting in Insights events.

**Insights events**  
Lists recent Insights events.

## Management events dashboard
<a name="lake-managed-dashboard-mgmt"></a>

This dashboard highlights insights on access denied events, destructive actions, console sign-in events, top errors by user, TLS version usage, and outdated TLS calls by user.

This dashboard is available for event data stores that collect management events and includes the following widgets:

**Top access denied events**  
Tracks the top events that resulted in access denied errors.

**Top errors by user**  
Tracks the top errors by user.

**Console sign-in events**  
Shows console sign-in events.

**Destructive actions**  
Tracks destructive actions.

**TLS version**  
Shows the TLS versions.

**Outdated TLS calls by user**  
Tracks calls using outdated TLS versions by user.

## Overview dashboard
<a name="lake-managed-dashboard-overview"></a>

This dashboard provides an overview of account activity, including read and write activity, top errors, most active AWS Regions, top services, most throttled events, and top users.

This dashboard is available for event data stores that collect management events and includes the following widgets:

**Account activity**  
Tracks read and write activity for your account. 

**Top errors**  
Lists the most frequent errors.

**Most active regions**  
Shows the most active AWS Regions.

**Top services**  
Shows the top services.

**Most throttled events**  
Lists the most throttled events.

**Top users**  
Lists the top users.

# Enable the Highlights dashboard with the CloudTrail console
<a name="lake-dashboard-highlights"></a>

Enable the Highlights dashboard to view an at-a-glance overview of the AWS activity collected by the event data stores in your account. The Highlights dashboard is managed by CloudTrail and includes widgets that are relevant to your account. The widgets shown on the Highlights dashboard are unique to each account. These widgets could surface detected abnormal activity or anomalies. For example, your Highlights dashboard could include the **Total cross-account access widget**, which shows if there is an increase in abnormal cross-account activity.

CloudTrail updates the Highlights dashboard every 6 hours. The dashboard shows the last 24 hours of data from the last update.

**Note**  
You can only enable the Highlights dashboard for event data stores that exist in your account.  
You cannot set a refresh schedule for the Highlights dashboard, or add or remove widgets.

## To enable the Highlights dashboard
<a name="lake-dashboard-highlights-enable"></a>

Use the following procedure to enable the Highlights dashboard.

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1.  In the left navigation pane, under **Lake**, choose **Dashboard**. 

1. Choose the **Highlights** tab.

1. Because running queries incurs CloudTrail charges, CloudTrail asks you to review the cost information before enabling the **Highlights** dashboard. For information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

   Choose **Agree and enable Highlights** to enable the Highlights dashboard.

1. For **Permissions**, choose the event data stores that you want to apply permissions to. CloudTrail requires permissions to run queries on your event data stores and refresh the dashboard on your behalf. To provide permissions, CloudTrail attaches a default resource-based policy to each event data store selected in this step to allow CloudTrail to run queries on the event data store. CloudTrail attaches a resource-based policy to the dashboard to allow CloudTrail to refresh the dashboard every 6 hours.

   You can modify the resource-based policy for an event data store from its details page. You can modify the resource-based policy for a dashboard by selecting **Edit policy** from the **Actions** menu for the dashboard.

1. Choose **Confirm**.

When you enable the **Highlights** dashboard, termination protection is automatically enabled. Termination protection protects a dashboard from being accidentally deleted. To disable the dashboard, you must first disable termination protection.

# Disable the Highlights dashboard with the CloudTrail console
<a name="lake-dashboard-highlights-disable"></a>

This section describes how to disable the Highlights dashboard. Because termination protection is automatically enabled for the Highlights dashboard, you'll need to first disable termination protection and then disable the Highlights dashboard.

**To disable the Highlights dashboard**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1.  In the left navigation pane, under **Lake**, choose **Dashboard**. 

1. Choose the **Highlights** tab.

1. From **Actions**, choose **Change termination protection**.

1. Choose **Disabled**.

1. Choose **Save**.

1. From **Actions**, choose **Disable Highlights**.

# Create a custom dashboard with the CloudTrail console
<a name="lake-dashboard-custom"></a>

You can create custom dashboards and add up to 10 widgets to each custom dashboard. You can choose to add sample widgets or create new widgets from SQL queries.

After you're done adding widgets, you can manually refresh the dashboard or set a refresh schedule.

**To create a custom dashboard**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1.  In the left navigation pane, under **Lake**, choose **Dashboard**. 

1. Choose the **Managed and custom dashboards** tab.

1. Choose **Build my own dashboard**.

1. Provide a dashboard name to identify your dashboard.

1. For **Permissions**, choose the event data stores that you want to apply permissions to. Because CloudTrail runs queries to populate data for the widgets on a dashboard, CloudTrail requires permissions to run queries on the event data stores associated with the dashboard's widgets. For each event data store selected in this step, CloudTrail attaches a resource-based policy to the event data store that allows CloudTrail to run queries on the event data store for this dashboard.

1. (Optional) In the **Tags** section, you can add up to 50 tag key pairs to help you identify and sort your dashboards. For more information about how you can use tags in AWS, see [Tagging AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the *Tagging AWS Resources User Guide*.

1. Choose **Create dashboard**.

   Next, you can add widgets and [set a refresh schedule](lake-dashboard-refresh.md).

**Topics**
+ [Add a sample widget with the CloudTrail console](lake-dashboard-custom-widgets.md)
+ [Create a new widget from a SQL query with the CloudTrail console](lake-dashboard-custom-widgets-new.md)
+ [Remove a widget from a dashboard with the CloudTrail console](lake-dashboard-custom-widgets-remove.md)

# Add a sample widget with the CloudTrail console
<a name="lake-dashboard-custom-widgets"></a>

This section describes how to add a sample widget to your dashboard. You can add a maximum of 10 widgets to a custom dashboard.

**Note**  
Sample widgets are limited to a single event data store that exists in your account. To query across multiple event data stores in your account, [create a new widget](lake-dashboard-custom-widgets-new.md).

**To add a sample widget to a dashboard**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1.  In the left navigation pane, under **Lake**, choose **Dashboard**. 

1. Choose the **Managed and custom dashboards** tab.

1. In **Custom dashboards**, choose the dashboard that you want to add a widget to.

1. From **Actions**, choose **Edit dashboard**.

1. From **Actions**, choose **Add sample widget**.

1. Choose the event data store you'd like to run the query on. You can only choose event data stores that exist in your account.

1. Choose the sample widget you'd like to add. By default, all sample widgets are shown. You can filter by a widget type (for example, IAM widgets).

1. Choose **View query** to view the query for the selected widget.

1. Choose **Add to dashboard** to add the widget to the dashboard.

1. Choose **Save** to save the dashboard.

# Create a new widget from a SQL query with the CloudTrail console
<a name="lake-dashboard-custom-widgets-new"></a>

This section describes how to create a new widget by writing or pasting a SQL query and choosing a chart type. You can add a maximum of 10 widgets to a custom dashboard.

**To create a new widget from a SQL query**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1.  In the left navigation pane, under **Lake**, choose **Dashboard**. 

1. Choose the **Managed and custom dashboards** tab.

1. In **Custom dashboards**, choose the dashboard that you want to create a widget for.

1. From **Actions**, choose **Edit dashboard**.

1. From **Actions**, choose **Create new widget**.

1. Choose the event data store you'd like to run the query on. You can query across multiple event data stores as long as the event data stores exist in your account.

1. Write or copy the SQL query.

   You can also provide a natural language prompt in English and choose **Generate query** to produce a SQL query from your prompt. For more information, see [Create CloudTrail Lake queries from natural language prompts](lake-query-generator.md).

1. Choose **Run** to run the query and preview the query results.

   **Note**  
   When you run queries, you incur charges based on the amount of optimized and compressed data scanned. To help control costs, we recommend that you constrain queries by adding starting and ending `eventTime` timestamps to queries.

1. Choose the **Visualizer** tab to select the chart type for the widget. You can choose from these chart types: table, bar chart, line chart, and pie chart.

1. Choose **Add to dashboard** to add the widget to the dashboard.

1. Choose **Save** to save the dashboard.

# Remove a widget from a dashboard with the CloudTrail console
<a name="lake-dashboard-custom-widgets-remove"></a>

This section describes how to remove a widget from a custom dashboard.

**To remove a widget from a dashboard**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1.  In the left navigation pane, under **Lake**, choose **Dashboard**. 

1. Choose the **Managed and custom dashboards** tab.

1. In **Custom dashboards**, choose the dashboard for which you want to remove a widget.

1. From **Actions**, choose **Edit dashboard**.

1. On the widget you want to remove, choose the remove icon (![\[Vertical ellipsis icon representing a menu or more options.\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/remove-icon.png)) and then choose **Remove**.

1. Choose **Save** to save the dashboard.

# Set a refresh schedule for a custom dashboard with the CloudTrail console
<a name="lake-dashboard-refresh"></a>

This section describes how to set a dashboard refresh schedule. You can set a refresh schedule to allow CloudTrail Lake to refresh a dashboard every 1 hour, 6 hours, 12 hours, or 24 hours (1 day).

When you set a refresh schedule using the CloudTrail console, CloudTrail attaches a resource-based policy to the dashboard that allows CloudTrail to refresh the dashboard on your behalf.

**To set a refresh schedule**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1.  In the left navigation pane, under **Lake**, choose **Dashboard**. 

1. Choose the **Managed and custom dashboards** tab.

1. In **Custom dashboards**, choose the dashboard that you want to set a refresh schedule for.

1. Choose the refresh frequency from the dropdown list.

1. To create a refresh schedule, CloudTrail attaches a resource-based policy to the dashboard to allow CloudTrail to refresh the dashboard on your behalf. Expand **Dashboard resource policy** to view the resource-based policy that CloudTrail will attach to the dashboard.

1. Because running queries incurs costs, CloudTrail asks you to confirm that you want CloudTrail to run queries for the scheduled frequency. Choose **Confirm** to set a refresh schedule.

# Disable the refresh schedule for a custom dashboard with the CloudTrail console
<a name="lake-dashboard-refresh-disable"></a>

You can disable the refresh schedule if you no longer want CloudTrail to automatically refresh your dashboard, and instead wish to manually refresh your dashboard.

**To disable a refresh schedule**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1.  In the left navigation pane, under **Lake**, choose **Dashboard**. 

1. Choose the **Managed and custom dashboards** tab.

1. In **Custom dashboards**, choose the dashboard that you want to disable a refresh schedule for.

1. Choose **Disable refresh schedule** from the dropdown list.   
![\[Option for disabling refresh schedule\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/ct-lake-disable-schedule.png)

# Change termination protection with the CloudTrail console
<a name="lake-dashboard-termination-protection"></a>

Termination protection prevents a dashboard from accidental deletion. If you want to delete a custom dashboard, or disable the Highlights dashboard, you must disable termination protection.

**To turn off termination protection**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the navigation pane, under **Lake**, choose **Dashboard**.

1. Choose the dashboard you want to disable termination protection for.

1. From **Actions**, choose **Change termination protection**.

1. Choose **Disabled**.

1. Choose **Save**.

**To turn on termination protection**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the navigation pane, under **Lake**, choose **Dashboard**.

1. Choose the dashboard you want to enable termination protection for.

1. From **Actions**, choose **Change termination protection**.

1. To turn on termination protection, choose **Enabled**.

1. Choose **Save**.

# Delete a custom dashboard with the CloudTrail console
<a name="lake-dashboard-delete"></a>

This section describes how to delete a dashboard using the CloudTrail console.

**Note**  
You can't delete a dashboard if [termination protection](lake-dashboard-termination-protection.md) is enabled.

**To delete a dashboard**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the navigation pane, under **Lake**, choose **Dashboard**.

1. Choose the **Managed and custom dashboards** tab.

1. Choose the custom dashboard you want to delete.

1. From **Actions**, choose **Delete**.

1. Choose **Delete** to confirm you want to delete the dashboard.

# Create, update, and manage dashboards with the AWS CLI
<a name="lake-dashboard-cli"></a>

This section describes the AWS CLI commands you can use to create, update, and manage your CloudTrail Lake dashboards.

When using the AWS CLI, remember that your commands run in the AWS Region configured for your profile. If you want to run the commands in a different Region, either change the default Region for your profile, or use the `--region` parameter with the command.

## Available commands for dashboards
<a name="lake-dashboard-cli-commands"></a>

Commands for creating and updating dashboards in CloudTrail Lake include:
+ `create-dashboard` to create a custom dashboard or enable the Highlights dashboard.
+ `update-dashboard` to update a custom dashboard or the Highlights dashboard.
+ `delete-dashboard` to delete a custom dashboard or the Highlights dashboard.
+ `get-dashboard` returns information about the specified dashboard.
+ `list-dashboards` lists all dashboards for your AWS account, or for the specified filter.
+ `start-dashboard-refresh` starts a refresh of the dashboard.
+ `get-resource-policy` gets the resource-based policy attached to the dashboard.
+ `put-resource-policy` attaches a resource-based policy to a dashboard to allow CloudTrail to refresh the dashboard asynchronously on your behalf. You also attach a resource-based policy to an event data store to allow CloudTrail to run queries on the event data store to populate the data for dashboard widgets.
+ `delete-resource-policy` removes the resource-based policy attached to a dashboard.
+ `add-tags` adds tags to identify the dashboard.
+ `remove-tags` removes tags from a dashboard.
+ `list-tags` lists tags for a dashboard.

For a list of available commands for CloudTrail Lake event data stores, see [Available commands for event data stores](lake-eds-cli.md#lake-eds-cli-commands).

For a list of available commands for CloudTrail Lake queries, see [Available commands for CloudTrail Lake queries](lake-queries-cli.md#lake-queries-cli-commands).

For a list of available commands for CloudTrail Lake integrations, see [Available commands for CloudTrail Lake integrations](lake-integrations-cli.md#lake-integrations-cli-commands).

**Topics:**
+  [Create a dashboard with the AWS CLI](lake-dashboard-cli-create.md) 
+  [Manage dashboards with the AWS CLI](lake-dashboard-cli-manage.md) 
+  [Delete a dashboard with the AWS CLI](lake-dashboard-cli-delete.md) 

# Create a dashboard with the AWS CLI
<a name="lake-dashboard-cli-create"></a>

This section describes how to use the `create-dashboard` command to create a custom dashboard or the Highlights dashboard.

When using the AWS CLI, remember that your commands run in the AWS Region configured for your profile. If you want to run the commands in a different Region, either change the default Region for your profile, or use the `--region` parameter with the command.

 CloudTrail runs queries to populate the dashboard's widgets during a manual or scheduled refresh. CloudTrail must be granted permissions to run the `StartQuery` operation on each event data store associated with a dashboard widget. To provide permissions, run the `put-resource-policy` command to attach a resource-based policy to each event data store, or edit the event data store's policy on the CloudTrail console. For an example policy, see [Example: Allow CloudTrail to run queries to refresh a dashboard](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-eds-dashboard). 

 To set a refresh schedule, CloudTrail must be granted permissions to run the `StartDashboardRefresh` operation to refresh the dashboard on your behalf. To provide permissions, run the `put-resource-policy` operation to attach a resource-based policy to the dashboard, or edit the dashboard's policy on the CloudTrail console. For an example policy, see [Resource-based policy example for a dashboard](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-dashboards). 

**Topics**
+ [Create a custom dashboard with the AWS CLI](#lake-dashboard-cli-create-custom)
+ [Enable the Highlights dashboard with the AWS CLI](#lake-dashboard-cli-create-highlights)
+ [View properties for widgets](lake-widget-properties.md)

## Create a custom dashboard with the AWS CLI
<a name="lake-dashboard-cli-create-custom"></a>

The following procedure shows how to create a custom dashboard, attach the required resource-based policies to event data stores and the dashboard, and update the dashboard to set and enable a refresh schedule.

1. Run the `create-dashboard` command to create a dashboard.

   When you create a custom dashboard, you can pass in an array with up to 10 widgets. A widget provides a graphical representation of the results for a query. Each widget consists of `ViewProperties`, `QueryStatement`, and `QueryParameters`.
   + `ViewProperties` – Specifies the properties for the view type. For more information, see [View properties for widgets](lake-widget-properties.md).
   + `QueryStatement` – The query CloudTrail runs when the dashboard is refreshed. You can query across multiple event data stores as long as the event data stores exist in your account.
   + `QueryParameters` – The following `QueryParameters` values are supported for custom dashboards: `$Period$`, `$StartTime$`, and `$EndTime$`. To use `QueryParameters`, place a `?` in the `QueryStatement` where you want to substitute the parameter. CloudTrail fills in the parameters when the query is run.

   The following example creates a dashboard with four widgets, one of each view type.

   **Note**  
   In this example, `?` is surrounded with single quotes because it is used with `eventTime`. Depending on the operating system you are running on, you may need to surround single quotes with escape quotes. For more information, see [Using quotation marks and literals with strings in the AWS CLI](https://docs.aws.amazon.com/cli/v1/userguide/cli-usage-parameters-quoting-strings.html).

   ```
   aws cloudtrail create-dashboard --name AccountActivityDashboard \
   --widgets '[
       {
         "ViewProperties": {
           "Height": "2",
           "Width": "4",
           "Title": "TopErrors",
           "View": "Table"
         },
         "QueryStatement": "SELECT errorCode, COUNT(*) AS eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' AND (errorCode is not null) GROUP BY errorCode ORDER BY eventCount DESC LIMIT 100",
         "QueryParameters": ["$StartTime$", "$EndTime$"]
       },
       {
         "ViewProperties": {
           "Height": "2",
           "Width": "4",
           "Title": "MostActiveRegions",
           "View": "PieChart",
           "LabelColumn": "awsRegion",
           "ValueColumn": "eventCount",
           "FilterColumn": "awsRegion"
         },
         "QueryStatement": "SELECT awsRegion, COUNT(*) AS eventCount FROM eds where eventTime > '?' and eventTime < '?' GROUP BY awsRegion ORDER BY eventCount LIMIT 100",
         "QueryParameters": ["$StartTime$", "$EndTime$"]
       },
       {
         "ViewProperties": {
           "Height": "2",
           "Width": "4",
           "Title": "AccountActivity",
           "View": "LineChart",
           "YAxisColumn": "eventCount",
           "XAxisColumn": "eventDate",
           "FilterColumn": "readOnly"
         },
         "QueryStatement": "SELECT DATE_TRUNC('?', eventTime) AS eventDate, IF(readOnly, 'read', 'write') AS readOnly, COUNT(*) as eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' GROUP BY DATE_TRUNC('?', eventTime), readOnly ORDER BY DATE_TRUNC('?', eventTime), readOnly",
         "QueryParameters": ["$Period$", "$StartTime$", "$EndTime$", "$Period$", "$Period$"]
       },
       {
         "ViewProperties": {
           "Height": "2",
           "Width": "4",
           "Title": "TopServices",
           "View": "BarChart",
           "LabelColumn": "service",
           "ValueColumn": "eventCount",
           "FilterColumn": "service",
           "Orientation": "Horizontal"
         },
         "QueryStatement": "SELECT REPLACE(eventSource, '.amazonaws.com') AS service, COUNT(*) AS eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' GROUP BY eventSource ORDER BY eventCount DESC LIMIT 100",
         "QueryParameters": ["$StartTime$", "$EndTime$"]
       }
     ]'
   ```

1. Create a separate file with the resource policy needed for each event data store that is included in a widget's `QueryStatement`. Name the file *policy.json*, with the following example policy statement:

   Replace *123456789012* with your account ID and *arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDashboard* with the ARN of the dashboard.

   For more information about resource-based policies for dashboards, see [Example: Allow CloudTrail to run queries to refresh a dashboard](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-eds-dashboard).

1. Run the `put-resource-policy` command to attach the policy. You can also update an event data store's resource-based policy on the CloudTrail console. 

   The following example attaches a resource-based policy to an event data store. 

   ```
   aws cloudtrail put-resource-policy \
   --resource-arn eds-arn \
   --resource-policy file://policy.json
   ```

1. Run the `put-resource-policy` command to attach a resource-based policy to the dashboard. For an example policy, see [Resource-based policy example for a dashboard](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-dashboards).

   The following example attaches a resource-based policy to a dashboard. Replace *account-id* with your account ID and *dashboard-arn* with the ARN of the dashboard.

   ```
   aws cloudtrail put-resource-policy \
   --resource-arn dashboard-arn \
   --resource-policy '{"Version": "2012-10-17", "Statement": [{"Sid": "DashboardPolicy", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "cloudtrail:StartDashboardRefresh", "Condition": { "StringEquals": { "AWS:SourceArn": "dashboard-arn", "AWS:SourceAccount": "account-id"}}}]}'
   ```

1. Run the `update-dashboard` command to set and enable a refresh schedule by configuring the `--refresh-schedule` parameter.

   The `--refresh-schedule` consists of the following optional parameters:
   + `Frequency` – The `Unit` and `Value` for the schedule.

     For custom dashboards, the unit can be `HOURS` or `DAYS`.

     For custom dashboards, the following values are valid when the unit is `HOURS`: `1`, `6`, `12`, `24`.

     For custom dashboards, the only valid value when the unit is `DAYS` is `1`.
   + `Status` – Specifies whether the refresh schedule is enabled. Set the value to `ENABLED` to enable the refresh schedule, or to `DISABLED` to turn off the refresh schedule. 
   + `TimeOfDay` – The time of day in UTC to run the schedule. For hourly schedules, only the minutes are used. The default is 00:00.

   The following example sets a refresh schedule for every six hours and enables the schedule.

   ```
   aws cloudtrail update-dashboard --dashboard-id AccountActivityDashboard \
   --refresh-schedule '{"Frequency": {"Unit": "HOURS", "Value": 6}, "Status": "ENABLED"}'
   ```

## Enable the Highlights dashboard with the AWS CLI
<a name="lake-dashboard-cli-create-highlights"></a>

The following procedure shows how to create the Highlights dashboard, attach the required resource-based policies to your event data stores and the dashboard, and update the dashboard to set and enable the refresh schedule.

1. Run the `create-dashboard` command to create the Highlights dashboard. To create this dashboard, the `--name` must be `AWSCloudTrail-Highlights`.

   ```
   aws cloudtrail create-dashboard --name AWSCloudTrail-Highlights
   ```

1. For each event data store in your account, run the `put-resource-policy` command to attach a resource-based policy to the event data store. You can also update an event data store's resource-based policy on the CloudTrail console. For an example policy, see [Example: Allow CloudTrail to run queries to refresh a dashboard](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-eds-dashboard).

   The following example attaches a resource-based policy to an event data store. Replace *account-id* with your account ID, *eds-arn* with the ARN of the event data store, and *dashboard-arn* with the ARN of the dashboard.

   ```
   aws cloudtrail put-resource-policy \
   --resource-arn eds-arn \
   --resource-policy '{"Version": "2012-10-17", "Statement": [{"Sid": "EDSPolicy", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "cloudtrail:StartQuery", "Condition": { "StringEquals": { "AWS:SourceArn": "dashboard-arn", "AWS:SourceAccount": "account-id"}}}]}'
   ```

1. Run the `put-resource-policy` command to attach a resource-based policy to the dashboard. For an example policy, see [Resource-based policy example for a dashboard](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-dashboards).

   The following example attaches a resource-based policy to a dashboard. Replace *account-id* with your account ID and *dashboard-arn* with the ARN of the dashboard.

   ```
   aws cloudtrail put-resource-policy \
   --resource-arn dashboard-arn \
   --resource-policy '{"Version": "2012-10-17", "Statement": [{"Sid": "DashboardPolicy", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "cloudtrail:StartDashboardRefresh", "Condition": { "StringEquals": { "AWS:SourceArn": "dashboard-arn", "AWS:SourceAccount": "account-id"}}}]}'
   ```

1. Run the `update-dashboard` command to set and enable a refresh schedule by configuring the `--refresh-schedule` parameter. For the Highlights dashboard, the only valid `Unit` is `HOURS` and the only valid `Value` is `6`.

   ```
   aws cloudtrail update-dashboard --dashboard-id AWSCloudTrail-Highlights \
   --refresh-schedule '{"Frequency": {"Unit": "HOURS", "Value": 6}, "Status": "ENABLED"}'
   ```

# View properties for widgets
<a name="lake-widget-properties"></a>

This section describes the configurable view properties for the 4 view types: table, line chart, pie chart, and bar chart.

**Topics**
+ [Table](#lake-widget-table)
+ [Line chart](#lake-widget-linechart)
+ [Pie chart](#lake-widget-piechart)
+ [Bar chart](#lake-widget-barchart)

## Table
<a name="lake-widget-table"></a>

The following example shows a widget configured as a table.

```
{
    "ViewProperties": {
       "Height": "2",
       "Width": "4",
       "Title": "TopErrors",
       "View": "Table"
    },
    "QueryStatement": "SELECT errorCode, COUNT(*) AS eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' AND (errorCode is not null) GROUP BY errorCode ORDER BY eventCount DESC LIMIT 100",
    "QueryParameters": ["$StartTime$", "$EndTime$"]
}
```

The following table describes the configurable view properties for a table.


| Parameter | Required | Value | 
| --- | --- | --- | 
|  `Height`  |  Yes  |  The height of the table in inches.  | 
|  `Width`  |  Yes  |  The width of the table in inches.  | 
|  `Title`  |  Yes  |  The title of the table.  | 
|  `View`  |  Yes  |  The widget view type. For a table, the value is `Table`.  | 

## Line chart
<a name="lake-widget-linechart"></a>

The following example shows a widget configured as a line chart.

```
{
    "ViewProperties": {
       "Height": "2",
       "Width": "4",
       "Title": "AccountActivity",
       "View": "LineChart",
       "YAxisColumn": "eventCount",
       "XAxisColumn": "eventDate",
       "FilterColumn": "readOnly"
    },
    "QueryStatement": "SELECT DATE_TRUNC('?', eventTime) AS eventDate, IF(readOnly, 'read', 'write') AS readOnly, COUNT(*) as eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' GROUP BY DATE_TRUNC('?', eventTime), readOnly ORDER BY DATE_TRUNC('?', eventTime), readOnly",
    "QueryParameters": ["$Period$", "$StartTime$", "$EndTime$", "$Period$", "$Period$"]
}
```

The following table describes the configurable view properties for a line chart.


| Parameter | Required | Value | 
| --- | --- | --- | 
|  `Height`  |  Yes  |  The height of the line chart in inches.  | 
|  `Width`  |  Yes  |  The width of the line chart in inches.  | 
|  `Title`  |  Yes  |  The title of the line chart.  | 
|  `View`  |  Yes  |  The widget view type. For a line chart, the value is `LineChart`.  | 
|  `YAxisColumn`  |  Yes  |  The field from the query results that you want to use for the Y axis column. For example, `eventCount`.  | 
|  `XAxisColumn`  |  Yes  |  The field from the query results that you want to use for the X axis column. For example, `eventDate`.  | 
|  `FilterColumn`  |  No  |  The field from the query results that you want to filter on. For example, `readOnly`.  | 

## Pie chart
<a name="lake-widget-piechart"></a>

The following example shows a widget configured as a pie chart.

```
{
    "ViewProperties": {
       "Height": "2",
       "Width": "4",
       "Title": "MostActiveRegions",
       "View": "PieChart",
       "LabelColumn": "awsRegion",
       "ValueColumn": "eventCount",
       "FilterColumn": "awsRegion"
    },
    "QueryStatement": "SELECT awsRegion, COUNT(*) AS eventCount FROM eds where eventTime > '?' and eventTime < '?' GROUP BY awsRegion ORDER BY eventCount LIMIT 100",
    "QueryParameters": ["$StartTime$", "$EndTime$"]
}
```

The following table describes configurable view properties for a pie chart.


| Parameter | Required | Value | 
| --- | --- | --- | 
|  `Height`  |  Yes  |  The height of the pie chart in inches.  | 
|  `Width`  |  Yes  |  The width of the pie chart in inches.  | 
|  `Title`  |  Yes  |  The title of the pie chart.  | 
|  `View`  |  Yes  |  The widget view type. For a pie chart, the value is `PieChart`.  | 
|  `LabelColumn`  |  Yes  |  The label for segments in the pie chart. For example, `awsRegion`.  | 
|  `ValueColumn`  |  Yes  |  The value for the segments in the pie chart. For example, `eventCount`.  | 
|  `FilterColumn`  |  No  |  The field from the query results that you want to filter on. For example, `awsRegion`.  | 

## Bar chart
<a name="lake-widget-barchart"></a>

The following example shows a widget configured as a bar chart.

```
{
    "ViewProperties": {
       "Height": "2",
       "Width": "4",
       "Title": "TopServices",
       "View": "BarChart",
       "LabelColumn": "service",
       "ValueColumn": "eventCount",
       "FilterColumn": "service",
       "Orientation": "Horizontal"
    },
    "QueryStatement": "SELECT REPLACE(eventSource, '.amazonaws.com') AS service, COUNT(*) AS eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' GROUP BY eventSource ORDER BY eventCount DESC LIMIT 100",
    "QueryParameters": ["$StartTime$", "$EndTime$"]
}
```

The following table describes the configurable view properties for a bar chart.


| Parameter | Required | Value | 
| --- | --- | --- | 
|  `Height`  |  Yes  |  The height of the bar chart in inches.  | 
|  `Width`  |  Yes  |  The width of the bar chart in inches.  | 
|  `Title`  |  Yes  |  The title of the bar chart.  | 
|  `View`  |  Yes  |  The widget view type. For a bar chart, the value is `BarChart`.  | 
|  `LabelColumn`  |  Yes  |  The label for bars in the bar chart. For example, `service`.  | 
|  `ValueColumn`  |  Yes  |  The value for the bars in the bar chart. For example, `eventCount`.  | 
|  `FilterColumn`  |  No  |  The field from the query results that you want to filter on. For example, `service`.  | 
|  `Orientation`  |  No  |  The orientation of the bar chart, either `Horizontal` or `Vertical`.  | 
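
A widget definition can be checked against the four view-property tables above before it is passed to `--widgets`. The following Python linter is an added example, not part of the AWS CLI or CloudTrail: `lint_widget` and `lint_dashboard` are hypothetical names, the rule that each `?` needs one `QueryParameters` entry is inferred from the examples on this page, and the column check is a text-match heuristic.

```python
import re

COMMON = {"Height", "Width", "Title", "View"}
# (required, optional) view properties per view type, from the tables on this page.
VIEW_RULES = {
    "Table": (COMMON, set()),
    "LineChart": (COMMON | {"YAxisColumn", "XAxisColumn"}, {"FilterColumn"}),
    "PieChart": (COMMON | {"LabelColumn", "ValueColumn"}, {"FilterColumn"}),
    "BarChart": (COMMON | {"LabelColumn", "ValueColumn"}, {"FilterColumn", "Orientation"}),
}
MAX_WIDGETS = 10  # custom dashboard limit stated on this page


def lint_widget(widget):
    """Return a list of problems found in one widget definition."""
    props = widget.get("ViewProperties", {})
    view = props.get("View")
    if view not in VIEW_RULES:
        return [f"View is {view!r}, expected one of {sorted(VIEW_RULES)}"]
    required, optional = VIEW_RULES[view]
    problems = [f"missing required view property {n}" for n in sorted(required - set(props))]
    problems += [f"view property {n} is not valid for {view}"
                 for n in sorted(set(props) - required - optional)]
    if props.get("Orientation", "Horizontal") not in ("Horizontal", "Vertical"):
        problems.append("Orientation must be Horizontal or Vertical")
    query, params = widget.get("QueryStatement", ""), widget.get("QueryParameters", [])
    # Assumption drawn from the page's examples: one QueryParameters entry per "?".
    if query.count("?") != len(params):
        problems.append(f"{query.count('?')} placeholders but {len(params)} QueryParameters")
    # Heuristic: a column named by a view property should appear in the query text.
    for name, column in sorted(props.items()):
        if name.endswith("Column") and not re.search(rf"\b{re.escape(column)}\b", query):
            problems.append(f"{name} {column!r} does not appear in QueryStatement")
    return problems


def lint_dashboard(widgets):
    """Map widget title to its problems; key "*" holds dashboard-level problems."""
    report = {}
    if len(widgets) > MAX_WIDGETS:
        report["*"] = [f"{len(widgets)} widgets, limit is {MAX_WIDGETS}"]
    for widget in widgets:
        problems = lint_widget(widget)
        if problems:
            report[widget.get("ViewProperties", {}).get("Title", "<untitled>")] = problems
    return report


# The line chart widget from this page.
LINE_CHART = {
    "ViewProperties": {"Height": "2", "Width": "4", "Title": "AccountActivity", "View": "LineChart",
                       "YAxisColumn": "eventCount", "XAxisColumn": "eventDate", "FilterColumn": "readOnly"},
    "QueryStatement": "SELECT DATE_TRUNC('?', eventTime) AS eventDate, IF(readOnly, 'read', 'write') AS readOnly, COUNT(*) as eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' GROUP BY DATE_TRUNC('?', eventTime), readOnly ORDER BY DATE_TRUNC('?', eventTime), readOnly",
    "QueryParameters": ["$Period$", "$StartTime$", "$EndTime$", "$Period$", "$Period$"],
}
# Constructed widget: bar-chart-only property, unknown column, one parameter short.
BROKEN_PIE = {
    "ViewProperties": {"Height": "2", "Width": "4", "Title": "Regions", "View": "PieChart",
                       "LabelColumn": "awsRegion", "ValueColumn": "total", "Orientation": "Vertical"},
    "QueryStatement": "SELECT awsRegion, COUNT(*) AS eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' GROUP BY awsRegion",
    "QueryParameters": ["$StartTime$"],
}

if __name__ == "__main__":
    print(lint_dashboard([LINE_CHART, BROKEN_PIE]))
```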

# Manage dashboards with the AWS CLI
<a name="lake-dashboard-cli-manage"></a>

This section describes several other commands that you can run to manage your dashboards, including getting a dashboard, listing your dashboards, refreshing a dashboard, and updating a dashboard.

When using the AWS CLI, remember that your commands run in the AWS Region configured for your profile. If you want to run the commands in a different Region, either change the default Region for your profile, or use the `--region` parameter with the command.

**Topics**
+ [Get a dashboard with the AWS CLI](#lake-dashboard-cli-get)
+ [List dashboards with the AWS CLI](#lake-dashboard-cli-list)
+ [Attach a resource-based policy to an event data store or dashboard with the AWS CLI](#lake-dashboard-cli-add-rbp)
+ [Manually refresh a dashboard with the AWS CLI](#lake-dashboard-cli-refresh)
+ [Update a dashboard with the AWS CLI](#lake-dashboard-cli-update)

## Get a dashboard with the AWS CLI
<a name="lake-dashboard-cli-get"></a>

Run the `get-dashboard` command to return a dashboard. Specify the `--dashboard-id` by providing the dashboard ARN, or the dashboard name.

```
aws cloudtrail get-dashboard --dashboard-id arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash
```

## List dashboards with the AWS CLI
<a name="lake-dashboard-cli-list"></a>

Run the `list-dashboards` command to list the dashboards for your account.
+ Include the `--type` parameter to view only the `CUSTOM` or `MANAGED` dashboards.
+ Include the `--max-results` parameter to limit the number of results. Valid values are 1-100.
+ Include the `--name-prefix` parameter to return dashboards matching the specified prefix.

The following example lists all dashboards.

```
aws cloudtrail list-dashboards
```

This example lists only the `CUSTOM` dashboards.

```
aws cloudtrail list-dashboards --type CUSTOM
```

The next example lists only the `MANAGED` dashboards.

```
aws cloudtrail list-dashboards --type MANAGED
```

The final example lists the dashboards matching the specified prefix.

```
aws cloudtrail list-dashboards --name-prefix ExamplePrefix
```

## Attach a resource-based policy to an event data store or dashboard with the AWS CLI
<a name="lake-dashboard-cli-add-rbp"></a>

Run the `put-resource-policy` command to apply a resource-based policy to an event data store or dashboard.

### Attach a resource-based policy to an event data store
<a name="lake-dashboard-cli-add-rbp-eds"></a>

To run queries on a dashboard during a manual or scheduled refresh, you need to attach a resource-based policy to every event data store that is associated with a widget on the dashboard. This allows CloudTrail Lake to run the queries on your behalf. For more information about the resource-based policy, see [Example: Allow CloudTrail to run queries to refresh a dashboard](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-eds-dashboard).

The following example attaches a resource-based policy to an event data store. Replace *account-id* with your account ID, *eds-arn* with the ARN of the event data store for which CloudTrail will run queries, and *dashboard-arn* with the ARN of the dashboard.

```
aws cloudtrail put-resource-policy \
--resource-arn eds-arn \
--resource-policy '{"Version": "2012-10-17", "Statement": [{"Sid": "EDSPolicy", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "cloudtrail:StartQuery", "Condition": { "StringEquals": { "AWS:SourceArn": "dashboard-arn", "AWS:SourceAccount": "account-id"}}}]}'
```

### Attach a resource-based policy to a dashboard
<a name="lake-dashboard-cli-add-rbp-dashboard"></a>

To set a refresh schedule for a dashboard, you need to attach a resource-based policy to the dashboard to allow CloudTrail Lake to refresh the dashboard on your behalf. For more information about the resource-based policy, see [Resource-based policy example for a dashboard](security_iam_resource-based-policy-examples.md#security_iam_resource-based-policy-examples-dashboards).

The following example attaches a resource-based policy to a dashboard. Replace *account-id* with your account ID and *dashboard-arn* with the ARN of the dashboard.

```
aws cloudtrail put-resource-policy \
--resource-arn dashboard-arn \
--resource-policy '{"Version": "2012-10-17", "Statement": [{"Sid": "DashboardPolicy", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "cloudtrail:StartDashboardRefresh", "Condition": { "StringEquals": { "AWS:SourceArn": "dashboard-arn", "AWS:SourceAccount": "account-id"}}}]}'
```
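
The two policies above differ only in `Sid` and `Action`; both limit the `cloudtrail.amazonaws.com` service principal to one dashboard in one account through `AWS:SourceArn` and `AWS:SourceAccount`. The following Python sketch is an added example, not part of the CloudTrail documentation or tooling: it generates either policy and audits an existing one for a missing or widened scope. `build_policy` and `audit_policy` are hypothetical helper names, and the account ID and dashboard ARN are the sample values used on this page.

```python
import json

SERVICE = "cloudtrail.amazonaws.com"


def build_policy(sid, action, dashboard_arn, account_id):
    """Build the single-statement policy shape used in the examples on this page."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"Service": SERVICE},
            "Action": action,
            "Condition": {"StringEquals": {
                "AWS:SourceArn": dashboard_arn,
                "AWS:SourceAccount": account_id,
            }},
        }],
    }


def _as_list(value):
    """IAM accepts a bare string where a list is allowed; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy, action, dashboard_arn, account_id):
    """Return findings for Allow statements that trust the CloudTrail service principal."""
    findings, seen = [], False
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SERVICE not in services:
            continue
        seen = True
        sid = stmt.get("Sid", "<no Sid>")
        if _as_list(stmt.get("Action")) != [action]:
            findings.append(f"{sid}: Action is {stmt.get('Action')!r}, expected only {action!r}")
        # Condition key names are case-insensitive, so compare them lowercased.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        cond = {key.lower(): _as_list(value) for key, value in equals.items()}
        for key, want in (("aws:sourcearn", dashboard_arn), ("aws:sourceaccount", account_id)):
            if cond.get(key) != [want]:
                findings.append(f"{sid}: {key} is {cond.get(key)!r}, expected [{want!r}]")
    if not seen:
        findings.append(f"no Allow statement for {SERVICE}")
    return findings


# Sample values: the example account ID and dashboard ARN used on this page.
ACCOUNT_ID = "123456789012"
DASHBOARD_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDashboard"

if __name__ == "__main__":
    eds_policy = build_policy("EDSPolicy", "cloudtrail:StartQuery", DASHBOARD_ARN, ACCOUNT_ID)
    print(json.dumps(eds_policy))  # the string to pass to --resource-policy
    del eds_policy["Statement"][0]["Condition"]  # constructed mistake: scope removed
    print(audit_policy(eds_policy, "cloudtrail:StartQuery", DASHBOARD_ARN, ACCOUNT_ID))
```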

## Manually refresh a dashboard with the AWS CLI
<a name="lake-dashboard-cli-refresh"></a>

Run the `start-dashboard-refresh` command to manually refresh the dashboard. Before you can run this command, you must [attach a resource-based policy](#lake-dashboard-cli-add-rbp-eds) to every event data store associated with a dashboard widget.

The following example shows how to manually refresh a custom dashboard.

```
aws cloudtrail start-dashboard-refresh \
--dashboard-id dashboard-id \
--query-parameter-values '{"$StartTime$": "2024-11-05T10:45:24.00Z"}'
```

The next example shows how to manually refresh a managed dashboard. Because managed dashboards are configured by CloudTrail, the refresh request needs to include the ID of the event data store that the queries will run on.

```
aws cloudtrail start-dashboard-refresh \
--dashboard-id dashboard-id \
--query-parameter-values '{"$StartTime$": "2024-11-05T10:45:24.00Z", "$EventDataStoreId$": "eds-id"}'
```

## Update a dashboard with the AWS CLI
<a name="lake-dashboard-cli-update"></a>

Run the `update-dashboard` command to update a dashboard. You can update the dashboard to set a refresh schedule, enable or disable a refresh schedule, modify the widgets, and enable or disable termination protection.

### Update the refresh schedule with the AWS CLI
<a name="lake-dashboard-cli-update-schedule"></a>

The following example updates the refresh schedule for a custom dashboard named `AccountActivityDashboard`.

```
aws cloudtrail update-dashboard --dashboard-id AccountActivityDashboard \
--refresh-schedule '{"Frequency": {"Unit": "HOURS", "Value": 6}, "Status": "ENABLED"}'
```

### Disable termination protection and the refresh schedule on a custom dashboard with the AWS CLI
<a name="lake-dashboard-cli-update-termination-protection"></a>

The following example disables termination protection for a custom dashboard named `AccountActivityDashboard` to allow the dashboard to be deleted. It also turns off the refresh schedule.

```
aws cloudtrail update-dashboard --dashboard-id AccountActivityDashboard \
--refresh-schedule '{ "Status": "DISABLED"}' \
--no-termination-protection-enabled
```

### Add a widget to a custom dashboard
<a name="lake-dashboard-cli-update-widget"></a>

The following example adds a new widget named `TopServices` to the custom dashboard named `AccountActivityDashboard`. The widgets array includes the two widgets that were already created for the dashboard and the new widget.

**Note**  
In this example, `?` is surrounded with single quotes because it is used with `eventTime`. Depending on the operating system you are running on, you may need to surround single quotes with escape quotes. For more information, see [Using quotation marks and literals with strings in the AWS CLI](https://docs.aws.amazon.com/cli/v1/userguide/cli-usage-parameters-quoting-strings.html).

```
aws cloudtrail update-dashboard --dashboard-id AccountActivityDashboard \
--widgets '[
    {
      "ViewProperties": {
        "Height": "2",
        "Width": "4",
        "Title": "TopErrors",
        "View": "Table"
      },
      "QueryStatement": "SELECT errorCode, COUNT(*) AS eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' AND (errorCode is not null) GROUP BY errorCode ORDER BY eventCount DESC LIMIT 100",
      "QueryParameters": ["$StartTime$", "$EndTime$"]
    },
    {
      "ViewProperties": {
        "Height": "2",
        "Width": "4",
        "Title": "MostActiveRegions",
        "View": "PieChart",
        "LabelColumn": "awsRegion",
        "ValueColumn": "eventCount",
        "FilterColumn": "awsRegion"
      },
      "QueryStatement": "SELECT awsRegion, COUNT(*) AS eventCount FROM eds where eventTime > '?' and eventTime < '?' GROUP BY awsRegion ORDER BY eventCount LIMIT 100",
      "QueryParameters": ["$StartTime$", "$EndTime$"]
    },
    {
      "ViewProperties": {
        "Height": "2",
        "Width": "4",
        "Title": "TopServices",
        "View": "BarChart",
        "LabelColumn": "service",
        "ValueColumn": "eventCount",
        "FilterColumn": "service",
        "Orientation": "Vertical"
      },
      "QueryStatement": "SELECT replace(eventSource, '.amazonaws.com') AS service, COUNT(*) as eventCount FROM eds WHERE eventTime > '?' AND eventTime < '?' GROUP BY eventSource ORDER BY eventCount DESC LIMIT 100",
      "QueryParameters": ["$StartTime$", "$EndTime$"]
    }
  ]'
```

# Delete a dashboard with the AWS CLI
<a name="lake-dashboard-cli-delete"></a>

This section describes how to use the AWS CLI `delete-dashboard` command to delete a CloudTrail Lake dashboard.

To delete a dashboard, specify the `--dashboard-id` by providing the dashboard ARN, or the dashboard name.

```
aws cloudtrail delete-dashboard --dashboard-id arn:aws:cloudtrail:us-east-1:123456789012:dashboard/exampleDash
```

There is no response if the operation is successful.

**Note**  
You can't delete a dashboard if `--termination-protection-enabled` is set.