Create a CloudTrail Lake event data store in the AWS console or via CLI, enabling the desired event selectors (management events, data events, or network activity events) and choosing the retention period
Note the event data store ARN; queries are scoped to one or more event data stores identified by this ARN
Start a query using the StartQuery API or console with a SQL SELECT statement targeting the event data store; filter by eventTime, eventName, userIdentity.arn, or errorCode as needed
Poll the query status with GetQueryResults or DescribeQuery until the status is FINISHED; results are paginated, so iterate using the nextToken returned in each response
Save frequently used queries as named queries in the console for reuse; for large result sets, use query result delivery to S3 rather than paginating through the API
Attach appropriate IAM policies to restrict who can run queries and read results; CloudTrail Lake query results may contain sensitive principal and resource data
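Steps 3 and 4 above as an added Python example (not code from the page or from AWS): it builds an eventTime-bounded query against the store's ID, starts it, polls DescribeQuery until a terminal status, and follows NextToken through every GetQueryResults page. It assumes a boto3 "cloudtrail" client; EDS_ARN is a placeholder and FakeClient is a constructed stand-in so the flow runs offline.

```python
import re
import time
# Added example, not AWS or page code. Assumes a boto3 "cloudtrail" client
# (start_query/describe_query/get_query_results, boto3 shapes); EDS_ARN is a
# placeholder and FakeClient a constructed stand-in so it runs offline.
EDS_ARN = "arn:aws:cloudtrail:REGION:ACCOUNT_ID:eventdatastore/EDS_ID"
_SAFE = re.compile(r"[A-Za-z0-9:._-]+")  # chars allowed in a filter value

def build_query(eds_arn, start, end, error_code=None):
    """Bound by eventTime so the query is not billed as a full-store scan;
    FROM takes the event data store ID, the last segment of the ARN."""
    where = [f"eventTime >= '{start}'", f"eventTime < '{end}'"]
    if error_code is not None:
        if not _SAFE.fullmatch(error_code):  # value is interpolated into SQL
            raise ValueError("unsafe filter value")
        where.append(f"errorCode = '{error_code}'")
    return ("SELECT eventTime, eventName, userIdentity.arn, errorCode "
            f"FROM {eds_arn.rsplit('/', 1)[-1]} WHERE {' AND '.join(where)}")

def run_query(client, sql, poll_seconds=2.0, max_polls=300):
    """StartQuery, poll DescribeQuery to a terminal status, then follow
    NextToken through every GetQueryResults page; returns a list of dicts."""
    query_id = client.start_query(QueryStatement=sql)["QueryId"]
    status = "QUEUED"
    for _ in range(max_polls):
        status = client.describe_query(QueryId=query_id)["QueryStatus"]
        if status in ("FINISHED", "FAILED", "CANCELLED", "TIMED_OUT"):
            break
        time.sleep(poll_seconds)
    if status != "FINISHED":  # FAILED, CANCELLED, TIMED_OUT or still running
        raise RuntimeError(f"query {query_id} ended with status {status}")
    rows, token = [], None
    while True:
        kwargs = {"QueryId": query_id, "MaxQueryResults": 1000}
        if token:
            kwargs["NextToken"] = token
        page = client.get_query_results(**kwargs)
        for row in page.get("QueryResultRows", []):  # row = [{col: val}, ...]
            rows.append({k: v for cell in row for k, v in cell.items()})
        token = page.get("NextToken")
        if not token:
            return rows

class FakeClient:  # constructed stand-in: 2 polls to FINISHED, 2 result pages
    statuses = iter(["QUEUED", "RUNNING", "FINISHED"])
    pages = {None: {"QueryResultRows": [[{"eventName": "AssumeRole"}]], "NextToken": "p2"},
             "p2": {"QueryResultRows": [[{"eventName": "GetSecretValue"}]]}}
    def start_query(self, **kw): return {"QueryId": "q-1"}
    def describe_query(self, **kw): return {"QueryStatus": next(self.statuses)}
    def get_query_results(self, NextToken=None, **kw): return self.pages[NextToken]
```

Replace FakeClient with `boto3.client("cloudtrail")` and the real ARN to run it against an account; pass `DeliveryS3Uri` to start_query instead when result sets are large.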
Known gotchas
CloudTrail Lake's SQL syntax is a subset of standard SQL: not all SQL functions are supported, and the column names differ from those in the flat CloudTrail JSON log format
Query costs are billed by the amount of data scanned; use eventTime range filters to avoid full-store scans, especially on large event data stores
Management events from global services (IAM, STS) are delivered to the region where the event data store was created, which is not necessarily your primary region; make sure your data store covers global events