Centralized CloudTrail Logging

To create a CloudTrail trail with the AWS Management Console

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Choose the region where you want the trail to be created.

  3. Choose Get Started Now.

    Tip

    If you do not see Get Started Now, choose Trails, and then choose Create trail.

  4. On the Create Trail page, for Trail name, type a name for your trail. For more information, see CloudTrail Trail Naming Requirements.

  5. For Apply trail to all regions, choose Yes to receive log files from all regions. This is the default and recommended setting. If you choose No, the trail logs files only from the region in which you create the trail.

  6. For Management events, for Read/Write events, choose if you want your trail to log All, Read-only, Write-only, or None, and then choose Save. By default, trails log all management events. For more information, see Management Events.

  7. For Data events, you can specify logging data events for Amazon S3 buckets, for AWS Lambda functions, or both. By default, trails don't log data events. Additional charges apply for logging data events.

  8. For Storage location, for Create a new S3 bucket, choose Yes to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies.

    Note

    If you chose No, choose an existing S3 bucket. The bucket policy must grant CloudTrail permission to write to it. For information about manually editing the bucket policy, see Amazon S3 Bucket Policy for CloudTrail.

  9. For S3 bucket, type a name for the bucket you want to designate for log file storage. The name must be globally unique. For more information, see Amazon S3 Bucket Naming Requirements.

  10. To configure advanced settings, see Configuring Advanced Settings for Your Trail. Otherwise, choose Create.

  11. The new trail appears on the Trails page. The Trails page shows the trails in your account from all regions. In about 15 minutes, CloudTrail publishes log files that show the AWS API calls made in your account. You can see the log files in the S3 bucket that you specified.

Note: You can't rename a trail after it has been created. Instead, you can delete the trail and create a new one.

Setting Bucket Policy for Multiple Accounts

For a bucket to receive log files from multiple accounts, its bucket policy must grant CloudTrail permission to write log files from all the accounts you specify. This means that you must modify the bucket policy on your destination bucket to grant CloudTrail permission to write log files from each specified account.

To modify bucket permissions so that files can be received from multiple accounts

  1. Sign in to the AWS Management Console using the account that owns the bucket (111111111111 in this example) and open the Amazon S3 console.

  2. Choose the bucket where CloudTrail delivers your log files and then choose Properties.

  3. Choose Permissions.

  4. Choose Edit Bucket Policy.

  5. Modify the existing policy to add a line for each additional account whose log files you want delivered to this bucket. See the following example policy and note the underlined Resource line specifying a second account ID.
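The example policy that step 5 refers to is not reproduced on this page. The block below is an added example (not AWS's own sample) that builds a bucket policy in the standard CloudTrail shape, one s3:GetBucketAcl statement on the bucket and one s3:PutObject statement with a Resource entry per source account, and includes a check for which accounts (or which log file prefix) a given policy does not yet cover. The bucket name and the prefix are constructed placeholders; the account IDs are the ones used in the procedure above.

```python
# Constructed values: the bucket name is a placeholder, the account IDs
# are the ones used in the procedure above.
BUCKET = "example-cloudtrail-logs"
PREFIX = "org-trails"
ACCOUNTS = ["111111111111", "222222222222"]
SERVICE = "cloudtrail.amazonaws.com"


def log_object_arn(bucket, prefix, account_id):
    # CloudTrail writes under [prefix/]AWSLogs/<account>/ in the bucket
    key_prefix = f"{prefix}/" if prefix else ""
    return f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account_id}/*"


def cloudtrail_bucket_policy(bucket, prefix, account_ids):
    """GetBucketAcl on the bucket plus PutObject with one Resource per account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": SERVICE},
                "Action": "s3:PutObject",
                "Resource": [log_object_arn(bucket, prefix, a) for a in account_ids],
                # CloudTrail must give the bucket owner full control of each object
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def missing_write_grants(policy, bucket, prefix, account_ids):
    """Accounts whose log path no Allow/PutObject statement for CloudTrail covers."""
    granted = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") != "Allow" or "s3:PutObject" not in actions
                or stmt.get("Principal", {}).get("Service") != SERVICE):
            continue
        res = stmt.get("Resource", [])
        granted.update([res] if isinstance(res, str) else res)
    return [a for a in account_ids if log_object_arn(bucket, prefix, a) not in granted]
```

Run missing_write_grants against the bucket's current policy before turning on a trail in a new account or with a different prefix; any account it returns needs its own Resource line added.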

Using the Console to Turn on CloudTrail in Additional AWS Accounts

You can use the CloudTrail console to turn on CloudTrail in additional accounts.

  1. Sign in to the AWS Management Console using account 222222222222 credentials and open the AWS CloudTrail console. In the navigation bar, select the region where you want to turn on CloudTrail.

  2. Choose Get Started Now.

  3. On the following page, type a name for your trail in the Trail name box.

  4. For Create a new S3 bucket?, choose No. Use the text box to enter the name of the bucket you created previously for storing log files when you signed in using account 111111111111 credentials. CloudTrail displays a warning asking you if you are sure that you want to specify an S3 bucket in another account. Verify the name of the bucket you entered.

  5. Choose Advanced.

  6. In the Log file prefix field, enter the same prefix you entered for storing log files when you turned on CloudTrail using account 111111111111 credentials. If you choose to use a prefix that is different from the one you entered when you turned on CloudTrail in the first account, you must edit the bucket policy on your destination bucket to allow CloudTrail to write log files to your bucket using this new prefix.

  7. (Optional) Choose Yes or No for SNS notification for every log file delivery?. If you chose Yes, type a name for your Amazon SNS topic in the SNS topic (new) field.

    Note

    Amazon SNS is a regional service, so if you choose to create a topic, that topic will exist in the same region in which you turn on CloudTrail. If you have a trail that applies to all regions, you can pick an Amazon SNS topic in any region as long as you have the correct policy applied to the topic. For more information, see Amazon SNS Topic Policy for CloudTrail.

  8. Choose Turn On.

In about 15 minutes, CloudTrail starts publishing log files that show the AWS calls made in your accounts in this region since you completed the preceding steps.

Source: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html