Create trails in additional accounts - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create trails in additional accounts

You can use the console or the Amazon CLI to create trails in additional Amazon Web Services accounts and aggregate their log files to one Amazon S3 bucket. Alternatively, you could create an organization trail to log all Amazon Web Services accounts that are part of an organization in Amazon Organizations. For more information, see Creating a trail for an organization.

Using the console to create trails in additional Amazon accounts

You can use the CloudTrail console to create trails in additional accounts.

  1. Sign in to the Amazon Web Services Management Console with the account for which you want to create a trail. Follow the steps in Creating a trail in the console to create a trail using the console.

  2. For Storage location, choose Use existing S3 bucket. Use the text box to enter the name of the bucket you're using to store log files across accounts.

    Note

    The bucket policy must grant CloudTrail permission to write to it. For information about manually editing the bucket policy, see Setting bucket policy for multiple accounts.

  3. For Prefix, enter the prefix you are using to store log files across accounts. If you choose to use a prefix that is different from what you specified in your bucket policy, you must edit the bucket policy on your destination bucket to allow CloudTrail to write log files to your bucket using this new prefix.
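The note above and step 3 both come down to one condition: the destination bucket's policy must let cloudtrail.amazonaws.com read the bucket ACL and write to <bucket>/<prefix>/AWSLogs/<account-id>/ for every account that delivers to it. The following added example (not code from the CloudTrail documentation) checks a bucket policy document offline against the accounts and prefix you intend to use; the sample policy, its statement Sids and the account IDs are constructed for illustration.

```python
import fnmatch
import json

# Constructed sample bucket policy (not from the page): the standard CloudTrail
# ACL-check and write statements for two source accounts under the "logs" prefix.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AWSCloudTrailAclCheck",
     "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl",
     "Resource": "arn:aws:s3:::my-bucket"},
    {"Sid": "AWSCloudTrailWrite",
     "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject",
     "Resource": ["arn:aws:s3:::my-bucket/logs/AWSLogs/111111111111/*",
                  "arn:aws:s3:::my-bucket/logs/AWSLogs/222222222222/*"],
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _cloudtrail_allows(stmt, action, resource):
    """True if an Allow statement grants `action` on `resource` to cloudtrail.amazonaws.com."""
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if stmt.get("Effect") != "Allow" or "cloudtrail.amazonaws.com" not in services:
        return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))

def missing_grants(policy, bucket, prefix, account_ids):
    """Return the account IDs whose CloudTrail delivery path the policy does not allow."""
    # CloudTrail writes to <bucket>/<prefix>/AWSLogs/<account-id>/CloudTrail/<region>/...,
    # so a prefix that differs from the one in the policy fails for every account.
    statements = _as_list(policy.get("Statement", []))
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if not any(_cloudtrail_allows(s, "s3:GetBucketAcl", bucket_arn) for s in statements):
        return list(account_ids)  # the ACL check fails first, so nothing is delivered
    path = f"{prefix.strip('/')}/" if prefix else ""
    return [acct for acct in account_ids
            if not any(_cloudtrail_allows(s, "s3:PutObject",
                                          f"{bucket_arn}/{path}AWSLogs/{acct}/CloudTrail/x.json.gz")
                       for s in statements)]
```

Run it with the policy fetched by `aws s3api get-bucket-policy` before creating trails in the additional accounts; any account it returns will produce trails whose log files are never delivered.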

Using the CLI to create a trail in additional Amazon accounts

You can use the Amazon command line tools to create trails in additional accounts and aggregate their log files to one Amazon S3 bucket. For more information about these tools, see cloudtrail in the Amazon CLI Command Reference.

Create a trail by using the create-trail command, specifying the following:

  • --name specifies the name of the trail.

  • --s3-bucket-name specifies the Amazon S3 bucket you are using to store log files across accounts.

  • --s3-prefix specifies a prefix for the log file delivery path (optional).

  • --is-multi-region-trail specifies that this trail will log events in all Amazon Regions in the partition in which you are working.

You can create one trail for each Region in which an account is running Amazon resources.

The following example command shows how to create a trail for your additional accounts by using the Amazon CLI. To have log files for these accounts delivered to the bucket you created in your first account (111111111111 in this example), specify the bucket name in the --s3-bucket-name option. Amazon S3 bucket names are globally unique.

aws cloudtrail create-trail --name my-trail --s3-bucket-name my-bucket --is-multi-region-trail

When you run the command, you will see output similar to the following:

{
    "IncludeGlobalServiceEvents": true,
    "Name": "AWSCloudTrailExample",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:222222222222:trail/my-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": true,
    "IsOrganizationTrail": false,
    "S3BucketName": "MyBucketBelongingToAccount111111111111"
}

For more information about using CloudTrail from the Amazon command line tools, see the CloudTrail command line reference.