Amazon CloudTrail with Multi-Region Access Points

You can use Amazon CloudTrail to view, search, download, archive, analyze, and respond to account activity across your Amazon infrastructure. With Multi-Region Access Points and CloudTrail logging, you can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help you analyze and respond to activity through your Multi-Region Access Point.

How to set up Amazon CloudTrail for Multi-Region Access Points

To enable CloudTrail logging for any operations around creating or maintaining Multi-Region Access Points, you must configure CloudTrail logging to record the events in the US West (Oregon) Region. This is true regardless of which Region you are in when making the request, or what Regions the Multi-Region Access Point supports. All requests to create or maintain a Multi-Region Access Point are routed through the US West (Oregon) Region. You should either add this Region to an existing trail or create a new trail containing this Region and all the Regions associated with the Multi-Region Access Point.
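The coverage rule above (US West (Oregon) plus every Region that hosts a member bucket) is easy to get wrong when an account has only a single-Region trail. The following added example, which is not part of the AWS documentation, reads a document in the shape of `aws cloudtrail describe-trails` output and reports the required Regions that no trail records. The field names `HomeRegion` and `IsMultiRegionTrail` are real describe-trails fields; the trail and bucket Regions in the sample are constructed.

```python
"""Check that CloudTrail trails cover every Region a Multi-Region Access Point needs.

Added example (not from the AWS documentation). It reads a describe-trails-style
document; the trail record and bucket Regions below are constructed sample data.
"""
import json

# Requests that create or maintain a Multi-Region Access Point are routed
# through US West (Oregon), so that Region must be logged regardless of where
# the caller or the member buckets are.
MRAP_CONTROL_REGION = "us-west-2"


def required_regions(member_bucket_regions):
    """Regions the trails must record: us-west-2 plus every member bucket Region."""
    return {MRAP_CONTROL_REGION} | set(member_bucket_regions)


def trail_covers(trail, region):
    """A single-Region trail records its home Region; a multi-Region trail records all Regions."""
    return bool(trail.get("IsMultiRegionTrail")) or trail.get("HomeRegion") == region


def uncovered_regions(trails, member_bucket_regions):
    """Return the required Regions that no trail in `trails` records, sorted."""
    return sorted(
        region
        for region in required_regions(member_bucket_regions)
        if not any(trail_covers(trail, region) for trail in trails)
    )


# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
# Only a single-Region trail in us-east-1 exists, so us-west-2 (and any other
# member bucket Region) will be reported as uncovered.
SAMPLE_TRAILS_JSON = """
{
  "trailList": [
    {
      "Name": "app-trail",
      "S3BucketName": "example-cloudtrail-logs",
      "HomeRegion": "us-east-1",
      "IsMultiRegionTrail": false
    }
  ]
}
"""

# Constructed Regions of the buckets behind the Multi-Region Access Point.
SAMPLE_MEMBER_BUCKET_REGIONS = ["us-east-1", "eu-west-1"]


def check_sample():
    """Run the coverage check against the constructed sample."""
    trails = json.loads(SAMPLE_TRAILS_JSON)["trailList"]
    return uncovered_regions(trails, SAMPLE_MEMBER_BUCKET_REGIONS)


if __name__ == "__main__":
    missing = check_sample()
    if missing:
        print("Regions with no trail coverage:", ", ".join(missing))
        print("Add them to an existing trail or create a multi-Region trail.")
    else:
        print("All required Regions are recorded.")
```

Run it against real output by piping `aws cloudtrail describe-trails` into `json.loads` in place of the sample string; a multi-Region trail satisfies the check on its own, while single-Region trails must together cover us-west-2 and each member bucket Region.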

Amazon S3 logs requests made through a Multi-Region Access Point and requests made to the API operations that manage access points, such as CreateMultiRegionAccessPoint and GetMultiRegionAccessPointPolicy. When you log these requests through a Multi-Region Access Point, they appear in your Amazon CloudTrail logs with the hostname of the Multi-Region Access Point. For example, if you make requests to a bucket through a Multi-Region Access Point with the alias mfzwi23gnjvgw.mrap, entries in the CloudTrail log would have a hostname of mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com.

Remember that Multi-Region Access Points route each request to the bucket that responds with the lowest latency. Because of this, when you look at the CloudTrail logs for a Multi-Region Access Point, you will see requests made to the underlying buckets. Some of those requests might be direct requests to the bucket that were not routed through the Multi-Region Access Point. This is important to keep in mind when reviewing traffic: when a bucket is a member of a Multi-Region Access Point, requests can still be made to that bucket directly without going through the Multi-Region Access Point.
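When reviewing the logs, the practical question is which records came through the access point and which reached a member bucket directly. The following added example, which is not part of the AWS documentation, sorts CloudTrail S3 records by the request hostname (an access point request uses `<alias>.mrap.accesspoint.s3-global.amazonaws.com`, as in the mfzwi23gnjvgw.mrap example above) and lists direct requests to member buckets. The records are constructed; it assumes the `Host` and `bucketName` values appear under `requestParameters` as they do for S3 data events, and it recognizes management calls by the string MultiRegionAccessPoint in `eventName`.

```python
"""Sort CloudTrail S3 records into access point, direct-to-bucket and management events.

Added example (not from the AWS documentation). The records below are constructed;
Host and bucketName under requestParameters are assumed to be present as they are
for S3 data events.
"""
import re

# Hostname form of a request made through a Multi-Region Access Point:
# <alias>.mrap.accesspoint.s3-global.amazonaws.com
MRAP_HOST_RE = re.compile(
    r"^(?P<alias>[a-z0-9]+)\.mrap\.accesspoint\.s3-global\.amazonaws\.com$"
)


def mrap_alias(record):
    """Return the access point alias a request used, or None for a direct request."""
    host = (record.get("requestParameters") or {}).get("Host", "")
    match = MRAP_HOST_RE.match(host.lower())
    return match.group("alias") if match else None


def is_mrap_management_event(record):
    """Management API calls such as CreateMultiRegionAccessPoint and GetMultiRegionAccessPointPolicy."""
    return "MultiRegionAccessPoint" in record.get("eventName", "")


def classify(record):
    """One of 'management', 'via-mrap' or 'direct'."""
    if is_mrap_management_event(record):
        return "management"
    if mrap_alias(record) is not None:
        return "via-mrap"
    return "direct"


def direct_requests_to_members(records, member_buckets):
    """Data events that reached a member bucket without going through the access point."""
    members = set(member_buckets)
    return [
        r for r in records
        if classify(r) == "direct"
        and (r.get("requestParameters") or {}).get("bucketName") in members
    ]


def summarize(records):
    """Count records per class, e.g. {'via-mrap': 1, 'direct': 2, 'management': 1}."""
    counts = {}
    for r in records:
        kind = classify(r)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample records (trimmed to the fields the functions read).
SAMPLE_RECORDS = [
    {   # read through the access point; the log shows the access point hostname
        "eventName": "GetObject", "awsRegion": "us-east-1",
        "requestParameters": {
            "Host": "mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com",
            "bucketName": "example-bucket-use1", "key": "report.csv"},
    },
    {   # same member bucket, but addressed directly by its Regional endpoint
        "eventName": "GetObject", "awsRegion": "us-east-1",
        "requestParameters": {
            "Host": "example-bucket-use1.s3.us-east-1.amazonaws.com",
            "bucketName": "example-bucket-use1", "key": "report.csv"},
    },
    {   # direct request to a bucket that is not a member of the access point
        "eventName": "PutObject", "awsRegion": "eu-west-1",
        "requestParameters": {
            "Host": "other-bucket.s3.eu-west-1.amazonaws.com",
            "bucketName": "other-bucket", "key": "notes.txt"},
    },
    {   # management call; such requests are routed through us-west-2
        "eventName": "CreateMultiRegionAccessPoint", "awsRegion": "us-west-2",
        "requestParameters": {"accountId": "123456789012"},
    },
]

SAMPLE_MEMBER_BUCKETS = ["example-bucket-use1", "example-bucket-euw1"]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    for r in direct_requests_to_members(SAMPLE_RECORDS, SAMPLE_MEMBER_BUCKETS):
        p = r["requestParameters"]
        print("direct:", r["eventName"], p["bucketName"], p["key"], "in", r["awsRegion"])
```

Feed it the `Records` array of a downloaded CloudTrail log file to get the same breakdown; the direct-request list is the set of member bucket accesses that a policy or review scoped only to the access point would miss.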

There are asynchronous events involved with creating and managing Multi-Region Access Points. Asynchronous requests don't have completion events in the CloudTrail log. For more information about asynchronous requests, see Monitoring and logging requests made to Multi-Region Access Point management APIs.

For more information about Amazon CloudTrail, see What Is Amazon CloudTrail? in the Amazon CloudTrail User Guide.