Amazon Web Services account closure and trails
Amazon CloudTrail continuously monitors and records events for account activity generated by any user, role, or Amazon Web Services service for an Amazon Web Services account. Users can create a CloudTrail trail to receive a copy of these events in a S3 bucket that they own.
CloudTrail is a foundational security service, therefore, trails created by users continue to exist and deliver events even after an Amazon Web Services account is closed, unless a user explicitly deletes the trails in their Amazon Web Services account prior to closing it. This behavior also applies to the organization trails that are created by the management account or the delegated administrator, and to multi-Region organization trails that are then created in the organization's member accounts. This ensures that if a user reopens a closed account that user has an unbroken record of account activity. It also provides users with visibility into any final account activity, including the deletion and termination of remaining account resources and services.
Users have the option to delete trails prior to closing their Amazon Web Services account, or to contact Amazon Web Services Support
For more information about closing an Amazon Web Services account, see Close an Amazon Web Services account.
Note
If CloudTrail log file validation is enabled, users will continue to receive hourly digest files which indicate if any CloudTrail logs were created or not.
CloudTrail Lake event data stores, CloudTrail Lake channels for integrations, CloudTrail service-linked channels, and resources created for trails (for example, Amazon CloudWatch Logs log groups and Amazon S3 buckets existing in the closed account), follow standard Amazon behavior for account closure and are permanently deleted after the post-closure period (typically 90 days).