Using the update-trail command to update a trail - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using the update-trail command to update a trail

Important

As of November 22, 2021, Amazon CloudTrail makes Amazon CloudFront events available only in the Region where the event was processed, China (Ningxia) Region, cn-northwest-1.

For trails monitoring global service events, be sure to convert single-Region trails in China (Beijing) Region, cn-north-1, to multi-Region trails, to include events from China (Ningxia) Region, cn-northwest-1. For more information about capturing CloudFront events, see Enabling and disabling global service event logging later in this section.

You can use the update-trail command to change the configuration settings for a trail. You can also use the add-tags and remove-tags commands to add and remove tags for a trail. You can only update trails from the Amazon Region where the trail was created (its Home Region). When using the Amazon CLI, remember that your commands run in the Amazon Region configured for your profile. If you want to run the commands in a different Region, either change the default Region for your profile, or use the --region parameter with the command.

Note

If you use the Amazon CLI or one of the Amazon SDKs to modify a trail, be sure that the trail's bucket policy is up-to-date. In order for your bucket to automatically receive events from a new Amazon Web Services Region, the policy must contain the full service name, cloudtrail.amazonaws.com. For more information, see Amazon S3 bucket policy for CloudTrail.

Converting a trail that applies to one Region to apply to all Regions

To change an existing trail so that it applies to all Regions, use the --is-multi-region-trail option.

aws cloudtrail update-trail --name my-trail --is-multi-region-trail

To confirm that the trail now applies to all Regions, the IsMultiRegionTrail element in the output shows true.

{ "IncludeGlobalServiceEvents": true, "Name": "my-trail", "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail", "LogFileValidationEnabled": false, "IsMultiRegionTrail": true, "IsOrganizationTrail": false, "S3BucketName": "amzn-s3-demo-bucket" }

Converting a multi-Region trail to a single-Region trail

To change an existing multi-Region trail so that it applies only to the Region in which it was created, use the --no-is-multi-region-trail option.

aws cloudtrail update-trail --name my-trail --no-is-multi-region-trail

To confirm that the trail now applies to a single Region, the IsMultiRegionTrail element in the output shows false.

{ "IncludeGlobalServiceEvents": true, "Name": "my-trail", "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail", "LogFileValidationEnabled": false, "IsMultiRegionTrail": false, "IsOrganizationTrail": false, "S3BucketName": "amzn-s3-demo-bucket" }

Enabling and disabling global service event logging

To change a trail so that it does not log global service events, use the --no-include-global-service-events option.

aws cloudtrail update-trail --name my-trail --no-include-global-service-events

To confirm that the trail no longer logs global service events, the IncludeGlobalServiceEvents element in the output shows false.

{ "IncludeGlobalServiceEvents": false, "Name": "my-trail", "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail", "LogFileValidationEnabled": false, "IsMultiRegionTrail": false, "IsOrganizationTrail": false, "S3BucketName": "amzn-s3-demo-bucket" }

To change a trail so that it logs global service events, use the --include-global-service-events option.

To capture CloudFront events, convert single-Region trails in cn-north-1 with global service events turned on to multi-Region trails using the following CLI command. Replace myExistingSingleRegionTrailWithGSE with the appropriate trail name for your configuration.

aws cloudtrail --region cn-north-1 update-trail --name myExistingSingleRegionTrailWithGSE --is-multi-region-trail

Because global service events are only available in the China (Ningxia) Region beginning November 22, 2021, you can also create a single-Region trail in cn-northwest-1 to ensure continued logging of CloudFront events.

aws cloudtrail --region cn-northwest-1 create-trail --include-global-service-events --name mySingleRegionTrail --s3-bucket-name amzn-s3-demo-bucket

Enabling log file validation

To enable log file validation for a trail, use the --enable-log-file-validation option. Digest files are delivered to the Amazon S3 bucket for that trail.

aws cloudtrail update-trail --name my-trail --enable-log-file-validation

To confirm that log file validation is enabled, the LogFileValidationEnabled element in the output shows true.

{ "IncludeGlobalServiceEvents": true, "Name": "my-trail", "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail", "LogFileValidationEnabled": true, "IsMultiRegionTrail": false, "IsOrganizationTrail": false, "S3BucketName": "amzn-s3-demo-bucket" }

Disabling log file validation

To disable log file validation for a trail, use the --no-enable-log-file-validation option.

aws cloudtrail update-trail --name my-trail-name --no-enable-log-file-validation

To confirm that log file validation is disabled, the LogFileValidationEnabled element in the output shows false.

{ "IncludeGlobalServiceEvents": true, "Name": "my-trail", "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail", "LogFileValidationEnabled": false, "IsMultiRegionTrail": false, "IsOrganizationTrail": false, "S3BucketName": "amzn-s3-demo-bucket" }

To validate log files with the Amazon CLI, see Validating CloudTrail log file integrity with the Amazon CLI.