Using the update-trail command to update a trail
Important
As of November 22, 2021, Amazon CloudTrail makes Amazon CloudFront events available only in the Region where the event was processed, China (Ningxia) Region, cn-northwest-1.
For trails monitoring global service events, be sure to convert single-Region trails in China (Beijing) Region, cn-north-1, to multi-Region trails, to include events from China (Ningxia) Region, cn-northwest-1. For more information about capturing CloudFront events, see Enabling and disabling global service event logging later in this section.
You can use the update-trail command to change the configuration settings for a trail. You can also use the add-tags and remove-tags commands to add and remove tags for a trail. You can only update trails from the Amazon Region where the trail was created (its Home Region).
When using the Amazon CLI, remember that your commands run in the Amazon Region configured for your profile. If you want to run the commands in a different Region, either change the default Region for your profile, or use the --region parameter with the command.
Note
If you use the Amazon CLI or one of the Amazon SDKs to modify a trail, be sure that the trail's bucket policy is up-to-date. In order for your bucket to automatically receive events from a new Amazon Web Services Region, the policy must contain the full service name, cloudtrail.amazonaws.com. For more information, see Amazon S3 bucket policy for CloudTrail.
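The following script is an added example, not part of the CloudTrail documentation, showing the check the note above asks for: it inspects a bucket policy document (the Policy string returned by aws s3api get-bucket-policy) and reports which of the permissions CloudTrail needs are not granted to the cloudtrail.amazonaws.com service principal. The two policies embedded in it are constructed samples, and the account ID in the stale one is a placeholder.

```python
"""Check that an S3 bucket policy grants CloudTrail delivery by service name.

Added example, not part of the CloudTrail documentation. It assumes a policy
document in the shape returned by `aws s3api get-bucket-policy` (the Policy
field, a JSON string); the two policies below are constructed samples and no
AWS call is made.
"""
import json
from fnmatch import fnmatchcase

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
# Permissions CloudTrail needs on the bucket: read the bucket ACL, then write log objects.
REQUIRED_ACTIONS = {"s3:GetBucketAcl", "s3:PutObject"}

# Constructed policy in the form this page expects: the full service name as principal.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/123456789012/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
})

# Constructed policy that grants only a single account principal (placeholder account ID).
# Without a service-name principal, deliveries from a newly added Region are not covered.
STALE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": ["s3:GetBucketAcl", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket",
                      "arn:aws:s3:::amzn-s3-demo-bucket/*"]},
    ],
})


def _as_list(value):
    """Policy fields such as Action and Principal.Service may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def cloudtrail_actions(policy_json):
    """Return the set of action patterns the policy allows to the CloudTrail service principal."""
    policy = json.loads(policy_json)
    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # Only a dict-form principal can name a service; "*" or an AWS account does not count.
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if CLOUDTRAIL_SERVICE not in services:
            continue
        allowed.update(_as_list(stmt.get("Action")))
    return allowed


def missing_cloudtrail_permissions(policy_json):
    """Return the required actions not granted to the CloudTrail service principal.

    Wildcard actions such as "s3:*" are honoured; an empty set means the policy is fine.
    """
    granted = cloudtrail_actions(policy_json)
    return {action for action in REQUIRED_ACTIONS
            if not any(fnmatchcase(action, pattern) for pattern in granted)}


if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("stale", STALE_POLICY)):
        missing = missing_cloudtrail_permissions(policy)
        verdict = "OK" if not missing else "missing " + ", ".join(sorted(missing))
        print("%s policy: %s" % (label, verdict))
```

To run it against a live bucket, pass the Policy string from aws s3api get-bucket-policy into missing_cloudtrail_permissions; a non-empty result means update-trail may succeed while log delivery for a new Region silently fails.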
Converting a trail that applies to one Region to apply to all Regions
To change an existing trail so that it applies to all Regions, use the --is-multi-region-trail option.
    aws cloudtrail update-trail --name my-trail --is-multi-region-trail
To confirm that the trail now applies to all Regions, the IsMultiRegionTrail element in the output shows true.
    {
        "IncludeGlobalServiceEvents": true,
        "Name": "my-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
        "LogFileValidationEnabled": false,
        "IsMultiRegionTrail": true,
        "IsOrganizationTrail": false,
        "S3BucketName": "amzn-s3-demo-bucket"
    }
Converting a multi-Region trail to a single-Region trail
To change an existing multi-Region trail so that it applies only to the Region in which it was created, use the --no-is-multi-region-trail option.
    aws cloudtrail update-trail --name my-trail --no-is-multi-region-trail
To confirm that the trail now applies to a single Region, the IsMultiRegionTrail element in the output shows false.
    {
        "IncludeGlobalServiceEvents": true,
        "Name": "my-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
        "LogFileValidationEnabled": false,
        "IsMultiRegionTrail": false,
        "IsOrganizationTrail": false,
        "S3BucketName": "amzn-s3-demo-bucket"
    }
Enabling and disabling global service event logging
To change a trail so that it does not log global service events, use the --no-include-global-service-events option.
    aws cloudtrail update-trail --name my-trail --no-include-global-service-events
To confirm that the trail no longer logs global service events, the IncludeGlobalServiceEvents element in the output shows false.
    {
        "IncludeGlobalServiceEvents": false,
        "Name": "my-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
        "LogFileValidationEnabled": false,
        "IsMultiRegionTrail": false,
        "IsOrganizationTrail": false,
        "S3BucketName": "amzn-s3-demo-bucket"
    }
To change a trail so that it logs global service events, use the --include-global-service-events option.
To capture CloudFront events, convert single-Region trails in cn-north-1 with global service events turned on to multi-Region trails using the following CLI command. Replace myExistingSingleRegionTrailWithGSE with the appropriate trail name for your configuration.
    aws cloudtrail --region cn-north-1 update-trail --name myExistingSingleRegionTrailWithGSE --is-multi-region-trail
Because global service events are only available in the China (Ningxia) Region beginning November 22, 2021, you can also create a single-Region trail in cn-northwest-1 to ensure continued logging of CloudFront events.
    aws cloudtrail --region cn-northwest-1 create-trail --include-global-service-events --name mySingleRegionTrail --s3-bucket-name amzn-s3-demo-bucket
Enabling log file validation
To enable log file validation for a trail, use the --enable-log-file-validation option. Digest files are delivered to the Amazon S3 bucket for that trail.
    aws cloudtrail update-trail --name my-trail --enable-log-file-validation
To confirm that log file validation is enabled, the LogFileValidationEnabled element in the output shows true.
    {
        "IncludeGlobalServiceEvents": true,
        "Name": "my-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
        "LogFileValidationEnabled": true,
        "IsMultiRegionTrail": false,
        "IsOrganizationTrail": false,
        "S3BucketName": "amzn-s3-demo-bucket"
    }
Disabling log file validation
To disable log file validation for a trail, use the --no-enable-log-file-validation option.
    aws cloudtrail update-trail --name my-trail-name --no-enable-log-file-validation
To confirm that log file validation is disabled, the LogFileValidationEnabled element in the output shows false.
    {
        "IncludeGlobalServiceEvents": true,
        "Name": "my-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
        "LogFileValidationEnabled": false,
        "IsMultiRegionTrail": false,
        "IsOrganizationTrail": false,
        "S3BucketName": "amzn-s3-demo-bucket"
    }
To validate log files with the Amazon CLI, see Validating CloudTrail log file integrity with the Amazon CLI.
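Each of the update-trail options above can also weaken a trail (narrowing it to one Region, dropping global service events, or turning off log file validation), so a defender wants a way to spot such changes from describe-trails output and to know which Region the corrective update-trail must be run in. The script below is an added example, not part of the CloudTrail documentation: it audits the trail fields shown on this page, derives each trail's Home Region from its TrailARN, and builds the update-trail command that restores the recommended settings. The trail list embedded in it is a constructed sample in the shape of aws cloudtrail describe-trails output.

```python
"""Audit CloudTrail trail configurations returned by `aws cloudtrail describe-trails`.

Added example, not part of the CloudTrail documentation. It assumes the output
shape shown on this page (Name, TrailARN, IsMultiRegionTrail,
IncludeGlobalServiceEvents, LogFileValidationEnabled, S3BucketName); the
trail list below is a constructed sample. Pass a file of real describe-trails
JSON as the first argument to audit live configuration.
"""
import json
import sys

# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {   # A trail that matches the configuration this page recommends.
            "Name": "my-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
            "IsMultiRegionTrail": True,
            "IncludeGlobalServiceEvents": True,
            "LogFileValidationEnabled": True,
            "IsOrganizationTrail": False,
            "S3BucketName": "amzn-s3-demo-bucket",
        },
        {   # A trail narrowed to one Region with validation turned off.
            "Name": "ops-trail",
            "TrailARN": "arn:aws:cloudtrail:cn-north-1:123456789012:trail/ops-trail",
            "IsMultiRegionTrail": False,
            "IncludeGlobalServiceEvents": True,
            "LogFileValidationEnabled": False,
            "IsOrganizationTrail": False,
            "S3BucketName": "amzn-s3-demo-bucket",
        },
    ]
})


def sample_trails():
    """Return the constructed trail list as the CLI would hand it to json.load."""
    return json.loads(SAMPLE_DESCRIBE_TRAILS)["trailList"]


def home_region(trail_arn):
    """Return the trail's Home Region, the fourth field of its ARN.

    update-trail is only accepted from this Region, so knowing it avoids a
    failed call when the CLI profile defaults to a different Region.
    """
    parts = trail_arn.split(":")
    if len(parts) < 6 or parts[2] != "cloudtrail":
        raise ValueError("not a CloudTrail trail ARN: %r" % trail_arn)
    return parts[3]


def audit_trail(trail):
    """Return a list of findings for one trail; an empty list means it passes."""
    findings = []
    if not trail.get("IsMultiRegionTrail", False):
        findings.append("single-Region trail: events from other Regions are not logged")
    if not trail.get("IncludeGlobalServiceEvents", False):
        findings.append("global service events (for example CloudFront) are not logged")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append("log file validation disabled: no digest files, so tampering with logs is not detectable")
    # Since November 22, 2021 CloudFront events are delivered only in cn-northwest-1,
    # so a single-Region trail in cn-north-1 misses them even with global events on.
    if (trail.get("IncludeGlobalServiceEvents", False)
            and not trail.get("IsMultiRegionTrail", False)
            and home_region(trail["TrailARN"]) == "cn-north-1"):
        findings.append("single-Region trail in cn-north-1 misses CloudFront events; convert with --is-multi-region-trail")
    return findings


def audit_trails(trail_list):
    """Map each trail name to its Home Region and findings."""
    return {trail["Name"]: {"home_region": home_region(trail["TrailARN"]),
                            "findings": audit_trail(trail)}
            for trail in trail_list}


def update_command(trail):
    """Build the update-trail command that restores the recommended settings, or None if none are needed."""
    opts = []
    if not trail.get("IsMultiRegionTrail", False):
        opts.append("--is-multi-region-trail")
    if not trail.get("IncludeGlobalServiceEvents", False):
        opts.append("--include-global-service-events")
    if not trail.get("LogFileValidationEnabled", False):
        opts.append("--enable-log-file-validation")
    if not opts:
        return None
    # --region pins the call to the Home Region, as the page requires for update-trail.
    return "aws cloudtrail update-trail --region %s --name %s %s" % (
        home_region(trail["TrailARN"]), trail["Name"], " ".join(opts))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            trails = json.load(fh)["trailList"]
    else:
        trails = sample_trails()
    for name, result in audit_trails(trails).items():
        print("%s %s (Home Region %s)" % ("OK" if not result["findings"] else "REVIEW", name, result["home_region"]))
        for finding in result["findings"]:
            print("  - " + finding)
    for trail in trails:
        if update_command(trail):
            print("fix: " + update_command(trail))
```

Running it on the sample reports my-trail as OK and ops-trail with three findings, followed by the cn-north-1 update-trail command that re-enables multi-Region logging and log file validation; run periodically against live describe-trails output, the findings list doubles as a simple drift alert.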