Understanding multi-Region trails and opt-in Regions - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Understanding multi-Region trails and opt-in Regions

A trail can be applied to all Amazon Web Services Regions that are enabled in your Amazon Web Services account, or can be applied to a single Region. A trail that applies to all Amazon Web Services Regions that are enabled in your Amazon Web Services account is referred to as a multi-Region trail. As a best practice, we recommend creating a multi-Region trail because it captures activity in all enabled Regions. All trails created using the CloudTrail console are multi-Region trails. You can only create a single-Region trail using the Amazon CLI or CreateTrail API operation.

Although most Amazon Web Services Regions are enabled by default for your Amazon Web Services account, you must manually enable certain Regions (also referred to as opt-in Regions). For information about which Regions are enabled by default, see Considerations before enabling and disabling Regions in the Amazon Account Management Reference Guide. For the list of Regions CloudTrail supports, see CloudTrail supported Regions.

What are the advantages of multi-Region trails?

A multi-Region trail has the following advantages:

  • The configuration settings for the trail apply consistently across all enabled Amazon Web Services Regions.

  • You receive CloudTrail events from all enabled Amazon Web Services Regions in a single Amazon S3 bucket and, optionally, in a CloudWatch Logs log group.

  • You manage trail configurations for all enabled Amazon Web Services Regions from one location.

What happens when you create a multi-Region trail?

Creating a multi-Region trail has the following effects:

  • CloudTrail delivers log files for account activity from all enabled Amazon Web Services Regions to the single Amazon S3 bucket that you specify, and, optionally, to a CloudWatch Logs log group.

  • If you configured an Amazon SNS topic for the trail, SNS notifications about log file deliveries in all enabled Amazon Web Services Regions are sent to that single SNS topic.

  • You can see the multi-Region trail in all enabled Amazon Web Services Regions, but you can only modify the trail in the home Region where it was created.
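As an added example (not code from the CloudTrail documentation), the following Python audit checks DescribeTrails output for the coverage points this section describes: it collapses the copies of a multi-Region trail that are visible in every enabled Region into a single entry by TrailARN, reports which Region the trail can be modified in, and flags single-Region trails and trails without a CloudWatch Logs log group. The trail records are constructed sample data; the `fetch_trails` helper is an assumed boto3 wrapper that needs credentials and is not required to run the audit.

```python
"""Audit trail coverage from DescribeTrails output (constructed sample data)."""

# Constructed sample in the shape of a DescribeTrails "trailList". The multi-Region
# trail has its home Region in us-east-1 but is also returned as a shadow copy
# when DescribeTrails is called in another enabled Region, so its ARN appears twice.
SAMPLE_TRAILS = [
    {"Name": "main-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main-trail",
     "S3BucketName": "example-trail-bucket",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:trail:*",
     "SnsTopicARN": "arn:aws:sns:us-east-1:111122223333:trail-delivery"},
    {"Name": "main-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main-trail",
     "S3BucketName": "example-trail-bucket",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:trail:*",
     "SnsTopicARN": "arn:aws:sns:us-east-1:111122223333:trail-delivery"},
    {"Name": "legacy-eu", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-eu",
     "S3BucketName": "legacy-bucket"},
]


def fetch_trails(region_name):
    """Assumed live helper: same list shape as SAMPLE_TRAILS (needs boto3 + credentials)."""
    import boto3
    client = boto3.client("cloudtrail", region_name=region_name)
    return client.describe_trails(includeShadowTrails=True)["trailList"]


def dedupe_by_arn(trails):
    """A multi-Region trail is visible in every enabled Region; keep one record per ARN."""
    unique = {}
    for trail in trails:
        unique.setdefault(trail["TrailARN"], trail)
    return list(unique.values())


def audit_trails(trails):
    """Return (has_multi_region_trail, findings) for one account's trail list."""
    unique = dedupe_by_arn(trails)
    findings = []
    multi = [t for t in unique if t.get("IsMultiRegionTrail")]
    if not multi:
        findings.append("no multi-Region trail: activity in other enabled Regions is not logged by a trail")
    for t in unique:
        if not t.get("IsMultiRegionTrail"):
            findings.append(f"{t['Name']}: single-Region trail, only covers {t['HomeRegion']}")
        if not t.get("CloudWatchLogsLogGroupArn"):
            findings.append(f"{t['Name']}: no CloudWatch Logs log group configured")
        # Settings can only be changed in the home Region, so record where to run updates.
        findings.append(f"{t['Name']}: modify only in home Region {t['HomeRegion']}")
    return bool(multi), findings
```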

What happens when you enable an opt-in Region?

After you enable an opt-in Region, CloudTrail creates an identical copy of each multi-Region trail in the opt-in Region that you enabled.

CloudTrail uses a distributed computing model called eventual consistency. Because enabling a Region takes a few minutes to several hours, you may not immediately see all events in the logs for the newly enabled Region. It may take up to several hours for CloudTrail to deliver all logs for the newly enabled Region. During this time, you can view the last 90 days of management events logged in that Region by viewing the CloudTrail Event History, or by running the aws cloudtrail lookup-events --region <region> command. Event history is active by default in your Amazon Web Services account, captures the last 90 days of management events logged in a Region, and does not require a trail.

For information about enabling an opt-in Region for your Amazon Web Services account, see Enable or disable a Region for standalone accounts or Enable or disable a Region in your organization.

What happens when you disable an opt-in Region?

Because your account may have activity in the Region you disabled, such as actions by Amazon Web Services services to remove resources, CloudTrail will continue to capture activity and attempt to deliver events to the S3 bucket for any trails that are not deleted before the Region is disabled.