Working with CloudTrail trails
Trails capture a record of Amazon activities, delivering and storing these events in an Amazon S3 bucket, with optional delivery to CloudWatch Logs and Amazon EventBridge.
You can deliver one copy of your ongoing management events to your S3 bucket at no charge from CloudTrail by creating a trail; however, Amazon S3 storage charges still apply. For more information about CloudTrail pricing, see Amazon CloudTrail Pricing.
You can create both multi-Region and single-Region trails for your Amazon Web Services account.
- Multi-Region trails
  When you create a multi-Region trail, CloudTrail records events in all Amazon Web Services Regions in the Amazon partition in which you are working and delivers the CloudTrail event log files to an S3 bucket that you specify. If an Amazon Web Services Region is added after you create a multi-Region trail, that new Region is automatically included, and events in that Region are logged. Creating a multi-Region trail is a recommended best practice because it captures activity in all Regions in your account. All trails you create using the CloudTrail console are multi-Region. You can convert a single-Region trail to a multi-Region trail by using the Amazon CLI. For more information, see Creating a trail in the console and Converting a trail that applies to one Region to apply to all Regions.
- Single-Region trails
  When you create a single-Region trail, CloudTrail records the events in that Region only. It then delivers the CloudTrail event log files to an Amazon S3 bucket that you specify. You can only create a single-Region trail by using the Amazon CLI. If you create additional single-Region trails, you can have those trails deliver CloudTrail event log files to the same S3 bucket or to separate buckets. A single-Region trail is the default when you create a trail using the Amazon CLI or the CloudTrail API. For more information, see Creating, updating, and managing trails with the Amazon CLI.
Note: For both types of trails, you can specify an Amazon S3 bucket from any Region.
If you have created an organization in Amazon Organizations, you can create an organization trail that logs all events for all Amazon accounts in that organization. Organization trails can apply to all Amazon Regions, or the current Region. Organization trails must be created using the management account or delegated administrator account, and when specified as applying to an organization, are automatically applied to all member accounts in the organization. Member accounts can see the organization trail, but cannot modify or delete it. By default, member accounts do not have access to the log files for an organization trail in the Amazon S3 bucket. For more information, see Creating a trail for an organization.
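The two trail types and organization trails described above are distinguished by fields in the response of the CloudTrail DescribeTrails API (`aws cloudtrail describe-trails`): IsMultiRegionTrail, IsOrganizationTrail, S3BucketName and HomeRegion. The following added example, which is not part of this documentation page or of any Amazon-provided tool, audits such a response offline against the guidance above: it flags an account with no trail, a trail with no S3 bucket, and any single-Region trail, and it points at the CLI update that converts the trail to multi-Region. The trail and bucket names in the sample input are constructed placeholders.

```python
"""Audit CloudTrail trail configurations against the guidance on this page.

Input is the JSON shape returned by `aws cloudtrail describe-trails`
(a "trailList" array whose entries carry IsMultiRegionTrail,
IsOrganizationTrail, S3BucketName and HomeRegion). The sample below is
constructed for this example; it is not data from a real account.
"""
import json

# Constructed sample: one multi-Region trail, one single-Region trail and
# one organization trail. Names and bucket names are placeholders.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {"Name": "management-events-all-regions",
         "S3BucketName": "example-cloudtrail-logs",
         "HomeRegion": "us-east-1",
         "IsMultiRegionTrail": True,
         "IsOrganizationTrail": False},
        {"Name": "legacy-single-region",
         "S3BucketName": "example-cloudtrail-logs",
         "HomeRegion": "eu-west-1",
         "IsMultiRegionTrail": False,
         "IsOrganizationTrail": False},
        {"Name": "org-trail",
         "S3BucketName": "example-org-logs",
         "HomeRegion": "us-east-1",
         "IsMultiRegionTrail": True,
         "IsOrganizationTrail": True},
    ]
})


def _trails(describe_trails_json):
    """Parse the describe-trails output and return the trailList entries."""
    return json.loads(describe_trails_json).get("trailList", [])


def audit_trails(describe_trails_json):
    """Return (trail name, issue) findings for trails that need attention."""
    findings = []
    trails = _trails(describe_trails_json)
    if not trails:
        # No trail at all: management events are not being delivered to S3.
        findings.append(("<none>", "no trail exists in this account"))
        return findings
    for trail in trails:
        name = trail.get("Name", "<unnamed>")
        if not trail.get("S3BucketName"):
            findings.append((name, "no S3 bucket configured, so no log files are delivered"))
        if not trail.get("IsMultiRegionTrail", False):
            # Single-Region trails miss activity in every other Region; the page
            # recommends multi-Region trails and notes the CLI can convert them.
            home = trail.get("HomeRegion", "?")
            findings.append((name,
                             f"single-Region trail (home Region {home}); convert with: "
                             f"aws cloudtrail update-trail --name {name} --is-multi-region-trail"))
    return findings


def has_multi_region_coverage(describe_trails_json):
    """True if at least one trail records events in all Regions."""
    return any(t.get("IsMultiRegionTrail", False) for t in _trails(describe_trails_json))


def organization_trails(describe_trails_json):
    """Names of trails that apply to every member account of the organization."""
    return [t["Name"] for t in _trails(describe_trails_json)
            if t.get("IsOrganizationTrail", False)]


if __name__ == "__main__":
    for trail_name, issue in audit_trails(SAMPLE_DESCRIBE_TRAILS):
        print(f"{trail_name}: {issue}")
    print("multi-Region coverage:", has_multi_region_coverage(SAMPLE_DESCRIBE_TRAILS))
    print("organization trails:", organization_trails(SAMPLE_DESCRIBE_TRAILS))
```

To run it against a real account, feed the output of `aws cloudtrail describe-trails` to `audit_trails` in place of the sample. The suggested `update-trail` command must be run in the trail's home Region, which is why the finding records HomeRegion alongside the trail name.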
Topics
- Creating a trail for your Amazon Web Services account
- Creating a trail for an organization
- Viewing CloudTrail Insights events for trails
- Copying trail events to CloudTrail Lake
- Getting and viewing your CloudTrail log files
- Configuring Amazon SNS notifications for CloudTrail
- Using Amazon CloudTrail with interface VPC endpoints
- Naming requirements for CloudTrail resources, S3 buckets, and KMS keys
- Amazon Web Services account closure and trails