Troubleshooting issues with an organization trail

From the CloudTrail console, check the trail's details page. If there's an issue with the S3 bucket, the details page includes a warning that delivery to the S3 bucket failed.

From the Amazon CLI, run the get-trail-status command. If there's a failure, the command output includes the LatestDeliveryError field, which displays any Amazon S3 error that CloudTrail encountered when attempting to deliver log files to the designated bucket. This error occurs only when there is a problem with the destination S3 bucket, and does not occur for requests that time out. To resolve the issue, fix the bucket policy so that CloudTrail can write to the bucket; or create a new bucket, and then call update-trail to specify the new bucket. For information about the organization bucket policy, see Create or update an Amazon S3 bucket to use to store the log files for an organization trail.

From the CloudTrail console, check the trail's details page. If there's an issue with CloudWatch Logs, the details page includes a warning that indicates CloudWatch Logs delivery failed.

From the Amazon CLI, run the get-trail-status command. If there's a failure, the command output includes the LatestCloudWatchLogsDeliveryError field, which displays any CloudWatch Logs error that CloudTrail encountered when attempting to deliver logs to CloudWatch Logs. To resolve the issue, fix the CloudWatch Logs role policy. For information about the CloudWatch Logs role policy, see Role policy document for CloudTrail to use CloudWatch Logs for monitoring.

Check the home Region for the trail to see if it is an opt-in Region

Although most Amazon Web Services Regions are enabled by default for your Amazon Web Services account, you must manually enable certain Regions (also referred to as opt-in Regions). For information about which Regions are enabled by default, see Considerations before enabling and disabling Regions in the Amazon Account Management Reference Guide. For the list of Regions CloudTrail supports, see CloudTrail supported Regions.

If the organization trail is multi-Region and the home Region is an opt-in Region, member accounts will not send activity to the organization trail unless they opt into the Amazon Web Services Region where the multi-Region trail was created. For example, if you create a multi-Region trail and choose the Europe (Spain) Region as the home Region for the trail, only member accounts that enabled the Europe (Spain) Region for their account will send their account activity to the organization trail. To resolve the issue, enable the opt-in Region in each member account in your organization. For information about enabling an opt-in Region, see Enable or disable a Region in your organization in the Amazon Account Management Reference Guide.

Check if the organization resource-based policy conflicts with the CloudTrail service-linked role policy

CloudTrail uses the service-linked role named AWSServiceRoleForCloudTrail to support organization trails. This service-linked role allows CloudTrail to perform actions on organization resources, such as organizations:DescribeOrganization. If the organization's resource-based policy denies an action that is allowed in the service-linked role policy, CloudTrail will not be able to perform the action even though it is allowed in the service-linked role policy. To resolve the issue, fix the organization's resource-based policy so that it doesn't deny actions that are allowed in the service-linked role policy.

From the CloudTrail console, check the trail's details page. If there's an authorization failure, the details page includes a warning SNS authorization failed and indicates to fix the SNS topic policy.

From the Amazon CLI, run the get-trail-status command. If there's an authorization failure, the command output includes the LastNotificationError field with a value of AuthorizationError. To resolve the issue, fix the Amazon SNS topic policy. For information about the Amazon SNS topic policy, see Amazon SNS topic policy for CloudTrail.