Creating multiple trails
You can use CloudTrail log files to troubleshoot operational or security issues in your Amazon account. You can create trails for different users, who can create and manage their own trails. You can configure trails to deliver log files to separate S3 buckets or shared S3 buckets.
Note
The first copy of management events in each Amazon Web Services Region for an account is free. If you create more trails that deliver the same management events to other
destinations, those subsequent deliveries incur CloudTrail costs. For more information about CloudTrail costs, see Amazon CloudTrail Pricing
For example, you might have the following users:
-
A security administrator creates a trail and configures SNS to receive notifications when new log files are delivered.
-
A developer creates a trail and configures CloudWatch alarms to receive notifications for specific API activity.
-
An IT auditor creates a trail and configures SNS and CloudWatch alarms.
-
All log files are delivered to the same S3 bucket.
The following image illustrates this example.
Note
You can create up to five trails per Amazon Web Services Region. A multi-Region trail counts as one trail per Region.
You can use resource-level permissions to manage a user's ability to perform specific operations on CloudTrail.
For example, you might grant one user permission to view trail activity, but restrict the user from starting or stopping logging for a trail. You might grant another user full permission to create and delete trails. This gives you granular control over your trails and user access.
For more information about resource-level permissions, see Examples: Creating and applying policies for actions on specific trails.
For more information about multiple trails, see the CloudTrail FAQs