Creating a trail for your organization in the console - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating a trail for your organization in the console

To create an organization trail from the CloudTrail console, you must sign in to the console as a user or role in the management or delegated administrator account that has sufficient permissions. If you don't sign in with the management or delegated administrator account, you won't see the option to apply a trail to an organization when you create or edit a trail from the CloudTrail console.

You can configure an organization trail in multiple ways. For example, you can configure the following details for your organization trail:

  • By default, when you create a trail in the console, the trail logs all Amazon Web Services Regions in the Amazon partition in which you are working. As a best practice, we strongly recommend logging events in all Regions in your Amazon Web Services account. To create a trail for a single Region, use the Amazon CLI. For more information, see How CloudTrail works.

  • Specify whether to apply the trail to your organization. By default, trails aren't applied to organizations. You must choose this option to create an organization trail.

  • Specify which Amazon S3 bucket receives log files for the organization trail. You can choose an existing Amazon S3 bucket, or create one specifically for the organization trail.

  • For management and data events, specify if you want to log Read events, Write events, or both. CloudTrail Insights events are logged only on management events. You can specify logging data events for resources in the management account by choosing them from the lists in the console, and in member accounts if you specify the ARNs of each resource for which you want to enable data event logging. For more information, see Data events.

To create an organization trail with the Amazon Web Services Management Console
  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

    You must be signed in using an IAM identity in the management or delegated administrator account with sufficient permissions to create an organization trail.

  2. Choose Trails, and then choose Create trail.

  3. On the Create Trail page, for Trail name, type a name for your trail. For more information, see Naming requirements.

  4. Select Enable for all accounts in my organization. You only see this option if you sign in to the console with a user or role in the management or delegated administrator account. To successfully create an organization trail, be sure that the user or role has sufficient permissions.

  5. For Storage location, choose Create new S3 bucket to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies.

    Note

    If you choose Use existing S3 bucket, specify a bucket in Trail log bucket name, or choose Browse to choose a bucket. You can choose a bucket belonging to any account; however, the bucket policy must grant CloudTrail permission to write to it. For information about manually editing the bucket policy, see Amazon S3 bucket policy for CloudTrail.

    To make it easier to find your logs, create a new folder (also known as a prefix) in an existing bucket to store your CloudTrail logs. Enter the prefix in Prefix.

  6. For Log file SSE-KMS encryption, choose Enabled if you want to encrypt your log files using SSE-KMS encryption instead of SSE-S3 encryption. The default is Enabled. If you don't enable SSE-KMS encryption, your logs are encrypted using SSE-S3 encryption. For more information about SSE-KMS encryption, see Using server-side encryption with Amazon Key Management Service (SSE-KMS). For more information about SSE-S3 encryption, see Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

    If you enable SSE-KMS encryption, choose a New or Existing Amazon KMS key. In Amazon KMS Alias, specify an alias, in the format alias/MyAliasName. For more information, see Updating a resource to use your KMS key.

    Note

    You can also type the ARN of a key from another account. For more information, see Updating a resource to use your KMS key. The key policy must allow CloudTrail to use the key to encrypt your log files, and allow the users you specify to read log files in unencrypted form. For information about manually editing the key policy, see Configure Amazon KMS key policies for CloudTrail.

  7. In Additional settings, configure the following.

    1. For Log file validation, choose Enabled to have log digests delivered to your S3 bucket. You can use the digest files to verify that your log files did not change after CloudTrail delivered them. For more information, see Validating CloudTrail log file integrity.

    2. For SNS notification delivery, choose Enabled to be notified each time a log is delivered to your bucket. CloudTrail stores multiple events in a log file. SNS notifications are sent for every log file, not for every event. For more information, see Configuring Amazon SNS notifications for CloudTrail.

      If you enable SNS notifications, for Create a new SNS topic, choose New to create a topic, or choose Existing to use an existing topic. If you are creating a trail that applies to all Regions, SNS notifications for log file deliveries from all Regions are sent to the single SNS topic that you create.

      If you choose New, CloudTrail specifies a name for the new topic for you, or you can type a name. If you choose Existing, choose an SNS topic from the drop-down list. You can also enter the ARN of a topic from another Region or from an account with appropriate permissions. For more information, see Amazon SNS topic policy for CloudTrail.

      If you create a topic, you must subscribe to the topic to be notified of log file delivery. You can subscribe from the Amazon SNS console. Due to the frequency of notifications, we recommend that you configure the subscription to use an Amazon SQS queue to handle notifications programmatically. For more information, see the Amazon Simple Notification Service Getting Started Guide.

  8. Optionally, configure CloudTrail to send log files to CloudWatch Logs by choosing Enabled in CloudWatch Logs. For more information, see Sending events to CloudWatch Logs.

    Note

    Only the management account can configure a CloudWatch Logs log group for an organization trail using the console. The delegated administrator can configure a CloudWatch Logs log group using the Amazon CLI or CloudTrail CreateTrail or UpdateTrail API operations.

    1. If you enable integration with CloudWatch Logs, choose New to create a new log group, or Existing to use an existing one. If you choose New, CloudTrail specifies a name for the new log group for you, or you can type a name.

    2. If you choose Existing, choose a log group from the drop-down list.

    3. Choose New to create a new IAM role for permissions to send logs to CloudWatch Logs. Choose Existing to choose an existing IAM role from the drop-down list. The policy statement for the new or existing role is displayed when you expand Policy document. For more information about this role, see Role policy document for CloudTrail to use CloudWatch Logs for monitoring.

      Note

      When you configure a trail, you can choose an S3 bucket and Amazon SNS topic that belong to another account. However, if you want CloudTrail to deliver events to a CloudWatch Logs log group, you must choose a log group that exists in your current account.

  9. For Tags, add one or more custom tags (key-value pairs) to your trail. Tags can help you identify both your CloudTrail trails and the Amazon S3 buckets that contain CloudTrail log files. You can then use resource groups for your CloudTrail resources. For more information, see Amazon Resource Groups and Why use tags for CloudTrail resources?.

  10. On the Choose log events page, choose the event types that you want to log. For Management events, do the following.

    1. For API activity, choose if you want your trail to log Read events, Write events, or both. For more information, see Management events.

    2. Choose Exclude Amazon KMS events to filter Amazon Key Management Service (Amazon KMS) events out of your trail. The default setting is to include all Amazon KMS events.

      The option to log or exclude Amazon KMS events is available only if you log management events on your trail. If you choose not to log management events, Amazon KMS events are not logged, and you cannot change Amazon KMS event logging settings.

      Amazon KMS actions such as Encrypt, Decrypt, and GenerateDataKey typically generate a large volume (more than 99%) of events. These actions are now logged as Read events. Low-volume, relevant Amazon KMS actions such as Disable, Delete, and ScheduleKey (which typically account for less than 0.5% of Amazon KMS event volume) are logged as Write events.

      To exclude high-volume events like Encrypt, Decrypt, and GenerateDataKey, but still log relevant events such as Disable, Delete and ScheduleKey, choose to log Write management events, and clear the check box for Exclude Amazon KMS events.

  11. To log data events, choose Data events. Additional charges apply for logging data events. For more information, see Amazon CloudTrail Pricing.

  12. For Data event type, choose the resource type on which you want to log data events. For more information about available data event types, see Data events.

    Important

    Steps 12-16 are for configuring data events using advanced event selectors, which is the default. Advanced event selectors let you configure more data event types and offer fine-grained control over which data events your trail captures. If you opted to use basic event selectors, complete the steps in Configure data event settings using basic event selectors, then return to step 17 of this procedure.

    Note

    To log data events for Amazon Glue tables created by Lake Formation, choose Lake Formation.

  13. Choose a log selector template. CloudTrail includes predefined templates that log all data events for the resource type. To build a custom log selector template, choose Custom.

    Note

    Choosing a predefined template for S3 buckets enables data event logging for all buckets currently in your Amazon account and any buckets you create after you finish creating the trail. It also enables logging of data event activity performed by any IAM identity in your Amazon account, even if that activity is performed on a bucket that belongs to another Amazon account.

    If the trail applies only to one Region, choosing a predefined template that logs all S3 buckets enables data event logging for all buckets in the same Region as your trail and any buckets you create later in that Region. It will not log data events for Amazon S3 buckets in other Regions in your Amazon account.

    If you are creating a trail for all Regions, choosing a predefined template for Lambda functions enables data event logging for all functions currently in your Amazon account, and any Lambda functions you might create in any Region after you finish creating the trail. If you are creating a trail for a single Region (done by using the Amazon CLI), this selection enables data event logging for all functions currently in that Region in your Amazon account, and any Lambda functions you might create in that Region after you finish creating the trail. It does not enable data event logging for Lambda functions created in other Regions.

    Logging data events for all functions also enables logging of data event activity performed by any IAM identity in your Amazon account, even if that activity is performed on a function that belongs to another Amazon account.

  14. (Optional) In Selector name, enter a name to identify your selector. The selector name is a descriptive name for an advanced event selector, such as "Log data events for only two S3 buckets". The selector name is listed as Name in the advanced event selector and is viewable if you expand the JSON view.

  15. In Advanced event selectors, build an expression for the specific resources on which you want to log data events. You can skip this step if you are using a predefined log template.

    1. Choose from the following fields.

      • readOnly - readOnly can be set to equals with a value of true or false. Read-only data events are events that do not change the state of a resource, such as Get* or Describe* events. Write events add, change, or delete resources, attributes, or artifacts, such as Put*, Delete*, or Write* events. To log both read and write events, don't add a readOnly selector.

      • eventName - eventName can use any operator. You can use it to include or exclude any data event logged to CloudTrail, such as PutBucket, PutItem, or GetSnapshotBlock.

      • resources.ARN - You can use any operator with resources.ARN, but if you use equals or does not equal, the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type.

        The following table shows the valid ARN format for each resources.type.

        Note

        You can't use the resources.ARN field to filter resource types that do not have ARNs.

        | resources.type | resources.ARN |
        | --- | --- |
        | AWS::DynamoDB::Table (1) | arn:partition:dynamodb:region:account_ID:table/table_name |
        | AWS::Lambda::Function | arn:partition:lambda:region:account_ID:function:function_name |
        | AWS::S3::Object (2) | arn:partition:s3:::bucket_name/ or arn:partition:s3:::bucket_name/object_or_file_name/ |
        | AWS::AppConfig::Configuration | arn:partition:appconfig:region:account_ID:application/application_ID/environment/environment_ID/configuration/configuration_profile_ID |
        | AWS::B2BI::Transformer | arn:partition:b2bi:region:account_ID:transformer/transformer_ID |
        | AWS::Bedrock::AgentAlias | arn:partition:bedrock:region:account_ID:agent-alias/agent_ID/alias_ID |
        | AWS::Bedrock::KnowledgeBase | arn:partition:bedrock:region:account_ID:knowledge-base/knowledge_base_ID |
        | AWS::Cassandra::Table | arn:partition:cassandra:region:account_ID:keyspace/keyspace_name/table/table_name |
        | AWS::CloudFront::KeyValueStore | arn:partition:cloudfront:region:account_ID:key-value-store/KVS_name |
        | AWS::CloudTrail::Channel | arn:partition:cloudtrail:region:account_ID:channel/channel_UUID |
        | AWS::CodeWhisperer::Customization | arn:partition:codewhisperer:region:account_ID:customization/customization_ID |
        | AWS::CodeWhisperer::Profile | arn:partition:codewhisperer:region:account_ID:profile/profile_ID |
        | AWS::Cognito::IdentityPool | arn:partition:cognito-identity:region:account_ID:identitypool/identity_pool_ID |
        | AWS::DynamoDB::Stream | arn:partition:dynamodb:region:account_ID:table/table_name/stream/date_time |
        | AWS::EC2::Snapshot | arn:partition:ec2:region::snapshot/snapshot_ID |
        | AWS::EMRWAL::Workspace | arn:partition:emrwal:region:account_ID:workspace/workspace_name |
        | AWS::FinSpace::Environment | arn:partition:finspace:region:account_ID:environment/environment_ID |
        | AWS::Glue::Table | arn:partition:glue:region:account_ID:table/database_name/table_name |
        | AWS::GreengrassV2::ComponentVersion | arn:partition:greengrass:region:account_ID:components/component_name |
        | AWS::GreengrassV2::Deployment | arn:partition:greengrass:region:account_ID:deployments/deployment_ID |
        | AWS::GuardDuty::Detector | arn:partition:guardduty:region:account_ID:detector/detector_ID |
        | AWS::IoT::Certificate | arn:partition:iot:region:account_ID:cert/certificate_ID |
        | AWS::IoT::Thing | arn:partition:iot:region:account_ID:thing/thing_ID |
        | AWS::IoTSiteWise::Asset | arn:partition:iotsitewise:region:account_ID:asset/asset_ID |
        | AWS::IoTSiteWise::TimeSeries | arn:partition:iotsitewise:region:account_ID:timeseries/timeseries_ID |
        | AWS::IoTTwinMaker::Entity | arn:partition:iottwinmaker:region:account_ID:workspace/workspace_ID/entity/entity_ID |
        | AWS::IoTTwinMaker::Workspace | arn:partition:iottwinmaker:region:account_ID:workspace/workspace_ID |
        | AWS::KendraRanking::ExecutionPlan | arn:partition:kendra-ranking:region:account_ID:rescore-execution-plan/rescore_execution_plan_ID |
        | AWS::KinesisVideo::Stream | arn:partition:kinesisvideo:region:account_ID:stream/stream_name/creation_time |
        | AWS::ManagedBlockchain::Network | arn:partition:managedblockchain:::networks/network_name |
        | AWS::ManagedBlockchain::Node | arn:partition:managedblockchain:region:account_ID:nodes/node_ID |
        | AWS::MedicalImaging::Datastore | arn:partition:medical-imaging:region:account_ID:datastore/data_store_ID |
        | AWS::NeptuneGraph::Graph | arn:partition:neptune-graph:region:account_ID:graph/graph_ID |
        | AWS::PCAConnectorAD::Connector | arn:partition:pca-connector-ad:region:account_ID:connector/connector_ID |
        | AWS::QBusiness::Application | arn:partition:qbusiness:region:account_ID:application/application_ID |
        | AWS::QBusiness::DataSource | arn:partition:qbusiness:region:account_ID:application/application_ID/index/index_ID/data-source/datasource_ID |
        | AWS::QBusiness::Index | arn:partition:qbusiness:region:account_ID:application/application_ID/index/index_ID |
        | AWS::QBusiness::WebExperience | arn:partition:qbusiness:region:account_ID:application/application_ID/web-experience/web_experience_ID |
        | AWS::RDS::DBCluster | arn:partition:rds:region:account_ID:cluster/cluster_name |
        | AWS::S3::AccessPoint (3) | arn:partition:s3:region:account_ID:accesspoint/access_point_name |
        | AWS::S3ObjectLambda::AccessPoint | arn:partition:s3-object-lambda:region:account_ID:accesspoint/access_point_name |
        | AWS::S3Outposts::Object | arn:partition:s3-outposts:region:account_ID:object_path |
        | AWS::SageMaker::Endpoint | arn:partition:sagemaker:region:account_ID:endpoint/endpoint_name |
        | AWS::SageMaker::ExperimentTrialComponent | arn:partition:sagemaker:region:account_ID:experiment-trial-component/experiment_trial_component_name |
        | AWS::SageMaker::FeatureGroup | arn:partition:sagemaker:region:account_ID:feature-group/feature_group_name |
        | AWS::SCN::Instance | arn:partition:scn:region:account_ID:instance/instance_ID |
        | AWS::ServiceDiscovery::Namespace | arn:partition:servicediscovery:region:account_ID:namespace/namespace_ID |
        | AWS::ServiceDiscovery::Service | arn:partition:servicediscovery:region:account_ID:service/service_ID |
        | AWS::SNS::PlatformEndpoint | arn:partition:sns:region:account_ID:endpoint/endpoint_type/endpoint_name/endpoint_ID |
        | AWS::SNS::Topic | arn:partition:sns:region:account_ID:topic_name |
        | AWS::SQS::Queue | arn:partition:sqs:region:account_ID:queue_name |
        | AWS::SSM::ManagedNode | The ARN must be in one of the following formats: arn:partition:ssm:region:account_ID:managed-instance/instance_ID or arn:partition:ec2:region:account_ID:instance/instance_ID |
        | AWS::SSMMessages::ControlChannel | arn:partition:ssmmessages:region:account_ID:control-channel/control_channel_ID |
        | AWS::SWF::Domain | arn:partition:swf:region:account_ID:/domain/domain_name |
        | AWS::ThinClient::Device | arn:partition:thinclient:region:account_ID:device/device_ID |
        | AWS::ThinClient::Environment | arn:partition:thinclient:region:account_ID:environment/environment_ID |
        | AWS::Timestream::Database | arn:partition:timestream:region:account_ID:database/database_name |
        | AWS::Timestream::Table | arn:partition:timestream:region:account_ID:database/database_name/table/table_name |
        | AWS::VerifiedPermissions::PolicyStore | arn:partition:verifiedpermissions:region:account_ID:policy-store/policy_store_ID |

        (1) For tables with streams enabled, the resources field in the data event contains both AWS::DynamoDB::Stream and AWS::DynamoDB::Table. If you specify AWS::DynamoDB::Table for the resources.type, it will log both DynamoDB table and DynamoDB streams events by default. To exclude streams events, add a filter on the eventName field.

        (2) To log all data events for all objects in a specific S3 bucket, use the StartsWith operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it.

        (3) To log events on all objects in an S3 access point, we recommend that you use only the access point ARN, don’t include the object path, and use the StartsWith or NotStartsWith operators.

      For more information about the ARN formats of data event resources, see Actions, resources, and condition keys in the Amazon Identity and Access Management User Guide.

    2. For each field, choose + Condition to add as many conditions as you need, up to a maximum of 500 specified values for all conditions. For example, to exclude data events for two S3 buckets from data events that are logged on your trail, you can set the field to resources.ARN, set the operator to does not start with, and then either paste in an S3 bucket ARN, or browse for the S3 buckets for which you do not want to log events.

      To add the second S3 bucket, choose + Condition, and then repeat the preceding instruction, pasting in the ARN of, or browsing for, a different bucket.

      Note

      You can have a maximum of 500 values for all selectors on a trail. This includes arrays of multiple values for a selector such as eventName. If you have single values for all selectors, you can have a maximum of 500 conditions added to a selector.

      If you have more than 15,000 Lambda functions in your account, you cannot view or select all functions in the CloudTrail console when creating a trail. You can still log all functions with a predefined selector template, even if they are not displayed. If you want to log data events for specific functions, you can manually add a function if you know its ARN. You can also finish creating the trail in the console, and then use the Amazon CLI and the put-event-selectors command to configure data event logging for specific Lambda functions. For more information, see Managing trails with the Amazon CLI.

    3. Choose + Field to add additional fields as required. To avoid errors, do not set conflicting or duplicate values for fields. For example, do not specify an ARN in one selector to be equal to a value, then specify that the ARN not equal the same value in another selector.

  16. To add another data type on which to log data events, choose Add data event type. Repeat steps 12 through this step to configure advanced event selectors for the data event type.

  17. Choose Insights events if you want your trail to log CloudTrail Insights events.

    In Event type, select Insights events. In Insights events, choose API call rate, API error rate, or both. You must be logging Write management events to log Insights events for API call rate. You must be logging Read or Write management events to log Insights events for API error rate.

    CloudTrail Insights analyzes management events for unusual activity, and logs events when anomalies are detected. By default, trails don't log Insights events. For more information about Insights events, see Logging Insights events. Additional charges apply for logging Insights events. For CloudTrail pricing, see Amazon CloudTrail Pricing.

    Insights events are delivered to a different folder named /CloudTrail-Insight of the same S3 bucket that is specified in the Storage location area of the trail details page. CloudTrail creates the new prefix for you. For example, if your current destination S3 bucket is named S3bucketName/AWSLogs/CloudTrail/, the S3 bucket name with a new prefix is named S3bucketName/AWSLogs/CloudTrail-Insight/.

  18. When you are finished choosing event types to log, choose Next.

  19. On the Review and create page, review your choices. Choose Edit in a section to change the trail settings shown in that section. When you are ready to create the trail, choose Create trail.

  20. The new trail appears on the Trails page. An organization trail might take up to 24 hours to be created in all Regions in all member accounts. The Trails page shows the trails in your account from all Regions. In about 5 minutes, CloudTrail publishes log files that show the Amazon API calls made in your organization. You can see the log files in the Amazon S3 bucket that you specified.

Note

You can't rename a trail after it has been created. Instead, you can delete the trail and create a new one.
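
The rules in steps 12 through 15 (readOnly takes only equals with true or false, no conflicting values on one field, the trailing slash on S3 bucket ARNs, and the 500-value limit) can be checked on a selector's JSON before it is applied to a trail. This is an added example, not code from the CloudTrail documentation: lint_selectors is a hypothetical helper, the bucket names, account ID and function name are constructed, and the Name/FieldSelectors layout and operator keys are assumed to match what the console's JSON view shows.

```python
import re

# Operator keys a field selector may carry in the JSON view of a selector.
OPERATORS = ("Equals", "NotEquals", "StartsWith", "NotStartsWith",
             "EndsWith", "NotEndsWith")
MAX_VALUES = 500  # limit on values across all selectors on a trail
# S3 bucket ARN with no trailing slash (any partition, e.g. aws or aws-cn).
BUCKET_NO_SLASH = re.compile(r"^arn:[^:]+:s3:::[^/]+$")


def lint_selectors(selectors):
    """Return findings for a list of advanced event selectors (dicts)."""
    findings, total = [], 0
    for sel in selectors:
        name = sel.get("Name", "<unnamed>")
        equals, not_equals, types, prefixes = {}, {}, set(), []
        for fs in sel.get("FieldSelectors", []):
            field = fs["Field"]
            used = [op for op in OPERATORS if op in fs]
            total += sum(len(fs[op]) for op in used)
            equals.setdefault(field, set()).update(fs.get("Equals", []))
            not_equals.setdefault(field, set()).update(fs.get("NotEquals", []))
            if field == "resources.type":
                types.update(fs.get("Equals", []))
            if field == "resources.ARN":
                prefixes += fs.get("StartsWith", []) + fs.get("NotStartsWith", [])
            # readOnly accepts only equals, with the value true or false.
            if field == "readOnly" and (
                    used != ["Equals"]
                    or any(v not in ("true", "false") for v in fs["Equals"])):
                findings.append(f"{name}: readOnly must be Equals true or false")
        # The same value both required and excluded for one field is a conflict.
        for field, wanted in equals.items():
            for value in sorted(wanted & not_equals[field]):
                findings.append(f"{name}: conflict on {field} for {value}")
        # Without the trailing slash, a bucket prefix also matches every bucket
        # whose name merely begins with the same characters, so an exclusion
        # would silently drop logging for those buckets too.
        if "AWS::S3::Object" in types:
            for arn in prefixes:
                if BUCKET_NO_SLASH.match(arn):
                    findings.append(f"{name}: add trailing slash to {arn}")
    if total > MAX_VALUES:
        findings.append(f"trail: {total} values exceed the limit of {MAX_VALUES}")
    return findings


# Constructed sample input: one selector with a missing trailing slash and
# one that both requires and excludes the same function ARN.
FN_ARN = "arn:aws-cn:lambda:cn-north-1:111122223333:function:example-fn"
SAMPLE = [
    {"Name": "Exclude two S3 buckets",
     "FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Data"]},
         {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
         {"Field": "resources.ARN", "NotStartsWith": [
             "arn:aws-cn:s3:::example-bucket-a/",
             "arn:aws-cn:s3:::example-bucket-b"]},
         {"Field": "readOnly", "Equals": ["false"]}]},
    {"Name": "Conflicting Lambda selector",
     "FieldSelectors": [
         {"Field": "eventCategory", "Equals": ["Data"]},
         {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]},
         {"Field": "resources.ARN", "Equals": [FN_ARN], "NotEquals": [FN_ARN]}]},
]

if __name__ == "__main__":
    for finding in lint_selectors(SAMPLE):
        print(finding)
```
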

Next steps

After you create your trail, you can return to the trail to make changes:

Note

When you configure a trail, you can choose an Amazon S3 bucket and SNS topic that belong to another account. However, if you want CloudTrail to deliver events to a CloudWatch Logs log group, you must choose a log group that exists in your current account.