Creating a trail for an organization - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating a trail for an organization

If you have created an organization in Amazon Organizations, you can create a trail that logs all events for all Amazon accounts in that organization. This is sometimes called an organization trail.

The management account for the organization can assign a delegated administrator to create new organization trails or manage existing organization trails. For more information on adding a delegated administrator, see Add a CloudTrail delegated administrator.

The management account for the organization can edit an existing trail in their account, and apply it to an organization, making it an organization trail. Organization trails log events for the management account and all member accounts in the organization. For more information about Amazon Organizations, see Organizations Terminology and Concepts.

Note

You must sign in with the management account or a delegated administrator account associated with an organization to create an organization trail. You must also have sufficient permissions for the user or role in the management or delegated administrator account to create the trail. If you don't have sufficient permissions, you won't have the option to apply the trail to an organization.

When you create an organization trail, a trail with the name that you give it is created in every Amazon account that belongs to your organization. Users with CloudTrail permissions in member accounts can see this trail when they log into the Amazon CloudTrail console from their Amazon accounts, or when they run Amazon CLI commands such as describe-trails. However, users in member accounts do not have sufficient permissions to delete the organization trail, turn logging on or off, change what types of events are logged, or otherwise change the organization trail in any way.

By default, when you create an organization trail in the CloudTrail console, the trail is a multi-Region trail; that is, it logs events from all Regions in each account in the organization, but only in the Amazon partition in which the trail is created. To log events across all Regions in all Amazon partitions in your organization, create a multi-Region organization trail in each partition.

When you create an organization trail in the console, or when you enable CloudTrail as a trusted service in Organizations, this creates a service-linked role to perform logging tasks in your organization's member accounts. This role is named AWSServiceRoleForCloudTrail, and is required for CloudTrail to log events for an organization. If an Amazon account is added to an organization, the organization trail and service-linked role are added to that Amazon account, and logging starts for that account automatically in the organization trail. If an Amazon account is removed from an organization, the organization trail and service-linked role are deleted from the Amazon account that is no longer part of the organization. However, log files for the removed account that were created before the account's removal remain in the Amazon S3 bucket where log files are stored for the trail.

If the management account for an Amazon Organizations organization creates an organization trail, but then is subsequently removed as the organization's management account, any organization trail created using their account becomes a non-organization trail.

In the following example, the organization's management account 111111111111 creates a trail named MyOrganizationTrail for the organization o-exampleorgid. The trail logs activity for all accounts in the organization in the same Amazon S3 bucket. All accounts in the organization can see MyOrganizationTrail in their list of trails, but member accounts cannot remove or modify the organization trail. Only the management account or delegated administrator account can change or delete the trail for the organization. Only the management account can remove a member account from an organization. Similarly, by default, only the management account has access to the Amazon S3 bucket my-organization-bucket for the trail, and the logs contained within it. The high-level bucket structure for log files contains a folder named with the organization ID, and subfolders named with the account IDs for each account in the organization. Events for each member account are logged in the folder that corresponds to the member account ID. If member account 444444444444 is removed from the organization, MyOrganizationTrail and the service-linked role no longer appear in Amazon account 444444444444, and no further events are logged for that account by the organization trail. However, the 444444444444 folder remains in the Amazon S3 bucket, with all logs created before the removal of the account from the organization.

In this example, the ARN of the trail created in the management account is arn:aws:cloudtrail:us-east-2:111111111111:trail/MyOrganizationTrail. The same ARN identifies the trail in every member account.
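The bucket layout described above (an organization-ID folder with one subfolder per member account, and a removed account's folder that outlives its membership) is what a defender inventories to confirm that every current member is actually delivering logs. The following is an added example, not code from the CloudTrail documentation. It assumes the object key layout that CloudTrail uses for organization trails, `AWSLogs/<org-id>/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz`; the page itself states only the organization-ID and account-ID folder levels. The bucket listing and the member list are constructed sample data for o-exampleorgid, with account 444444444444 already removed from the organization.

```python
"""Inventory the per-account log folders of an organization trail's S3 bucket.

Added example (not from the CloudTrail documentation). The full key layout
below is assumed from CloudTrail's naming scheme; the page only states the
organization-ID and account-ID folder levels. All keys and account lists are
constructed sample data.
"""
import re
from datetime import date

ORG_ID = "o-exampleorgid"

# Constructed: object keys as a listing of my-organization-bucket might return them.
# Account 444444444444 was removed from the organization; its folder and the log
# files written before the removal remain, exactly as the page describes.
SAMPLE_KEYS = [
    "AWSLogs/o-exampleorgid/111111111111/CloudTrail/us-east-2/2024/05/01/111111111111_CloudTrail_us-east-2_20240501T0000Z_a1b2c3.json.gz",
    "AWSLogs/o-exampleorgid/111111111111/CloudTrail/us-east-2/2024/05/02/111111111111_CloudTrail_us-east-2_20240502T0000Z_d4e5f6.json.gz",
    "AWSLogs/o-exampleorgid/222222222222/CloudTrail/eu-west-1/2024/05/02/222222222222_CloudTrail_eu-west-1_20240502T0000Z_g7h8i9.json.gz",
    "AWSLogs/o-exampleorgid/444444444444/CloudTrail/us-east-2/2024/04/20/444444444444_CloudTrail_us-east-2_20240420T0000Z_j0k1l2.json.gz",
]

# Constructed: accounts currently in the organization (what list-accounts would return).
# 333333333333 is a member but has no log folder yet, which is a coverage gap.
CURRENT_MEMBERS = {"111111111111", "222222222222", "333333333333"}

# Assumed key layout: AWSLogs/<org-id>/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz
KEY_RE = re.compile(
    r"^AWSLogs/(?P<org>o-[a-z0-9]+)/(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/[^/]+\.json\.gz$"
)


def parse_key(key, org_id=ORG_ID):
    """Return (account_id, region, log_date) for a log file key of the given
    organization trail, or None for keys outside that layout or organization."""
    m = KEY_RE.match(key)
    if m is None or m.group("org") != org_id:
        return None
    log_date = date(int(m.group("y")), int(m.group("m")), int(m.group("d")))
    return m.group("account"), m.group("region"), log_date


def latest_log_date_by_account(keys, org_id=ORG_ID):
    """Most recent log file date seen for each account folder in the bucket."""
    latest = {}
    for key in keys:
        parsed = parse_key(key, org_id)
        if parsed is None:
            continue
        account, _region, log_date = parsed
        if account not in latest or log_date > latest[account]:
            latest[account] = log_date
    return latest


def audit_org_bucket(keys, members, as_of, max_gap_days=1, org_id=ORG_ID):
    """Compare bucket folders with the current member list.

    orphaned: folders for accounts no longer in the organization (retained logs)
    missing:  current members with no log folder at all
    stale:    current members whose newest log file is older than max_gap_days
    """
    latest = latest_log_date_by_account(keys, org_id)
    orphaned = sorted(set(latest) - set(members))
    missing = sorted(set(members) - set(latest))
    stale = sorted(
        acct for acct in members
        if acct in latest and (as_of - latest[acct]).days > max_gap_days
    )
    return {"orphaned": orphaned, "missing": missing, "stale": stale, "latest": latest}


def sample_report():
    """Run the audit over the constructed data as of 2024-05-03."""
    return audit_org_bucket(SAMPLE_KEYS, CURRENT_MEMBERS, date(2024, 5, 3))


if __name__ == "__main__":
    report = sample_report()
    print("orphaned folders (removed accounts):", report["orphaned"])
    print("members with no logs:", report["missing"])
    print("members with stale logs:", report["stale"])
```

On the constructed data the audit reports 444444444444 as an orphaned folder (its logs were retained after removal, as the page says) and 333333333333 as a member with no logs, the condition worth alerting on. The `missing` and `stale` lists are the useful signal: an organization trail is expected to log every member automatically, so a member account without recent log files indicates a delivery or configuration problem.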

Organization trails are similar to regular trails in many ways. You can create multiple trails for your organization, and choose whether to create an organization trail in all Regions or a single Region, and what kinds of events you want logged in your organization trail, just as in any other trail. However, there are some differences. For example, when you create a trail in the console and choose whether to log data events for Amazon S3 buckets or Amazon Lambda functions, the only resources listed in the CloudTrail console are those for the management account, but you can add the ARNs for resources in member accounts. Data events for specified member account resources are logged without having to manually configure cross-account access to those resources. For more information about logging management events, Insights events, and data events, see Working with CloudTrail log files.

Note

A trail created in the console always logs events in all Regions. This is the recommended best practice, because logging activity in all Regions helps you keep your Amazon environment more secure. To create a single-Region organization trail, use the Amazon CLI.
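The distinction in this note (console trails are always multi-Region, single-Region trails exist only through the CLI or API) is something to audit for, since a single-Region organization trail leaves every other Region of every member account unlogged, and, per the earlier section, a multi-Region trail covers only the partition it was created in. The following is an added example, not code from the CloudTrail documentation. It builds the CreateTrail parameters behind the CLI's `--is-organization-trail` and `--is-multi-region-trail` options, and audits a DescribeTrails-style trail list for organization trails that cover only one Region. The trail list is constructed sample data; the field names used (Name, TrailARN, HomeRegion, IsMultiRegionTrail, IsOrganizationTrail) are those of the DescribeTrails response.

```python
"""Check organization trails for Region and partition coverage.

Added example, not from the CloudTrail documentation. The trail list is
constructed sample data shaped like a DescribeTrails response.
"""


def create_trail_params(name, bucket, multi_region=True):
    """Parameters for the CreateTrail API to create an organization trail.

    The console always creates a multi-Region organization trail. Passing
    multi_region=False yields the single-Region trail that only the CLI or API
    can create (aws cloudtrail create-trail --is-organization-trail without
    --is-multi-region-trail).
    """
    return {
        "Name": name,
        "S3BucketName": bucket,
        "IsOrganizationTrail": True,
        "IsMultiRegionTrail": bool(multi_region),
    }


# Constructed: what DescribeTrails might return in management account 111111111111.
SAMPLE_TRAILS = [
    {
        "Name": "MyOrganizationTrail",
        "TrailARN": "arn:aws:cloudtrail:us-east-2:111111111111:trail/MyOrganizationTrail",
        "HomeRegion": "us-east-2",
        "IsMultiRegionTrail": True,
        "IsOrganizationTrail": True,
    },
    {
        # Organization trail that logs only eu-west-1: flagged by the audit.
        "Name": "EuOnlyOrgTrail",
        "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/EuOnlyOrgTrail",
        "HomeRegion": "eu-west-1",
        "IsMultiRegionTrail": False,
        "IsOrganizationTrail": True,
    },
    {
        # Ordinary single-account trail; not an organization trail, so not flagged.
        "Name": "DevAccountTrail",
        "TrailARN": "arn:aws:cloudtrail:us-east-2:111111111111:trail/DevAccountTrail",
        "HomeRegion": "us-east-2",
        "IsMultiRegionTrail": False,
        "IsOrganizationTrail": False,
    },
]


def arn_partition(trail_arn):
    """Partition component of an ARN (arn:<partition>:service:region:account:resource)."""
    parts = trail_arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or not parts[1]:
        raise ValueError(f"not a valid ARN: {trail_arn}")
    return parts[1]


def single_region_org_trails(trails):
    """Names of organization trails that log only their home Region."""
    return [
        t["Name"] for t in trails
        if t.get("IsOrganizationTrail") and not t.get("IsMultiRegionTrail")
    ]


def partitions_with_multi_region_org_trail(trails):
    """Partitions in which at least one multi-Region organization trail exists.

    A multi-Region trail covers all Regions of its own partition only, so each
    partition the organization uses needs one of its own.
    """
    return {
        arn_partition(t["TrailARN"]) for t in trails
        if t.get("IsOrganizationTrail") and t.get("IsMultiRegionTrail")
    }


if __name__ == "__main__":
    print("console-style params:", create_trail_params("MyOrganizationTrail", "my-organization-bucket"))
    print("single-Region params:", create_trail_params("EuOnlyOrgTrail", "my-organization-bucket", multi_region=False))
    print("single-Region organization trails:", single_region_org_trails(SAMPLE_TRAILS))
    print("partitions covered by a multi-Region organization trail:",
          sorted(partitions_with_multi_region_org_trail(SAMPLE_TRAILS)))
```

In practice the trail list comes from `aws cloudtrail describe-trails` (or the equivalent API call) run as the management or delegated administrator account; the two audit functions then answer the questions this note raises: is any organization trail limited to a single Region, and does each partition in use have a multi-Region organization trail of its own.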

You can also configure other Amazon services to further analyze and act upon the event data collected in CloudTrail logs for an organization trail the same way you would for any other trail. For example, you can analyze the data in an organization trail using Amazon Athena. For more information, see Amazon service integrations with CloudTrail logs.