Receiving CloudTrail log files from multiple regions - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Receiving CloudTrail log files from multiple regions

You can configure CloudTrail to deliver log files from multiple regions to a single S3 bucket for a single account. For example, suppose you have a trail in the US West (Oregon) Region that is configured to deliver log files to an S3 bucket and to a CloudWatch Logs log group. When you change that existing single-region trail to log all regions, CloudTrail logs events from all regions in your account and delivers the log files to the same S3 bucket and CloudWatch Logs log group. As long as CloudTrail has permissions to write to the S3 bucket, the bucket for a multi-region trail does not have to be in the trail's home region.

In the console, by default, you create a trail that logs events in all Amazon Regions. This is a recommended best practice. To log events in a single region (not recommended), use the Amazon CLI. To configure an existing single-region trail to log in all regions, you must use the Amazon CLI.

To change an existing trail so that it applies to all Regions, add the --is-multi-region-trail option to the update-trail command.

aws cloudtrail update-trail --name my-trail --is-multi-region-trail

To confirm that the trail now applies to all Regions, check that the IsMultiRegionTrail element in the output shows true.

{
    "IncludeGlobalServiceEvents": true,
    "Name": "my-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": true,
    "IsOrganizationTrail": false,
    "S3BucketName": "my-bucket"
}
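The update-and-confirm step above can be scripted so that the returned settings are checked rather than eyeballed. The following is an added example, not code from the AWS documentation or the AWS CLI: it wraps the page's update-trail command (and the read-only get-trail command) with subprocess, which assumes the aws CLI is on PATH with valid credentials, and it audits the JSON that comes back. Besides IsMultiRegionTrail it also flags IncludeGlobalServiceEvents and LogFileValidationEnabled, because the sample output on this page shows log file validation switched off. The embedded sample is a constructed copy of that output so the audit logic can be run offline.

```python
"""Convert a trail to multi-region with the AWS CLI and audit the result.

Added example, not part of the AWS documentation or the AWS CLI. The live
functions shell out to `aws cloudtrail update-trail` / `get-trail`, which need
AWS credentials; parse_trail() and audit_trail() work on the JSON alone.
"""
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample: a copy of the update-trail output shown on this page.
SAMPLE_UPDATE_TRAIL_OUTPUT = """
{
    "IncludeGlobalServiceEvents": true,
    "Name": "my-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": true,
    "IsOrganizationTrail": false,
    "S3BucketName": "my-bucket"
}
"""


def parse_trail(cli_output: str) -> Dict:
    """Parse CLI JSON. get-trail nests the trail under "Trail"; update-trail returns it flat."""
    data = json.loads(cli_output)
    return data.get("Trail", data)


def audit_trail(trail: Dict) -> List[str]:
    """Return findings for settings that weaken the trail's coverage or integrity.

    An empty list means the trail records every region and global services,
    and delivered log files carry a validation digest.
    """
    name = trail.get("Name", "<unnamed>")
    findings: List[str] = []
    if not trail.get("IsMultiRegionTrail", False):
        findings.append(f"{name}: IsMultiRegionTrail is false; activity in other regions is not recorded")
    if not trail.get("IncludeGlobalServiceEvents", False):
        findings.append(f"{name}: IncludeGlobalServiceEvents is false; IAM/STS and other global events are missing")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append(f"{name}: LogFileValidationEnabled is false; delivered log files cannot be checked for tampering")
    return findings


def _run_cli(args: List[str], region: Optional[str] = None) -> Dict:
    """Run an `aws cloudtrail` subcommand and parse its JSON output (needs credentials)."""
    cmd = ["aws", "cloudtrail", *args, "--output", "json"]
    if region:
        cmd += ["--region", region]
    completed = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return parse_trail(completed.stdout)


def enable_multi_region(name: str, region: Optional[str] = None) -> List[str]:
    """Apply the page's update-trail command, then audit the settings it returns."""
    trail = _run_cli(["update-trail", "--name", name, "--is-multi-region-trail"], region)
    return audit_trail(trail)


def audit_existing(name: str, region: Optional[str] = None) -> List[str]:
    """Audit a trail without changing it, via get-trail."""
    return audit_trail(_run_cli(["get-trail", "--name", name], region))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: one finding is expected,
    # because LogFileValidationEnabled is false in the page's output.
    for finding in audit_trail(parse_trail(SAMPLE_UPDATE_TRAIL_OUTPUT)) or ["no findings"]:
        print(finding)
```

Run `enable_multi_region("my-trail")` from the account that owns the trail to apply the change; an empty list back means every check passed, while any finding names the exact element to fix (for validation, the `--enable-log-file-validation` option of update-trail).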
Note

When a new region launches in the aws-cn partition, CloudTrail automatically creates a trail in the new region with the same settings as your original trail.

For more information, see the following resources: