Receiving CloudTrail log files from multiple Regions
You can configure CloudTrail to deliver log files from multiple Regions to a single S3 bucket for a single account. For example, you have a trail in the US West (Oregon) Region that is configured to deliver log files to an S3 bucket and a CloudWatch Logs log group. When you change an existing single-Region trail to log all Regions, CloudTrail logs events from all Regions that are in a single Amazon partition in your account, and delivers the log files to the same S3 bucket and CloudWatch Logs log group. As long as CloudTrail has permission to write to the S3 bucket, the bucket for a multi-Region trail does not have to be in the trail's home Region.
To log events across all Regions in all Amazon partitions in your account, create a multi-Region trail in each partition.
In the console, by default, you create a trail that logs events in all Amazon Web Services Regions in the Amazon partition in which you are working. This is a recommended best practice. To log events in a single Region (not recommended), use the Amazon CLI. To configure an existing single-Region trail to log in all Regions, you must use the Amazon CLI.
To change an existing trail so that it applies to all Regions, add the --is-multi-region-trail option to the update-trail command.
aws cloudtrail update-trail --name my-trail --is-multi-region-trail
To confirm that the trail now applies to all Regions, check that the IsMultiRegionTrail element in the output shows true.
{
    "IncludeGlobalServiceEvents": true,
    "Name": "my-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": true,
    "IsOrganizationTrail": false,
    "S3BucketName": "amzn-s3-demo-bucket"
}
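Checking one trail by eye, as above, does not scale to an account with several trails, and the output above also shows LogFileValidationEnabled as false, which a practitioner would want to catch at the same time. The following script is an added example, not code from the CloudTrail documentation: it audits trail descriptions in the shape returned by aws cloudtrail describe-trails (a "trailList" of trail objects), reports trails that are single-Region, that skip global service events, or that have log file validation off, and prints the update-trail command that fixes each. The sample response is constructed here for the example; in real use, pass in the JSON output of the describe-trails command. The trail names, bucket name and account ID are placeholders taken from the page, and the assumption that update-trail is run with --region set to the trail's HomeRegion is noted in the code.

```python
"""Audit CloudTrail trails for multi-Region coverage (added example)."""
import json

# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
# Trail 1 is already multi-Region but has log file validation off, as in the
# page's example output; trail 2 is a legacy single-Region trail.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "my-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
            "HomeRegion": "us-east-2",
            "S3BucketName": "amzn-s3-demo-bucket",
            "IncludeGlobalServiceEvents": True,
            "IsMultiRegionTrail": True,
            "LogFileValidationEnabled": False,
            "IsOrganizationTrail": False,
        },
        {
            "Name": "legacy-oregon-trail",
            "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/legacy-oregon-trail",
            "HomeRegion": "us-west-2",
            "S3BucketName": "amzn-s3-demo-bucket",
            "IncludeGlobalServiceEvents": False,
            "IsMultiRegionTrail": False,
            "LogFileValidationEnabled": True,
            "IsOrganizationTrail": False,
        },
    ]
})

# Finding code -> the update-trail option that fixes it.
FIXES = {
    "single-region": "--is-multi-region-trail",
    "no-global-events": "--include-global-service-events",
    "no-log-validation": "--enable-log-file-validation",
}


def audit_trails(describe_trails_json):
    """Return {trail name: [finding codes]} for every trail in the response."""
    findings = {}
    for trail in json.loads(describe_trails_json).get("trailList", []):
        issues = []
        if not trail.get("IsMultiRegionTrail"):
            issues.append("single-region")
        if not trail.get("IncludeGlobalServiceEvents"):
            issues.append("no-global-events")
        if not trail.get("LogFileValidationEnabled"):
            issues.append("no-log-validation")
        findings[trail["Name"]] = issues
    return findings


def trail_partition(trail_arn):
    """Partition of a trail ARN (arn:<partition>:cloudtrail:<region>:<account>:trail/<name>)."""
    return trail_arn.split(":")[1]


def partitions_with_multi_region_trail(describe_trails_json):
    """Partitions for which this response contains a multi-Region trail.

    Credentials are partition-scoped, so a multi-Region trail only ever covers
    one partition; run this once per partition and compare the results.
    """
    return {
        trail_partition(t["TrailARN"])
        for t in json.loads(describe_trails_json).get("trailList", [])
        if t.get("IsMultiRegionTrail")
    }


def remediation_commands(describe_trails_json):
    """One update-trail command per non-compliant trail.

    Assumption (not stated on the page): the command is issued with --region
    set to the trail's HomeRegion, the Region in which the trail was created.
    """
    trails = {t["Name"]: t for t in json.loads(describe_trails_json)["trailList"]}
    commands = []
    for name, issues in audit_trails(describe_trails_json).items():
        if not issues:
            continue
        options = " ".join(FIXES[code] for code in issues)
        commands.append(
            f"aws cloudtrail update-trail --region {trails[name]['HomeRegion']} "
            f"--name {name} {options}"
        )
    return commands


if __name__ == "__main__":
    for name, issues in audit_trails(SAMPLE_DESCRIBE_TRAILS).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
    print("partitions with a multi-Region trail:",
          sorted(partitions_with_multi_region_trail(SAMPLE_DESCRIBE_TRAILS)))
    for cmd in remediation_commands(SAMPLE_DESCRIBE_TRAILS):
        print(cmd)
```

The finding codes map to real update-trail options (--is-multi-region-trail, --include-global-service-events, --enable-log-file-validation). Enabling log file validation is worth doing together with the multi-Region change: without it, a delivered log file that was altered or deleted in the bucket cannot be detected later.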
Note
When a new Region launches in the aws-cn partition, CloudTrail automatically creates a trail in the new Region with the same settings as your original trail.
For more information, see the following resources: