Receiving CloudTrail log files from multiple Regions - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Receiving CloudTrail log files from multiple Regions

When you create a multi-Region trail, CloudTrail logs events from all Regions enabled in your account. CloudTrail delivers log files to the same S3 bucket and CloudWatch Logs log group. As long as CloudTrail has permissions to write to an S3 bucket, the bucket for a multi-Region trail does not have to be in the trail's home Region.

Although most Amazon Web Services Regions are enabled by default for your Amazon Web Services account, you must manually enable certain Regions (also referred to as opt-in Regions). For information about which Regions are enabled by default, see Considerations before enabling and disabling Regions in the Amazon Account Management Reference Guide. For the list of Regions CloudTrail supports, see CloudTrail supported Regions.

After you enable an opt-in Region, CloudTrail creates an identical copy of each multi-Region trail in the opt-in Region that you enabled. For more information, see What happens when you enable an opt-in Region?.

If you later disable an opt-in Region, the copy of the multi-Region trail in that Region will remain. Because your account may have activity in the Region you disabled, such as actions by Amazon Web Services services to remove resources, CloudTrail will continue to capture activity and attempt to deliver events to the S3 bucket for any trails that are not deleted before the Region is disabled.

To convert an existing single-Region trail to a multi-Region trail, you must use the Amazon CLI.

To change an existing trail so that it applies to all enabled Regions, add the --is-multi-region-trail option to the update-trail command.

aws cloudtrail update-trail --name my-trail --is-multi-region-trail

To confirm that the trail is now a multi-Region trail, verify that the IsMultiRegionTrail element in the output shows true.

{
    "IncludeGlobalServiceEvents": true,
    "Name": "my-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": true,
    "IsOrganizationTrail": false,
    "S3BucketName": "amzn-s3-demo-bucket"
}
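The conversion and confirmation steps above can be scripted across an account. The following is an added example, not part of the original documentation: it reads describe-trails output, lists the trails that are still single-Region, builds the update-trail command for each, and checks the IsMultiRegionTrail element in the result. The describe-trails sample and the trail name org-audit are constructed; the helper function names are hypothetical.

```python
import json
import shlex

# Constructed sample of `aws cloudtrail describe-trails` output (not from the page).
DESCRIBE_TRAILS_SAMPLE = """
{"trailList": [
  {"Name": "my-trail", "HomeRegion": "us-east-2", "IsMultiRegionTrail": false,
   "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
   "S3BucketName": "amzn-s3-demo-bucket"},
  {"Name": "org-audit", "HomeRegion": "us-west-2", "IsMultiRegionTrail": true,
   "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/org-audit",
   "S3BucketName": "amzn-s3-demo-bucket"}
]}
"""

# update-trail output as shown on this page.
UPDATE_TRAIL_OUTPUT = """
{"IncludeGlobalServiceEvents": true, "Name": "my-trail",
 "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
 "LogFileValidationEnabled": false, "IsMultiRegionTrail": true,
 "IsOrganizationTrail": false, "S3BucketName": "amzn-s3-demo-bucket"}
"""

def single_region_trails(describe_json):
    """Return trails whose IsMultiRegionTrail is not the JSON boolean true."""
    trails = json.loads(describe_json).get("trailList", [])
    return [t for t in trails if t.get("IsMultiRegionTrail") is not True]

def conversion_command(trail):
    """Build the update-trail command from this page for one trail."""
    cmd = ["aws", "cloudtrail", "update-trail",
           "--name", trail["Name"], "--is-multi-region-trail"]
    # UpdateTrail must be called in the trail's home Region, so pin it.
    if trail.get("HomeRegion"):
        cmd += ["--region", trail["HomeRegion"]]
    return " ".join(shlex.quote(part) for part in cmd)

def is_confirmed_multi_region(update_json):
    """True only if the output parses and IsMultiRegionTrail is boolean true."""
    try:
        out = json.loads(update_json)
    except json.JSONDecodeError:
        return False
    return isinstance(out, dict) and out.get("IsMultiRegionTrail") is True

if __name__ == "__main__":
    for trail in single_region_trails(DESCRIBE_TRAILS_SAMPLE):
        print(conversion_command(trail))
    print("confirmed:", is_confirmed_multi_region(UPDATE_TRAIL_OUTPUT))
```

The confirmation check fails closed: empty output, an error message, or a string value "true" is treated as not confirmed.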

For more information, see the following resources: