Prerequisites - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Before you begin, you must complete the following prerequisites and setup.

Sign up for an Amazon Web Services account

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services
  1. Open and choose Sign Up.

  2. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to and choosing My Account.

Secure IAM users

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the IAM User Guide:

Grant permissions to use the CloudTrail console

To create and update CloudTrail resources in the console, you need to grant permissions to use the CloudTrail console.

The following Amazon managed policies are available for CloudTrail:

  • AWSCloudTrail_FullAccess – This policy provides full access to CloudTrail actions on CloudTrail resources, such as trails, event data stores, and channels. This policy provides the required permissions to create, update, and delete CloudTrail trails, event data stores, and channels.

    This policy also provides permissions to manage the Amazon S3 bucket, the log group for CloudWatch Logs, and an Amazon SNS topic for a trail. However, the AWSCloudTrail_FullAccess managed policy doesn't provide permissions to delete the Amazon S3 bucket, the log group for CloudWatch Logs, or an Amazon SNS topic. For information about managed policies for other Amazon services, see the Amazon Managed Policy Reference Guide.


    The AWSCloudTrail_FullAccess policy isn't intended to be shared broadly across your Amazon Web Services account. Users with this role can turn off or reconfigure the most sensitive and important auditing functions in their Amazon Web Services accounts. For this reason, you must only apply this policy to account administrators. You must closely control and monitor use of this policy.

  • AWSCloudTrail_ReadOnlyAccess – This policy grants permissions to view the CloudTrail console, including recent events and event history. This policy also allows you to view existing trails, event data stores, and channels. Roles and users with this policy can download the event history, but they can't create or update trails, event data stores, or channels.

For more information about granting permissions, see Granting permissions for CloudTrail administration.