Tutorial: Create a trail - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Tutorial: Create a trail

While the events shown in Event history in the CloudTrail console are useful for reviewing recent management event activity, they cover only recent activity, and they do not include all of the event types CloudTrail can record, such as data and Insights events. Additionally, your view of events in the console is limited to the Amazon Region where you are signed in. To create an ongoing record of activity in your Amazon account that captures information for all Amazon Regions, you can create a trail. By default, when you create a trail in the CloudTrail console, the trail logs events in all Amazon Web Services Regions in the Amazon partition in which you are working. Logging events in all Regions in your account is a recommended best practice.

For your first trail, we recommend creating a trail that logs all management events in all Amazon Regions, and does not log any data events. Examples of management events include security events such as IAM CreateUser and AttachRolePolicy events, resource events such as RunInstances and CreateBucket, and many more. You will create an Amazon S3 bucket where you will store the log files for the trail as part of creating the trail in the CloudTrail console.

Note

This tutorial assumes you are creating your first trail. Depending on the number of trails you have in your Amazon account, and how those trails are configured, the following procedure might or might not incur expenses. CloudTrail stores log files in an Amazon S3 bucket, which incurs costs. For more information about pricing, see Amazon CloudTrail Pricing and Amazon S3 Pricing.

To create a trail
  1. Sign in to the Amazon Web Services Management Console and open the CloudTrail console at https://console.amazonaws.cn/cloudtrail/.

  2. In the Region selector, choose the Amazon Region where you want your trail to be created. This is the home Region for the trail.

    Note

    The home Region is the only Amazon Region where you can view and update the trail after it is created, even if the trail logs events in all Amazon Regions.

  3. On the CloudTrail service home page, the Trails page, or the Trails section of the Dashboard page, choose Create trail.

  4. In Trail name, give your trail a name, such as My-Management-Events-Trail. As a best practice, use a name that quickly identifies the purpose of the trail. In this case, you're creating a trail that logs management events.

  5. Leave the default setting for Enable for all accounts in my organization. This option won't be available to change unless you have accounts configured in Organizations.

  6. For Storage location, choose Create new S3 bucket to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies. Give your bucket a name, such as my-bucket-for-storing-cloudtrail-logs.

    If you choose an existing bucket instead, create a new folder (also known as a prefix) in that bucket for your CloudTrail logs, so that the logs are easier to find.

    Note

    The name of your Amazon S3 bucket must be globally unique. For more information, see Bucket naming rules in the Amazon Simple Storage Service User Guide.

  7. Clear the check box to disable Log file SSE-KMS encryption. By default, your log files are encrypted with SSE-S3 encryption. For more information about this setting, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

  8. Leave default settings in Additional settings.

  9. Leave the default settings for CloudWatch Logs. For now, do not send logs to Amazon CloudWatch Logs.

  10. (Optional) In Tags, add one or more custom tags (key-value pairs) to your trail. Tags can help you identify your CloudTrail trails and other resources, such as the Amazon S3 buckets that contain CloudTrail log files. For example, you could attach a tag with the name Compliance and the value Auditing.

    Note

    Though you can add tags to trails when you create them in the CloudTrail console, and you can create an Amazon S3 bucket to store your log files in the CloudTrail console, you cannot add tags to the Amazon S3 bucket from the CloudTrail console. For more information about viewing and changing the properties of an Amazon S3 bucket, including adding tags to a bucket, see the Amazon S3 User Guide.

    When you are finished creating tags, choose Next.

  11. On the Choose log events page, select event types to log. For this trail, keep the default, Management events. In the Management events area, choose to log both Read and Write events, if they are not already selected. Leave the check box for Exclude Amazon KMS events empty, to log all events.

  12. Leave default settings for Data events and Insights events. This trail will not log any data or CloudTrail Insights events. Choose Next.

  13. On the Review and create page, review the settings you've chosen for your trail. Choose Edit for a section to go back and make changes. When you are ready to create your trail, choose Create trail.

  14. The Trails page shows your new trail in the table. Note that the trail is set to Multi-region trail by default, and that logging is turned on for the trail by default.

Plan for next steps

Now that you have a trail, you have access to an ongoing record of events and activities in your Amazon account. This ongoing record helps you meet accounting and auditing needs for your Amazon account. However, there is a lot more you can do with CloudTrail and CloudTrail data.

  • Add additional security for your trail data. CloudTrail automatically applies a certain level of security when you create a trail. However, there are additional steps you can take to help keep your data secure.

  • Create a trail to log data events. Operations on resources themselves are data events: for example, objects being added, retrieved, or deleted in one or more Amazon S3 buckets, items being added, changed, or deleted in DynamoDB tables, or one or more Amazon Lambda functions being invoked. The management event trail you created earlier in this tutorial doesn't log these types of events. You can create a separate trail specifically to log data events for some or all of the supported resource types. For more information, see Data events.

    Note

    Additional charges apply for logging data events. For more information, see Amazon CloudTrail Pricing.

  • Log CloudTrail Insights events on your trail. Amazon CloudTrail Insights helps Amazon users identify and respond to unusual activity associated with API calls and API error rates by continuously analyzing CloudTrail management events. CloudTrail Insights uses mathematical models to determine the normal levels of API and service event activity for an account. It identifies behavior that is outside normal patterns, generates Insights events, and delivers those events to a /CloudTrail-Insight folder in the chosen destination S3 bucket for your trail. For more information about CloudTrail Insights, see Logging Insights events.

    Note

    Additional charges apply for logging Insights events. For more information, see Amazon CloudTrail Pricing.

  • Set up CloudWatch Logs alarms to alert you when certain events occur. CloudWatch Logs lets you monitor and receive alerts for specific events captured by CloudTrail. For example, you can monitor key security and network-related management events, such as security group changes, failed Amazon Web Services Management Console sign-in events, or changes to IAM policies. For more information, see Monitoring CloudTrail Log Files with Amazon CloudWatch Logs.

  • Use analysis tools to identify trends in your CloudTrail logs. While the filters in Event history can help you find specific events or event types in your recent activity, they do not let you search through activity over longer time periods. For deeper and more sophisticated analysis, you can use Amazon Athena. For more information, see Querying Amazon CloudTrail Logs in the Amazon Athena User Guide.
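The CloudWatch Logs alarms bullet above names three scenarios worth alerting on: security group changes, failed console sign-ins, and IAM policy changes. As an added example (not part of the Amazon documentation), the Python below applies the equivalent matching logic to constructed CloudTrail records in the "Records" envelope that CloudTrail delivers to the trail's bucket; the event-name sets and the failed-sign-in test on errorMessage are choices made for this example, and in a real deployment the same predicates would be written as CloudWatch Logs metric filters on the trail's log group.

```python
import json
# Constructed CloudTrail log file content (the "Records" envelope CloudTrail delivers);
# the regions, users and events below are made up for this example.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "cn-north-1", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "cn-northwest-1",
     "errorMessage": "Failed authentication", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "cn-north-1",
     "responseElements": {"ConsoleLogin": "Success"}, "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "awsRegion": "cn-north-1", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",  # routine, must not alert
     "awsRegion": "cn-north-1", "userIdentity": {"type": "AssumedRole"}},
]})

# Event names chosen for this example; extend the sets to match your own alerting needs.
SECURITY_GROUP_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                         "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                         "CreateSecurityGroup", "DeleteSecurityGroup"}
IAM_POLICY_EVENTS = {"AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
                     "PutRolePolicy", "PutUserPolicy", "CreatePolicy", "CreatePolicyVersion",
                     "DeletePolicy", "SetDefaultPolicyVersion"}
# Each rule is the predicate a CloudWatch Logs metric filter would express for that scenario.
RULES = {
    "SecurityGroupChange": lambda r: r.get("eventSource") == "ec2.amazonaws.com"
    and r.get("eventName") in SECURITY_GROUP_EVENTS,
    "ConsoleLoginFailure": lambda r: r.get("eventName") == "ConsoleLogin"
    and r.get("errorMessage") == "Failed authentication",
    "IamPolicyChange": lambda r: r.get("eventSource") == "iam.amazonaws.com"
    and r.get("eventName") in IAM_POLICY_EVENTS,
}

def match_records(log_file_text):
    """Return (rule, eventName, userName, awsRegion) for every record that triggers a rule."""
    hits = []
    for record in json.loads(log_file_text)["Records"]:
        actor = record.get("userIdentity", {}).get("userName", "unknown")
        for rule, predicate in RULES.items():
            if predicate(record):
                hits.append((rule, record["eventName"], actor, record.get("awsRegion", "?")))
    return hits

def alert_counts(log_file_text):
    """Hits per rule: the count a metric filter would publish for an alarm threshold."""
    counts = dict.fromkeys(RULES, 0)
    for rule, *_ in match_records(log_file_text):
        counts[rule] += 1
    return counts
```

Run against a real delivered log file by gunzipping it and passing its text to match_records; the successful ConsoleLogin and the RunInstances records show that only the three named scenarios produce hits.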