

# Logging API calls with Amazon CloudTrail for Amazon Organizations
<a name="orgs_cloudtrail-integration"></a>

Amazon Organizations is integrated with Amazon CloudTrail, a service that provides a record of actions taken by a user, role, or an Amazon service in Amazon Organizations. CloudTrail captures all API calls for Amazon Organizations as events, including calls from the Amazon Organizations console and from code calls to the Amazon Organizations APIs. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Amazon Organizations. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to Amazon Organizations, the IP address it was made from, who made it, when it was made, and additional details. 

To learn more about CloudTrail, see the *Amazon CloudTrail User Guide*.

**Important**  
You can view all CloudTrail information for Amazon Organizations only in the US East (N. Virginia) Region. If you don't see your Amazon Organizations activity in the CloudTrail console, set your console to **US East (N. Virginia)** using the menu in the upper-right corner. If you query CloudTrail with the Amazon CLI or SDK tools, direct your query to the US East (N. Virginia) endpoint.

## Amazon Organizations information in CloudTrail
<a name="service-name-info-in-cloudtrail"></a>

CloudTrail is enabled on your Amazon Web Services account when you create the account. When activity occurs in Amazon Organizations, that activity is recorded in a CloudTrail event along with other Amazon service events in **Event history**. You can view, search, and download recent events in your Amazon Web Services account. For more information, see [Viewing Events with CloudTrail Event History](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/view-cloudtrail-events.html).

For an ongoing record of events in your Amazon Web Services account, including events for Amazon Organizations, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. When CloudTrail logging is enabled in your Amazon Web Services account, API calls made to Amazon Organizations actions are tracked in CloudTrail log files, where they are written with other Amazon service records. You can configure other Amazon Web Services services to further analyze and act on the event data collected in CloudTrail logs. For more information, see the following:
+ [Overview for Creating a Trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail Supported Services and Integrations](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS Notifications for CloudTrail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/getting_notifications_top_level.html)

All Amazon Organizations actions are logged by CloudTrail and are documented in the [Amazon Organizations API Reference](https://docs.amazonaws.cn/organizations/latest/APIReference/). For example, calls to `CreateAccount` (including the `CreateAccountResult` event), `ListHandshakesForAccount`, `CreatePolicy`, and `InviteAccountToOrganization` generate entries in the CloudTrail log files. 

Every log entry contains information about who generated the request. The user identity information in the log entry helps you determine the following: 
+ Whether the request was made with root user or IAM user credentials
+ Whether the request was made with temporary security credentials for an [IAM role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html) or a [federated user](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_providers.html)
+ Whether the request was made by another Amazon service

For more information, see the [CloudTrail userIdentity Element](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
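The following is an added example (not code from this guide, the Organizations service, or the AWS SDKs) that covers the two points above: querying Event history from the US East (N. Virginia) endpoint, and reading the `userIdentity` element to tell root, IAM user, role, federated and service callers apart. `org_cloudtrail_client` assumes a `boto3.Session`; `FakeCloudTrailClient` and the records it serves are constructed stand-ins so the module runs offline, and `summarize`, `classify_actor` and `lookup_org_events` are names chosen here, not SDK functions.

```python
"""Pull Amazon Organizations activity out of CloudTrail Event history and classify who made
each request. Added example; not from the Organizations documentation or the AWS SDKs."""
import json
from datetime import datetime, timedelta, timezone

ORG_EVENT_SOURCE = "organizations.amazonaws.com"
ORG_REGION = "us-east-1"   # Organizations events are recorded only in US East (N. Virginia)


def org_cloudtrail_client(session):
    """Return a CloudTrail client pinned to us-east-1 regardless of the session's default
    region. `session` is assumed to be a boto3.Session (boto3 is deliberately not imported
    so that the rest of this module runs offline)."""
    return session.client("cloudtrail", region_name=ORG_REGION)


def classify_actor(user_identity):
    """Map a CloudTrail userIdentity element to a coarse actor class."""
    if user_identity.get("invokedBy"):
        return "service"          # an AWS service made the call (service event, or on a user's behalf)
    kind = user_identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return "iam-user"
    if kind == "AssumedRole":
        return "assumed-role"     # temporary credentials obtained from an IAM role
    if kind in ("FederatedUser", "SAMLUser", "WebIdentityUser"):
        return "federated"
    return "unknown"


def summarize(record):
    """Reduce a full CloudTrail record to the fields an analyst triages first."""
    identity = record.get("userIdentity", {})
    attributes = identity.get("sessionContext", {}).get("attributes", {})
    return {
        "time": record.get("eventTime"),
        "name": record.get("eventName"),
        "actor": identity.get("arn") or identity.get("invokedBy") or "unknown",
        "actor_class": classify_actor(identity),
        "mfa": attributes.get("mfaAuthenticated"),   # "true"/"false" strings; absent for services
        "source_ip": record.get("sourceIPAddress"),
        "error": record.get("errorCode"),
        "account": record.get("recipientAccountId"),
    }


def lookup_org_events(client, hours=24, event_names=None):
    """Page through LookupEvents (filtered on EventSource) and return summaries.
    `client` must expose boto3's CloudTrail.Client.lookup_events signature."""
    end = datetime.now(timezone.utc)
    params = {
        "LookupAttributes": [{"AttributeKey": "EventSource", "AttributeValue": ORG_EVENT_SOURCE}],
        "StartTime": end - timedelta(hours=hours),
        "EndTime": end,
    }
    results = []
    while True:
        page = client.lookup_events(**params)
        for event in page.get("Events", []):
            record = json.loads(event["CloudTrailEvent"])   # the full record is a JSON string
            if record.get("eventSource") != ORG_EVENT_SOURCE:
                continue
            if event_names and record.get("eventName") not in event_names:
                continue
            results.append(summarize(record))
        token = page.get("NextToken")
        if not token:
            return results
        params["NextToken"] = token


# Constructed sample records, abbreviated to the fields used above; shapes follow this page.
_SAMPLE_RECORDS = [
    {"eventTime": "2022-03-18T18:17:06Z", "eventSource": ORG_EVENT_SOURCE,
     "eventName": "CloseAccount", "sourceIPAddress": "192.168.0.1",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2022-03-18T18:17:06Z", "eventSource": ORG_EVENT_SOURCE,
     "eventName": "CloseAccountResult", "sourceIPAddress": ORG_EVENT_SOURCE,
     "recipientAccountId": "111122223333",
     "userIdentity": {"accountId": "111122223333", "invokedBy": ORG_EVENT_SOURCE}},
    {"eventTime": "2017-01-18T21:42:44Z", "eventSource": ORG_EVENT_SOURCE,
     "eventName": "AttachPolicy", "errorCode": "PolicyTypeNotEnabledException",
     "sourceIPAddress": "192.0.2.0", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/diego"}},
]


class FakeCloudTrailClient:
    """Offline stand-in for the boto3 client; serves the samples over two pages."""

    def lookup_events(self, **params):
        if "NextToken" not in params:
            return {"Events": [{"CloudTrailEvent": json.dumps(r)} for r in _SAMPLE_RECORDS[:2]],
                    "NextToken": "page-2"}
        return {"Events": [{"CloudTrailEvent": json.dumps(r)} for r in _SAMPLE_RECORDS[2:]]}


if __name__ == "__main__":
    for row in lookup_org_events(FakeCloudTrailClient()):
        print(row)
```

Against a real account, pass `org_cloudtrail_client(boto3.Session())` instead of the fake; the point of pinning `region_name` is that a session defaulting to any other Region returns no Organizations events at all, which is easy to misread as "nothing happened".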

**Note**  
CloudTrail records an event in the account that performs the action, which is not always the management account. For example, a member account that leaves the organization (`LeaveOrganization`) is logged in that member account's trail, while the management account removing a member account (`RemoveAccountFromOrganization`) is logged in the management account's trail. If you collect logs only from the management account, member-initiated actions such as leaving the organization will not appear in them.

## Understanding Amazon Organizations log file entries
<a name="understanding-service-name-entries"></a>

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.

### Example log entries: CloseAccount
<a name="Log-entries-close-account"></a>

The following example shows a CloudTrail log entry for a sample `CloseAccount` call that is generated when the API is called and the workflow to close the account starts processing in the background.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAMVNPBQA3EXAMPLE:my-admin-role",
        "arn": "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDAMVNPBQA3EXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/my-admin-role",
                "accountId": "111122223333",
                "userName": "my-session-id"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2022-03-18T18:17:06Z"
            }
        }
    },
    "eventTime": "2022-03-18T18:17:06Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "CloseAccount",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.168.0.1",
    "userAgent":  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
    "requestParameters": {
        "accountId": "555555555555"
    },
    "responseElements": null,
    "requestID": "e28932f8-d5da-4d7a-8238-ef74f3d5c09a",
    "eventID": "19fe4c10-f57e-4cb7-a2bc-6b5c30233592",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

The following example shows the `CloseAccountResult` service event (`eventType` is `AwsServiceEvent`, so `userIdentity` carries `invokedBy` rather than a caller ARN) that is recorded after the background workflow to close the account completes successfully.

```
{
  "eventVersion": "1.08",
  "userIdentity": {
    "accountId": "111122223333",
    "invokedBy": "organizations.amazonaws.com"
  },
  "eventTime": "2022-03-18T18:17:06Z",
  "eventSource": "organizations.amazonaws.com",
  "eventName": "CloseAccountResult",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "organizations.amazonaws.com",
  "userAgent": "organizations.amazonaws.com",
  "requestParameters": null,
  "responseElements": null,
  "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "serviceEventDetails": {
    "closeAccountStatus": {
      "accountId": "555555555555",
      "state": "SUCCEEDED",
      "requestedTimestamp": "Mar 18, 2022 6:16:58 PM",
      "completedTimestamp": "Mar 18, 2022 6:16:58 PM"
    }
   },
   "eventCategory": "Management"
}
```

### Example log entries: CreateAccount
<a name="Log-entries-create-account"></a>

The following example shows a CloudTrail log entry for a sample `CreateAccount` call that is generated when the API is called and the workflow to create the account starts processing in the background.

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAMVNPBQA3EXAMPLE:my-admin-role",
        "arn": "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDAMVNPBQA3EXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/my-admin-role",
                "accountId": "111122223333",
                "userName": "my-session-id"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2020-09-16T21:16:45Z"
            }
        }
    },
    "eventTime": "2018-06-21T22:06:27Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "CreateAccount",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.168.0.1",
    "userAgent":  "Mozilla/5.0 (Windows NT 10.0; Win64; x64)...",
    "requestParameters": {
        "tags": [],
        "email": "****",
        "accountName": "****"
    },
    "responseElements": {
        "createAccountStatus": {
            "accountName": "****",
            "state": "IN_PROGRESS",
            "id": "car-examplecreateaccountrequestid111",
            "requestedTimestamp": "Sep 16, 2020 9:20:50 PM"
        }
    },
    "requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventType": "AwsApiCall",
    "recipientAccountId": "111111111111"
}
```

The following example shows the `CreateAccountResult` service event that is recorded after the background workflow to create the account completes successfully. The `id` in `serviceEventDetails.createAccountStatus` matches the `id` returned by the original `CreateAccount` call, which is how the two entries are correlated.

```
{
  "eventVersion": "1.05",
  "userIdentity": {
    "accountId": "111122223333",
    "invokedBy": "..."
  },
  "eventTime": "2020-09-16T21:20:53Z",
  "eventSource": "organizations.amazonaws.com",
  "eventName": "CreateAccountResult",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "....",
  "requestParameters": null,
  "responseElements": null,
  "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "recipientAccountId": "111122223333",
  "serviceEventDetails": {
    "createAccountStatus": {
      "id": "car-examplecreateaccountrequestid111",
      "state": "SUCCEEDED",
      "accountName": "****",
      "accountId": "444455556666",
      "requestedTimestamp": "Sep 16, 2020 9:20:50 PM",
      "completedTimestamp": "Sep 16, 2020 9:20:53 PM"
    }
  }
}
```

The following example shows the `CreateAccountResult` service event that is recorded after a `CreateAccount` background workflow fails to create the account. The cause is reported in `failureReason`.

```
{
  "eventVersion": "1.06",
  "userIdentity": {
    "accountId": "111122223333",
    "invokedBy": "AWS Internal"
  },
  "eventTime": "2018-06-21T22:06:27Z",
  "eventSource": "organizations.amazonaws.com",
  "eventName": "CreateAccountResult",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": null,
  "responseElements": null,
  "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "recipientAccountId": "111122223333",
  "serviceEventDetails": {
    "createAccountStatus": {
      "id": "car-examplecreateaccountrequestid111",
      "state": "FAILED",
      "accountName": "****",
      "failureReason": "EMAIL_ALREADY_EXISTS",
      "requestedTimestamp": Jun 21, 2018 10:06:27 PM,
      "completedTimestamp": Jun 21, 2018 10:07:15 PM
    }
  }
}
```
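The entries above come in pairs: a synchronous API call (`CreateAccount`, `CloseAccount`) that returns a request id or target account, and a later `AwsServiceEvent` (`CreateAccountResult`, `CloseAccountResult`) that carries the final state. The following added example (not code from this guide or the Organizations service) correlates those pairs over a stream of records and raises the findings a reviewer would want: failed workflows, result events with no matching call in this trail, synchronously failed calls, and account-closing calls made without MFA. `review_org_workflows` and `_mfa_authenticated` are names chosen here; `SAMPLE_RECORDS` is constructed, abbreviated to the fields the code reads, and follows the shapes of the entries on this page.

```python
"""Correlate two-stage Organizations workflows in CloudTrail and raise findings.
Added example; not from the Organizations documentation."""

ORG_SOURCE = "organizations.amazonaws.com"


def _mfa_authenticated(record):
    """True only when the session that made the call was MFA-authenticated."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def review_org_workflows(records):
    """Return (outcomes, findings). outcomes maps ("car", request id) or
    ("close", account id) to the last observed workflow state; findings is a list of strings."""
    outcomes, findings = {}, []
    for rec in records:
        if rec.get("eventSource") != ORG_SOURCE:
            continue
        name = rec.get("eventName")
        if rec.get("errorCode"):                     # synchronous failure (denied, bad input, ...)
            findings.append(f"{name} failed synchronously: {rec['errorCode']}")
            continue
        if name == "CreateAccount":
            status = (rec.get("responseElements") or {}).get("createAccountStatus", {})
            outcomes[("car", status.get("id"))] = status.get("state", "IN_PROGRESS")
        elif name == "CreateAccountResult":          # AwsServiceEvent: no caller identity
            status = rec["serviceEventDetails"]["createAccountStatus"]
            key = ("car", status["id"])
            if key not in outcomes:
                findings.append(f"CreateAccountResult {status['id']} has no CreateAccount in this trail")
            outcomes[key] = status["state"]
            if status["state"] == "FAILED":
                findings.append(f"account creation {status['id']} failed: {status.get('failureReason')}")
        elif name == "CloseAccount":
            target = rec["requestParameters"]["accountId"]
            outcomes[("close", target)] = "REQUESTED"
            if not _mfa_authenticated(rec):          # destructive call from a non-MFA session
                actor = rec.get("userIdentity", {}).get("arn", "unknown")
                findings.append(f"CloseAccount on {target} by {actor} without MFA")
        elif name == "CloseAccountResult":
            status = rec["serviceEventDetails"]["closeAccountStatus"]
            key = ("close", status["accountId"])
            if key not in outcomes:
                findings.append(f"CloseAccountResult for {status['accountId']} has no CloseAccount in this trail")
            outcomes[key] = status["state"]
    return outcomes, findings


ADMIN_SESSION = "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id"
SERVICE_IDENTITY = {"accountId": "111122223333", "invokedBy": ORG_SOURCE}

# Constructed sample stream, abbreviated to the fields read above; shapes follow this page.
SAMPLE_RECORDS = [
    {"eventSource": ORG_SOURCE, "eventName": "CreateAccount",
     "userIdentity": {"type": "AssumedRole", "arn": ADMIN_SESSION,
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "responseElements": {"createAccountStatus": {
         "id": "car-examplecreateaccountrequestid111", "state": "IN_PROGRESS"}}},
    {"eventSource": ORG_SOURCE, "eventName": "CreateAccountResult", "userIdentity": SERVICE_IDENTITY,
     "serviceEventDetails": {"createAccountStatus": {
         "id": "car-examplecreateaccountrequestid111", "state": "SUCCEEDED", "accountId": "444455556666"}}},
    {"eventSource": ORG_SOURCE, "eventName": "CreateAccountResult", "userIdentity": SERVICE_IDENTITY,
     "serviceEventDetails": {"createAccountStatus": {
         "id": "car-examplecreateaccountrequestid222", "state": "FAILED",
         "failureReason": "EMAIL_ALREADY_EXISTS"}}},
    {"eventSource": ORG_SOURCE, "eventName": "CloseAccount",
     "userIdentity": {"type": "AssumedRole", "arn": ADMIN_SESSION,
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"accountId": "555555555555"}},
    {"eventSource": ORG_SOURCE, "eventName": "CloseAccountResult", "userIdentity": SERVICE_IDENTITY,
     "serviceEventDetails": {"closeAccountStatus": {"accountId": "555555555555", "state": "SUCCEEDED"}}},
    {"eventSource": ORG_SOURCE, "eventName": "AttachPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/diego"},
     "errorCode": "PolicyTypeNotEnabledException",
     "requestParameters": {"policyId": "p-examplepolicyid111"}},
]

if __name__ == "__main__":
    outcomes, findings = review_org_workflows(SAMPLE_RECORDS)
    for key, state in outcomes.items():
        print(key, state)
    for finding in findings:
        print("FINDING:", finding)
```

Because CloudTrail log files are not ordered, feed `review_org_workflows` records sorted by `eventTime` (or accept that a result may precede its call and treat the "no matching call" finding as provisional until the window closes). The "no matching call" case is also expected when the call was recorded in a different account's trail, as the note above explains.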

### Example log entry: CreateOrganizationalUnit
<a name="Log-entries-create-ou"></a>

The following example shows a CloudTrail log entry for a sample `CreateOrganizationalUnit` call.

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAMVNPBQA3EXAMPLE",
        "arn": "arn:aws:iam::111111111111:user/diego",
        "accountId": "111111111111",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "diego"
    },
    "eventTime": "2017-01-18T21:40:11Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "CreateOrganizationalUnit",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
    "requestParameters": {
        "name": "OU-Developers-1",
        "parentId": "r-a1b2"
    },
    "responseElements": {
        "organizationalUnit": {
            "arn": "arn:aws:organizations::111111111111:ou/o-aa111bb222/ou-examplerootid111-exampleouid111",
            "id": "ou-examplerootid111-exampleouid111",
            "name": "test-cloud-trail",
            "path": "o-aa111bb222/r-a1b2/ou-examplerootid111-exampleouid111/"
        }
    },
    "requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventType": "AwsApiCall",
    "recipientAccountId": "111111111111"
}
```

### Example log entry: InviteAccountToOrganization
<a name="Log-entries-invite-account"></a>

The following example shows a CloudTrail log entry for a sample `InviteAccountToOrganization` call.

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAMVNPBQA3EXAMPLE",
        "arn": "arn:aws:iam::111111111111:user/diego",
        "accountId": "111111111111",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "diego"
    },
    "eventTime": "2017-01-18T21:41:17Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "InviteAccountToOrganization",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
    "requestParameters": {
        "notes": "This is a request for Mary's account to join Diego's organization.",
        "target": {
            "type": "ACCOUNT",
            "id": "111111111111"
        }
    },
    "responseElements": {
        "handshake": {
            "requestedTimestamp": "Jan 18, 2017 9:41:16 PM",
            "state": "OPEN",
            "arn": "arn:aws:organizations::111111111111:handshake/o-aa111bb222/invite/h-examplehandshakeid111",
            "id": "h-examplehandshakeid111",
            "parties": [
                {
                    "type": "ORGANIZATION",
                    "id": "o-aa111bb222"
                },
                {
                    "type": "ACCOUNT",
                    "id": "222222222222"
                }
            ],
            "action": "invite",
            "expirationTimestamp": "Feb 2, 2017 9:41:16 PM",
            "resources": [
                {
                    "resources": [
                        {
                            "type": "MASTER_EMAIL",
                            "value": "diego@example.com"
                        },
                        {
                            "type": "MASTER_NAME",
                            "value": "Management account for organization"
                        },
                        {
                            "type": "ORGANIZATION_FEATURE_SET",
                            "value": "ALL"
                        }
                    ],
                    "type": "ORGANIZATION",
                    "value": "o-aa111bb222"
                },
                {
                    "type": "ACCOUNT",
                    "value": "222222222222"
                },
                {
                    "type": "NOTES",
                    "value": "This is a request for Mary's account to join Diego's organization."
                }
            ]
        }
    },
    "requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventType": "AwsApiCall",
    "recipientAccountId": "111111111111"
}
```

### Example log entry: AttachPolicy
<a name="Log-entries-attach-policy"></a>

The following example shows a CloudTrail log entry for a sample `AttachPolicy` call. The response indicates that the call failed because the requested policy type isn't enabled in the root where the request to attach was attempted.

```
{
    "eventVersion": "1.06",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAMVNPBQA3EXAMPLE",
        "arn": "arn:aws:iam::111111111111:user/diego",
        "accountId": "111111111111",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "diego"
    },
    "eventTime": "2017-01-18T21:42:44Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "AttachPolicy",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
    "errorCode": "PolicyTypeNotEnabledException",
    "errorMessage": "The given policy type ServiceControlPolicy is not enabled on the current view",
    "requestParameters": {
        "policyId": "p-examplepolicyid111",
        "targetId": "ou-examplerootid111-exampleouid111"
    },
    "responseElements": null,
    "requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "eventType": "AwsApiCall",
    "recipientAccountId": "111111111111"
}
```

### Example log entry: Invalid effective policy
<a name="Log-entries-invalid-effective-policy"></a>

The following example shows a CloudTrail log entry for a sample `EffectivePolicyValidation` event. This event is emitted to the management account of the organization whenever an update in the organization creates an invalid effective policy on any account.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "111122223333",
        "invokedBy": "Amazon Internal"
    },
    "eventTime": "2025-07-17T14:53:40Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "EffectivePolicyValidation",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "Amazon Internal",
    "userAgent": "Amazon Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "readOnly": true,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "111111111111",
    "serviceEventDetails": {
        "accountId": "111111111111",
        "policyType": "BACKUP_POLICY",
        "state": "INVALID",
        "requestTimestamp": "Jul 17, 2025, 2:53:40 PM",
        "info": "All validation errors listed",
        "validationErrors": [
            {
                "accountPath": "o-aa111bb222/r-a1b2/111111111111/",
                "evaluationTimestamp": "Jul 17, 2025, 2:53:40 PM",
                "errorCode": "ELEMENTS_TOO_MANY",
                "errorMessage": "'hourly_rule' exceeds the allowed maximum limit 10",
                "pathToError": "plans/hourly-backup/rules/hourly_rule",
                "contributingPolicies": [
                    "p-examplepolicyid111"
                ]
            }
        ]
    },
    "eventCategory": "Management"
}
```

### Example log entry: Valid effective policy
<a name="Log-entries-valid-effective-policy"></a>

The following example shows a CloudTrail log entry for a sample `EffectivePolicyValidation` event. This event is emitted to the management account of the organization whenever an update in the organization fixes an effective policy on an account that was previously invalid. Note that `serviceEventDetails` carries no `validationErrors` in this case; the `state` of `VALID` for the same `accountId` and `policyType` is what closes the earlier finding.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "111111111111",
        "invokedBy": "Amazon Internal"
    },
    "eventTime": "2025-07-17T14:54:40Z",
    "eventSource": "organizations.amazonaws.com",
    "eventName": "EffectivePolicyValidation",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "Amazon Internal",
    "userAgent": "Amazon Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
    "readOnly": true,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "111111111111",
    "serviceEventDetails": {
        "accountId": "111111111111",
        "policyType": "BACKUP_POLICY",
        "state": "VALID",
        "requestTimestamp": "Jul 17, 2025, 2:54:40 PM",
        "info": "Previous effective policy validation error(s) resolved for this account/policyType"
    },
    "eventCategory": "Management"
}
```
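The two `EffectivePolicyValidation` entries above are a state transition for one (`accountId`, `policyType`) pair: `INVALID` opens a problem, `VALID` closes it. The following added example (not code from this guide or the Organizations service) turns a stream of such events into a finding tracker and lists the policy IDs that still contribute to an invalid effective policy. `track_effective_policies`, `open_findings` and `policies_to_review` are names chosen here; `SAMPLE_EVENTS` is constructed to the shape of the entries above, and the second account (`444455556666`), its `TAG_POLICY` entry and the ID `p-exampletagpolicy222` are made up for illustration.

```python
"""Track EffectivePolicyValidation service events per (account, policy type).
Added example; not from the Organizations documentation."""

ORG_SOURCE = "organizations.amazonaws.com"


def track_effective_policies(records):
    """Return {(accountId, policyType): {"state", "errors", "opened", "resolved"}}."""
    tracker = {}
    for rec in records:
        if rec.get("eventSource") != ORG_SOURCE or rec.get("eventName") != "EffectivePolicyValidation":
            continue
        details = rec["serviceEventDetails"]
        key = (details["accountId"], details["policyType"])
        entry = tracker.setdefault(key, {"state": None, "errors": [], "opened": None, "resolved": None})
        entry["state"] = details["state"]
        if details["state"] == "INVALID":
            entry["opened"], entry["resolved"] = rec["eventTime"], None
            entry["errors"] = [                      # keep what an operator needs to fix it
                {"code": err["errorCode"], "path": err["pathToError"],
                 "account_path": err["accountPath"],
                 "policies": list(err.get("contributingPolicies", []))}
                for err in details.get("validationErrors", [])]
        elif details["state"] == "VALID":            # no validationErrors on VALID events
            entry["resolved"], entry["errors"] = rec["eventTime"], []
    return tracker


def open_findings(tracker):
    """Keys whose effective policy is still INVALID."""
    return {key: entry for key, entry in tracker.items() if entry["state"] == "INVALID"}


def policies_to_review(tracker):
    """Policy IDs that contribute to at least one still-invalid effective policy."""
    ids = set()
    for entry in open_findings(tracker).values():
        for err in entry["errors"]:
            ids.update(err["policies"])
    return sorted(ids)


def _validation_event(account, policy_type, state, time, errors=None):
    """Build a constructed EffectivePolicyValidation record in this page's shape."""
    details = {"accountId": account, "policyType": policy_type, "state": state}
    if errors:
        details["validationErrors"] = errors
    return {"eventSource": ORG_SOURCE, "eventName": "EffectivePolicyValidation",
            "eventType": "AwsServiceEvent", "eventTime": time,
            "userIdentity": {"accountId": "111111111111", "invokedBy": "Amazon Internal"},
            "serviceEventDetails": details}


# Constructed sample stream: one account goes INVALID then VALID, another stays INVALID.
SAMPLE_EVENTS = [
    _validation_event("111111111111", "BACKUP_POLICY", "INVALID", "2025-07-17T14:53:40Z", [
        {"accountPath": "o-aa111bb222/r-a1b2/111111111111/",
         "errorCode": "ELEMENTS_TOO_MANY",
         "errorMessage": "'hourly_rule' exceeds the allowed maximum limit 10",
         "pathToError": "plans/hourly-backup/rules/hourly_rule",
         "contributingPolicies": ["p-examplepolicyid111"]}]),
    _validation_event("444455556666", "TAG_POLICY", "INVALID", "2025-07-17T14:53:41Z", [
        {"accountPath": "o-aa111bb222/r-a1b2/ou-examplerootid111-exampleouid111/444455556666/",
         "errorCode": "ELEMENTS_TOO_MANY",        # constructed; code reused from the entry above
         "errorMessage": "constructed example error",
         "pathToError": "tags/CostCenter",
         "contributingPolicies": ["p-exampletagpolicy222"]}]),
    _validation_event("111111111111", "BACKUP_POLICY", "VALID", "2025-07-17T14:54:40Z"),
]

if __name__ == "__main__":
    state = track_effective_policies(SAMPLE_EVENTS)
    for key, entry in open_findings(state).items():
        print("open:", key, [e["path"] for e in entry["errors"]])
    print("policies to review:", policies_to_review(state))
```

Because these are service events in the management account only, this tracker belongs in whatever consumes the management account's trail; the affected member account's own trail will not show them.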