AWSConfigRemediation-CreateCloudTrailMultiRegionTrail - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).



The AWSConfigRemediation-CreateCloudTrailMultiRegionTrail runbook creates an Amazon CloudTrail (CloudTrail) trail that delivers log files from multiple Amazon Web Services Regions to the Amazon Simple Storage Service (Amazon S3) bucket of your choice.

Document type

Automation

Platforms

Linux, macOS, Windows

Parameters


  • AutomationAssumeRole

    Type: String

    Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.

  • BucketName

    Type: String

    Description: (Required) The name of the Amazon S3 bucket you want to upload logs to.

  • KeyPrefix

    Type: String

    Description: (Optional) The Amazon S3 key prefix that comes after the name of the bucket you designated for log file delivery.

  • TrailName

    Type: String

    Description: (Required) The name of the CloudTrail trail to be created.

Required IAM permissions

The IAM role you pass as the AutomationAssumeRole parameter must be allowed to perform the following actions for the runbook to complete successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • cloudtrail:CreateTrail

  • cloudtrail:StartLogging

  • cloudtrail:GetTrail

  • s3:PutObject

  • s3:GetBucketAcl

  • s3:PutBucketLogging

  • s3:ListBucket

Document Steps

  • aws:executeAwsApi - Accepts the trail name and the Amazon S3 bucket name as input and creates a CloudTrail trail.

  • aws:executeAwsApi - Enables logging on the created trail and starts log delivery to the Amazon S3 bucket you specified.

  • aws:assertAwsResourceProperty - Verifies that the CloudTrail trail has been created.
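The three steps above, assembled into an Automation document as an added example. This is an illustrative reconstruction written for this page, not the published runbook's content; the step names (CreateTrail, StartLogging, VerifyTrail), the IncludeGlobalServiceEvents setting and the stringified 'True' comparison are assumptions.

```yaml
schemaVersion: '0.3'
description: Creates a multi-Region CloudTrail trail, starts logging and verifies the result (illustrative).
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  AutomationAssumeRole:
    type: String
    description: (Required) ARN of the IAM role that Automation assumes.
  BucketName:
    type: String
    description: (Required) Amazon S3 bucket that receives the log files.
  KeyPrefix:
    type: String
    description: (Optional) Key prefix placed in front of the delivered log files.
    default: ''
  TrailName:
    type: String
    description: (Required) Name of the trail to create.
mainSteps:
  - name: CreateTrail
    action: aws:executeAwsApi
    inputs:
      Service: cloudtrail
      Api: CreateTrail
      Name: '{{ TrailName }}'
      S3BucketName: '{{ BucketName }}'
      S3KeyPrefix: '{{ KeyPrefix }}'
      IsMultiRegionTrail: true          # the setting that makes the trail multi-Region (assumed here)
      IncludeGlobalServiceEvents: true  # assumption: also capture IAM, STS and other global-service events
    outputs:
      - Name: TrailArn
        Selector: $.TrailARN
        Type: String
  - name: StartLogging
    action: aws:executeAwsApi
    inputs:
      Service: cloudtrail
      Api: StartLogging
      Name: '{{ CreateTrail.TrailArn }}'   # ARN from the previous step; the trail name would also be accepted
  - name: VerifyTrail
    action: aws:assertAwsResourceProperty
    inputs:
      Service: cloudtrail
      Api: GetTrail
      Name: '{{ CreateTrail.TrailArn }}'
      PropertySelector: $.Trail.IsMultiRegionTrail
      DesiredValues:
        - 'True'   # assumption: Automation compares the boolean in its stringified form
```

CreateTrail is rejected with InsufficientS3BucketPolicyException unless the bucket policy already lets the cloudtrail.amazonaws.com service principal write objects under the chosen prefix, so check that policy before running the document.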