AWS account closure and trails
AWS CloudTrail continuously monitors and records events for account activity generated by any user, role, or AWS service in an AWS account. Users can create a CloudTrail trail to receive a copy of these events in an S3 bucket that they own.
Because CloudTrail is a foundational security service, trails created by users continue to exist and deliver events even after an AWS account is closed, unless the user explicitly deletes the trails before closing the account. This ensures that a user who reopens a closed account has an unbroken record of account activity. It also gives users visibility into any final account activity, including the deletion and termination of the remaining account resources and services.
Before you close your AWS account, consider the following:
- Trails continue to exist even after the post-closure period has passed. The post-closure period is the 90 days between when you close your account and when AWS permanently closes it.
- This behavior also applies to organization trails created by the management account or the delegated administrator, and to multi-Region organization trails created in the organization's member accounts.
- Trails that deliver events to an S3 bucket in the same account continue to exist after the account is closed, but because that bucket is deleted with the account, they stop delivering events.
- Trails that deliver events to an S3 bucket in a different account continue to exist after the account is closed, and they continue to deliver events as long as delivery is possible. For example, organization trails keep delivering events to the S3 bucket if you close a member account but do not close the management account.
- For trails that use an AWS KMS key for encryption, both the trail and the KMS key continue to exist after the account is closed.
Users can delete trails before closing their AWS account, or contact AWS Support.
For information about closing an AWS account, see Close an AWS account in the AWS Account Management Reference Guide.
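As an added example (not AWS documentation code), the following script applies the rules above to a trail list in the shape of DescribeTrails output and reports, per trail, whether it persists, whether it keeps delivering, and what to do before closing the account. The account IDs, bucket names, trail names, and the bucket-owner table are assumptions for the example; DescribeTrails does not report which account owns the destination bucket, so in a real run you supply that from your own inventory, and you would load the trail list with boto3's cloudtrail.describe_trails(includeShadowTrails=True)["trailList"].

```python
"""Pre-closure audit of CloudTrail trails (added example, not AWS code).

Rules applied, taken from the page above:
  - every trail persists after closure (deletion before closure is the only way out);
  - a trail whose bucket is in the closing account keeps existing but stops delivering;
  - a trail whose bucket is in another account keeps delivering while delivery is possible;
  - a KMS-encrypted trail keeps both the trail and the key;
  - with log file validation enabled, hourly digest files keep arriving.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CLOSING_ACCOUNT = "111111111111"     # assumed ID of the account being closed
MANAGEMENT_ACCOUNT = "222222222222"  # assumed organization management account

# Assumed bucket -> owning account mapping, established out of band.
BUCKET_OWNERS: Dict[str, str] = {
    "closing-account-trail-logs": CLOSING_ACCOUNT,
    "org-audit-logs": MANAGEMENT_ACCOUNT,
}

# Constructed sample in the shape of DescribeTrails' "trailList".
SAMPLE_TRAILS = [
    {   # ordinary trail: bucket in the closing account, KMS-encrypted
        "Name": "local-trail",
        "TrailARN": f"arn:aws:cloudtrail:us-east-1:{CLOSING_ACCOUNT}:trail/local-trail",
        "S3BucketName": "closing-account-trail-logs",
        "IsOrganizationTrail": False,
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": f"arn:aws:kms:us-east-1:{CLOSING_ACCOUNT}:key/00000000-0000-0000-0000-000000000001",
    },
    {   # organization trail created by the management account; appears here as a shadow trail
        "Name": "org-trail",
        "TrailARN": f"arn:aws:cloudtrail:us-east-1:{MANAGEMENT_ACCOUNT}:trail/org-trail",
        "S3BucketName": "org-audit-logs",
        "IsOrganizationTrail": True,
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": False,
    },
    {   # trail owned here, delivering to a bucket whose owner is not in the inventory
        "Name": "archive-trail",
        "TrailARN": f"arn:aws:cloudtrail:eu-west-1:{CLOSING_ACCOUNT}:trail/archive-trail",
        "S3BucketName": "central-archive-bucket",
        "IsOrganizationTrail": False,
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": True,
    },
]


@dataclass
class Finding:
    name: str
    owner_account: str
    bucket_owner: Optional[str]
    persists: bool
    keeps_delivering: Optional[bool]  # None when bucket ownership is unknown
    notes: List[str] = field(default_factory=list)
    action: str = ""


def trail_owner(trail_arn: str) -> str:
    """The account ID is the fifth colon-separated field of an ARN."""
    return trail_arn.split(":")[4]


def assess_trail(trail: dict, closing_account: str, bucket_owners: Dict[str, str]) -> Finding:
    owner = trail_owner(trail["TrailARN"])
    bucket_owner = bucket_owners.get(trail.get("S3BucketName", ""))
    f = Finding(name=trail["Name"], owner_account=owner, bucket_owner=bucket_owner,
                persists=True, keeps_delivering=None)

    if bucket_owner == closing_account:
        f.keeps_delivering = False
        f.notes.append("destination bucket is deleted with the account; delivery stops")
    elif bucket_owner is None:
        f.notes.append("bucket owner unknown; verify before closing")
    else:
        f.keeps_delivering = True
        f.notes.append(f"bucket owned by {bucket_owner}; delivery continues while possible")

    if trail.get("KmsKeyId"):
        f.notes.append("trail and its KMS key both persist after closure")
    # Digest files go to the same bucket, so they only matter where delivery can continue.
    if trail.get("LogFileValidationEnabled") and f.keeps_delivering is not False:
        f.notes.append("hourly digest files continue to be delivered")

    delete_cmd = f"aws cloudtrail delete-trail --name {trail['TrailARN']}"
    if owner != closing_account:
        f.action = f"managed by account {owner}; cannot be deleted from this account"
    elif f.keeps_delivering is False:
        f.action = f"delete before closing if persistence is not wanted: {delete_cmd}"
    else:
        f.action = f"decide whether cross-account delivery should continue, else: {delete_cmd}"
    return f


def audit(trails, closing_account=CLOSING_ACCOUNT, bucket_owners=BUCKET_OWNERS) -> List[Finding]:
    return [assess_trail(t, closing_account, bucket_owners) for t in trails]


if __name__ == "__main__":
    for f in audit(SAMPLE_TRAILS):
        print(f"{f.name}: persists={f.persists} keeps_delivering={f.keeps_delivering}")
        for note in f.notes:
            print(f"  - {note}")
        print(f"  action: {f.action}")
```

Run the audit in every account you intend to close, including member accounts: the organization trail shows up there with the management account's ARN, which is why the script refuses to propose deleting it locally.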
Note
If CloudTrail log file validation is enabled, users continue to receive hourly digest files, which indicate whether any CloudTrail log files were delivered during that hour.
CloudTrail Lake event data stores, CloudTrail Lake channels for integrations, CloudTrail service-linked channels, and resources created for trails (for example, Amazon CloudWatch Logs log groups and Amazon S3 buckets existing in the closed account), follow standard AWS behavior for account closure and are permanently deleted after the post-closure period (typically 90 days).