Creating a trail for your organization in the console

To create an organization trail with the AWS Management Console

1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

   You must be signed in using an IAM identity in the management or delegated administrator account with sufficient permissions to create an organization trail.

2. Choose Trails, and then choose Create trail.

3. On the Create Trail page, for Trail name, type a name for your trail. For more information, see Naming requirements for CloudTrail resources, S3 buckets, and KMS keys.

4. Select Enable for all accounts in my organization. You only see this option if you sign in to the console with a user or role in the management or delegated administrator account. To successfully create an organization trail, be sure that the user or role has sufficient permissions.

5. For Storage location, choose Create new S3 bucket to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies.

   Note

   If you chose Use existing S3 bucket, specify a bucket in Trail log bucket name, or choose Browse to choose a bucket. You can choose a bucket belonging to any account, however, the bucket policy must grant CloudTrail permission to write to it. For information about manually editing the bucket policy, see Amazon S3 bucket policy for CloudTrail.

   To make it easier to find your logs, create a new folder (also known as a prefix) in an existing bucket to store your CloudTrail logs. Enter the prefix in Prefix.

6. For Log file SSE-KMS encryption, choose Enabled if you want to encrypt your log files using SSE-KMS encryption instead of SSE-S3 encryption. The default is Enabled. If you don't enable SSE-KMS encryption, your logs are encrypted using SSE-S3 encryption. For more information about SSE-KMS encryption, see Using server-side encryption with AWS Key Management Service (SSE-KMS). For more information about SSE-S3 encryption, see Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

   If you enable SSE-KMS encryption, choose a New or Existing AWS KMS key. In AWS KMS Alias, specify an alias, in the format alias/MyAliasName. For more information, see Updating a resource to use your KMS key with the console.

   Note

   You can also type the ARN of a key from another account. For more information, see Updating a resource to use your KMS key with the console. The key policy must allow CloudTrail to use the key to encrypt your log files, and allow the users you specify to read log files in unencrypted form. For information about manually editing the key policy, see Configure AWS KMS key policies for CloudTrail.

7. In Additional settings, configure the following.

   1. For Log file validation, choose Enabled to have log digests delivered to your S3 bucket. You can use the digest files to verify that your log files did not change after CloudTrail delivered them. For more information, see Validating CloudTrail log file integrity.

   2. For SNS notification delivery, choose Enabled to be notified each time a log is delivered to your bucket. CloudTrail stores multiple events in a log file. SNS notifications are sent for every log file, not for every event. For more information, see Configuring Amazon SNS notifications for CloudTrail.

      If you enable SNS notifications, for Create a new SNS topic, choose New to create a topic, or choose Existing to use an existing topic. If you are creating a trail that applies to all Regions, SNS notifications for log file deliveries from all Regions are sent to the single SNS topic that you create.

      If you choose New, CloudTrail specifies a name for the new topic for you, or you can type a name. If you choose Existing, choose an SNS topic from the drop-down list. You can also enter the ARN of a topic from another Region or from an account with appropriate permissions. For more information, see Amazon SNS topic policy for CloudTrail.

      If you create a topic, you must subscribe to the topic to be notified of log file delivery. You can subscribe from the Amazon SNS console. Due to the frequency of notifications, we recommend that you configure the subscription to use an Amazon SQS queue to handle notifications programmatically. For more information, see Getting started with Amazon SNS in the Amazon Simple Notification Service Developer Guide.

8. Optionally, configure CloudTrail to send log files to CloudWatch Logs by choosing Enabled in CloudWatch Logs. For more information, see Sending events to CloudWatch Logs.

   Note

   Only the management account can configure a CloudWatch Logs log group for an organization trail using the console. The delegated administrator can configure a CloudWatch Logs log group using the AWS CLI or CloudTrail CreateTrail or UpdateTrail API operations.

   1. If you enable integration with CloudWatch Logs, choose New to create a new log group, or Existing to use an existing one. If you choose New, CloudTrail specifies a name for the new log group for you, or you can type a name.

   2. If you choose Existing, choose a log group from the drop-down list.

   3. Choose New to create a new IAM role for permissions to send logs to CloudWatch Logs. Choose Existing to choose an existing IAM role from the drop-down list. The policy statement for the new or existing role is displayed when you expand Policy document. For more information about this role, see Role policy document for CloudTrail to use CloudWatch Logs for monitoring.

      Note

      When you configure a trail, you can choose an S3 bucket and Amazon SNS topic that belong to another account. However, if you want CloudTrail to deliver events to a CloudWatch Logs log group, you must choose a log group that exists in your current account.

9. For Tags, you can add up to 50 tag key pairs to help you identify, sort, and control access to your trail. Tags can help you identify both your CloudTrail trails and the Amazon S3 buckets that contain CloudTrail log files. You can then use resource groups for your CloudTrail resources. For more information, see AWS Resource Groups and Tags.

10. On the Choose log events page, choose the event types that you want to log. For Management events, do the following.

    1. For API activity, choose if you want your trail to log Read events, Write events, or both. For more information, see Management events.

    2. Choose Exclude AWS KMS events to filter AWS Key Management Service (AWS KMS) events out of your trail. The default setting is to include all AWS KMS events.

       The option to log or exclude AWS KMS events is available only if you log management events on your trail. If you choose not to log management events, AWS KMS events are not logged, and you cannot change AWS KMS event logging settings.

       AWS KMS actions such as Encrypt, Decrypt, and GenerateDataKey typically generate a large volume (more than 99%) of events. These actions are now logged as Read events. Low-volume, relevant AWS KMS actions such as Disable, Delete, and ScheduleKey (which typically account for less than 0.5% of AWS KMS event volume) are logged as Write events.

       To exclude high-volume events like Encrypt, Decrypt, and GenerateDataKey, but still log relevant events such as Disable, Delete and ScheduleKey, choose to log Write management events, and clear the check box for Exclude AWS KMS events.

    3. Choose Exclude Amazon RDS Data API events to filter Amazon Relational Database Service Data API events out of your trail. The default setting is to include all Amazon RDS Data API events. For more information about Amazon RDS Data API events, see Logging Data API calls with AWS CloudTrail in the Amazon RDS User Guide for Aurora.

11. To log data events, choose Data events. Additional charges apply for logging data events. For more information, see AWS CloudTrail Pricing.

12. Important

    Steps 12-16 are for configuring data events using advanced event selectors, which is the default. Advanced event selectors let you configure more resource types and offer fine-grained control over which data events your trail captures. If you plan to log network activity events (in preview), you must use advanced event selectors. If you are using basic event selectors, complete the steps in Configure data event settings using basic event selectors, then return to step 17 of this procedure.

    For Resource type, choose the resource type on which you want to log data events. For more information about available resource types, see Data events.

13. Choose a log selector template. CloudTrail includes predefined templates that log all data events for the resource type. To build a custom log selector template, choose Custom.

    Note

    Choosing a predefined template for S3 buckets enables data event logging for all buckets currently in your AWS account and any buckets you create after you finish creating the trail. It also enables logging of data event activity performed by any IAM identity in your AWS account, even if that activity is performed on a bucket that belongs to another AWS account.

    If the trail applies only to one Region, choosing a predefined template that logs all S3 buckets enables data event logging for all buckets in the same Region as your trail and any buckets you create later in that Region. It will not log data events for Amazon S3 buckets in other Regions in your AWS account.

    If you are creating a trail for all Regions, choosing a predefined template for Lambda functions enables data event logging for all functions currently in your AWS account, and any Lambda functions you might create in any Region after you finish creating the trail. If you are creating a trail for a single Region (done by using the AWS CLI), this selection enables data event logging for all functions currently in that Region in your AWS account, and any Lambda functions you might create in that Region after you finish creating the trail. It does not enable data event logging for Lambda functions created in other Regions.

    Logging data events for all functions also enables logging of data event activity performed by any IAM identity in your AWS account, even if that activity is performed on a function that belongs to another AWS account.

14. (Optional) In Selector name, enter a name to identify your selector. The selector name is a descriptive name for an advanced event selector, such as "Log data events for only two S3 buckets". The selector name is listed as Name in the advanced event selector and is viewable if you expand the JSON view.

15. If you selected Custom, in Advanced event selectors build an expression based on the values of advanced event selector fields.

    Note

    Selectors don't support the use of wildcards like * . To match multiple values with a single condition, you may use StartsWith, EndsWith, NotStartsWith, or NotEndsWith to explicitly match the beginning or end of the event field.

    1. Choose from the following fields.

       • readOnly - readOnly can be set to equals a value of true or false. Read-only data events are events that do not change the state of a resource, such as Get* or Describe* events. Write events add, change, or delete resources, attributes, or artifacts, such as Put*, Delete*, or Write* events. To log both read and write events, don't add a readOnly selector.

       • eventName - eventName can use any operator. You can use it to include or exclude any data event logged to CloudTrail, such as PutBucket, GetItem, or GetSnapshotBlock.

       • resources.ARN - You can use any operator with resources.ARN, but if you use equals or does not equal, the value must exactly match the ARN of a valid resource of the type you've specified in the template as the value of resources.type. For more information, see Filtering data events by resources.ARN.

         Note

         You can't use the resources.ARN field to filter resource types that do not have ARNs.

       For more information about the ARN formats of data event resources, see Actions, resources, and condition keys in the AWS Identity and Access Management User Guide.

    2. For each field, choose + Condition to add as many conditions as you need, up to a maximum of 500 specified values for all conditions. For example, to exclude data events for two S3 buckets from data events that are logged on your event data store, you can set the field to resources.ARN, set the operator for does not start with, and then paste in an S3 bucket ARN for which you do not want to log events.

       To add the second S3 bucket, choose + Condition, and then repeat the preceding instruction, pasting in the ARN for or browsing for a different bucket.

       For information about how CloudTrail evaluates multiple conditions, see How CloudTrail evaluates multiple conditions for a field.

       Note

       You can have a maximum of 500 values for all selectors on an event data store. This includes arrays of multiple values for a selector such as eventName. If you have single values for all selectors, you can have a maximum of 500 conditions added to a selector.

    3. Choose + Field to add additional fields as required. To avoid errors, do not set conflicting or duplicate values for fields. For example, do not specify an ARN in one selector to be equal to a value, then specify that the ARN not equal the same value in another selector.

16. To add resource type on which to log data events, choose Add data event type. Repeat steps 12 through this step to configure advanced event selectors for the resource type.

17. To log network activity events, choose Network activity events. Network activity events enable VPC endpoint owners to record AWS API calls made using their VPC endpoints from a private VPC to the AWS service. Additional charges apply for logging data events. For more information, see AWS CloudTrail Pricing.

    Note

    Network activity events is in preview release for CloudTrail and is subject to change.

    To log network activity events, do the following:

    1. From Network activity event source, choose the source for network activity events.

    2. In Log selector template, choose a template. You can choose to log all network activity events, log all network activity access denied events, or choose Custom to build a custom log selector to filter on multiple fields, such as eventName and vpcEndpointId.

    3. (Optional) Enter a name to identify the selector. The selector name is listed as Name in the advanced event selector and is viewable if you expand the JSON view.

    4. In Advanced event selectors build expressions by choosing values for Field, Operator, and Value. You can skip this step if you are using a predefined log template.

       1. For excluding or including network activity events, you can choose from the following fields in the console.

          • eventName – You can use any operator with eventName. You can use it to include or exclude any event, such as CreateKey.

          • errorCode – You can use it to filter on an error code. Currently, the only supported errorCode is VpceAccessDenied.

          • vpcEndpointId – Identifies the VPC endpoint that the operation passed through. You can use any operator with vpcEndpointId.

       2. For each field, choose + Condition to add as many conditions as you need, up to a maximum of 500 specified values for all conditions.

       3. Choose + Field to add additional fields as required. To avoid errors, do not set conflicting or duplicate values for fields.

    5. To add another event source for which you want to log network activity events, choose Add network activity event selector.

    6. Optionally, expand JSON view to see your advanced event selectors as a JSON block.

18. Choose Insights events if you want your trail to log CloudTrail Insights events.

    In Event type, select Insights events. In Insights events, choose API call rate, API error rate, or both. You must be logging Write management events to log Insights events for API call rate. You must be logging Read or Write management events to log Insights events for API error rate.

    CloudTrail Insights analyzes management events for unusual activity, and logs events when anomalies are detected. By default, trails don't log Insights events. For more information about Insights events, see Logging Insights events. Additional charges apply for logging Insights events. For CloudTrail pricing, see AWS CloudTrail Pricing.

    Insights events are delivered to a different folder named /CloudTrail-Insightof the same S3 bucket that is specified in the Storage location area of the trail details page. CloudTrail creates the new prefix for you. For example, if your current destination S3 bucket is named amzn-s3-demo-destination-bucket/AWSLogs/CloudTrail/, the S3 bucket name with a new prefix is named amzn-s3-demo-destination-bucket/AWSLogs/CloudTrail-Insight/.

19. When you are finished choosing event types to log, choose Next.

20. On the Review and create page, review your choices. Choose Edit in a section to change the trail settings shown in that section. When you are ready to create the trail, choose Create trail.

21. The new trail appears on the Trails page. An organization trail might take up to 24 hours to be created in all Regions in all member accounts. The Trails page shows the trails in your account from all Regions. In about 5 minutes, CloudTrail publishes log files that show the AWS API calls made in your organization. You can see the log files in the Amazon S3 bucket that you specified.