Working with CloudTrail trails - AWS CloudTrail

Trails capture a record of AWS activities, delivering and storing these events in an Amazon S3 bucket, with optional delivery to CloudWatch Logs and Amazon EventBridge.

You can deliver one copy of your ongoing management events to your S3 bucket at no charge from CloudTrail by creating a trail; however, Amazon S3 storage charges still apply to the delivered log files. For more information about CloudTrail pricing, see AWS CloudTrail Pricing. For information about Amazon S3 pricing, see Amazon S3 Pricing.

You can create two types of trails for an AWS account: multi-Region trails and single-Region trails.

Multi-Region trails

When you create a multi-Region trail, CloudTrail records events in all AWS Regions in the AWS partition in which you are working and delivers the CloudTrail event log files to an S3 bucket that you specify. If an AWS Region is added after you create a multi-Region trail, that new Region is automatically included, and events in that Region are logged. Creating a multi-Region trail is a recommended best practice because it captures activity in every Region of your account, including Regions you do not normally use, so activity there does not go unrecorded. All trails you create using the CloudTrail console are multi-Region. You can convert a single-Region trail to a multi-Region trail by using the AWS CLI. For more information, see Creating a trail in the console and Converting a trail that applies to one Region to apply to all Regions.

Single-Region trails

When you create a single-Region trail, CloudTrail records the events in that Region only and delivers the CloudTrail event log files to an Amazon S3 bucket that you specify. You can create a single-Region trail only by using the AWS CLI or the CloudTrail API; single-Region is the default when you create a trail that way. If you create additional single-Region trails, they can deliver CloudTrail event log files to the same S3 bucket or to separate buckets. For more information, see Creating, updating, and managing trails with the AWS Command Line Interface.

Note

For both types of trails, you can specify an Amazon S3 bucket from any Region.

If you have created an organization in AWS Organizations, you can create an organization trail that logs all events for all AWS accounts in that organization. Organization trails can apply to all AWS Regions, or the current Region. Organization trails must be created using the management account or delegated administrator account, and when specified as applying to an organization, are automatically applied to all member accounts in the organization. Member accounts can see the organization trail, but cannot modify or delete it. By default, member accounts do not have access to the log files for an organization trail in the Amazon S3 bucket. For more information, see Creating a trail for an organization.
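The following Python script is an added example, not code from the AWS documentation. It audits the trail configuration described in the multi-Region, single-Region and organization trail sections above: it flags single-Region trails and emits the `update-trail` command that converts them, flags trails that exist but are stopped or have log file validation disabled, reports delivery errors, recognises organization trails that a member account can see but not modify, and finally checks whether any multi-Region trail is actually logging and delivering. The DescribeTrails and GetTrailStatus responses are constructed samples in the documented response shape; the trail names, bucket names and account IDs are made up. Replace them with boto3 or `aws cloudtrail describe-trails` / `get-trail-status` output to run it against a real account.

```python
"""Audit CloudTrail trails for the gaps this page describes.

Added example (not AWS code). Input is the response shape of the
DescribeTrails and GetTrailStatus APIs; the samples are constructed so the
script runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of `aws cloudtrail describe-trails`
# (trail names, buckets and account IDs are made up).
SAMPLE_TRAILS = [
    {   # single-Region trail created with the CLI defaults and never converted
        "Name": "legacy-us-east-1",
        "S3BucketName": "example-logs-111122223333",
        "HomeRegion": "us-east-1",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-us-east-1",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
        "IsOrganizationTrail": False,
    },
    {   # organization trail owned by the management account, visible in this member account
        "Name": "org-trail",
        "S3BucketName": "org-logs-999988887777",
        "HomeRegion": "eu-west-1",
        "TrailARN": "arn:aws:cloudtrail:eu-west-1:999988887777:trail/org-trail",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "IsOrganizationTrail": True,
    },
    {   # multi-Region trail whose bucket currently rejects delivery
        "Name": "all-regions",
        "S3BucketName": "example-logs-111122223333",
        "HomeRegion": "us-west-2",
        "TrailARN": "arn:aws:cloudtrail:us-west-2:111122223333:trail/all-regions",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "IsOrganizationTrail": False,
    },
]

# Constructed sample in the shape of `aws cloudtrail get-trail-status`, keyed by trail name.
SAMPLE_STATUS = {
    "legacy-us-east-1": {"IsLogging": False, "LatestDeliveryError": ""},
    "org-trail": {"IsLogging": True, "LatestDeliveryError": ""},
    "all-regions": {"IsLogging": True, "LatestDeliveryError": "AccessDenied"},
}


@dataclass(frozen=True)
class Finding:
    trail: str
    kind: str
    detail: str
    remediation: str


def owner_account(trail_arn: str) -> str:
    """Account ID field of an ARN: arn:partition:service:region:account:resource."""
    return trail_arn.split(":")[4]


def audit_trails(trails: List[dict], status_by_name: Dict[str, dict], my_account: str) -> List[Finding]:
    """Return one Finding per gap; an empty list means every check passed."""
    findings: List[Finding] = []
    covered = False  # does at least one multi-Region trail log and deliver successfully?
    for t in trails:
        name, home = t["Name"], t["HomeRegion"]
        status = status_by_name.get(name, {})
        logging = bool(status.get("IsLogging"))
        delivery_error = status.get("LatestDeliveryError", "")
        region = f"--region {home}"  # update-trail / start-logging must run in the trail's home Region

        if t.get("IsOrganizationTrail") and owner_account(t["TrailARN"]) != my_account:
            findings.append(Finding(name, "managed-by-organization",
                f"organization trail owned by account {owner_account(t['TrailARN'])}; "
                "this account can see it but cannot modify or delete it",
                "change it from the management or delegated administrator account"))
        if not t.get("IsMultiRegionTrail"):
            findings.append(Finding(name, "single-region",
                f"records events in {home} only",
                f"aws cloudtrail update-trail --name {name} --is-multi-region-trail {region}"))
        if not t.get("LogFileValidationEnabled"):
            findings.append(Finding(name, "log-validation-disabled",
                "delivered log files carry no digest files for tamper detection",
                f"aws cloudtrail update-trail --name {name} --enable-log-file-validation {region}"))
        if not logging:
            findings.append(Finding(name, "not-logging",
                "trail exists but is stopped; nothing is being delivered",
                f"aws cloudtrail start-logging --name {name} {region}"))
        if delivery_error:
            findings.append(Finding(name, "delivery-error",
                f"last delivery to s3://{t['S3BucketName']} failed: {delivery_error}",
                "bucket policy must allow cloudtrail.amazonaws.com s3:GetBucketAcl and s3:PutObject"))
        if t.get("IsMultiRegionTrail") and logging and not delivery_error:
            covered = True

    if not covered:
        findings.append(Finding("(account)", "no-multi-region-coverage",
            "no multi-Region trail is logging and delivering; activity in other Regions is unrecorded",
            "create a multi-Region trail, or fix the trails flagged above"))
    return findings


if __name__ == "__main__":
    for f in audit_trails(SAMPLE_TRAILS, SAMPLE_STATUS, "111122223333"):
        print(f"[{f.kind}] {f.trail}: {f.detail}\n    fix: {f.remediation}")
```

On the constructed sample the script reports the legacy trail three times (single-Region, validation off, stopped), notes that the organization trail can only be changed by its owning account, and flags the `AccessDenied` delivery error on the multi-Region trail; no account-wide coverage finding is raised because the organization trail already delivers from every Region. Note that `describe-trails` run in one Region lists multi-Region trails homed elsewhere as shadow trails, which is why the remediation commands carry the trail's home Region explicitly.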