Controlling user permissions for CloudTrail trails

AWS CloudTrail integrates with AWS Identity and Access Management (IAM) to help you to control access to CloudTrail and other AWS resources that CloudTrail requires. Examples of these resources include Amazon S3 buckets and Amazon Simple Notification Service (Amazon SNS) topics. You can use IAM to control which AWS users can create, configure, or delete CloudTrail trails, start and stop logging, and access the buckets that contain log information. To learn more, see Identity and Access Management for AWS CloudTrail.

The following topics help you understand permissions, policies, and CloudTrail security:

Granting permissions for CloudTrail administration
Amazon S3 bucket naming rules
Amazon S3 bucket policy for CloudTrail
An example of a bucket policy for an organization trail in Creating a trail for an organization with the AWS Command Line Interface.
Amazon SNS topic policy for CloudTrail
Encrypting CloudTrail log files with AWS KMS keys (SSE-KMS)
Required permissions for copying trail events
Required permissions to assign a delegated administrator
Default KMS key policy created in CloudTrail console
Granting permission to view AWS Config information on the CloudTrail console
Sharing CloudTrail log files between AWS accounts
Required permissions for creating an organization trail
Using a previously-existing IAM role to add monitoring of an organization trail to Amazon CloudWatch Logs

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Create multiple trails

Supported VPC endpoints