AWS CloudTrail
User Guide (Version 1.0)

Overview for Creating a Trail

You can configure the following settings when you create or update a trail with the CloudTrail console or the AWS Command Line Interface (AWS CLI). Both methods follow the same steps:

  1. Create a trail. By default, when you create a trail in the CloudTrail console, the trail applies to all regions. A trail created with the AWS CLI applies only to the region it is created in unless you specify the --is-multi-region-trail option.

  2. Create an Amazon S3 bucket or specify an existing bucket where you want the log files delivered. By default, log files from all regions in your account are delivered to the bucket that you specify.

  3. Configure your trail to log read-only, write-only, or all management and data events. By default, trails log all management events and no data events; data events (for example, Amazon S3 object-level API activity) must be selected explicitly and incur additional charges.

  4. Create an Amazon SNS topic to receive notifications when log files are delivered. Delivery notifications from all regions are sent to the topic that you specify. The topic's access policy must allow the CloudTrail service to publish to it; the console sets this up for a topic it creates, whereas with the AWS CLI the topic must already exist.

  5. Configure CloudWatch Logs to receive your logs from CloudTrail so that you can monitor for specific log events. This requires a CloudWatch Logs log group and an IAM role that CloudTrail can assume to write to that log group.

  6. Change the encryption method for your log files from server-side encryption with Amazon S3-managed encryption keys (SSE-S3) to server-side encryption with AWS KMS–managed keys (SSE-KMS). The key policy of the KMS key must allow CloudTrail to use the key, and anyone who needs to read the log files must be allowed to decrypt with it.

  7. Turn on integrity validation for log files. This enables the delivery of digest files, signed by CloudTrail and containing the hash of each log file delivered in the previous hour, that you can use to verify after delivery that no log file was modified, deleted, or left undelivered.

  8. Add tags (custom key-value pairs) to your trail.
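The eight steps above as a single AWS CLI script, added here as an example; it is not part of the User Guide. All names are placeholders (account ID 123456789012, region us-east-1, trail org-trail, and the bucket, topic, log group, role and KMS alias shown), and the CloudWatch Logs IAM role and the KMS key are assumed to already exist with the trust policy and key policy CloudTrail requires. Each aws command is only printed for review unless APPLY=1 is set in the environment.

```shell
# Added example, not from the CloudTrail User Guide. All names are placeholders;
# the CloudWatch Logs role and the KMS key are assumed to exist with the policies
# CloudTrail needs. Commands are printed, and executed only when APPLY=1.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
REGION="${REGION:-us-east-1}"
TRAIL_NAME="${TRAIL_NAME:-org-trail}"
BUCKET="${BUCKET:-cloudtrail-logs-${ACCOUNT_ID}}"
TOPIC_NAME="${TOPIC_NAME:-cloudtrail-delivery}"
LOG_GROUP="${LOG_GROUP:-cloudtrail-logs}"
LOGS_ROLE="${LOGS_ROLE:-CloudTrail_CloudWatchLogs_Role}"   # assumed to exist
KMS_KEY_ID="${KMS_KEY_ID:-alias/cloudtrail-logs}"          # assumed to exist
TRAIL_ARN="arn:aws:cloudtrail:${REGION}:${ACCOUNT_ID}:trail/${TRAIL_NAME}"
TOPIC_ARN="arn:aws:sns:${REGION}:${ACCOUNT_ID}:${TOPIC_NAME}"

run() {
  # Print the command; execute it only when APPLY=1.
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Step 2: the bucket policy CloudTrail needs before it can deliver. The
# aws:SourceArn condition pins the grant to this trail, so a trail in another
# account cannot be pointed at this bucket.
bucket_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Sid":"AWSCloudTrailAclCheck","Effect":"Allow",
  "Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"s3:GetBucketAcl",
  "Resource":"arn:aws:s3:::${BUCKET}",
  "Condition":{"StringEquals":{"aws:SourceArn":"${TRAIL_ARN}"}}},
 {"Sid":"AWSCloudTrailWrite","Effect":"Allow",
  "Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"s3:PutObject",
  "Resource":"arn:aws:s3:::${BUCKET}/AWSLogs/${ACCOUNT_ID}/*",
  "Condition":{"StringEquals":{"s3:x-amz-acl":"bucket-owner-full-control",
                               "aws:SourceArn":"${TRAIL_ARN}"}}}]}
EOF
}

# Step 4: the topic policy that lets CloudTrail publish delivery notifications.
topic_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Sid":"AWSCloudTrailSNSPolicy","Effect":"Allow",
 "Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"SNS:Publish",
 "Resource":"${TOPIC_ARN}","Condition":{"StringEquals":{"aws:SourceArn":"${TRAIL_ARN}"}}}]}
EOF
}

create_bucket() {
  if [ "$REGION" = "us-east-1" ]; then
    run aws s3api create-bucket --bucket "$BUCKET" --region "$REGION"
  else
    run aws s3api create-bucket --bucket "$BUCKET" --region "$REGION" \
      --create-bucket-configuration "LocationConstraint=${REGION}"
  fi
  run aws s3api put-public-access-block --bucket "$BUCKET" --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  run aws s3api put-bucket-policy --bucket "$BUCKET" --policy "$(bucket_policy)"
}

create_notification_targets() {
  # Steps 4 and 5: unlike the console, the CLI does not create these for you.
  run aws sns create-topic --name "$TOPIC_NAME"
  run aws sns set-topic-attributes --topic-arn "$TOPIC_ARN" --attribute-name Policy \
    --attribute-value "$(topic_policy)"
  run aws logs create-log-group --log-group-name "$LOG_GROUP"
}

create_trail() {
  # Steps 1 and 4 to 8 in one call. --is-multi-region-trail is not the CLI default.
  run aws cloudtrail create-trail --name "$TRAIL_NAME" --s3-bucket-name "$BUCKET" \
    --is-multi-region-trail --include-global-service-events \
    --sns-topic-name "$TOPIC_NAME" \
    --cloud-watch-logs-log-group-arn "arn:aws:logs:${REGION}:${ACCOUNT_ID}:log-group:${LOG_GROUP}:*" \
    --cloud-watch-logs-role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${LOGS_ROLE}" \
    --kms-key-id "$KMS_KEY_ID" --enable-log-file-validation \
    --tags-list Key=Owner,Value=security Key=DataClass,Value=audit
}

set_event_selectors() {
  # Step 3: all management events, plus S3 data events for the log bucket itself
  # so that reads of the audit log are recorded too. Data events are billed
  # separately from management events.
  run aws cloudtrail put-event-selectors --trail-name "$TRAIL_NAME" --event-selectors \
    "[{\"ReadWriteType\":\"All\",\"IncludeManagementEvents\":true,\"DataResources\":[{\"Type\":\"AWS::S3::Object\",\"Values\":[\"arn:aws:s3:::${BUCKET}/\"]}]}]"
}

start_logging() {
  # create-trail does not start delivery: a trail created with the CLI stays
  # stopped until start-logging is called.
  run aws cloudtrail start-logging --name "$TRAIL_NAME"
}

validate_logs() {
  # Step 7 in use: check delivered log files against their digest files.
  run aws cloudtrail validate-logs --trail-arn "$TRAIL_ARN" --start-time "$1"
}

create_bucket
create_notification_targets
create_trail
set_event_selectors
start_logging
validate_logs 20240101T00:00:00Z
```

Run it once without APPLY to read the exact commands and policies it would apply, then with APPLY=1 and credentials for the target account. Keep the log bucket in a separate account from the workloads it records where you can; the bucket policy's aws:SourceArn condition still limits delivery to the one trail.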