AWS CloudTrail
User Guide (Version 1.0)

Creating a Trail for an Organization

If you have created an organization in AWS Organizations, you can create a trail that will log all events for all AWS accounts in that organization. This is sometimes referred to as an organization trail. You can also choose to edit an existing trail in the master account and apply it to an organization, making it an organization trail. Organization trails log events for the master account and all member accounts in the organization. For more information about AWS Organizations, see Organizations Terminology and Concepts.

Note

You must be logged in with the master account for the organization in order to create an organization trail. You must also have sufficient permissions for the IAM user or role in the master account in order to successfully create an organization trail. If you do not have sufficient permissions, you will not see the option to apply a trail to an organization.

When you create an organization trail, a trail with the name that you give it is created in every AWS account that belongs to your organization. Users with CloudTrail permissions in member accounts can see this trail when they log in to the AWS CloudTrail console from their AWS accounts, or when they run AWS CLI commands such as describe-trails. However, users in member accounts do not have sufficient permissions to delete the organization trail, turn logging on or off, change what types of events are logged, or otherwise alter the organization trail in any way.

When you create an organization trail in the console, or when you enable CloudTrail as a trusted service in AWS Organizations, a service-linked role is created to perform logging tasks in your organization's member accounts. This role is named AWSServiceRoleForCloudTrail, and is required for CloudTrail to successfully log events for an organization. If an AWS account is added to an organization, the organization trail and service-linked role are added to that AWS account, and logging for that account begins automatically in the organization trail. If an AWS account is removed from an organization, the organization trail and service-linked role are deleted from the AWS account that is no longer part of the organization. However, log files for that removed account created prior to the account's removal remain in the Amazon S3 bucket where log files are stored for the trail.

In the following example, a user in the master account 111111111111 creates a trail named MyOrganizationTrail for the organization o-exampleorgid. The trail logs activity for all accounts in the organization in the same Amazon S3 bucket. All accounts in the organization can see MyOrganizationTrail in their list of trails, but member accounts will not be able to remove or modify the organization trail. Only the master account will be able to change or delete the trail for the organization, just as only the master account can remove a member account from an organization. Similarly, by default, only the master account has access to the Amazon S3 bucket my-organization-bucket for the trail and the logs contained within it. The high-level bucket structure for log files contains a folder named with the organization ID, with subfolders named with the account IDs for each account in the organization. Events for each member account are logged in the folder that corresponds to the member account ID. If member account 444444444444 is removed from the organization at some point in the future, MyOrganizationTrail and the service-linked role will no longer appear in AWS account 444444444444, and no further events will be logged for that account by the organization trail. However, the 444444444444 folder remains in the Amazon S3 bucket, with all logs created before the removal of the account from the organization.

[Figure: A conceptual overview of a sample organization in Organizations, how that organization is logged by a CloudTrail organization trail, and the resulting high-level folder structure in the Amazon S3 bucket.]

In this example, the ARN of the trail created in the master account is arn:aws:cloudtrail:us-east-2:111111111111:trail/MyOrganizationTrail. This same ARN identifies the trail in all member accounts as well.
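The bucket layout described above, worked through as an added example (not AWS's own code): it maps organization-trail object keys back to the organization ID and member account ID, and reports account folders that still hold logs after the account has left the organization. It assumes the standard CloudTrail key layout AWSLogs/<org-id>/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz (the page only names the org-ID folder and its account-ID subfolders); the sample keys are constructed.

```python
import re
from collections import defaultdict

# Assumed standard layout for organization-trail event logs. An optional bucket
# prefix may precede "AWSLogs/"; digest files (CloudTrail-Digest/) are excluded.
ORG_KEY_RE = re.compile(
    r"^(?:.*/)?AWSLogs/(?P<org>o-[a-z0-9]+)/(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/[^/]+\.json\.gz$"
)


def _key(org, acct, region, ymd, suffix):
    """Build a constructed sample key in the assumed layout."""
    y, m, d = ymd.split("-")
    name = f"{acct}_CloudTrail_{region}_{y}{m}{d}T0000Z_{suffix}.json.gz"
    return f"AWSLogs/{org}/{acct}/CloudTrail/{region}/{y}/{m}/{d}/{name}"


# Constructed keys for the trail on this page: three member accounts, one of
# which (444444444444) was later removed, plus two keys that are not org events.
SAMPLE_KEYS = [
    _key("o-exampleorgid", "111111111111", "us-east-2", "2019-03-01", "a"),
    _key("o-exampleorgid", "222222222222", "us-east-2", "2019-03-01", "b"),
    _key("o-exampleorgid", "444444444444", "us-east-2", "2019-02-28", "c"),
    # An account-level trail writes under AWSLogs/<account>/ with no org folder.
    "AWSLogs/111111111111/CloudTrail/us-east-2/2019/03/01/x.json.gz",
    # Digest files are integrity records, not event logs.
    "AWSLogs/o-exampleorgid/444444444444/CloudTrail-Digest/us-east-2/2019/02/28/y.json.gz",
]


def parse_org_trail_key(key):
    """Return org, account, region and date for an org-trail event key, else None."""
    m = ORG_KEY_RE.match(key)
    if not m:
        return None
    return {"org": m["org"], "account": m["account"], "region": m["region"],
            "date": f"{m['y']}-{m['m']}-{m['d']}"}


def logs_by_account(keys, org_id):
    """Group one organization trail's event keys by member account ID."""
    groups = defaultdict(list)
    for key in keys:
        info = parse_org_trail_key(key)
        if info and info["org"] == org_id:
            groups[info["account"]].append(key)
    return dict(groups)


def retained_after_removal(keys, org_id, current_members):
    """Account folders that still hold logs although the account is no longer a member."""
    return {acct: ks for acct, ks in logs_by_account(keys, org_id).items()
            if acct not in current_members}
```

Feed it the keys from a real listing of my-organization-bucket and the current member list from Organizations to find folders left behind by removed accounts, which you may want to retain or archive deliberately rather than discover by accident.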

Organization trails are similar to regular trails in many ways. You can create multiple trails for your organization, and choose whether to create an organization trail in all regions or a single region, and what kinds of events you want logged in your organization trail, just as in any other trail. However, there are some differences. For example, when creating a trail in the console and choosing whether to log data events for Amazon S3 buckets or AWS Lambda functions, the only resources listed in the CloudTrail console are those for the master account, but you can add the ARNs for resources in member accounts. Data events for specified member account resources will be logged without having to manually configure cross-account access to those resources. For more information about logging management events and data events, see Logging Data and Management Events for Trails.

You can also configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs for an organization trail the same way you would for any other trail. For example, you can analyze the data in an organization trail using Amazon Athena. For more information, see AWS Service Integrations With CloudTrail Logs.