Troubleshooting AWS CloudTrail identity and access - AWS CloudTrail

Use the following information to help you diagnose and fix common issues that you might encounter when working with CloudTrail and IAM.

I am not authorized to perform an action in CloudTrail

If the AWS Management Console tells you that you're not authorized to perform an action, contact your administrator for assistance. Your administrator is the person who provided you with your user name and password.

The following example error occurs when the mateojackson IAM user tries to use the console to view details about a trail but has neither the appropriate CloudTrail managed policy (AWSCloudTrail_FullAccess or AWSCloudTrailReadOnlyAccess) nor equivalent permissions attached to the user.

User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: cloudtrail:GetTrailStatus on resource: My-Trail

In this case, Mateo asks his administrator to update his policies to allow him to access trail information and status in the console.
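The error above names the three things an administrator needs in order to fix it: the principal, the denied action and the resource. The following added example (not code from the AWS documentation) parses that message and then tests a candidate IAM policy against it using a simplified model of IAM evaluation logic (an explicit Deny wins, otherwise a matching Allow, otherwise implicit deny). The candidate policy, the trail name and the account ID are constructed for illustration; the model ignores conditions, NotAction, permission boundaries, SCPs and resource policies, so use it as a quick pre-check before confirming with the IAM policy simulator.

```python
"""Added example, not from the AWS CloudTrail documentation: parse a
CloudTrail AccessDenied message and check whether a candidate identity
policy would allow the denied action, with a simplified IAM evaluation
model (explicit Deny > Allow > implicit deny). Conditions, NotAction,
SCPs, permission boundaries and resource policies are not modelled."""
import fnmatch
import json
import re

# Constructed sample: the console error quoted on the page for the
# mateojackson IAM user (account 123456789012 is a documentation example).
ERROR_MESSAGE = ("User: arn:aws:iam::123456789012:user/mateojackson is not "
                 "authorized to perform: cloudtrail:GetTrailStatus on "
                 "resource: My-Trail")

ERROR_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)")

# Constructed candidate policy: the read-only actions the console needs to
# show trail details, plus an explicit Deny on the two calls that would
# silence the audit trail. Resource "*" is used because several CloudTrail
# read calls are not resource-scoped.
READ_ONLY_TRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
                    "cloudtrail:GetEventSelectors", "cloudtrail:LookupEvents"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ],
}


def parse_access_denied(message: str) -> dict:
    """Extract principal, action and resource from an AccessDenied message."""
    m = ERROR_RE.search(message)
    if not m:
        raise ValueError("not an AccessDenied message: %r" % message)
    return m.groupdict()


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM action names are matched case-insensitively and support '*' and
    # '?' wildcards; fnmatch covers both once the strings are lowercased.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower())
               for p in _as_list(patterns))


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise NotImplementedError("NotAction/NotResource not modelled")
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny always wins
        decision = "Allow"         # keep looking for a later explicit deny
    return decision


def diagnose(message: str, policy: dict) -> dict:
    """What was denied, and what the candidate policy would decide for it."""
    denied = parse_access_denied(message)
    denied["decision"] = evaluate(policy, denied["action"], denied["resource"])
    return denied


if __name__ == "__main__":
    print(json.dumps(diagnose(ERROR_MESSAGE, READ_ONLY_TRAIL_POLICY), indent=2))
```

Running the script reports an "Allow" decision for cloudtrail:GetTrailStatus under the candidate policy, while a request for cloudtrail:StopLogging would be explicitly denied and an action the policy does not mention (for example cloudtrail:CreateTrail) falls through to implicit deny, which is the behaviour a least-privilege read-only grant should have.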

If you are signed in with an IAM user or role that has the AWSCloudTrail_FullAccess managed policy or its equivalent permissions, and you cannot configure AWS Config or Amazon CloudWatch Logs integration with a trail, you might be missing the required permissions for integration with those services. For more information, see Granting permission to view AWS Config information on the CloudTrail console and Granting permission to view and configure Amazon CloudWatch Logs information on the CloudTrail console.

I'm an administrator and want to allow others to access CloudTrail

To allow others to access CloudTrail, you must create an IAM entity (user, group, or role) for the person or application that needs access. They use the credentials for that entity to access AWS. You must then attach a policy to the entity that grants the CloudTrail permissions they need. For examples of how to do this, see Granting custom permissions for CloudTrail users and Granting permissions for CloudTrail administration.

I want to allow people outside of my AWS account to access my CloudTrail resources

You can create a role and share CloudTrail information between multiple AWS accounts. For more information, see Sharing CloudTrail log files between AWS accounts.

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.
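Because the trust policy decides who can assume a cross-account role, it is the part worth checking before the role is shared. The following added example (not code from the AWS documentation) builds a trust policy that trusts only specific accounts and then lints a trust policy for the weaknesses an administrator should rule out: a wildcard principal, a principal outside the expected accounts, and a principal outside the organization trusted without an sts:ExternalId condition. The account IDs are constructed placeholders, and the ExternalId check is deliberately strict for every external principal, which is the page's case of people outside your organization.

```python
"""Added example, not from the AWS CloudTrail documentation: build and lint
a cross-account role trust policy. Account IDs are constructed placeholders;
the lint models only the checks named in the comments below."""
import fnmatch
import re

# A principal ARN in a trust policy names an account root, a user or a role.
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")


def trust_policy(trusted_accounts, external_id=None) -> dict:
    """Trust policy that lets only the listed accounts assume the role."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::%s:root" % a for a in trusted_accounts]},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        # ExternalId prevents the confused-deputy problem when a third party
        # assumes the role on your behalf.
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def _principals(stmt):
    """Normalise the Principal element to a list of AWS principal strings."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return []


def _grants_assume_role(stmt) -> bool:
    actions = stmt.get("Action", [])
    actions = actions if isinstance(actions, list) else [actions]
    return any(fnmatch.fnmatchcase("sts:assumerole", a.lower()) for a in actions)


def lint_trust_policy(policy: dict, allowed_accounts) -> list:
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    allowed = set(allowed_accounts)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _grants_assume_role(stmt):
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        has_external_id = "sts:ExternalId" in condition
        for principal in _principals(stmt):
            if principal == "*":
                findings.append("wildcard principal: any AWS account could assume this role")
                continue
            m = ACCOUNT_RE.match(principal)
            if not m:
                findings.append("unrecognised principal %r" % principal)
            elif m.group(1) not in allowed:
                findings.append("principal %s is outside the expected accounts" % principal)
            elif not has_external_id:
                findings.append("principal %s trusted without an sts:ExternalId condition" % principal)
    return findings


if __name__ == "__main__":
    # Constructed placeholder account IDs.
    good = trust_policy(["111122223333"], external_id="example-external-id")
    print("good policy findings:", lint_trust_policy(good, ["111122223333"]))
    wrong_account = trust_policy(["444455556666"], external_id="example-external-id")
    print("wrong account findings:", lint_trust_policy(wrong_account, ["111122223333"]))
```

The lint returns no findings for the policy built with the expected account and an ExternalId, one finding when the trusted account is not in the allowed list, and a wildcard-principal finding for a policy whose Principal is "*"; reviewing those three conditions before publishing the role covers the "who is trusted to assume the role" question the paragraph above raises.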

To learn more, consult the following: