Receiving CloudTrail log files from multiple Regions - AWS CloudTrail

You can configure CloudTrail to deliver log files from multiple Regions to a single S3 bucket for a single account. For example, suppose you have a trail in the US West (Oregon) Region that is configured to deliver log files to an S3 bucket and a CloudWatch Logs log group. When you change that existing single-Region trail to log all Regions, CloudTrail logs events from all Regions that are in a single AWS partition in your account, and delivers the log files to the same S3 bucket and CloudWatch Logs log group. As long as CloudTrail has permissions to write to the S3 bucket, the bucket for a multi-Region trail does not have to be in the trail's home Region.

To log events across all Regions in all AWS partitions in your account, create a multi-Region trail in each partition.

In the console, by default, you create a trail that logs events in all AWS Regions in the AWS partition in which you are working. This is a recommended best practice. To log events in a single Region (not recommended), use the AWS CLI. To configure an existing single-Region trail to log in all Regions, you must use the AWS CLI.

To change an existing trail so that it applies to all Regions, add the --is-multi-region-trail option to the update-trail command.

aws cloudtrail update-trail --name my-trail --is-multi-region-trail

To confirm that the trail now applies to all Regions, check that the IsMultiRegionTrail element in the output is true.

{
    "IncludeGlobalServiceEvents": true,
    "Name": "my-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": true,
    "IsOrganizationTrail": false,
    "S3BucketName": "my-bucket"
}

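The following script is an added example, not code from the AWS documentation page: it scripts the update-trail step above and then reads the trail settings back and checks them, so that the verification is not left to eyeballing the JSON. It goes one step beyond the page by also flagging LogFileValidationEnabled, which the page's sample response shows as false; the --enable-log-file-validation option of update-trail and the describe-trails command are standard AWS CLI commands. The two JSON documents are constructed samples that mirror the response shown on the page, so the checks run offline; the live aws calls run only when the (hypothetical) TRAIL_NAME environment variable is set and AWS credentials are available.

```shell
#!/bin/sh
# Added example, not from the AWS CloudTrail documentation page.
# Audits a trail description (the JSON returned by `update-trail` or
# `describe-trails`) for the two settings a defender cares about here:
#   IsMultiRegionTrail=true      -> activity in every Region of the partition is logged
#   LogFileValidationEnabled=true -> delivered log files can be integrity-checked
# The JSON below is constructed to mirror the page's sample response, so the
# script runs offline; the `aws` invocations run only when TRAIL_NAME is set.

# Constructed sample: the response shown on the page (multi-Region, no validation).
SAMPLE_MULTI='{
    "IncludeGlobalServiceEvents": true,
    "Name": "my-trail",
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": true,
    "IsOrganizationTrail": false,
    "S3BucketName": "my-bucket"
}'

# Constructed sample: the same trail before the update (single-Region), on one line.
SAMPLE_SINGLE='{"Name": "my-trail", "IsMultiRegionTrail": false, "LogFileValidationEnabled": false, "S3BucketName": "my-bucket"}'

# json_bool_field JSON KEY: print the boolean literal stored under KEY.
# Uses only POSIX sed so it works on both one-line and pretty-printed output
# (no jq dependency); the first match wins if several trails are listed.
json_bool_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\([a-z]*\).*/\1/p" | head -n 1
}

# is_multi_region JSON: succeed only when IsMultiRegionTrail is true.
is_multi_region() {
    [ "$(json_bool_field "$1" IsMultiRegionTrail)" = "true" ]
}

# has_log_validation JSON: succeed only when LogFileValidationEnabled is true.
has_log_validation() {
    [ "$(json_bool_field "$1" LogFileValidationEnabled)" = "true" ]
}

# audit_trail JSON: print one line per finding and return the number of
# findings (0 means the trail covers all Regions and validates its log files).
audit_trail() {
    findings=0
    if ! is_multi_region "$1"; then
        echo "FINDING: trail is single-Region; fix: aws cloudtrail update-trail --name <trail> --is-multi-region-trail"
        findings=$((findings + 1))
    fi
    if ! has_log_validation "$1"; then
        echo "FINDING: log file validation is off; fix: aws cloudtrail update-trail --name <trail> --enable-log-file-validation"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Live mode (hypothetical TRAIL_NAME variable; needs AWS credentials):
# apply the page's update-trail command, then read the settings back with
# describe-trails rather than trusting the update call's own response.
if [ -n "${TRAIL_NAME:-}" ]; then
    aws cloudtrail update-trail --name "$TRAIL_NAME" --is-multi-region-trail >/dev/null
    LIVE_JSON=$(aws cloudtrail describe-trails --trail-name-list "$TRAIL_NAME")
    audit_trail "$LIVE_JSON"
    exit $?
fi

# Offline demo on the constructed samples.
echo "== before update =="
audit_trail "$SAMPLE_SINGLE" || echo "findings: $?"
echo "== after update (page's sample response) =="
audit_trail "$SAMPLE_MULTI" || echo "findings: $?"
```

Run it with no environment to see the offline demo, or with TRAIL_NAME=my-trail to apply and verify against a real trail. Reading the settings back with describe-trails is deliberate: a change that was rejected (for example by an SCP or a missing permission) would not show up in the update call's output alone.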
Note

When a new Region launches in the aws partition, CloudTrail automatically creates a trail for you in the new Region with the same settings as your original trail.

For more information, see the following resources: