AWS CloudTrail - AWS GovCloud (US)

AWS CloudTrail

With AWS CloudTrail, you can monitor your AWS deployments in the cloud by getting a history of AWS API calls for your account, including API calls made via the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. You can also identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CloudTrail logging on and off.

How AWS CloudTrail Differs for AWS GovCloud (US)

The following list details the differences for using this service in AWS GovCloud (US) Regions compared to other AWS Regions:

  • For all AWS GovCloud (US) accounts created after 12/15/2014, AWS CloudTrail event log delivery to Amazon S3 is enabled automatically. However, you must set up Amazon SNS notifications. You can turn off logging through the AWS CloudTrail console for the AWS GovCloud (US) Region.

  • If you are using AWS Direct Connect, you must enable CloudTrail in your standard AWS account (not your AWS GovCloud (US) account) and enable logging.

  • The Amazon S3 and Amazon SNS policy statements must refer to the ARN for AWS GovCloud (US) Regions. For more information, see Amazon Resource Names (ARNs) in GovCloud (US) Regions.

  • To enable CloudTrail to write log files to your bucket in AWS GovCloud (US) Regions, you can use the following policy.

    Warning

    If the bucket already has one or more policies attached, add the statements for CloudTrail access to that policy or policies. We recommend that you evaluate the resulting set of permissions to be sure they are appropriate for the users who will be accessing the bucket.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AWSCloudTrailAclCheck20131101",
          "Effect": "Allow",
          "Principal": { "Service": "cloudtrail.amazonaws.com" },
          "Action": "s3:GetBucketAcl",
          "Resource": "arn:aws-us-gov:s3:::myBucketName"
        },
        {
          "Sid": "AWSCloudTrailWrite20131101",
          "Effect": "Allow",
          "Principal": { "Service": "cloudtrail.amazonaws.com" },
          "Action": "s3:PutObject",
          "Resource": "arn:aws-us-gov:s3:::myBucketName/[optional] prefix/AWSLogs/myAccountID/*",
          "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
        }
      ]
    }

    For more information, see Amazon S3 Bucket Policy and Permissions for SNS Notifications.

    Note

    In AWS GovCloud (US) Regions, do not add CloudTrail account IDs of non-isolated regions to your policy templates, or an "Invalid principal in policy" error will occur. Similarly, if you are in a non-isolated region, do not add the CloudTrail account ID for AWS GovCloud (US) to your policy templates.
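The following Python is an added example, not part of the AWS documentation: it builds the two-statement bucket policy above for a given partition, bucket, optional prefix and account ID, and checks an existing policy for the two GovCloud-specific mistakes the text describes (a resource or ARN-form principal from the wrong partition, and a PutObject statement missing the bucket-owner-full-control condition). The function names and the sample bucket and account values are constructed for illustration.

```python
CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
GOVCLOUD_PARTITION = "aws-us-gov"  # ARN partition for AWS GovCloud (US) Regions


def build_cloudtrail_bucket_policy(bucket, account_id, prefix=None,
                                   partition=GOVCLOUD_PARTITION):
    """Build the two-statement CloudTrail bucket policy shown on the page,
    with the partition, bucket, optional key prefix and account ID filled in."""
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck20131101", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE},
             "Action": "s3:GetBucketAcl",
             "Resource": f"arn:{partition}:s3:::{bucket}"},
            {"Sid": "AWSCloudTrailWrite20131101", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE},
             "Action": "s3:PutObject",
             "Resource": f"arn:{partition}:s3:::{bucket}/{key_prefix}AWSLogs/{account_id}/*",
             # Forces delivered log objects to be owned by the bucket owner.
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


def check_govcloud_policy(policy, partition=GOVCLOUD_PARTITION):
    """Return findings for statements that would break CloudTrail delivery in
    the given partition; an empty list means the policy passed every check."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        resources = stmt.get("Resource", [])
        for arn in [resources] if isinstance(resources, str) else resources:
            if not arn.startswith(f"arn:{partition}:"):
                findings.append(f"{sid}: resource {arn} is outside partition {partition}")
        # ARN-form principals from the other partition cause "Invalid principal in policy".
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in [aws] if isinstance(aws, str) else aws:
            if p.startswith("arn:") and not p.startswith(f"arn:{partition}:"):
                findings.append(f"{sid}: principal {p} is from another partition")
        if stmt.get("Action") == "s3:PutObject":
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append(f"{sid}: PutObject lacks the bucket-owner-full-control condition")
    return findings
```

Bare account-ID principals carry no partition, so the checker can only flag principals written in ARN form.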

Documentation for AWS CloudTrail

AWS CloudTrail documentation.

Services Supported within CloudTrail

The following services are supported in the AWS GovCloud (US-West) Region:

AWS Service | Support Start Date
AWS Certificate Manager | 03/25/2016
AWS Certificate Manager Private Certificate Authority | 06/06/2019
API Gateway | 07/09/2015
Amazon Athena | 05/19/2017
Application Auto Scaling | 10/31/2016
Amazon Cloud Directory | 01/26/2017
AWS CloudFormation | 04/02/2014
AWS CloudHSM | 01/08/2015
AWS CloudTrail | 11/13/2013
AWS CodeBuild | 12/01/2016
AWS CodeCommit | 01/11/2017
AWS CodeDeploy | 12/16/2014
AWS CodePipeline | 07/09/2015
Amazon Comprehend | 01/17/2018
AWS Config | 02/10/2015
AWS DataSync | 11/26/2018
AWS Direct Connect | 03/08/2014
AWS Database Migration Service | 02/04/2016
AWS Directory Service | 05/14/2015
Amazon DynamoDB | 05/28/2015
Amazon Elastic Compute Cloud | 11/13/2013
Amazon Elastic Container Registry | 12/21/2015
Amazon Elastic Container Service | 04/09/2015
Amazon ElastiCache | 09/15/2014
AWS Elastic Beanstalk | 03/31/2014
Amazon Elastic File System | 06/28/2016
Elastic Load Balancing | 04/04/2014
Amazon Elastic Map Reduce (EMR) | 04/04/2014
Amazon Elasticsearch Service | 10/01/2015
Amazon CloudWatch Events | 01/16/2016
Amazon Kinesis Data Firehose | 03/17/2016
Amazon S3 Glacier | 12/11/2014
AWS Glue | 11/07/2017
AWS IoT Greengrass | 10/29/2018
Amazon GuardDuty | 02/12/2018
AWS Health | 11/21/2016
AWS Identity and Access Management | 11/13/2013
Amazon Inspector | 04/20/2016
AWS IoT | 04/11/2016
Amazon Kinesis | 04/25/2014
AWS Key Management Service | 11/12/2014
AWS Lambda | 04/09/2015
AWS License Manager | 03/01/2019
Amazon CloudWatch Logs | 03/10/2016
AWS Elemental MediaConvert | 11/27/2017
AWS Marketplace Marketing Service | 08/22/2018
Amazon CloudWatch | 04/30/2014
AWS Organizations | 02/27/2017
Amazon Polly | 11/30/2016
AWS Resource Access Manager | 11/20/2018
Amazon Relational Database Service | 11/13/2013
Amazon Redshift | 06/10/2014
Amazon Rekognition | 04/06/2018
AWS Resource Groups | 06/29/2018
Amazon Route 53 | 02/11/2015
Amazon Route 53 Resolver | 02/11/2015
Amazon Simple Storage Service | 09/01/2015
Amazon SageMaker | 01/11/2018
AWS Secrets Manager | 04/05/2018
AWS Serverless Application Repository | 02/20/2018
AWS Service Catalog | 07/06/2016
AWS Server Migration Service | 11/14/2016
AWS Snowball | 01/25/2019
Amazon Simple Notification Service | 10/09/2014
Amazon Simple Queue Service | 07/16/2014
AWS Systems Manager | 11/13/2013
AWS Step Functions | 12/01/2016
AWS Storage Gateway | 12/16/2014
AWS Security Token Service | 11/13/2013
Amazon Simple Workflow Service | 05/13/2014
AWS Resource Groups Tagging API | 06/29/2018
Amazon Transcribe | 06/28/2018
Amazon Translate | 04/04/2018
AWS WAF | 04/28/2016
Amazon WorkSpaces | 04/09/2015
AWS X-Ray | 04/25/2018

The following services are supported in the AWS GovCloud (US-East) Region:

AWS Service | Support Start Date
AWS Certificate Manager | 03/25/2016
AWS Certificate Manager Private Certificate Authority | 06/06/2019
API Gateway | 07/09/2015
Amazon Athena | 05/19/2017
Application Auto Scaling | 10/31/2016
AWS CloudFormation | 04/02/2014
AWS CloudHSM | 01/08/2015
AWS CloudTrail | 11/13/2013
AWS CodeBuild | 12/01/2016
AWS CodeCommit | 01/11/2017
AWS CodeDeploy | 12/16/2014
AWS Config | 02/10/2015
AWS Direct Connect | 03/08/2014
AWS Database Migration Service | 02/04/2016
AWS Directory Service | 05/14/2015
Amazon DynamoDB | 05/28/2015
Amazon Elastic Compute Cloud | 11/13/2013
Amazon Elastic Container Registry | 12/21/2015
Amazon Elastic Container Service | 04/09/2015
Amazon ElastiCache | 09/15/2014
AWS Elastic Beanstalk | 03/31/2014
Elastic Load Balancing | 04/04/2014
Amazon Elastic Map Reduce (EMR) | 04/04/2014
Amazon Elasticsearch Service | 10/01/2015
Amazon CloudWatch Events | 01/16/2016
Amazon Kinesis Data Firehose | 03/17/2016
Amazon S3 Glacier | 12/11/2014
AWS Glue | 11/07/2017
AWS Identity and Access Management | 11/13/2013
Amazon Inspector | 04/20/2016
Amazon Kinesis | 04/25/2014
AWS Key Management Service | 11/12/2014
AWS Lambda | 04/09/2015
AWS License Manager | 03/01/2019
Amazon CloudWatch Logs | 03/10/2016
AWS Marketplace Marketing Service | 08/22/2018
Amazon CloudWatch | 04/30/2014
AWS Resource Access Manager | 11/20/2018
Amazon Relational Database Service | 11/13/2013
Amazon Redshift | 06/10/2014
AWS Resource Groups | 06/29/2018
Amazon Route 53 Resolver | 02/11/2015
Amazon Simple Storage Service | 09/01/2015
AWS Secrets Manager | 04/05/2018
AWS Serverless Application Repository | 02/20/2018
AWS Server Migration Service | 11/14/2016
AWS Snowball | 01/25/2019
Amazon Simple Notification Service | 10/09/2014
Amazon Simple Queue Service | 07/16/2014
AWS Systems Manager | 11/13/2013
AWS Step Functions | 12/01/2016
AWS Security Token Service | 11/13/2013
Amazon Simple Workflow Service | 05/13/2014
AWS Resource Groups Tagging API | 06/29/2018
Amazon Transcribe | 06/28/2018

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted:

  • Not applicable

ITAR-Regulated Data Not Permitted:

  • CloudTrail logs do not contain ITAR-regulated data.

  • CloudTrail configuration data may not contain ITAR-regulated data.