AWS GovCloud (US) User Guide

AWS CloudTrail

With AWS CloudTrail, you can monitor your AWS deployments in the cloud by getting a history of AWS API calls for your account, including API calls made via the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. You can also identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CloudTrail logging on and off.

The following list details the differences for using this service in AWS GovCloud (US) Regions compared to other AWS Regions:

  • For all AWS GovCloud (US) accounts created after 12/15/2014, AWS CloudTrail event log delivery to Amazon S3 is enabled automatically. However, you must set up Amazon SNS notifications. You can turn off logging through the AWS CloudTrail console for the AWS GovCloud (US) Region.

  • If you are using AWS Direct Connect, you must enable CloudTrail in your standard AWS account (not your AWS GovCloud (US) account) and enable logging.

  • The Amazon S3 and Amazon SNS policy statements must refer to the ARN for AWS GovCloud (US) Regions. For more information, see Amazon Resource Names (ARNs) in GovCloud (US) Regions.

  • To enable CloudTrail to write log files to your bucket in AWS GovCloud (US) Regions, you can use the following policy.


    If the bucket already has one or more policies attached, add the statements for CloudTrail access to that policy or policies. We recommend that you evaluate the resulting set of permissions to be sure they are appropriate for the users who will be accessing the bucket.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AWSCloudTrailAclCheck20131101",
          "Effect": "Allow",
          "Principal": { "Service": "cloudtrail.amazonaws.com" },
          "Action": "s3:GetBucketAcl",
          "Resource": "arn:aws-us-gov:s3:::myBucketName"
        },
        {
          "Sid": "AWSCloudTrailWrite20131101",
          "Effect": "Allow",
          "Principal": { "Service": "cloudtrail.amazonaws.com" },
          "Action": "s3:PutObject",
          "Resource": "arn:aws-us-gov:s3:::myBucketName/[optional] prefix/AWSLogs/myAccountID/*",
          "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
        }
      ]
    }

    For more information, see Amazon S3 Bucket Policy and Permissions for SNS Notifications.


    In AWS GovCloud (US) Regions, do not add CloudTrail account IDs of non-isolated regions to your policy templates, or an "Invalid principal in policy" error will occur. Similarly, if you are in a non-isolated region, do not add the CloudTrail account ID for AWS GovCloud (US) to your policy templates.
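
As an added check that is not part of this guide, the following Python script lints a CloudTrail bucket policy for the GovCloud-specific points above: every resource ARN must carry the aws-us-gov partition, the s3:PutObject grant must require the bucket-owner-full-control ACL, and any account principal from another partition is flagged, since that is what produces the "Invalid principal in policy" error. The function names are assumed, the embedded sample policy is constructed with a placeholder bucket name and account ID, and the grants are checked against the standard CloudTrail service principal cloudtrail.amazonaws.com.

```python
import json
# Constructed sample: the GovCloud CloudTrail bucket policy from this guide, with a placeholder bucket and account ID.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck20131101", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws-us-gov:s3:::myBucketName"},
        {"Sid": "AWSCloudTrailWrite20131101", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws-us-gov:s3:::myBucketName/AWSLogs/123456789012/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
})

def _as_list(v):
    # IAM policy fields may be a single string or a list; normalize to a list.
    return v if isinstance(v, list) else [v]

def check_govcloud_cloudtrail_policy(policy_json, partition="aws-us-gov"):
    """Return a list of findings; an empty list means every check passed."""
    findings, acl_ok, write_ok = [], False, False
    for st in json.loads(policy_json).get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        pr = st.get("Principal") if isinstance(st.get("Principal"), dict) else {}
        # A principal from another partition causes "Invalid principal in policy" in GovCloud.
        for p in _as_list(pr.get("AWS", [])):
            if p.startswith("arn:") and not p.startswith(f"arn:{partition}:"):
                findings.append(f"{sid}: principal {p} is outside partition {partition}")
        if st.get("Effect") != "Allow" or "cloudtrail.amazonaws.com" not in _as_list(pr.get("Service", [])):
            continue  # only Allow grants to the CloudTrail service principal matter below
        actions = _as_list(st.get("Action", []))
        for res in _as_list(st.get("Resource", [])):
            # Every resource ARN must use the GovCloud partition, never plain "aws".
            if not res.startswith(f"arn:{partition}:s3:::"):
                findings.append(f"{sid}: resource {res} is outside partition {partition}")
        acl_ok = acl_ok or "s3:GetBucketAcl" in actions
        if "s3:PutObject" in actions:
            cond = st.get("Condition", {}).get("StringEquals", {})
            if cond.get("s3:x-amz-acl") == "bucket-owner-full-control":
                write_ok = True
            else:
                findings.append(f"{sid}: PutObject must require s3:x-amz-acl bucket-owner-full-control")
    for ok, msg in ((acl_ok, "no statement grants s3:GetBucketAcl to CloudTrail"),
                    (write_ok, "no statement grants s3:PutObject with the required ACL condition to CloudTrail")):
        if not ok:
            findings.append(msg)
    return findings
```

Run it against the policy you intend to attach before applying it; a non-empty result lists the statement Sid and the failed check.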

For more information about CloudTrail, see the CloudTrail documentation.

Services Supported within CloudTrail

The following services are supported within CloudTrail in AWS GovCloud (US) Regions:

AWS Service                                        Support Start Date
-------------------------------------------------  ------------------
Amazon Elasticsearch Service                       02/15/2018
Amazon API Gateway                                 08/01/2017
Amazon EC2 Auto Scaling                            12/16/2014
AWS CloudFormation                                 12/16/2014
AWS CloudHSM Classic                               08/05/2015
AWS CloudTrail                                     12/16/2014
Amazon CloudWatch                                  12/16/2014
Amazon CloudWatch Events                           04/07/2017
Amazon CloudWatch Logs                             11/19/2015
AWS CodeDeploy                                     03/31/2017
AWS Database Migration Service (AWS DMS)           10/28/2015
AWS Direct Connect                                 10/28/2015
Amazon DynamoDB                                    05/28/2015
AWS Elastic Beanstalk                              12/16/2014
Amazon Elastic Block Store (Amazon EBS)            12/16/2014
Amazon Elastic Compute Cloud (Amazon EC2)          12/16/2014
Elastic Load Balancing                             12/16/2014
ElastiCache                                        01/29/2015
Amazon EMR                                         12/16/2014
Glacier                                            12/30/2014
AWS Identity and Access Management (IAM)           12/16/2014
AWS Key Management Service (AWS KMS)               04/29/2015
Amazon Kinesis                                     12/21/2016
AWS Lambda                                         05/18/2017
Amazon Redshift                                    12/16/2014
Amazon RDS                                         01/22/2015
AWS Security Token Service (AWS STS)               12/16/2014
AWS Server Migration Service (AWS SMS)             06/21/2017
Amazon Simple Storage Service (Amazon S3)          10/01/2015
Amazon Simple Notification Service (Amazon SNS)    12/16/2014
Amazon Simple Queue Service (Amazon SQS)           12/16/2014
Amazon Simple Workflow Service (Amazon SWF)        12/16/2014
AWS Systems Manager                                05/23/2017
Amazon Virtual Private Cloud (Amazon VPC)          12/16/2014

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted    ITAR-Regulated Data Not Permitted
-----------------------------    -----------------------------------------------------------------
Not applicable                   • CloudTrail logs do not contain ITAR-regulated data.
                                 • CloudTrail configuration data may not contain ITAR-regulated data.