AWS CloudTrail
The following list details the differences for using AWS CloudTrail in the AWS GovCloud (US) Region compared to other AWS regions:
-
For all AWS GovCloud (US) accounts created after 12/15/2014, AWS CloudTrail event log delivery to Amazon S3 is enabled automatically. However, you must set up Amazon SNS notifications. You can turn off logging through the AWS CloudTrail console for the AWS GovCloud (US) Region.
-
Since AWS GovCloud (US) operates as a single isolated region, the capability to receive CloudTrail log files from multiple regions does not apply.
-
If you are using AWS Direct Connect, you must enable CloudTrail in your AWS account (not your AWS GovCloud (US) account) and enable logging.
-
The Amazon S3 and Amazon SNS policy statements must refer to the ARN for the AWS GovCloud (US) Region. For more information, see Amazon Resource Names (ARNs) in AWS GovCloud (US).
-
To enable CloudTrail to write log files to your bucket in the AWS GovCloud (US) Region, you can use the following policy.
Warning
If the bucket already has one or more policies attached, add the statements for CloudTrail access to that policy or policies. We recommend that you evaluate the resulting set of permissions to be sure they are appropriate for the users who will be accessing the bucket.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSCloudTrailAclCheck20131101", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "s3:GetBucketAcl", "Resource": "arn:aws-us-gov:s3:::myBucketName" }, { "Sid": "AWSCloudTrailWrite20131101", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws-us-gov:s3:::myBucketName/[optional] prefix/AWSLogs/myAccountID/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } } ] }For more information, see Amazon S3 Bucket Policy and Permissions for SNS Notifications.
Note
In the AWS GovCloud (US) Region, do not add CloudTrail account IDs of non-isolated regions to your policy templates, or an "Invalid principal in policy" error will occur. Similarly, if you are in a non-isolated region, do not add the CloudTrail account ID for AWS GovCloud (US) to your policy templates.
For more information about CloudTrail, see the CloudTrail documentation.
Services Supported within CloudTrail
The following services are supported within CloudTrail in the AWS GovCloud (US) Region:
| AWS Service | Support Start Date |
|---|---|
| Amazon Elasticsearch Service | 02/15/2018 |
| Amazon API Gateway | 08/01/2017 |
| Amazon EC2 Auto Scaling | 12/16/2014 |
| AWS CloudFormation | 12/16/2014 |
| AWS CloudHSM Classic | 08/05/2015 |
| AWS CloudTrail | 12/16/2014 |
| Amazon CloudWatch | 12/16/2014 |
| Amazon CloudWatch Events | 04/07/2017 |
| Amazon CloudWatch Logs | 11/19/2015 |
| AWS CodeDeploy | 03/31/2017 |
| AWS Database Migration Service (AWS DMS) | 10/28/2015 |
| AWS Direct Connect | 10/28/2015 |
| Amazon DynamoDB | 05/28/2015 |
| AWS Elastic Beanstalk | 12/16/2014 |
| Amazon Elastic Block Store (Amazon EBS) | 12/16/2014 |
| Amazon Elastic Compute Cloud (Amazon EC2) | 12/16/2014 |
| Elastic Load Balancing | 12/16/2014 |
| ElastiCache | 01/29/2015 |
| Amazon EMR (Amazon EMR) | 12/16/2014 |
| Amazon Glacier | 12/30/2014 |
| AWS Identity and Access Management (IAM) | 12/16/2014 |
| AWS Key Management Service (AWS KMS) | 04/29/2015 |
| Amazon Kinesis | 12/21/2016 |
| AWS Lambda | 05/18/2017 |
| Amazon Redshift | 12/16/2014 |
| Amazon RDS | 01/22/2015 |
| AWS Security Token Service (AWS STS) | 12/16/2014 |
| AWS Server Migration Service (AWS SMS) | 06/21/2017 |
| Amazon Simple Storage Service (Amazon S3) | 10/01/2015 |
| Amazon Simple Notification Service (Amazon SNS) | 12/16/2014 |
| Amazon Simple Queue Service (Amazon SQS) | 12/16/2014 |
| Amazon Simple Workflow Service (Amazon SWF) | 12/16/2014 |
| AWS Systems Manager | 05/23/2017 |
| Amazon Virtual Private Cloud (Amazon VPC) | 12/16/2014 |
ITAR Boundary
AWS GovCloud has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in the AWS GovCloud (US) Region. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in the AWS GovCloud (US) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:
| ITAR-Regulated Data Permitted | ITAR-Regulated Data Not Permitted |
|---|---|
|
|
