AWS CloudTrail
With AWS CloudTrail, you can monitor your AWS deployments in the cloud by getting a history of AWS API calls for your account, including API calls made via the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. You can also identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CloudTrail logging on and off.
How AWS CloudTrail Differs for AWS GovCloud (US)
The following list details the differences for using this service in AWS GovCloud (US) Regions compared to other AWS Regions:
- For all AWS GovCloud (US) accounts created after 12/15/2014, AWS CloudTrail event log delivery to Amazon S3 is enabled automatically. However, you must set up Amazon SNS notifications. You can turn off logging through the AWS CloudTrail console for the AWS GovCloud (US) Region.
- If you are using AWS Direct Connect, you must enable CloudTrail in your standard AWS account (not your AWS GovCloud (US) account) and enable logging.
- The Amazon S3 and Amazon SNS policy statements must refer to the ARN for AWS GovCloud (US) Regions. For more information, see Amazon Resource Names (ARNs) in GovCloud (US) Regions.
- To enable CloudTrail to write log files to your bucket in AWS GovCloud (US) Regions, you can use the following policy.

Warning: If the bucket already has one or more policies attached, add the statements for CloudTrail access to that policy or policies. We recommend that you evaluate the resulting set of permissions to be sure they are appropriate for the users who will be accessing the bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20131101",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws-us-gov:s3:::myBucketName"
    },
    {
      "Sid": "AWSCloudTrailWrite20131101",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::myBucketName/[optional prefix]/AWSLogs/myAccountID/*",
      "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
    }
  ]
}
```

For more information, see Amazon S3 Bucket Policy and Permissions for SNS Notifications.

Note: In AWS GovCloud (US) Regions, do not add CloudTrail account IDs of non-isolated regions to your policy templates, or an "Invalid principal in policy" error will occur. Similarly, if you are in a non-isolated region, do not add the CloudTrail account ID for AWS GovCloud (US) to your policy templates.
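The two GovCloud-specific requirements above (the `arn:aws-us-gov` partition in every Resource and the service principal rather than an account ID) are easy to get wrong when a policy template is copied from a commercial-region bucket. The following added example, which is not AWS's own tooling, builds the page's two-statement policy for a constructed bucket name and account ID, and then checks an arbitrary policy for those requirements plus the `bucket-owner-full-control` condition on `s3:PutObject`.

```python
CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"
GOVCLOUD_S3 = "arn:aws-us-gov:s3:::"  # GovCloud partition; commercial ARNs start with arn:aws:
REQUIRED_ACL = "bucket-owner-full-control"


def build_policy(bucket, account_id, prefix=""):
    """Build the page's two-statement bucket policy; prefix is the optional key prefix."""
    key_prefix = f"/{prefix.strip('/')}" if prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck20131101",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
                "Action": "s3:GetBucketAcl",
                "Resource": f"{GOVCLOUD_S3}{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite20131101",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
                "Action": "s3:PutObject",
                "Resource": f"{GOVCLOUD_S3}{bucket}{key_prefix}/AWSLogs/{account_id}/*",
                "Condition": {"StringEquals": {"s3:x-amz-acl": REQUIRED_ACL}},
            },
        ],
    }


def check_policy(policy):
    """Return findings for the CloudTrail statements; an empty list means they pass."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        # The template grants access only to the service principal; the page notes that
        # CloudTrail account IDs from non-isolated regions cause "Invalid principal in policy".
        if stmt.get("Principal") != {"Service": CLOUDTRAIL_PRINCIPAL}:
            findings.append(f"{sid}: Principal must be {{'Service': '{CLOUDTRAIL_PRINCIPAL}'}}")
        resources = stmt.get("Resource", [])
        for arn in [resources] if isinstance(resources, str) else resources:
            if not arn.startswith(GOVCLOUD_S3):
                findings.append(f"{sid}: {arn} is not an aws-us-gov ARN")
        if stmt.get("Action") == "s3:PutObject":
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != REQUIRED_ACL:
                findings.append(f"{sid}: PutObject must require s3:x-amz-acl={REQUIRED_ACL}")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the bucket name and account ID are placeholders.
    print(check_policy(build_policy("myBucketName", "123456789012", "optional-prefix")))
```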
Documentation for AWS CloudTrail
Services Supported within CloudTrail
The following services are supported in the AWS GovCloud (US-West) Region:
AWS Service | Support Start Date |
---|---|
AWS Certificate Manager | 03/25/2016 |
AWS Certificate Manager Private Certificate Authority | 06/06/2019 |
API Gateway | 07/09/2015 |
Amazon Athena | 05/19/2017 |
Application Auto Scaling | 10/31/2016 |
Amazon Cloud Directory | 01/26/2017 |
AWS CloudFormation | 04/02/2014 |
AWS CloudHSM | 01/08/2015 |
AWS CloudTrail | 11/13/2013 |
AWS CodeBuild | 12/01/2016 |
AWS CodeCommit | 01/11/2017 |
AWS CodeDeploy | 12/16/2014 |
AWS CodePipeline | 07/09/2015 |
Amazon Comprehend | 01/17/2018 |
AWS Config | 02/10/2015 |
AWS DataSync | 11/26/2018 |
AWS Direct Connect | 03/08/2014 |
AWS Database Migration Service | 02/04/2016 |
AWS Directory Service | 05/14/2015 |
Amazon DynamoDB | 05/28/2015 |
Amazon Elastic Compute Cloud | 11/13/2013 |
Amazon Elastic Container Registry | 12/21/2015 |
Amazon Elastic Container Service | 04/09/2015 |
Amazon ElastiCache | 09/15/2014 |
AWS Elastic Beanstalk | 03/31/2014 |
Amazon Elastic File System | 06/28/2016 |
Elastic Load Balancing | 04/04/2014 |
Amazon Elastic Map Reduce (EMR) | 04/04/2014 |
Amazon Elasticsearch Service | 10/01/2015 |
Amazon CloudWatch Events | 01/16/2016 |
Amazon Kinesis Data Firehose | 03/17/2016 |
Amazon S3 Glacier | 12/11/2014 |
AWS Glue | 11/07/2017 |
AWS IoT Greengrass | 10/29/2018 |
Amazon GuardDuty | 02/12/2018 |
AWS Health | 11/21/2016 |
AWS Identity and Access Management | 11/13/2013 |
Amazon Inspector | 04/20/2016 |
AWS IoT | 04/11/2016 |
Amazon Kinesis | 04/25/2014 |
AWS Key Management Service | 11/12/2014 |
AWS Lambda | 04/09/2015 |
AWS License Manager | 03/01/2019 |
Amazon CloudWatch Logs | 03/10/2016 |
AWS Elemental MediaConvert | 11/27/2017 |
AWS Marketplace Marketing Service | 08/22/2018 |
Amazon CloudWatch | 04/30/2014 |
AWS Organizations | 02/27/2017 |
Amazon Polly | 11/30/2016 |
AWS Resource Access Manager | 11/20/2018 |
Amazon Relational Database Service | 11/13/2013 |
Amazon Redshift | 06/10/2014 |
Amazon Rekognition | 04/06/2018 |
AWS Resource Groups | 06/29/2018 |
Amazon Route 53 | 02/11/2015 |
Amazon Route 53 Resolver | 02/11/2015 |
Amazon Simple Storage Service | 09/01/2015 |
Amazon SageMaker | 01/11/2018 |
AWS Secrets Manager | 04/05/2018 |
AWS Serverless Application Repository | 02/20/2018 |
AWS Service Catalog | 07/06/2016 |
AWS Server Migration Service | 11/14/2016 |
AWS Snowball | 01/25/2019 |
Amazon Simple Notification Service | 10/09/2014 |
Amazon Simple Queue Service | 07/16/2014 |
AWS Systems Manager | 11/13/2013 |
AWS Step Functions | 12/01/2016 |
AWS Storage Gateway | 12/16/2014 |
AWS Security Token Service | 11/13/2013 |
Amazon Simple Workflow Service | 05/13/2014 |
AWS Resource Groups Tagging API | 06/29/2018 |
Amazon Transcribe | 06/28/2018 |
Amazon Translate | 04/04/2018 |
AWS WAF | 04/28/2016 |
Amazon WorkSpaces | 04/09/2015 |
AWS X-Ray | 04/25/2018 |
The following services are supported in the AWS GovCloud (US-East) Region:
AWS Service | Support Start Date |
---|---|
AWS Certificate Manager | 03/25/2016 |
AWS Certificate Manager Private Certificate Authority | 06/06/2019 |
API Gateway | 07/09/2015 |
Amazon Athena | 05/19/2017 |
Application Auto Scaling | 10/31/2016 |
AWS CloudFormation | 04/02/2014 |
AWS CloudHSM | 01/08/2015 |
AWS CloudTrail | 11/13/2013 |
AWS CodeBuild | 12/01/2016 |
AWS CodeCommit | 01/11/2017 |
AWS CodeDeploy | 12/16/2014 |
AWS Config | 02/10/2015 |
AWS Direct Connect | 03/08/2014 |
AWS Database Migration Service | 02/04/2016 |
AWS Directory Service | 05/14/2015 |
Amazon DynamoDB | 05/28/2015 |
Amazon Elastic Compute Cloud | 11/13/2013 |
Amazon Elastic Container Registry | 12/21/2015 |
Amazon Elastic Container Service | 04/09/2015 |
Amazon ElastiCache | 09/15/2014 |
AWS Elastic Beanstalk | 03/31/2014 |
Elastic Load Balancing | 04/04/2014 |
Amazon Elastic Map Reduce (EMR) | 04/04/2014 |
Amazon Elasticsearch Service | 10/01/2015 |
Amazon CloudWatch Events | 01/16/2016 |
Amazon Kinesis Data Firehose | 03/17/2016 |
Amazon S3 Glacier | 12/11/2014 |
AWS Glue | 11/07/2017 |
AWS Identity and Access Management | 11/13/2013 |
Amazon Inspector | 04/20/2016 |
Amazon Kinesis | 04/25/2014 |
AWS Key Management Service | 11/12/2014 |
AWS Lambda | 04/09/2015 |
AWS License Manager | 03/01/2019 |
Amazon CloudWatch Logs | 03/10/2016 |
AWS Marketplace Marketing Service | 08/22/2018 |
Amazon CloudWatch | 04/30/2014 |
AWS Resource Access Manager | 11/20/2018 |
Amazon Relational Database Service | 11/13/2013 |
Amazon Redshift | 06/10/2014 |
AWS Resource Groups | 06/29/2018 |
Amazon Route 53 Resolver | 02/11/2015 |
Amazon Simple Storage Service | 09/01/2015 |
AWS Secrets Manager | 04/05/2018 |
AWS Serverless Application Repository | 02/20/2018 |
AWS Server Migration Service | 11/14/2016 |
AWS Snowball | 01/25/2019 |
Amazon Simple Notification Service | 10/09/2014 |
Amazon Simple Queue Service | 07/16/2014 |
AWS Systems Manager | 11/13/2013 |
AWS Step Functions | 12/01/2016 |
AWS Security Token Service | 11/13/2013 |
Amazon Simple Workflow Service | 05/13/2014 |
AWS Resource Groups Tagging API | 06/29/2018 |
Amazon Transcribe | 06/28/2018 |
ITAR Boundary
AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:
ITAR-Regulated Data Permitted | ITAR-Regulated Data Not Permitted |
---|---|