AWS Organizations
User Guide

Monitoring the Activity in Your Organization

As a best practice, you should monitor your organization to ensure that changes are logged. This helps you to ensure that any unexpected change can be investigated and unwanted changes can be rolled back. AWS Organizations currently supports two AWS services that enable you to monitor your organization and the activity that happens within it.

Logging AWS Organizations API Calls with AWS CloudTrail

AWS Organizations is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Organizations. CloudTrail captures all API calls for AWS Organizations as events, including calls from the AWS Organizations console and from code calls to the AWS Organizations APIs. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for AWS Organizations. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can determine the request that was made to AWS Organizations, the IP address it was made from, who made it, when it was made, and additional details.

To learn more about CloudTrail, see the AWS CloudTrail User Guide.

Important

You can view all CloudTrail information for AWS Organizations only in the US East (N. Virginia) Region. If you don't see your AWS Organizations activity in the CloudTrail console, set your console to US East (N. Virginia) using the menu in the upper-right corner. If you query CloudTrail with the AWS CLI or SDK tools, direct your query to the US East (N. Virginia) endpoint.

AWS Organizations Information in CloudTrail

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in AWS Organizations, that activity is recorded in a CloudTrail event along with other AWS service events in Event history. You can view, search, and download recent events in your AWS account. For more information, see Viewing Events with CloudTrail Event History.

For an ongoing record of events in your AWS account, including events for AWS Organizations, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. When CloudTrail logging is enabled in your AWS account, API calls made to AWS Organizations actions are tracked in CloudTrail log files, where they are written with other AWS service records. You can configure other AWS services to further analyze and act on the event data collected in CloudTrail logs. For more information, see the following:

All AWS Organizations actions are logged by CloudTrail and are documented in the AWS Organizations API Reference. For example, calls to CreateAccount (including the CreateAccountResult event), ListHandshakesForAccount, CreatePolicy, and InviteAccountToOrganization generate entries in the CloudTrail log files.

Every log entry contains information about who generated the request. The user identity information in the log entry helps you determine the following:

  • Whether the request was made with root or IAM user credentials

  • Whether the request was made with temporary security credentials for an IAM role or a federated user

  • Whether the request was made by another AWS service

For more information, see the CloudTrail userIdentity Element.

Understanding AWS Organizations Log File Entries

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.

Example Log Entries: CreateAccount

The following example shows a CloudTrail log entry for a sample CreateAccount call that is generated when the API is called.

{ "eventVersion": "1.06", "userIdentity": { "type": "IAMUser", "principalId": "AIDAMVNPBQA3EXAMPLE", "arn": "arn:aws:iam::111122223333:user/diego", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "diego" }, "eventTime": "2018-06-21T22:06:27Z", "eventSource": "organizations.amazonaws.com", "eventName": "CreateAccount", "awsRegion": "us-east-1", "sourceIPAddress": "192.168.0.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36", "requestParameters": { "email": "anaya@amazon.com", "accountName": "****" }, "responseElements": { "createAccountStatus": { "accountName": "****", "state": "IN_PROGRESS", "id": "car-examplecreateaccountrequestid111", "requestedTimestamp": "Jun 21, 2018 10:06:27 PM" } }, "requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE", "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE", "eventType": "AwsApiCall", "recipientAccountId": "111111111111" }

The following example shows a CloudTrail log entry for a CreateAccount call after it successfully completed.

{ "eventVersion": "1.06", "userIdentity": { "accountId": "111122223333", "invokedBy": "AWS Internal" }, "eventTime": "2018-06-21T22:06:27Z", "eventSource": "organizations.amazonaws.com", "eventName": "CreateAccountResult", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "requestParameters": null, "responseElements": null, "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE", "readOnly": false, "eventType": "AwsServiceEvent", "recipientAccountId": "111122223333", "serviceEventDetails": { "createAccountStatus": { "id": "car-examplecreateaccountrequestid111", "state": "SUCCEEDED", "accountName": "****", "accountId": "444455556666", "requestedTimestamp": Jun 21, 2018 10:06:27 PM, "completedTimestamp": Jun 21, 2018 10:07:15 PM } } }

The following example shows a CloudTrail log entry that is generated after a CreateAccount call failed.

{ "eventVersion": "1.06", "userIdentity": { "accountId": "111122223333", "invokedBy": "AWS Internal" }, "eventTime": "2018-06-21T22:06:27Z", "eventSource": "organizations.amazonaws.com", "eventName": "CreateAccountResult", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": null, "responseElements": null, "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE", "readOnly": false, "eventType": "AwsServiceEvent", "recipientAccountId": "111122223333", "serviceEventDetails": { "createAccountStatus": { "id": "car-examplecreateaccountrequestid111", "state": "FAILED", "accountName": "****", "failureReason": "EMAIL_ALREADY_EXISTS", "requestedTimestamp": Jun 21, 2018 10:06:27 PM, "completedTimestamp": Jun 21, 2018 10:07:15 PM } } }

Example Log Entry: CreateOrganizationalUnit

The following example shows a CloudTrail log entry for a sample CreateOrganizationalUnit call.

{ "eventVersion": "1.06", "userIdentity": { "type": "IAMUser", "principalId": "AIDAMVNPBQA3EXAMPLE", "arn": "arn:aws:iam::111111111111:user/diego", "accountId": "111111111111", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "diego" }, "eventTime": "2017-01-18T21:40:11Z", "eventSource": "organizations.amazonaws.com", "eventName": "CreateOrganizationalUnit", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36", "requestParameters": { "name": "OU-Developers-1", "parentId": "r-examplerootid111" }, "responseElements": { "organizationalUnit": { "arn": "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-examplerootid111-exampleouid111", "id": "ou-examplerootid111-exampleouid111", "name": "test-cloud-trail" } }, "requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE", "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE", "eventType": "AwsApiCall", "recipientAccountId": "111111111111" }

Example Log Entry: InviteAccountToOrganization

The following example shows a CloudTrail log entry for a sample InviteAccountToOrganization call.

{ "eventVersion": "1.06", "userIdentity": { "type": "IAMUser", "principalId": "AIDAMVNPBQA3EXAMPLE", "arn": "arn:aws:iam::111111111111:user/diego", "accountId": "111111111111", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "diego" }, "eventTime": "2017-01-18T21:41:17Z", "eventSource": "organizations.amazonaws.com", "eventName": "InviteAccountToOrganization", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36", "requestParameters": { "notes": "This is a request for Mary's account to join Diego's organization.", "target": { "type": "ACCOUNT", "id": "111111111111" } }, "responseElements": { "handshake": { "requestedTimestamp": "Jan 18, 2017 9:41:16 PM", "state": "OPEN", "arn": "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111", "id": "h-examplehandshakeid111", "parties": [ { "type": "ORGANIZATION", "id": "o-exampleorgid" }, { "type": "ACCOUNT", "id": "222222222222" } ], "action": "invite", "expirationTimestamp": "Feb 2, 2017 9:41:16 PM", "resources": [ { "resources": [ { "type": "MASTER_EMAIL", "value": "diego@example.com" }, { "type": "MASTER_NAME", "value": "Master account for organization" }, { "type": "ORGANIZATION_FEATURE_SET", "value": "ALL" } ], "type": "ORGANIZATION", "value": "o-exampleorgid" }, { "type": "ACCOUNT", "value": "222222222222" }, { "type": "NOTES", "value": "This is a request for Mary's account to join Diego's organization." } ] } }, "requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE", "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE", "eventType": "AwsApiCall", "recipientAccountId": "111111111111" }

Example Log Entry: AttachPolicy

The following example shows a CloudTrail log entry for a sample AttachPolicy call. The response indicates that the call failed because the requested policy type isn't enabled in the root where the request to attach was attempted.

{ "eventVersion": "1.06", "userIdentity": { "type": "IAMUser", "principalId": "AIDAMVNPBQA3EXAMPLE", "arn": "arn:aws:iam::111111111111:user/diego", "accountId": "111111111111", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "diego" }, "eventTime": "2017-01-18T21:42:44Z", "eventSource": "organizations.amazonaws.com", "eventName": "AttachPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36", "errorCode": "PolicyTypeNotEnabledException", "errorMessage": "The given policy type ServiceControlPolicy is not enabled on the current view", "requestParameters": { "policyId": "p-examplepolicyid111", "targetId": "ou-examplerootid111-exampleouid111" }, "responseElements": null, "requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE", "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE", "eventType": "AwsApiCall", "recipientAccountId": "111111111111" }

Amazon CloudWatch Events

AWS Organizations can work with CloudWatch Events to raise events when administrator-specified actions occur in an organization. For example, because of the sensitivity of such actions, most administrators would want to be warned every time someone creates a new account in the organization or when an administrator of a member account attempts to leave the organization. You can configure CloudWatch Events rules that look for these actions and then send the generated events to administrator-defined targets. Targets can be an Amazon SNS topic that emails or text messages its subscribers. You could also create an AWS Lambda function that logs the details of the action for your later review.

For a tutorial that shows how to enable CloudWatch Events to monitor key activity in your organization, see Tutorial: Monitor Important Changes to Your Organization with CloudWatch Events .

To learn more about CloudWatch Events, including how to configure and enable it, see the Amazon CloudWatch Events User Guide.