AWS Organizations
User Guide

AWS CloudTrail and AWS Organizations

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Using AWS CloudTrail, a user in a master account can create an organization trail that logs all events for all AWS accounts in that organization. Organization trails are automatically applied to all member accounts in the organization. Member accounts can see the organization trail, but can't modify or delete it. By default, member accounts don't have access to the log files for the organization trail in the Amazon S3 bucket. Because the trail is defined once in the master account and cannot be changed by member accounts, an organization trail helps you uniformly apply and enforce your event logging strategy across the accounts in your organization. For more information, see Creating a Trail for an Organization in the AWS CloudTrail User Guide.

The following list provides information that you need when integrating AWS CloudTrail with AWS Organizations:

  • To enable trusted access with AWS Organizations: You must sign in with your AWS Organizations master account to create an organization trail. If you create the trail from the AWS CloudTrail console, trusted access is configured automatically for you. If you choose to create an organization trail using the AWS CLI or the AWS API, you must manually configure trusted access. For more information, see Enabling CloudTrail as a trusted service in AWS Organizations in the AWS CloudTrail User Guide.

  • To disable trusted access with AWS Organizations: AWS CloudTrail requires trusted access with AWS Organizations to work with organization trails. If you disable trusted access using AWS Organizations while you're using AWS CloudTrail for organization trails, the trails stop functioning for member accounts because CloudTrail can't access the organization. The organization trails remain, as does the AWSServiceRoleForCloudTrail role created for integration between CloudTrail and AWS Organizations. If you re-enable trusted access, CloudTrail continues to operate as before, without the need for you to reconfigure the trails.

  • Service principal name for AWS CloudTrail: cloudtrail.amazonaws.com.

  • Role name created to synchronize with AWS CloudTrail: AWSServiceRoleForCloudTrail.
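The following script is an added example and is not part of the AWS documentation. It shows the manual path the list above describes for the AWS CLI: from the master account, check whether cloudtrail.amazonaws.com is already a trusted service in the organization, enable trusted access if it is not, verify it, and only then create and start an organization trail. The CLI commands (aws organizations list-aws-service-access-for-organization, enable-aws-service-access, aws cloudtrail create-trail with --is-organization-trail, start-logging) are real; the trail name, the bucket name and the JSON sample used for the offline check are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS Organizations User Guide): enable CloudTrail
# as a trusted service and create an organization trail from the master account.

SERVICE_PRINCIPAL="cloudtrail.amazonaws.com"            # from the guide
TRAIL_NAME="${TRAIL_NAME:-org-trail}"                    # assumed name
BUCKET_NAME="${BUCKET_NAME:-EXAMPLE-ORG-TRAIL-BUCKET}"   # placeholder; bucket must already exist

# Return 0 if the JSON given as $1 (the output of
# `aws organizations list-aws-service-access-for-organization`) lists the
# CloudTrail service principal, 1 otherwise. Pure text check, no network.
cloudtrail_access_enabled_in() {
    printf '%s' "$1" | grep -q "\"ServicePrincipal\": *\"$SERVICE_PRINCIPAL\""
}

# Live check against the organization (needs credentials for the master account).
cloudtrail_access_enabled() {
    cloudtrail_access_enabled_in \
        "$(aws organizations list-aws-service-access-for-organization --output json)"
}

# Step the guide calls "manually configure trusted access" for CLI/API users.
enable_cloudtrail_access() {
    aws organizations enable-aws-service-access --service-principal "$SERVICE_PRINCIPAL"
}

# Create the organization trail and start logging; --is-organization-trail is
# what makes the trail apply to every member account.
create_org_trail() {
    aws cloudtrail create-trail --name "$TRAIL_NAME" \
        --s3-bucket-name "$BUCKET_NAME" \
        --is-organization-trail --is-multi-region-trail
    aws cloudtrail start-logging --name "$TRAIL_NAME"
}

# Orchestration runs only when invoked as `sh this_script.sh apply`, so that
# sourcing or dry-running the file never touches the account.
if [ "${1:-}" = "apply" ]; then
    cloudtrail_access_enabled || enable_cloudtrail_access
    cloudtrail_access_enabled || { echo "trusted access for CloudTrail is not enabled" >&2; exit 1; }
    create_org_trail
fi

# Constructed sample responses, used to exercise the parser offline.
SAMPLE_ENABLED='{"EnabledServicePrincipals": [{"ServicePrincipal": "cloudtrail.amazonaws.com", "DateEnabled": 1500000000.0}]}'
SAMPLE_DISABLED='{"EnabledServicePrincipals": []}'
```

The verification step matters for the second bullet above: if trusted access is later disabled in AWS Organizations, the trail still exists but stops functioning for member accounts, so the same check is a useful periodic control. The S3 bucket named in BUCKET_NAME must carry a bucket policy that allows cloudtrail.amazonaws.com to write objects for the organization; create-trail fails otherwise.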