Getting Started with Cross-Account CloudTrail Logging

Tags: aws, aws monitoring | Jun 17, 2024

Introduction

Cross-account CloudTrail logging centralizes your AWS account logs by delivering them to an S3 bucket owned by a separate AWS account. Because that bucket sits outside the account being logged, a principal who gains administrative access to the source account can stop its trail but cannot delete or alter the log files already delivered, which is the property auditors and incident responders rely on. In this post, we'll cover two approaches to set up cross-account CloudTrail logging: using AWS Organizations and without using AWS Organizations.

What You Need

To get started, you need two AWS accounts:

  • Log Account: Owns the S3 bucket where logs are stored. Keep access to this account tightly limited, since it holds the evidence for every other account.
  • Logger Account: The account whose API activity is recorded and delivered to the log account.

Approach 1: Using AWS Organizations

AWS Organizations lets you manage multiple AWS accounts centrally. An organization trail, created once in the management account (or in an account registered as a CloudTrail delegated administrator), records events for every member account, so nothing has to be configured in the members themselves.

Steps:

  1. Enable AWS Organizations: Ensure your accounts are part of an AWS Organization, with the log account acting as the management account (or as the CloudTrail delegated administrator).
  2. Create a Trail in the Management Account:
    • Navigate to CloudTrail in the AWS Management Console.
    • Create a new trail and select "Enable for all accounts in my organization."
    • Let CloudTrail create a new S3 bucket; it writes the bucket policy for you, including the AWSLogs/<organization-id>/* prefix that member-account logs are delivered under. If you reuse an existing bucket, you must add that prefix to its policy yourself.
  3. Check Trails in Member Accounts: The organization trail appears in every member account's CloudTrail console as read-only. Member administrators cannot stop, modify or delete it, and each member's logs land under AWSLogs/<organization-id>/<member-account-id>/ in the bucket. There's no need to modify the bucket policy in the member accounts.

Benefits:

  • Simplifies setup by automatically creating trails in member accounts.
  • Centralizes log management, and member accounts cannot turn the trail off.
  • No need to manually update bucket policies when CloudTrail creates the bucket for you.

Considerations:

  • Additional charges may apply if member accounts already have trails: CloudTrail delivers the first copy of management events in each region free of charge, so the organization trail becomes a billed second copy in any member that keeps its own trail.

Approach 2: Without Using AWS Organizations

This approach involves manually setting up cross-account logging without the automation provided by AWS Organizations.

Steps:

  1. Configure the Log Account:

    • Create an S3 bucket to store the logs. Block public access and enable versioning so that an overwrite or delete can be recovered.
    • Optionally create a CloudTrail trail in the log account itself that writes to the same bucket, so access to the log bucket is itself recorded.
  2. Modify the Bucket Policy:

    • Update the S3 bucket policy so the CloudTrail service principal (cloudtrail.amazonaws.com) is allowed s3:GetBucketAcl on the bucket and s3:PutObject on AWSLogs/<account-id>/* for each account that will deliver logs. Condition every write grant on s3:x-amz-acl being bucket-owner-full-control, so the log account owns each delivered object, and on aws:SourceArn matching that account's trail ARN, so a trail in an unrelated account cannot write into your bucket. IAM roles in the logger account need no permission on the bucket: CloudTrail, not the role, performs the write.
  3. Configure the Logger Account:

    • Create a CloudTrail trail, with log file validation enabled so digest files are delivered alongside the logs.
    • Specify the S3 bucket from the log account, by name, as the storage location. If the bucket policy from step 2 is not yet in place, trail creation fails with an S3 bucket policy error.
  4. Verify the Logs:

    • Log in to the log account.
    • Check that objects appear under AWSLogs/<logger-account-id>/CloudTrail/<region>/ in the bucket; the first files normally arrive within about 15 minutes. If nothing arrives, check the trail's status in the logger account, which reports the most recent delivery error.
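As an added example (not code from the original post or from AWS), here is a Python helper that generates the bucket policy described above and audits an existing policy before any trail is pointed at the bucket. It covers both approaches: for approach 2 each writer is an account ID with its own AWSLogs/<account-id>/* prefix; for approach 1 with an existing bucket, the organization ID (o-...) is passed as a writer so the AWSLogs/<organization-id>/* prefix is granted to the management-account trail. The account IDs, bucket name and trail names in the demo are constructed.

```python
"""Build and audit an S3 bucket policy for cross-account CloudTrail delivery.
Added example for this post, not AWS-provided code; account IDs, bucket and
trail names in the demo are constructed."""
import json

CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"


def trail_arn(account_id, region, trail_name, partition="aws"):
    """ARN of a trail; used to pin aws:SourceArn so only that trail may write."""
    return f"arn:{partition}:cloudtrail:{region}:{account_id}:trail/{trail_name}"


def build_cloudtrail_bucket_policy(bucket, writers, partition="aws"):
    """writers: {prefix: trail_arn}. prefix is an account ID (approach 2, logs land
    under AWSLogs/<account-id>/) or an organization ID such as o-abc123 (approach 1
    with an existing bucket, logs land under AWSLogs/<org-id>/<member-id>/)."""
    bucket_arn = f"arn:{partition}:s3:::{bucket}"
    statements = [{
        "Sid": "AWSCloudTrailAclCheck",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
        "Action": "s3:GetBucketAcl",
        "Resource": bucket_arn,
        "Condition": {"StringEquals": {"aws:SourceArn": sorted(set(writers.values()))}},
    }]
    for prefix, source_arn in sorted(writers.items()):
        # One grant per AWSLogs/<prefix>/* so a trail in one account cannot write
        # into another's path; the ACL condition makes the log account own the object.
        statements.append({
            "Sid": f"AWSCloudTrailWrite{prefix.replace('-', '')}",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
            "Action": "s3:PutObject",
            "Resource": f"{bucket_arn}/AWSLogs/{prefix}/*",
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceArn": source_arn,
            }},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def audit_cloudtrail_bucket_policy(policy, bucket, expected_prefixes, partition="aws"):
    """Check an existing policy. missing: expected prefixes without a pinned CloudTrail
    write grant; unpinned: CloudTrail writes lacking the ACL or aws:SourceArn condition;
    broad: writes open to any principal or outside AWSLogs/<prefix>/ (e.g. bucket/*)."""
    log_prefix = f"arn:{partition}:s3:::{bucket}/AWSLogs/"
    covered, unpinned, broad = set(), set(), set()
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no sid>")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not ({"s3:PutObject", "s3:*"} & set(actions)):
            continue
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            broad.add(sid)
            continue
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        if CLOUDTRAIL_PRINCIPAL not in ([svc] if isinstance(svc, str) else svc):
            continue  # grants to IAM principals are out of scope here
        cond = st.get("Condition", {}).get("StringEquals", {})
        pinned = (cond.get("s3:x-amz-acl") == "bucket-owner-full-control"
                  and "aws:SourceArn" in cond)
        resources = st.get("Resource", [])
        for res in [resources] if isinstance(resources, str) else resources:
            if not res.startswith(log_prefix):
                broad.add(sid)
            elif not pinned:
                unpinned.add(sid)
            else:
                covered.add(res[len(log_prefix):].split("/", 1)[0])
    return {"missing": sorted(set(expected_prefixes) - covered),
            "unpinned": sorted(unpinned), "broad": sorted(broad)}


if __name__ == "__main__":
    LOG_ACCOUNT, LOGGER_ACCOUNT = "111111111111", "222222222222"  # constructed IDs
    bucket = "example-central-cloudtrail-logs"                     # constructed name
    writers = {
        LOG_ACCOUNT: trail_arn(LOG_ACCOUNT, "us-east-1", "log-account-trail"),
        LOGGER_ACCOUNT: trail_arn(LOGGER_ACCOUNT, "us-east-1", "logger-trail"),
    }
    policy = build_cloudtrail_bucket_policy(bucket, writers)
    print(json.dumps(policy, indent=2))
    print(audit_cloudtrail_bucket_policy(policy, bucket, list(writers)))
```

The audit is deliberately strict: a CloudTrail write grant on bucket/* or one without the aws:SourceArn condition is reported even though delivery would work, because either one lets a trail in an account you do not control drop files into your log bucket.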

Benefits:

  1. Full control over the setup process, including which accounts may write and under which prefix.
  2. Enhanced security by isolating logs in a different account: an attacker with credentials in the logger account can stop or delete its trail, but cannot touch the log files already delivered to the log account.

Considerations:

  1. Requires manual configuration and policy updates for every new logger account, and again whenever a trail is renamed, because aws:SourceArn is pinned to the trail ARN.
  2. Slightly more complex setup compared to using AWS Organizations.

Conclusion

Cross-account CloudTrail logging is a powerful way to enhance the security and manageability of your AWS logs. Whether you choose to use AWS Organizations for a simplified setup or manually configure the logging, both approaches offer robust solutions for centralizing your log storage. By following these steps, you can ensure your logs are secure and easily accessible for auditing and monitoring purposes.
