Deliver CloudTrail logs from accounts into a single Amazon S3 bucket

  • For example, you have four AWS accounts with account IDs 111111111111, 222222222222, 333333333333, and 444444444444, and you want to configure CloudTrail to deliver log files from all four of these accounts to a bucket belonging to account 111111111111:

    1. Turn on CloudTrail in the account where the destination bucket will belong (111111111111 in this example). Do not turn on CloudTrail in any other accounts yet.

    2. Update the bucket policy on your destination bucket to grant cross-account permissions to CloudTrail.

    3. Turn on CloudTrail in the other accounts you want (222222222222, 333333333333, and 444444444444 in this example).

    4. Configure CloudTrail in the other accounts to use the same bucket belonging to the account that you specified in step 1 (111111111111 in this example).

PreviousSetting up an automated system to manage the access keys in the company's AWS accountNextTroubleshooting Elastic Beanstalk Logs

Last updated