AWS CloudTrail Use in AWS Control Tower

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

— AWS, _What is AWS CloudTrail?_

Looking at each of the four Accounts, including the developer sandbox Account we created in the previous article, each has a multi-region Trail configured in the home Region in which we used AWS Control Tower to create our landing zone; in my case us-west-2.


note: It is interesting to observe that AWS Control Tower does not configure an Organization Trail in the Master Account; rather it creates individual Trails in each Account.

Each Trail is configured to deliver events both to an Amazon CloudWatch Logs Log Group (in the same Account and Region as the Trail) and to a common Amazon S3 Bucket in the _Log Archive_ Account (in the Region in which we used AWS Control Tower to create our landing zone).

To illustrate AWS CloudTrail in action, we create an Amazon EC2 Instance in any Region (it need not be the home Region, since the Trail is multi-region) in the developer sandbox Account.

We look at the AWS CloudTrail Dashboard (in the same Account and Region that the Amazon EC2 Instance was created in) and observe the RunInstances Event.


We look at the Amazon CloudWatch Logs Log Group (in the same Account and Region that the Trail is configured in) and observe the same RunInstances Event; because the Trail is multi-region, the Event is recorded here even when the Instance was created in a different Region.
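The same RunInstances Event reaches both destinations described above: as one line of JSON in the CloudWatch Logs Log Group, and as one entry in a gzip-compressed `{"Records": [...]}` file in the Log Archive Account's S3 Bucket. The following is an added example, not code from the article or from AWS Control Tower, that reads either shape and pulls out the details the Dashboard shows for each successful RunInstances call (Account, Region, principal, source IP, Instance IDs). The records, account IDs, ARNs and Instance IDs are constructed for the example; the field names follow the CloudTrail record format.

```python
import gzip
import json
from typing import Any, Dict, Iterable, Iterator, List

# Constructed sample in the shape CloudTrail delivers to S3: a gzip-compressed
# JSON document with a top-level "Records" list. The first record is a
# successful RunInstances in us-east-1 (not the us-west-2 home Region, which
# a multi-region Trail still captures); the second is unrelated noise; the
# third is a RunInstances that was denied and so carries errorCode and no
# responseElements. All identifiers are made up.
SAMPLE_RECORDS: Dict[str, Any] = {
    "Records": [
        {
            "eventVersion": "1.08",
            "userIdentity": {
                "type": "AssumedRole",
                "principalId": "AROAEXAMPLEID:developer",
                "arn": "arn:aws:sts::111122223333:assumed-role/AWSAdministratorAccess/developer",
                "accountId": "111122223333",
            },
            "eventTime": "2020-05-10T18:21:03Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "requestParameters": {"instanceType": "t2.micro"},
            "responseElements": {
                "instancesSet": {"items": [{"instanceId": "i-0abc123def456ghi7"}]}
            },
            "recipientAccountId": "111122223333",
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"},
            "eventTime": "2020-05-10T18:21:05Z",
            "eventSource": "sts.amazonaws.com",
            "eventName": "AssumeRole",
            "awsRegion": "us-west-2",
            "recipientAccountId": "111122223333",
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {
                "type": "IAMUser",
                "arn": "arn:aws:iam::111122223333:user/intern",
                "accountId": "111122223333",
            },
            "eventTime": "2020-05-10T18:25:40Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances",
            "awsRegion": "us-west-2",
            "sourceIPAddress": "198.51.100.7",
            "errorCode": "Client.UnauthorizedOperation",
            "errorMessage": "You are not authorized to perform this operation.",
            "responseElements": None,
            "recipientAccountId": "111122223333",
        },
    ]
}


def sample_log_file() -> bytes:
    """The constructed records gzip-compressed, as CloudTrail writes them to S3."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode("utf-8"))


def sample_cloudwatch_message() -> bytes:
    """One record on its own, as it appears as a CloudWatch Logs message."""
    return json.dumps(SAMPLE_RECORDS["Records"][0]).encode("utf-8")


def iter_records(raw: bytes) -> Iterator[Dict[str, Any]]:
    """Yield CloudTrail records from either an S3 log file or a CloudWatch Logs message."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes: S3 delivery is compressed
        raw = gzip.decompress(raw)
    doc = json.loads(raw)
    if isinstance(doc, dict) and "Records" in doc:
        yield from doc["Records"]  # S3 file: {"Records": [...]}
    else:
        yield doc  # CloudWatch Logs message: a single record object


def find_run_instances(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Summarise each RunInstances call that actually launched Instances."""
    hits: List[Dict[str, Any]] = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        if "errorCode" in rec:  # denied or failed calls launched nothing
            continue
        # responseElements may be JSON null, so "or {}" rather than a .get default
        items = ((rec.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
        hits.append({
            "account": rec.get("recipientAccountId"),
            "region": rec.get("awsRegion"),
            "principal": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "instance_ids": [item["instanceId"] for item in items],
            "time": rec.get("eventTime"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_run_instances(iter_records(sample_log_file())):
        print(json.dumps(hit))
```

The errorCode branch matters in practice: a denied RunInstances is still logged (and is often the more interesting event), but it carries no instancesSet, so code that assumes responseElements is present will fail on it. In the CloudWatch Logs console the equivalent one-liner is a Logs Insights query such as `fields @timestamp, userIdentity.arn, awsRegion | filter eventName = "RunInstances"` against the Trail's Log Group.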


AWS Control Tower By Example: Part 3