There should be at least one multi-region CloudTrail trail per AWS account
Description
Ensures an AWS CloudTrail trail is enabled across all AWS regions for each account.
Rationale
The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
Perform the following to enable global (Multi-region) CloudTrail logging:
From the console
- Sign in to the AWS Management Console and open the IAM console
- Click Trails on the left navigation pane
- Click Get Started Now, if present
- Click Add new trail
- Enter a trail name in the Trail name box
- Set the Apply trail to all regions option to Yes
- Specify an S3 bucket name in the S3 bucket box
- Click Create
- If any trails already exist, select the target trail to enable global logging
- Click the pencil (edit) icon next to Apply trail to all regions, click Yes, and click Save
- Click the pencil (edit) icon next to Management Events
- Click All for the Read/Write Events setting
- Click Save
From the command line
Create or update a trail to enable multi-region CloudTrail logging:
- To create, run:
aws cloudtrail create-trail --name <trail_name> \
--bucket-name <s3_bucket_for_cloudtrail> \
--is-multi-region-trail
- To update, run:
aws cloudtrail update-trail --name <trail_name> \
--is-multi-region-trail
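To verify the control rather than only configure it, the following is an added example (not part of this page) that evaluates an account from the JSON that `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status` return. The trail names, ARNs, bucket name and account id are constructed sample values, and the check treats a multi-region trail whose logging is stopped as non-compliant.

```python
# Added example: evaluate one account against the multi-region trail rule
# using the JSON shapes the AWS CLI returns. All values below are constructed.
import json

# Constructed `aws cloudtrail describe-trails` output: one regional trail and
# one multi-region trail. Field names match the CLI's trailList entries.
DESCRIBE_TRAILS_OUTPUT = json.dumps({"trailList": [
    {"Name": "regional-only", "HomeRegion": "us-east-1",
     "S3BucketName": "example-cloudtrail-logs", "IsMultiRegionTrail": False,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/regional-only"},
    {"Name": "all-regions", "HomeRegion": "eu-west-1",
     "S3BucketName": "example-cloudtrail-logs", "IsMultiRegionTrail": True,
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/all-regions"},
]})

# Constructed `aws cloudtrail get-trail-status --name <arn>` results, keyed by ARN.
TRAIL_STATUS = {
    "arn:aws:cloudtrail:us-east-1:123456789012:trail/regional-only": {"IsLogging": True},
    "arn:aws:cloudtrail:eu-west-1:123456789012:trail/all-regions": {"IsLogging": True},
}


def active_multi_region_trails(describe_output, status_by_arn):
    """Names of trails that are multi-region AND currently delivering logs.

    A multi-region trail that exists but has logging stopped does not satisfy
    the rule, so IsLogging from get-trail-status is checked as well.
    """
    trails = json.loads(describe_output).get("trailList", [])
    return [
        t["Name"] for t in trails
        if t.get("IsMultiRegionTrail")
        and status_by_arn.get(t["TrailARN"], {}).get("IsLogging", False)
    ]


def evaluate(describe_output, status_by_arn):
    """Return (compliant, finding) for one account."""
    names = active_multi_region_trails(describe_output, status_by_arn)
    if names:
        return True, "multi-region trail(s) logging: " + ", ".join(names)
    return False, "no multi-region CloudTrail trail is enabled and logging"


if __name__ == "__main__":
    ok, msg = evaluate(DESCRIBE_TRAILS_OUTPUT, TRAIL_STATUS)
    print(("PASS: " if ok else "FAIL: ") + msg)
```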