Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Using AWS Organizations can you create a Cloudtrail Lake in a different account than the Management account

1

Looking at the user guide, it seems to imply you can only create the datalake in the management account; which seems counter-intutive since using Control Tower they used to create the combined Cloudtail log in a seperate Log Archive account. Ideally, I'd like to place it in a Security account which seems like where it would belong. Am I missing anything?

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store.html

To have your event data store collect events from all accounts in an AWS Organizations organization, select Enable for all accounts in my organization. You must be signed in to the management account for the organization to create an event data store that collects events for an organization.

Argomenti
Gestione e amministrazione
Tag
Organizzazioni AWSAWS CloudTrail
Lingua
English
larryjkl
posta 2 anni fa908 visualizzazioni
4 Risposte
0
Risposta accettata

CloudTrail now supports Delegated admin capability. You may create an organization level Lake now from the designated Delegated admin account. https://aws.amazon.com/about-aws/whats-new/2022/11/aws-cloudtrail-delegated-account-support-aws-organizations/

AWS
Gokultn
con risposta un anno fa
0

Correct, it must be created from the management account as it's for centralized management collecting events from all of the AWS Account in an AWS Org setup. In terms of support for this feature, there'e an open feature enhancement requesting this for future releases.

AWS
nael
con risposta 2 anni fa
0

hey @gokultn trying to create an Org Lake in a delegated admin account but still get messaging saying I must be signed in from management account when I hit create button after selecting include all org events. Is any particular IAM permission also needed?

axa
con risposta un anno fa
0

actually I think its a bug, you cannot change an existing event data store to capture events from all accounts after becoming a delegated admin (even tho console gives you the option to). you can create a new event data store that does capture from all accounts though.

axa
con risposta un anno fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente