Hi Hannah,
To enable Trusted Access for CloudTrail across your Organization from the CloudTrail Console, you can create an Organization trail, as mentioned in the docs here: [1].
If you enable trusted access by creating a trail from the AWS CloudTrail console, trusted access is configured automatically for you (recommended).
Remember to check the box "Enable for all accounts in my organization", as you can see in the screenshot below:
Furthermore, in my opinion, you should choose to use "Delegated Administrator", since it will be a member account that can perform administrative tasks like creating trails and event data stores on behalf of the entire organization. In that case, you can minimize using your "Management" account to perform administrative tasks.
Alternatives like adding individual policies to accounts or organization units would require more ongoing maintenance and lack centralized visibility compared to using a delegated administrator.
References:
[1] https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudtrail.html#integrate-enable-ta-cloudtrail
[2] https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-in-the-console.html
Thanks,
Atul
From the choose trail attributes picture above, it looks like the option for 'Enable for all accounts' would allow all accounts in the organisation to access Cloudtrail. So if I only want limited accounts to access Cloudtrail I should use Delegated Administrator. Is that right?
If you need only a few specific accounts to send their logs in CloudTrail, you can simply go with individual policies. Please be mindful that you would need to configure and manage the permissions for it. Ref: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html.
And, using a Delegated Administrator will simply shift the administration responsibilities from Management account to a delegated member account. It won't restrict to a limited set of accounts. If you enable Cloudtrail at the organization level, either it's enabled for all accounts within the organization or none at all. Ref: https://repost.aws/questions/QUthASABVNQlepdjCNc8sEIw/is-it-possible-to-exclude-certain-accounts-when-creating-an-org-wide-cloudtrail
Hope this makes things clear.
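As an added example (not code from the answer above), here is what the "individual policies" route from the multi-account docs looks like in practice: a Python helper that builds the S3 bucket policy granting CloudTrail write access only for an explicit list of account IDs, plus an audit function that reads back which accounts an existing policy actually admits. The bucket name and account IDs are constructed placeholders; the statement shape follows the AWS documentation for receiving logs from multiple accounts.

```python
# Constructed sample values (not from the thread); substitute your own.
BUCKET = "example-shared-cloudtrail-logs"
ACCOUNT_IDS = ["111111111111", "222222222222"]
CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}


def cloudtrail_bucket_policy(bucket, account_ids):
    """Bucket policy letting CloudTrail from each listed account write only into
    its own AWSLogs/<account-id>/ folder (the ACL-check + PutObject shape from
    the AWS multi-account docs). The account list is what must be maintained."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL,
                "Action": "s3:PutObject",
                "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in account_ids],
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def accounts_allowed_to_write(policy):
    """Audit helper: account IDs whose AWSLogs/<id>/ prefix the policy lets
    cloudtrail.amazonaws.com PutObject into. Run it on an existing bucket policy
    to confirm only the intended accounts are listed."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") != CLOUDTRAIL:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "s3:PutObject" not in actions and "s3:*" not in actions:
            continue
        resources = stmt.get("Resource", [])
        for res in [resources] if isinstance(resources, str) else resources:
            if "/AWSLogs/" in res:
                allowed.add(res.split("/AWSLogs/", 1)[1].split("/", 1)[0])
    return allowed
```

Adding or removing an account means editing the list and re-applying the policy, which is the ongoing maintenance the answer refers to; the audit function is the check to run afterwards.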
Thank you. Can I have multiple member accounts stated in the policy under the Delegated Administrator, so that I can restrict a limited set of accounts using Delegated Administrator?