Org level CloudTrail with CloudWatch

Question

In the AWS Managment account `1111111` I have enabled `CloudTrail`. All `CloudTrail` logs are sent to the `S3` bucket `XXXX` in the Audit Account `2222222`. This part of the configuration works fine.

I am now trying to enable the `CloudTrail` logs to be sent `CloudWatch` in account `2222222`. Because `CloudTrail` is configure at the Org level in account `1111111` but the `logs` are in an S3 bucket in account `222222` when i try to enable `CloudWatch` I get an error message saying `There is a problem with the role policy`

Has anyone configure something like this before and if they have any idea and what the Role should look like ?

Answer

At this time, CloudTrail can only support sending logs to a CloudWatch log group in the same account. This is owing to the fact that CloudTrail doesn't support AWS Organizations delegated admin feature. An alternative solution would be to use Kinesis or Lambda to automate writing those CloudWatch logs to a log group in another account.

Please look at the Centralized Logging reference architecture to see how your use case can be achieved using other services: https://aws.amazon.com/solutions/implementations/centralized-logging/

Org level CloudTrail with CloudWatch

관련 콘텐츠