2 Answers
Do you mean that AWS Config should flag trails that log events outside your preferred four regions as non-compliant, unless they are the regional manifestations of the single organisation trail you deployed via AWS Organizations?
Or do you mean that you want to have your organisation trail stop logging outside the four regions?
Hi
- If you encounter issues, check the AWS Config rule evaluation results for detailed error messages.
- Refer to the AWS Config documentation for custom rules and remediation actions: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html
- For CloudTrail trail management: https://docs.aws.amazon.com/cloudtrail/
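As an added illustration of the custom-rule approach linked above (example code, not from this thread or from AWS): the evaluation logic a Config Lambda rule could apply, flagging trails homed outside an approved region list while leaving the organization trail's per-region shadow copies alone. The four approved regions, the account id and the trail names are assumed; in a real rule the input would come from `cloudtrail.describe_trails(includeShadowTrails=True)` and the output would go to `config.put_evaluations()`.

```python
"""Evaluation logic for a custom AWS Config rule: flag CloudTrail trails homed
outside an approved region list, exempting the organization trail's copies."""
from datetime import datetime, timezone

# Hypothetical approved regions; the thread does not name its four.
APPROVED_REGIONS = {"eu-west-1", "eu-west-2", "eu-central-1", "eu-north-1"}

def trail(name, home, multi, org):
    """Constructed record in the shape of describe_trails()['trailList'] items."""
    return {"Name": name, "HomeRegion": home, "IsMultiRegionTrail": multi,
            "IsOrganizationTrail": org,
            "TrailARN": f"arn:aws:cloudtrail:{home}:111111111111:trail/{name}"}

# Constructed sample as returned with includeShadowTrails=True: the org trail
# shows up once per region as a shadow copy sharing the same TrailARN.
SAMPLE_TRAILS = [
    trail("org-trail", "eu-west-1", True, True),
    trail("org-trail", "eu-west-1", True, True),   # shadow copy seen from another region
    trail("dev-trail", "ap-southeast-2", False, False),
    trail("local-trail", "eu-west-2", False, False),
    trail("acct-all-regions", "eu-central-1", True, False),
]

def classify_trail(t, approved):
    """Return (ComplianceType, Annotation) for one trail record."""
    if t.get("IsOrganizationTrail"):
        return "COMPLIANT", "Organization trail; regional copies are expected"
    home = t.get("HomeRegion", "")
    if home not in approved:
        return "NON_COMPLIANT", f"Home region {home} is not approved"
    if t.get("IsMultiRegionTrail"):
        return "NON_COMPLIANT", "Account multi-region trail records events outside approved regions"
    return "COMPLIANT", f"Single-region trail in approved region {home}"

def evaluate_trails(trails, approved=APPROVED_REGIONS):
    """Build config.put_evaluations() entries, one per distinct TrailARN."""
    seen, evaluations, now = set(), [], datetime.now(timezone.utc)
    for t in trails:
        arn = t["TrailARN"]
        if arn in seen:          # collapse shadow copies of multi-region trails
            continue
        seen.add(arn)
        compliance, note = classify_trail(t, approved)
        evaluations.append({"ComplianceResourceType": "AWS::CloudTrail::Trail",
                            "ComplianceResourceId": arn, "ComplianceType": compliance,
                            "Annotation": note, "OrderingTimestamp": now})
    return evaluations

if __name__ == "__main__":
    for ev in evaluate_trails(SAMPLE_TRAILS):
        print(ev["ComplianceType"], ev["ComplianceResourceId"], "-", ev["Annotation"])
```

Because the shadow copies collapse onto one ARN, the organization trail yields a single COMPLIANT evaluation even though it is visible in every enabled region.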
Service-linked roles (SLRs) like the ones CloudTrail uses are exempt from the effects of SCPs, so your SCP won't hurt the organisation trail. Is your question then about having AWS Config flag trails as non-compliant when discovered doing logging in regions other than the 4 you want to use?
Delete what @arglaws1995?
Hi Leo K, I need to know if there is a way to delete the CloudTrail for regions which are not approved and keep the rest?
It's strongly recommended to keep your organisation trail active in all regions that are enabled. It won't do any harm, because the event data is delivered to a single S3 bucket in a single region (and not in the non-preferred regions), but it can be a life-saver (figuratively speaking) if or when something unintended happens in the remote regions. It also won't incur practically any costs when there are no events to record in the remote regions. To answer your question specifically, it isn't possible to configure the single trail to operate in multiple specific regions.