How to turn on Trusted Access on CloudTrail

  1. I am wondering whereabouts on CloudTrail I can turn on Trusted Access as directed by the AWS Organisation->Services page. When I click Enable Trusted Access a window prompted me to enable trusted access using the CloudTrail console.

  2. I am also not sure if I should use Trusted Access, Delegated Administrator or just add a policy to the organisation unit account to allow permission to CloudTrail.

Lottie
asked 3 months ago, 242 views
1 Answer
Accepted Answer

Hi Hannah,

To enable Trusted Access for CloudTrail across your Organization from the CloudTrail Console, you can create an Organization trail, as mentioned in the docs here: [1].

If you enable trusted access by creating a trail from the AWS CloudTrail console, trusted access is configured automatically for you (recommended).

Remember to check the box Enable for all accounts in my organization, as you can see in the screenshot below:
[Screenshot: Choose trail attributes]

Furthermore, in my opinion, you should choose to use "Delegated Administrator", since it will be a member account that can perform administrative tasks like creating trails and event data stores on behalf of the entire organization. In that case, you can minimize using your "Management" account to perform administrative tasks.
Alternatives like adding individual policies to accounts or organization units would require more ongoing maintenance and lack centralized visibility compared to using a delegated administrator.

References:
[1] https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudtrail.html#integrate-enable-ta-cloudtrail
[2] https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-in-the-console.html

Thanks,
Atul

answered 3 months ago
reviewed 3 months ago by AWS EXPERT
  • From the choose trail attributes picture above, it looks like the option for 'Enable for all accounts' would allow all accounts in the organisation to access Cloudtrail. So if I only want limited accounts to access Cloudtrail I should use Delegated Administrator. Is that right?

  • If you need only a few specific accounts to send their logs in CloudTrail, you can simply go with individual policies. Please be mindful that you would need to configure and manage the permissions for it. Ref: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html.

    And, using a Delegated Administrator will simply shift the administration responsibilities from Management account to a delegated member account. It won't restrict to a limited set of accounts. If you enable Cloudtrail at the organization level, either it's enabled for all accounts within the organization or none at all. Ref: https://repost.aws/questions/QUthASABVNQlepdjCNc8sEIw/is-it-possible-to-exclude-certain-accounts-when-creating-an-org-wide-cloudtrail

    Hope this makes things clear.

  • Thank you. Can I have multiple member accounts stated in the policy under the Delegated Administrator, so that I can restrict a limited set of accounts using Delegated Administrator?
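The three steps the accepted answer and the follow-up comments describe (enable trusted access for CloudTrail, register a delegated administrator, create an organization trail that covers every account) as an added example using the AWS Organizations and CloudTrail APIs via boto3; this is not code from the original thread or from AWS. It assumes the caller passes boto3 clients created with management-account credentials, and the `delegated_admin`, trail name and bucket name are placeholders; each function is idempotent so it can be rerun safely.

```python
"""Enable CloudTrail trusted access, delegate admin, create an org trail.

Assumption: callers pass boto3 clients for 'organizations' and 'cloudtrail'
(management account). Clients are parameters so the logic can be exercised
offline with fakes. An organization trail is all-or-nothing: it covers every
account, and delegating administration does not narrow that set.
"""
CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"


def trusted_access_enabled(org):
    """True if CloudTrail is among the org's enabled service principals."""
    resp = org.list_aws_service_access_for_organization()
    return any(p["ServicePrincipal"] == CLOUDTRAIL_PRINCIPAL
               for p in resp.get("EnabledServicePrincipals", []))


def ensure_trusted_access(org):
    """Enable trusted access only when it is not already on; return True if changed."""
    if trusted_access_enabled(org):
        return False
    org.enable_aws_service_access(ServicePrincipal=CLOUDTRAIL_PRINCIPAL)
    return True


def ensure_delegated_admin(org, account_id):
    """Register a member account as CloudTrail delegated administrator."""
    current = org.list_delegated_administrators(ServicePrincipal=CLOUDTRAIL_PRINCIPAL)
    if any(a["Id"] == account_id for a in current.get("DelegatedAdministrators", [])):
        return False
    org.register_delegated_administrator(AccountId=account_id,
                                         ServicePrincipal=CLOUDTRAIL_PRINCIPAL)
    return True


def ensure_org_trail(ct, name, bucket):
    """Create a multi-region organization trail if missing and start logging."""
    existing = ct.describe_trails(includeShadowTrails=False)["trailList"]
    if any(t["Name"] == name and t.get("IsOrganizationTrail") for t in existing):
        return False
    ct.create_trail(Name=name, S3BucketName=bucket, IsMultiRegionTrail=True,
                    IsOrganizationTrail=True, EnableLogFileValidation=True)
    ct.start_logging(Name=name)  # create_trail alone does not start delivery
    return True


if __name__ == "__main__":
    import boto3  # only needed for a live run against AWS
    org, ct = boto3.client("organizations"), boto3.client("cloudtrail")
    print("trusted access changed:", ensure_trusted_access(org))
    print("delegated admin changed:", ensure_delegated_admin(org, "111111111111"))  # placeholder
    print("org trail changed:", ensure_org_trail(ct, "org-trail", "my-org-cloudtrail-bucket"))  # placeholder
```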
