Org level CloudTrail with CloudWatch

1

In the AWS Management account 1111111 I have enabled CloudTrail. All CloudTrail logs are sent to the S3 bucket XXXX in the Audit Account 2222222. This part of the configuration works fine.

I am now trying to enable the CloudTrail logs to be sent to CloudWatch in account 2222222. Because CloudTrail is configured at the Org level in account 1111111 but the logs are in an S3 bucket in account 222222, when I try to enable CloudWatch I get an error message saying "There is a problem with the role policy".

Has anyone configured something like this before, and if so, do they have any idea what the Role should look like?

1 Answer
0

At this time, CloudTrail can only support sending logs to a CloudWatch log group in the same account. This is owing to the fact that CloudTrail doesn't support the AWS Organizations delegated admin feature. An alternative solution would be to use Kinesis or Lambda to automate writing those CloudWatch logs to a log group in another account.

Please look at the Centralized Logging reference architecture to see how your use case can be achieved using other services: https://aws.amazon.com/solutions/implementations/centralized-logging/

AWS
Noam
answered 2 years ago
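As an added example (not code from the question or the answer), this is the Lambda route the answer suggests: an S3 ObjectCreated notification on the CloudTrail bucket in the Audit account invokes the function, which decompresses the delivered CloudTrail file, turns its records into CloudWatch log events in chronological order, batches them within the PutLogEvents quotas, and writes them to a log group in that same account, so no cross-account CloudTrail-to-CloudWatch role is needed. The log group name and the sample records are assumptions; the function's execution role is assumed to have s3:GetObject on the bucket and logs:CreateLogStream plus logs:PutLogEvents on the group.

```python
import gzip
import io
import json
from datetime import datetime, timezone
LOG_GROUP = "/cloudtrail/org-forwarded"  # assumed name for this example
MAX_EVENTS_PER_BATCH, MAX_BATCH_BYTES, PER_EVENT_OVERHEAD = 10_000, 1_048_576, 26  # PutLogEvents quotas
# Constructed sample: a minimal CloudTrail log file (gzipped JSON), records out of order.
SAMPLE_FILE = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2023-01-01T00:00:10Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}},
    {"eventTime": "2023-01-01T00:00:05Z", "eventName": "CreateUser", "userIdentity": {"type": "IAMUser"}},
]}).encode())

def cloudtrail_records(gz_bytes):
    """Decompress one CloudTrail log file and return its Records list."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh).get("Records", [])

def to_log_events(records):
    """Map records to CloudWatch log events, sorted because PutLogEvents requires chronological order."""
    events = []
    for rec in records:
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"timestamp": int(ts.timestamp() * 1000), "message": json.dumps(rec, separators=(",", ":"))})
    return sorted(events, key=lambda e: e["timestamp"])

def batch_events(events):
    """Split events into batches within the PutLogEvents count and byte quotas."""
    batches, current, size = [], [], 0
    for ev in events:
        ev_size = len(ev["message"].encode("utf-8")) + PER_EVENT_OVERHEAD
        if current and (len(current) >= MAX_EVENTS_PER_BATCH or size + ev_size > MAX_BATCH_BYTES):
            batches.append(current)
            current, size = [], 0
        current.append(ev)
        size += ev_size
    return batches + [current] if current else batches

def handler(event, context):
    """Lambda entry point for S3 ObjectCreated notifications on the CloudTrail bucket."""
    import boto3  # imported here so the pure functions above stay importable offline
    s3, logs = boto3.client("s3"), boto3.client("logs")
    for r in event["Records"]:
        bucket, key = r["s3"]["bucket"]["name"], r["s3"]["object"]["key"]
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        try:  # one log stream per delivered CloudTrail file; ignore if it already exists
            logs.create_log_stream(logGroupName=LOG_GROUP, logStreamName=key)
        except logs.exceptions.ResourceAlreadyExistsException:
            pass
        for batch in batch_events(to_log_events(cloudtrail_records(body))):
            logs.put_log_events(logGroupName=LOG_GROUP, logStreamName=key, logEvents=batch)
```

Each CloudTrail file covers only a few minutes, so a single file never breaches the 24-hour span limit PutLogEvents also imposes on a batch.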
