Using Cloud Trail Console to view all events in multi-account CloudTrail ( created via Organizations )
Still working on understanding all of the parts. We have a hierarchy of accounts configured using Control Tower and Organizations. There is an organization trail created in the "Log Audit" account that was created via Control Tower and I can see the various accounts' individual Cloud Trail logs as "subdirectories" in the main Cloud Trail location.
I'm trying to see if there is a way to query all of the Cloud Trail logs in the organization trail. When I query for events using Cloud Trail in an account it seems like it is only looking at the trail for that account, even in the "Log Audit" account. Is there an easy way to query all of the trails in the organization trail, like from the "Log Audit" account? I was kind of expecting there would be. If not, any suggestions on how someone would be able to query all events in the organization trail (i.e. across all accounts)?
Using Athena to query is pretty easy and effective, though there's a little setup to do - see https://www.linkedin.com/pulse/using-athena-partition-projection-query-cloudtrail-other-kinsman/.
Also you can use CloudTrail Lake, see a comparison with Athena here - https://www.linkedin.com/pulse/querying-aws-cloudtrail-athena-vs-lake-steve-kinsman/.
Your LinkedIn link was immensely helpful; I was able to use the query to create the Athena table and then start running queries across all of the accounts. The only downside I really see is having to specify the accountIds as part of the table definition; that seems like one of those easy things that could be forgotten, but that seems like more of an Athena limitation. Thanks again, worked great. Will look at CloudTrail Lake at some point in the future.
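For readers who want to see what the Athena approach from the answer and the "accountIds in the table definition" point from the follow-up look like in practice, here is an added example (not code from the thread or from the linked article). It assumes a Control Tower organization trail whose objects sit under `AWSLogs/<org-id>/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/`; the bucket name, organization id, account ids, region list and table name are placeholders, and only a subset of CloudTrail columns is declared.

```sql
-- Athena table over the organization trail using partition projection, so no
-- MSCK REPAIR or Glue crawler is needed. Bucket, org id, account ids and regions
-- are placeholders; replace them with your own values.
CREATE EXTERNAL TABLE org_cloudtrail (
    eventversion        STRING,
    useridentity        STRUCT<type:STRING, principalid:STRING, arn:STRING,
                               accountid:STRING, username:STRING>,
    eventtime           STRING,
    eventsource         STRING,
    eventname           STRING,
    awsregion           STRING,
    sourceipaddress     STRING,
    useragent           STRING,
    errorcode           STRING,
    errormessage        STRING,
    requestparameters   STRING,
    responseelements    STRING,
    eventid             STRING,
    readonly            STRING,
    recipientaccountid  STRING
)
PARTITIONED BY (account STRING, region STRING, dt STRING)
ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://PLACEHOLDER-LOG-ARCHIVE-BUCKET/AWSLogs/o-PLACEHOLDER/'
TBLPROPERTIES (
    'projection.enabled'          = 'true',
    'projection.account.type'     = 'enum',
    'projection.account.values'   = '111111111111,222222222222,333333333333',
    'projection.region.type'      = 'enum',
    'projection.region.values'    = 'us-east-1,us-west-2,eu-west-1',
    'projection.dt.type'          = 'date',
    'projection.dt.format'        = 'yyyy/MM/dd',
    'projection.dt.range'         = '2023/01/01,NOW',
    'projection.dt.interval'      = '1',
    'projection.dt.interval.unit' = 'DAYS',
    'storage.location.template'   =
      's3://PLACEHOLDER-LOG-ARCHIVE-BUCKET/AWSLogs/o-PLACEHOLDER/${account}/CloudTrail/${region}/${dt}'
);

-- Org-wide query from the Log Archive account: failed console sign-ins and
-- IAM write calls across every listed account in the last 7 days. Filtering on
-- the partition columns keeps the S3 scan (and the cost) bounded.
SELECT account, awsregion, eventtime, eventname, useridentity.arn, sourceipaddress
FROM org_cloudtrail
WHERE dt >= date_format(current_date - interval '7' day, '%Y/%m/%d')
  AND ( (eventname = 'ConsoleLogin'
         AND json_extract_scalar(responseelements, '$.ConsoleLogin') = 'Failure')
     OR (eventsource = 'iam.amazonaws.com' AND readonly = 'false') )
ORDER BY eventtime DESC;
```

The `projection.account.values` list is the part that has to be maintained by hand: an account added to the organization later is invisible to this table until its id is appended, so treat that property as part of account-onboarding.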