Using the CloudTrail console to view all events in a multi-account CloudTrail (created via Organizations)


Still working on understanding all of the parts. We have a hierarchy of accounts configured using Control Tower and Organizations. There is an organization trail created in the "Log Audit" account that was created via Control Tower and I can see the various accounts' individual CloudTrail logs as "subdirectories" in the main CloudTrail location.

I'm trying to see if there is a way to query all of the CloudTrail logs in the organization trail. When I query for events using CloudTrail in an account it seems like it is only looking at the trail for that account, even in the "Log Audit" account. Is there an easy way to query all of the trails in the organization trail, like from the "Log Audit" account? I was kind of expecting there would be. If not, any suggestions on how someone would be able to query all events in the organization trail (i.e. across all accounts)?

asked 2 years ago · 1321 views
1 Answer
Accepted Answer

Using Athena to query is pretty easy and effective, though there's a little setup to do - see https://www.linkedin.com/pulse/using-athena-partition-projection-query-cloudtrail-other-kinsman/.

Also you can use CloudTrail Lake, see a comparison with Athena here - https://www.linkedin.com/pulse/querying-aws-cloudtrail-athena-vs-lake-steve-kinsman/.

EXPERT
answered 2 years ago
  • Your LinkedIn link was immensely helpful; I was able to use the query to create the Athena table and then start running queries across all of the accounts. The only downside I really see is having to specify the accountIds as part of the table definition; that seems like one of those easy things that could be forgotten, but that seems like more of an Athena limitation. Thanks again, worked great. Will look at CloudTrail Lake at some point in the future.
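The Athena route from the accepted answer, as an added example that is not code from the original post or the linked articles: a table with partition projection over an organization trail, plus one query that runs across every member account. BUCKET-NAME, the organization id, the account and region lists and the start date are assumed placeholders to replace with your own values, and the S3 layout assumed is the standard organization-trail layout (if your trail writes under a key prefix, add it to both LOCATION and the template).

```sql
-- Added example, not from the original answer or the linked articles.
-- Member accounts are an enum partition: the list is maintained by hand, so a
-- newly created account is silently invisible in results until it is appended
-- here (the limitation the comment above points out).
CREATE EXTERNAL TABLE org_cloudtrail (
  userIdentity STRUCT<type:STRING, principalId:STRING, arn:STRING,
                      accountId:STRING, accessKeyId:STRING, userName:STRING>,
  eventTime STRING,
  eventSource STRING,
  eventName STRING,
  awsRegion STRING,
  sourceIpAddress STRING,
  userAgent STRING,
  errorCode STRING,
  errorMessage STRING,
  requestParameters STRING,
  responseElements STRING,
  eventId STRING
)
PARTITIONED BY (account_id STRING, region STRING, dt STRING)
ROW FORMAT SERDE 'org.apache.hive.hcatalog.data.JsonSerDe'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://BUCKET-NAME/AWSLogs/o-xxxxxxxxxx/'
TBLPROPERTIES (
  'projection.enabled' = 'true',
  'projection.account_id.type' = 'enum',
  'projection.account_id.values' = '111111111111,222222222222,333333333333',
  'projection.region.type' = 'enum',
  'projection.region.values' = 'us-east-1,us-west-2,eu-west-1',
  'projection.dt.type' = 'date',
  'projection.dt.format' = 'yyyy/MM/dd',
  'projection.dt.range' = '2022/01/01,NOW',
  'projection.dt.interval' = '1',
  'projection.dt.interval.unit' = 'DAYS',
  'storage.location.template' =
    's3://BUCKET-NAME/AWSLogs/o-xxxxxxxxxx/${account_id}/CloudTrail/${region}/${dt}'
);

-- Cross-account query: denied API calls over the last 7 days, per account.
-- Filtering on dt keeps the scan to the projected day partitions only.
SELECT account_id, eventSource, eventName, errorCode, count(*) AS calls
FROM org_cloudtrail
WHERE dt >= date_format(CAST(date_add('day', -7, current_date) AS timestamp), '%Y/%m/%d')
  AND errorCode IN ('AccessDenied', 'UnauthorizedOperation')
GROUP BY account_id, eventSource, eventName, errorCode
ORDER BY calls DESC;
```

Run the CREATE statement once in the "Log Audit" account (the Athena role needs s3:GetObject and s3:ListBucket on the trail bucket); the SELECT can then be reused with any other filter, and a WHERE on account_id or region narrows the projected partitions further.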
