Hit an API rate limit when setting up an Organization CloudTrail; is this normal?

0

At my company we are testing an Organization CloudTrail as part of a centralized logging strategy.

For the most part this Org CloudTrail model seems to fit the bill; however, I ran into a bit of a disappointment operationally when I first saved off the configuration.

We have an AWS Organization and a handful of Member accounts, and while all of them did 'receive' the CloudTrail configuration, 2 of those accounts showed the Org CloudTrail with a Status of 'Off.' (The other accounts were fine and showed Status of 'Logging.')

I looked at Event History in the affected accounts, and I found that when the configuration was executed, I hit what looks like an API rate limit; here are the fields which I think are relevant:

User name = CloudTrailOrganizationReplication

Event source = cloudtrail.amazonaws.com

Event name = PutEventSelectors

AWS region = us-east-1

Error code = ThrottlingException

Recipient Account Id = <Failed account id>

I was able to 'kick' the logging in these accounts by going back to the Org CloudTrail settings and disabling, then re-enabling, a setting (I chose Log File Validation but maybe others would have also worked). After this, all accounts went into Logging state.

I also deleted the configuration entirely and repeated it 2 other times, and the problem did not occur again. So while I think I've found the root cause of the issue, and something of a workaround, is this to be expected? It seems sad that I would hit an API rate limit when AWS is offering this Org CloudTrail as a service that can randomly fail setup and there is no way for me to control the request rate. At this point I think our SOP will have to include a step to actually validate the logging of all accounts anytime this is set up as well as on new accounts anytime we bring a new account into the Org, but it is something of a nuisance and not confidence-inspiring.

Thanks for any advice!

asked a month ago · 244 views
No Answers
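Added example (not part of the original post and not AWS's own code): one way to script the validation step the question proposes for the SOP, flagging any account where the organization trail is missing or shows as not logging. It assumes each member account has the default `OrganizationAccountAccessRole` role, that a member account can read the organization trail's status through `GetTrailStatus` (as the per-account console status in the post suggests), and uses `us-east-1` from the event above; `FakeCloudTrail` and the account IDs are constructed for the offline demo.

```python
# Added example: audit that an organization trail is logging in every account.

def org_trail_status(cloudtrail):
    """Map each organization trail ARN this client can see to its IsLogging flag."""
    trails = cloudtrail.describe_trails(includeShadowTrails=True)["trailList"]
    return {t["TrailARN"]: cloudtrail.get_trail_status(Name=t["TrailARN"])["IsLogging"]
            for t in trails if t.get("IsOrganizationTrail")}

def audit(account_ids, client_for):
    """Return {account_id: reason} for every account that needs attention."""
    findings = {}
    for account_id in account_ids:
        try:
            status = org_trail_status(client_for(account_id))
        except Exception as exc:  # AccessDenied, ThrottlingException, ...
            findings[account_id] = f"check failed: {exc}"
            continue
        if not status:
            findings[account_id] = "no organization trail visible"
        elif not all(status.values()):
            findings[account_id] = "organization trail is not logging"
    return findings

def aws_client_for(role_name="OrganizationAccountAccessRole", region="us-east-1"):
    """Build client_for() using STS AssumeRole; role name and region are assumptions."""
    import boto3  # imported lazily so the audit logic runs without AWS access
    sts = boto3.client("sts")
    def client_for(account_id):
        creds = sts.assume_role(
            RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
            RoleSessionName="org-trail-audit")["Credentials"]
        return boto3.client("cloudtrail", region_name=region,
                            aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"])
    return client_for

class FakeCloudTrail:
    """Constructed stand-in for a CloudTrail client, used for the offline demo."""
    def __init__(self, logging):
        self.logging = logging
    def describe_trails(self, includeShadowTrails=True):
        return {"trailList": [{"TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
                               "IsOrganizationTrail": True}]}
    def get_trail_status(self, Name):
        return {"IsLogging": self.logging}

if __name__ == "__main__":
    # Constructed data: account 333333333333 mimics the 'Off' state from the post.
    state = {"222222222222": True, "333333333333": False}
    print(audit(state, lambda acct: FakeCloudTrail(state[acct])))
```

For a real run from the management account, pass the member account IDs returned by the Organizations `list_accounts` call as the first argument and `aws_client_for()` as the second.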
