By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Using AWS Organizations can you create a Cloudtrail Lake in a different account than the Management account

1

Looking at the user guide, it seems to imply you can only create the datalake in the management account; which seems counter-intutive since using Control Tower they used to create the combined Cloudtail log in a seperate Log Archive account. Ideally, I'd like to place it in a Security account which seems like where it would belong. Am I missing anything?

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/query-event-data-store.html

To have your event data store collect events from all accounts in an AWS Organizations organization, select Enable for all accounts in my organization. You must be signed in to the management account for the organization to create an event data store that collects events for an organization.

Topics
Management & Governance
Tags
AWS OrganizationsAWS CloudTrail
Language
English
larryjkl
asked 2 years ago890 views
4 Answers
0
Accepted Answer

CloudTrail now supports Delegated admin capability. You may create an organization level Lake now from the designated Delegated admin account. https://aws.amazon.com/about-aws/whats-new/2022/11/aws-cloudtrail-delegated-account-support-aws-organizations/

AWS
Gokultn
answered a year ago
0

Correct, it must be created from the management account as it's for centralized management collecting events from all of the AWS Account in an AWS Org setup. In terms of support for this feature, there'e an open feature enhancement requesting this for future releases.

AWS
nael
answered a year ago
0

hey @gokultn trying to create an Org Lake in a delegated admin account but still get messaging saying I must be signed in from management account when I hit create button after selecting include all org events. Is any particular IAM permission also needed?

axa
answered a year ago
0

actually I think its a bug, you cannot change an existing event data store to capture events from all accounts after becoming a delegated admin (even tho console gives you the option to). you can create a new event data store that does capture from all accounts though.

axa
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content