CloudTrail Management Events in Security Lake


According to the AWS documentation, "to collect CloudTrail management events in Security Lake, you must have at least one CloudTrail multi-Region organization trail that collects read and write CloudTrail management events." https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html

However, I'd like to set up Security Lake in a standalone account that is not part of an organization. In that case, is there any way to collect the CloudTrail management events? I am able to collect the data events but not the management events in the standalone account. Can you only collect the management events if the account is part of an organization?

2 Answers

Heard back from AWS support and this is not possible as of now in a standalone AWS account.

Steven
answered 7 months ago

You're correct that the requirement to collect CloudTrail management events in AWS Security Lake states that you need at least one CloudTrail multi-Region organization trail that collects read and write CloudTrail management events.

However, in the case of a standalone AWS account that is not part of an AWS Organization, there is a workaround you can use to collect the CloudTrail management events:

  1. Enable a CloudTrail Trail with Management and Data Events: In your standalone AWS account, create a CloudTrail trail that collects both Management Events and Data Events. This will ensure that the CloudTrail management events are being captured, even though the account is not part of an organization.

  2. Enable CloudTrail in Multiple Regions: Ensure that the CloudTrail trail is enabled in multiple AWS Regions, not just the current Region. This is a requirement for the CloudTrail trail to be considered a "multi-Region" trail, which is necessary for the data to be ingested into AWS Security Lake.

  3. Configure Security Lake to Ingest the CloudTrail Trail: When setting up the AWS Security Lake data source, make sure to select the CloudTrail trail that you've enabled for the management and data events across multiple Regions.

By following these steps, you should be able to collect the CloudTrail management events in your standalone AWS account and ingest them into AWS Security Lake, even though the account is not part of an AWS Organization.

It's worth noting that while this workaround should work, the AWS documentation clearly states the requirement of having a multi-Region organization trail for collecting CloudTrail management events in Security Lake. If you encounter any issues or limitations with this approach, you may want to consider creating an AWS Organization and setting up the CloudTrail trail at the organization level, as that is the recommended and supported configuration.

AWS
JonQ
answered 3 days ago
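Before relying on the workaround above, it helps to check a trail against the documented prerequisite (multi-Region, organization trail, read and write management events). The following is an added example, not code from either answer; it evaluates the JSON shapes returned by the CloudTrail `DescribeTrails` and `GetEventSelectors` APIs (basic event selectors only; advanced event selectors are assumed absent) over a constructed sample trail.

```python
"""Preflight check: does a CloudTrail trail satisfy the Security Lake
management-event prerequisite described in the AWS documentation?"""
from dataclasses import dataclass


@dataclass
class TrailCheck:
    name: str
    multi_region: bool        # DescribeTrails -> IsMultiRegionTrail
    organization: bool        # DescribeTrails -> IsOrganizationTrail
    management_events: bool   # GetEventSelectors -> IncludeManagementEvents
    read_and_write: bool      # GetEventSelectors -> ReadWriteType == "All"


def evaluate_trail(trail: dict, selectors: dict) -> TrailCheck:
    """trail: one entry of DescribeTrails 'trailList';
    selectors: the GetEventSelectors response for that trail."""
    mgmt = False
    read_write = False
    # Assumption: basic EventSelectors are used; AdvancedEventSelectors are not inspected.
    for sel in selectors.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents"):
            mgmt = True
            read_write = read_write or sel.get("ReadWriteType") == "All"
    return TrailCheck(
        name=trail["Name"],
        multi_region=bool(trail.get("IsMultiRegionTrail")),
        organization=bool(trail.get("IsOrganizationTrail")),
        management_events=mgmt,
        read_and_write=read_write,
    )


def missing_requirements(check: TrailCheck) -> list[str]:
    """Return the documented prerequisites this trail does not meet (empty list = compliant)."""
    gaps = []
    if not check.multi_region:
        gaps.append("multi-Region trail")
    if not check.organization:
        gaps.append("organization trail")
    if not check.management_events:
        gaps.append("management events enabled")
    if not check.read_and_write:
        gaps.append("read and write management events")
    return gaps


# Constructed sample: a multi-Region trail in a standalone account, as in the workaround above.
SAMPLE_TRAIL = {"Name": "standalone-mgmt-trail", "IsMultiRegionTrail": True, "IsOrganizationTrail": False}
SAMPLE_SELECTORS = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]}

if __name__ == "__main__":
    print(missing_requirements(evaluate_trail(SAMPLE_TRAIL, SAMPLE_SELECTORS)))
```

For the constructed standalone trail the only reported gap is "organization trail", which is exactly the point the first answer and AWS support make.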
