Control Tower Organizational Trail with delegated account

Question

Hi,

is it possible to use Organizational Trail with Control Tower but defining a delegated account? 
since Nov 2022 (https://aws.amazon.com/about-aws/whats-new/2022/11/aws-cloudtrail-delegated-account-support-aws-organizations/?nc1=h_ls) AWS Cloudtrail supports delegated account for organizational Trail. Control Tower v3 adopts organizational trail in July 2022 (https://aws.amazon.com/about-aws/whats-new/2022/07/aws-control-tower-adopts-aws-cloudtrail-organization-logging/). When you configure Control Tower you define if you opt-in to use organizational trail. But I guess it's managed from management account, which seems not to be aligned with Control Tower philosophy (only use management account for CT management purposes; Cloudtrail logs review looks more related to Audit/Security instead of management).

Is it possible to use a delegated account for this purpose (like you can do for GuardDuty and Security Hub)?

TIA.

Accepted Answer

Hi THere

This is one of the purposes of the [Audit account](
From https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html#what-shared).  The audit account is a restricted account that's designed to give your security and compliance teams read and write access to all accounts in your landing zone. From the audit account, you have programmatic access to review accounts, by means of a role that is granted to Lambda functions only. The audit account does not allow you to log in to other accounts manually.

You can query the CloudTrail logs in the Log Archive from the Audit account using the role aws-controltower-AuditReadOnlyRole with Lambda  to gain access to the logs in the Log Archive. The role assumes aws-controltower-ReadOnlyExecutionRole in the Log Archive account granting read only access.

Answer

Thanks a lot Matt-B for your answer. 
Let me explain a little bit better my question. I agree with you that this would be the purpose of Audit account. And being the delegated account is something possible with Security Hub and GuardDuty when using Control Tower: each new account can have these services enabled in an organizational way, so all events  are sent to Audit account, and then from there they are archived in S3 bucket in log archiving account. From Security Hub and GuardDuty in the Audit account it's possible to review recent events, and in case an old event is required Audit account can read it from log Archiving.
My question is about organizational CloudTrail trail; delegated account for this service is a new feature (since Nov22). Previous to that, Control Tower v3 allows to deploy an organizational trail so every new account has cloudtrail enabled and an organizational trail defined. But this organizational trail is managed from Management account, and all logs are sent to management account (and from there, they can be sent to an S3 bucket in archiving account). As management account is only intended to be used for management, it would be great if you can define Audit account as delegated account for this organizational trail; but as this is a recent feature, I'm not sure if Control Tower, at the moment that you decide to use organizational trail, allows you to select a delegated account, or if it sets management account as the main account for the organizational trail. I've not seen any reference in control tower documentation, only that it allows you to enable the organizational trail (https://docs.aws.amazon.com/controltower/latest/userguide/configure-org-trails.html).

Control Tower Organizational Trail with delegated account

Relevant content