Is it possible to write cloudtrail logs to an s3 bucket in another, third-party AWS account?

Question

Is it possible to write cloudtrail logs to an s3 bucket in another, third-party AWS account?

Want to configure CloudTrail to write the logs to an S3 bucket owned by another AWS account. Is this possible?

Answer 1

You can have CloudTrail deliver log files from multiple AWS accounts into a single Amazon S3 bucket. For example, you have four AWS accounts with account IDs 111111111111, 222222222222, and 333333333333, and you want to configure CloudTrail to deliver log files from all four of these accounts to a bucket belonging to account 111111111111. To accomplish this, complete the following steps in order:

1. Turn on CloudTrail in the account where the destination bucket will belong (111111111111 in this example). Do not turn on CloudTrail in any other accounts yet. For instructions, see Creating a trail.

2. Update the bucket policy on your destination bucket to grant cross-account permissions to CloudTrail. For instructions, see Setting bucket policy for multiple accounts.

3. Turn on CloudTrail in the other accounts you want (222222222222, 33333333333 in this example). Configure CloudTrail in these accounts to use the same bucket belonging to the account that you specified in step 1 (111111111111 in this example). For instructions, see Turning on CloudTrail in additional accounts.