
I have an Organization set up in AWS and have a Management account and also a Sec Account. I have Delegated Admin of CloudTrail from the Management account to the Sec Account.

In the Sec account I then set up an Organization CloudTrail and all logs are being delivered to an S3 bucket. This all works fine.

I would like to set up the streaming of the CloudTrail logs to CloudWatch, but in the Sec Account this option is greyed out, as seen below.

If I log back into the Management account this option is NOT greyed out and I can set this up.

This would mean that the CloudWatch logs would be in the Management Account and the CloudTrail logs in the Sec Account which is not what I want.

Why is the option to set up CloudWatch logs in the Sec account greyed out, and is there a way round this? Is it possible to have an Organization Trail set up to deliver the logs in the Sec Account and also to get those logs streamed into CloudWatch?

alexis

1 Answer

According to Creating a trail for your organization in the console:

The delegated administrator account cannot currently configure a CloudWatch Logs log group using the console, because the console operation is not supported. The delegated administrator account must use the AWS CLI or CloudTrail APIs to create an organization trail with a CloudWatch Logs log group.

So, from the delegated administrator account (the Sec Account in your case) you can't configure the CloudWatch Logs log group through the console, but you can do it through the AWS CLI (create-trail). Example:

aws cloudtrail create-trail --name 'trail name' --s3-bucket-name 's3 bucket name' --is-multi-region-trail --is-organization-trail --cloud-watch-logs-log-group-arn 'log group arn' --cloud-watch-logs-role-arn 'role arn'
andresm53