Which operationally efficient solution meets these requirements?
Create an AWS Lambda function in each member account with a cross-account role. Trigger the Lambda functions when new CloudTrail logs are created and copy the CloudTrail logs to a centralized S3 bucket. Set up an Amazon CloudWatch alarm to alert if CloudTrail is not configured properly.
Configure CloudTrail in each member account to deliver log events to a central S3 bucket. Ensure the central S3 bucket policy allows PutObject access from the member accounts. Migrate existing logs to the central S3 bucket. Set up an Amazon CloudWatch alarm to alert if CloudTrail is not configured properly.
Configure an organization-level CloudTrail in the parent account to deliver log events to a central S3 bucket. Migrate the existing CloudTrail logs from each member account to the central S3 bucket. Delete the existing CloudTrail and logs in the member accounts.
Configure an organization-level CloudTrail in the parent account to deliver log events to a central S3 bucket. Configure CloudTrail in each member account to deliver log events to the central S3 bucket.
Explanations:
Using a Lambda function in each member account adds significant operational overhead for management and maintenance, especially as the number of accounts grows, and it must be repeated for every new account. This approach is complex and not the most efficient way to centralize CloudTrail logs. A CloudWatch alarm is a reasonable safeguard, but it does not solve the core problem of centralizing log delivery.
While delivering logs to a central S3 bucket is the right idea, configuring CloudTrail individually in each member account and maintaining a per-account bucket policy is not scalable, and it does not automatically apply to new accounts. (CloudTrail writes to the bucket as the cloudtrail.amazonaws.com service principal, so the bucket policy must grant that principal, scoped to each account's log prefix, rather than the member accounts themselves.) Migrating existing logs is a necessary step but is not the complete solution.
Configuring an organization-level CloudTrail in the parent (management) account is the most efficient solution. This automatically configures CloudTrail logging for all existing and future member accounts, minimizing administrative overhead. Member accounts can see the organization trail but cannot modify or delete it, which keeps the audit record out of reach of the accounts it covers. Migrating existing logs ensures that no history is lost. Deleting the now-redundant trails in the member accounts after migration avoids duplicate delivery and confusion; the migrated copies in the central bucket preserve the earlier history.
Configuring CloudTrail both in the parent account at the organization level and individually in each member account would result in duplicate logs being sent to the central S3 bucket. This creates unnecessary storage costs and complexity.
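The two practical pieces behind the correct answer are the central bucket policy that lets the organization trail deliver for every member account, and a check that no member-account trail is still delivering to the same bucket (the duplication the last option warns about). The following is an added example, not part of the original question or AWS documentation; it builds the bucket policy in the shape AWS documents for organization trails and runs the duplicate check over a constructed list of trail records shaped like the output of CloudTrail's DescribeTrails API. All bucket names, account IDs, organization IDs and trail ARNs are constructed placeholders.

```python
"""Added example (not from the original page): organization-trail helpers.

build_org_trail_bucket_policy() returns the S3 bucket policy the central bucket
needs so the CloudTrail service principal can (a) check the bucket ACL and
(b) write under both the management account's prefix and the organization-ID
prefix used for member accounts, locked to one trail ARN via aws:SourceArn.

duplicate_member_trails() takes DescribeTrails-style records and, once an
organization trail delivers to the central bucket, lists the member-account
trails that still deliver there (duplicate delivery, extra cost).
"""
import json

CLOUDTRAIL_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}


def build_org_trail_bucket_policy(bucket: str, org_id: str,
                                  mgmt_account_id: str, trail_arn: str) -> dict:
    """Bucket policy for an organization trail delivering to `bucket`."""
    source = {"aws:SourceArn": trail_arn}  # confused-deputy guard: only this trail
    write_condition = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                        **source}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail verifies it can reach the bucket before delivering
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": source},
            },
            {   # management account's own events land under its account ID
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{mgmt_account_id}/*",
                "Condition": write_condition,
            },
            {   # member accounts' events land under AWSLogs/<org-id>/<account-id>/
                "Sid": "AWSCloudTrailOrganizationWrite",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*",
                "Condition": write_condition,
            },
        ],
    }


def _account_from_trail_arn(trail_arn: str) -> str:
    # arn:aws:cloudtrail:<region>:<account-id>:trail/<name>
    return trail_arn.split(":")[4]


def duplicate_member_trails(trails: list, central_bucket: str) -> list:
    """Return (account_id, trail_name) for non-organization trails that deliver
    to `central_bucket` while an organization trail already delivers there."""
    org_trail_present = any(t.get("IsOrganizationTrail") and
                            t.get("S3BucketName") == central_bucket for t in trails)
    if not org_trail_present:
        return []  # nothing to duplicate yet; member trails are the only source
    return sorted((_account_from_trail_arn(t["TrailARN"]), t["Name"])
                  for t in trails
                  if not t.get("IsOrganizationTrail")
                  and t.get("S3BucketName") == central_bucket)


# Constructed sample: one organization trail plus two member-account trails.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "IsOrganizationTrail": True, "S3BucketName": "central-cloudtrail-logs",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"},
    {"Name": "legacy-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "IsOrganizationTrail": False, "S3BucketName": "central-cloudtrail-logs",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:222222222222:trail/legacy-trail"},
    {"Name": "app-audit", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "IsOrganizationTrail": False, "S3BucketName": "team-private-logs",
     "TrailARN": "arn:aws:cloudtrail:eu-west-1:333333333333:trail/app-audit"},
]

if __name__ == "__main__":
    policy = build_org_trail_bucket_policy(
        "central-cloudtrail-logs", "o-abc123def4", "111111111111",
        "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail")
    print(json.dumps(policy, indent=2))
    print("duplicate member trails:",
          duplicate_member_trails(SAMPLE_TRAILS, "central-cloudtrail-logs"))
```

The `aws:SourceArn` condition on every statement matters: without it, any trail in any account that knows the bucket name could point CloudTrail at it. In a real account the `trails` list would come from `describe_trails` run in each member account; `app-audit` is not reported because it delivers elsewhere, but it is still an extra trail worth retiring once the organization trail covers that account.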