Which operationally efficient solution meets these requirements?

By:
In: SAP-C01
Tagged:
With: 2 Comments
A company uses AWS Organizations to manage one parent account and nine member accounts.The number of member accounts is expected to grow as the business grows.A security engineer has requested consolidation of AWS CloudTrail logs into the parent account for compliance purposes.Existing logs currently stored in Amazon S3 buckets in each individual member account should not be lost.Future member accounts should comply with the logging strategy.

Which operationally efficient solution meets these requirements?

Create an AWS Lambda function in each member account with a cross-account role. Trigger the Lambda functions when new CloudTrail logs are created and copy the CloudTrail logs to a centralized S3 bucket. Set up an Amazon CloudWatch alarm to alert if CloudTrail is not configured properly.

Configure CloudTrail in each member account to deliver log events to a central S3 bucket. Ensure the central S3 bucket policy allows PutObject access from the member accounts. Migrate existing logs to the central S3 bucket. Set up an Amazon CloudWatch alarm to alert if CloudTrail is not configured properly.

Configure an organization-level CloudTrail in the parent account to deliver log events to a central S3 bucket. Migrate the existing CloudTrail logs from each member account to the central S3 bucket. Delete the existing CloudTrail and logs in the member accounts.

Configure an organization-level CloudTrail in the parent account to deliver log events to a central S3 bucket. Configure CloudTrail in each member account to deliver log events to the central S3 bucket.

Explanations:

Using Lambda functions in each member account adds significant operational overhead for management and maintenance, especially as the number of accounts grows. This approach is complex and not the most efficient way to centralize CloudTrail logs. Setting up CloudWatch alarms is a good practice, but this doesn’t solve the core problem efficiently.

While delivering logs to a central S3 bucket is the right idea, configuring CloudTrail individually in each member account and managing individual bucket policies is not scalable. This also does not automatically apply to new accounts. Migrating existing logs is a necessary step but is not the complete solution.

Configuring anorganization-levelCloudTrail in the parent account is the most efficient solution. This automatically configures CloudTrail logging forallexisting andfuturemember accounts, minimizing administrative overhead. Migrating existing logs ensures that no data is lost. Deleting the old CloudTrail configurations and logs in member accounts after migration is a good practice to avoid duplication and confusion.

Configuring CloudTrail inboththe parent account at the organization levelandindividually in each member account would result in duplicate logs being sent to the central S3 bucket. This creates unnecessary storage costs and complexity.

2026-04-03

2 Comments

  1. Henry
    Author

    I infer that the answer is:
    Configure an organization-level CloudTrail in the parent account to deliver log events to a central S3 bucket. Migrate the existing CloudTrail logs from each member account to the central S3 bucket. Delete the existing CloudTrail and logs in the member accounts.

  2. Wayne
    Author

    As I see it, the answer is:
    Configure an organization-level CloudTrail in the parent account to deliver log events to a central S3 bucket. Migrate the existing CloudTrail logs from each member account to the central S3 bucket. Delete the existing CloudTrail and logs in the member accounts.

Leave a Reply

Your email address will not be published. Required fields are marked *

two × five =