Sending CloudTrail logs to an S3 bucket in a different VPC account

1

I got 5 AWS accounts in the same VPC, and a 6th AWS account in a different VPC. I need to send CloudTrail logs from all 5 accounts to an S3 bucket in a completely different AWS account (the 6th account / different VPC).

I got 2 ideas:

First idea: collect CloudTrail logs from AWS accounts 1, 2, 3, 4 and 5 and send them to an S3 bucket in the 1st AWS account, then do S3 replication to the 6th AWS account, which is in a different VPC. If I do it this way, do I need VPC peering?

Second idea: collect CloudTrail logs from AWS accounts 1, 2, 3, 4 and 5 and send them directly to an S3 bucket in the 6th AWS account. Can this be done?

Or is there any other better option? Or which is the best among my 2 ideas?

2 Answers
0

This is certainly possible, and the steps to implement it are here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html

Just a note around your terminology - buckets don't exist in VPCs and are not tied to a particular VPC. You may access an S3 bucket through a particular VPC endpoint, but that doesn't mean the bucket is only accessible through that method.

But yes, back to your main point, you can certainly set up CloudTrail to send logs from accounts #1, #2, #3, #4 & #5 into a bucket owned by account #6.

EXPERT
Steve_M
answered 8 months ago
AWS EXPERT
reviewed 8 months ago
  • Hi, Steve's proposal is the AWS-recommended way to do it. So, probably the path that you want to follow.
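As an added illustration of the second idea (not code from the answer or from the linked AWS page): the destination bucket in account #6 needs a bucket policy that lets the CloudTrail service principal check the bucket ACL and write into each source account's own `AWSLogs/<account-id>/` prefix, with the `bucket-owner-full-control` ACL so account #6 owns the delivered objects. The bucket name and account IDs below are constructed placeholders, and `accounts_allowed_to_write` is a review helper written here, not an AWS API.

```python
# Constructed sample values (placeholders): bucket in account #6, trails from #1-#5.
DEST_BUCKET = "example-org-cloudtrail-logs"
SOURCE_ACCOUNTS = ["111111111111", "222222222222", "333333333333",
                   "444444444444", "555555555555"]
CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}


def cloudtrail_bucket_policy(bucket: str, source_accounts: list) -> dict:
    """Destination bucket policy: CloudTrail in each source account may
    deliver only into that account's AWSLogs/<account-id>/ prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail reads the bucket ACL before it starts delivering
                "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
                "Principal": CLOUDTRAIL, "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {   # Writes are limited to per-account prefixes and must carry
                # bucket-owner-full-control so account #6 owns every object
                "Sid": "AWSCloudTrailWrite", "Effect": "Allow",
                "Principal": CLOUDTRAIL, "Action": "s3:PutObject",
                "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*"
                             for a in source_accounts],
                "Condition": {"StringEquals":
                              {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def accounts_allowed_to_write(policy: dict, bucket: str) -> set:
    """Review helper: account IDs whose CloudTrail can deliver under this
    policy. Allow statements that do not require bucket-owner-full-control
    are not counted, so a policy loosened during troubleshooting shows up."""
    prefix = f"arn:aws:s3:::{bucket}/AWSLogs/"
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            if arn.startswith(prefix) and arn.endswith("/*"):
                allowed.add(arn[len(prefix):-2])
    return allowed
```

Adding a new source account later means adding its prefix to the write statement (and a trail in that account pointing at the bucket); the helper makes it easy to confirm the policy covers exactly the accounts you expect. The AWS documentation additionally scopes both statements with an `aws:SourceArn` condition on each trail's ARN, which is omitted here.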

0

The link you sent shows my second idea, so it looks like I don't need to care about my VPC peering. It's about the bucket policy on the destination.

Just generally, why is the second idea better than the first idea?

profx
answered 8 months ago
  • Your first option would work, but adds a level of complexity for no real advantage.

    Whether you go with option 1 or 2 you are going to have to implement writing CloudTrail logs to a bucket in a different account.

    With option 2 that's all your work finished and everything works. With option 1 you then have to implement cross-region replication (which is certainly possible), but is more complex to manage and maintain, for no real reward.
