Hi there
This is one of the purposes of the [Audit account](https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html#what-shared). The audit account is a restricted account that's designed to give your security and compliance teams read and write access to all accounts in your landing zone. From the audit account, you have programmatic access to review accounts, by means of a role that is granted to Lambda functions only. The audit account does not allow you to log in to other accounts manually.
You can query the CloudTrail logs in the Log Archive from the Audit account using the role aws-controltower-AuditReadOnlyRole with Lambda to gain access to the logs in the Log Archive. The role assumes aws-controltower-ReadOnlyExecutionRole in the Log Archive account, granting read-only access.
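As an added example (not part of Matt-B's answer or any AWS-provided code) of the review path described above: a Python sketch of an Audit-account Lambda that chains into aws-controltower-ReadOnlyExecutionRole in the Log Archive account, then parses CloudTrail log objects and pulls out root-user activity and denied calls. The S3 key layout, the session name, the Log Archive account ID and the sample records are assumptions, not values from the page.

```python
import gzip
import io
import json

# Role named in the answer above; the Audit-account Lambda chains into it in Log Archive.
LOG_ARCHIVE_ROLE = "aws-controltower-ReadOnlyExecutionRole"

def log_archive_prefix(org_id: str, account_id: str, region: str, day) -> str:
    # Assumed organization-trail layout: <org-id>/AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/
    return f"{org_id}/AWSLogs/{account_id}/CloudTrail/{region}/{day:%Y/%m/%d}/"

def assume_log_archive_role(log_archive_account_id: str, sts_client=None) -> dict:
    # Role chain into Log Archive; sts_client is injectable for offline tests, boto3 (assumed installed) is imported lazily.
    if sts_client is None:
        import boto3
        sts_client = boto3.client("sts")
    role_arn = f"arn:aws:iam::{log_archive_account_id}:role/{LOG_ARCHIVE_ROLE}"
    creds = sts_client.assume_role(RoleArn=role_arn, RoleSessionName="audit-cloudtrail-review")["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"], "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}

def parse_cloudtrail_object(body: bytes) -> list:
    # CloudTrail log files are gzipped JSON with a top-level "Records" array.
    with gzip.GzipFile(fileobj=io.BytesIO(body)) as gz:
        return json.load(gz)["Records"]

def flag_for_review(records: list) -> list:
    # What the audit team looks at first: root-user activity and denied API calls.
    hits = []
    for r in records:
        is_root = r.get("userIdentity", {}).get("type") == "Root"
        if is_root or "errorCode" in r:
            hits.append((r["eventTime"], r["recipientAccountId"], r["eventName"],
                         "root" if is_root else r["errorCode"]))
    return hits

def sample_log_object() -> bytes:
    # Constructed sample (not real data) in the shape of one CloudTrail log file.
    records = {"Records": [
        {"eventTime": "2023-01-10T12:00:00Z", "eventName": "ConsoleLogin",
         "recipientAccountId": "111111111111", "userIdentity": {"type": "Root"}},
        {"eventTime": "2023-01-10T12:01:00Z", "eventName": "PutBucketPolicy", "errorCode": "AccessDenied",
         "recipientAccountId": "111111111111", "userIdentity": {"type": "IAMUser"}},
        {"eventTime": "2023-01-10T12:02:00Z", "eventName": "ListBuckets",
         "recipientAccountId": "111111111111", "userIdentity": {"type": "AssumedRole"}},
    ]}
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(json.dumps(records).encode())
    return buf.getvalue()
```

In a real Lambda the returned credentials feed a boto3 Session whose S3 client lists the prefix from log_archive_prefix and downloads each object into parse_cloudtrail_object.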
Thanks a lot Matt-B for your answer. Let me explain my question a little better. I agree with you that this would be the purpose of the Audit account. And being the delegated account is something possible with Security Hub and GuardDuty when using Control Tower: each new account can have these services enabled in an organizational way, so all events are sent to the Audit account, and from there they are archived in an S3 bucket in the log archiving account. From Security Hub and GuardDuty in the Audit account it's possible to review recent events, and in case an old event is required, the Audit account can read it from Log Archiving. My question is about the organizational CloudTrail trail; a delegated account for this service is a new feature (since Nov 22). Previous to that, Control Tower v3 allows you to deploy an organizational trail so every new account has CloudTrail enabled and an organizational trail defined. But this organizational trail is managed from the Management account, and all logs are sent to the management account (and from there, they can be sent to an S3 bucket in the archiving account). As the management account is only intended to be used for management, it would be great if you could define the Audit account as the delegated account for this organizational trail; but as this is a recent feature, I'm not sure if Control Tower, at the moment that you decide to use an organizational trail, allows you to select a delegated account, or if it sets the management account as the main account for the organizational trail. I haven't seen any reference in the Control Tower documentation, only that it allows you to enable the organizational trail (https://docs.aws.amazon.com/controltower/latest/userguide/configure-org-trails.html).
Right now no, you can't delegate CloudTrail to another account because it's fully integrated and managed by Control Tower, which runs in the management account. But you can analyze the CloudTrail logs from the audit account.
Thanks Matt-B!