This is certainly possible, and the steps to implement it are here https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html
Just a note around your terminology - buckets don't exist in VPCs and are not tied to a particular VPC. You may access an S3 bucket through a particular VPC endpoint, but that doesn't mean the bucket is only accessible through that method.
But yes, back to your main point, you can certainly set up CloudTrail to send logs from accounts #1, #2, #3, #4 & #5 into a bucket owned by account #6.
The link you sent shows my second idea, so it looks like I don't need to care about my VPC peering. It's about the bucket policy on the destination.
Just generally, why is the second idea better than the first idea?
Your first option would work, but adds a level of complexity for no real advantage.
Whether you go with option 1 or 2 you are going to have to implement writing CloudTrail logs to a bucket in a different account.
With option 2 that's all your work finished and everything works. With option 1 you then have to implement cross-region replication (which is certainly possible), but is more complex to manage and maintain, for no real reward.
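As an added example (not code from this thread or from AWS), here is the shape of the destination-bucket policy that option 2 relies on, built in Python for the five source accounts, plus a small check showing that an unlisted account or a wrong ACL is refused. The bucket name and account IDs are placeholders.

```python
# Constructed placeholders (not from the original thread): the central bucket
# owned by "account #6" and the five source account IDs.
DESTINATION_BUCKET = "central-cloudtrail-logs-example"
SOURCE_ACCOUNTS = ["111111111111", "222222222222", "333333333333",
                   "444444444444", "555555555555"]


def build_cloudtrail_bucket_policy(bucket, source_accounts):
    """Bucket policy for the destination bucket. CloudTrail in each source
    account needs s3:GetBucketAcl on the bucket and s3:PutObject under its
    own AWSLogs/<account-id>/ prefix, and must write objects with the
    bucket-owner-full-control ACL so the owning account can read them."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                # One prefix per source account: an unlisted account cannot
                # deliver, and nobody can write outside AWSLogs/.
                "Resource": [f"{bucket_arn}/AWSLogs/{a}/*" for a in source_accounts],
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def delivery_allowed(policy, bucket, key, acl):
    """Simplified check: does a CloudTrail PutObject of `key` with canned ACL
    `acl` match the write statement (resource prefix plus ACL condition)?
    Not a full IAM evaluator; it only models the two controls above."""
    obj_arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Sid"] == "AWSCloudTrailWrite":
            required_acl = stmt["Condition"]["StringEquals"]["s3:x-amz-acl"]
            prefixes = [r[:-1] for r in stmt["Resource"]]  # strip trailing "*"
            return acl == required_acl and any(obj_arn.startswith(p) for p in prefixes)
    return False
```

A production policy should also carry the aws:SourceArn condition that the AWS guide recommends, so that only the named trails, not any CloudTrail trail, can deliver into the bucket.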
- AWS OFFICIAL, updated 1 year ago
Hi, Steve's proposal is the AWS-recommended way to do it. So, probably the path that you want to follow.