AWS - Security Configure


Receiving CloudTrail log files from multiple Regions


# To change an existing trail so that it applies to all Regions (a multi-Region trail also records
# activity in Regions the account does not normally use, which a single-Region trail would miss)

aws cloudtrail update-trail --name my-trail --is-multi-region-trail


Configuring CloudWatch Logs monitoring with the CLI


1) Create a CloudWatch Logs log group (the describe call confirms it exists and shows its ARN, which step 4 needs)

aws logs create-log-group --log-group-name CloudTrail/logs

aws logs describe-log-groups

2) Create an IAM role that CloudTrail can assume; the trust policy below, saved as the referenced JSON file, allows only the CloudTrail service principal to assume it

aws iam create-role --role-name role_name --assume-role-policy-document file://<path to assume_role_policy_document>.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

3) Attach a permission policy to the role

This policy document grants CloudTrail the permissions required to create a CloudWatch Logs log stream in the log group and to deliver events to it

aws iam put-role-policy --role-name role_name \
    --policy-name cloudtrail-policy \
    --policy-document file://<path to role-policy-document>.json

4) Update the trail with the log group ARN from step 1 and the role ARN from step 2

aws cloudtrail update-trail --name trail_name \
    --cloud-watch-logs-log-group-arn log_group_arn \
    --cloud-watch-logs-role-arn role_arn
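The four steps above as one script (an added example, not from the original page): the two policy documents are generated inline instead of read from files, the permission policy is scoped to log streams in the named log group rather than to "*", and a final get-trail-status call surfaces any delivery error. The Region, account id, trail, log group and role names are assumed to be supplied as arguments.

```shell
#!/bin/sh
# Added example: wire an existing CloudTrail trail to a CloudWatch Logs log group
# with a least-privilege delivery role. All names come from the command line.
set -eu

log_group_arn() {   # region account log_group_name -> ARN without the trailing :*
    printf 'arn:aws:logs:%s:%s:log-group:%s' "$1" "$2" "$3"
}

# Trust policy: only the CloudTrail service principal may assume the role.
trust_policy_json() {
    printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Permission policy: CreateLogStream/PutLogEvents only on streams inside this
# log group, never "Resource": "*" (constructed here, not copied from AWS docs).
role_policy_json() {   # log_group_arn
    printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource":"%s:log-stream:*"}]}' "$1"
}

apply() {   # region account trail log_group role
    region=$1 account=$2 trail=$3 group=$4 role=$5
    group_arn=$(log_group_arn "$region" "$account" "$group")

    # Step 1: create the log group (ignore "already exists" so the script is re-runnable)
    aws logs create-log-group --log-group-name "$group" --region "$region" 2>/dev/null || true

    # Step 2: reuse the role if present, otherwise create it with the trust policy
    role_arn=$(aws iam get-role --role-name "$role" --query Role.Arn --output text 2>/dev/null) ||
    role_arn=$(aws iam create-role --role-name "$role" \
        --assume-role-policy-document "$(trust_policy_json)" --query Role.Arn --output text)

    # Step 3: attach the scoped permission policy
    aws iam put-role-policy --role-name "$role" --policy-name cloudtrail-policy \
        --policy-document "$(role_policy_json "$group_arn")"

    # Step 4: point the trail at the log group (CloudTrail expects the :* form) and role
    aws cloudtrail update-trail --name "$trail" --region "$region" \
        --cloud-watch-logs-log-group-arn "$group_arn:*" \
        --cloud-watch-logs-role-arn "$role_arn"

    # Check: anything other than "None" here means the role or ARNs are wrong.
    aws cloudtrail get-trail-status --name "$trail" --region "$region" \
        --query LatestCloudWatchLogsDeliveryError --output text
}

# Only touch AWS when explicitly asked, e.g.:
#   ./script.sh --apply us-east-1 123456789012 my-trail CloudTrail/logs CloudTrailToCloudWatch
if [ "${1:-}" = "--apply" ]; then shift; apply "$@"; fi
```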
