Posted On: Jul 29, 2022

AWS Control Tower now includes AWS CloudTrail organization logging as part of landing zone version 3.0. With this new feature, an organization-level AWS CloudTrail trail is deployed in your organization's management account to automatically log the actions of all member accounts in your organization. AWS Control Tower does not configure any logging parameters beyond a mandatory detective guardrail that checks that logging is configured for all AWS Control Tower governed accounts. AWS Control Tower with organization logging offers users the latest standard and best practice for unified account logging.

The adoption of organization trail logging marks a support transition away from account trail logging. Users can opt in to or opt out of the organization trail logging feature during a new install or during the update/repair process. This lets customers with additional AWS CloudTrail requirements provision their own trails without duplicating log aggregation. The optional nature of this feature also gives flexibility to customers migrating to AWS Control Tower: they can keep their existing CloudTrail solution in place and enable AWS Control Tower organization logging later, after the initial landing zone deployment. We recommend that customers who opt in but do not use AWS Control Tower to manage their entire organization disable account trail logging on member accounts not governed by AWS Control Tower, to prevent duplicate CloudTrail logs.
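A small check for the duplicate-logging situation described above, written as an added example (not AWS Control Tower's or AWS's own code): it classifies the trails that the CloudTrail DescribeTrails API returns when called from a member account and flags account-owned trails that overlap an organization trail, and it also reports the case the detective guardrail cares about, namely no trail logging the account at all. Trail names and account ids below are constructed, and the helper name audit_trails is ours.

```python
"""Spot duplicate CloudTrail logging once an organization trail is in place.

Assumes the DescribeTrails response shape (trailList entries carrying Name,
TrailARN and IsOrganizationTrail). In a member account the organization trail
shows up as a shadow trail whose ARN belongs to the management account.
"""

SAMPLE_ACCOUNT_ID = "111111111111"  # constructed member account id

SAMPLE_TRAILS = [  # constructed sample of what DescribeTrails might return
    {   # organization trail owned by the management account (constructed ids)
        "Name": "ct-org-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:999999999999:trail/ct-org-trail",
        "IsMultiRegionTrail": True,
        "IsOrganizationTrail": True,
    },
    {   # pre-migration account trail: logs the same events a second time
        "Name": "legacy-account-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/legacy-account-trail",
        "IsMultiRegionTrail": True,
        "IsOrganizationTrail": False,
    },
]


def trail_owner(trail_arn: str) -> str:
    """The account id is the fifth colon-separated field of a CloudTrail ARN."""
    return trail_arn.split(":")[4]


def audit_trails(account_id: str, trails: list) -> dict:
    """Classify trails visible in one account and flag duplicate coverage."""
    org_trails = [t for t in trails if t.get("IsOrganizationTrail")]
    # Trails this account created itself (shadow org trails are owned elsewhere).
    own_trails = [t for t in trails
                  if not t.get("IsOrganizationTrail")
                  and trail_owner(t["TrailARN"]) == account_id]
    return {
        "organization_trail": org_trails[0]["Name"] if org_trails else None,
        # Only a duplicate when an org trail already covers this account.
        "duplicate_account_trails": [t["Name"] for t in own_trails] if org_trails else [],
        # What the mandatory detective guardrail would flag: nothing logs here.
        "no_trail_logging": not org_trails and not own_trails,
    }


if __name__ == "__main__":
    print(audit_trails(SAMPLE_ACCOUNT_ID, SAMPLE_TRAILS))
    # Against a real account (needs boto3 and credentials):
    # import boto3
    # acct = boto3.client("sts").get_caller_identity()["Account"]
    # live = boto3.client("cloudtrail").describe_trails(includeShadowTrails=True)["trailList"]
    # print(audit_trails(acct, live))
```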

AWS Control Tower offers the easiest way to set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Customers can create new accounts using AWS Control Tower’s account factory and enable governance features such as guardrails, centralized logging, and monitoring in supported AWS Regions. To learn more, visit the AWS Control Tower homepage or see the AWS Control Tower User Guide. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.