Setting Up CloudTrail Multi-Region
Overview
Domain expertise for enabling AWS CloudTrail across all regions to capture comprehensive API activity logs and configuring CloudWatch Logs Insights for security monitoring, compliance auditing, and operational analysis.
Set up a multi-region trail
To create a centralized multi-region CloudTrail trail with S3 storage, CloudWatch Logs integration, and log analysis, follow the procedure exactly. See CloudTrail multi-region setup procedure.
Troubleshooting
S3 bucket already exists
Choose a different globally unique name, or add a timestamp or organization identifier.
Permission denied errors
Verify your identity with aws sts get-caller-identity. Ensure your user/role has the required IAM actions attached. Do NOT use *FullAccess managed policies.
Trail not logging
Verify IAM role permissions, check S3 bucket policy allows CloudTrail access, and ensure the trail is started with start-logging.
Missing events in CloudWatch
Allow 5-15 minutes for initial log delivery. Verify the CloudWatch Logs role ARN is correct and the log group exists in the same region as the trail.
Opt-in region events not appearing
This is normal — events from opt-in regions may take several hours. Wait up to 24 hours before investigating further.