Exactly one CloudTrail trail should monitor global services

Description

For global services such as AWS Identity and Access Management (IAM), AWS STS, and Amazon CloudFront, events are delivered to any trail that includes global services. If you have multiple single region trails, AWS recommends configuring your trails so that global service events are delivered in only one of the trails.

Console Remediation Steps

If you have multiple single region trails, AWS recommends configuring your trails so that global service events are delivered in only one of the trails.

Global service events are delivered by default to trails that are created using the CloudTrail console, and cannot be configured using the console. Use the CLI for remediation instead.

CLI Remediation Steps

  • To disable global service events for a CloudTrail trail, replace MYTRAILNAME with your trail name:

        aws cloudtrail update-trail --name MYTRAILNAME --no-include-global-service-events
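The command above fixes one trail at a time. Before running it you need to know which trails currently deliver global service events and decide which single one should keep doing so. The script below is an added example, not part of this page or of any AWS tooling: it takes the JSON that `aws cloudtrail describe-trails` prints (one output per region, since a single-region trail is only listed from its own region), merges them, removes the repeated entries that a multi-region trail produces when it is listed from several regions (same `TrailARN`), picks one trail to keep, and emits the `update-trail` commands for the others. The sample `describe-trails` output is constructed for the example; the keeper selection rule (an explicitly named trail, otherwise a multi-region trail, otherwise the first trail by name) is this example's own choice, not an AWS rule. The generated commands carry `--region` set to each trail's `HomeRegion`, because `update-trail` has to be called in the region where the trail was created.

```python
"""Plan which CloudTrail trail keeps global service events (added example)."""
import json

# Constructed sample: what `aws cloudtrail describe-trails` might print in one
# region. The multi-region trail appears twice (a shadow listing) with one ARN.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {"Name": "org-all-regions", "HomeRegion": "us-east-1",
         "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
         "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-all-regions"},
        {"Name": "audit-east", "HomeRegion": "us-east-1",
         "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
         "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/audit-east"},
        {"Name": "audit-west", "HomeRegion": "us-west-2",
         "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
         "TrailARN": "arn:aws:cloudtrail:us-west-2:111111111111:trail/audit-west"},
        {"Name": "data-events-only", "HomeRegion": "eu-west-1",
         "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False,
         "TrailARN": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/data-events-only"},
        {"Name": "org-all-regions", "HomeRegion": "us-east-1",
         "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
         "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-all-regions"},
    ]
})


def unique_trails(describe_outputs):
    """Merge describe-trails outputs (JSON strings or dicts) from one or more
    regions and keep a single entry per TrailARN, so that a multi-region trail
    listed from several regions is counted once."""
    seen = {}
    for out in describe_outputs:
        data = json.loads(out) if isinstance(out, str) else out
        for trail in data.get("trailList", []):
            seen.setdefault(trail["TrailARN"], trail)
    return list(seen.values())


def plan_global_service_events(describe_outputs, keep=None):
    """Return (keeper_name, commands).

    keeper_name is the one trail left delivering global service events (None
    when no trail delivers them); commands are the AWS CLI calls that would
    turn global service events off on every other trail that has them on.
    Selection rule (this example's choice): the trail named in `keep` wins,
    otherwise a multi-region trail, otherwise the first trail by name.
    """
    trails = unique_trails(describe_outputs)
    global_trails = sorted(
        (t for t in trails if t.get("IncludeGlobalServiceEvents")),
        key=lambda t: (not t.get("IsMultiRegionTrail", False), t["Name"]),
    )
    if not global_trails:
        return None, []
    if keep is None:
        keeper = global_trails[0]
    else:
        chosen = [t for t in global_trails if t["Name"] == keep]
        if not chosen:
            raise ValueError(f"trail {keep!r} does not deliver global service events")
        keeper = chosen[0]
    commands = [
        # update-trail must be run in the trail's home region, hence --region.
        f"aws cloudtrail update-trail --region {t['HomeRegion']} "
        f"--name {t['Name']} --no-include-global-service-events"
        for t in global_trails if t["TrailARN"] != keeper["TrailARN"]
    ]
    return keeper["Name"], commands


if __name__ == "__main__":
    keeper, commands = plan_global_service_events([SAMPLE_DESCRIBE_TRAILS])
    print(f"keeping global service events on: {keeper}")
    for cmd in commands:
        print(cmd)
```

To audit a real account, run `aws cloudtrail describe-trails --region <region>` once per enabled region, pass the outputs as the list argument, and review the printed commands before executing them. The script only plans; it deliberately does not call the AWS API, so the change to your trails stays an explicit, reviewable step.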