Why not use an organization trail for multiple accounts but create a central CloudTrail in the security account

Hi gruntwork experts!

I have been reading the article <How to configure a production-grade AWS account structure> recently! Below is the link:

https://gruntwork.io/guides/foundations/how-to-configure-production-grade-aws-account-structure/#iam-users

One thing I could not understand is why you do not create an organization trail in the root account and gather all the audit logs from the sub-accounts there, but instead create a CloudTrail in the security account, with the security account's audit logs kept separate from the root account's.

You could certainly send all CloudTrail logs to the root account, but it’s worth remembering that the root account has powerful access to ALL child accounts, so if it gets compromised, all bets are off. Therefore, we typically try to minimize usage of the root account: we use it solely to create new child accounts and check the bills, and that’s it. We don’t run any infrastructure in it, lock it down as much as possible (e.g., it has its own CloudTrail, plus GuardDuty, AWS Config, etc), and try to reduce reasons for users to have to log into it.

Hi Jim

Thanks for your reply. It makes sense to lock down the root account from a security standpoint. I should have sought help in the community earlier.

We do something similar, but instead of using the AWS Organization master (i.e. “root”) account we have a separate account for our Security team where the CT logs are aggregated under. This of course achieves the desired goal of centralized access of all logs in a tightly controlled account that doesn’t provide backdoor admin access to all Organization accounts through OrganizationAccountAccessRole assumption.
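Both replies above come down to the same design: trails in every account deliver into one S3 bucket that lives in the security (log-archive) account, so nobody needs access to the root/management account to read logs. The piece that makes this work, and that is easy to get wrong, is the bucket policy on that central bucket: it must let the CloudTrail service write for each source account without opening the bucket to the world. The following is an added example, not code from the Gruntwork guide or from either poster; the account IDs, bucket name and trail names are constructed, and the audit function applies the checks I would want in a review (no wildcard principal, `aws:SourceArn` pinned to the exact trail, `bucket-owner-full-control` on every `PutObject`, and each write scoped to that account's `AWSLogs/<account-id>/` prefix).

```python
"""Build and sanity-check the S3 bucket policy for a central CloudTrail bucket
that lives in a dedicated security account. Added example; not Gruntwork's code.
Account IDs, bucket and trail names below are made up."""
import json

CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}
OWNER_ACL = "bucket-owner-full-control"


def build_cloudtrail_bucket_policy(bucket, trails):
    """trails maps a source account ID -> ARN of the trail in that account.

    CloudTrail needs s3:GetBucketAcl on the bucket and s3:PutObject under
    AWSLogs/<account-id>/. Pinning aws:SourceArn to the exact trail ARN stops a
    trail in some unrelated AWS account from writing into our prefixes."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [{
        "Sid": "AWSCloudTrailAclCheck",
        "Effect": "Allow",
        "Principal": CLOUDTRAIL,
        "Action": "s3:GetBucketAcl",
        "Resource": bucket_arn,
        "Condition": {"StringEquals": {"aws:SourceArn": sorted(trails.values())}},
    }]
    for account_id, trail_arn in sorted(trails.items()):
        statements.append({
            "Sid": f"AWSCloudTrailWrite{account_id}",
            "Effect": "Allow",
            "Principal": CLOUDTRAIL,
            "Action": "s3:PutObject",
            # one prefix per account: account A's trail can never overwrite B's logs
            "Resource": f"{bucket_arn}/AWSLogs/{account_id}/*",
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": OWNER_ACL,   # bucket owner (security acct) keeps control
                "aws:SourceArn": trail_arn,  # only this trail in this account
            }},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def audit_cloudtrail_bucket_policy(policy, bucket):
    """Return a list of findings for the Allow statements; [] means it passed."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append(f"{sid}: wildcard principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "aws:SourceArn" not in cond:
            findings.append(f"{sid}: no aws:SourceArn condition")
        if "s3:PutObject" in actions:
            if cond.get("s3:x-amz-acl") != OWNER_ACL:
                findings.append(f"{sid}: PutObject without {OWNER_ACL}")
            for r in resources:
                if not r.startswith(f"{bucket_arn}/AWSLogs/") or r == f"{bucket_arn}/AWSLogs/*":
                    findings.append(f"{sid}: PutObject not scoped to one account prefix ({r})")
    return findings


# Constructed sample: three member accounts, each with its own trail.
SAMPLE_TRAILS = {
    "111111111111": "arn:aws:cloudtrail:us-east-1:111111111111:trail/root-trail",
    "222222222222": "arn:aws:cloudtrail:us-east-1:222222222222:trail/security-trail",
    "333333333333": "arn:aws:cloudtrail:us-east-1:333333333333:trail/prod-trail",
}

# Constructed "just make it work" policy: anyone may write anywhere in the bucket.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AnyoneCanWrite", "Effect": "Allow", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-org-cloudtrail/*",
}]}

if __name__ == "__main__":
    policy = build_cloudtrail_bucket_policy("example-org-cloudtrail", SAMPLE_TRAILS)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_cloudtrail_bucket_policy(policy, "example-org-cloudtrail"))
    print("weak policy findings:", audit_cloudtrail_bucket_policy(WEAK_POLICY, "example-org-cloudtrail"))
```

Apply the generated document with `aws s3api put-bucket-policy` (or the equivalent Terraform resource) in the security account, then point each account's trail at the bucket. The audit function is also useful against a policy pulled with `get-bucket-policy` from an existing bucket, since a wildcard principal or a missing `aws:SourceArn` on a log bucket is exactly the kind of drift that lets an attacker pollute or flood the audit trail.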