CloudTrail — Organization trail to log-archive

Status: Active since 2026-04-18. Purpose: SOC 2 CC7.1 / CC7.2, HIPAA §164.308(a)(1)(ii)(D), CMS EDE Phase 3 audit trail requirement.

Summary

A single organization trail in the management account writes all AWS API activity across all 4 accounts to an S3 bucket in the dedicated log-archive account. Logs are encrypted with a customer-managed KMS CMK, version-protected, object-locked in COMPLIANCE mode for 7 years, and exported to CloudWatch Logs in the management account for near-real-time Insights anomaly detection.

Resources

Resource	Value
Trail name	`askflorence-org-trail`
Trail ARN	`arn:aws:cloudtrail:us-east-1:778477254880:trail/askflorence-org-trail`
Home region	`us-east-1`
Multi-region	Yes (captures all regions)
Org trail	Yes (applies to all member accounts)
Global service events	Yes (captures IAM, STS, Organizations, CloudFront, Route53)
Log file validation	Enabled (hash chain for tamper detection)
S3 destination bucket	`askflorence-org-cloudtrail-logs-754660694122` (log-archive account)
S3 object lock	COMPLIANCE mode, 7 years
S3 versioning	Enabled
KMS key	`alias/askflorence-org-logs` in log-archive (`arn:aws:kms:us-east-1:754660694122:key/e9dfcdbe-19e1-491c-a8f9-d17612cf6353`)
KMS rotation	Annual auto-rotation
CloudWatch log group	`/aws/cloudtrail/askflorence-org-trail` (mgmt, 365-day retention)
CloudTrail role for CW Logs	`arn:aws:iam::778477254880:role/CloudTrailToCloudWatchLogsRole`
Event selectors	Read+Write management events, global service events included, no data events yet
Insights	`ApiCallRateInsight`, `ApiErrorRateInsight` enabled

What's captured

All management-plane API calls across all accounts and all regions, including global services. Data events (S3 PutObject, Lambda Invoke) are not recorded by default — we'll enable them on specific resources when prod workloads exist (Phase 8 and beyond), scoped narrowly to control CloudTrail data-event cost.

Tamper protection

Two layers:

S3 Object Lock COMPLIANCE on the destination bucket. Objects cannot be deleted or overwritten for 7 years, even by the log-archive account root. AWS enforces this at the bucket level; no admin override.
Log file validation on the trail. Each hourly digest file contains a SHA-256 hash chain. aws cloudtrail validate-logs can verify chronological integrity at audit time.

SCP protection

ScpBaseline (attached to Prod, Non-Prod, Security OUs) denies cloudtrail:DeleteTrail, cloudtrail:PutEventSelectors, cloudtrail:StopLogging, cloudtrail:UpdateTrail in all member accounts. Only the management account (which is not under this SCP) can modify the trail, and only via SSO AdministratorAccess.

Encryption & access

In transit: CloudTrail service → S3 uses TLS. S3 bucket policy denies any non-SSL access.
At rest: SSE-KMS with the askflorence-org-logs CMK. Unencrypted puts denied by bucket policy.
Decrypt: any principal within the organization (aws:PrincipalOrgID == o-vefew8kgv1) can decrypt logs they're authorized to read per the bucket policy. The CMK policy separately grants kms:Decrypt to org principals. No external account can decrypt.

Incident access (future)

If a SOC 2 auditor or external responder needs to read trail logs, they get a time-limited IAM assumption into the log-archive account via SSO SecurityAudit permission set (4h session). No long-lived credentials.

Costs

CloudTrail: $2/100k management events (first trail is free for mgmt events; second trail = org trail counts as a second trail).
S3: tier-1 storage ~$0.023/GB/mo; compliance-mode object lock doesn't add cost.
KMS: $1/CMK/mo + $0.03/10k requests.
CloudWatch Logs: $0.50/GB ingested.
Estimated pre-launch: $5–10/mo.

Runbook references

aws-setup.md — general AWS runbook (profiles, deploy, logs, rollback)
change-log.md — setup and any modifications
aws cloudtrail get-trail-status --name askflorence-org-trail — quick health check (IsLogging should be true; LatestDeliveryTime should be <1hr old)
aws cloudtrail validate-logs --trail-arn <arn> --start-time ... --end-time ... — audit-time tamper verification