AWS organizations documentation change
Summary
Added note clarifying that CloudTrail logs actions in the account where the action occurs (e.g., member account actions are logged in member trails).
Security assessment
Clarifies audit logging behavior, which aids security monitoring but does not address a vulnerability.
Diff
diff --git a/organizations/latest/userguide/orgs_cloudtrail-integration.md b/organizations/latest/userguide/orgs_cloudtrail-integration.md index 2a4cc1a2e..9e2cd7686 100644 --- a//organizations/latest/userguide/orgs_cloudtrail-integration.md +++ b//organizations/latest/userguide/orgs_cloudtrail-integration.md @@ -46,0 +47,4 @@ For more information, see the [CloudTrail userIdentity Element](https://docs.aws +###### Note + +CloudTrail will log events in the account that takes a given action (i.e. in member account rather than management account if member account took the action). For example, a member account leaving an organization will be logged in member account trail, and a management account removing a member account will be logged in management account trail. +