Certified Security - Specialty


CloudTrail organization trail vs cross region replication (CRR)

In the lecture "Cross Region Replication And S3" [1] of the AWS Security Specialty course, Ryan says that replication of CloudTrail logs is a security best practice.

I wonder if this is still true now that they provide AWS organization trails [2]. Isn’t it better to choose organization trails over replication (i.e. storing things twice)?

[1] https://acloud.guru/course/aws-certified-security-specialty/learn/a9b42538-b06a-8291-8802-21b72c0f2f27/955fd1b4-98f0-6dfd-7581-436b5824ae32/watch

[2] https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html

2 Answers

Hi – it is definitely worth knowing both ways of doing this. Although AWS changes on a daily(!) basis – the exams do run 6-12 months behind in terms of the latest services…

Thank you for pointing this out though.

Faye

Hi, I think both are security best practices, because AWS organization trails assume you have an organization AND have all features enabled. These are 2 prerequisites for using the feature, and there are still reasons, however, for some parties to not have all features enabled. (Link: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html).

You can say that ‘not’ replicating CloudTrail logs is not a security best practice, but the fact that you do (and how is of lower priority) is the most important message.
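An added example, not part of the original thread: a small audit that checks both things the answers discuss, whether the organization meets the "all features" prerequisite for organization trails and whether each trail's log bucket has an enabled replication rule. It assumes inputs shaped like the boto3 responses named in the comments; the function names and all sample values are constructed for illustration.

```python
# Response shapes follow boto3: organizations.describe_organization(),
# cloudtrail.describe_trails(), s3.get_bucket_replication(Bucket=...).
# Every value in the SAMPLE_* data is constructed for illustration.

def org_trail_possible(org_resp):
    """Organization trails need an organization with all features enabled."""
    org = (org_resp or {}).get("Organization")
    return bool(org) and org.get("FeatureSet") == "ALL"

def replicated_buckets(repl_by_bucket):
    """Names of buckets with at least one enabled replication rule.
    A value of None stands for a bucket with no replication configuration."""
    found = set()
    for bucket, resp in repl_by_bucket.items():
        rules = (resp or {}).get("ReplicationConfiguration", {}).get("Rules", [])
        if any(rule.get("Status") == "Enabled" for rule in rules):
            found.add(bucket)
    return found

def audit(org_resp, trails_resp, repl_by_bucket):
    """Report, per trail, whether it is an organization trail and whether
    the bucket it delivers to is replicated."""
    replicated = replicated_buckets(repl_by_bucket)
    trails = [{
        "trail": t["Name"],
        "organization_trail": t.get("IsOrganizationTrail", False),
        "log_bucket_replicated": t.get("S3BucketName") in replicated,
    } for t in trails_resp.get("trailList", [])]
    return {"org_trail_possible": org_trail_possible(org_resp), "trails": trails}

SAMPLE_ORG = {"Organization": {"Id": "o-exampleorgid", "FeatureSet": "CONSOLIDATED_BILLING"}}
SAMPLE_TRAILS = {"trailList": [
    {"Name": "account-trail", "S3BucketName": "example-logs-a",
     "IsOrganizationTrail": False},
    {"Name": "second-trail", "S3BucketName": "example-logs-b",
     "IsOrganizationTrail": False},
]}
SAMPLE_REPLICATION = {
    "example-logs-a": {"ReplicationConfiguration": {"Rules": [
        {"Status": "Enabled",
         "Destination": {"Bucket": "arn:aws:s3:::example-logs-a-replica"}}]}},
    "example-logs-b": None,
}

if __name__ == "__main__":
    print(audit(SAMPLE_ORG, SAMPLE_TRAILS, SAMPLE_REPLICATION))
```

With live data, `s3.get_bucket_replication` raises an error for a bucket that has no replication configuration; catch it and pass `None` for that bucket.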
