Certified Security - Specialty

Sign Up Free or Log In to participate!

CloudTrail organization trail vs cross region replication (CRR)

In the lecture "Cross Region Replication And S3" [1] of the AWS Security Specialty course, Ryan says that replication of CloudTrail logs is a security best practice.

I wonder if this is still true now that they provide aws organization trails [2]. Isn’t it better to choose organization trails over replication (i.e. storing things twice)?

[1] https://acloud.guru/course/aws-certified-security-specialty/learn/a9b42538-b06a-8291-8802-21b72c0f2f27/955fd1b4-98f0-6dfd-7581-436b5824ae32/watch

[2] https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html

2 Answers

Hi – it is definitely worth knowing both ways of doing this. Although AWS changes on a daily(!) basis – the exams do run 6-12 months behind in terms of the latest services…

Thank you for pointing this out though.


Hi, I think both are security best-practices because aws organization trails assumes you have an organization AND have all features enabled. These are 2 prerequisites for using the feature and there are still reasons however for some parties to not have all features enabled. (Link: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html).

You can say that ‘Not" replicating Cloudtrail logs is not a security best-practice but the fact that you do (and how is of lower priority) is the most important message.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?