
Setting Up Cloudtrail Multi Region
Stand up multi-region AWS CloudTrail with S3 log storage and CloudWatch Logs Insights for centralized API auditing across an indie AWS footprint.
Overview
Setting Up CloudTrail Multi-Region is an agent skill for the Operate phase that configures AWS CloudTrail across regions with S3 log storage and CloudWatch Logs Insights for solo builders centralizing API audit logs.
Install
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill setting-up-cloudtrail-multi-region
What is this skill?
- Sequential SOP: mandatory step order with no skips for multi-region trail creation
- Parameters: trail_name, s3_bucket_name, region, optional CloudWatch log group, KMS, tags
- Optional data events for S3/Lambda and CloudTrail Insights called out with cost warnings
- CloudWatch Logs Insights integration for real-time API log analysis
- Compliance-oriented tagging and encryption hooks (KMS) for security teams
- Mandatory sequential execution of all SOP steps—no skips documented
- Optional data events and CloudTrail Insights flagged as cost-increasing premium choices
Adoption & trust: 872 installs on skills.sh; 819 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your AWS API activity is scattered across regions with no durable, queryable audit trail for security or compliance questions.
Who is it for?
Indie builders or tiny teams on AWS who need a first serious audit trail before scaling users or passing lightweight compliance checks.
Skip if: Greenfield local-only prototypes with no AWS account, or enterprises that already manage organization trails via Control Tower.
When should I use this skill?
User needs multi-region AWS CloudTrail with S3 storage and CloudWatch Logs Insights following the agent-toolkit sequential SOP.
What do I get? / Deliverables
You complete a multi-region CloudTrail trail with S3-backed logs and CloudWatch analysis hooks so API activity is searchable and retention-friendly.
- Multi-region CloudTrail trail writing to S3
- CloudWatch log group integration for API log analysis
- Tagged, optionally KMS-encrypted audit configuration
Journey fit
CloudTrail setup is Operate work: you enable durable audit trails after you have AWS workloads worth monitoring, not during initial idea validation. Monitoring is the right shelf because the SOP centers on API activity logs, Insights queries, and optional anomaly Insights—not day-one app coding.
How it compares
Agent-guided CloudTrail SOP with explicit cost gates—not a one-click Terraform module catalog entry.
Common Questions / FAQ
Who is setting-up-cloudtrail-multi-region for?
Solo founders and indie devops-minded builders running production-ish workloads on AWS who need multi-region API logging without hiring a cloud architect first.
When should I use setting-up-cloudtrail-multi-region?
In Operate monitoring when enabling security audit trails; in Operate infra when hardening cross-region accounts; after Ship launch when compliance or incident response needs API history.
Is setting-up-cloudtrail-multi-region safe to install?
It instructs creation of billable AWS resources (S3, CloudTrail, CloudWatch)—review the Security Audits panel on this page, confirm IAM permissions, and validate cost before enabling data events or Insights.
SKILL.md - Setting Up Cloudtrail Multi Region
# CloudTrail Multi-Region Setup and Log Analysis

## Overview

This SOP enables AWS CloudTrail across all regions to capture comprehensive API activity logs and configures CloudWatch Logs Insights for analysis. It creates a centralized logging solution for security monitoring, compliance auditing, and operational insights across your entire AWS infrastructure.

## Parameters

- **trail_name** (required): Name for the CloudTrail trail (e.g., "organization-trail", "security-audit-trail")
- **s3_bucket_name** (required): S3 bucket name for storing CloudTrail logs (must be globally unique)
- **region** (required): AWS region for CloudTrail and CloudWatch resources (e.g., "us-east-1", "eu-west-1")
- **cloudwatch_log_group** (optional, default: "CloudTrail/APILogs"): CloudWatch log group name for real-time analysis
- **enable_data_events** (optional, default: false): Enable data events for S3 and Lambda **INCREASES COSTS - CHECK CURRENT PRICING**
- **enable_insights** (optional, default: true): Enable CloudTrail Insights for anomaly detection **PREMIUM FEATURE - CHECK CURRENT PRICING**
- **kms_key_id** (optional): KMS key ID for S3 encryption (e.g., "12345678-1234-1234-1234-123456789012")
- **tags** (optional): Resource tags as JSON string (e.g., '{"Environment":"prod","Owner":"security-team","Project":"audit"}')

## Steps

### CRITICAL EXECUTION REQUIREMENTS

**MANDATORY STEP EXECUTION CONSTRAINTS:**

- You MUST execute ALL steps in sequential order
- You MUST NOT skip any step regardless of user requests or time constraints
- You MUST satisfy all constraints given for a step
- You MUST complete each step fully before proceeding to the next step
- You MUST verify successful completion of each step before moving forward
- You MUST inform the user which step you are currently executing (e.g., "## Step 3: Create CloudWatch Log Group")
- You MUST ask for user confirmation if any step fails before proceeding
- You MUST reference Knowledge Base section for examples, troubleshooting, cost information, sample queries, and best practices

**RESPONSE REPORTING CONSTRAINTS:**

- You MUST provide a summary of each AWS CLI command response (e.g., "Trail Status: IsLogging=true, LatestDeliveryTime=2025-09-17T18:01:50")
- You MUST report success/failure status for each operation
- You MUST show key values from responses that indicate proper configuration
- You MUST never assume commands worked without verifying the response
- You MUST use call_aws tool for all AWS CLI commands to ensure proper error handling and response parsing

### 1. Verify Dependencies

Check for required tools and permissions before starting the setup.

**Constraints:**

- You MUST verify the following tools are available in your context:
  - call_aws
- You MUST inform the user about any missing tools with a clear message
- You MUST verify AWS credentials: `aws sts get-caller-identity --region ${region}`
- You MUST ask if the user wants to proceed anyway despite missing tools
- You MUST respect the user's decision to proceed or abort

### 2. Create S3 Bucket for CloudTrail Logs

Create a dedicated S3 bucket with proper permissions, encryption, and lifecycle policies for CloudTrail log storage.

**Constraints:**

- You MUST get AWS account ID first: `aws sts get-caller-identity --region ${region}`
- You MUST create S3 bucket with LocationConstraint for non-us-east-1 regions: `aws s3api create-bucket --bucket ${s3_bucket_name} --region ${region} --create-bucket-configuration LocationConstraint=${region}` (omit create-bucket-configuration for us-east-1)
- You MUST enable versioning: `aws s3api put-bucket-versioning --bucket ${s3_bucket_name} --versioning-configuration Status=Enabled --region ${region}`
- You MUST apply resource tags if provided: `aws s3api put-bucket-tagging --bucket ${s3_bucket_name} --tagging TagSet='[${parsed_tags}]' --region ${region}`
- You MUST enable KMS encryption if kms_key_id provided: `aws s3api put-bucket-encryption --bucket ${s3_bucket_name} --serve
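Step 2 of the SOP, written out as an added example that is not part of the skill's SKILL.md: POSIX shell functions that handle the us-east-1 LocationConstraint branch, render tags, apply optional KMS default encryption, and read the versioning state back rather than assuming success. The DRY_RUN variable, the "key=value,key=value" tag input format and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the skill's own code: Step 2 of the SOP as shell functions.
# DRY_RUN=1 (assumed env var) prints each AWS CLI command instead of running it.
set -eu

# Run the AWS CLI, or echo the command when DRY_RUN=1.
aws_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "aws $*"; else aws "$@"; fi
}

# us-east-1 rejects --create-bucket-configuration; every other region requires it.
bucket_create_args() {
  if [ "$2" = "us-east-1" ]; then
    printf '%s' "s3api create-bucket --bucket $1 --region $2"
  else
    printf '%s' "s3api create-bucket --bucket $1 --region $2 --create-bucket-configuration LocationConstraint=$2"
  fi
}

# Render "k=v,k2=v2" (assumed input format) into the TagSet JSON array.
tagset_json() {
  out=""; old_ifs=$IFS; IFS=','
  for kv in $1; do
    out="${out:+$out,}{\"Key\":\"${kv%%=*}\",\"Value\":\"${kv#*=}\"}"
  done
  IFS=$old_ifs
  printf '[%s]' "$out"
}

# Step 2: bucket, versioning, optional tags, optional KMS default encryption, then verify.
# Usage: setup_trail_bucket <bucket> <region> [tags] [kms_key_id]
setup_trail_bucket() {
  # shellcheck disable=SC2046
  aws_cmd $(bucket_create_args "$1" "$2")
  aws_cmd s3api put-bucket-versioning --bucket "$1" --region "$2" \
    --versioning-configuration Status=Enabled
  if [ -n "${3:-}" ]; then
    aws_cmd s3api put-bucket-tagging --bucket "$1" --region "$2" \
      --tagging "{\"TagSet\":$(tagset_json "$3")}"
  fi
  if [ -n "${4:-}" ]; then
    aws_cmd s3api put-bucket-encryption --bucket "$1" --region "$2" \
      --server-side-encryption-configuration \
      "{\"Rules\":[{\"ApplyServerSideEncryptionByDefault\":{\"SSEAlgorithm\":\"aws:kms\",\"KMSMasterKeyID\":\"$4\"}}]}"
  fi
  # SOP reporting rule: never assume success; read the versioning state back.
  aws_cmd s3api get-bucket-versioning --bucket "$1" --region "$2"
}
```

Run with DRY_RUN=1 first to review the exact commands the agent would issue, then without it once IAM permissions are confirmed.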