Create Trail
The Create Trail wizard guides you through configuring and deploying a new AWS CloudTrail trail across one or more AWS accounts. The wizard consists of four steps that walk you through all required and optional settings.
Accessing the Wizard
You can start the Create Trail wizard in two ways:
- Click Create Trail in the sidebar navigation
- Click the Create Trail button on the Trail List page
Wizard Steps
The wizard progresses through four steps in order:
| Step | Name | Description |
|---|---|---|
| 1 | Trail Settings | Configure the trail name, region, and multi-region setting |
| 2 | Select Accounts | Choose which AWS accounts to include in the trail |
| 3 | S3 Bucket | Configure the S3 bucket for storing trail logs |
| 4 | Events | Configure which event types to capture |
You can navigate back to previous steps at any time by clicking on the step name in the wizard header. You must complete all required fields in each step before proceeding to the next.
Clone Mode
If you arrived at the Create Trail wizard by clicking Clone Trail on a Trail Detail page, the wizard operates in clone mode. In this mode, the following settings are pre-populated from the source trail:
- Multi-region toggle
- Trail region
- Event configuration (all event types and their settings)
The following fields are not pre-populated and must be set fresh:
- Trail name (must be unique)
- Account selection
- S3 bucket configuration
Cloning is useful when you want to create a trail with the same event configuration but for different accounts or with a different S3 bucket destination.
Prerequisites
Before creating a trail, ensure:
- At least one AWS account is onboarded in Prism
- You have authenticated to CloudTrail
- You know which accounts should be included in the trail
- You have decided on an S3 bucket strategy (new or existing)
Step 1: Trail Settings
In this step, you configure the trail's name, home region, and whether it should capture events from all AWS regions.
Trail Name
| Property | Value |
|---|---|
| Type | Text input |
| Required | Yes |
| Constraints | Must be unique within your organization |
Enter a descriptive name for the trail. The trail name is permanent and cannot be changed after creation. Choose a name that clearly identifies the trail's purpose, such as production-audit-trail or security-monitoring.
Use a consistent naming convention across your trails. For example, include the environment (prod, dev) or purpose (security, compliance) in the name.
Multi-Region Trail
| Property | Value |
|---|---|
| Type | Toggle switch |
| Required | No |
| Default | Enabled (recommended) |
When enabled, the trail captures API events from all AWS regions, not just the home region. This is the recommended setting for comprehensive audit coverage.
- Enabled -- Events are recorded from every AWS region, ensuring you capture activity regardless of where it occurs
- Disabled -- Events are only recorded from the region specified in Trail Region
Disabling multi-region means you will not capture API activity in other regions. If someone performs actions in a region not covered by your trail, those events will not be logged. Enable multi-region unless you have a specific reason to limit the trail to a single region.
Trail Region
| Property | Value |
|---|---|
| Type | Dropdown select with search |
| Required | Yes |
| Default | None |
Select the AWS region where the trail will be created. This is the trail's home region. If multi-region is disabled, only events from this region will be captured.
The following regions are available:
| Region Code | Region Name |
|---|---|
| us-east-1 | US East (N. Virginia) |
| us-east-2 | US East (Ohio) |
| us-west-1 | US West (N. California) |
| us-west-2 | US West (Oregon) |
| ap-south-1 | Asia Pacific (Mumbai) |
| ap-northeast-3 | Asia Pacific (Osaka) |
| ap-northeast-2 | Asia Pacific (Seoul) |
| ap-southeast-1 | Asia Pacific (Singapore) |
| ap-southeast-2 | Asia Pacific (Sydney) |
| ap-northeast-1 | Asia Pacific (Tokyo) |
| ca-central-1 | Canada (Central) |
| eu-central-1 | Europe (Frankfurt) |
| eu-west-1 | Europe (Ireland) |
| eu-west-2 | Europe (London) |
| eu-west-3 | Europe (Paris) |
| eu-north-1 | Europe (Stockholm) |
| sa-east-1 | South America (São Paulo) |
Choose a region that is close to your primary operations or that aligns with your compliance requirements. The trail region also determines where the S3 bucket is created if you choose to create a new bucket.
Step 2: Select Accounts
In this step, you choose which AWS accounts in your organization will have the CloudTrail trail deployed.
Account List
The step displays all AWS accounts that have been onboarded to your Prism organization. Each account is shown with its name and account ID.
Searching Accounts
Use the search bar at the top of the account list to filter accounts by account name or account ID. The list filters in real time as you type.
Selecting Accounts
You can select accounts in two ways:
- Individual selection -- Click the checkbox next to each account you want to include
- Select All / Deselect All -- Use the bulk action buttons to quickly select or clear all accounts
A counter at the top of the list shows "Selected: X of Y accounts", where X is the number of selected accounts and Y is the total number of available accounts.
At least one account must be selected before you can proceed to the next step. The Next button is disabled until you have selected at least one account.
Considerations
- All selected accounts will have the trail deployed to them simultaneously
- If you need to add more accounts later, you can do so from the Trail Detail page using the Add Accounts button
- The account you choose for the S3 bucket (in the next step) must be among the selected accounts
- Each account will have an independent deployment status that you can monitor after creation
For comprehensive audit coverage, select all accounts in your organization. You can always remove individual accounts later from the Trail Detail page if needed.
Step 3: S3 Bucket Configuration
In this step, you configure where CloudTrail log files will be stored. You can either create a new S3 bucket or use an existing one.
Bucket Account
| Property | Value |
|---|---|
| Type | Autocomplete dropdown |
| Required | Yes |
| Options | Filtered to accounts selected in Step 2 |
Select the AWS account where the S3 bucket resides (or will be created). The dropdown only shows accounts that you selected in the previous step.
The bucket account is significant because:
- This account cannot be removed from the trail as long as it hosts the trail's S3 bucket
- If you create a new bucket, it will be created in this account
- If you use an existing bucket, it must already exist in this account
Bucket Option
| Property | Value |
|---|---|
| Type | Radio button selection |
| Required | Yes |
| Default | Create new bucket |
Choose how to provide the S3 bucket:
Create New Bucket (Default)
Prism will create a new S3 bucket in the selected bucket account. The bucket name is auto-generated using the format:
cloudtrail-{realm}-{timestamp}
Where {realm} is your organization's Prism realm identifier and {timestamp} is the current Unix timestamp. You can modify the auto-generated name if desired.
When you delete a trail that uses a newly created bucket, you will have the option to also delete the S3 bucket. This option is only available for buckets that Prism created.
Use Existing Bucket
Specify the name of an S3 bucket that already exists in the selected bucket account. The bucket must:
- Already exist in the selected AWS account
- Have the appropriate permissions for CloudTrail to write log files
- Be accessible from the trail's home region
S3 Bucket Name
| Property | Value |
|---|---|
| Type | Text input |
| Required | Yes |
| Default | Auto-generated (for new buckets) |
The name of the S3 bucket. For new buckets, an auto-generated name is pre-filled but can be modified. For existing buckets, enter the exact bucket name.
S3 bucket names must follow AWS naming rules:
- 3 to 63 characters long
- Only lowercase letters, numbers, hyphens, and periods
- Must start and end with a letter or number
S3 Key Prefix
| Property | Value |
|---|---|
| Type | Text input |
| Required | No |
| Default | Empty |
An optional prefix that organizes CloudTrail log files within the S3 bucket. When set, logs are stored under this path prefix.
For example, if you set the prefix to audit-logs, your log files will be stored at:
s3://your-bucket-name/audit-logs/AWSLogs/{account-id}/CloudTrail/...
Use an S3 key prefix if you plan to store logs from multiple trails in the same bucket, or if you want to organize logs alongside other data in the bucket.
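The naming rules, the auto-generated name format and the key-prefix layout described in this step can all be checked before you click Next. The following Python is an added example written for this page, not Prism's own code: the function names, the `validate_step3` helper and the sample realm, timestamp and account IDs are constructed for illustration, and the assumption that the realm identifier is already lowercase is stated in the code.

```python
from __future__ import annotations

import re
import time

# Rules from the S3 Bucket Name field: 3-63 characters, only lowercase letters,
# digits, hyphens and periods, starting and ending with a letter or digit.
ALNUM = set("abcdefghijklmnopqrstuvwxyz0123456789")


def validate_bucket_name(name: str) -> list[str]:
    """Return every rule the name breaks; an empty list means it is acceptable."""
    errors = []
    if not 3 <= len(name) <= 63:
        errors.append("length must be 3 to 63 characters")
    if re.search(r"[^a-z0-9.-]", name):
        errors.append("only lowercase letters, numbers, hyphens and periods are allowed")
    if not name or name[0] not in ALNUM or name[-1] not in ALNUM:
        errors.append("must start and end with a letter or number")
    return errors


def generate_bucket_name(realm: str, timestamp: int | None = None) -> str:
    """Build the wizard's default name, cloudtrail-{realm}-{timestamp}, and check it.

    Assumption (not stated on the page): the realm identifier is already lowercase,
    so the generated name can satisfy the S3 rules. A realm that breaks them is rejected.
    """
    if timestamp is None:
        timestamp = int(time.time())
    name = f"cloudtrail-{realm}-{timestamp}"
    problems = validate_bucket_name(name)
    if problems:
        raise ValueError(f"{name!r} is not a valid bucket name: {'; '.join(problems)}")
    return name


def log_location(bucket: str, key_prefix: str, account_id: str) -> str:
    """Return the s3:// location under which CloudTrail writes one account's log files.

    An empty key prefix puts AWSLogs/ directly under the bucket root; stray slashes
    around the prefix are removed so the path never contains an empty segment.
    """
    parts = ["s3://" + bucket]
    prefix = key_prefix.strip("/")
    if prefix:
        parts.append(prefix)
    parts.append(f"AWSLogs/{account_id}/CloudTrail/")
    return "/".join(parts)


def validate_step3(selected_accounts: set[str], bucket_account: str, bucket_name: str) -> list[str]:
    """Check Step 3 input against the constraints the wizard enforces.

    The bucket account must be one of the accounts selected in Step 2, and the
    bucket name must satisfy the S3 naming rules above.
    """
    errors = []
    if not selected_accounts:
        errors.append("select at least one account in Step 2")
    if bucket_account not in selected_accounts:
        errors.append("the bucket account must be one of the accounts selected in Step 2")
    errors.extend(validate_bucket_name(bucket_name))
    return errors


if __name__ == "__main__":
    # Constructed sample values; the account IDs do not refer to real accounts.
    selected = {"111111111111", "222222222222"}
    name = generate_bucket_name("acme", 1700000000)
    print(name)
    print(validate_step3(selected, "111111111111", name))
    print(validate_step3(selected, "333333333333", "Bad_Name"))
    print(log_location(name, "audit-logs", "111111111111"))
```

`validate_bucket_name` reports every broken rule rather than stopping at the first one, which is what you want when the wizard shows the user a list of problems; `log_location` is the place to see what a trailing or leading slash in the prefix field would otherwise do to the path.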
Step 4: Event Configuration
In this step, you configure which types of AWS events the trail will capture. This step also displays a review panel summarizing your entire trail configuration before submission.
Event Types
CloudTrail supports four categories of events. Each can be independently configured:
| Event Type | Description | Default |
|---|---|---|
| Management Events | Control plane operations that manage AWS resources | Enabled |
| Data Events | Data plane operations on resources | Disabled (no selectors) |
| Insight Events | Anomaly detection for unusual API activity | Disabled |
| Network Activity Events | VPC endpoint network activity | Disabled (no selectors) |
Management Events
Management events capture control plane operations -- API calls that create, modify, or delete AWS resources (e.g., CreateBucket, RunInstances, DeleteTable).
| Field | Type | Default | Description |
|---|---|---|---|
| Enable Management Events | Toggle | Enabled | Whether to capture management events. |
| Read/Write Type | Select | All | Which operations to log: All, ReadOnly, or WriteOnly. |
| Exclude AWS KMS events | Checkbox | Unchecked | When checked, excludes AWS Key Management Service events (high-volume in many environments). |
| Exclude Amazon RDS Data API events | Checkbox | Unchecked | When checked, excludes Amazon RDS Data API events. |
AWS KMS events can generate significant log volume because many AWS services call KMS frequently for encryption operations. Excluding KMS events can reduce log volume and costs without losing visibility into resource management activity.
For more details, see Management Events.
Data Events
Data events capture data plane operations performed on or within AWS resources, such as reading an S3 object or invoking a Lambda function.
Click Add Data Event Selector to add a new selector. You can add multiple selectors to capture different resource types. Each selector has the following fields:
| Field | Type | Required | Description |
|---|---|---|---|
| Resource Type | Dropdown | Yes | The AWS resource type to monitor. |
| Read/Write | Select | Yes | Which operations to log: All, ReadOnly, or WriteOnly. Default: All. |
| Resource ARNs | Text input | No | Comma-separated list of ARNs to filter specific resources. Leave empty to log all resources of the selected type. |
Supported Resource Types
| Resource Type |
|---|
| AWS::S3::Object |
| AWS::Lambda::Function |
| AWS::DynamoDB::Table |
To remove a data event selector, click the remove button on the selector.
For more details, see Data Events.
Insight Events
Insight events enable CloudTrail to detect unusual API activity patterns and generate insight events when anomalies are detected.
| Field | Type | Default | Description |
|---|---|---|---|
| API call rate insight | Checkbox | Unchecked | Detects anomalies in the rate of API calls. |
| API error rate insight | Checkbox | Unchecked | Detects anomalies in the rate of API error responses. |
Insight events require management events to be enabled on the trail. CloudTrail analyzes management event patterns to detect anomalies.
For more details, see Insight Events.
Network Activity Events
Network activity events capture network-level activity through VPC endpoints, letting you monitor which AWS services are being accessed over your VPC endpoints.
Click Add Network Activity Selector to add a new selector. Each selector has the following field:
| Field | Type | Required | Description |
|---|---|---|---|
| Event Source | Autocomplete with custom input | Yes | The AWS service event source to monitor (e.g., ec2.amazonaws.com, s3.amazonaws.com). |
The event source field provides autocomplete suggestions for supported AWS service endpoints. For the full list of available event sources, see Network Activity Events. You can also enter custom event source values.
To remove a network activity selector, click the remove button on the selector.
For more details, see Network Activity Events.
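To see how the four event types on this step fit together, the following Python is an added example, not Prism's code; the page does not say how Prism talks to CloudTrail, so the translation of the wizard's settings into CloudTrail advanced event selectors and insight selectors is this example's assumption. It also enforces the constraints the step describes: insight events require management events, data selectors must use one of the supported resource types, and Read/Write must be All, ReadOnly or WriteOnly. The `EventConfig` and `DataEventSelector` classes, the function names and the sample ARNs are constructed for illustration; the field names, operators and insight type values in the output are CloudTrail's own.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Values the wizard offers, from the tables in this step.
READ_WRITE_TYPES = {"All", "ReadOnly", "WriteOnly"}
SUPPORTED_DATA_RESOURCE_TYPES = {"AWS::S3::Object", "AWS::Lambda::Function", "AWS::DynamoDB::Table"}

# CloudTrail event sources behind the two management-event exclusion checkboxes.
KMS_SOURCE = "kms.amazonaws.com"
RDS_DATA_API_SOURCE = "rdsdata.amazonaws.com"


@dataclass
class DataEventSelector:
    """One row added with Add Data Event Selector (hypothetical model class)."""
    resource_type: str
    read_write: str = "All"
    resource_arns: str = ""  # comma-separated, exactly as typed into the wizard


@dataclass
class EventConfig:
    """Everything Step 4 collects (hypothetical model class)."""
    management_enabled: bool = True
    management_read_write: str = "All"
    exclude_kms: bool = False
    exclude_rds_data_api: bool = False
    data_selectors: list[DataEventSelector] = field(default_factory=list)
    api_call_rate_insight: bool = False
    api_error_rate_insight: bool = False
    network_event_sources: list[str] = field(default_factory=list)


def validate_event_config(cfg: EventConfig) -> list[str]:
    """Return the constraint violations this step describes; empty means valid."""
    errors = []
    if cfg.management_read_write not in READ_WRITE_TYPES:
        errors.append(f"unknown management read/write type {cfg.management_read_write!r}")
    if (cfg.api_call_rate_insight or cfg.api_error_rate_insight) and not cfg.management_enabled:
        errors.append("insight events require management events to be enabled")
    for sel in cfg.data_selectors:
        if sel.resource_type not in SUPPORTED_DATA_RESOURCE_TYPES:
            errors.append(f"unsupported data event resource type {sel.resource_type!r}")
        if sel.read_write not in READ_WRITE_TYPES:
            errors.append(f"unknown data event read/write type {sel.read_write!r}")
    for src in cfg.network_event_sources:
        if not src.strip():
            errors.append("a network activity selector has an empty event source")
    return errors


def _read_only_field(read_write: str) -> dict | None:
    """Map the wizard's Read/Write choice onto CloudTrail's readOnly field selector."""
    if read_write == "ReadOnly":
        return {"Field": "readOnly", "Equals": ["true"]}
    if read_write == "WriteOnly":
        return {"Field": "readOnly", "Equals": ["false"]}
    return None  # "All": no readOnly filter at all


def build_advanced_event_selectors(cfg: EventConfig) -> list[dict]:
    """Translate the wizard settings into CloudTrail advanced event selectors.

    Management, data and network activity events each become selectors keyed on
    eventCategory; insight events are configured separately (build_insight_selectors).
    """
    selectors = []
    if cfg.management_enabled:
        fields = [{"Field": "eventCategory", "Equals": ["Management"]}]
        ro = _read_only_field(cfg.management_read_write)
        if ro:
            fields.append(ro)
        excluded = [s for s, on in ((KMS_SOURCE, cfg.exclude_kms),
                                    (RDS_DATA_API_SOURCE, cfg.exclude_rds_data_api)) if on]
        if excluded:
            # For management events CloudTrail accepts eventSource only with NotEquals.
            fields.append({"Field": "eventSource", "NotEquals": excluded})
        selectors.append({"Name": "Management events", "FieldSelectors": fields})
    for i, sel in enumerate(cfg.data_selectors, start=1):
        fields = [{"Field": "eventCategory", "Equals": ["Data"]},
                  {"Field": "resources.type", "Equals": [sel.resource_type]}]
        ro = _read_only_field(sel.read_write)
        if ro:
            fields.append(ro)
        arns = [a.strip() for a in sel.resource_arns.split(",") if a.strip()]
        if arns:
            # StartsWith lets an ARN such as arn:aws:s3:::bucket/ cover every object in that bucket.
            fields.append({"Field": "resources.ARN", "StartsWith": arns})
        selectors.append({"Name": f"Data events {i}: {sel.resource_type}", "FieldSelectors": fields})
    for src in cfg.network_event_sources:
        selectors.append({"Name": f"Network activity: {src.strip()}", "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["NetworkActivity"]},
            {"Field": "eventSource", "Equals": [src.strip()]},
        ]})
    return selectors


def build_insight_selectors(cfg: EventConfig) -> list[dict]:
    """Translate the two insight checkboxes into CloudTrail insight selectors."""
    out = []
    if cfg.api_call_rate_insight:
        out.append({"InsightType": "ApiCallRateInsight"})
    if cfg.api_error_rate_insight:
        out.append({"InsightType": "ApiErrorRateInsight"})
    return out


if __name__ == "__main__":
    import json
    # Constructed sample configuration; the bucket names in the ARNs are not real.
    cfg = EventConfig(management_read_write="WriteOnly", exclude_kms=True,
                      data_selectors=[DataEventSelector("AWS::S3::Object", "ReadOnly",
                                                        "arn:aws:s3:::prod-data/, arn:aws:s3:::prod-backups/")],
                      api_call_rate_insight=True, network_event_sources=["ec2.amazonaws.com"])
    print(validate_event_config(cfg))
    print(json.dumps(build_advanced_event_selectors(cfg), indent=2))
    print(build_insight_selectors(cfg))
```

Run `validate_event_config` before building anything: the insight-without-management case is the one most likely to slip through a review panel, because both checkboxes sit in a different section from the management toggle. Leaving Read/Write at All for management events deliberately omits the `readOnly` filter rather than emitting one, which is how CloudTrail expresses "log both".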
Review Panel
Before submitting, the review panel on Step 4 displays a summary of your complete trail configuration across all four wizard steps:
- Trail Settings -- Trail name, region, multi-region setting
- Selected Accounts -- Number and list of selected accounts
- S3 Bucket -- Bucket name, bucket account, key prefix, and whether it is new or existing
- Events -- Summary of all enabled event types and their settings
Review all settings carefully before clicking Create Trail.
What Happens After Submission
After you click Create Trail:
- You are returned to the Trail List page
- The new trail appears with a pending status
- The trail status transitions to in_progress as deployment begins
- Each selected account is provisioned with the trail configuration
- Once all accounts are deployed, the status changes to completed
- If any accounts fail, the status changes to partial_failure
The Trail List automatically polls every 5 seconds while operations are active, so you can watch the deployment progress in real time.
Related Pages
- Trail List -- View all trails
- Trail Detail -- View a trail after creation