Skip to main content

Quick Start: CloudTrail

This guide walks you through creating your first AWS CloudTrail trail using the CloudTrail's step-by-step wizard.

Prerequisites

  • Your organization has Prism
  • You have the CloudTrail permissions assigned through the Admin Management Page under the Admin Portal
  • Your AWS accounts are onboarded on Prism

Step 1: Log In

  1. Navigate to your organization's Prism URL
  2. Authenticate through SSO
  3. Select CloudTrail on the Application selection screen, You'll land on the Trail List page

Step 2: Start the Create Trail Wizard

  1. Click the Create Trail button
  2. The wizard opens with 4 steps

Step 2a: Trail Settings

  1. Enter a Trail Name — e.g., my-org-trail
  2. Select the Home Region — the AWS region where the trail will be created
  3. Choose whether this is a multi-region trail (recommended) or single-region
  4. Click Next

Step 2b: Select Accounts

  1. Choose which AWS accounts to include in the trail
  2. You can select individual accounts or use Select All
  3. Search accounts by name or ID to find specific ones
  4. Click Next

Step 2c: S3 Bucket Configuration

  1. Configure where trail logs will be stored:
    • Create new bucket — Prism creates an S3 bucket for you
    • Use existing bucket — Specify an existing S3 bucket name
  2. Set the S3 key prefix (optional) — organizes logs in a subfolder
  3. Click Next

Step 2d: Event Configuration

  1. Configure which events to log:
    • Management Events — API calls that manage AWS resources (enabled by default)
    • Data Events — Operations on data within resources (e.g., S3 object reads)
    • Insight Events — Unusual API activity detection
    • Network Activity Events — Network activity logging
  2. For each event type, configure whether to log Read events, Write events, or both
  3. Click Create Trail

Step 3: Verify Your Trail

  1. You'll be returned to the Trail List
  2. Find your new trail in the list
  3. Click on the trail name to view its details
  4. Verify the configuration is correct:
    • Status shows the trail is completed
    • Accounts are correctly assigned
    • Event types are configured as expected

What Happens Next

After creating a trail:

  • CloudTrail begins logging API events to the configured S3 bucket
  • Logs are delivered within a few minutes of the API activity
  • You can view trail details and modify settings at any time
  • The trail applies to all selected accounts

Next Steps