CloudTrail Setup Issues
This page covers common problems with creating, configuring, and managing CloudTrail trails in Prism CloudTrail.
Trail Creation Failed
Problem: Trail creation fails with an error after submitting the trail configuration.
Cause: The trail could not be created in one or more AWS accounts, typically due to insufficient IAM permissions in the target accounts or AWS service limits.
Solution:
- Check the error message for specific details about which step failed.
- Verify that the AWS accounts included in the trail have the required IAM permissions for CloudTrail:
  - The Prism service role must have permissions to create and manage CloudTrail trails.
  - The role must have permissions to write to the specified S3 bucket.
- Check AWS service limits:
  - Each AWS account has a limit on the number of trails (typically 5 per region).
  - If the limit has been reached, delete unused trails in the AWS console or request a limit increase.
- If the trail was partially created (some accounts succeeded, some failed), see the Partial Failure section below.
- Retry the trail creation after resolving the underlying issues.
Partial Failure During Trail Creation
Problem: Trail creation completed, but the trail detail page shows that some accounts succeeded while others failed.
Cause: Multi-account trail creation processes each account independently. Individual accounts may fail due to account-specific permission issues, service limits, or network problems while other accounts succeed.
Solution:
- Navigate to the trail detail page to see the per-account status.
- For each failed account, check the error message provided:
  - Permission errors: The Prism service role may not have adequate permissions in that specific account. Verify the role's CloudTrail and S3 permissions.
  - Service limit errors: The account may have reached its CloudTrail trail limit. Remove unused trails or request a limit increase from AWS.
  - Region not enabled: The trail's region may not be enabled in that AWS account. Enable the region in the account's AWS settings.
- After resolving the issues in the failed accounts, you can edit the trail to retry provisioning for those accounts.
- Successfully provisioned accounts are not affected by failures in other accounts.
S3 Bucket Creation Failed
Problem: Trail creation fails at the S3 bucket configuration step with an error about the bucket.
Cause: The S3 bucket could not be created. Common reasons include: the bucket name is already taken globally (S3 bucket names are globally unique across all AWS accounts), or the account designated for the S3 bucket does not have sufficient permissions.
Solution:
- Bucket name already exists:
  - S3 bucket names must be globally unique across all of AWS.
  - Choose a different, more specific bucket name (e.g., include your organization name and a unique identifier).
  - Avoid generic names like "cloudtrail-logs" which are likely already taken.
- Permission errors on the S3 bucket account:
  - Verify that the Prism service role in the S3 bucket account has permissions to create S3 buckets.
  - Verify that the role can set bucket policies (needed for cross-account CloudTrail log delivery).
- If using an existing bucket:
  - Verify the bucket exists and the Prism service role has write access.
  - Verify the bucket policy allows CloudTrail to write logs from all included accounts.
- After resolving the issue, retry trail creation with the corrected bucket configuration.
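The script below is an added example (not Prism's or CloudKeeper's code) for the "existing bucket" case: it parses a bucket policy offline and reports whether the CloudTrail service principal has the GetBucketAcl grant and a PutObject grant covering the AWSLogs/<account-id>/ key path for every account in the trail. The bucket name, account IDs and policy are constructed samples.

```python
import fnmatch
import json

# Constructed sample bucket policy (not from the page): bucket account 111111111111
# has a PutObject grant, but account 222222222222, added to the trail later, does not.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::example-org-cloudtrail-logs"},
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-org-cloudtrail-logs/AWSLogs/111111111111/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
})

def _as_list(value):
    # IAM accepts a scalar or a list in Action/Resource/Service; normalise to a list.
    return value if isinstance(value, list) else [value]

def _allows_cloudtrail(stmt, action, resource_arn):
    # True if this Allow statement grants the CloudTrail service principal `action` on `resource_arn`.
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if "cloudtrail.amazonaws.com" not in services:
        return False
    # IAM wildcards (* and ?) behave like shell globs, so fnmatch is a fair offline approximation.
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    return any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", [])))

def check_cloudtrail_bucket_policy(policy_json, bucket, account_ids, prefix=""):
    # CloudTrail writes to <bucket>/<prefix>/AWSLogs/<account-id>/..., so every account in the
    # trail needs a PutObject grant matching that key path, plus one GetBucketAcl grant on the bucket.
    stmts = _as_list(json.loads(policy_json).get("Statement", []))
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    acl_ok = any(_allows_cloudtrail(s, "s3:GetBucketAcl", bucket_arn) for s in stmts)
    missing = [acct for acct in account_ids
               if not any(_allows_cloudtrail(s, "s3:PutObject",
                                             f"{bucket_arn}/{key_prefix}AWSLogs/{acct}/x.json.gz")
                          for s in stmts)]
    return {"acl_check": acl_ok, "missing_write": missing}
```

Any account listed under missing_write needs its own AWSLogs/<account-id>/ path (or a covering wildcard) added to the PutObject statement before retrying trail creation.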
Cannot Delete Trail
Problem: You are trying to delete a trail but the delete operation fails or the delete button is disabled.
Cause: The trail is currently being provisioned or updated (status is "in_progress"). Trails cannot be deleted while an operation is in progress.
Solution:
- Check the trail's current status on the trail detail page.
- If the status is "in_progress", wait for the current operation to complete before attempting deletion.
- Once the trail status changes to "completed" or "failed", you can delete it.
- If the trail has been in "in_progress" status for an unusually long time (more than 30 minutes), see the Trail Stuck in "in_progress" section below.
Cannot Remove Account from Trail
Problem: When editing a trail, you cannot remove a specific AWS account. The remove option is disabled or an error appears.
Cause: There are two common reasons: the account is the designated S3 bucket account for the trail, or the account is the last remaining account in the trail.
Solution:
- Account is the S3 bucket account:
  - The account that hosts the S3 bucket where CloudTrail logs are delivered cannot be removed from the trail.
  - To change the S3 bucket account, you would need to delete the trail and recreate it with a different S3 bucket configuration.
- Account is the last remaining account:
  - A trail must have at least one AWS account. You cannot remove the last account.
  - If you no longer need the trail, delete the entire trail instead of trying to remove the last account.
- For any other account removal errors, check the trail detail page for account-specific error messages.
Trail Stuck in "in_progress"
Problem: A trail shows "in_progress" status for an extended period and does not transition to "completed" or "failed".
Cause: The trail creation or update operation is taking longer than expected due to account-level issues, AWS API throttling, or backend processing delays.
Solution:
- Navigate to the trail detail page and check the per-account status:
  - Individual accounts may show their own status (succeeded, failed, or in progress).
  - Look for accounts that are still processing or have errors.
- If specific accounts show errors:
  - Review the error messages for each failed account.
  - The errors may indicate permission issues, region availability problems, or AWS service limits.
- If the trail has been in "in_progress" for more than 30 minutes:
  - Refresh the page to get the latest status.
  - If it remains stuck, contact CloudKeeper support with the trail name and your realm. The backend process may need manual intervention.
- Do not attempt to create a duplicate trail while the original is still in progress, as this can cause conflicts.
Event Configuration Not Taking Effect
Problem: You configured specific event types (management events, data events, insight events, or network activity events) for your trail, but the events are not being captured as expected.
Cause: Event configuration depends on the correct selectors and settings. Misconfigured event selectors can result in events not being captured.
Solution:
- Navigate to the trail detail page and review the event configuration.
- For management events, verify:
  - Management events are enabled for the trail.
  - The read/write type filter is set correctly (ReadOnly, WriteOnly, or All).
- For data events, verify:
  - The correct resource types are selected (e.g., S3 objects, Lambda functions).
  - The resource selectors are not overly restrictive.
- For insight events, verify:
  - Insights are enabled for the trail.
  - The management events source is generating enough activity for insights to trigger.
- For network activity events, verify:
  - Network activity event selectors are configured with the correct event sources (e.g., ec2.amazonaws.com, s3.amazonaws.com).
  - The event sources match the AWS services you want to monitor.
- After making changes to event configuration, the trail may take a few minutes to start capturing events with the new settings.
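As an added example (not part of the Prism documentation), the function below evaluates a management or data event against a trail's classic event selectors, in the shape CloudTrail's GetEventSelectors returns, and explains why the event would not be captured. The selector values are constructed samples, and the code follows CloudTrail's prefix matching for S3 and Lambda data resource values.

```python
# Constructed sample in the shape of CloudTrail's classic event selectors (not from the page):
# the trail keeps management events but filters them to reads, and selects data events for
# objects in a single S3 bucket only.
SAMPLE_SELECTORS = [{
    "ReadWriteType": "ReadOnly",
    "IncludeManagementEvents": True,
    "DataResources": [
        {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::example-org-app-data/"]},
    ],
}]

def _rw_allows(rw_type, read_only):
    # ReadWriteType applies to every event the selector captures: All, ReadOnly or WriteOnly.
    return rw_type == "All" or (rw_type == "ReadOnly") == read_only

def explain_uncaptured_event(selectors, category, read_only, resource_type=None, resource_arn=None):
    # Returns [] when some selector captures the event; otherwise one reason per selector that
    # rejects it. `category` is "Management" or "Data"; data events also need type and ARN.
    if not selectors:
        return ["trail has no event selectors"]
    reasons = []
    for i, sel in enumerate(selectors):
        rw = sel.get("ReadWriteType", "All")
        kind = "read" if read_only else "write"
        if category == "Management":
            if not sel.get("IncludeManagementEvents", False):
                reasons.append(f"selector {i}: management events are not enabled")
            elif not _rw_allows(rw, read_only):
                reasons.append(f"selector {i}: ReadWriteType={rw} drops {kind} events")
            else:
                return []
        elif category == "Data":
            # S3 and Lambda data resource values are prefix-matched against the resource ARN.
            covered = [r for r in sel.get("DataResources", [])
                       if r.get("Type") == resource_type
                       and any(resource_arn.startswith(v) for v in r.get("Values", []))]
            if not covered:
                reasons.append(f"selector {i}: no {resource_type} data resource covers {resource_arn}")
            elif not _rw_allows(rw, read_only):
                reasons.append(f"selector {i}: ReadWriteType={rw} drops {kind} events")
            else:
                return []
    return reasons
```

Running it with a write management event against the sample returns a single reason pointing at the ReadOnly filter, which is the "read/write type filter" check in the list above.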
Cannot Access CloudTrail
Problem: You cannot access the CloudTrail feature, or you see an "Access Denied" error.
Cause: CloudTrail access is controlled by a per-user toggle in the Admin Portal. Your administrator may not have enabled CloudTrail access for your account.
Solution:
- Contact your Prism administrator and ask them to enable CloudTrail access for your account.
- The administrator can toggle CloudTrail access in Preferences > Admin Management.
- After the toggle is enabled, log out and log back in for the change to take effect.
- CloudTrail access is independent of the Viewer/Approver/SSO Admin/Admin role hierarchy. Any role can access CloudTrail if the toggle is enabled.
Still Having Issues?
If none of the above solutions resolve your CloudTrail setup problem:
- Check the trail detail page for per-account error messages, which often provide specific guidance.
- Verify that your AWS accounts are properly onboarded in the Admin Portal under AWS Accounts.
- Contact CloudKeeper support with your realm name, trail name, and the specific error messages you are seeing.