# Logging API calls with AWS CloudTrail for AWS Organizations
AWS Organizations is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Organizations. CloudTrail captures all API calls for AWS Organizations as events, including calls from the AWS Organizations console and from code calls to the AWS Organizations APIs. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for AWS Organizations. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to AWS Organizations, the IP address it was made from, who made it, when it was made, and additional details.
To learn more about CloudTrail, see the *AWS CloudTrail User Guide*.
**Important**
You can view all CloudTrail information for AWS Organizations only in the US East (N. Virginia) Region. If you don't see your AWS Organizations activity in the CloudTrail console, set your console to **US East (N. Virginia)** using the menu in the upper-right corner. If you query CloudTrail with the AWS CLI or SDK tools, direct your query to the US East (N. Virginia) endpoint.
## AWS Organizations information in CloudTrail
CloudTrail is enabled on your AWS account when you create the account. When activity occurs in AWS Organizations, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
For an ongoing record of events in your AWS account, including events for AWS Organizations, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. When CloudTrail logging is enabled in your AWS account, API calls made to AWS Organizations actions are tracked in CloudTrail log files, where they are written with other AWS service records. You can configure other AWS services to further analyze and act on the event data collected in CloudTrail logs. For more information, see the following:
+ [Overview for Creating a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail Supported Services and Integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS Notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
All AWS Organizations actions are logged by CloudTrail and are documented in the [AWS Organizations API Reference](https://docs.aws.amazon.com/organizations/latest/APIReference/). For example, calls to `CreateAccount` (including the `CreateAccountResult` event), `ListHandshakesForAccount`, `CreatePolicy`, and `InviteAccountToOrganization` generate entries in the CloudTrail log files.
Every log entry contains information about who generated the request. The user identity information in the log entry helps you determine the following:
+ Whether the request was made with root user or IAM user credentials
+ Whether the request was made with temporary security credentials for an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) or a [federated user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html)
+ Whether the request was made by another AWS service
For more information, see the [CloudTrail userIdentity Element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
**Note**
CloudTrail will log events in the account that takes a given action (i.e. in member account rather than management account if member account took the action). For example, a member account leaving an organization will be logged in member account trail, and a management account removing a member account will be logged in management account trail.
## Understanding AWS Organizations log file entries
A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.
### Example log entries: CloseAccount
The following example shows a CloudTrail log entry for a sample `CloseAccount` call that is generated when the API is called and the workflow to close the account starts processing in the background.
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAMVNPBQA3EXAMPLE:my-admin-role",
"arn": "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AIDAMVNPBQA3EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/my-admin-role",
"accountId": "111122223333",
"userName": "my-session-id"
},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2022-03-18T18:17:06Z"
}
}
},
"eventTime": "2022-03-18T18:17:06Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CloseAccount",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.168.0.1",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
"requestParameters": {
"accountId": "555555555555"
},
"responseElements": null,
"requestID": "e28932f8-d5da-4d7a-8238-ef74f3d5c09a",
"eventID": "19fe4c10-f57e-4cb7-a2bc-6b5c30233592",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management"
}
```
The following example shows a CloudTrail log entry for a `CloseAccountResult` call after the background workflow to close the account successfully completes.
```
{
"eventVersion": "1.08",
"userIdentity": {
"accountId": "111122223333",
"invokedBy": "organizations.amazonaws.com"
},
"eventTime": "2022-03-18T18:17:06Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CloseAccountResult",
"awsRegion": "us-east-1",
"sourceIPAddress": "organizations.amazonaws.com",
"userAgent": "organizations.amazonaws.com",
"requestParameters": null,
"responseElements": null,
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"readOnly": false,
"eventType": "AwsServiceEvent",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "111122223333",
"serviceEventDetails": {
"closeAccountStatus": {
"accountId": "555555555555",
"state": "SUCCEEDED",
"requestedTimestamp": "Mar 18, 2022 6:16:58 PM",
"completedTimestamp": "Mar 18, 2022 6:16:58 PM"
}
},
"eventCategory": "Management"
}
```
### Example log entries: CreateAccount
The following example shows a CloudTrail log entry for a sample `CreateAccount` call that is generated when the API is called and the workflow to create the account starts processing in the background.
```
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAMVNPBQA3EXAMPLE:my-admin-role",
"arn": "arn:aws:sts::111122223333:assumed-role/my-admin-role/my-session-id",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AIDAMVNPBQA3EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/my-admin-role",
"accountId": "111122223333",
"userName": "my-session-id"
},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2020-09-16T21:16:45Z"
}
}
},
"eventTime": "2018-06-21T22:06:27Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CreateAccount",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.168.0.1",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)...",
"requestParameters": {
"tags": [],
"email": "****",
"accountName": "****"
},
"responseElements": {
"createAccountStatus": {
"accountName": "****",
"state": "IN_PROGRESS",
"id": "car-examplecreateaccountrequestid111",
"requestedTimestamp": "Sep 16, 2020 9:20:50 PM"
}
},
"requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventType": "AwsApiCall",
"recipientAccountId": "111111111111"
}
```
The following example shows a CloudTrail log entry for a `CreateAccount` call after the background workflow to create the account successfully completes.
```
{
"eventVersion": "1.05",
"userIdentity": {
"accountId": "111122223333",
"invokedBy": "..."
},
"eventTime": "2020-09-16T21:20:53Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CreateAccountResult",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "....",
"requestParameters": null,
"responseElements": null,
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"readOnly": false,
"eventType": "AwsServiceEvent",
"recipientAccountId": "111122223333",
"serviceEventDetails": {
"createAccountStatus": {
"id": "car-examplecreateaccountrequestid111",
"state": "SUCCEEDED",
"accountName": "****",
"accountId": "444455556666",
"requestedTimestamp": "Sep 16, 2020 9:20:50 PM",
"completedTimestamp": "Sep 16, 2020 9:20:53 PM"
}
}
}
```
The following example shows a CloudTrail log entry that is generated after a `CreateAccount` background workflow fails to create the account.
```
{
"eventVersion": "1.06",
"userIdentity": {
"accountId": "111122223333",
"invokedBy": "AWS Internal"
},
"eventTime": "2018-06-21T22:06:27Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CreateAccountResult",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": null,
"responseElements": null,
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"readOnly": false,
"eventType": "AwsServiceEvent",
"recipientAccountId": "111122223333",
"serviceEventDetails": {
"createAccountStatus": {
"id": "car-examplecreateaccountrequestid111",
"state": "FAILED",
"accountName": "****",
"failureReason": "EMAIL_ALREADY_EXISTS",
"requestedTimestamp": Jun 21, 2018 10:06:27 PM,
"completedTimestamp": Jun 21, 2018 10:07:15 PM
}
}
}
```
### Example log entry: CreateOrganizationalUnit
The following example shows a CloudTrail log entry for a sample `CreateOrganizationalUnit` call.
```
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAMVNPBQA3EXAMPLE",
"arn": "arn:aws:iam::111111111111:user/diego",
"accountId": "111111111111",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "diego"
},
"eventTime": "2017-01-18T21:40:11Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "CreateOrganizationalUnit",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
"requestParameters": {
"name": "OU-Developers-1",
"parentId": "r-a1b2"
},
"responseElements": {
"organizationalUnit": {
"arn": "arn:aws:organizations::111111111111:ou/o-aa111bb222/ou-examplerootid111-exampleouid111",
"id": "ou-examplerootid111-exampleouid111",
"name": "test-cloud-trail",
"path": "o-aa111bb222/r-a1b2/ou-examplerootid111-exampleouid111/"
}
},
"requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventType": "AwsApiCall",
"recipientAccountId": "111111111111"
}
```
### Example log entry: InviteAccountToOrganization
The following example shows a CloudTrail log entry for a sample `InviteAccountToOrganization` call.
```
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAMVNPBQA3EXAMPLE",
"arn": "arn:aws:iam::111111111111:user/diego",
"accountId": "111111111111",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "diego"
},
"eventTime": "2017-01-18T21:41:17Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "InviteAccountToOrganization",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
"requestParameters": {
"notes": "This is a request for Mary's account to join Diego's organization.",
"target": {
"type": "ACCOUNT",
"id": "111111111111"
}
},
"responseElements": {
"handshake": {
"requestedTimestamp": "Jan 18, 2017 9:41:16 PM",
"state": "OPEN",
"arn": "arn:aws:organizations::111111111111:handshake/o-aa111bb222/invite/h-examplehandshakeid111",
"id": "h-examplehandshakeid111",
"parties": [
{
"type": "ORGANIZATION",
"id": "o-aa111bb222"
},
{
"type": "ACCOUNT",
"id": "222222222222"
}
],
"action": "invite",
"expirationTimestamp": "Feb 2, 2017 9:41:16 PM",
"resources": [
{
"resources": [
{
"type": "MASTER_EMAIL",
"value": "diego@example.com"
},
{
"type": "MASTER_NAME",
"value": "Management account for organization"
},
{
"type": "ORGANIZATION_FEATURE_SET",
"value": "ALL"
}
],
"type": "ORGANIZATION",
"value": "o-aa111bb222"
},
{
"type": "ACCOUNT",
"value": "222222222222"
},
{
"type": "NOTES",
"value": "This is a request for Mary's account to join Diego's organization."
}
]
}
},
"requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventType": "AwsApiCall",
"recipientAccountId": "111111111111"
}
```
### Example log entry: AttachPolicy
The following example shows a CloudTrail log entry for a sample `AttachPolicy` call. The response indicates that the call failed because the requested policy type isn't enabled in the root where the request to attach was attempted.
```
{
"eventVersion": "1.06",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAMVNPBQA3EXAMPLE",
"arn": "arn:aws:iam::111111111111:user/diego",
"accountId": "111111111111",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "diego"
},
"eventTime": "2017-01-18T21:42:44Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "AttachPolicy",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36",
"errorCode": "PolicyTypeNotEnabledException",
"errorMessage": "The given policy type ServiceControlPolicy is not enabled on the current view",
"requestParameters": {
"policyId": "p-examplepolicyid111",
"targetId": "ou-examplerootid111-exampleouid111"
},
"responseElements": null,
"requestID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"eventType": "AwsApiCall",
"recipientAccountId": "111111111111"
}
```
### Example log entry: Invalid effective policy
The following example shows a CloudTrail log entry for a sample `EffectivePolicyValidation` event. This event is emitted to the management account of the organization whenever an update in the organization creates an invalid effective policy on any account.
```
{
"eventVersion": "1.11",
"userIdentity": {
"accountId": "111122223333",
"invokedBy": "AWS Internal"
},
"eventTime": "2025-07-17T14:53:40Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "EffectivePolicyValidation",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": null,
"responseElements": null,
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"readOnly": true,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "111111111111",
"serviceEventDetails": {
"accountId": "111111111111",
"policyType": "BACKUP_POLICY",
"state": "INVALID",
"requestTimestamp": "Jul 17, 2025, 2:53:40 PM",
"info": "All validation errors listed",
"validationErrors": [
{
"accountPath": "o-aa111bb222/r-a1b2/111111111111/",
"evaluationTimestamp": "Jul 17, 2025, 2:53:40 PM",
"errorCode": "ELEMENTS_TOO_MANY",
"errorMessage": "'hourly_rule' exceeds the allowed maximum limit 10",
"pathToError": "plans/hourly-backup/rules/hourly_rule",
"contributingPolicies": [
"p-examplepolicyid111"
]
}
]
},
"eventCategory": "Management"
}
```
### Example log entry: Valid effective policy
The following example shows a CloudTrail log entry for a sample `EffectivePolicyValidation` event. This event is emitted to the management account of the organization whenever an update in the organization fixes an effective policy on an account which was invalid previously.
```
{
"eventVersion": "1.11",
"userIdentity": {
"accountId": "111111111111",
"invokedBy": "AWS Internal"
},
"eventTime": "2025-07-17T14:54:40Z",
"eventSource": "organizations.amazonaws.com",
"eventName": "EffectivePolicyValidation",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": null,
"responseElements": null,
"eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE",
"readOnly": true,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "111111111111",
"serviceEventDetails": {
"accountId": "111111111111",
"policyType": "BACKUP_POLICY",
"state": "VALID",
"requestTimestamp": "Jul 17, 2025, 2:54:40 PM",
"info": "Previous effective policy validation error(s) resolved for this account/policyType"
},
"eventCategory": "Management"
}
```