Without an organization trail, every AWS account in your organization maintains its own CloudTrail configuration. Some accounts may have trails properly configured. Others may have no trail at all — a compliance gap discovered only during an audit or an incident investigation. An organization trail solves the coverage problem: created once in the management account, it captures management events from every member account automatically, including accounts added after the trail is created.
This guide covers the organization trail setup process, the S3 bucket configuration required for cross-account log delivery, CloudWatch Logs integration for real-time alerting, Athena setup for cross-account querying, and the specific security configuration that protects the centralized logs from tampering.
Creating the Organization Trail
Organization trails can only be created from the AWS Organizations management account or a delegated administrator account. From the CloudTrail console, select "Create trail," check "Enable for all accounts in my organization," and configure a centralized S3 bucket as the delivery destination. The trail will automatically create a sub-path for each member account under the configured S3 prefix.
Choose "All regions" for trail coverage. Single-region trails for organization-level audit logging create immediate coverage gaps — any API call in a region not covered by the trail is invisible to your centralized investigation capability. The incremental cost of all-region coverage versus single-region is typically small; the coverage benefit is complete.
Enable log file validation. CloudTrail's digest files provide cryptographic proof that log files have not been modified since delivery. Without log file validation, there is no automated way to detect log tampering — a gap that attackers who compromise your environment exploit to cover their tracks.
S3 Bucket Configuration for Cross-Account Delivery
The S3 bucket receiving organization trail logs requires a specific bucket policy that allows CloudTrail to deliver logs from all organization member accounts. The policy must grant s3:GetBucketAcl and s3:PutObject permissions to the CloudTrail service principal (cloudtrail.amazonaws.com) with conditions that restrict delivery to your organization ID (aws:SourceOrgID).
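The policy described above, as an added example that is not the page's or Vigilare's own code: the expected delivery policy expressed as a Python dict, with a hypothetical audit_cloudtrail_bucket_policy helper that flags any Allow statement missing the organization condition or the bucket-owner ACL requirement. Bucket name and organization ID are constructed placeholders.

```python
# Constructed sample values; substitute your bucket name and organization ID.
BUCKET = "example-org-cloudtrail-logs"
ORG_ID = "o-exampleorgid"
CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}

# Expected policy: an ACL check on the bucket and PutObject only under AWSLogs/<org-id>/,
# both limited to the CloudTrail service principal acting for this organization.
ORG_TRAIL_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringEquals": {"aws:SourceOrgID": ORG_ID}}},
        {"Sid": "AWSCloudTrailOrganizationWrite", "Effect": "Allow", "Principal": CLOUDTRAIL,
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ORG_ID}/*",
         "Condition": {"StringEquals": {"aws:SourceOrgID": ORG_ID,
                                        "s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_cloudtrail_bucket_policy(policy, bucket, org_id, extra_prefixes=()):
    """Return findings for Allow statements that weaken the delivery policy.

    Empty list: every Allow is scoped to CloudTrail and to this organization, and
    PutObject requires bucket-owner-full-control under an expected log prefix.
    extra_prefixes covers any other path the trail writes, e.g. AWSLogs/<mgmt-account>/.
    """
    prefixes = (f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/",) + tuple(extra_prefixes)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements (e.g. requiring TLS) only tighten the policy
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Principal") != CLOUDTRAIL:  # covers "*" and any IAM principal
            findings.append(f"{sid}: Allow for a principal other than CloudTrail")
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceOrgID") != org_id:
            findings.append(f"{sid}: not restricted to organization {org_id}")
        if "s3:PutObject" in _as_list(stmt.get("Action")):
            if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: PutObject without bucket-owner-full-control")
            if any(not r.startswith(prefixes) for r in _as_list(stmt.get("Resource"))):
                findings.append(f"{sid}: PutObject allowed outside the log prefixes")
    return findings
```

Run the audit against the policy returned by get-bucket-policy on the logging bucket; any finding is a drift from the expected delivery-only configuration.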
Place the logging bucket in a dedicated logging account — not the management account and not any account whose CloudTrail logs it stores. A dedicated logging account with SCPs that prevent modification of the CloudTrail bucket provides the strongest protection against log tampering. Even if a member account is compromised, the attacker cannot reach the logging account to delete their tracks.
Enable S3 Versioning and S3 Object Lock in Compliance mode on the logging bucket. Object Lock with Compliance mode prevents any deletion of log objects — including by the root account — within the retention period you configure. Set the retention period to match your compliance requirements: typically 12 months for security auditing, up to 7 years for financial regulatory requirements.
CloudWatch Logs Integration
Organization trails can deliver logs to CloudWatch Logs, but only to a log group in the management account, in the management account's home region. For member account alerting — detecting root logins or security group changes in specific member accounts — you typically need per-account CloudWatch Logs integration alongside the organization trail.
A practical architecture: use the organization trail for centralized S3 delivery and cross-account Athena querying, and deploy per-account trails (via CloudFormation StackSets) that deliver to CloudWatch Logs in each account for real-time alerting. The per-account trails capture management events in CloudWatch Logs for EventBridge/CloudWatch alarm integration, while the organization trail captures the same events centrally for investigation and compliance.
Querying Cross-Account Logs with Athena
Organization trail log delivery creates per-account subdirectories under your S3 prefix: s3://your-logging-bucket/AWSLogs/o-{org-id}/{accountId}/CloudTrail/{region}/{year}/{month}/{day}/. An Athena table with partition projection on account, region, year, month, and day allows queries that span all accounts or filter to specific accounts efficiently.
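The partition-projection setup for this layout, as an added example that is not the page's or Vigilare's own code: the TBLPROPERTIES for projecting account_id, region and dt, plus a hypothetical resolves check that a delivered object key maps back through the storage.location.template. Bucket, organization ID and account IDs are constructed; the table's column definitions are the standard CloudTrail ones from AWS documentation and are not repeated here.

```python
import re
from string import Template
# Constructed sample values; substitute your own bucket, organization and accounts.
BUCKET = "example-org-cloudtrail-logs"
ORG_ID = "o-exampleorgid"
ACCOUNTS = ["111111111111", "222222222222"]
REGIONS = ["us-east-1", "eu-west-1"]

# Delivered keys: AWSLogs/<org-id>/<account>/CloudTrail/<region>/<yyyy>/<MM>/<dd>/<file>.json.gz
KEY_RE = re.compile(
    r"^AWSLogs/o-[a-z0-9]+/(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/(?P<dt>\d{4}/\d{2}/\d{2})/[^/]+\.json\.gz$"
)

def projection_properties(bucket, org_id, accounts, regions, start_date):
    """TBLPROPERTIES for partition projection over account_id, region and dt."""
    return {
        "projection.enabled": "true",
        "projection.account_id.type": "enum",
        "projection.account_id.values": ",".join(accounts),
        "projection.region.type": "enum",
        "projection.region.values": ",".join(regions),
        "projection.dt.type": "date",
        "projection.dt.range": f"{start_date},NOW",
        "projection.dt.format": "yyyy/MM/dd",
        "projection.dt.interval": "1",
        "projection.dt.interval.unit": "DAYS",
        "storage.location.template":
            f"s3://{bucket}/AWSLogs/{org_id}/${{account_id}}/CloudTrail/${{region}}/${{dt}}",
    }

def partition_for_key(key):
    """Map a delivered object key to its (account_id, region, dt) partition, else None."""
    m = KEY_RE.match(key)  # digest files sit under CloudTrail-Digest/ and do not match
    return (m["account"], m["region"], m["dt"]) if m else None

def resolves(props, bucket, key):
    """True if the projected partition for this key points at the key's directory."""
    parts = partition_for_key(key)
    if parts is None:
        return False
    account_id, region, dt = parts
    if account_id not in props["projection.account_id.values"].split(","):
        return False  # account missing from the enum: Athena would never scan it
    if region not in props["projection.region.values"].split(","):
        return False
    # Athena's ${name} placeholders match Python's string.Template syntax.
    location = Template(props["storage.location.template"]).substitute(
        account_id=account_id, region=region, dt=dt)
    return f"s3://{bucket}/{key}".startswith(location + "/")
```

Because the account enum is static, add new member accounts to projection.account_id.values (or generate it from the organization's account list) or their logs are silently excluded from queries.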
Create the Athena table in the logging account, not the management account. The querying principal needs s3:GetObject access to the logging bucket — grant this to auditor roles rather than broad account access. Queries run from the logging account that span every member account's logs are straightforward with the right IAM configuration.
Cost Considerations
Organization trails charge for the additional copies of management events from member accounts (the first copy of management events per region is free per account; organization trail copies charge $2 per 100,000 events). For an organization with many accounts and high API call volumes, this cost can be significant. Monitor CloudTrail cost per account in Cost Explorer and investigate any account with unexpectedly high event volumes — which may indicate either unusual operational activity or a logging configuration issue.
Related Reading
- CloudTrail best practices — complete audit logging configuration
- Multi-account monitoring — unified visibility across your AWS Organization
- CloudTrail log analysis — Athena queries for security investigation
FAQ
Does an organization trail replace the need for per-account trails?
No. An organization trail delivers to S3 and supports CloudWatch Logs integration only in the management account region. For real-time alerting in member accounts via CloudWatch metric filters and alarms, you still need per-account trails delivering to CloudWatch Logs in each account and region. Think of the organization trail as the centralized archive and per-account trails as the real-time detection layer.
Can member accounts opt out of organization trail logging?
No. Organization trails created in the management account apply to all member accounts and cannot be disabled by member account administrators. This is a deliberate design — the audit trail's integrity requires that accounts cannot selectively remove themselves from logging. Member accounts can see the organization trail in their CloudTrail console but cannot modify or delete it.
How do I give my security team access to query organization trail logs?
Create an IAM role in the logging account with read-only access to the CloudTrail S3 bucket and Athena query permissions. Security team members can assume this role via a cross-account trust policy from their primary account. Alternatively, use AWS IAM Identity Center (SSO) to provision the security team with direct access to the logging account with read-only permissions.
Written by Vigilare Engineering
Platform Team