In a single-account environment, CloudTrail logs stay in that account. In a multi-account environment, logs scattered across dozens of accounts make investigation impractical — to determine whether a specific EC2 instance was launched by a particular IAM principal, you'd need to log into each account and query separately. Centralized CloudTrail logging collects all logs into a single location for unified querying and analysis.
Centralization also provides a critical security property: audit logs stored in a separate, locked-down account are much harder for a compromised account's attacker to tamper with. An attacker who compromises the production account can try to delete CloudTrail logs in that account, but cannot delete logs already shipped to the Log Archive account.
Architecture: Centralized Log Archive Account
The standard architecture uses a dedicated Log Archive account that receives CloudTrail logs from all other accounts. The Log Archive account is:
- Not used for any workloads; it exists solely for log storage and retention
- Restricted to very limited human access, typically only the security or compliance team, with MFA required
- Protected by S3 Object Lock on the CloudTrail bucket (WORM mode) to prevent log deletion
- Enrolled in AWS Organizations, with the most restrictive SCPs of any account
AWS Control Tower and AWS Landing Zone Reference Architecture both create a Log Archive account as a foundational element. If you're implementing centralized logging without Control Tower, create the Log Archive account manually and apply the appropriate protections before configuring CloudTrail delivery.
Configuring Organization-Level CloudTrail
AWS Organizations enables an organization-level CloudTrail trail that automatically covers all current and future member accounts. Create the organization trail from the management account:
aws cloudtrail create-trail --name organization-audit-trail --s3-bucket-name org-cloudtrail-logs-bucket --include-global-service-events --is-multi-region-trail --enable-log-file-validation --is-organization-trail --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:CloudTrailLogs:* --cloud-watch-logs-role-arn arn:aws:iam::123456789012:role/[cloudtrail-to-cloudwatch-logs-role]
The --is-organization-trail flag automatically enrolls all accounts in the organization. New accounts added to the organization automatically start sending logs to the centralized trail. The trail includes all regions and global services (IAM, STS, CloudFront) in a single configuration. The CloudWatch Logs options go together: when you pass a log group ARN you must also pass the ARN of the IAM role CloudTrail assumes to write to that group, otherwise the call is rejected.
S3 Bucket Configuration for Centralized Logs
The centralized CloudTrail bucket in the Log Archive account needs a bucket policy that allows all organization member accounts to write logs:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::org-cloudtrail-logs-bucket"
    },
    {
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::org-cloudtrail-logs-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceOrgID": "o-xxxxxxxxxxxx",
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
The aws:SourceOrgID condition restricts writes to CloudTrail services acting on behalf of accounts in your specific organization — preventing other organizations' CloudTrail from writing to your bucket.
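As an added check (not code from this page or from AWS), a small Python audit of the bucket policy above: it parses the policy JSON and reports if the CloudTrail PutObject grant lacks the aws:SourceOrgID pin, the bucket-owner-full-control ACL condition, or the AWSLogs/ prefix restriction. The org ID and bucket name are the page's placeholders; the policy is embedded as constructed sample input rather than fetched from S3.

```python
import json
# Constructed sample input: the Log Archive bucket policy shown above (org ID is
# a placeholder). In practice, fetch it with s3.get_bucket_policy()["Policy"].
ORG_ID = "o-xxxxxxxxxxxx"
BUCKET = "org-cloudtrail-logs-bucket"
PAGE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
  "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::org-cloudtrail-logs-bucket"},
 {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
  "Action": "s3:PutObject", "Resource": "arn:aws:s3:::org-cloudtrail-logs-bucket/AWSLogs/*",
  "Condition": {"StringEquals": {"aws:SourceOrgID": "o-xxxxxxxxxxxx",
                                 "s3:x-amz-acl": "bucket-owner-full-control"}}}]}""")

def _as_list(v):
    # Policy elements may be a single string or a list; normalize to a list.
    return v if isinstance(v, list) else [v]

def check_cloudtrail_bucket_policy(policy, bucket=BUCKET, org_id=ORG_ID):
    """Return findings; an empty list means the policy has what this page requires."""
    findings, saw_acl, saw_put = [], False, False
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        # Only Allow statements granted to the CloudTrail service principal matter here.
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if principal.get("Service") != "cloudtrail.amazonaws.com":
            continue
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        if "s3:GetBucketAcl" in actions and f"arn:aws:s3:::{bucket}" in resources:
            saw_acl = True
        if "s3:PutObject" in actions:
            saw_put = True
            cond = st.get("Condition", {}).get("StringEquals", {})
            if cond.get("aws:SourceOrgID") != org_id:
                findings.append("PutObject not pinned to this organization via aws:SourceOrgID")
            if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append("PutObject does not require the bucket-owner-full-control ACL")
            if not all(r.startswith(f"arn:aws:s3:::{bucket}/AWSLogs/") for r in resources):
                findings.append("PutObject resource is wider than the AWSLogs/ prefix")
    if not saw_acl:
        findings.append("no s3:GetBucketAcl grant for cloudtrail.amazonaws.com")
    if not saw_put:
        findings.append("no s3:PutObject grant for cloudtrail.amazonaws.com")
    return findings

def weakened_policy():
    """Same policy with the org pin dropped: any organization's CloudTrail could write."""
    weak = json.loads(json.dumps(PAGE_POLICY))
    del weak["Statement"][1]["Condition"]["StringEquals"]["aws:SourceOrgID"]
    return weak
```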
Log File Integrity Validation
Enable log file integrity validation on all CloudTrail trails. Integrity validation creates cryptographic digest files that chain together — a tampered or deleted log file breaks the chain, providing evidence of tampering. For compliance and forensics purposes, integrity validation is the difference between "logs that might have been modified" and "logs with verified authenticity."
The validate-logs CLI command checks integrity: aws cloudtrail validate-logs --trail-arn [trail-arn] --start-time [start-time]. Run this as part of your compliance evidence collection process before submitting audit artifacts.
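The digest chain described above, as an added illustration (not CloudTrail's own verifier): each digest file lists the SHA-256 of every log file it covers and the SHA-256 of the previous digest file, so a modified or deleted log file, or a removed digest, shows up as a break. The log bodies, object keys and digest documents below are constructed sample data; the RSA signature over each digest (stored as object metadata) is not checked here, which is the part validate-logs adds.

```python
import hashlib
import json

# Constructed sample data standing in for objects in the Log Archive bucket: two
# log files and two digest files that reference them (subset of real digest fields).
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

LOG_A = b'{"Records":[{"eventName":"ConsoleLogin","awsRegion":"us-east-1"}]}'
LOG_B = b'{"Records":[{"eventName":"RunInstances","awsRegion":"us-east-1"}]}'

def make_digest(log_objects, previous_digest_bytes):
    """Build a digest document in the shape CloudTrail writes (hash fields only)."""
    return json.dumps({
        "digestSignatureAlgorithm": "SHA256withRSA",  # signature itself not modelled here
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_digest_bytes) if previous_digest_bytes else None,
        "logFiles": [{"s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(body)}
                     for key, body in log_objects.items()],
    }).encode()

# Constructed object keys (placeholder org ID and account ID).
OBJECTS = {"AWSLogs/o-xxxxxxxxxxxx/111111111111/CloudTrail/us-east-1/2026/07/01/a.json": LOG_A,
           "AWSLogs/o-xxxxxxxxxxxx/111111111111/CloudTrail/us-east-1/2026/07/01/b.json": LOG_B}
DIGEST_1 = make_digest({k: OBJECTS[k] for k in list(OBJECTS)[:1]}, None)
DIGEST_2 = make_digest({k: OBJECTS[k] for k in list(OBJECTS)[1:]}, DIGEST_1)

def verify_chain(digests, objects):
    """Walk digests oldest to newest; return a list of problems (empty means chain intact)."""
    problems, prev = [], None
    for i, raw in enumerate(digests):
        d = json.loads(raw)
        # Each digest commits to the previous digest file's hash, linking the chain.
        if i > 0 and d["previousDigestHashValue"] != sha256_hex(prev):
            problems.append(f"digest {i}: previousDigestHashValue does not match digest {i - 1}")
        for lf in d["logFiles"]:
            body = objects.get(lf["s3Object"])
            if body is None:
                problems.append(f"digest {i}: {lf['s3Object']} missing (deleted?)")
            elif sha256_hex(body) != lf["hashValue"]:
                problems.append(f"digest {i}: {lf['s3Object']} hash mismatch (modified?)")
        prev = raw
    return problems
```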
Querying Centralized Logs with Athena
Centralized logs in S3 are most useful when queryable across the full organization. Set up Athena with a table over the organization CloudTrail bucket. Partition the table by account ID and date for efficient queries that don't scan all logs for every query:
SELECT eventtime, eventname, useridentity.arn, sourceipaddress, recipientaccountid
FROM cloudtrail_logs
WHERE eventname = 'ConsoleLogin'
AND year = '2026'
AND month = '07'
AND sourceipaddress NOT IN ('1.2.3.4', '5.6.7.8') -- office IPs
ORDER BY eventtime DESC
LIMIT 100;
This query finds console logins across all accounts in the organization from IPs outside your office network — a useful daily security review query.
Related Reading
- CloudTrail best practices — foundational CloudTrail configuration
- CloudTrail organization trails — organization-level trail management
- AWS Organizations best practices — the organizational structure that enables centralized logging
- CloudTrail forensic analysis — investigation techniques using centralized logs
FAQ
Should I have one trail per account or an organization trail?
For most organizations, an organization trail, plus account-level trails only for account-specific use cases. The organization trail provides centralized visibility across all accounts. Account-level trails may still be needed for higher log detail (data events for specific S3 buckets) or to deliver logs to an account-specific destination (an account-level security tool that expects logs in the same account). The costs overlap: CloudTrail charges per event once, regardless of how many trails receive the event.
How do you prevent log tampering if an account is compromised?
Centralization is the primary protection — logs shipped to the Log Archive account can't be deleted by actions in the source account. S3 Object Lock in the Log Archive account prevents deletion even from the Log Archive account's root user during the lock period. CloudTrail log integrity validation detects if logs were modified between creation and analysis. The combination makes log evidence forensically defensible.
What's the cost of organization-level CloudTrail logging?
CloudTrail charges per 100,000 management events delivered ($2.00 per 100,000 after the first trail in each account, which is free). Data events (S3 object-level, Lambda invocations) cost extra ($0.10 per 100,000). For most organizations, management events are the primary log volume — data events should be selectively enabled only for critical resources due to volume and cost. S3 storage for centralized logs costs standard S3 rates, typically a few dollars per account per month.
Written by Viktor B.
Co-founder & CEO