Choose your Cloud Detections for AWS CloudTrail deployment option

Standard single account deployment

• You have a single AWS account
• You want to monitor CloudTrail logs for one specific account
• You are not using AWS Control Tower

Control Tower deployment

• You have multiple AWS accounts managed through AWS Control Tower
• You want centralized threat detection across all accounts in your organization
• You need to monitor CloudTrail logs from multiple accounts in one place

• Monitor all AWS accounts within your Control Tower environment from a single connection
• Centralized visibility into threats across your entire AWS organization
• Simplified management for multi-account environments

Log Archive account connection

Connect directly to the AWS Log Archive account where Control Tower stores logs. This is the most common Control Tower deployment method.

For setup instructions, see Enable Cloud Detections for Control Tower (Log Archive account).

Audit account connection

Connect through an AWS Audit account that replicates logs from the Log Archive account. Use this option when you have an audit account configured to monitor and collect logs from your Log Archive account.

For setup instructions, see Enable Cloud Detections for Control Tower (Audit account).

Note Control Tower deployment requires CloudFormation. Terraform is not supported for Control Tower deployments.