Ensure that only one trail within a CloudTrail multi-region logging configuration has Include Global Services feature enabled in order to avoid duplicate log events being recorded for the AWS global services such as IAM, STS or Cloudfront.
When you have multiple single region trails created in your AWS account, the events recorded for certain global services such as Identity and Access Management (IAM) are duplicated in the logs as each region trail writes the same IAM events to the CloudTrail aggregated log. In order to prevent this duplication, the Include Global Services feature must be enabled for one trail only and disabled for all other trails from other regions that write to the same CloudTrail log. Note: this guide assumes that you have multiple single region trails (multi-region configuration) already available in your AWS account.
To determine if more than one single region trail has Include Global Services feature enabled, perform the following:
To disable API tracking for AWS global services in the subsequent single region trails, perform the following: