How it works…

This template will set up CloudTrail with the following configuration:

  • CloudTrail will be turned on for all regions in your account. This is a sensible place to start because it gives you visibility over where your AWS resources are being created. Even if you are the sole user of your AWS account, it can be handy to know if you are making API calls to other regions by mistake (it's easy to do). When you create a multi-region trail, new regions will automatically be included when they come online with no additional effort on your part.
  • Global service events will also be logged. Again, this is a sensible default because it includes services that aren't region-specific. CloudFront and IAM are two examples of AWS services that aren't region-specific.
  • Log file validation is turned on. With this feature enabled, CloudTrail delivers a digest file every hour that you can use to determine whether your CloudTrail logs have been tampered with. CloudTrail hashes the log files with SHA-256 and signs the digest with RSA. The AWS CLI can be used to perform ad hoc validation of CloudTrail logs. For a quick view of your CloudTrail logs with some basic search and filter functionality, you can head to the AWS web console.
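The three settings described above map directly onto properties of the `AWS::CloudTrail::Trail` resource. The following CloudFormation template is an added example written for this page, not the book's own template: it creates a log bucket, the bucket policy CloudTrail requires in order to write to it, and a multi-region trail with global service events and log file validation enabled. The trail name and the extra bucket hardening (versioning, public-access block) are assumptions, not settings the page specifies.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Multi-region CloudTrail with global service events and log file validation (added example)

Resources:
  # S3 bucket that receives the trail's log files and the hourly digest files.
  # Versioning and the public-access block are assumed hardening, beyond the page's three settings.
  CloudTrailBucket:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # CloudTrail must be allowed to check the bucket ACL and to put objects under
  # AWSLogs/<account-id>/, granting the bucket owner full control of each delivered object.
  CloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref CloudTrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt CloudTrailBucket.Arn
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub '${CloudTrailBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control

  Trail:
    Type: AWS::CloudTrail::Trail
    # The bucket policy must be in place before CloudTrail attempts its first delivery.
    DependsOn: CloudTrailBucketPolicy
    Properties:
      TrailName: account-wide-trail        # assumed name
      S3BucketName: !Ref CloudTrailBucket
      IsLogging: true
      IsMultiRegionTrail: true             # all regions; new regions are picked up automatically
      IncludeGlobalServiceEvents: true     # region-independent services such as IAM and CloudFront
      EnableLogFileValidation: true        # hourly digest files: SHA-256 hashes, RSA-signed

Outputs:
  TrailArn:
    Description: ARN of the trail, needed for ad hoc validation with the AWS CLI
    Value: !GetAtt Trail.Arn
```

Deploy it with `aws cloudformation deploy --template-file trail.yml --stack-name cloudtrail` (file and stack names are assumed). Once digest files have been delivered, the ad hoc check mentioned above is `aws cloudtrail validate-logs --trail-arn <TrailArn output> --start-time <ISO-8601 timestamp>`, which recomputes the SHA-256 hashes of the delivered log files and verifies the RSA signature chain of the digests against CloudTrail's published public keys.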