How do I change my CloudTrail trail to an AWS Organizations trail?


I want to change my existing AWS CloudTrail trail to an AWS Organizations trail.

Resolution

Prerequisite: You must enable CloudTrail as a trusted service in Organizations.

Update the Amazon S3 bucket policy for your CloudTrail log file

  1. Open the Amazon Simple Storage Service (Amazon S3) console.
  2. Choose Buckets.
  3. For Bucket name, choose the Amazon S3 bucket that contains your CloudTrail log files.
  4. Choose Permissions, and then choose Bucket Policy.
  5. Copy and paste the following example bucket policy statement into the policy editor.
    Important: Replace primary-account-id with your Organizations primary account ID. Replace bucket-name with your S3 bucket name. Replace org-id with your Organizations ID. Replace your-region with your AWS Region.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {
                    "Service": "cloudtrail.amazonaws.com"
                },
                "Action": "s3:GetBucketAcl",
                "Resource": "arn:aws:s3:::bucket-name"
            },
            {
                "Sid": "AWSCloudTrailWrite20150319",
                "Effect": "Allow",
                "Principal": {
                    "Service": "cloudtrail.amazonaws.com"
                },
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::bucket-name/AWSLogs/primary-account-id/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control"
                    }
                }
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {
                    "Service": "cloudtrail.amazonaws.com"
                },
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::bucket-name/AWSLogs/org-id/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control"
                    }
                }
            }
        ]
    }

  6. Choose Save.
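An organization trail fails with InsufficientS3BucketPolicyException when any of the three grants above is missing or mistyped, and the console does not say which one. The following added check (example code, not part of this article or of any AWS tool) parses a bucket policy document and lists the grants an organization trail still needs; the bucket name, account ID and organization ID it uses are constructed sample values.

```python
import json

CLOUDTRAIL = "cloudtrail.amazonaws.com"


def _as_list(value):
    """IAM lets Action/Resource/Service be a string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _grants(stmt, action, resource):
    """True if this Allow statement gives the CloudTrail service principal `action` on `resource`."""
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    return (stmt.get("Effect") == "Allow"
            and (CLOUDTRAIL in services or principal == "*")
            and action in _as_list(stmt.get("Action"))
            and resource in _as_list(stmt.get("Resource")))


def _owner_full_control(stmt):
    """CloudTrail writes with this ACL; the policy must require it on every PutObject grant."""
    return stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl") == "bucket-owner-full-control"


def missing_org_trail_grants(policy_json, bucket, primary_account_id, org_id):
    """Return the grants an Organizations trail needs that this bucket policy does not provide."""
    statements = json.loads(policy_json).get("Statement", [])
    required = [  # (action, resource, PutObject ACL condition required?)
        ("s3:GetBucketAcl", f"arn:aws:s3:::{bucket}", False),
        ("s3:PutObject", f"arn:aws:s3:::{bucket}/AWSLogs/{primary_account_id}/*", True),
        ("s3:PutObject", f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*", True),
    ]
    return [f"{action} on {resource}" for action, resource, needs_acl in required
            if not any(_grants(s, action, resource) and (not needs_acl or _owner_full_control(s))
                       for s in statements)]


# Constructed sample policy: the org-id statement carries a typo ("o-exampl3" for "o-example1"),
# the kind of slip that surfaces as InsufficientS3BucketPolicyException when the trail is saved.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL}, "Action": "s3:GetBucketAcl",
     "Resource": "arn:aws:s3:::my-trail-bucket"},
    {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-trail-bucket/AWSLogs/111122223333/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-trail-bucket/AWSLogs/o-exampl3/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]})
```

Calling missing_org_trail_grants(SAMPLE_POLICY, "my-trail-bucket", "111122223333", "o-example1") reports only the org-id PutObject grant as missing, which is exactly the statement to re-check. Feed it the output of `aws s3api get-bucket-policy --query Policy --output text` to check a real bucket before saving the trail.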

(Optional) Configure CloudWatch logs to monitor the Organizations CloudTrail logs

Note: Complete the following steps only if you use Amazon CloudWatch logs to monitor CloudTrail log files.

  1. Verify that your organization has all features enabled.

  2. Open the AWS Identity and Access Management (IAM) console.

  3. Choose Policies.

  4. For Policy name, choose the IAM policy that allows access to the CloudWatch logs group in your AWS account.

  5. Choose Edit policy, and then copy and paste the following example IAM policy statement.
    Important: Replace your-region with your Region. Replace primary-account-id with your Organizations primary account ID. Replace org-id with your organization ID. Replace log-group-name with your CloudWatch log group name.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailCreateLogStream",
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogStream"
                ],
                "Resource": [
                    "arn:aws:logs:your-region:primary-account-id:log-group:CloudTrail/log-group-name:log-stream:primary-account-id_CloudTrail_your-region*",
                    "arn:aws:logs:your-region:primary-account-id:log-group:CloudTrail/log-group-name:log-stream:org-id*"
                ]
            },
            {
                "Sid": "AWSCloudTrailPutLogEvents",
                "Effect": "Allow",
                "Action": [
                    "logs:PutLogEvents"
                ],
                "Resource": [
                    "arn:aws:logs:your-region:primary-account-id:log-group:CloudTrail/log-group-name:log-stream:primary-account-id_CloudTrail_your-region*",
                    "arn:aws:logs:your-region:primary-account-id:log-group:CloudTrail/log-group-name:log-stream:org-id*"
                ]
            }
        ]
    }

  6. Choose Save.

  7. Open the CloudTrail console.

  8. Choose Trails.

  9. For Trail name, choose your trail.

  10. For CloudWatch logs, choose the edit icon. Then, choose Continue.

  11. For Role Summary, choose Allow.

Update your CloudTrail trail to an organization trail

  1. Open the CloudTrail console.
  2. Choose Trails.
  3. For Trail name, choose your trail.
  4. For Trail settings, choose the edit icon.
  5. For Apply trail to my organization, choose Yes. Then, choose Save.

Related information

Getting started with AWS Organizations

Running update-trail to update an organization trail

AWS CloudTrail and AWS Organizations

2 Comments

I did exactly this but I keep getting InsufficientS3BucketPolicyException - PS my bucket lives in a log archive account. Does that make any difference? [Edit] In the end it worked, I had a typo. My question is why couldn't I use the StringEquals condition "aws:PrincipalOrgID": myOrgId ?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago