# Deliver CloudTrail Logs to a specific S3 bucket

* To deliver log files to an S3 bucket, **CloudTrail must have the required permissions, and the bucket cannot be configured as a Requester Pays bucket**.

* **When you create a new bucket as part of creating or updating a trail, CloudTrail attaches the required permissions to your bucket** and the bucket policy uses the **service principal name, `"cloudtrail.amazonaws.com"`, which allows CloudTrail to deliver logs for all regions**.

* **If CloudTrail is not delivering logs for a region, it's possible that your bucket has an older policy that specifies CloudTrail account IDs for each region**, which **only gives CloudTrail permission to deliver logs for some regions** (the specified ones).
  * As a best practice, **update the policy to use a permission with the CloudTrail service principal**. To do this, **replace the account ID ARNs with the service principal name: `"cloudtrail.amazonaws.com"`**. This gives CloudTrail permission to deliver logs for current and new regions.

* **If you try to add, modify, or remove a log file prefix for an S3 bucket** that receives logs from a trail, you may see the error: **`There is a problem with the bucket policy`**.

  * A **bucket policy with an incorrect prefix can prevent your trail from delivering logs to the bucket**. To resolve this issue, **use S3 to update the prefix in the bucket policy, and then use the CloudTrail console to specify the same prefix** for the bucket in the trail.

* **`s3:UploadPart` - Uploads one part in a multipart upload**.
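
The two bucket-policy problems described above (an older policy with account-ID principals, and a prefix that does not match the trail) can be checked offline against an exported policy document. The following is an added example, not AWS or CloudTrail code: the function name, finding codes, bucket name and account IDs are constructed placeholders, and it assumes a delivery statement is an `Allow` on `s3:PutObject` whose resource lies under `AWSLogs/`.

```python
import json

SERVICE_PRINCIPAL = "cloudtrail.amazonaws.com"

def _as_list(value):
    """IAM policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_delivery_policy(policy_json, bucket, trail_prefix=""):
    """Return sorted (Sid, finding) pairs for the log-delivery write statements."""
    prefix = trail_prefix.strip("/")
    expected = f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}AWSLogs/"
    findings, service_write_ok = set(), False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        resources = _as_list(stmt.get("Resource"))
        # Assumption: a delivery statement is an Allow on s3:PutObject under AWSLogs/.
        if (stmt.get("Effect") != "Allow"
                or "s3:PutObject" not in _as_list(stmt.get("Action"))
                or not any("AWSLogs/" in r for r in resources)):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        principal = principal if isinstance(principal, dict) else {}
        uses_service = SERVICE_PRINCIPAL in _as_list(principal.get("Service"))
        if principal.get("AWS") and not uses_service:
            findings.add((sid, "ACCOUNT_ID_PRINCIPAL"))  # older per-region style
        prefix_ok = any(r.startswith(expected) for r in resources)
        if not prefix_ok:
            findings.add((sid, "PREFIX_MISMATCH"))  # policy and trail prefix differ
        service_write_ok = service_write_ok or (uses_service and prefix_ok)
    if not service_write_ok:
        findings.add(("<policy>", "NO_SERVICE_PRINCIPAL_WRITE"))
    return sorted(findings)

# Constructed sample policies; bucket name and account IDs are placeholders.
def _policy(principal, resource):
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": principal,
        "Action": "s3:PutObject", "Resource": resource,
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]})

LEGACY = _policy({"AWS": ["arn:aws:iam::111111111111:root"]},
                 "arn:aws:s3:::example-trail-bucket/AWSLogs/123456789012/*")
CURRENT = _policy({"Service": SERVICE_PRINCIPAL},
                  "arn:aws:s3:::example-trail-bucket/audit/AWSLogs/123456789012/*")

if __name__ == "__main__":
    for name, doc, pfx in [("legacy", LEGACY, ""), ("current", CURRENT, "audit"),
                           ("current, wrong prefix", CURRENT, "logs")]:
        print(name, audit_delivery_policy(doc, "example-trail-bucket", pfx))
```

An empty result means the policy contains a service-principal write statement whose resource matches the trail's prefix.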
