Deliver CloudTrail Logs to a specific S3 bucket

  • To deliver log files to an S3 bucket, CloudTrail must have the required permissions on that bucket, and the bucket cannot be configured as a Requester Pays bucket.

  • When you create a new bucket as part of creating or updating a trail, CloudTrail attaches the required permissions to your bucket and the bucket policy uses the service principal name, "cloudtrail.amazonaws.com", which allows CloudTrail to deliver logs for all regions.

  • If CloudTrail is not delivering logs for a region, it is possible that your bucket has an older policy that specifies CloudTrail account IDs for each region; such a policy only gives CloudTrail permission to deliver logs for the regions it lists.

    • As a best practice, update the policy to use a permission with the CloudTrail service principal. To do this, replace the account ID ARNs with the service principal name: "cloudtrail.amazonaws.com". This gives CloudTrail permission to deliver logs for current and new regions.

  • If you try to add, modify, or remove a log file prefix for an S3 bucket that receives logs from a trail, you may see the error: There is a problem with the bucket policy.

    • A bucket policy with an incorrect prefix can prevent your trail from delivering logs to the bucket. To resolve this issue, use S3 to update the prefix in the bucket policy, and then use the CloudTrail console to specify the same prefix for the bucket in the trail.
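The two failure modes above (per-region account IDs as principals, and a prefix in the bucket policy that no longer matches the trail) can both be caught by inspecting the policy document before a trail is created or changed. The following Python audit is an added example, not code from this page or from AWS; the bucket name, account IDs and prefixes are constructed placeholders, and the `audit_bucket_policy` and `service_principal_policy` helper names are assumptions. The policy shape it builds is the standard CloudTrail delivery policy: `s3:GetBucketAcl` on the bucket and `s3:PutObject` on `<bucket>/<prefix>/AWSLogs/<account-id>/*` with the `bucket-owner-full-control` ACL condition, both granted to the `cloudtrail.amazonaws.com` service principal.

```python
"""Audit a CloudTrail delivery bucket policy for the problems described above (added example)."""
import json

CLOUDTRAIL_SERVICE_PRINCIPAL = "cloudtrail.amazonaws.com"

# Constructed example of an older policy that names per-region CloudTrail
# account IDs as principals. The account IDs are placeholders, not real ones.
_LEGACY_PRINCIPALS = {"AWS": ["arn:aws:iam::111111111111:root",
                              "arn:aws:iam::222222222222:root"]}
LEGACY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": _LEGACY_PRINCIPALS, "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::example-trail-bucket"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": _LEGACY_PRINCIPALS, "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-trail-bucket/old-prefix/AWSLogs/123456789012/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
})


def _as_list(value):
    """IAM policy fields may be a string or a list; always work with a list."""
    return value if isinstance(value, list) else [value]


def _put_prefix(bucket, prefix):
    """Resource prefix that a PutObject statement must start with for this trail."""
    prefix = prefix.strip("/")
    return f"arn:aws:s3:::{bucket}/" + (f"{prefix}/" if prefix else "") + "AWSLogs/"


def audit_bucket_policy(policy_json, bucket, trail_prefix):
    """Return a list of findings (strings) for a CloudTrail delivery bucket policy.

    Flags: account-ID principals instead of the service principal (delivery
    only works for the regions whose accounts are listed), a PutObject resource
    whose prefix differs from the trail's configured prefix (the 'There is a
    problem with the bucket policy' error), and a PutObject statement missing
    the bucket-owner-full-control ACL condition.
    """
    findings = []
    expected = _put_prefix(bucket, trail_prefix)
    for stmt in json.loads(policy_json).get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if "AWS" in principal and CLOUDTRAIL_SERVICE_PRINCIPAL not in _as_list(principal.get("Service", [])):
            findings.append(f"{sid}: principal uses account ARNs {_as_list(principal['AWS'])}; "
                            f"replace with Service principal {CLOUDTRAIL_SERVICE_PRINCIPAL}")
        if "s3:PutObject" in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                if not resource.startswith(expected):
                    findings.append(f"{sid}: PutObject resource {resource} does not match "
                                    f"trail prefix '{trail_prefix or '(none)'}' (expected {expected}*)")
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append(f"{sid}: PutObject lacks s3:x-amz-acl = bucket-owner-full-control condition")
    return findings


def service_principal_policy(bucket, account_id, prefix=""):
    """Build the recommended policy: service principal plus the trail's current prefix."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE_PRINCIPAL},
             "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE_PRINCIPAL},
             "Action": "s3:PutObject",
             "Resource": _put_prefix(bucket, prefix) + f"{account_id}/*",
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }, indent=2)


if __name__ == "__main__":
    # The trail was reconfigured to use 'new-prefix' while the policy still says 'old-prefix'.
    for finding in audit_bucket_policy(LEGACY_POLICY, "example-trail-bucket", "new-prefix"):
        print("FINDING:", finding)
    fixed = service_principal_policy("example-trail-bucket", "123456789012", "new-prefix")
    print(fixed)
    print("findings after fix:", audit_bucket_policy(fixed, "example-trail-bucket", "new-prefix"))
```

Run against the constructed legacy policy with the trail set to `new-prefix`, the audit reports both account-ID principals and the stale `old-prefix` resource; the rebuilt policy produces no findings as long as the prefix passed to `service_principal_policy` is the same one configured on the trail, which is exactly the pairing the note above asks you to keep in sync.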

  • s3:UploadPart - Uploads one part in a multipart upload.
