AWS CloudTrail
User Guide (Version 1.0)

Amazon S3 Bucket Policy for CloudTrail

By default, S3 buckets and objects are private. Only the resource owner (the AWS account that created the bucket) can access the bucket and objects it contains. The resource owner can grant access permissions to other resources and users by writing an access policy.

To deliver log files to an S3 bucket, CloudTrail must have the required permissions. CloudTrail automatically attaches the required permissions to the bucket when you do the following:

  • Create an S3 bucket as part of creating or updating a trail in the CloudTrail console.

  • Create an S3 bucket with the AWS CLI create-subscription and update-subscription commands.

CloudTrail adds the following fields in the policy for you:

  • The allowed SIDs.

  • The bucket name.

  • The service principal name for CloudTrail.

  • The name of the folder where the log files are stored, including the bucket name, a prefix (if you specified one), and your AWS account ID.

The following policy allows CloudTrail to write log files to the bucket from supported regions. For more information, see CloudTrail Supported Regions.

S3 bucket policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::myBucketName"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/myAccountID/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
        }
    ]
}

Specifying an Existing Bucket for CloudTrail Log Delivery

If you specified an existing S3 bucket as the storage location for log file delivery, you must attach a policy to the bucket that allows CloudTrail to write to the bucket.

Note

As a best practice, use a dedicated S3 bucket for CloudTrail logs.

To add the required CloudTrail policy to an Amazon S3 bucket

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Choose the bucket where you want CloudTrail to deliver your log files, and then choose Properties.

  3. Choose Permissions.

  4. Choose Edit Bucket Policy.

  5. Copy the S3 bucket policy to the Bucket Policy Editor window. Replace the placeholders (myBucketName, [optional prefix], and myAccountID) with the names of your bucket, prefix, and account number. If you specified a prefix when you created your trail, include it here. The prefix is an optional addition to the S3 object key that creates a folder-like organization in your bucket.

    Caution

    If the existing bucket already has one or more policies attached, add the statements for CloudTrail access to that policy or policies. Evaluate the resulting set of permissions to be sure that they are appropriate for the users who will access the bucket.

Receiving Log Files from Other Accounts

You can configure CloudTrail to deliver log files from multiple AWS accounts to a single S3 bucket. For more information, see Receiving CloudTrail Log Files from Multiple Accounts.

Troubleshooting the S3 Bucket Policy

The following sections describe how to troubleshoot the S3 bucket policy.

Common S3 Policy Configuration Errors

When you create a new bucket as part of creating or updating a trail, CloudTrail attaches the required permissions to your bucket. The bucket policy uses the service principal name, "cloudtrail.amazonaws.com", which allows CloudTrail to deliver logs for all regions.

If CloudTrail is not delivering logs for a region, it's possible that your bucket has an older policy that specifies CloudTrail account IDs for each region. This policy gives CloudTrail permission to deliver logs only for the regions specified.

The following bucket policy allows CloudTrail to deliver logs for the specified nine regions only:

Example bucket policy with account IDs

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20131101",
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::903692715234:root",
                "arn:aws:iam::035351147821:root",
                "arn:aws:iam::859597730677:root",
                "arn:aws:iam::814480443879:root",
                "arn:aws:iam::216624486486:root",
                "arn:aws:iam::086441151436:root",
                "arn:aws:iam::388731089494:root",
                "arn:aws:iam::284668455005:root",
                "arn:aws:iam::113285607260:root"
            ]},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::bucket-1"
        },
        {
            "Sid": "AWSCloudTrailWrite20131101",
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::903692715234:root",
                "arn:aws:iam::035351147821:root",
                "arn:aws:iam::859597730677:root",
                "arn:aws:iam::814480443879:root",
                "arn:aws:iam::216624486486:root",
                "arn:aws:iam::086441151436:root",
                "arn:aws:iam::388731089494:root",
                "arn:aws:iam::284668455005:root",
                "arn:aws:iam::113285607260:root"
            ]},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-1/my-prefix/AWSLogs/123456789012/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
        }
    ]
}

This policy uses a permission based on individual CloudTrail account IDs. To deliver logs for a new region, you must manually update the policy to include the CloudTrail account ID for that region. For example, because CloudTrail added support for the US East (Ohio) Region, you must update the policy to include the account ID ARN for that region: "arn:aws:iam::475085895292:root".

As a best practice, update the policy to use a permission with the CloudTrail service principal. To do this, replace the account ID ARNs with the service principal name: "cloudtrail.amazonaws.com". This gives CloudTrail permission to deliver logs for current and new regions. The following is an updated version of the previous policy:

Example bucket policy with service principal name

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::bucket-1"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-1/my-prefix/AWSLogs/123456789012/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
        }
    ]
}

Changing a Prefix for an Existing Bucket

If you try to add, modify, or remove a log file prefix for an S3 bucket that receives logs from a trail, you may see the error: There is a problem with the bucket policy. A bucket policy with an incorrect prefix can prevent your trail from delivering logs to the bucket. To resolve this issue, use the Amazon S3 console to update the prefix in the bucket policy, and then use the CloudTrail console to specify the same prefix for the bucket in the trail.

To update the log file prefix for an S3 bucket

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Choose the bucket for which you want to modify the prefix, and then choose Properties.

  3. Choose Permissions.

  4. Choose Edit Bucket Policy.

  5. In the bucket policy, under the s3:PutObject action, edit the Resource entry to add, modify, or remove the log file prefix as needed.

     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::myBucketName/prefix/AWSLogs/myAccountID/*",

  6. Choose Save.

  7. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  8. Choose your trail and for Storage location, click the pencil icon to edit the settings for your bucket.

  9. For S3 bucket, choose the bucket with the prefix you are changing.

  10. For Log file prefix, update the prefix to match the prefix that you entered in the bucket policy.

  11. Choose Save.
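The policy-editing steps above, the "Common S3 Policy Configuration Errors" section, and the prefix-change procedure all come down to the same two statements being present and consistent with the trail. The following is an added example (not AWS's own code) that fills in the guide's policy template for a bucket, account ID, and prefix, and audits an existing policy document for the three failure modes the guide describes: legacy account-ID principals, a Resource path that does not match the trail's prefix, and a missing bucket-owner-full-control condition. The bucket name, account ID, and prefix values are constructed; the policy is checked in memory, so no AWS credentials are needed.

```python
import json

CLOUDTRAIL_SP = "cloudtrail.amazonaws.com"

def _as_list(value):  # IAM allows a single string or a list for Action/Resource/Principal values
    return [value] if isinstance(value, str) else list(value)

def expected_log_arn(bucket, account_id, prefix=""):
    """Object ARN CloudTrail writes to; the prefix is optional (slashes are normalised)."""
    prefix = prefix.strip("/")
    return f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}AWSLogs/{account_id}/*"

def build_cloudtrail_policy(bucket, account_id, prefix=""):
    """The two-statement policy from the guide with the placeholders filled in."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SP},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_SP},
         "Action": "s3:PutObject",
         "Resource": expected_log_arn(bucket, account_id, prefix),
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}

def audit_policy(policy, bucket, account_id, prefix=""):
    """Return findings that explain why CloudTrail delivery to this bucket could fail."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    findings, acl_ok, write_ok = [], False, False
    want_arn = expected_log_arn(bucket, account_id, prefix)
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        if "AWS" in principal and "Service" not in principal:
            # Legacy per-region CloudTrail account IDs: regions added later are not covered.
            findings.append(f"{st.get('Sid')}: account-ID principals instead of {CLOUDTRAIL_SP}")
        elif CLOUDTRAIL_SP in _as_list(principal.get("Service", [])):
            if "s3:GetBucketAcl" in actions and f"arn:aws:s3:::{bucket}" in resources:
                acl_ok = True
            if "s3:PutObject" in actions and want_arn in resources:
                cond = st.get("Condition", {}).get("StringEquals", {})
                write_ok = write_ok or cond.get("s3:x-amz-acl") == "bucket-owner-full-control"
            elif "s3:PutObject" in actions:
                findings.append(f"PutObject Resource does not match the trail: expected {want_arn}")
    if not acl_ok:
        findings.append("no s3:GetBucketAcl grant for CloudTrail on the bucket ARN")
    if not write_ok:
        findings.append("no s3:PutObject grant with bucket-owner-full-control on the log path")
    return findings
```

Feed audit_policy the output of get-bucket-policy together with the bucket, account ID, and prefix configured on the trail; an empty list means the policy matches what the guide requires, and each finding names the statement to fix.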

Additional Resources

For more information about S3 buckets and policies, see the Amazon Simple Storage Service Developer Guide.