Amazon S3 bucket policy for CloudTrail Lake query results
By default, Amazon S3 buckets and objects are private. Only the resource owner (the AWS account that created the bucket) can access the bucket and objects it contains. The resource owner can grant access permissions to other resources and users by writing an access policy.
To deliver CloudTrail Lake query results to an S3 bucket, CloudTrail must have the required permissions, and it cannot be configured as a Requester Pays bucket.
CloudTrail adds the following fields in the policy for you:
-
The allowed SIDs
-
The bucket name
-
The service principal name for CloudTrail
As a security best practice, add an aws:SourceArn condition key to the Amazon S3
bucket policy. The IAM global condition key aws:SourceArn helps ensure that
CloudTrail writes to the S3 bucket only for the event data store.
The following policy allows CloudTrail to deliver query results to the bucket from supported
AWS Regions. Replace myBucketName,
myAccountID, and
myQueryRunningRegion with the appropriate values for your
configuration. The myAccountID is the AWS account ID used for
CloudTrail, which may not be the same as the AWS account ID for the S3 bucket.
Note
If your bucket policy includes a statement for a KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
If this is an organization event data store, the event data store ARN must include the AWS account ID for the management account. This is because the management account maintains ownership of all organization resources.
S3 bucket policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSCloudTrailLake1", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": [ "s3:PutObject*", "s3:Abort*" ], "Resource": [ "arn:aws:s3:::myBucketName", "arn:aws:s3:::myBucketName/*" ], "Condition": { "StringLike": { "aws:sourceAccount": "myAccountID", "aws:sourceArn": "arn:aws:cloudtrail:myQueryRunningRegion:myAccountID:eventdatastore/*" } } }, { "Sid": "AWSCloudTrailLake2", "Effect": "Allow", "Principal": {"Service":"cloudtrail.amazonaws.com"}, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::myBucketName", "Condition": { "StringLike": { "aws:sourceAccount": "myAccountID", "aws:sourceArn": "arn:aws:cloudtrail:myQueryRunningRegion:myAccountID:eventdatastore/*" } } } ] }
Specifying an existing bucket for CloudTrail Lake query results
If you specified an existing S3 bucket as the storage location for CloudTrail Lake query results delivery, you must attach a policy to the bucket that allows CloudTrail to deliver the query results to the bucket.
Note
As a best practice, use a dedicated S3 bucket for CloudTrail Lake query results.
To add the required CloudTrail policy to an Amazon S3 bucket
Open the Amazon S3 console at https://console.aws.amazon.com/s3/
. -
Choose the bucket where you want CloudTrail to deliver your Lake query results, and then choose Permissions.
-
Choose Edit.
-
Copy the S3 bucket policy for query results to the Bucket Policy Editor window. Replace the placeholders in italics with the names of your bucket, Region, and account ID.
Note
If the existing bucket already has one or more policies attached, add the statements for CloudTrail access to that policy or policies. Evaluate the resulting set of permissions to be sure that they are appropriate for the users who access the bucket.
Additional resources
For more information about S3 buckets and policies, see Using bucket policies in the Amazon Simple Storage Service User Guide.
