Closed mbuotidem closed 2 years ago
Thank you for taking the time to submit a pull request.
The high-level S3 bucket structure described in the paragraph does not define a literal S3 path. The existing JSON policy example is correct as is.
Included below are examples of different CloudTrail S3 paths and a reference link.
Standard CloudTrail path:
The following example shows a complete log file object name:
bucket_name/prefix_name/AWSLogs/Account ID/CloudTrail/region/YYYY/MM/DD/file_name.json.gz
Organization CloudTrail path:
Note: For organization trails, the log file object name includes the organization unit ID in the path, as follows:
bucket_name/prefix_name/AWSLogs/OU-ID/Account ID/CloudTrail/region/YYYY/MM/DD/file_name.json.gz
Reference Link: Finding your CloudTrail log files - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html
@ljquin Is there any chance you or someone on your team can spin an Organization CloudTrail log up and verify the path? I'm asking because this is what it looks like on my end.
You can see that the OU-ID comes before AWSLogs. I made the PR because I spent an entire afternoon wondering why things weren't working despite my following the instructions to a T, and only on a second pass did I notice that my path didn't match up with what the docs describe.
For context, my organizational setup is done using https://docs.aws.amazon.com/controltower/latest/userguide/taf-account-provisioning.html
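The disagreement above is about which folder sits where in the object key: the documented organization-trail layout puts the org ID after `AWSLogs`, while the Control Tower layout reported by the PR author puts it before. The following is an added example (not code from this repository or from either commenter) that parses all three layouts discussed in the thread, derives the bucket-policy `Resource` ARN that would cover each, and checks whether a given ARN actually matches a real log key, which is the mismatch that cost the author an afternoon. It assumes organization IDs have the form `o-` followed by lowercase alphanumerics, that the Control Tower layout is exactly as described above (org ID directly before `AWSLogs`), and uses constructed sample keys rather than real log objects.

```python
"""Parse CloudTrail S3 object keys for the layouts discussed in this PR thread
and derive the bucket-policy Resource ARN that covers them.

Added example for this thread, not code from the repository under review.
Assumptions: org IDs look like 'o-' + lowercase alphanumerics; the Control
Tower layout places the org ID immediately before 'AWSLogs' (as reported in
the thread); all sample keys below are constructed.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional

KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+?)/)??"             # optional user prefix; lazy so it never swallows the org id
    r"(?:(?P<org_before>o-[a-z0-9]+)/)?"   # org id BEFORE AWSLogs: Control Tower layout (reported in thread)
    r"AWSLogs/"
    r"(?:(?P<org_after>o-[a-z0-9]+)/)?"    # org id AFTER AWSLogs: documented organization-trail layout
    r"(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"
    r"(?P<file>[^/]+\.json\.gz)$"
)


@dataclass(frozen=True)
class TrailKey:
    layout: str               # "standard", "organization" or "control-tower"
    prefix: Optional[str]
    org_id: Optional[str]
    account: str
    region: str
    date: str                 # YYYY-MM-DD
    file: str


def parse_key(key: str) -> TrailKey:
    """Parse an S3 object key (or an s3://bucket/key URI) written by CloudTrail."""
    if key.startswith("s3://"):
        _, _, key = key[len("s3://"):].partition("/")   # drop the bucket name
    m = KEY_RE.match(key)
    if not m:
        raise ValueError(f"not a CloudTrail log object key: {key!r}")
    if m["org_before"]:
        layout = "control-tower"
    elif m["org_after"]:
        layout = "organization"
    else:
        layout = "standard"
    return TrailKey(
        layout=layout,
        prefix=m["prefix"],
        org_id=m["org_before"] or m["org_after"],
        account=m["account"],
        region=m["region"],
        date=f"{m['year']}-{m['month']}-{m['day']}",
        file=m["file"],
    )


def policy_resource_arn(bucket: str, parsed: TrailKey) -> str:
    """Resource ARN for the folder a bucket policy must let CloudTrail write under.

    Derived from the three layouts above: the folder directly above the
    per-account 'CloudTrail/' subtree (standard: the account folder;
    organization: the org-id folder; Control Tower: 'AWSLogs' under the org id).
    """
    base = f"{parsed.prefix}/" if parsed.prefix else ""
    if parsed.layout == "standard":
        folder = f"AWSLogs/{parsed.account}"
    elif parsed.layout == "organization":
        folder = f"AWSLogs/{parsed.org_id}"
    else:
        folder = f"{parsed.org_id}/AWSLogs"
    return f"arn:aws:s3:::{bucket}/{base}{folder}/*"


def arn_covers_key(resource_arn: str, bucket: str, key: str) -> bool:
    """True if a wildcard S3 resource ARN matches bucket/key ('*' spans '/' as in IAM)."""
    if not resource_arn.startswith("arn:aws:s3:::"):
        return False
    return fnmatch.fnmatchcase(f"{bucket}/{key}", resource_arn[len("arn:aws:s3:::"):])


# Constructed sample keys, one per layout discussed in the thread.
SAMPLE_KEYS: List[str] = [
    "AWSLogs/123456789012/CloudTrail/us-east-1/2022/03/15/standard.json.gz",
    "logs/AWSLogs/o-a1b2c3d4e5/123456789012/CloudTrail/eu-west-1/2022/03/15/org.json.gz",
    "o-a1b2c3d4e5/AWSLogs/123456789012/CloudTrail/ap-southeast-2/2022/03/15/ct.json.gz",
]


def layouts_of_samples() -> List[str]:
    """Return the detected layout for each constructed sample key."""
    return [parse_key(k).layout for k in SAMPLE_KEYS]


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        parsed = parse_key(key)
        arn = policy_resource_arn("mybucket", parsed)
        print(f"{parsed.layout:14} {arn}  covers={arn_covers_key(arn, 'mybucket', key)}")
```

Running the module prints one line per layout with the ARN it derives; feeding a real key from your bucket into `parse_key` and comparing `policy_resource_arn` against the `Resource` in your bucket policy is the quickest way to spot the mismatch the author describes before CloudTrail starts reporting delivery failures.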
@mbuotidem I do have an Organizations CloudTrail set up in my account, and the S3 path of the trail matches the documented path mentioned in my prior comment. I created the Organizations CloudTrail manually, but you used Control Tower to set up the Organizations CloudTrail. This could be the reason for the different CloudTrail S3 paths.
I'll investigate further and return with an update.
Issue #, if available: N/A
Description of changes: The provided sample ARN is incorrect. According to the docs for creating an organizational trail at https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html, "the high-level bucket structure for log files contains a folder named with the organization ID, and subfolders named with the account IDs for each account in the organization."
This PR fixes the ARN to reflect the structure as described above.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.