awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

LZA ControlTower redundant Logging Path Behavior #491

Closed oniGino closed 4 months ago

oniGino commented 4 months ago

This might be the expected behavior but I'd like some clarity.

Looking at the centralized logging bucket in the Logging Account, I am seeing s3://aws-controltower-logs-12345-us-gov-west-1/o-XXXX/AWSLogs/o-XXXX/ACCOUNT_ID/CloudTrail/ for access to CloudTrail event logs. Notice we create an org o-XXXX organization folder twice.

While for AWS Config logs we see the "correct" way: s3://aws-controltower-logs-12345-us-gov-west-1/o-XXXX/AWSLogs/ACCOUNT_ID/Config/

Is this the expected behavior? I see this across all LZA accounts, bootstrapped using 1.6.2.

Please let me know if this behavior is expected; if so, is it possible to override this path selection so we can consolidate all account logging into a single path?

Here is the LZA-generated CloudTrail bucket policy statement:

{
    "Sid": "AWSBucketDeliveryForOrganizationTrail",
    "Effect": "Allow",
    "Principal": {
        "Service": "cloudtrail.amazonaws.com"
    },
    "Action": "s3:PutObject",
    "Resource": [
        "arn:aws-us-gov:s3:::aws-controltower-logs-12345-us-gov-west-1/o-XXXX/AWSLogs/ACCOUNT_ID/*",
        "arn:aws-us-gov:s3:::aws-controltower-logs-12345-us-gov-west-1/o-XXXX/AWSLogs/o-XXXX/*"
    ],
    "Condition": {
        "StringEquals": {
            "aws:SourceOrgID": "o-XXXX"
        }
    }
}
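
As an added example that is not part of this issue or of the LZA code base (the function names, the sample keys and the placeholder org and account ids are all assumptions), here is a small Python helper that recognises both layouts described above, the organization-trail path with the nested org id and the account-level path used by AWS Config, and lets a log consumer index objects by account and service regardless of which prefix they were written under. Unrecognised keys come back as None so an ingestion pipeline can alert on unexpected writers instead of dropping them silently.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample keys (not taken from the issue). The org id, account id and
# file names are placeholders. They mirror the two layouts the issue describes:
# the Control Tower organization trail nests the org id a second time under
# AWSLogs/, while AWS Config delivers directly under AWSLogs/<account>/.
SAMPLE_KEYS = [
    "o-XXXX/AWSLogs/o-XXXX/111111111111/CloudTrail/us-gov-west-1/2024/05/01/"
    "111111111111_CloudTrail_us-gov-west-1_20240501T0000Z_abc.json.gz",
    "o-XXXX/AWSLogs/111111111111/Config/us-gov-west-1/2024/5/1/ConfigHistory/"
    "111111111111_Config_us-gov-west-1_ConfigHistory_AWS::S3::Bucket_20240501T000000Z.json.gz",
    "o-XXXX/AWSLogs/111111111111/CloudTrail-Digest/us-gov-west-1/2024/05/01/digest.json.gz",
    "some/unrelated/object.txt",
]


class LogObject(NamedTuple):
    org_id: str
    account_id: str
    service: str             # CloudTrail, Config, CloudTrail-Digest, ...
    region: Optional[str]
    nested_org_prefix: bool  # True for the <org>/AWSLogs/<org>/<account>/ layout


_ORG = r"o-[A-Za-z0-9]+"
_ACCOUNT = r"\d{12}"
# <service>/<region>/ ; the region must look like a region (e.g. us-gov-west-1),
# so a date segment such as 2024 is never mistaken for one.
_TAIL = r"(?P<service>[A-Za-z-]+)(?:/(?P<region>[a-z]{2}-[a-z0-9-]+))?/"

# Organization trail layout: <org>/AWSLogs/<org>/<account>/<service>/<region>/...
ORG_TRAIL_RE = re.compile(
    rf"^(?P<org>{_ORG})/AWSLogs/(?P<org2>{_ORG})/(?P<account>{_ACCOUNT})/{_TAIL}"
)
# Account-level layout: <org>/AWSLogs/<account>/<service>/<region>/...
ACCOUNT_LEVEL_RE = re.compile(
    rf"^(?P<org>{_ORG})/AWSLogs/(?P<account>{_ACCOUNT})/{_TAIL}"
)


def parse_key(key: str) -> Optional[LogObject]:
    """Classify one S3 key from the centralized logging bucket.

    Returns None for objects that follow neither layout, so a consumer can
    alert on unexpected writers rather than silently skipping them.
    """
    m = ORG_TRAIL_RE.match(key)
    if m:
        # The org id should be identical in both positions; treat a mismatch
        # as malformed rather than guessing which one is right.
        if m.group("org") != m.group("org2"):
            return None
        return LogObject(m.group("org"), m.group("account"), m.group("service"),
                         m.group("region"), True)
    m = ACCOUNT_LEVEL_RE.match(key)
    if m:
        return LogObject(m.group("org"), m.group("account"), m.group("service"),
                         m.group("region"), False)
    return None


def group_by_account_service(keys: List[str]) -> Dict[Tuple[str, str], List[str]]:
    """Consolidate keys from both layouts under one (account, service) index.

    This is the ingestion-side answer to "a single path": the bucket layout
    stays exactly as Control Tower wrote it, but downstream consumers get one
    consistent view keyed by account and log source.
    """
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for key in keys:
        obj = parse_key(key)
        if obj is not None:
            groups[(obj.account_id, obj.service)].append(key)
    return dict(groups)


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(parse_key(key), "<-", key)
    for (account, service), members in sorted(group_by_account_service(SAMPLE_KEYS).items()):
        print(f"{account}/{service}: {len(members)} object(s)")
```

Because the parser records whether the nested org prefix was present, the same index can also be used to confirm that every CloudTrail object lands under one of the two Resource ARNs in the bucket policy above and nothing else is writing into the bucket.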
bo1984 commented 4 months ago

Hi Gino!

Thank you for contacting us. When AWS Control Tower sets up your AWS CloudTrail logging (aws-controltower-BaselineCloudTrail), by default, the prefix set will be that of your organization ID, so this is intended behavior. Having said that, the LZA solution does not control the path of the CloudTrail logs and the prefix they're stored in within the logging bucket that AWS Control Tower has provisioned.