Policies applied on organization trail logs bucket created by AWS Tower



We just setup AWS Tower on our organization. Everything ran smoothly but we detected a strange policy applied by AWS Tower on the bucket responsible to aggregate Cloudtrail trails from all of our organization. This bucket is located on the Log Archive account of Tower architecture. The policy is :

            "Sid": "AWSBucketDeliveryForOrganizationTrail",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            "Action": "s3:PutObject",
            "Resource": [

This policy allows cloudtrail service to push objects on the provided path. Out of curiosity, we tried to configure a Cloudtrail trail located on non-related AWS account (by non-related I mean an AWS account that doesn't belong to the AWS organization) to use this S3 path to push data on. And it worked.

Is there any reason why this policy doesn't have a condition field to restrict access to accounts that belong to the organization like :

"Condition": {
                "StringEquals": {
                       "aws:PrincipalOrgID": [ "ORGANIZATION_ID" ]}

Our Tower landing zone version is 3.0. This version enabled Organization-based trail instead of Account-based trails, so I think this policy exists since this version. I know there are some non easily guessable variables (like the Org ID and the bucket name) in the process, but as a compliance tool, AWS Tower should restrict access to the organization itself as it's restricted to it by design.

Thanks for your time

1 Answer

This has been addressed in our latest Control Tower Landing Zone version 3.3. Release note here;

We have modified the Amazon S3 Audit bucket policy that AWS Control Tower deploys in accounts, so that an aws:SourceOrgID condition must be met for any write permissions. With this release, AWS services have access to your resources only when the request originates from your organization or organizational unit (OU). You can use the aws:SourceOrgID condition key and set the value to your organization ID in the condition element of your S3 bucket policy. This condition ensures that CloudTrail only can write logs on behalf of accounts within your organization to your S3 bucket; it prevents CloudTrail logs outside your organization from writing to your AWS Control Tower S3 bucket.

answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions