
How can I restrict S3 bucket access to allow only VPC Flow logs from within an organization?



I have a landing zone created with Control Tower (Audit and Logging accounts and so on). In the logging account I have an S3 bucket in which I want to receive the VPC Flow logs from all current and future accounts in that organization. So, I want to create a bucket policy that only allows receiving VPC Flow logs as long as the source account is in the organization. The new accounts are created with the Control Tower account factory by other teams in a self-service fashion, so I need to filter by organization, not by account IDs or specific ARNs.

According to the VPC Flow logs user guide, you have to add the following statement (and another similar one, but let's simplify things) to the S3 bucket policy of the destination bucket:

    {
        "Sid": "AWSLogDeliveryWrite",
        "Effect": "Allow",
        "Principal": {"Service": "delivery.logs.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": "my-s3-arn",
        "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceAccount": "account_id"
            },
            "ArnLike": {
                "aws:SourceArn": "arn:aws:logs:region:account_id:*"
            }
        }
    }

As I need to filter by organization and not by account, I tried using the aws:PrincipalOrgID condition key instead of SourceAccount and SourceArn. However, I get an error saying that aws:PrincipalOrgID does not support service principals, and I cannot create the policy.

I also tried with the aws:PrincipalOrgPaths condition key. Then, it lets me create the policy but when I try to create the Flow log it says "Access Denied for LogDestination: bucket_name. Please check LogDestination permissions."

I have also tried keeping the principal as "*" and adding the "aws:PrincipalServiceName": "" to the condition but I get the same error when trying to create the Flow logs.

Does anyone have any idea how I can do that?

Thanks in advance

2 Answers
Accepted Answer

You cannot use any conditions related to the organization, because the service principal is not a member of your organization.

Just deleting all conditions related to the Account ID is a simple, stupid solution. And keep the S3 bucket name secret. I believe that service is safe enough.

I know it is not the best, but it is simple! :)

answered 6 months ago
  • Thanks for your answer @posquit0. That was my concern, that the delivery service principal is not a member of my organization. There should be a way to restrict access to service principals within an organization, as you cannot keep a bucket name secret from a malicious ex-employee.


I am creating a central S3 bucket to get all VPC flow logs from many accounts within my org. I am using the principal org ID as the condition; however, ideally we'd prevent one account overwriting another account's data. How can I make more changes to the following policy so that it follows the principle of least privilege?

    S3BucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref S3Bucket
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                AWS: '*'
              Action:
                - s3:ListBucket
                - s3:PutObject
                - s3:GetBucketAcl
              Resource:
                - 'arn:aws:s3:::testpolicycfns3vpc'
                - 'arn:aws:s3:::testpolicycfns3vpc/*'
              Condition:
                StringEquals:
                  aws:PrincipalOrgID: x-xxxxxxx

Reference links:

answered 2 months ago
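Added example, not code from this thread or from AWS: a Python script that builds the two bucket-policy statements the VPC Flow Logs user guide requires on a central destination bucket (the statement quoted in the question, and the CloudFormation policy in the second answer) and runs a deliberately small IAM-style evaluator over constructed delivery requests, to show how the delivery request context interacts with the condition keys discussed above. Assumptions: delivery.logs.amazonaws.com is the Flow Logs delivery service principal (from the user guide the question cites); aws:SourceOrgID is the global condition key that carries the organization of the resource a service acts on behalf of, and whether the delivery service populates it must be confirmed in the current AWS documentation before relying on it; the bucket name, organization ID and account IDs are made up; the evaluator models only Allow statements with StringEquals and ArnLike and is an illustration, not IAM.

```python
# Added example, not code from this re:Post thread or from AWS. Assumptions:
#  - delivery.logs.amazonaws.com is the Flow Logs delivery service principal;
#  - aws:SourceOrgID is the global condition key carrying the organization of the
#    resource a service acts on behalf of; confirm in the current AWS docs that
#    the delivery service populates it before relying on it;
#  - bucket name, org ID and account IDs are made up;
#  - the evaluator models only Allow, StringEquals and ArnLike; it is not IAM.
import fnmatch
import json

DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"


def flow_log_bucket_policy(bucket, org_condition=None, region="*"):
    """AclCheck + Write statements the user guide requires. org_condition
    (e.g. {"aws:SourceOrgID": "o-..."}) is merged into StringEquals; None
    reproduces the accepted answer: nothing ties the request to a source."""
    bucket_arn = f"arn:aws:s3:::{bucket}"

    def condition(extra):
        cond = {"ArnLike": {"aws:SourceArn": f"arn:aws:logs:{region}:*:*"},
                "StringEquals": {**extra, **(org_condition or {})}}
        return {op: kv for op, kv in cond.items() if kv}  # drop empty operators

    acl_check = {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
                 "Principal": {"Service": DELIVERY_PRINCIPAL},
                 "Action": "s3:GetBucketAcl", "Resource": bucket_arn,
                 "Condition": condition({})}
    # Deliveries land under AWSLogs/<account-id>/vpcflowlogs/..., so the grant
    # need not cover the whole bucket.
    write = {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
             "Principal": {"Service": DELIVERY_PRINCIPAL},
             "Action": "s3:PutObject", "Resource": f"{bucket_arn}/AWSLogs/*",
             "Condition": condition({"s3:x-amz-acl": "bucket-owner-full-control"})}
    return {"Version": "2012-10-17", "Statement": [acl_check, write]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    """caller is {"Service": name} or {"AWS": arn}; a '*' entry matches anyone."""
    return principal == "*" or any(
        caller.get(kind) in _as_list(allowed) or "*" in _as_list(allowed)
        for kind, allowed in principal.items())


def _conditions_hold(conditions, context):
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:  # key absent from the request: condition is false
                return False
            if operator == "StringEquals":
                ok = actual == expected
            elif operator == "ArnLike":
                ok = fnmatch.fnmatchcase(actual, expected)
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def is_allowed(policy, caller, action, resource, context):
    """Simplified evaluation: allowed iff some Allow statement matches in full."""
    return any(
        stmt["Effect"] == "Allow"
        and _principal_matches(stmt["Principal"], caller)
        and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        and _conditions_hold(stmt.get("Condition", {}), context)
        for stmt in policy["Statement"])


BUCKET, ORG, REGION = "central-vpc-flow-logs", "o-exampleorgid", "eu-west-1"  # made up


def delivery_request(account, org_id):
    """Constructed request context for a PutObject by the delivery service for a
    flow log in `account`. Deliberately absent: aws:PrincipalOrgID, because the
    caller is a service principal, not a member of any organization."""
    ctx = {"aws:SourceAccount": account,
           "aws:SourceArn": f"arn:aws:logs:{REGION}:{account}:*",
           "s3:x-amz-acl": "bucket-owner-full-control"}
    if org_id:
        ctx["aws:SourceOrgID"] = org_id
    return ctx


def scenarios():
    """Map policy variant -> (in-org account allowed?, stranger allowed?)."""
    policies = {
        "question_principal_org_id": flow_log_bucket_policy(BUCKET, {"aws:PrincipalOrgID": ORG}),
        "accepted_answer_no_source_conditions": flow_log_bucket_policy(BUCKET),
        "source_org_id": flow_log_bucket_policy(BUCKET, {"aws:SourceOrgID": ORG}),
    }

    def put(policy, account, org_id):
        key = f"arn:aws:s3:::{BUCKET}/AWSLogs/{account}/vpcflowlogs/{REGION}/2024/01/01/x.log.gz"
        return is_allowed(policy, {"Service": DELIVERY_PRINCIPAL}, "s3:PutObject",
                          key, delivery_request(account, org_id))

    return {name: (put(p, "111111111111", ORG), put(p, "999999999999", "o-someoneelse"))
            for name, p in policies.items()}


if __name__ == "__main__":
    print(json.dumps(flow_log_bucket_policy(BUCKET, {"aws:SourceOrgID": ORG}), indent=2))
    for name, (member, stranger) in scenarios().items():
        print(f"{name:38} in-org={member} stranger={stranger}")
```

In the three scenarios the question's aws:PrincipalOrgID variant denies every delivery, because that key is simply not present in a service principal's request context, which is the same fact the policy validator reports; the accepted answer's condition-free policy accepts deliveries from any account, inside or outside the organization; and the aws:SourceOrgID variant admits only in-organization sources while still denying a stranger who knows the bucket name. The write statement also narrows Resource to AWSLogs/* rather than the whole bucket, since that is where the delivery service writes. Tying each object prefix to its individual source account, as the second answer asks, is not something this example models.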
