How can I change my CloudTrail trail to an AWS Organizations trail?

Last updated: 2022-02-09

Instead of creating a new AWS Organizations organization trail, I want to change my existing AWS CloudTrail trail to an organization trail. How do I change my CloudTrail trail to an organization trail?

Resolution

(Prerequisite) Activate trusted service access with CloudTrail

Follow the instructions in Activating trusted access with CloudTrail in the AWS Organizations User Guide.

For more information about integrating CloudTrail into Organizations, see AWS CloudTrail and AWS Organizations.

Update the Amazon S3 bucket policy for your CloudTrail log files so that the CloudTrail service principal can:

  • Deliver the trail's own log files for the primary (management) account to the Amazon Simple Storage Service (Amazon S3) bucket, under the AWSLogs/primary-account-id/ prefix.
  • Deliver log files for every account in the organization to the same bucket, under the AWSLogs/org-id/ prefix. Without this second grant, updating the trail to an organization trail fails because CloudTrail can't write to the bucket.

1.    Open the Amazon S3 console.

2.    Choose Buckets.

3.    For Bucket name, choose the S3 bucket that contains your CloudTrail log files.

4.    Choose Permissions. Then, choose Bucket Policy.

5.    Copy and paste the following example bucket policy statement into the policy editor, and then choose Save.

Important: Replace primary-account-id with the account ID of your Organizations primary account (now called the management account). Replace bucket-name with your S3 bucket name. Replace org-id with your Organizations ID (it begins with o-). The first two statements usually already exist on a trail's bucket; the AWSCloudTrailWrite statement for the org-id prefix is the one an organization trail adds.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::bucket-name"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/AWSLogs/primary-account-id/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/AWSLogs/org-id/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

(Optional) Configure permissions to monitor the organization's CloudTrail log files using CloudWatch Logs.

Note: The following steps are required only if you're monitoring CloudTrail log files with Amazon CloudWatch Logs.

1.    Make sure that your organization has all features activated.

2.    Follow the instructions in Activate CloudTrail as a trusted service in AWS Organizations.

3.    Open the AWS Identity and Access Management (IAM) console.

4.    Choose Policies.

5.    For Policy name, choose the IAM policy attached to the role that CloudTrail uses to deliver events to the CloudWatch Logs log group in your primary (management) account.

6.    Choose Edit policy, copy and paste the following example IAM policy statement, and then choose Save.

Important: Replace your-region with your AWS Region. Replace primary-account-id with the account ID of your Organizations primary (management) account. Replace org-id with your organization ID. Replace log-group-name with your CloudWatch Logs log group name. The second resource in each statement (the log streams prefixed with org-id) is what allows CloudTrail to write streams for the organization's member accounts.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailCreateLogStream",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream"
            ],
            "Resource": [
                "arn:aws:logs:your-region:primary-account-id:log-group:CloudTrail/log-group-name:log-stream:primary-account-id_CloudTrail_your-region*",
                "arn:aws:logs:your-region:primary-account-id:log-group:CloudTrail/log-group-name:log-stream:org-id*"
            ]
        },
        {
            "Sid": "AWSCloudTrailPutLogEvents",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:your-region:primary-account-id:log-group:CloudTrail/log-group-name:log-stream:primary-account-id_CloudTrail_your-region*",
                "arn:aws:logs:your-region:primary-account-id:log-group:CloudTrail/log-group-name:log-stream:org-id*"
            ]
        }
    ]
}
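The two policies above are easy to get subtly wrong (a missing org-id prefix, an ACL condition that CloudTrail's delivery request can't satisfy), and the failure only shows up when the trail update is rejected. The following is an added example, not part of this article or of any AWS tool: an offline checker that probes an S3 bucket policy and a CloudWatch Logs role policy with the concrete object key and log stream names an organization trail would write, and reports which required grants are missing. Everything in it is an assumption for illustration: the bucket name, the account and organization IDs, the sample member account ID, the sample object key, and the org-prefixed log stream name (assumed only to start with the organization ID, which is all the policy pattern above requires). The checker also accepts an aws:SourceArn or aws:SourceAccount condition if you have added one to the bucket policy; any other condition key is treated as an unknown restriction and the statement is not counted.

```python
"""Offline check that an S3 bucket policy and a CloudWatch Logs role policy grant
everything an organization trail needs. Added example with constructed sample
policies (the article's templates with placeholder IDs filled in)."""
import fnmatch
import json

SERVICE = "cloudtrail.amazonaws.com"
# Condition keys CloudTrail's delivery request satisfies (the ACL it sets) or
# that AWS documents for this policy; any other key is an unknown restriction.
KNOWN_CONDITION_KEYS = {"s3:x-amz-acl", "aws:SourceArn", "aws:SourceAccount"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    if isinstance(policy, str):
        policy = json.loads(policy)
    return _as_list(policy.get("Statement"))


def _grants(stmt, action, resource, principal=None):
    """True if an Allow statement covers `action` on `resource`.
    IAM wildcards (* and ?) in Action/Resource are matched with fnmatch."""
    if stmt.get("Effect") != "Allow":
        return False
    if principal is not None:  # bucket policies name the service principal; role policies do not
        p = stmt.get("Principal")
        services = _as_list(p.get("Service")) if isinstance(p, dict) else []
        if p != "*" and principal not in services:
            return False
    for _operator, pairs in stmt.get("Condition", {}).items():
        for key, value in pairs.items():
            if key not in KNOWN_CONDITION_KEYS:
                return False
            if key == "s3:x-amz-acl" and "bucket-owner-full-control" not in _as_list(value):
                return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action")))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))))


def _missing(policy, needs, principal=None):
    return [(a, r) for a, r in needs
            if not any(_grants(s, a, r, principal) for s in _statements(policy))]


def missing_bucket_grants(bucket_policy, bucket, mgmt_account, org_id, member="222222222222"):
    """Probe the bucket policy with the object keys an organization trail writes:
    the management account's own prefix and the org prefix. The member account ID
    and the key tail are assumed samples."""
    base = f"arn:aws:s3:::{bucket}"
    tail = "CloudTrail/us-east-1/2022/02/09/probe.json.gz"
    return _missing(bucket_policy, [
        ("s3:GetBucketAcl", base),
        ("s3:PutObject", f"{base}/AWSLogs/{mgmt_account}/{tail}"),
        ("s3:PutObject", f"{base}/AWSLogs/{org_id}/{member}/{tail}"),
    ], principal=SERVICE)


def missing_log_grants(role_policy, region, mgmt_account, log_group, org_id, member="222222222222"):
    """Same probe for the CloudWatch Logs role: the management account's stream and
    one org-prefixed stream (assumed sample name; only the org_id prefix matters)."""
    prefix = f"arn:aws:logs:{region}:{mgmt_account}:log-group:{log_group}:log-stream:"
    needs = []
    for stream in (f"{mgmt_account}_CloudTrail_{region}", f"{org_id}_{member}_CloudTrail_{region}"):
        for action in ("logs:CreateLogStream", "logs:PutLogEvents"):
            needs.append((action, prefix + stream))
    return _missing(role_policy, needs)


# Constructed samples: the article's two policies with placeholder IDs filled in.
BUCKET, MGMT, ORG, REGION = "example-trail-bucket", "111111111111", "o-exampleorgid", "us-east-1"
LOG_GROUP = "CloudTrail/DefaultLogGroup"
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": {"Service": SERVICE},
     "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow", "Principal": {"Service": SERVICE},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{MGMT}/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": {"Service": SERVICE},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ORG}/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]}
LOG_STREAMS = [f"arn:aws:logs:{REGION}:{MGMT}:log-group:{LOG_GROUP}:log-stream:{MGMT}_CloudTrail_{REGION}*",
               f"arn:aws:logs:{REGION}:{MGMT}:log-group:{LOG_GROUP}:log-stream:{ORG}*"]
SAMPLE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailCreateLogStream", "Effect": "Allow",
     "Action": ["logs:CreateLogStream"], "Resource": LOG_STREAMS},
    {"Sid": "AWSCloudTrailPutLogEvents", "Effect": "Allow",
     "Action": ["logs:PutLogEvents"], "Resource": LOG_STREAMS},
]}

if __name__ == "__main__":
    print("bucket policy missing:", missing_bucket_grants(SAMPLE_BUCKET_POLICY, BUCKET, MGMT, ORG))
    print("role policy missing:", missing_log_grants(SAMPLE_ROLE_POLICY, REGION, MGMT, LOG_GROUP, ORG))
```

Run it against the policy you actually pulled from the bucket (aws s3api get-bucket-policy returns the JSON as a string, which the checker accepts directly) and from the role; an empty list for both means the trail update has the grants it needs.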

7.    Open the CloudTrail console.

8.    In the navigation pane, choose Trails.

9.    For Trail name, choose your trail's name.

10.    For CloudWatch logs, choose the edit icon. Then, choose Continue.

11.    For Role Summary, choose Allow.

Update your CloudTrail trail to an organization trail

1.    Open the CloudTrail console, and then choose Trails in the navigation pane.

2.    For Trail name, choose your trail.

3.    For Trail settings, choose the edit icon.

4.    For Apply trail to my organization, choose Yes. Then, choose Save.
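The console steps above map onto two API calls, EnableAWSServiceAccess in Organizations and UpdateTrail in CloudTrail with IsOrganizationTrail set to true. The following is an added example, not part of this article or of any AWS tool, that performs the same change with boto3 and maps the errors UpdateTrail documents back onto the sections of this article. It assumes boto3 is installed, that the credentials in use belong to the organization's management account, that the bucket policy (and the CloudWatch Logs role policy, if used) was updated first, and that the trail name and Region passed in are yours. UpdateTrail has to be called in the trail's home Region, so the helper first sorts trails by HomeRegion; that helper is pure and runs offline on the constructed describe_trails response in the usage block.

```python
"""Switch an existing trail to an organization trail through the CloudTrail API.
Added example; boto3 is imported lazily so conversion_candidates() can be
exercised without AWS access."""
import sys

# UpdateTrail error codes that correspond to a step in this article (assumed mapping).
ERROR_HINTS = {
    "InsufficientS3BucketPolicyException": "bucket policy lacks the AWSLogs/org-id/* grant",
    "InsufficientDependencyServiceAccessPermissionException": "trusted access for CloudTrail not active",
    "OrganizationNotInAllFeaturesModeException": "organization must have all features enabled",
    "NotOrganizationMasterAccountException": "run this from the organization's management account",
    "OrganizationsNotInUseException": "this account is not in an organization",
    "InvalidHomeRegionException": "call UpdateTrail in the trail's home Region",
}


def conversion_candidates(describe_trails_response, region):
    """Split a describe_trails() response into trails that can be switched from
    `region` and trails whose home Region is elsewhere. Trails that are already
    organization trails are skipped."""
    todo, elsewhere = [], []
    for trail in describe_trails_response.get("trailList", []):
        if trail.get("IsOrganizationTrail"):
            continue
        (todo if trail.get("HomeRegion") == region else elsewhere).append(trail["Name"])
    return todo, elsewhere


def explain_update_error(error_code):
    """Human-readable hint for a failed UpdateTrail call."""
    return ERROR_HINTS.get(error_code, f"unexpected error {error_code}")


def convert_to_organization_trail(trail_name, region):
    import boto3  # assumption: boto3 installed, management-account credentials configured
    from botocore.exceptions import ClientError

    orgs = boto3.client("organizations")
    cloudtrail = boto3.client("cloudtrail", region_name=region)

    # Prerequisite from the article: trusted service access for CloudTrail (idempotent).
    orgs.enable_aws_service_access(ServicePrincipal="cloudtrail.amazonaws.com")

    todo, elsewhere = conversion_candidates(
        cloudtrail.describe_trails(trailNameList=[trail_name]), region)
    if trail_name in elsewhere:
        raise RuntimeError(explain_update_error("InvalidHomeRegionException"))
    if trail_name not in todo:  # already an organization trail
        return cloudtrail.get_trail(Name=trail_name)["Trail"]

    try:
        updated = cloudtrail.update_trail(Name=trail_name, IsOrganizationTrail=True)
    except ClientError as err:
        code = err.response["Error"]["Code"]
        raise RuntimeError(f"{code}: {explain_update_error(code)}") from err
    if not updated.get("IsOrganizationTrail"):
        raise RuntimeError("UpdateTrail returned without IsOrganizationTrail set")
    return updated


if __name__ == "__main__":
    # Offline demonstration of the home-Region sorting on a constructed response.
    sample = {"trailList": [
        {"Name": "mgmt-trail", "HomeRegion": "us-east-1", "IsOrganizationTrail": False},
        {"Name": "eu-trail", "HomeRegion": "eu-west-1", "IsOrganizationTrail": False},
        {"Name": "org-trail", "HomeRegion": "us-east-1", "IsOrganizationTrail": True},
    ]}
    print(conversion_candidates(sample, "us-east-1"))
    if len(sys.argv) == 3:  # python this.py <trail-name> <home-region>
        print(convert_to_organization_trail(sys.argv[1], sys.argv[2]))
```

After the call returns, describe_trails from a member account should show the trail as a read-only organization trail there, and new objects should start appearing under AWSLogs/org-id/ in the bucket.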