How can I change my CloudTrail trail to an AWS Organization trail?

Last updated: 2020-01-16

I want to change my AWS CloudTrail trail to an AWS Organizations trail instead of creating a new trail.  

Resolution

Modify the Amazon Simple Storage Service (Amazon S3) bucket policy permissions for your CloudTrail log files so that CloudTrail can write under the organization ID prefix as well as the account prefix. Then, in the AWS master account, modify your CloudTrail trail and change it to an Organizations trail.

If you haven't already done so, follow the instructions to prepare for creating a trail for your organization.

Modify your Amazon S3 bucket policy

1.    Open the Amazon S3 console, and then choose Buckets.

2.    In Bucket name, choose the S3 bucket that contains your CloudTrail log files.

3.    Choose Permissions, and then choose Bucket Policy.

4.    Copy and paste the following example policy, and then choose Save.

Note: Replace the following values:

    Replace master-account-id with your Organizations master account ID.

    Replace bucket-name with your S3 bucket name.

    Replace org-id with your Organizations ID.

    Replace your-region with your AWS Region.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::bucket-name"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/AWSLogs/master-account-id/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/AWSLogs/org-id/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

Modify your AWS Identity and Access Management (IAM) role

Note: These steps are required only if you're Monitoring CloudTrail Log Files with Amazon CloudWatch Logs.

1.    Be sure that your organization has all features enabled.

2.    Follow the instructions to configure Organizations to trust CloudTrail as a trusted service.

3.    Open the IAM console, and then choose Policies.

4.    In Policy name, choose the IAM policy that CloudTrail uses to deliver events to your CloudWatch Logs log group in the AWS master account.

5.    Choose Edit policy, copy and paste the following example policy, and then choose Save.

Note: Replace the following values:

    Replace your-region with your AWS Region.

    Replace master-account-id with your Organizations master account ID.

    Replace org-id with your Organizations ID.

    Replace log-group-name with your CloudWatch log group name.  

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailCreateLogStream",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream"
            ],
            "Resource": [
                "arn:aws:logs:your-region:master-account-id:log-group:CloudTrail/log-group-name:log-stream:master-account-id_CloudTrail_your-region*",
                "arn:aws:logs:your-region:master-account-id:log-group:CloudTrail/log-group-name:log-stream:org-id*"
            ]
        },
        {
            "Sid": "AWSCloudTrailPutLogEvents",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:your-region:master-account-id:log-group:CloudTrail/log-group-name:log-stream:master-account-id_CloudTrail_your-region*",
                "arn:aws:logs:your-region:master-account-id:log-group:CloudTrail/log-group-name:log-stream:org-id*"
            ]
        }
    ]
}

6.    Open the CloudTrail console, and then choose Trails in the navigation pane.

7.    In Trail name, choose your trail.

8.    In CloudWatch logs, choose the edit icon, and then choose Continue.

9.    In Role Summary, choose Allow.

Update your CloudTrail trail to an Organization trail

1.    Open the CloudTrail console, and then choose Trails in the navigation pane.

2.    In Trail name, choose your trail.

3.    In Trail settings, choose the edit icon.

4.    In Apply trail to my organization, choose Yes, and then choose Save.
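The following script is an added example, not part of the AWS article: it builds the two policy documents from the procedure above with the placeholders filled in, checks an existing bucket policy for the grants CloudTrail needs after the change (the AWSLogs/org-id/* prefix is the one a single-account trail's policy is usually missing), and shows the UpdateTrail call that flips the trail. All account, organization, bucket and log-group values are constructed placeholders; the build and check functions run offline, and only the final apply step needs boto3 and credentials for the master account.

```python
import json

# Constructed placeholder values standing in for the article's
# master-account-id, org-id, bucket-name, your-region and log-group-name.
MASTER_ACCOUNT_ID = "111111111111"
ORG_ID = "o-exampleorgid"
BUCKET = "example-cloudtrail-bucket"
REGION = "us-east-1"
LOG_GROUP = "example-log-group"

CLOUDTRAIL = "cloudtrail.amazonaws.com"


def build_bucket_policy(bucket, master_account_id, org_id):
    """S3 bucket policy from the article with the placeholders filled in."""
    def put_object(sid, prefix):
        # CloudTrail must be able to write under both the account and org prefixes,
        # and must hand the object to the bucket owner (ACL condition).
        return {
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{prefix}/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            put_object("AWSCloudTrailWrite20150319", master_account_id),
            put_object("AWSCloudTrailWrite", org_id),
        ],
    }


def build_logs_policy(region, master_account_id, org_id, log_group):
    """IAM policy for the CloudWatch Logs role, covering both log-stream name patterns."""
    base = f"arn:aws:logs:{region}:{master_account_id}:log-group:CloudTrail/{log_group}:log-stream:"
    streams = [f"{base}{master_account_id}_CloudTrail_{region}*", f"{base}{org_id}*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailCreateLogStream", "Effect": "Allow",
             "Action": ["logs:CreateLogStream"], "Resource": streams},
            {"Sid": "AWSCloudTrailPutLogEvents", "Effect": "Allow",
             "Action": ["logs:PutLogEvents"], "Resource": streams},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_cloudtrail_grants(policy, bucket, master_account_id, org_id):
    """Return the (action, resource) grants CloudTrail needs that the policy lacks.

    Only explicit Allow statements whose Principal is the CloudTrail service
    principal are counted; a wildcard principal is not treated as a grant.
    """
    required = {
        ("s3:GetBucketAcl", f"arn:aws:s3:::{bucket}"),
        ("s3:PutObject", f"arn:aws:s3:::{bucket}/AWSLogs/{master_account_id}/*"),
        ("s3:PutObject", f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/*"),
    }
    granted = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or CLOUDTRAIL not in services:
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                granted.add((action, resource))
    return sorted(required - granted)


def apply_with_boto3(trail_name, bucket, bucket_policy, profile_name=None):
    """Push the bucket policy and flip the trail to an organization trail.

    Needs credentials for the master account, so it is not exercised offline.
    The IAM role policy from the CloudWatch Logs section is left to the console.
    """
    import boto3  # imported here so the offline helpers above work without it
    session = boto3.Session(profile_name=profile_name)
    session.client("s3").put_bucket_policy(Bucket=bucket, Policy=json.dumps(bucket_policy))
    return session.client("cloudtrail").update_trail(Name=trail_name, IsOrganizationTrail=True)


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, MASTER_ACCOUNT_ID, ORG_ID)
    print(json.dumps(policy, indent=4))
    print("missing grants:", missing_cloudtrail_grants(policy, BUCKET, MASTER_ACCOUNT_ID, ORG_ID))
```

Run `missing_cloudtrail_grants` against the policy you currently have on the bucket (for example the output of `aws s3api get-bucket-policy`) before pasting the new one; an empty list means CloudTrail already has every grant the organization trail will use, and anything listed is what the replacement policy adds.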