CloudTrail is the audit trail of your AWS environment. When it stops working, you lose visibility into who’s doing what in your accounts. I’ve seen this scenario dozens of times: you’re monitoring CloudTrail in a member account, and suddenly the log delivery stops. You check CloudTrail and see the error: “CloudTrail: S3 bucket policy does not allow CloudTrail to write logs.” Now you’re in crisis mode because you have no audit trail. In this post, I’ll show you how to diagnose and fix CloudTrail S3 permission errors.
The Problem
Control Tower deploys a centralized CloudTrail that logs all API calls from all accounts in the organization to an S3 bucket in the Log Archive account. For this to work, the S3 bucket policy must explicitly allow the CloudTrail service to write logs. If the policy is missing or incorrect, CloudTrail cannot deliver logs and you get a permission error.
| Error Type | Description |
|---|---|
| S3 bucket policy incorrect | CloudTrail service principal not allowed in policy |
| Block Public Access conflict | S3 block public access overrides bucket policy |
| KMS key policy missing | Encryption key doesn’t allow CloudTrail to write |
| Bucket ACL conflict | ACL conflicts with IAM policy |
| Cross-account permissions revoked | Organization trail permissions were removed |
Why Does This Happen?
- Log Archive S3 bucket policy was manually modified — The bucket policy includes a specific Principal for the CloudTrail service. If you manually edit the policy or replace it, you might accidentally remove this principal, and CloudTrail loses write access.
- S3 Block Public Access overrides were applied — While Block Public Access doesn’t block CloudTrail (it’s not “public”), misconfiguration of bucket policies combined with Block Public Access can cause issues. Specifically, if you have old ACL-based permissions, they might be blocked.
- KMS key policy for log encryption was modified — Control Tower uses KMS to encrypt logs at rest. If you modified the KMS key policy and removed CloudTrail’s permission to use the key, encryption fails and logs don’t get written.
- Bucket ACL conflict (rare with newer buckets) — Older bucket policies sometimes included ACL-based permissions. If these were misconfigured, CloudTrail cannot write.
- Cross-account permissions for the centralized trail were revoked — The organization trail in the management account needs explicit permission to deliver logs to the Log Archive bucket. If this permission was revoked, logs stop flowing.
The Fix
Fix the S3 bucket policy in the Log Archive account to restore CloudTrail logging.
Step 1: Check the Current Bucket Policy
Log into the Log Archive account and retrieve the bucket policy:
```
aws s3api get-bucket-policy \
  --bucket aws-controltower-logs-ACCOUNT-ID-REGION \
  --region us-east-1
```
Replace ACCOUNT-ID with your Log Archive account ID and REGION with your primary region.
Step 2: Review the Policy Structure
The policy should look like this (simplified):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::aws-controltower-logs-ACCOUNT-ID-REGION"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::aws-controltower-logs-ACCOUNT-ID-REGION/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```
Check that both statements are present and the Principal is set to "Service": "cloudtrail.amazonaws.com".
Step 3: Restore or Correct the Policy
If the policy is missing or incorrect, you need to restore it. The safest way is to let Control Tower repair the landing zone, which will re-apply the correct policy:
Control Tower → Landing Zone → Check for drift → Repair
If you need to manually fix it immediately, follow these steps:
- Go to the S3 console in the Log Archive account.
- Select the aws-controltower-logs-* bucket.
- Go to Permissions → Bucket policy.
- Click Edit and paste the correct policy (from the template above, adjusted for your account and region).
- Click Save.
Step 4: Verify KMS Key Policy
If logs are encrypted (they should be), verify the KMS key policy allows CloudTrail:
```
aws kms get-key-policy \
  --key-id arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID \
  --policy-name default \
  --region us-east-1
```
The policy should include a statement allowing "kms:GenerateDataKey" and "kms:DecryptDataKey" for the CloudTrail service principal.
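The two reviews above (Step 2 for the bucket policy, Step 4 for the KMS key policy) are easy to get wrong by eye, because Action, Resource and Principal may be strings or lists and may contain wildcards. The following Python script is an added example, not part of the original post or of Control Tower: it evaluates the JSON that aws s3api get-bucket-policy and aws kms get-key-policy print (both wrap the policy document as a JSON string in a "Policy" field) and reports which of the grants CloudTrail needs are missing. The sample responses, the bucket and key placeholders (taken from the post), the representative object key under AWSLogs/ and the function names are all constructed for the example; an explicit Deny that matches the service is treated as overriding an Allow, as IAM does.

```python
import fnmatch
import json

CLOUDTRAIL = "cloudtrail.amazonaws.com"
BUCKET = "aws-controltower-logs-ACCOUNT-ID-REGION"          # placeholder name from the post
KEY_ARN = "arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID"          # placeholder ARN from the post

# Constructed sample of `aws s3api get-bucket-policy` output: the healthy policy.
BUCKET_POLICY_RESPONSE = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ]})})

# Constructed sample of `aws kms get-key-policy --policy-name default` output,
# reduced to the single statement that matters for log delivery.
KEY_POLICY_RESPONSE = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL},
         "Action": "kms:GenerateDataKey*",
         "Resource": "*"},
    ]})})


def _as_list(value):
    """Action, Resource and Principal.Service may be a single string or a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _matches(statement, service, action, resource):
    """Does this statement cover `service` performing `action` on `resource`?
    IAM's '*' and '?' wildcards in Action/Resource are honoured via fnmatch."""
    principal = statement.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    return (service in services
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement.get("Action")))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement.get("Resource"))))


def _granted(statements, service, action, resource):
    """An Allow counts only when no matching Deny exists (explicit deny wins)."""
    matching = [s for s in statements if _matches(s, service, action, resource)]
    return (any(s.get("Effect") == "Allow" for s in matching)
            and not any(s.get("Effect") == "Deny" for s in matching))


def _statements(cli_response_json):
    """Unwrap the CLI envelope: {"Policy": "<policy document as a JSON string>"}."""
    policy = json.loads(json.loads(cli_response_json)["Policy"])
    return _as_list(policy.get("Statement"))


def check_bucket_policy(cli_response_json, bucket):
    """Problems found in the Log Archive bucket policy (empty list means OK)."""
    stmts = _statements(cli_response_json)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # Constructed representative key: CloudTrail writes under AWSLogs/<org or account id>/...
    sample_key = f"{bucket_arn}/AWSLogs/o-EXAMPLE/123456789012/CloudTrail/us-east-1/log.json.gz"
    findings = []
    if not _granted(stmts, CLOUDTRAIL, "s3:GetBucketAcl", bucket_arn):
        findings.append("AWSCloudTrailAclCheck missing: CloudTrail cannot s3:GetBucketAcl on the bucket")
    if not _granted(stmts, CLOUDTRAIL, "s3:PutObject", sample_key):
        findings.append("AWSCloudTrailWrite missing: CloudTrail cannot s3:PutObject under the bucket")
    return findings


def check_key_policy(cli_response_json, key_arn=KEY_ARN):
    """Problems found in the KMS key policy: CloudTrail needs kms:GenerateDataKey*
    on the log key to encrypt the objects it delivers (empty list means OK)."""
    stmts = _statements(cli_response_json)
    if not _granted(stmts, CLOUDTRAIL, "kms:GenerateDataKey", key_arn):
        return ["CloudTrail cannot kms:GenerateDataKey on the log encryption key"]
    return []


def without_sid(cli_response_json, sid):
    """Constructed negative case: drop one statement to simulate a manual policy edit."""
    outer = json.loads(cli_response_json)
    policy = json.loads(outer["Policy"])
    policy["Statement"] = [s for s in _as_list(policy.get("Statement")) if s.get("Sid") != sid]
    outer["Policy"] = json.dumps(policy)
    return json.dumps(outer)


if __name__ == "__main__":
    print("bucket policy:", check_bucket_policy(BUCKET_POLICY_RESPONSE, BUCKET) or "OK")
    print("bucket policy without write statement:",
          check_bucket_policy(without_sid(BUCKET_POLICY_RESPONSE, "AWSCloudTrailWrite"), BUCKET))
    print("key policy:", check_key_policy(KEY_POLICY_RESPONSE) or "OK")
```

To run it against a live account, replace the two sample responses with the real CLI output (for example by reading the text that aws s3api get-bucket-policy prints) and keep the bucket name and key ARN you actually use; any finding it prints is a statement you need to restore in Step 3.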
Step 5: Test CloudTrail Delivery
After fixing the policy, wait a few minutes for CloudTrail to retry delivery, then check for new logs:
```
aws s3 ls s3://aws-controltower-logs-ACCOUNT-ID-REGION/AWSLogs/ \
  --region us-east-1 \
  --recursive
```
You should see recent log files (within the last 15 minutes). If you don’t, CloudTrail may still be having issues.
Step 6: Check CloudTrail Status
In the source account (where you want to verify logging), check the CloudTrail service status:
```
aws cloudtrail describe-trail-status \
  --trail-name organization-trail \
  --region us-east-1
```
Look at the DeliveryStatus field. It should show recent IsDelivering: true entries.
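Checking delivery health by hand means comparing timestamps against the clock. The following Python snippet is an added example, not part of the original post: it evaluates the JSON printed by aws cloudtrail describe-trail-status against the 15-minute freshness window mentioned in Step 5, using the IsLogging, LatestDeliveryError and LatestDeliveryTime fields of that output. Both sample responses, the reference time NOW and the error string in the failing sample are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed reference clock for the samples below (real runs use the current time).
NOW = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)

# Constructed sample: a trail that is switched on but whose deliveries are failing.
SAMPLE_STATUS_FAILING = json.dumps({
    "IsLogging": True,
    "LatestDeliveryError": "AccessDenied",          # constructed error text
    "LatestDeliveryTime": "2024-05-01T12:00:00+00:00",
    "LatestDeliveryAttemptTime": "2024-05-01T13:55:00Z",
})

# Constructed sample: a healthy trail that delivered eight minutes ago.
SAMPLE_STATUS_HEALTHY = json.dumps({
    "IsLogging": True,
    "LatestDeliveryTime": "2024-05-01T13:52:00+00:00",
    "LatestDeliveryAttemptTime": "2024-05-01T13:52:00Z",
})


def _parse_ts(value):
    """The CLI prints ISO 8601 timestamps; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_trail_status(cli_json, now=None, max_age=timedelta(minutes=15)):
    """Return {"healthy": bool, "problems": [...]} for one describe-trail-status response."""
    now = now or datetime.now(timezone.utc)
    status = json.loads(cli_json)
    problems = []
    if not status.get("IsLogging", False):
        problems.append("trail is not logging (IsLogging is false)")
    error = status.get("LatestDeliveryError")
    if error:
        # Any value here means the most recent delivery attempt failed; with a
        # bucket policy problem this is where the S3 permission error surfaces.
        problems.append(f"latest delivery attempt failed: {error}")
    last = status.get("LatestDeliveryTime")
    if last is None:
        problems.append("no successful delivery recorded yet")
    else:
        age = now - _parse_ts(last)
        if age > max_age:
            problems.append(f"last successful delivery was {int(age.total_seconds() // 60)} minutes ago")
    return {"healthy": not problems, "problems": problems}


if __name__ == "__main__":
    for label, sample in (("failing", SAMPLE_STATUS_FAILING), ("healthy", SAMPLE_STATUS_HEALTHY)):
        print(label, assess_trail_status(sample, NOW))
```

Feed it the live output (for example aws cloudtrail describe-trail-status ... > status.json, then json from that file) and call assess_trail_status without the now argument; a non-empty problems list after the 5–10 minute retry window means the policy fix has not taken effect yet.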
How to Run This
- Log into the Log Archive account.
- Run aws s3api get-bucket-policy to retrieve the current policy.
- Compare it to the expected policy structure (shown above).
- If it’s incorrect or missing statements: go to the S3 console → bucket → Permissions → Bucket policy and paste the correct policy.
- Click Save.
- Wait 5–10 minutes for CloudTrail to retry delivery.
- Run aws s3 ls to verify new logs are appearing.
- Run aws cloudtrail describe-trail-status in the source account to confirm delivery is working.
Is This Safe?
Yes. Correcting the bucket policy is safe. The policy is purely for CloudTrail’s use — it doesn’t affect any other services. You can update it at any time without causing downtime.
Key Takeaway
CloudTrail S3 permission errors are caused by missing or incorrect bucket policies in the Log Archive account. Restore the correct policy (which includes the CloudTrail service principal), verify KMS key permissions, and CloudTrail delivery will resume.
Have questions or ran into a different Control Tower issue? Connect with me on LinkedIn or X.