Amazon S3 bucket policy for CloudTrail Lake query results - Amazon CloudTrail
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon S3 bucket policy for CloudTrail Lake query results

By default, Amazon S3 buckets and objects are private. Only the resource owner (the Amazon account that created the bucket) can access the bucket and objects it contains. The resource owner can grant access permissions to other resources and users by writing an access policy.

To deliver CloudTrail Lake query results to an S3 bucket, CloudTrail must have the required permissions, and it cannot be configured as a Requester Pays bucket.

CloudTrail adds the following fields in the policy for you:

  • The allowed SIDs

  • The bucket name

  • The service principal name for CloudTrail

As a security best practice, add an aws:SourceArn condition key to the Amazon S3 bucket policy. The IAM global condition key aws:SourceArn helps ensure that CloudTrail writes to the S3 bucket only for the event data store.

The following policy allows CloudTrail to deliver query results to the bucket from supported Amazon Web Services Regions. Replace myBucketName, myAccountID, and myQueryRunningRegion with the appropriate values for your configuration. The myAccountID is the Amazon account ID used for CloudTrail, which may not be the same as the Amazon account ID for the S3 bucket.


If your bucket policy includes a statement for a KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, Amazon KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.

If this is an organization event data store, the event data store ARN must include the Amazon account ID for the management account. This is because the management account maintains ownership of all organization resources.

S3 bucket policy

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSCloudTrailLake1", "Effect": "Allow", "Principal": {"Service": ""}, "Action": [ "s3:PutObject*", "s3:Abort*" ], "Resource": [ "arn:aws:s3:::myBucketName", "arn:aws:s3:::myBucketName/*" ], "Condition": { "StringLike": { "aws:sourceAccount": "myAccountID", "aws:sourceArn": "arn:aws:cloudtrail:myQueryRunningRegion:myAccountID:eventdatastore/*" } } }, { "Sid": "AWSCloudTrailLake2", "Effect": "Allow", "Principal": {"Service":""}, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::myBucketName", "Condition": { "StringLike": { "aws:sourceAccount": "myAccountID", "aws:sourceArn": "arn:aws:cloudtrail:myQueryRunningRegion:myAccountID:eventdatastore/*" } } } ] }

Specifying an existing bucket for CloudTrail Lake query results

If you specified an existing S3 bucket as the storage location for CloudTrail Lake query results delivery, you must attach a policy to the bucket that allows CloudTrail to deliver the query results to the bucket.


As a best practice, use a dedicated S3 bucket for CloudTrail Lake query results.

To add the required CloudTrail policy to an Amazon S3 bucket
  1. Open the Amazon S3 console at

  2. Choose the bucket where you want CloudTrail to deliver your Lake query results, and then choose Permissions.

  3. Choose Edit.

  4. Copy the S3 bucket policy for query results to the Bucket Policy Editor window. Replace the placeholders in italics with the names of your bucket, Region, and account ID.


    If the existing bucket already has one or more policies attached, add the statements for CloudTrail access to that policy or policies. Evaluate the resulting set of permissions to be sure that they are appropriate for the users who access the bucket.

Additional resources

For more information about S3 buckets and policies, see Using bucket policies in the Amazon Simple Storage Service User Guide.