asantos82 · August 28, 2023 13:56
diff --git a/cfn.yml b/cfn.yml
 S3Policy:
  Type: "AWS::S3::BucketPolicy"
  Properties:
    Bucket: !Ref S3BucketTrail
    PolicyDocument:
      Statement:
        - Sid: AWSCloudTrailAclCheck
          Effect: Allow
          Principal:
            Service:
              - cloudtrail.amazonaws.com
          Action: s3:GetBucketAcl
          Resource: !Sub arn:${AWS::Partition}:s3:::${S3BucketTrail}
          Condition:
            StringEquals:
              aws:SourceArn: !Sub arn:${AWS::Partition}:cloudtrail:${CloudTrailRegion}:${CloudTrailDelegatedAdmin}:trail/${CloudTrailName}
        - Sid: AWSCloudTrailWrite
          Effect: Allow
          Principal:
            Service:
              - cloudtrail.amazonaws.com
          Action: s3:PutObject
          Resource:
            - !Sub arn:${AWS::Partition}:s3:::${S3BucketTrail}/AWSLogs/${CloudTrailDelegatedAdmin}/*
          Condition:
            StringEquals:
              s3:x-amz-acl: bucket-owner-full-control
              aws:SourceArn: !Sub arn:${AWS::Partition}:cloudtrail:${CloudTrailRegion}:${CloudTrailDelegatedAdmin}:trail/${CloudTrailName}
        - Sid: AWSCloudTrailOrganizationWrite
          Effect: Allow
          Principal:
            Service:
              - cloudtrail.amazonaws.com
          Action: s3:PutObject
          Resource:
            - !Sub arn:${AWS::Partition}:s3:::${S3BucketTrail}/AWSLogs/${AWSOrg}/*
          Condition:
            StringEquals:
              s3:x-amz-acl: bucket-owner-full-control
              aws:SourceArn: !Sub arn:${AWS::Partition}:cloudtrail:${CloudTrailRegion}:${CloudTrailDelegatedAdmin}:trail/${CloudTrailName}
	S3Policy:
	Type: "AWS::S3::BucketPolicy"
	Properties:
	Bucket: !Ref S3BucketTrail
	PolicyDocument:
	Statement:
	- Sid: AWSCloudTrailAclCheck
	Effect: Allow
	Principal:
	Service:
	- cloudtrail.amazonaws.com
	Action: s3:GetBucketAcl
	Resource: !Sub arn:${AWS::Partition}:s3:::${S3BucketTrail}
	Condition:
	StringEquals:
	aws:SourceArn: !Sub arn:${AWS::Partition}:cloudtrail:${CloudTrailRegion}:${CloudTrailDelegatedAdmin}:trail/${CloudTrailName}
	- Sid: AWSCloudTrailWrite
	Effect: Allow
	Principal:
	Service:
	- cloudtrail.amazonaws.com
	Action: s3:PutObject
	Resource:
	- !Sub arn:${AWS::Partition}:s3:::${S3BucketTrail}/AWSLogs/${CloudTrailDelegatedAdmin}/*
	Condition:
	StringEquals:
	s3:x-amz-acl: bucket-owner-full-control
	aws:SourceArn: !Sub arn:${AWS::Partition}:cloudtrail:${CloudTrailRegion}:${CloudTrailDelegatedAdmin}:trail/${CloudTrailName}
	- Sid: AWSCloudTrailOrganizationWrite
	Effect: Allow
	Principal:
	Service:
	- cloudtrail.amazonaws.com
	Action: s3:PutObject
	Resource:
	- !Sub arn:${AWS::Partition}:s3:::${S3BucketTrail}/AWSLogs/${AWSOrg}/*
	Condition:
	StringEquals:
	s3:x-amz-acl: bucket-owner-full-control
	aws:SourceArn: !Sub arn:${AWS::Partition}:cloudtrail:${CloudTrailRegion}:${CloudTrailDelegatedAdmin}:trail/${CloudTrailName}