Description
To ensure that every AWS account in an organization sends its AWS CloudTrail logs to a centralized Amazon S3 logging bucket, and that any account created in the future is covered by the same configuration, implement the following actions.
Steps
- Create and Configure a New Trail
  - Create a new CloudTrail trail in the management account.
  - Configure the trail to send CloudTrail logs to a centralized Amazon S3 bucket.
- Apply the Trail to the Organization
  - Edit the newly created trail.
  - Apply it to the entire AWS Organization so that all member accounts inherit this configuration.
- Prevent Deletion or Stopping of CloudTrail
  - Create a Service Control Policy (SCP) to deny actions that could disable or delete the CloudTrail trail.
  - Specifically, deny the cloudtrail:Delete* and cloudtrail:Stop* actions.
  - Apply this SCP to all member accounts to enforce the policy.
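The SCP from the last step, written out as an added example (not from the original page) together with a small matcher that shows which CloudTrail API calls the two wildcard patterns actually cover. The statement Sid and the probe action names are assumptions; the IAM wildcard semantics (case-insensitive, `*` matches any run of characters) are standard.

```python
import json
import re

# Added example: the guardrail SCP described in the steps above.
# The Sid is an assumption; the Deny actions are the ones the page names.
CLOUDTRAIL_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudTrailDeleteOrStop",
            "Effect": "Deny",
            "Action": ["cloudtrail:Delete*", "cloudtrail:Stop*"],
            "Resource": "*",
        }
    ],
}


def scp_json() -> str:
    """Serialize the SCP as the document passed to the Organizations API."""
    return json.dumps(CLOUDTRAIL_GUARDRAIL_SCP, indent=2)


def _action_matches(pattern: str, action: str) -> bool:
    """IAM-style match: case-insensitive, '*' any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def scp_denies(action: str, policy: dict = CLOUDTRAIL_GUARDRAIL_SCP) -> bool:
    """True if any Deny statement in the SCP matches the given API action.

    A False result only means this SCP does not block the call; whether the
    call is permitted still depends on the account's other SCPs and IAM.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            return True
    return False


def check_guardrail() -> dict:
    """Exercise the SCP against constructed probe actions (assumed names)."""
    probes = ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
              "cloudtrail:DescribeTrails", "cloudtrail:CreateTrail"]
    return {a: scp_denies(a) for a in probes}
```

SCPs never apply to the management account itself, so the trail there is protected by that account's IAM policies rather than by this guardrail.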
Rationale
By creating the trail in the management account and applying it to the organization, you ensure that all member accounts, both existing and future, are covered. The SCP then prevents any accidental or intentional change in a member account that could stop or delete the CloudTrail logging.