aws · sarisia · Jun 6, 2024 · Jan 13, 2025
diff --git a/packages/aws-cdk-lib/aws-cloudtrail/lib/cloudtrail.ts b/packages/aws-cdk-lib/aws-cloudtrail/lib/cloudtrail.ts
@@ -7,7 +7,7 @@ import * as lambda from '../../aws-lambda';
 import * as logs from '../../aws-logs';
 import * as s3 from '../../aws-s3';
 import * as sns from '../../aws-sns';
-import { Resource, Stack } from '../../core';
+import { Annotations, Resource, Stack } from '../../core';
 
 /**
  * Properties for an AWS CloudTrail trail
@@ -271,19 +271,24 @@ export class Trail extends Resource {
     }));
 
     if (props.isOrganizationTrail) {
-      this.s3bucket.addToResourcePolicy(new iam.PolicyStatement({
-        resources: [this.s3bucket.arnForObjects(
-          `AWSLogs/${props.orgId}/*`,
-        )],
-        actions: ['s3:PutObject'],
-        principals: [cloudTrailPrincipal],
-        conditions: {
-          StringEquals: {
-            's3:x-amz-acl': 'bucket-owner-full-control',
-            'aws:SourceArn': `arn:${this.stack.partition}:cloudtrail:${this.s3bucket.stack.region}:${this.s3bucket.stack.account}:trail/${props.trailName}`,
+      if (props.orgId !== undefined) {
+        this.s3bucket.addToResourcePolicy(new iam.PolicyStatement({
+          resources: [this.s3bucket.arnForObjects(
+            `AWSLogs/${props.orgId}/*`,
+          )],
+          actions: ['s3:PutObject'],
+          principals: [cloudTrailPrincipal],
+          conditions: {
+            StringEquals: {
+              's3:x-amz-acl': 'bucket-owner-full-control',
+              'aws:SourceArn': `arn:${this.stack.partition}:cloudtrail:${this.s3bucket.stack.region}:${this.s3bucket.stack.account}:trail/${props.trailName}`,
+            },
           },
-        },
-      }));
+        }));
+      } else {
+        Annotations.of(this).addWarningV2('@aws-cdk/aws-cloudtrail:missingOrgIdForOrganizationTrail', 'Skipped attaching a policy to the bucket to allow organization trail to write logs to it because this is an organization trail but orgId is not specified. Consider specifying orgId to attach missing permissions');
+      }
+
     }
 
     this.topic = props.snsTopic;

diff --git a/packages/aws-cdk-lib/aws-cloudtrail/test/cloudtrail.test.ts b/packages/aws-cdk-lib/aws-cloudtrail/test/cloudtrail.test.ts
@@ -1,5 +1,5 @@
 import { testDeprecated } from '@aws-cdk/cdk-build-tools';
-import { Match, Template } from '../../assertions';
+import { Annotations, Match, Template } from '../../assertions';
 import * as iam from '../../aws-iam';
 import * as kms from '../../aws-kms';
 import * as lambda from '../../aws-lambda';
@@ -376,6 +376,100 @@ describe('cloudtrail', () => {
       });
     });
 
+    test('organizationTrail without orgId', () => {
+      // GIVEN
+      const stack = getTestStack();
+
+      // WHEN
+      new Trail(stack, 'Trail', { isOrganizationTrail: true });
+
+      Template.fromStack(stack).resourceCountIs('AWS::CloudTrail::Trail', 1);
+      Template.fromStack(stack).resourceCountIs('AWS::S3::Bucket', 1);
+      Template.fromStack(stack).hasResourceProperties('AWS::S3::BucketPolicy', {
+        Bucket: { Ref: 'TrailS30071F172' },
+        PolicyDocument: {
+          Statement: [
+            {
+              Action: 's3:*',
+              Condition: {
+                Bool: {
+                  'aws:SecureTransport': 'false',
+                },
+              },
+              Effect: 'Deny',
+              Principal: {
+                AWS: '*',
+              },
+              Resource: [
+                {
+                  'Fn::GetAtt': [
+                    'TrailS30071F172',
+                    'Arn',
+                  ],
+                },
+                {
+                  'Fn::Join': [
+                    '',
+                    [
+                      {
+                        'Fn::GetAtt': [
+                          'TrailS30071F172',
+                          'Arn',
+                        ],
+                      },
+                      '/*',
+                    ],
+                  ],
+                },
+              ],
+            },
+            {
+              Action: 's3:GetBucketAcl',
+              Effect: 'Allow',
+              Principal: {
+                Service: 'cloudtrail.amazonaws.com',
+              },
+              Resource: {
+                'Fn::GetAtt': [
+                  'TrailS30071F172',
+                  'Arn',
+                ],
+              },
+            },
+            {
+              Action: 's3:PutObject',
+              Condition: {
+                StringEquals: {
+                  's3:x-amz-acl': 'bucket-owner-full-control',
+                },
+              },
+              Effect: 'Allow',
+              Principal: {
+                Service: 'cloudtrail.amazonaws.com',
+              },
+              Resource: {
+                'Fn::Join': [
+                  '',
+                  [
+                    {
+                      'Fn::GetAtt': [
+                        'TrailS30071F172',
+                        'Arn',
+                      ],
+                    },
+                    '/AWSLogs/123456789012/*',
+                  ],
+                ],
+              },
+            },
+          ],
+          Version: '2012-10-17',
+        },
+      });
+
+      Annotations.fromStack(stack).hasWarning('/TestStack/Trail', 'Skipped attaching a policy to the bucket to allow organization trail to write logs to it because this is an organization trail but orgId is not specified. Consider specifying orgId to attach missing permissions [ack: @aws-cdk/aws-cloudtrail:missingOrgIdForOrganizationTrail]');
+    });
+
     test('encryption keys', () => {
       const stack = new Stack();
       const key = new kms.Key(stack, 'key');