CloudTrail Event Source - Organisation Trail


We are setting up a new AWS account structure using Control Tower. As part of the Control Tower setup it automatically creates an Org Trail centralising all the CloudTrail logs to a single S3 bucket in the Log Archive account.

I’ve tried both the API and SQS method in the docs and having no success.

Has anyone had success feeding the CloudTrail logs from the Log Archive S3 into IDR?


I just recently assisted another customer who was having similar issues setting up the CloudTrail event source and was similarly using Control Tower. It would seem the reason they were running into issues in their instance was the encryption policy in place: unfortunately they were using AWS Managed keys as opposed to Customer Managed (which was not adjustable). Had they been able to provide the service account used with Decrypt permission, that may have worked with the API and SQS collection options.

When they opted for using S3 Bucket as the collection method, however, there was no issue and the logs began ingesting immediately as soon as they had it configured.
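The distinction the reply draws (AWS managed key, whose policy cannot be edited, versus customer managed key, which can grant `kms:Decrypt` to the collector's principal) is something an operator can check before opening a case. The helper below is an added example, not Rapid7's or AWS's code: it mirrors the shapes returned by S3 `HeadObject` and KMS `DescribeKey` on constructed sample data so it runs offline, and emits the least-privilege IAM and KMS key-policy statements a collector role would need. The bucket name, key ARN, role ARN and region are placeholders; to use it live, replace the constants with `boto3` `head_object` / `describe_key` results.

```python
"""Pre-flight check for feeding an encrypted organization trail to a SIEM collector.

Added example (not code from the forum thread or any vendor). The sample
inputs are constructed to match the dict shapes of s3 HeadObject and
kms DescribeKey responses.
"""
import json

# Constructed sample: an object from an organization trail. Org trails write
# under AWSLogs/<org-id>/<account-id>/CloudTrail/..., so AWSLogs/* covers them.
ORG_TRAIL_OBJECT = {
    "Key": "AWSLogs/o-exampleorgid/111122223333/CloudTrail/eu-west-2/2024/"
           "01/01/111122223333_CloudTrail_eu-west-2_20240101T0000Z_abc.json.gz",
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:eu-west-2:999999999999:key/PLACEHOLDER-KEY-ID",
}

# Constructed DescribeKey metadata. KeyManager is "AWS" for AWS managed keys
# (e.g. aws/s3) and "CUSTOMER" for keys whose policy you can edit.
AWS_MANAGED_KEY = {"Arn": "arn:aws:kms:eu-west-2:999999999999:key/AWS-MANAGED-PLACEHOLDER",
                   "KeyManager": "AWS"}
CUSTOMER_KEY = {"Arn": ORG_TRAIL_OBJECT["SSEKMSKeyId"], "KeyManager": "CUSTOMER"}

# Hypothetical collector principal and bucket in the Log Archive account.
COLLECTOR_ROLE_ARN = "arn:aws:iam::999999999999:role/siem-cloudtrail-collector"
LOG_ARCHIVE_BUCKET = "example-org-cloudtrail-log-archive"
REGION = "eu-west-2"


def key_is_customer_managed(key_metadata):
    """True only when the key policy is under your control (KeyManager == CUSTOMER)."""
    return key_metadata.get("KeyManager") == "CUSTOMER"


def diagnose_object(head_object, key_metadata):
    """Explain whether a collector can be granted access to this trail object."""
    sse = head_object.get("ServerSideEncryption")
    if sse in (None, "AES256"):
        # SSE-S3 or unencrypted: S3 decrypts transparently, no KMS grant needed.
        return "ok: no KMS decryption required; s3:GetObject is sufficient"
    if sse == "aws:kms" and not key_is_customer_managed(key_metadata):
        return "blocked: object uses an AWS managed key; kms:Decrypt cannot be delegated to another principal"
    return "ok: customer managed key; grant kms:Decrypt on " + key_metadata["Arn"]


def collector_policy(bucket, key_arn=None):
    """Least-privilege IAM policy for the collector role: list, read, decrypt only."""
    statements = [
        {"Sid": "ListTrailBucket", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "ReadTrailObjects", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/*"},
    ]
    if key_arn:
        statements.append({"Sid": "DecryptTrailObjects", "Effect": "Allow",
                           "Action": "kms:Decrypt", "Resource": key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def key_policy_statement(role_arn, region):
    """KMS key-policy statement for the collector. A cross-account grant needs
    this on the key as well as the IAM policy. kms:ViaService restricts use of
    the key to S3 calls, so the role cannot decrypt arbitrary ciphertext."""
    return {
        "Sid": "AllowCollectorDecryptViaS3",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
    }


if __name__ == "__main__":
    print(diagnose_object(ORG_TRAIL_OBJECT, AWS_MANAGED_KEY))
    print(diagnose_object(ORG_TRAIL_OBJECT, CUSTOMER_KEY))
    print(json.dumps(collector_policy(LOG_ARCHIVE_BUCKET, CUSTOMER_KEY["Arn"]), indent=2))
    print(json.dumps(key_policy_statement(COLLECTOR_ROLE_ARN, REGION), indent=2))
```

The `kms:ViaService` condition and the `AWSLogs/*` prefix are hardening choices of this example: the first stops the collector principal from using the key outside S3, the second keeps the read grant off any other data that may share the bucket. Run the live variant against a single recent object and its `DescribeKey` result; the "blocked" verdict is the case the reply above describes, where switching to the S3 Bucket collection method is the workaround.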


The key used for encryption of the Organisation trail is a customer managed key. I have added the required permissions following this documentation:

I have tried the S3 Bucket as the collection method documented here:

Do you mean using a Custom Event Source and AWS S3 as the collection method?

Yes I did mean the S3 Bucket listed in those API docs. If you want to log a Support case I’d be happy to look into getting this working for you.


I currently have one open.

The case number is 03082135

Should I create another?


Perfect, I’ll liaise with the Support Engineer on this too, no need for another case