Creation of organization CloudTrail from delegated admin account fails
Name of the resource
AWS::CloudTrail::Trail
Resource Name
No response
Issue Description
I am trying to create an organization CloudTrail from a CloudTrail delegated administrator account, but it fails during deployment.
My setup contains a management account with id 111111111111 and another account 222222222222 that is registered as a delegated CloudTrail administrator account. The CloudFormation template is being deployed in account 222222222222 and the trail is named org-cloudtrail.
During deployment Cfn calls CreateTrail and receives a successful response. The trail is created in the management account, as expected, with Arn: arn:aws:cloudtrail:us-east-1:111111111111:trail/org-cloudtrail. Cfn then invokes StartLogging, using the trail name value org-cloudtrail as the name parameter instead of an Arn for CloudTrail. This call fails with TrailNotFoundException and Cfn then proceeds to roll back the deployment.
```json
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "AssumedRole",
    "accountId": "222222222222",
    "accessKeyId": "ASIAXYKJWD7HLQEHAAAA",
    "invokedBy": "cloudformation.amazonaws.com"
  },
  "eventTime": "2024-02-24T23:18:13Z",
  "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StartLogging",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "cloudformation.amazonaws.com",
  "userAgent": "cloudformation.amazonaws.com",
  "errorCode": "TrailNotFoundException",
  "errorMessage": "Unknown trail: arn:aws:cloudtrail:us-east-1:222222222222:trail/org-cloudtrail for the user: 222222222222",
  "requestParameters": {
    "name": "org-cloudtrail"
  },
  "responseElements": null,
  "requestID": "-",
  "eventID": "-",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "222222222222",
  "eventCategory": "Management"
}
```
Cfn resource:
```yaml
rOrgTrail:
  Type: AWS::CloudTrail::Trail
  Properties:
    TrailName: 'org-cloudtrail'
    IsLogging: true
    IncludeGlobalServiceEvents: true
    IsMultiRegionTrail: true
    IsOrganizationTrail: true
    EnableLogFileValidation: true
    EventSelectors:
      - IncludeManagementEvents: true
        ReadWriteType: All
    S3BucketName: 'bucket-name'
    S3KeyPrefix: ''
```
Expected Behavior
Deploying Cfn template in the CloudTrail delegated administrator account should successfully create CloudTrail in the management account.
When invoking StartLogging, Cfn needs to pass the Arn instead of the name of the trail as the name parameter.
CLI commands executed as 222222222222:
```shell
$ aws cloudtrail start-logging --name org-cloudtrail

An error occurred (TrailNotFoundException) when calling the StartLogging operation: Unknown trail: arn:aws:cloudtrail:us-east-1:222222222222:trail/org-cloudtrail for the user: 222222222222

$ aws cloudtrail start-logging --name arn:aws:cloudtrail:us-east-1:111111111111:trail/org-cloudtrail
```
Observed Behavior
Organization trail is successfully created, but CloudFormation encounters an error when calling StartLogging and rolls back the deployment.
Test Cases
- Enabled Trusted Access for AWS CloudTrail
- Register delegated administrator for AWS CloudTrail
- Try to deploy organization CloudTrail from the delegated administrator account.
Other Details
This is also reported as CDK issue: https://github.com/aws/aws-cdk/issues/26840
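The sequence the issue describes (CreateTrail from the delegated administrator, then StartLogging with the ARN that CreateTrail returned rather than the short name), written out as an added example. This is not code from the issue, from the linked CDK issue, or from AWS. The CloudTrail client is injected: with real credentials you would pass `boto3.client("cloudtrail")`, whose `create_trail`, `start_logging`, `get_trail_status` and `delete_trail` methods take the keyword arguments used below; `FakeCloudTrail` is a constructed stand-in that mimics only the behaviour recorded in the issue's event (a short name is resolved in the caller's account and fails, an ARN succeeds), and the account ids, region, trail name and bucket name are the placeholder values from the issue.

```python
"""Create an organization trail from the delegated admin account and start
logging by ARN, confirming the trail is logging before reporting success.

Added example, not code from the issue or from AWS. FakeCloudTrail is a
constructed stand-in for the CloudTrail API; boto3.client("cloudtrail")
exposes the same four methods with the same keyword arguments.
"""
import types

MGMT_ACCOUNT = "111111111111"       # management account id from the issue
DELEGATED_ACCOUNT = "222222222222"  # delegated administrator (the caller)
REGION = "us-east-1"


class TrailNotFoundException(Exception):
    """Stands in for client.exceptions.TrailNotFoundException in boto3."""


class FakeCloudTrail:
    """Constructed stand-in for the subset of the CloudTrail API used here."""

    # Mirror boto3's client.exceptions namespace so the caller's except clause
    # works unchanged against either client.
    exceptions = types.SimpleNamespace(TrailNotFoundException=TrailNotFoundException)

    def __init__(self, caller_account):
        self.caller_account = caller_account
        self.trails = {}   # trail ARN -> {"is_logging": bool}
        self.calls = []    # (operation, Name) in call order, for inspection

    def _resolve(self, name):
        # A bare name is looked up in the caller's own account, which is exactly
        # what the StartLogging error in the issue shows for 222222222222.
        if name.startswith("arn:"):
            return name
        return f"arn:aws:cloudtrail:{REGION}:{self.caller_account}:trail/{name}"

    def create_trail(self, **kwargs):
        name = kwargs["Name"]
        # An organization trail is owned by the management account.
        owner = MGMT_ACCOUNT if kwargs.get("IsOrganizationTrail") else self.caller_account
        arn = f"arn:aws:cloudtrail:{REGION}:{owner}:trail/{name}"
        self.trails[arn] = {"is_logging": False}
        self.calls.append(("CreateTrail", name))
        return {"Name": name, "TrailARN": arn}

    def start_logging(self, Name):
        arn = self._resolve(Name)
        self.calls.append(("StartLogging", Name))
        if arn not in self.trails:
            raise TrailNotFoundException(
                f"Unknown trail: {arn} for the user: {self.caller_account}")
        self.trails[arn]["is_logging"] = True
        return {}

    def get_trail_status(self, Name):
        arn = self._resolve(Name)
        if arn not in self.trails:
            raise TrailNotFoundException(
                f"Unknown trail: {arn} for the user: {self.caller_account}")
        return {"IsLogging": self.trails[arn]["is_logging"]}

    def delete_trail(self, Name):
        self.calls.append(("DeleteTrail", Name))
        self.trails.pop(self._resolve(Name), None)
        return {}


def create_org_trail(client, name, bucket, start_by_arn=True):
    """Create the organization trail, start logging and verify it is logging.

    Returns (trail_arn, is_logging). start_by_arn=False reproduces the
    CloudFormation behaviour from the issue; on failure the trail that was
    already created is deleted by ARN so the rollback leaves nothing behind.
    """
    created = client.create_trail(
        Name=name,
        S3BucketName=bucket,
        IsOrganizationTrail=True,
        IsMultiRegionTrail=True,
        IncludeGlobalServiceEvents=True,
        EnableLogFileValidation=True,
    )
    trail_arn = created["TrailARN"]
    try:
        # The ARN names the trail in the management account; the short name
        # would be resolved in the delegated admin's account and not be found.
        client.start_logging(Name=trail_arn if start_by_arn else name)
    except client.exceptions.TrailNotFoundException:
        client.delete_trail(Name=trail_arn)
        raise
    status = client.get_trail_status(Name=trail_arn)
    return trail_arn, status["IsLogging"]


def demo(start_by_arn):
    """Run the orchestration against a fresh fake client from 222222222222.
    Returns (succeeded, arn_or_error_message, is_logging_or_trails_left)."""
    client = FakeCloudTrail(DELEGATED_ACCOUNT)
    try:
        arn, is_logging = create_org_trail(client, "org-cloudtrail", "bucket-name", start_by_arn)
        return True, arn, is_logging
    except client.exceptions.TrailNotFoundException as exc:
        return False, str(exc), len(client.trails)


if __name__ == "__main__":
    print(demo(start_by_arn=False))  # the failing path from the issue
    print(demo(start_by_arn=True))   # the expected behaviour
```

Against a real account the same `create_org_trail(boto3.client("cloudtrail"), ...)` call needs the delegated administrator's CloudTrail permissions plus `s3:PutObject` on the bucket policy for the management account, as for any organization trail; the fake does not model those checks.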
I can confirm this is happening. I can see the trail created in all the member accounts. I can also state that if you use a CMK, you will have the exact same thing happen but the error will be about the CMK KMS key not existing. Once you delete the stack, these trails also stay in the accounts.
My workaround was to deploy everything in the delegated admin account / logging account, then manually create the CloudTrail in the delegated admin account. This worked fine.