Issue
After integrating an AWS Organization with Red Canary, telemetry is only being received for the AWS Account hosting the S3 bucket configured in Step 2A of the integration form.
Environment
AWS Integration (Organization scope)
Resolution
After configuring an organizational Trail, you must modify the storage location's bucket policy in S3 to allow cross-account writes from CloudTrail. Without this cross-account permission, no Trails from other accounts in the AWS Organization can write logs to S3.
Cause
For an S3 bucket to receive log files from all accounts in an AWS Organization, its bucket policy must explicitly grant the s3:PutObject permission to write log files from all the accounts. This means you must modify the bucket policy on your destination bucket to grant CloudTrail permission to write log files from each specified account.
redcanary-partner-access IAM role has not been deployed as a CloudFormation StackSet or Terraform template to all accounts in the AWS Organization.For more information on configuring CloudTrail, see Best Practices for CloudTrail and GuardDuty Setup