I have an AWS account with Organizations enabled. I want to ensure that certain logs from my child accounts go to my Kinesis stream in a logging account. The idea is that in future if I create a new child account in Organizations, the logs should go to Kinesis.
For this, I have created a Kinesis log destination in my logging account using the aws logs put-destination command. I added a destination policy to it. The policy I used was:
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "PutSubscriptionFilter",
    "Effect": "Allow",
    "Principal": {
      "AWS": ["*"]
    },
    "Action": "logs:PutSubscriptionFilter",
    "Resource": "arn:aws:logs:us-east-1:123456789012:destination:mytestLogDestination",
    "Condition": {
      "StringEquals": {
        "aws:PrincipalOrgID": "o-abcde12345"
      }
    }
  }
}
```
The command I used to add the destination policy was:
```bash
aws logs put-destination-policy \
  --destination-name mytestLogDestination \
  --access-policy file://destination_policy.json
```
This added the destination policy successfully. I can confirm this by running the command `aws logs describe-destinations --destination-name-prefix mytestLogDestination`. When I try to create a new subscription filter in one of my member accounts using the following command, it errors out. The command I tried is:
```bash
aws logs put-subscription-filter \
  --log-group-name "/aws/lambda/GetOrgIdFunction" \
  --filter-name randomsubscriptionfilter --filter-pattern "" \
  --destination-arn arn:aws:logs:us-east-1:123456789012:destination:mytestLogDestination
```
The error message is:

```
An error occurred (AccessDeniedException) when calling the PutSubscriptionFilter operation: User with accountId: 210987654321 is not authorized to perform: logs:PutSubscriptionFilter on resource: arn:aws:logs:us-east-1:123456789012:destination:mytestLogDestination
```
When I remove the condition and restrict the Principal to just my account (210987654321), it works fine. Is it possible to get this setup working or does AWS currently not support it?
To create a subscription filter for Lambda, create the AWS Lambda function. Ensure that you have set up the Lambda execution role. For more information, see Step 2.2: Create an IAM Role (execution role) in the AWS Lambda Developer Guide.
After talking to AWS Support, this is a CloudWatch Logs limitation, as they don't yet support PrincipalOrgID. We would have to add each account separately when creating the log destination policy.
Marking this as an answer for now.
According to a new AWS release, this is now supported. AWS documentation for reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateDestination.html
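The two policy shapes discussed in this thread, the org-scoped one from the question (which the update above says is now supported) and the per-account workaround from the accepted answer, side by side. This is an added example, not code from the question, the answers or AWS; the `is_allowed` evaluator is a deliberately small model of how a single Allow statement with a `StringEquals` condition behaves and does not reproduce the full IAM evaluation logic (no explicit Deny handling, only `StringEquals`). The destination ARN, org ID and account IDs are the thread's placeholder values, not real identifiers.

```python
# Added example (not from the question or answers): build the two destination
# policy shapes discussed in the thread and evaluate them with a minimal,
# illustrative model of single-statement policy logic. The ARN, org ID and
# account IDs below are the thread's placeholder values, not real identifiers.
import json

DESTINATION_ARN = "arn:aws:logs:us-east-1:123456789012:destination:mytestLogDestination"
ORG_ID = "o-abcde12345"  # placeholder from the question, not a real org ID


def build_org_destination_policy(destination_arn: str, org_id: str) -> dict:
    """Single statement: any principal may PutSubscriptionFilter on the
    destination, but only if the caller belongs to the given organization."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PutSubscriptionFilter",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "logs:PutSubscriptionFilter",
            "Resource": destination_arn,
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def build_account_list_policy(destination_arn: str, account_ids: list) -> dict:
    """The workaround from the accepted answer: enumerate each member account
    explicitly instead of relying on aws:PrincipalOrgID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PutSubscriptionFilter",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{acct}:root" for acct in account_ids]},
            "Action": "logs:PutSubscriptionFilter",
            "Resource": destination_arn,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal: dict, account_id: str) -> bool:
    """'*' matches everyone; otherwise the caller's account root ARN or bare ID."""
    allowed = _as_list(principal.get("AWS", []))
    return any(p in ("*", account_id, f"arn:aws:iam::{account_id}:root") for p in allowed)


def _conditions_hold(condition: dict, request_context: dict) -> bool:
    """Only StringEquals is modelled. A key absent from the request context
    (e.g. a caller outside any organization) fails the condition."""
    for key, expected in condition.get("StringEquals", {}).items():
        if request_context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy: dict, action: str, resource: str,
               caller_account: str, request_context: dict) -> bool:
    """Illustrative evaluator: an Allow statement that matches action, resource,
    principal and conditions grants access. Explicit Deny is not modelled."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        if resource not in _as_list(stmt["Resource"]):
            continue
        if not _principal_matches(stmt["Principal"], caller_account):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), request_context):
            continue
        return True
    return False


def unconditioned_wildcard_statements(policy: dict) -> list:
    """Review check: an Allow with Principal '*' and no Condition lets any AWS
    account attach a subscription filter to the destination. Returns the Sids."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in _as_list(stmt.get("Principal", {}).get("AWS", []))
        if wildcard and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def policy_json(policy: dict) -> str:
    """Serialised form to write to the file passed via --access-policy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    org_policy = build_org_destination_policy(DESTINATION_ARN, ORG_ID)
    print(policy_json(org_policy))
    member_ctx = {"aws:PrincipalOrgID": ORG_ID}
    print(is_allowed(org_policy, "logs:PutSubscriptionFilter", DESTINATION_ARN,
                     "210987654321", member_ctx))
```

The `unconditioned_wildcard_statements` check is the one worth keeping around: the org condition is what turns `"Principal": {"AWS": "*"}` from "anyone on AWS" into "anyone in my organization", so dropping the condition while troubleshooting (as the question describes) should never be left in place.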
How annoying, I wasted so much time testing different methods to try and get this running. Glad I eventually found your answer! I don't suppose they gave you any further information regarding dates when it might be supported? I'm assuming no conditions work with these policies as I tried PrincipleArn and I was having the same issue.