Many of our users make use of a centralized S3 bucket in one AWS account and then ship all of their CloudTrail logs to this bucket from their other AWS accounts. This is a very good approach, however it will require a bit of policy modification to work with CloudSploit's scans. The reason for this is that you create an IAM user in each of your AWS accounts which CloudSploit uses to scan the resources of that account. When CloudSploit detects that CloudTrail logs are being sent to an S3 bucket, it attempts to query that bucket's metadata for security information. If that bucket exists in another account, the CloudSploit role is often unable to make those queries.

The fix for this is simple: you will need to update the S3 bucket policy on the remote bucket to allow the CloudSploit roles you created in the other accounts to access it. You can use the following statement:

    "Sid": "AWSCloudSploitRead",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
    "Action": [

    "Resource": [

Replace the x, y, and z with the full AWS ARN of the CloudSploit role created in each of the other accounts. Replace "your-s3-bucket" with the name of your bucket.