diff --git a/cloudtrail/README.md b/cloudtrail/README.md
index a5227ef..d1a9a0d 100644
--- a/cloudtrail/README.md
+++ b/cloudtrail/README.md
@@ -107,6 +107,7 @@ No modules.
| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS CloudTrail KMS ARN to be used for encrypting the ClouldTrail, S3 Bucket, and SQS | `string` | n/a | yes |
| [kms\_key\_management\_identifiers](#input\_kms\_key\_management\_identifiers) | AWS IAM ARNs (roles, groups, users) for full access to the created KMS Key for this bucket | `list(string)` | `[]` | no |
| [name](#input\_name) | Name to apply to Cloudtrail, S3, SNS and SQS | `string` | `null` | no |
+| [organization\_id](#input\_organization\_id) | AWS Organization ID | `string` | `""` | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/cloudtrail/cloudwatch.tf b/cloudtrail/cloudwatch.tf
index d533b05..835aad1 100644
--- a/cloudtrail/cloudwatch.tf
+++ b/cloudtrail/cloudwatch.tf
@@ -1,7 +1,10 @@
locals {
- cloudwatch_prefix = replace(aws_cloudwatch_log_group.this.arn, "/:\\*$/", "")
- cloudwatch_suffix = format("%v_CloudTrail_%v", local.account_id, local.region)
- cloudwatch_resources = join(":", list(local.cloudwatch_prefix, "log-stream", local.cloudwatch_suffix))
+ cloudwatch_prefix = replace(aws_cloudwatch_log_group.this.arn, "/:\\*$/", "")
+ cloudwatch_suffix = format("%v_CloudTrail_%v", local.account_id, local.region)
+ org_cloudwatch_suffix = format("o-%v_*", var.organization_id)
+ cloudwatch_resources = join(":", list(local.cloudwatch_prefix, "log-stream", local.cloudwatch_suffix))
+ org_cloudwatch_resources = var.enable_organization ? join(":", list(local.cloudwatch_prefix, "log-stream", local.org_cloudwatch_suffix)) : ""
+ resources = compact(concat(local.cloudwatch_resoures, local.org_cloudwatch_resources))
}
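Review bot: `local.cloudwatch_resoures` on the new `resources =` line is a typo for `cloudwatch_resources`, and `concat()` there is applied to two strings rather than lists, so the module cannot plan; the line should read `resources = compact([local.cloudwatch_resources, local.org_cloudwatch_resources])`. The `org_cloudwatch_suffix` format `o-%v_*` also prepends `o-` to a value that AWS organization IDs already carry (`o-xxxxxxxxxx`), so a caller passing the ID as the console shows it would get a stream pattern `o-o-…_*` that does not match organization-trail log streams — either document that the prefix must be omitted or drop it from the format. With `enable_organization = true` and `organization_id` left at its `""` default the pattern collapses to `o-_*`, which deserves an explicit check rather than silently widening the stream match. The new lines also keep the deprecated `list()` function, which plain `[ ... ]` literals replace without changing behaviour. Naming the combined local something more specific than `resources`, e.g. `cloudwatch_log_stream_arns`, would make the two consumers below easier to read.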
data "aws_iam_policy_document" "cloudwatch_policy" {
@@ -9,14 +12,14 @@ data "aws_iam_policy_document" "cloudwatch_policy" {
sid = "AWSCloudTrailCreateLogStream"
effect = "Allow"
actions = ["logs:CreateLogStream"]
- resources = [local.cloudwatch_resources]
+ resources = [local.resources]
}
statement {
sid = "AWSCloudTrailPutLogEvents"
effect = "Allow"
actions = ["logs:PutLogEvents"]
- resources = [local.cloudwatch_resources]
+ resources = [local.resources]
}
}
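Review bot: `resources = [local.resources]` in both statements wraps the already list-valued local in another list, producing a list of lists where `aws_iam_policy_document` expects a list of strings; both lines should be `resources = local.resources`. This assumes `local.resources` is the `compact(...)` result defined in the locals block earlier in the file, which is the only definition visible in this diff. The `cloudwatch_policy` data block opens before this hunk.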
diff --git a/cloudtrail/main.tf b/cloudtrail/main.tf
index dc18bf9..83f5c6f 100644
--- a/cloudtrail/main.tf
+++ b/cloudtrail/main.tf
@@ -72,3 +72,6 @@ locals {
data "aws_kms_key" "incoming_key" {
key_id = var.kms_key_arn
}
+
+# data "aws_organizations_organization" "org" {}
+
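Review bot: The added `# data "aws_organizations_organization" "org" {}` is commented-out code with no explanation of why it is disabled. If the intent is to derive the organization ID rather than require `var.organization_id`, `data.aws_organizations_organization.org.id` already yields the `o-…` identifier and would make the new variable unnecessary; otherwise the line should be dropped rather than left as dead code. If it must stay, a one-line comment stating the blocker would help the next maintainer, e.g. `# TODO: replace var.organization_id with data.aws_organizations_organization.org.id once <reason> is resolved`.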
diff --git a/cloudtrail/variables.tf b/cloudtrail/variables.tf
index c588afb..65a5a1e 100644
--- a/cloudtrail/variables.tf
+++ b/cloudtrail/variables.tf
@@ -72,9 +72,14 @@ variable "component_tags" {
default = { "s3" = {}, "kms" = {}, "ddb" = {} }
}
-
variable "enable_organization" {
description = "Enable CloudTrail as an organization trail. This will only work in the organization master account"
type = bool
default = false
}
+
+variable "organization_id" {
+ description = "AWS Organization ID"
+ type = string
+ default = ""
+}
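Review bot: The new `organization_id` variable accepts any string, including the `""` default, with no relation to `enable_organization`, so a misconfigured module silently builds an empty or malformed CloudWatch log-stream pattern instead of failing at plan time. If the module targets Terraform 0.13 or later, a `validation` block pinning the documented organization ID shape would catch this early; the surrounding file's use of `list()` suggests an older baseline, so confirm the version before adding it. The description should also state the expected shape and when the value is required, e.g. `description = "AWS Organization ID (o-xxxxxxxxxx); required when enable_organization is true"`.
```hcl
variable "organization_id" {
  description = "AWS Organization ID (o-xxxxxxxxxx); required when enable_organization is true"
  type        = string
  default     = ""

  validation {
    condition     = var.organization_id == "" || can(regex("^o-[a-z0-9]{10,32}$", var.organization_id))
    error_message = "organization_id must be empty or an AWS organization ID of the form o-xxxxxxxxxx."
  }
}
```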