diff --git a/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go b/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
index 6c8f2c86..e1e36e5a 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/cloudtrail.go
@@ -48,7 +48,7 @@ const (
 PluginName = "cloudtrail"
 PluginDescription = "reads cloudtrail JSON data saved to file in the directory specified in the settings"
 PluginContact = "github.com/falcosecurity/plugins/"
- PluginVersion = "0.12.4"
+ PluginVersion = "0.12.5"
 PluginEventSource = "aws_cloudtrail"
 )
diff --git a/plugins/cloudtrail/pkg/cloudtrail/source.go b/plugins/cloudtrail/pkg/cloudtrail/source.go
index 8cbc0aee..ff80794a 100644
--- a/plugins/cloudtrail/pkg/cloudtrail/source.go
+++ b/plugins/cloudtrail/pkg/cloudtrail/source.go
@@ -271,6 +271,8 @@ func (oCtx *PluginInstance) openS3(input string) error {
 // bucket_name/prefix_name/AWSLogs/Account ID/CloudTrail/region/YYYY/MM/DD/AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.json.gz
 // for organization trails the format is
 // bucket_name/prefix_name/AWSLogs/O-ID/Account ID/CloudTrail/Region/YYYY/MM/DD/AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.json.gz
+ // for ControlTower releases before landing zones version 3.0 the organization trails format is
+ // bucket_name/prefix_name/AWSLogs/Account ID/CloudTrail/Region/YYYY/MM/DD/AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.json.gz
 // Reduce the number of pages we have to process using "StartAfter" parameters
 // here, then trim individual filepaths below.
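Review bot: In the first source.go hunk, the path given for pre-3.0 ControlTower in the two added comment lines is the same as the single-account path three lines above it (only `region`/`Region` differs), so a reader cannot tell what the new case is or why the patterns further down in openS3 had to change. State what distinguishes it, for example `// (no O-ID component under AWSLogs/, i.e. the same layout as an account trail)`. The comment block this belongs to starts above the hunk, so the wording should be checked against the lines that precede it.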
@@ -278,8 +280,8 @@ func (oCtx *PluginInstance) openS3(input string) error {
 // For durations, carve out a special case for "Copy S3 URI" in the AWS console, which gives you
 // bucket_name/prefix_name/AWSLogs// or bucket_name/prefix_name/AWSLogs///
- awsLogsRE := regexp.MustCompile(`AWSLogs/(?:o-[a-z0-9]{10,32}/)?\d{12}/?$`)
- awsLogsOrgRE := regexp.MustCompile(`AWSLogs/o-[a-z0-9]{10,32}/?$`)
+ awsLogsRE := regexp.MustCompile(`/AWSLogs/(?:o-[a-z0-9]{10,32}/)?\d{12}/?$`)
+ awsLogsOrgRE := regexp.MustCompile(`/AWSLogs(?:/o-[a-z0-9]{10,32})?/?$`)
 if awsLogsRE.MatchString(prefix) {
 if (! strings.HasSuffix(intervalPrefix, "/")) {
 intervalPrefix += "/"
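Review bot: Both new patterns begin with a literal `/`, so they match only when something precedes `AWSLogs` in `prefix`. If `prefix` can start directly with `AWSLogs/` (a trail delivered to the bucket root, with the bucket name already stripped), the `if awsLogsRE.MatchString(prefix)` branch is skipped; the parsing of `prefix` is outside this hunk, so this needs confirming. What the fallback does is not visible here, but for a detection source a wrong start prefix can mean events in the requested interval are never read. Anchoring on a path boundary keeps the added strictness without that gap: `(?:^|/)AWSLogs/(?:o-[a-z0-9]{10,32}/)?\d{12}/?$` and `(?:^|/)AWSLogs(?:/o-[a-z0-9]{10,32})?/?$`. A table test over the account, organization and pre-3.0 ControlTower layouts, each with and without a key prefix, would pin the behaviour; the body of openS3 continues outside the hunk.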