diff --git a/template/ct-al-master-stackset.yaml b/template/ct-al-master-stackset.yaml
index 40be048..3ee7c91 100644
--- a/template/ct-al-master-stackset.yaml
+++ b/template/ct-al-master-stackset.yaml
@@ -14,6 +14,12 @@ Parameters:
 AllowedPattern: "^[0-9]{12}$"
 MinLength: 12
 MaxLength: 12
+ LogArchiveAccount:
+ Type: String
+ Description: Designated AWS Control Tower Log Archive account
+ AllowedPattern: '^[0-9]{12}$'
+ MinLength: 12
+ MaxLength: 12
 AlertLogicCustomerId:
 Type: String
 Description: AlertLogic Customer Id
@@ -113,6 +119,22 @@ Conditions:
 - !Ref SecurityAccount
 - !Ref AWS::AccountId
+ SecurityAccountOriginRegion: !And
+ - !Equals
+ - !Ref SecurityAccount
+ - !Ref AWS::AccountId
+ - !Equals
+ - !Ref MasterRegion
+ - !Ref AWS::Region
+
+ LogArchiveOriginRegion: !And
+ - !Equals
+ - !Ref LogArchiveAccount
+ - !Ref AWS::AccountId
+ - !Equals
+ - !Ref MasterRegion
+ - !Ref AWS::Region
+
 Resources:
 ALRoleFromCFT:
 Condition: OriginRegion
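Review bot: The new `LogArchiveAccount` parameter is checked for shape only, so a mistyped but well-formed 12-digit id is accepted and the `LogArchiveOriginRegion` condition added in the second hunk would then be false in every target account, presumably skipping whatever it gates without any error. I would add `ConstraintDescription: Must be the 12-digit id of the Control Tower Log Archive account` so a rejected value produces a useful message, and extend `Description` to say what the template deploys into that account. The pattern is also single-quoted here while the parameter just above uses double quotes; pick one for consistency. The `Parameters` section starts and continues outside this hunk.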
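Review bot: Neither `SecurityAccountOriginRegion` nor `LogArchiveOriginRegion` carries a comment saying which resources it gates, and nothing visible prevents `SecurityAccount` and `LogArchiveAccount` from being given the same id, in which case both conditions are true in one stack instance. If the two accounts must differ, a `Rules` assertion comparing the two parameters would reject that at deploy time. Otherwise a one-line comment such as `# True only in the Log Archive account's stack instance in MasterRegion` above each condition would make the intent reviewable. Both conditions also repeat the `MasterRegion`/`AWS::Region` comparison; if the existing `OriginRegion` condition (defined outside this hunk) is that same test, `- !Condition OriginRegion` would avoid the two copies drifting apart. No resource in the visible hunks references either new condition, so I could not check how they are used.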