Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Grant Access to Control Tower created Cloudtrail S3 Bucket

3

Hi, I have what I think is a common use case: Control Tower creates an S3 Bucket in the Logging account where it centralizes all Cloudtrail and Config logs. Control Tower also deploys a mandatory Guardrail named "Disallow changes to bucket policy for AWS Control Tower created Amazon S3 buckets in log archive". So far so good. However, and I think it is a very common use case, I have a third-party solution in another account which needs access to those logs and I cannot grant access because I the Guardrail is preventing me from modifying the bucket policy.

What is the right way to grant access to these logs? There must be an elegant solution to this problem since there is no point on having logs if nobody can access them.

Thanks

Temas
Gestión y gobierno
Etiquetas
AWS Control Tower
Idioma
English
Pedro Deniz
preguntada hace 2 años3520 visualizaciones
1 Respuesta
3

Hi Pedro, You will need to update the bucket policy to grant access to your third-party application. As you pointed out, AWS Control Tower Guardrail prevents updates to bucket policies, so you will need to log into the Organization Management account first, then use the Switch Role capability from the drop down menu under your login in the upper right, to assume the AWSControlTowerExecution role in the Logging account. Using that role, you will be able to update the bucket policy in the Logging account. If you prefer doing this in code, you can also accomplish this using the AssumeRole cli command.

AWS
Bert_Z
respondido hace 2 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante