1 Answer
0
Hi there,
Control Tower has a few mandatory controls that protect the logging bucket from being modified outside of Control Tower.
You should update the KMS settings through the Control Tower dashboard under "Landing Zone Settings", then choose "Modify Settings".
I followed the instructions to add the KMS via this GUI page and I ran into similar issues: it gives me issues with the bucket policy in my logging account. Trying to remove the key through the wizard then gives me an error of:
AWS Control Tower failed to set up your landing zone completely: AWS Control Tower failed to deploy stack(s): arn:aws:cloudformation:us-east-1:<REDACTED>:stack/AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER/<REDACTED>
UPDATE: After retrying a few more times, it successfully finished the Landing Zone setup. But I am not sure if I want to try enabling KMS again... The CF Stack in question is still showing drift where the expected and actual don't match. It is showing that it is expecting this:
"KMSKeyId": "",
but that key just isn't there in the actual when it is NULL or empty.