Update ControlTower CloudTrail S3 Bucket to Use Log file SSE-KMS encryption


I am using an MDR service called Adlumin that consumes CloudWatch log streams created by my Org CloudTrail log. Part of that requirement is that my Log files use SSE-KMS encryption, which is not the case by default for Control Tower.
I would like to enable it, but while my management account owns the CloudTrail, my logging account owns the S3 bucket. So when I attempt to update that setting in my CloudTrail it lets me know that I "don't have adequate permissions in S3 to perform this operation."

My Questions: Will updating this setting for my S3 bucket be blocked by any Control Tower Guardrails? What kind of policies would I need to establish with my bucket (and IAM?) to give my management account access to update this configuration for my logging account's S3 bucket?

1 Answer

Hi There

Control Tower has a few mandatory controls that protect the logging bucket from being modified outside of Control Tower.

You should update the KMS settings through the Control Tower dashboard under "Landing Zone Settings", then choose "Modify Settings".


AWS EXPERT
Matt-B
answered a year ago
  • I followed the instructions to add the KMS via this GUI page and I ran into similar issues. Giving me issues with the bucket policy in my logging account. Trying to remove the key through the wizard then gives me an error of: AWS Control Tower failed to set up your landing zone completely: AWS Control Tower failed to deploy stack(s): arn:aws:cloudformation:us-east-1:<REDACTED>:stack/AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER/<REDACTED>

    UPDATE: After retrying a few more times it successfully finished the Landing Zone setup. But I am not sure if I want to try enabling KMS again... The CF Stack in question is still showing drift where the expected and actual don't match. It is showing it is expecting this "KMSKeyId": "", but that key just isn't there in the actual when it is NULL or empty.
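As an added example (not from this thread or from AWS), the check a practitioner would want before switching the landing zone to SSE-KMS: verify that the KMS key policy grants the CloudTrail and AWS Config service principals the actions AWS Control Tower documents as required on the landing-zone key. The sample policy and the account id in it are constructed, and policy Conditions are not evaluated.

```python
import fnmatch
import json

# Constructed sample key policy (not taken from the thread); the account id is a placeholder.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow CloudTrail to encrypt logs", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "Allow Config to use the key", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
    ],
})

# Actions each service principal must be allowed, per the Control Tower KMS key guidance.
REQUIRED = {
    "cloudtrail.amazonaws.com": {"kms:GenerateDataKey", "kms:Decrypt"},
    "config.amazonaws.com": {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt",
                             "kms:GenerateDataKey", "kms:DescribeKey"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_actions(policy_json, service):
    """Collect Allow actions granted to a service principal; wildcards are kept verbatim.
    Deny statements and Conditions are ignored (simplification)."""
    actions = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and service in services:
            actions.update(_as_list(stmt.get("Action", [])))
    return actions

def missing_permissions(policy_json):
    """Map each service principal to the required actions the key policy does not grant."""
    missing = {}
    for service, needed in REQUIRED.items():
        granted = allowed_actions(policy_json, service)
        gaps = {a for a in needed if not any(fnmatch.fnmatch(a, g) for g in granted)}
        if gaps:
            missing[service] = gaps
    return missing

def drop_statement(policy_json, sid):
    """Return the policy without the statement carrying the given Sid (for what-if checks)."""
    policy = json.loads(policy_json)
    policy["Statement"] = [s for s in policy["Statement"] if s.get("Sid") != sid]
    return json.dumps(policy)
```

Run `missing_permissions` on the output of `aws kms get-key-policy --policy-name default` for the key you intend to select in "Modify Settings"; an empty result means both service principals are covered.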
