Unfortunately, Control Tower prevents you from modifying the access to your S3 log bucket and granting member accounts access. There are several Guardrails Control Tower deploys upon initializing your landing zone. Some of these are "Mandatory Guardrails" and cannot be deactivated.
Mandatory controls are owned by AWS Control Tower, and they apply to every OU on your landing zone. These controls are applied by default when you set up your landing zone, and they can't be deactivated. Following, you'll find a reference for each of the mandatory controls available in AWS Control Tower.
* Disallow Changes to Bucket Policy for AWS Control Tower Created Amazon S3 Buckets in Log Archive
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCTAUDITBUCKETPOLICYCHANGESPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy"
      ],
      "Resource": ["arn:aws:s3:::aws-controltower*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
```
AWS Control Tower Guardrail prevents updates to bucket policies, so you will need to log into the Organization Management account first, then use the Switch Role capability from the drop down menu under your login in the upper right, to assume the AWSControlTowerExecution role in the Logging account. Using that role, you will be able to update the bucket policy in the Logging account. If you prefer doing this in code, you can also accomplish this using the AssumeRole cli command.
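The switch-role procedure above, as an added example that is not part of the original answer: a Python/boto3 script that evaluates the guardrail's ArnNotLike condition against a caller ARN (showing why a management-account admin is denied but AWSControlTowerExecution is not), builds bucket-policy statements granting member accounts read access to their own log prefix, and applies them through the AWSControlTowerExecution role in the Logging account. The bucket name, account IDs and the `<prefix>/<account-id>/` log layout are assumptions.

```python
import fnmatch
import json

# Pattern from the mandatory guardrail SCP's ArnNotLike condition (quoted above).
GUARDRAIL_PRINCIPAL = "arn:aws:iam::*:role/AWSControlTowerExecution"


def guardrail_denies_policy_change(principal_arn: str) -> bool:
    """True if the SCP above would deny s3:PutBucketPolicy for this caller.
    aws:PrincipalARN for an assumed-role session is the underlying role ARN,
    so sts assumed-role session ARNs are normalised to the IAM role ARN first."""
    if ":assumed-role/" in principal_arn:
        account, role = principal_arn.split(":")[4], principal_arn.split("/")[1]
        principal_arn = f"arn:aws:iam::{account}:role/{role}"
    return not fnmatch.fnmatchcase(principal_arn, GUARDRAIL_PRINCIPAL)


def build_member_access_policy(bucket: str, log_prefix: str, member_account_ids: list) -> dict:
    """Statements letting each member account read only its own logs under
    <bucket>/<log_prefix>/<account-id>/ (the prefix layout is an assumption; check yours)."""
    statements = []
    for acct in member_account_ids:
        principal = {"AWS": f"arn:aws:iam::{acct}:root"}
        statements.append({"Sid": f"MemberListOwnLogs{acct}", "Effect": "Allow",
                           "Principal": principal, "Action": "s3:ListBucket",
                           "Resource": f"arn:aws:s3:::{bucket}",
                           "Condition": {"StringLike": {"s3:prefix": f"{log_prefix}/{acct}/*"}}})
        statements.append({"Sid": f"MemberGetOwnLogs{acct}", "Effect": "Allow",
                           "Principal": principal, "Action": "s3:GetObject",
                           "Resource": f"arn:aws:s3:::{bucket}/{log_prefix}/{acct}/*"})
    return {"Version": "2012-10-17", "Statement": statements}


def add_statements_via_execution_role(bucket: str, log_account_id: str, policy: dict) -> None:
    """Run with Organization Management account credentials: assume
    AWSControlTowerExecution in the Logging account (the one principal the
    guardrail exempts), then merge the new statements into the existing policy."""
    import boto3  # imported here so the pure helpers above run without boto3 installed
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{log_account_id}:role/AWSControlTowerExecution",
        RoleSessionName="update-log-bucket-policy")["Credentials"]
    s3 = boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    # put_bucket_policy replaces the whole policy, so extend the current one
    # instead of overwriting the statements Control Tower already placed there.
    existing = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    existing["Statement"].extend(policy["Statement"])
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(existing))
```

Run the final function from a management-account session only after reviewing the merged policy; the first two helpers need no AWS credentials.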
- Asked 8 months ago
- AWS OFFICIAL updated 7 months ago
https://repost.aws/questions/QUOh2j9EkES3uqMeIVakwdNQ/grant-access-to-control-tower-created-cloudtrail-s-3-bucket