I am using an MDR service called Adlumin that consumes CloudWatch log streams created by my Org CloudTrail log.
Part of that requirement is that my Log files use SSE-KMS encryption, which is not the case by default for Control Tower.
I would like to enable it, but while my management account owns the CloudTrail, my logging account owns the S3 bucket. So when I attempt to update that setting in my CloudTrail, it lets me know that I "don't have adequate permissions in S3 to perform this operation."
My Questions:
Will updating this setting for my S3 bucket be blocked by any Control Tower Guardrails?
What kind of policies would I need to establish with my bucket (and IAM?) to give my management account access to update this configuration for my logging account's S3 bucket?
I followed the instructions to add the KMS key via this GUI page and I ran into similar issues. It gives me issues with the bucket policy in my logging account. Trying to remove the key through the wizard then gives me an error of:
AWS Control Tower failed to set up your landing zone completely: AWS Control Tower failed to deploy stack(s): arn:aws:cloudformation:us-east-1:<REDACTED>:stack/AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER/<REDACTED>
UPDATE: After retrying a few more times it successfully finished the Landing Zone setup. But I am not sure if I want to try enabling KMS again... The CF Stack in question is still showing drift where the expected and actual don't match. It is showing it is expecting this
"KMSKeyId": "",
but that key just isn't there in the actual when it is NULL or empty.
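The question above boils down to two policy documents that CloudTrail evaluates when a trail in one account delivers SSE-KMS-encrypted logs to a bucket in another: the KMS key policy must let the CloudTrail service generate data keys (scoped to the trail's account through the encryption-context condition) and describe the key, and the bucket policy must let the service check the bucket ACL and put objects with bucket-owner-full-control. The script below is an added example, not code from the original post and not Control Tower's generated templates; it lints constructed sample policies for exactly those statements. The account IDs, bucket name, and the function names (check_kms_key_policy, check_bucket_policy, without_conditions) are placeholders and assumptions. It says nothing about Control Tower guardrails or CloudFormation drift, which the post leaves open.

```python
"""Lint the two policy documents CloudTrail depends on when a trail in one
account writes SSE-KMS-encrypted logs to a bucket in another account.

Added example; the policies below are constructed placeholders, not taken
from the original post or from AWS Control Tower's generated templates.
"""
import json
from fnmatch import fnmatchcase

# Constructed placeholder identifiers (assumptions, not values from the post).
TRAIL_ACCOUNT = "111111111111"          # management account that owns the org trail
KEY_ACCOUNT = "222222222222"            # account that owns the KMS key
BUCKET = "example-log-archive-bucket"   # log archive bucket in the logging account
CLOUDTRAIL = "cloudtrail.amazonaws.com"
TRAIL_ARN_PATTERN = f"arn:aws:cloudtrail:*:{TRAIL_ACCOUNT}:trail/*"


def _as_list(value):
    """IAM JSON lets most fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_service(stmt, service, action):
    """True when stmt is an Allow for `service` whose Action covers `action` (wildcards honoured)."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    if service not in services:
        return False
    return any(fnmatchcase(action, pattern) for pattern in _as_list(stmt.get("Action")))


def _condition_values(stmt, operator, key):
    return _as_list(stmt.get("Condition", {}).get(operator, {}).get(key))


def check_kms_key_policy(policy):
    """Return a list of problems; empty means CloudTrail can encrypt with this key."""
    problems = []
    stmts = _as_list(policy.get("Statement"))
    grants = [s for s in stmts if _allows_service(s, CLOUDTRAIL, "kms:GenerateDataKey")]
    if not grants:
        problems.append("no Allow of kms:GenerateDataKey* for cloudtrail.amazonaws.com")
    elif not any(TRAIL_ARN_PATTERN in _condition_values(s, "StringLike", "kms:EncryptionContext:aws:cloudtrail:arn")
                 for s in grants):
        # Without the encryption-context condition, a trail in any account could use the key.
        problems.append("GenerateDataKey grant is not scoped to the trail account via kms:EncryptionContext:aws:cloudtrail:arn")
    if not any(_allows_service(s, CLOUDTRAIL, "kms:DescribeKey") for s in stmts):
        problems.append("no Allow of kms:DescribeKey for cloudtrail.amazonaws.com")
    return problems


def check_bucket_policy(policy):
    """Return a list of problems; empty means CloudTrail can deliver logs to the bucket."""
    problems = []
    stmts = _as_list(policy.get("Statement"))
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    if not any(_allows_service(s, CLOUDTRAIL, "s3:GetBucketAcl") and bucket_arn in _as_list(s.get("Resource"))
               for s in stmts):
        problems.append("no Allow of s3:GetBucketAcl for cloudtrail.amazonaws.com on the bucket")
    puts = [s for s in stmts
            if _allows_service(s, CLOUDTRAIL, "s3:PutObject")
            and any(r.startswith(bucket_arn + "/") for r in _as_list(s.get("Resource")))]
    if not puts:
        problems.append("no Allow of s3:PutObject for cloudtrail.amazonaws.com on an object prefix in the bucket")
    elif not any(_condition_values(s, "StringEquals", "s3:x-amz-acl") == ["bucket-owner-full-control"] for s in puts):
        # Without this condition the bucket-owning account may not be able to read delivered objects.
        problems.append("PutObject grant lacks the s3:x-amz-acl = bucket-owner-full-control condition")
    return problems


def without_conditions(policy):
    """Deep copy of a policy with every Condition removed, to show what the checker flags."""
    stripped = json.loads(json.dumps(policy))
    for stmt in _as_list(stripped.get("Statement")):
        stmt.pop("Condition", None)
    return stripped


# Constructed sample policies (placeholders, not Control Tower's own templates).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeyOwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "CloudTrailEncrypt", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL},
         "Action": "kms:GenerateDataKey*", "Resource": "*",
         "Condition": {"StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": TRAIL_ARN_PATTERN}}},
        {"Sid": "CloudTrailDescribe", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL},
         "Action": "kms:DescribeKey", "Resource": "*"},
    ],
}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "CloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
}

if __name__ == "__main__":
    print("key policy:", check_kms_key_policy(KEY_POLICY) or "ok")
    print("key policy without conditions:", check_kms_key_policy(without_conditions(KEY_POLICY)))
    print("bucket policy:", check_bucket_policy(BUCKET_POLICY) or "ok")
```

Run it against the JSON you have actually attached to the key and the log archive bucket (swap the placeholder account IDs and bucket name first) to see which of the required statements is missing before retrying the change in the console; an empty list from both checkers means the two documents at least contain the grants CloudTrail itself needs, which separates a policy gap from a Control Tower or drift problem.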