Member account access to control tower s3 log bucket

0

I have a control tower setup and the s3 logging bucket is delegated to the logging archive account. I am trying to create an SCP with Access Analyzer from a member account. I got it to work from the main account, but get denied access to the control tower s3 log bucket from member account.

How can I get the IAM access analyzer to run? And is this the best way to implement guardrails for new clients who don’t know what guardrails to start with?

Asked 1 year ago, 697 views
1 Answer
3

Unfortunately, Control Tower prevents you from modifying the access to your S3 log bucket and granting member accounts access. There are several Guardrails Control Tower deploys upon initializing your landing zone. Some of these are "Mandatory Guardrails" and cannot be deactivated.

Mandatory controls

Mandatory controls are owned by AWS Control Tower, and they apply to every OU on your landing zone. These controls are applied by default when you set up your landing zone, and they can't be deactivated. Following, you'll find a reference for each of the mandatory controls available in AWS Control Tower.

* Disallow Changes to Bucket Policy for AWS Control Tower Created Amazon S3 Buckets in Log Archive


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GRCTAUDITBUCKETPOLICYCHANGESPROHIBITED",
            "Effect": "Deny",
            "Action": [
                "s3:PutBucketPolicy",
                "s3:DeleteBucketPolicy"
            ],
            "Resource": ["arn:aws:s3:::aws-controltower*"],
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN":"arn:aws:iam::*:role/AWSControlTowerExecution"
                }
            }
        }
    ]
}

https://repost.aws/questions/QUOh2j9EkES3uqMeIVakwdNQ/grant-access-to-control-tower-created-cloudtrail-s-3-bucket

The AWS Control Tower Guardrail prevents updates to bucket policies, so you will need to log into the Organization Management account first, then use the Switch Role capability from the drop-down menu under your login in the upper right to assume the AWSControlTowerExecution role in the Logging account. Using that role, you will be able to update the bucket policy in the Logging account. If you prefer doing this in code, you can also accomplish this using the AssumeRole CLI command.

AWS
abemusa
Answered 1 year ago
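The procedure in the answer above, worked through in code as an added example (not part of the original answer or of Control Tower itself): from Organization Management account credentials, assume AWSControlTowerExecution in the Log Archive account via `aws sts assume-role`, read the bucket policy with `aws s3api get-bucket-policy`, append least-privilege read statements for a member-account role, and write it back with `aws s3api put-bucket-policy`. The account IDs, home region, the member role name AccessAnalyzerReader, the Sid values and the object prefix are placeholders; the embedded existing policy is constructed so the merge can be previewed offline.

```python
"""
Grant a member-account role read access to the Control Tower log bucket.

Added example, not part of the original answer. Run with Organization
Management account credentials: it assumes AWSControlTowerExecution in the
Log Archive account (the only principal the mandatory Deny SCP exempts from
s3:PutBucketPolicy) and updates the bucket policy through the AWS CLI.
All IDs and names below are placeholders; replace them with your own.
"""
import copy
import json
import os
import subprocess

LOG_ARCHIVE_ACCOUNT = "111111111111"   # assumption: Log Archive account ID
MEMBER_ACCOUNT = "222222222222"        # assumption: member account ID
HOME_REGION = "us-east-1"              # assumption: landing zone home region
LOG_BUCKET = f"aws-controltower-logs-{LOG_ARCHIVE_ACCOUNT}-{HOME_REGION}"
MEMBER_ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/AccessAnalyzerReader"  # assumed role name
SID = f"MemberReadAccess{MEMBER_ACCOUNT}"

# Constructed stand-in for the policy Control Tower attached to the bucket;
# used only by preview() so the merge can be tried offline.
SAMPLE_EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSBucketPermissionsCheck",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:GetBucketAcl",
        "Resource": f"arn:aws:s3:::{LOG_BUCKET}",
    }],
}


def read_access_statements(bucket, principal_arn, object_prefix=""):
    """Least-privilege read grant: list the bucket and get objects, both
    limited to object_prefix when one is given (e.g. the member's own
    .../AWSLogs/<account-id>/ path). No s3:Put* or s3:Delete*."""
    list_stmt = {
        "Sid": SID + "List",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "s3:ListBucket",
        "Resource": f"arn:aws:s3:::{bucket}",
    }
    if object_prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [object_prefix + "*"]}}
    get_stmt = {
        "Sid": SID + "Get",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/{object_prefix}*",
    }
    return [list_stmt, get_stmt]


def merge_statements(policy, new_statements):
    """Copy of policy with new_statements appended. Statements with the same
    Sid are replaced, so re-running is idempotent; Control Tower's own
    delivery and TLS-enforcement statements are left unchanged."""
    merged = copy.deepcopy(policy)
    merged.setdefault("Version", "2012-10-17")
    existing = merged.get("Statement", [])
    if isinstance(existing, dict):  # a lone statement may be un-listed
        existing = [existing]
    new_sids = {s["Sid"] for s in new_statements}
    merged["Statement"] = [s for s in existing if s.get("Sid") not in new_sids] + list(new_statements)
    return merged


def aws(args, env=None):
    """Run an AWS CLI command and return its JSON output ({} when empty)."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True, env=env)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def assume_execution_role(account_id):
    """Assume AWSControlTowerExecution in account_id (it trusts the management
    account) and return an environment carrying the temporary credentials."""
    creds = aws(["sts", "assume-role",
                 "--role-arn", f"arn:aws:iam::{account_id}:role/AWSControlTowerExecution",
                 "--role-session-name", "ct-log-bucket-policy"])["Credentials"]
    env = dict(os.environ)
    env.update({"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
                "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
                "AWS_SESSION_TOKEN": creds["SessionToken"]})
    return env


def preview(object_prefix=""):
    """Offline dry run: merge the grant into the constructed sample policy."""
    return merge_statements(SAMPLE_EXISTING_POLICY,
                            read_access_statements(LOG_BUCKET, MEMBER_ROLE_ARN, object_prefix))


def grant_member_read_access(object_prefix=""):
    """Live: fetch the current bucket policy as AWSControlTowerExecution,
    merge the read grant and write it back. Returns the policy applied."""
    env = assume_execution_role(LOG_ARCHIVE_ACCOUNT)
    current = json.loads(aws(["s3api", "get-bucket-policy", "--bucket", LOG_BUCKET], env)["Policy"])
    updated = merge_statements(current, read_access_statements(LOG_BUCKET, MEMBER_ROLE_ARN, object_prefix))
    aws(["s3api", "put-bucket-policy", "--bucket", LOG_BUCKET, "--policy", json.dumps(updated)], env)
    return updated


if __name__ == "__main__":
    # Dry run against the sample policy; call grant_member_read_access() to apply for real.
    print(json.dumps(preview(), indent=2))
```

Pass an object prefix (the path under which the member account's own CloudTrail objects land in the bucket) so the member can list and read only its own logs rather than every account's; the `s3:prefix` condition on `s3:ListBucket` is what scopes the listing. If the log bucket is encrypted with a customer-managed KMS key, the member principal also needs `kms:Decrypt` in that key's policy, which this script does not touch.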
