Conflicts Between Control Tower and Security Controls

0

In my AWS Organization, I have implemented Control Tower to manage certain key accounts. Meanwhile, I'm using the Security Hub console (in an Audit account as delegated administrator) to meet certain security standards. However, there are certain controls that are required by the standards, but which Control Tower prevents me from editing to address them.

For example, one standard includes the control SNS.1 - "SNS topics should be encrypted at-rest using AWS KMS." The topic raising the failure is "aws-controltower-AggregateSecurityNotifications" in the Audit account. When attempting to edit the topic, I get the error:

Error code: AuthorizationError - Error message: An error occurred while setting the attribute encryption. User: arn:aws:sts::<account>:assumed-role/AWSReservedSSO_AdministratorAccess_9f45fff32654b3aa/<user> is not authorized to perform: SNS:SetTopicAttributes on resource: <topic arn> with an explicit deny in a service control policy

I cannot modify the SCPs or the underlying CloudFormation stacks, since that would break Control Tower.

How can I fully satisfy security controls such as this without disabling them?

Note: I am not using the root user. I'm an SSO-authenticated user with administrative privileges.

ddunham
Asked 7 months ago, 233 views
1 answer
0

This seems to be a bug. I'd address it by raising a support ticket; since AWS Control Tower is a supported product and the Controls are part of it, the team should be able to address the bug and inform you of a workaround and/or fix.

AWS
Renato
Answered 5 months ago
  • Thank you. I will do that. As a work-around, I realized that you can simply move the account outside the Control Tower-managed OU (to the root level), make the relevant changes to satisfy the controls, and then move it back into the OU. Control Tower sometimes triggers an alert detecting drift, but it does not break the service.
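The workaround described in the comment above, driven with the AWS CLI as an added example (not code from the thread or from AWS). It assumes the same credentials can call Organizations in the management account and SNS in the Audit account; the account id, topic ARN and KMS key are placeholders the caller overrides. The account is moved back into its OU whether or not setting the attribute succeeds, so the window without the Control Tower SCPs stays as short as possible.

```shell
#!/bin/sh
# Added example, not code from the thread: the commenter's workaround driven with the AWS CLI.
# Assumptions (placeholders, not values from the page): the same credentials can call
# Organizations in the management account and SNS in the Audit account; ACCOUNT_ID,
# TOPIC_ARN and KMS_KEY_ID are set by the caller.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-111111111111}"               # placeholder Audit account id
TOPIC_ARN="${TOPIC_ARN:-arn:aws:sns:us-east-1:111111111111:aws-controltower-AggregateSecurityNotifications}"
KMS_KEY_ID="${KMS_KEY_ID:-alias/placeholder-sns-key}"  # placeholder KMS key for the topic

# Parent container of the account (expected to be the Control Tower-managed OU).
current_parent() { aws organizations list-parents --child-id "$1" --query 'Parents[0].Id' --output text; }
# Organization root, where no Control Tower SCP applies.
org_root() { aws organizations list-roots --query 'Roots[0].Id' --output text; }
move_account() {
  aws organizations move-account --account-id "$1" --source-parent-id "$2" --destination-parent-id "$3"
}

# Succeeds only when the topic reports a KmsMasterKeyId, i.e. the SNS.1 condition holds.
topic_encrypted() {
  key="$(aws sns get-topic-attributes --topic-arn "$1" --query 'Attributes.KmsMasterKeyId' --output text)"
  [ -n "$key" ] && [ "$key" != "None" ]
}

# Move the account to the root, set the KMS key on the topic, verify, and move it back.
# Failures are recorded rather than aborting so the account always returns to its OU.
remediate_topic() {
  acct="$1"; topic="$2"; kms="$3"; status=0
  ou="$(current_parent "$acct")"
  root="$(org_root)"
  move_account "$acct" "$ou" "$root"
  aws sns set-topic-attributes --topic-arn "$topic" \
    --attribute-name KmsMasterKeyId --attribute-value "$kms" || status=1
  topic_encrypted "$topic" || status=1
  move_account "$acct" "$root" "$ou"   # restores the OU; expect a Control Tower drift notice
  return "$status"
}

# Run only when explicitly requested, so sourcing the file defines the functions without acting.
if [ "${RUN_REMEDIATION:-0}" = "1" ]; then
  remediate_topic "$ACCOUNT_ID" "$TOPIC_ARN" "$KMS_KEY_ID"
fi
```

After the account is back in its OU, re-run the Security Hub check for SNS.1 and acknowledge the drift notification Control Tower raises for the move.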
