Update ControlTower CloudTrail S3 Bucket to Use Log file SSE-KMS encryption

0

I am using an MDR service called Adlumin that consumes CloudWatch log streams created by my Org CloudTrail log. Part of that requirement is that my Log files use SSE-KMS encryption, which is not the case by default for Control Tower.
I would like to enable it, but while my management account owns the CloudTrail, my logging account owns the S3 bucket. So when I attempt to update that setting in my CloudTrail it lets me know that I "don't have adequate permissions in S3 to perform this operation."

My Questions: Will updating this setting for my S3 bucket be blocked by any Control Tower Guardrails? What kind of policies would I need to establish with my bucket (and IAM?) to give my management account access to update this configuration for my logging account's S3 bucket?

1 Answer
0

Hi There

Control Tower has a few mandatory controls that protect the logging bucket from being modified outside of Control Tower.

You should update the KMS settings through the Control Tower dashboard under "Landing Zone Settings", then choose "Modify Settings".


AWS EXPERT
Matt-B
answered a year ago
  • I followed the instructions to add the KMS via this GUI page and I ran into similar issues. Giving me issues with the bucket policy in my logging account. Trying to remove the key through the wizard then gives me an error of: AWS Control Tower failed to set up your landing zone completely: AWS Control Tower failed to deploy stack(s): arn:aws:cloudformation:us-east-1:<REDACTED>:stack/AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER/<REDACTED>

    UPDATE: After retrying a few more times it successfully finished the Landing Zone setup. But I am not sure if I want to try enabling KMS again... The CF Stack in question is still showing drift where the expected and actual don't match. It is showing it is expecting this "KMSKeyId": "", but that key just isn't there in the actual when it is NULL or empty.
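Before pointing "Modify Settings" at a KMS key, it is worth checking that the key's policy actually lets the two services Control Tower uses (CloudTrail writing the baseline trail, Config writing to the same bucket) call the key; a key policy that does not is one reason the landing-zone update can fail and leave the CloudTrail baseline stack in the state described in the comment above. The following is an added example, not code from the post, from AWS or from the Control Tower product. It builds the two statements in the shape AWS publishes for Control Tower keys (service principals `cloudtrail.amazonaws.com` and `config.amazonaws.com`, with the CloudTrail statement scoped by `aws:SourceArn` and the `kms:EncryptionContext:aws:cloudtrail:arn` context) and then checks an existing policy document for those grants. The account ID, region, key ARN and the trail name `aws-controltower-BaselineCloudTrail` are placeholders/assumptions; confirm the exact statements against the current Control Tower documentation for your landing zone version.

```python
"""Build and check the KMS key-policy grants that Control Tower's baseline
CloudTrail and Config need before SSE-KMS is enabled via Modify Settings.

Added example; the statement shapes follow AWS's published guidance but the
identifiers below are placeholders, not values from the original post."""
import fnmatch
import json

HOME_REGION = "us-east-1"       # assumption: landing-zone home region
MGMT_ACCOUNT = "111111111111"   # placeholder management account ID
KEY_ARN = (f"arn:aws:kms:{HOME_REGION}:{MGMT_ACCOUNT}:key/"
           "00000000-0000-0000-0000-000000000000")  # placeholder key

# Minimum the two services must be able to do with the key.
REQUIRED = {
    "cloudtrail.amazonaws.com": ("kms:GenerateDataKey", "kms:Decrypt"),
    "config.amazonaws.com": ("kms:GenerateDataKey", "kms:Decrypt"),
}


def control_tower_key_statements(key_arn, mgmt_account, home_region):
    """Return the two service statements to add to the key policy."""
    # assumption: Control Tower's baseline trail name
    trail_arn = (f"arn:aws:cloudtrail:{home_region}:{mgmt_account}:"
                 "trail/aws-controltower-BaselineCloudTrail")
    return [
        {
            "Sid": "Allow Config to use KMS for encryption",
            "Effect": "Allow",
            "Principal": {"Service": "config.amazonaws.com"},
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": key_arn,
        },
        {
            "Sid": "Allow CloudTrail to use KMS for encryption",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
            "Resource": key_arn,
            "Condition": {
                # Only this account's trail may use the key, and only
                # with the encryption context CloudTrail itself sets.
                "StringEquals": {"aws:SourceArn": trail_arn},
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn":
                        f"arn:aws:cloudtrail:*:{mgmt_account}:trail/*"
                },
            },
        },
    ]


def admin_statement(key_arn, mgmt_account):
    """Key-administration grant to the account root (always needed)."""
    return {
        "Sid": "Enable IAM policies",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{mgmt_account}:root"},
        "Action": "kms:*",
        "Resource": key_arn,
    }


def build_key_policy(key_arn=KEY_ARN, mgmt_account=MGMT_ACCOUNT,
                     home_region=HOME_REGION):
    return {
        "Version": "2012-10-17",
        "Statement": [admin_statement(key_arn, mgmt_account)]
        + control_tower_key_statements(key_arn, mgmt_account, home_region),
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_service_grants(policy):
    """List 'service -> action' pairs from REQUIRED that no Allow statement
    grants to that service principal (wildcards such as kms:GenerateDataKey*
    are honoured). An empty list means the policy is ready for Control Tower."""
    granted = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        for svc in _as_list(principal.get("Service", [])):
            for pattern in _as_list(stmt.get("Action", [])):
                for action in REQUIRED.get(svc, ()):
                    if fnmatch.fnmatchcase(action, pattern):
                        granted.add((svc, action))
    return sorted(f"{svc} -> {act}" for svc, acts in REQUIRED.items()
                  for act in acts if (svc, act) not in granted)


if __name__ == "__main__":
    # Root-only policy: what a freshly created key often looks like.
    weak = {"Version": "2012-10-17",
            "Statement": [admin_statement(KEY_ARN, MGMT_ACCOUNT)]}
    print("missing on root-only key:", missing_service_grants(weak))
    print("missing on fixed key:", missing_service_grants(build_key_policy()))
    print(json.dumps(build_key_policy(), indent=2))  # paste into put-key-policy
```

Run the checker against the output of `aws kms get-key-policy --key-id <id> --policy-name default` (parse the returned `Policy` string with `json.loads`) before the Modify Settings step; if it reports missing grants, add the generated statements with `aws kms put-key-policy` and only then retry the landing-zone update. Keep the key in the management account and the home region, which is the layout AWS documents for Control Tower KMS keys.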
