Member account access to Control Tower S3 log bucket

0

I have a Control Tower setup and the S3 logging bucket is delegated to the Log Archive account. I am trying to create an SCP with Access Analyzer from a member account. I got it to work from the main account, but get denied access to the Control Tower S3 log bucket from a member account.

How can I get the IAM access analyzer to run? And is this the best way to implement guardrails for new clients who don’t know what guardrails to start with?

asked a year ago · 681 views
1 Answer
3

Unfortunately, Control Tower prevents you from modifying the access to your S3 log bucket and granting member accounts access. There are several guardrails Control Tower deploys upon initializing your landing zone. Some of these are "Mandatory Guardrails" and cannot be deactivated.

Mandatory controls

Mandatory controls are owned by AWS Control Tower, and they apply to every OU on your landing zone. These controls are applied by default when you set up your landing zone, and they can't be deactivated. Following, you'll find a reference for each of the mandatory controls available in AWS Control Tower.

* Disallow Changes to Bucket Policy for AWS Control Tower Created Amazon S3 Buckets in Log Archive


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GRCTAUDITBUCKETPOLICYCHANGESPROHIBITED",
            "Effect": "Deny",
            "Action": [
                "s3:PutBucketPolicy",
                "s3:DeleteBucketPolicy"
            ],
            "Resource": ["arn:aws:s3:::aws-controltower*"],
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN":"arn:aws:iam::*:role/AWSControlTowerExecution"
                }
            }
        }
    ]
}

https://repost.aws/questions/QUOh2j9EkES3uqMeIVakwdNQ/grant-access-to-control-tower-created-cloudtrail-s-3-bucket

The AWS Control Tower guardrail prevents updates to bucket policies, so you will need to log into the Organization Management account first, then use the Switch Role capability from the drop-down menu under your login in the upper right to assume the AWSControlTowerExecution role in the Logging account. Using that role, you will be able to update the bucket policy in the Logging account. If you prefer doing this in code, you can also accomplish this using the AssumeRole CLI command.

answered a year ago by abemusa (AWS)
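The procedure in the answer above, worked through in code as an added example (this is not code from the re:Post answer or from AWS): first a check that mirrors the quoted GRCTAUDITBUCKETPOLICYCHANGESPROHIBITED SCP, showing why a member-account role is denied s3:PutBucketPolicy while AWSControlTowerExecution is not, then an idempotent rewrite of the log bucket policy performed from management-account credentials through STS AssumeRole into the Log Archive account. The account IDs, the bucket name (assumed to follow the aws-controltower-logs-<account>-<region> pattern), the session name, the statement Sid and the stand-in SAMPLE_POLICY are all assumptions; the real policy is fetched with get_bucket_policy at run time.

```python
"""Added example: grant a member account read access to the Control Tower
log archive bucket via AWSControlTowerExecution, with a pre-check against
the mandatory SCP. All identifiers below are placeholders (assumptions)."""
import copy
import fnmatch
import json

# Placeholder identifiers: replace with your own.
LOG_ARCHIVE_ACCOUNT_ID = "222222222222"
MEMBER_ACCOUNT_ID = "333333333333"
LOG_BUCKET = f"aws-controltower-logs-{LOG_ARCHIVE_ACCOUNT_ID}-us-east-1"  # assumed pattern
EXECUTION_ROLE_ARN = f"arn:aws:iam::{LOG_ARCHIVE_ACCOUNT_ID}:role/AWSControlTowerExecution"

# The three facts carried by the GRCTAUDITBUCKETPOLICYCHANGESPROHIBITED SCP quoted above.
GUARDRAIL_ACTIONS = {"s3:PutBucketPolicy", "s3:DeleteBucketPolicy"}
GUARDRAIL_RESOURCE = "arn:aws:s3:::aws-controltower*"
GUARDRAIL_EXEMPT_PRINCIPAL = "arn:aws:iam::*:role/AWSControlTowerExecution"


def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike semantics: each of the six colon-delimited ARN components is
    matched separately, with '*' and '?' wildcards and case-sensitive text."""
    p_parts = pattern.split(":", 5)
    a_parts = arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for a, p in zip(a_parts, p_parts))


def guardrail_denies(principal_arn: str, action: str, bucket: str) -> bool:
    """True if the mandatory SCP denies `action` on `bucket` for this caller.
    `principal_arn` is what aws:PrincipalArn carries: for a role session that is
    the role ARN (arn:aws:iam::<acct>:role/<name>), not the sts assumed-role ARN."""
    if action not in GUARDRAIL_ACTIONS:
        return False
    if not arn_like(GUARDRAIL_RESOURCE, f"arn:aws:s3:::{bucket}"):
        return False
    # ArnNotLike on the exempt role: every other principal is denied.
    return not arn_like(GUARDRAIL_EXEMPT_PRINCIPAL, principal_arn)


def with_member_read_access(policy: dict, member_account_id: str, bucket: str,
                            sid: str = "MemberAccountLogRead") -> dict:
    """Return a copy of `policy` with a read-only grant for the member account.
    Existing statements are kept; a statement with the same Sid is replaced, so
    re-running does not accumulate duplicates."""
    updated = copy.deepcopy(policy)
    statements = [s for s in updated.get("Statement", []) if s.get("Sid") != sid]
    statements.append({
        "Sid": sid,
        "Effect": "Allow",
        # Granting the account root delegates the real grant to IAM inside the
        # member account; the reading role there still needs its own Allow.
        "Principal": {"AWS": f"arn:aws:iam::{member_account_id}:root"},
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    })
    updated["Statement"] = statements
    updated.setdefault("Version", "2012-10-17")
    return updated


# Constructed stand-in for the current bucket policy, used offline only.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{LOG_BUCKET}", f"arn:aws:s3:::{LOG_BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def apply_with_execution_role(member_account_id: str = MEMBER_ACCOUNT_ID,
                              bucket: str = LOG_BUCKET) -> None:
    """Run with management-account credentials: AssumeRole into
    AWSControlTowerExecution in Log Archive, then rewrite the bucket policy.
    Needs boto3 and live credentials, so it is not exercised offline."""
    import boto3  # imported here so the pure helpers above run without it

    creds = boto3.client("sts").assume_role(
        RoleArn=EXECUTION_ROLE_ARN, RoleSessionName="ct-log-bucket-policy",
    )["Credentials"]
    s3 = boto3.client(
        "s3",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    current = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    s3.put_bucket_policy(
        Bucket=bucket,
        Policy=json.dumps(with_member_read_access(current, member_account_id, bucket)),
    )


if __name__ == "__main__":
    apply_with_execution_role()
```

Two caveats a practitioner should keep in mind: the bucket policy is only half of a cross-account S3 grant, so the role Access Analyzer uses in the member account still needs an identity policy allowing s3:GetObject and s3:ListBucket on the bucket, and if the landing zone encrypts its logs with a KMS key, the key policy needs a matching grant as well. The exemption in the SCP is by principal ARN, so rerunning the script with ordinary Log Archive credentials fails exactly as the question describes.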
