1 Answer
- Newest
- Most votes
- Most comments
0
This control disallows changes to encryption for all Amazon S3 buckets. This is a preventive control with elective guidance. By default, this control is not enabled.
The artifact for this control is the following service control policy (SCP). { "Version": "2012-10-17", "Statement": [ { "Sid": "GRAUDITBUCKETENCRYPTIONENABLED", "Effect": "Deny", "Action": [ "s3:PutEncryptionConfiguration" ], "Resource": [""], "Condition": { "ArnNotLike": { "aws:PrincipalARN":"arn:aws:iam:::role/AWSControlTowerExecution" } } } ] }
With the above you should be able to create bucket but encryption might not have been enabled for the bucket. more details: https://docs.aws.amazon.com/controltower/latest/userguide/elective-controls.html
answered 3 months ago
Relevant content
- asked 2 years ago
- asked a year ago
- asked 7 months ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 4 months ago