AWS Control Tower Controls - Disallow Changes to Encryption Configuration for Amazon S3 Buckets


Hello.

I have enabled the control "Disallow Changes to Encryption Configuration for Amazon S3 Buckets" in AWS Control Tower. After that, when I try to create an S3 bucket, I receive this error: "Insufficient permissions to apply Default Encryption. You need the s3:PutEncryptionConfiguration permission to apply Default Encryption on this bucket. After you or your AWS admin has updated your IAM permissions to allow s3:PutEncryptionConfiguration, go to edit Default Encryption."

Despite this error, the S3 bucket is created and I can upload files, so is this bucket functional?

Is this error expected, or is it normal? Which steps should I perform if I want to enable this kind of control?

Thank you.

1 Answer

This control disallows changes to encryption for all Amazon S3 buckets. This is a preventive control with elective guidance. By default, this control is not enabled.

The artifact for this control is the following service control policy (SCP). (The `*` wildcards in `Resource` and in the principal ARN were lost when the policy was pasted; they are restored here as published in the AWS documentation.)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETENCRYPTIONENABLED",
      "Effect": "Deny",
      "Action": [
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
```

With the above you should be able to create the bucket, but encryption might not have been enabled for it. More details: https://docs.aws.amazon.com/controltower/latest/userguide/elective-controls.html

AWS
answered 3 months ago
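To see why the bucket gets created but the console complains about default encryption, the following added example (not code from the question, the answer or AWS) evaluates the control's SCP locally for a given action and caller: the Deny covers only `s3:PutEncryptionConfiguration`, and only for principals other than the `AWSControlTowerExecution` role, so `s3:CreateBucket` is never blocked. It is a simplified evaluator, not the IAM engine: only `ArnLike`/`ArnNotLike` are modelled, and the wildcard matcher assumes `*` may span `:` and `/` in the ARN.

```python
import json
import re

# The SCP that this control deploys, as quoted in the answer above.
CONTROL_SCP = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ {
    "Sid": "GRAUDITBUCKETENCRYPTIONENABLED",
    "Effect": "Deny",
    "Action": [ "s3:PutEncryptionConfiguration" ],
    "Resource": [ "*" ],
    "Condition": { "ArnNotLike": {
      "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution" } }
  } ] }
""")

def _glob_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.
    Simplifying assumption: '*' may also span ':' and '/' separators."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(condition: dict, context: dict) -> bool:
    """Only the operators this SCP needs are implemented: ArnLike and ArnNotLike."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, patterns in pairs.items():
            matched = any(_glob_match(p, context.get(key, "")) for p in _as_list(patterns))
            if (operator == "ArnLike") != matched:  # Like needs a match, NotLike needs none
                return False
    return True

def scp_denies(policy: dict, action: str, principal_arn: str) -> bool:
    """True when a Deny statement in the SCP applies to this action and principal."""
    context = {"aws:PrincipalARN": principal_arn}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_glob_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue  # statement is about a different action
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False
```

An IAM user in a member account (a constructed ARN such as `arn:aws:iam::123456789012:user/alice`) is denied `s3:PutEncryptionConfiguration` but not `s3:CreateBucket`, which is exactly the behaviour described in the question.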
