
How can I replicate objects from a Control Tower bucket, or modify policies on the Control Tower bucket to do so?

0

I tried following the steps here: https://repost.aws/questions/QUx25XcQFaQNic0VkqCu3bBw/how-can-i-properly-modify-a-bucket-managed-by-control-tower

However, after creating this role to assume and assigning it in the replication configuration, objects are still not being replicated to the other S3 bucket. Even though this is NOT cross-account access and no KMS is being used, could the cause of this be the policy on the Control Tower bucket?

Also, is it possible to contact AWS Support to have this Control Tower policy changed for our use case and/or the replication configured?

5 Answers
0

Hi There

You do NOT need to modify the source bucket policy for replication to work. Can you paste here:

  1. Your IAM Role trust policy
  2. Your IAM role inline policy

Also, are you using KMS for bucket encryption on the Control Tower bucket?

Please ensure you obfuscate any personal info like account ID or specific bucket name

AWS
EXPERT
answered 9 days ago
  • Sure, I'm not using KMS for bucket encryption on Control Tower bucket.

    Here's the policy for the role:

            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "s3:GetReplicationConfiguration",
                            "s3:ListBucket"
                        ],
                        "Resource": [
                            "arn:aws:s3:::aws-controltower-logs-account_id-us-east-1"
                        ]
                    },
                    {
                        "Effect": "Allow",
                        "Action": [
                            "s3:GetObjectVersionForReplication",
                            "s3:GetObjectVersionAcl",
                            "s3:GetObjectVersionTagging"
                        ],
                        "Resource": [
                            "arn:aws:s3:::aws-controltower-logs-account_id-us-east-1/"
                        ]
                    },
                    {
                        "Effect": "Allow",
                        "Action": [
                            "s3:ReplicateObject",
                            "s3:ReplicateDelete",
                            "s3:ReplicateTags"
                        ],
                        "Resource": "arn:aws:s3:::aws-cloudtrail-logs-<account_id>-us-east-1/"
                    }
                ]
            }

    Here's the trust policy:

            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "s3.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            }

  • Thank you. I see 2 issues with your policy. Your 2nd and 3rd statements are missing the trailing wildcard * symbol in the resource ARN. Should be

    "Resource": [ "arn:aws:s3:::<SOURCE BUCKET NAME>/*" ] and

    "Resource": "arn:aws:s3:::<DESTINATION BUCKET NAME>/*"

    I posted a community article about this topic with sample policies here that you can copy and paste: https://repost.aws/articles/ARJ4iZ5ZeKSBevAXvIZ2l99A/aws-control-tower-log-archive-bucket-replication-a-secure-alternative-to-policy-modifications

0

Can you clarify why you need to replicate the Control Tower managed bucket, and which specific bucket you’re referring to? Control Tower typically manages buckets like the CloudTrail logging bucket and the Config bucket.

In previous setups (for example, integrating CloudTrail logs with tools like CrowdStrike), I’ve been able to use the existing Control Tower CloudTrail bucket without requiring replication. That’s why I’d like to better understand your use case.

Could you share the purpose of the replication?

answered 9 days ago
  • Yes sure,

    I'm essentially using a third-party app to ingest data from the S3 bucket I have. But the guardrails from Control Tower block changes to the S3 bucket policy and also have a policy restricting access to it from the third-party app. Since the guardrails block policy changes, I was going to replicate to a bucket managed outside of Control Tower and have my third-party app ingest from that bucket, which the answer I linked in the first question mentioned.

0

(Re-posting as answer for visibility)

Hi There

I see 2 issues with your policy.

Your 2nd and 3rd statements are missing the trailing wildcard * symbol in the resource ARN. Should be

            "Resource": [
                "arn:aws:s3:::<SOURCE BUCKET NAME>/*"
            ]

and

"Resource": "arn:aws:s3:::<DESTINATION BUCKET NAME>/*"

I posted a community article about this topic with sample policies here that you can copy and paste: https://repost.aws/articles/ARJ4iZ5ZeKSBevAXvIZ2l99A/aws-control-tower-log-archive-bucket-replication-a-secure-alternative-to-policy-modifications

AWS
EXPERT
answered 7 days ago
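The two findings above (object-level actions scoped to a bucket ARN with no key pattern) are easy to miss by eye. As an added example that is not part of this thread, the following linter checks a replication role policy for exactly that mistake and produces the corrected resource ARNs; the policy embedded in it is a constructed copy of the one posted above, with the account ID left as a placeholder.

```python
import copy

# Object-level actions: the Resource must carry a key pattern, e.g. bucket-arn/*
OBJECT_ACTIONS = {"s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl",
                  "s3:GetObjectVersionTagging", "s3:ReplicateObject",
                  "s3:ReplicateDelete", "s3:ReplicateTags"}
# Bucket-level actions: the Resource must be the bare bucket ARN
BUCKET_ACTIONS = {"s3:GetReplicationConfiguration", "s3:ListBucket"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _key_pattern(resource):
    """Key part of an S3 ARN: None if absent, '' if the ARN ends in a bare '/'."""
    _, sep, key = resource.split(":::", 1)[1].partition("/")  # S3 ARNs only
    return key if sep else None

def lint_replication_policy(policy):
    """Return (statement_index, resource, problem) tuples; empty list means clean."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = set(_as_list(stmt["Action"]))
        for res in _as_list(stmt["Resource"]):
            key = _key_pattern(res)
            if actions & OBJECT_ACTIONS and not key:
                findings.append((i, res, "object action needs a key pattern such as '/*'"))
            if actions & BUCKET_ACTIONS and key is not None:
                findings.append((i, res, "bucket action must use the bare bucket ARN"))
    return findings

def fix_object_resources(policy):
    """Copy of the policy with '/*' appended where an object-level statement lacks a key pattern."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if set(_as_list(stmt["Action"])) & OBJECT_ACTIONS:
            stmt["Resource"] = [r if _key_pattern(r) else r.rstrip("/") + "/*"
                                for r in _as_list(stmt["Resource"])]
    return fixed

# Constructed copy of the policy posted in the thread (account ID is a placeholder)
POSTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::aws-controltower-logs-<account_id>-us-east-1"]},
    {"Effect": "Allow", "Action": ["s3:GetObjectVersionForReplication",
     "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"],
     "Resource": ["arn:aws:s3:::aws-controltower-logs-<account_id>-us-east-1/"]},
    {"Effect": "Allow", "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"],
     "Resource": "arn:aws:s3:::aws-cloudtrail-logs-<account_id>-us-east-1/"}]}
```

Running `lint_replication_policy(POSTED_POLICY)` reports statements 1 and 2 (zero-based) and `fix_object_resources` returns the policy with both resources ending in `/*`, leaving the bucket-level first statement untouched.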
0

Hey,

Hope you're keeping well.

Buckets created and managed by AWS Control Tower, such as the log archive bucket, have restrictive bucket policies that prevent modification through the console or CLI. Direct changes to those policies aren’t supported, so replication must be configured using roles and permissions outside of altering the Control Tower-managed policy. A common approach is to set up replication from a secondary bucket where you have full control, or use an intermediary process (such as an AWS Lambda function) to copy objects to your target bucket.

Thanks and regards,
Taz

answered 4 days ago
-1

Hey,

Hope you're keeping well.

Buckets created and managed by AWS Control Tower, such as the Log Archive bucket, have restrictive bucket policies that are maintained by the service and will revert if manually edited. To enable replication, you need to grant the replication IAM role s3:GetObject, s3:ListBucket, and s3:ReplicateObject on the source bucket and objects, but Control Tower’s policy may block these unless you use an approved mechanism. The recommended approach is to replicate logs indirectly by writing them to an intermediary bucket that you control, then replicate from there.

Thanks and regards,
Taz

answered 7 days ago
