In my AWS Organization, I have implemented Control Tower to manage certain key accounts. Meanwhile, I'm using the Security Hub console (in an Audit account as delegated administrator) to meet certain security standards. However, there are certain controls that are required by the standards, but which Control Tower prevents me from editing to address them.
For example, one standard includes the control SNS.1 - "SNS topics should be encrypted at-rest using AWS KMS." The topic raising the failure is " aws-controltower-AggregateSecurityNotifications" in the Audit account. When attempting to edit the topic, I get the error:
Error code: AuthorizationError - Error message: An error occurred while setting the attribute encryption. User: arn:aws:sts::<account>:assumed-role/ AWSReservedSSO_AdministratorAccess_9f45fff32654b3aa /<user> is not authorized to perform: SNS:SetTopicAttributes on resource: <topic arn> with an explicit deny in a service control policy
I cannot modify the SCPs or the underlying CloudFormation stacks, since that would break Control Tower.
How can I fully satisfy security controls such as this without disabling them?
Note: I am not using the root user. I'm an SSO-authenticated user with administrative privileges.
AWS OFFICIALUpdated 8 months ago
Thank you. I will do that. As a work-around, I realized that you can simply move the account outside the Control Tower-managed OU (to the root level), make the relevant changes to satisfy the controls, and then move it back into the OU. Control Tower sometimes triggers an alert detecting drift, but it does not break the service.