Conflicts Between Control Tower and Security Controls


In my AWS Organization, I have implemented Control Tower to manage certain key accounts. Meanwhile, I'm using the Security Hub console (in an Audit account as delegated administrator) to meet certain security standards. However, there are certain controls that are required by the standards, but which Control Tower prevents me from editing to address them.

For example, one standard includes the control SNS.1 - "SNS topics should be encrypted at-rest using AWS KMS." The topic raising the failure is "aws-controltower-AggregateSecurityNotifications" in the Audit account. When attempting to edit the topic, I get the error:

Error code: AuthorizationError - Error message: An error occurred while setting the attribute encryption. User: arn:aws:sts::<account>:assumed-role/ AWSReservedSSO_AdministratorAccess_9f45fff32654b3aa /<user> is not authorized to perform: SNS:SetTopicAttributes on resource: <topic arn> with an explicit deny in a service control policy

I cannot modify the SCPs or the underlying CloudFormation stacks, since that would break Control Tower.

How can I fully satisfy security controls such as this without disabling them?

Note: I am not using the root user. I'm an SSO-authenticated user with administrative privileges.
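Before filing a ticket or touching any OU, it helps to separate SNS.1 findings you can fix yourself from those that sit behind Control Tower's SCP. The script below is an added example, not code from the question or from AWS; it assumes Control Tower-owned topics share the "aws-controltower-" name prefix seen above, and the sample ARNs and account id are constructed.

```python
"""Triage Security Hub SNS.1 (topics encrypted at rest with KMS) in one account:
which topics lack a KMS key, and which of those are Control Tower owned, where
Control Tower's SCP, not the account admin, blocks SetTopicAttributes."""

# Assumption: Control Tower names its topics with this prefix, as the topic in
# the question ("aws-controltower-AggregateSecurityNotifications") does.
CONTROL_TOWER_PREFIX = "aws-controltower-"

def is_control_tower_topic(topic_arn: str) -> bool:
    """Topic name is the last ARN field: arn:aws:sns:<region>:<acct>:<name>."""
    return topic_arn.rsplit(":", 1)[-1].startswith(CONTROL_TOWER_PREFIX)

def triage(topics: dict) -> dict:
    """topics: TopicArn -> the 'Attributes' dict from GetTopicAttributes.
    Buckets: compliant (KmsMasterKeyId set), fix_in_account (admin can set a
    key), control_tower_scp (the SCP explicitly denies SetTopicAttributes)."""
    buckets = {"compliant": [], "fix_in_account": [], "control_tower_scp": []}
    for arn, attrs in topics.items():
        if attrs.get("KmsMasterKeyId"):       # SNS.1 passes only with a KMS key
            buckets["compliant"].append(arn)
        elif is_control_tower_topic(arn):
            buckets["control_tower_scp"].append(arn)
        else:
            buckets["fix_in_account"].append(arn)
    return buckets

def fetch_topics(region: str = "us-east-1") -> dict:
    """Live variant (needs AWS credentials); boto3 is imported here so the
    offline classification above works without the SDK installed."""
    import boto3
    sns = boto3.client("sns", region_name=region)
    topics = {}
    for page in sns.get_paginator("list_topics").paginate():
        for t in page["Topics"]:
            arn = t["TopicArn"]
            topics[arn] = sns.get_topic_attributes(TopicArn=arn)["Attributes"]
    return topics

# Constructed sample: two unencrypted topics (one Control Tower owned) and one
# encrypted with the AWS managed SNS key.
SAMPLE = {
    "arn:aws:sns:us-east-1:111122223333:aws-controltower-AggregateSecurityNotifications": {},
    "arn:aws:sns:us-east-1:111122223333:team-alerts": {"DisplayName": "team"},
    "arn:aws:sns:us-east-1:111122223333:billing": {"KmsMasterKeyId": "alias/aws/sns"},
}

if __name__ == "__main__":
    for bucket, arns in triage(SAMPLE).items():
        print(bucket, arns)
```

Run `triage(fetch_topics("<region>"))` against the Audit account to get the live split; the control_tower_scp bucket is the list to hand to AWS Support.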

1 Answer

This seems to be a bug. I'd address it by raising a support ticket: since AWS Control Tower is a supported product and the Controls are part of it, the team should be able to address the bug and provide a workaround and/or fix.

AWS
answered 3 months ago
  • Thank you. I will do that. As a work-around, I realized that you can simply move the account outside the Control Tower-managed OU (to the root level), make the relevant changes to satisfy the controls, and then move it back into the OU. Control Tower sometimes triggers an alert detecting drift, but it does not break the service.
