Control Tower CfCT "Insufficient read permissions on S3" error?

0

Hi all

I'd love to deploy a custom AWS Config Conformance Pack using AWS Control Tower Customization Framework (CfCT). In the cfn yaml template, I used an S3 bucket to upload a custom conformance pack file as follows:

Resources:
  FedRAMPConformancePack:
    Type: AWS::Config::ConformancePack
    Properties:
      ConformancePackName: !Ref ConformancePackName
      DeliveryS3Bucket: !Ref DeliveryS3Bucket
      TemplateS3Uri: !Ref TemplateS3Uri

I encountered an error:

"Insufficient read permissions on S3 URI: s3://[bucket-name]/[filename].yaml."

I used the following S3 bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::[bucket-name]/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalAccount": "[CT-management-account-id]"
                }
            }
        }
    ]
}

What could go wrong?

Thanks.

asked 14 days ago, 28 views
1 Answer
1
Accepted Answer

The issue you're encountering is likely related to insufficient permissions for AWS Config to access the S3 bucket containing your custom conformance pack template. There are a few things to consider:

  1. The S3 bucket policy you've provided allows access only from the Control Tower management account. However, AWS Config needs to access this bucket from the account where the conformance pack is being deployed, which may not be the management account.

  2. For organization-wide deployments, it's recommended to use a bucket name that starts with "awsconfigconforms-" and to include additional conditions in the bucket policy.

  3. The policy should allow both GetObject and PutObject permissions for AWS Config to work properly with conformance packs.

  4. It's a best practice to use the aws:SourceOrgID condition instead of aws:PrincipalAccount to restrict access to your organization.

  5. You should also include permissions for the AWS Config service-linked role.

Here's an improved bucket policy that addresses these issues:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowConfigAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::awsconfigconforms-[your-suffix]/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "[your-organization-id]"
                },
                "ArnLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
                }
            }
        },
        {
            "Sid": "AllowGetBucketAcl",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::awsconfigconforms-[your-suffix]",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "[your-organization-id]"
                },
                "ArnLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
                }
            }
        }
    ]
}

Make sure to replace [your-suffix] with an appropriate suffix for your bucket name and [your-organization-id] with your AWS Organizations ID. This policy allows the necessary permissions for AWS Config to access the bucket from any account within your organization, while still maintaining security by restricting access to your organization and the AWS Config service-linked role.
Sources
Prerequisite for Conformance Packs for AWS Config - AWS Config
Amazon S3 bucket policy in the audit account - AWS Control Tower
Permissions for the Amazon S3 Bucket for the AWS Config Delivery Channel - AWS Config

answered 14 days ago
EXPERT
reviewed 13 days ago
  • I removed the following condition, for future reference: "ArnLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms" }
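An added example, written for this thread and not part of the question, the answer, or any AWS-published code: a small linter that reads a bucket policy like the two above and reports the gaps the answer describes. It checks that every wildcard-principal statement is scoped by an organization or account condition (a bare `Principal: "*"` with no condition is a public grant), flags a policy scoped only to a single account with `aws:PrincipalAccount` (member accounts deploying the pack cannot read the template), and verifies the grants the answer says AWS Config needs (`s3:GetObject` and `s3:PutObject` on the objects, `s3:GetBucketAcl` on the bucket). The bucket names, organization id and account id in the sample policies are constructed placeholders; the `aws:SourceOrgID` key is included in the scoping-key list only because the answer mentions it.

```python
"""Lint an S3 bucket policy intended for AWS Config conformance packs.

Checks (derived from the answer in this thread):
  * every Allow statement with a wildcard principal carries an org/account
    scoping condition; otherwise it is a public grant;
  * a policy scoped only by aws:PrincipalAccount is reported, because the
    pack is read from the account it is deployed into;
  * the object grants (s3:GetObject, s3:PutObject) and the bucket grant
    (s3:GetBucketAcl) are present on the right resource ARNs.
"""
import json

REQUIRED_OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject"}
REQUIRED_BUCKET_ACTIONS = {"s3:GetBucketAcl"}
# Condition keys that scope a wildcard principal to an org or account.
SCOPING_KEYS = ("aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:SourceOrgID")


def _as_list(value):
    """IAM allows a string or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _scoping_keys(condition):
    """Return the org/account scoping keys found under any condition operator."""
    found = set()
    for operator_values in (condition or {}).values():
        found.update(k for k in operator_values if k in SCOPING_KEYS)
    return found


def lint_conformance_pack_bucket_policy(policy, bucket):
    """Return {'ok': bool, 'findings': [str]} for a parsed policy document."""
    object_arn = f"arn:aws:s3:::{bucket}/*"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    granted_object, granted_bucket, findings = set(), set(), []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        scope = _scoping_keys(stmt.get("Condition"))
        if _is_wildcard_principal(stmt.get("Principal")):
            if not scope:
                findings.append(f"{sid}: wildcard principal with no org/account condition (public grant)")
            elif scope == {"aws:PrincipalAccount"}:
                findings.append(f"{sid}: scoped to a single account; member accounts cannot read the template")
        if object_arn in resources:
            granted_object |= actions
        if bucket_arn in resources:
            granted_bucket |= actions
    for action in sorted(REQUIRED_OBJECT_ACTIONS - granted_object):
        findings.append(f"missing {action} on {object_arn}")
    for action in sorted(REQUIRED_BUCKET_ACTIONS - granted_bucket):
        findings.append(f"missing {action} on {bucket_arn}")
    return {"ok": not findings, "findings": findings}


# Constructed sample: the policy from the question, with placeholder values.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-conformance-bucket/*",
        "Condition": {"StringEquals": {"aws:PrincipalAccount": "111111111111"}},
    }],
}

# Constructed sample: the improved policy from the answer, after the ArnLike
# condition was removed as described in the comment, with placeholder values.
_ORG_CONDITION = {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}
IMPROVED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowConfigAccess", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::awsconfigconforms-example/*",
         "Condition": _ORG_CONDITION},
        {"Sid": "AllowGetBucketAcl", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::awsconfigconforms-example",
         "Condition": _ORG_CONDITION},
    ],
}

if __name__ == "__main__":
    for name, pol, bucket in (("original", ORIGINAL_POLICY, "example-conformance-bucket"),
                              ("improved", IMPROVED_POLICY, "awsconfigconforms-example")):
        print(name, json.dumps(lint_conformance_pack_bucket_policy(pol, bucket), indent=2))
```

Running it against the question's policy yields three findings (single-account scope, missing `s3:PutObject`, missing `s3:GetBucketAcl`), which is exactly the diagnosis in points 1 and 3 of the answer; the improved policy passes. The linter only inspects the bucket policy itself; it does not model the caller's identity policy, S3 Block Public Access or any organization SCPs, all of which also have to allow the read.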
