The issue you're encountering is likely related to insufficient permissions for AWS Config to access the S3 bucket containing your custom conformance pack template. There are a few things to consider:
- The S3 bucket policy you've provided allows access only from the Control Tower management account. However, AWS Config needs to access this bucket from the account where the conformance pack is being deployed, which may not be the management account.
- For organization-wide deployments, it's recommended to use a bucket name that starts with "awsconfigconforms-" and to include additional conditions in the bucket policy.
- The policy should allow both GetObject and PutObject permissions for AWS Config to work properly with conformance packs.
- It's a best practice to use the aws:SourceOrgID condition instead of aws:PrincipalAccount to restrict access to your organization.
- You should also include permissions for the AWS Config service-linked role.
Here's an improved bucket policy that addresses these issues:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowConfigAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::awsconfigconforms-[your-suffix]/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "[your-organization-id]"
        },
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
        }
      }
    },
    {
      "Sid": "AllowGetBucketAcl",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::awsconfigconforms-[your-suffix]",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "[your-organization-id]"
        },
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
        }
      }
    }
  ]
}
```
Make sure to replace [your-suffix] with an appropriate suffix for your bucket name and [your-organization-id] with your AWS Organizations ID. This policy allows the necessary permissions for AWS Config to access the bucket from any account within your organization, while still maintaining security by restricting access to your organization and the AWS Config service-linked role.
Sources
Prerequisite for Conformance Packs for AWS Config - AWS Config
Amazon S3 bucket policy in the audit account - AWS Control Tower
Permissions for the Amazon S3 Bucket for the AWS Config Delivery Channel - AWS Config
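To see what the two condition keys in the policy above actually admit, here is a small evaluator for just the `StringEquals` / `aws:PrincipalOrgID` and `ArnLike` / `aws:PrincipalArn` checks, written as an added illustration for this thread (it is not code from the answer or from AWS). It models the documented `ArnLike` rule that each of the six colon-delimited ARN components is matched on its own, so the `*` in the account field cannot spill into the role path. The bucket name, organization ID and account number are constructed placeholders, and the evaluator ignores explicit Deny, SCPs, identity policies and everything else in real IAM evaluation.

```python
"""Toy evaluator for the bucket-policy conditions discussed above.
Illustration only: no Deny handling, no SCPs, no identity policies."""
import copy
import fnmatch

# Constructed placeholders for the demo (hypothetical, not real identifiers).
BUCKET = "awsconfigconforms-demo"
ORG_ID = "o-exampleorgid"
SLR_PATTERN = ("arn:aws:iam::*:role/aws-service-role/"
               "config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms")

# Same shape as the policy in the answer, with the placeholders filled in.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowConfigAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringEquals": {"aws:PrincipalOrgID": ORG_ID},
                "ArnLike": {"aws:PrincipalArn": SLR_PATTERN},
            },
        },
        {
            "Sid": "AllowGetBucketAcl",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetBucketAcl",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {
                "StringEquals": {"aws:PrincipalOrgID": ORG_ID},
                "ArnLike": {"aws:PrincipalArn": SLR_PATTERN},
            },
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_like(pattern, arn):
    """ArnLike: split both sides into six colon-delimited components and match
    each component separately with '*' / '?' wildcards (case-sensitive)."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def condition_matches(condition, ctx):
    """All operator/key pairs must hold; a key missing from the request
    context makes the condition false (no ...IfExists variants here)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "ArnLike":
                ok = any(arn_like(p, actual) for p in _as_list(expected))
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """True if some Allow statement (Principal "*") covers the request."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") != "*":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_like(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


def without_operator(policy, operator):
    """Copy of the policy with one condition operator dropped from every statement."""
    new = copy.deepcopy(policy)
    for stmt in new["Statement"]:
        stmt.get("Condition", {}).pop(operator, None)
    return new


# Constructed request contexts: the conformance-pack service-linked role in a
# member account, an ordinary role in that account, and a foreign-org caller.
SLR_CTX = {
    "aws:PrincipalOrgID": ORG_ID,
    "aws:PrincipalArn": "arn:aws:iam::111122223333:role/aws-service-role/"
                        "config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms",
}
ADMIN_CTX = {"aws:PrincipalOrgID": ORG_ID,
             "aws:PrincipalArn": "arn:aws:iam::111122223333:role/Admin"}
OTHER_ORG_CTX = {**SLR_CTX, "aws:PrincipalOrgID": "o-someotherorg"}
OBJ = f"arn:aws:s3:::{BUCKET}/templates/pack.yaml"
BKT = f"arn:aws:s3:::{BUCKET}"
```

Running `is_allowed(POLICY, "s3:GetObject", OBJ, SLR_CTX)` returns True while the same call with `ADMIN_CTX` or `OTHER_ORG_CTX` returns False, and `is_allowed(POLICY, "s3:PutObject", BKT, SLR_CTX)` is False because the object statement only covers `bucket/*`. Evaluating `without_operator(POLICY, "ArnLike")` shows the trade-off of dropping the role condition: `ADMIN_CTX` is then allowed to read and write the templates, so the grant widens from one service-linked role to every principal in the organization.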
I removed the following condition, for future reference:
```json
"ArnLike": {
  "aws:PrincipalArn": "arn:aws:iam::*:role/aws-service-role/config-conforms.amazonaws.com/AWSServiceRoleForConfigConforms"
}
```