Questions tagged with AWS Control Tower

Content language: English

Sort by most recent

Browse through the questions and answers listed below or filter and sort to narrow down your results.

Policies applied on organization trail logs bucket created by AWS Tower

Hello, We just setup AWS Tower on our organization. Everything ran smoothly but we detected a strange policy applied by AWS Tower on the bucket responsible to aggregate Cloudtrail trails from all of our organization. This bucket is located on the Log Archive account of Tower architecture. The policy is : ``` { "Sid": "AWSBucketDeliveryForOrganizationTrail", "Effect": "Allow", "Principal": { "Service": "" }, "Action": "s3:PutObject", "Resource": [ "arn:aws:s3:::CLOUDTRAIL_BUCKET/ORGANIZATION_ID/AWSLogs/ORGANIZATION_ID/*" ] } ``` This policy allows `cloudtrail` service to push objects on the provided path. Out of curiosity, we tried to configure a Cloudtrail trail located on non-related AWS account (by non-related I mean an AWS account that doesn't belong to the AWS organization) to use this S3 path to push data on. And it worked. Is there any reason why this policy doesn't have a `condition` field to restrict access to accounts that belong to the organization like : ``` "Condition": { "StringEquals": { "aws:PrincipalOrgID": [ "ORGANIZATION_ID" ]} } } ``` Our Tower landing zone version is 3.0. This version enabled Organization-based trail instead of Account-based trails, so I think this policy exists since this version. I know there are some non easily guessable variables (like the Org ID and the bucket name) in the process, but as a compliance tool, AWS Tower should restrict access to the organization itself as it's restricted to it by design. Thanks for your time
asked 8 days ago