ControlTower | Rack-based Web Application Server for MacRuby
kandi X-RAY | ControlTower Summary
kandi X-RAY | ControlTower Summary
Rack-based Web Application Server for MacRuby
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of ControlTower
ControlTower Key Features
ControlTower Examples and Code Snippets
Community Discussions
Trending Discussions on ControlTower
QUESTION
I have a AWS S3 bucket in account A, This bucket was created by AWS Control Tower. And used for collecting logs from all other account in my org,
I was trying to understand the bucket policy which is something like this
...ANSWER
Answered 2022-Mar-30 at 14:01"Resource": "arn:aws:s3:::aws-controltower-logs-12345656-us-east-1/o-1234/AWSLogs/*/*"
The 1st "*" enables all account numbers.
QUESTION
We were having issues with the AWS Managed Guardrail "Disallow Changes to Encryption Configuration for Amazon S3 Buckets" which has a Deny for "s3:PutEncryptionConfiguration".
This prevented us from adding encryption to a bucket when the bucket is first created.
Ideally, we want to ensure that encryption cannot be deleted once applied. I modified the policy to Deny deleting the encryption.
However, when disabling encryption, I am not being stopped as expected. I do see the call in CloudTrail. I don't understand why the SCP is not preventing the action.
SCP:
...ANSWER
Answered 2021-Sep-05 at 01:59There is no IAM action
QUESTION
We have applied the guardrails mentioned in this posting, AWS Preventive S3 Guardrails. 1. Unfortunately, we are not getting the anticipated outcome. We applied the Disallow Changes to Encryption Configuration for Amazon S3 Buckets 2.
The SCP has a DENY for s3:PutEncryptionConfiguration, with a condition excepting the arn:aws:iam::*:role/AWSControlTowerExecution role.
The issue is that anyone can create an S3 bucket, which is acceptable. However, when creating the bucket either in the console or via CloudFormation and attempting to specify encryption either SSE or KMS an error is generated and the bucket created without encryption.
Ideally we need to have anyone be able to create an S3 bucket and enable encryption. What we were hoping that this SCP would do would be to prevent removing encryption once applied to the bucket.
We are anticiapting similar issues with the other guardrails mentioned in the article:
Disallow Changes to Encryption Configuration for all Amazon S3 Buckets [Previously: Enable Encryption at Rest for Log Archive] Disallow Changes to Logging Configuration for all Amazon S3 Buckets [Previously: Enable Access Logging for Log Archive] Disallow Changes to Bucket Policy for all Amazon S3 Buckets [Previously: Disallow Policy Changes to Log Archive] Disallow Changes to Lifecycle Configuration for all Amazon S3 Buckets [Previously: Set a Retention Policy for Log Archive]
Has anyone encountered this issue? What would be the best way to implement allowing the buckets be created with the needed encryption, logging, bucket policy and lifecycle and once created disallowing removal or changes after the bucket was created?
...ANSWER
Answered 2021-Sep-01 at 20:09I'm afraid scp's dont offer the flexibility you need, simply because the condition keys you need are not present in the api calls. There is not a policy that says "allow createbucket with the condition that it has encryption enabled".
I've worked in various platform teams for corporates to implement these types of controls and have encountered these limitations many times. Basically there are three strategies:
- Detective compliance
- Corrective compliance
- Preventive compliance
First make sure you have visibility over how stuff is configured. You can use aws config rules for this. There are definitely rules out there that check s3 buckets for encryption settings. Make sure to centralize the results of these rules using a aws config aggregator in your security account. After detection you can manually follow up on detected misconfigurations (or automate this when running at scale).
If you also like to correct mistakes you can use aws config auto remediation actions. Also various open source tools are available to help you with this. An often used one is cloud custodian with the c7n-org plugin. Also many commercial offerimgs exist but are quite expensive.
With scp's or iam policies you can prevent someone from doing stuff which is a bit lower risk than correcting misconfigurations after they happened. However, it's also very inflexible, policies can get complex real quickly and it also it doesnt tell the user why he cant do something. Often, scp's are only used for the very simple tasks (e.g. no iam users may be created) or blocking actions outside or certain regions.
I'd opt for making sure you detect stuff properly first, then see if you can either correct or prevent it.
Edit: If you have mature teams that only use ci/cd and infra as code you can also make sure your security controls are implemented using tools like cfn-guard in a pipeline build stage. Simply fail the build if their templates are not up to standards.
Edit2: to get back on your question: for some actions it's possible to prevent using scp's if there is a separate api for disabling stuff like a 'DisableEncryption' action. However for most actions it's a PutEncryptionSetting-like action and you cant really tell if its being enabled or disabled.
QUESTION
Aws best practices recommends to secure aws accounts by disallowing account access with root user credentials.
this is the template they provide with
...ANSWER
Answered 2021-Apr-16 at 17:46It might be that your account where this SCP is not working is your management (formerly called master) account.
According to the docs:
Important: SCPs don't affect users or roles in the management account. They affect only the member accounts in your organization.
QUESTION
Is there a way to create a cloudformation script which enables EBS encryption by default for all organizations? There is a aws config rule for this what I am looking for a remediation for this config rule. https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#ebs-enable-encryption
...ANSWER
Answered 2020-Oct-13 at 03:21This is currently not possible via CloudFormation. https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/158
Alternatively, you can enforce the policy that only encrypted EBS volumes can be created or attached by adding the following IAM policy statement:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install ControlTower
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page