...
* If the S3 bucket is encrypted, please grant Cloudaware decrypt permissions. You can create a custom policy for the existing Cloudaware role, or in the AWS account where the S3 bucket with logs is stored. Below is an example policy, applied as a custom policy to the Cloudaware role at the account level where the log bucket is located, that grants read access to the encryption key. In addition to the necessary `list*` and `get*` permissions on the bucket, the policy grants decrypt permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessToKMSCloudtrailBucket",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:<REGION>:<BUCKET_ID>:key/<KEY_PLACEHOLDER>"
    },
    {
      "Sid": "AllowAccessToLogsBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>",
        "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>/*",
        "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>/*"
      ]
    }
  ]
}
```
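The following is an added example, not Cloudaware's own code or tooling: an offline lint of the policy above that checks it keeps the least-privilege shape the text describes (KMS actions scoped to a single key ARN, `s3:ListBucket` on bucket ARNs, `s3:GetObject` on object ARNs, no wildcard actions or resources, and all four required actions present). The region, account ID and key ID are constructed sample values standing in for the page's `<REGION>`, `<BUCKET_ID>` and `<KEY_PLACEHOLDER>` placeholders.

```python
"""Offline sanity check for the Cloudaware log-bucket read policy.

Added example (not Cloudaware's code). It verifies that an IAM policy
document matches the least-privilege shape described on the page:
  * kms:Decrypt / kms:DescribeKey target a specific key ARN, not "*"
  * s3:ListBucket applies to bucket ARNs (no trailing "/*")
  * s3:GetObject applies to object ARNs (trailing "/*")
  * no wildcard actions or resources anywhere
  * all four required actions are granted
"""
import json

# Constructed sample values standing in for the page's placeholders.
REGION = "us-east-1"
ACCOUNT_ID = "111122223333"          # stands in for <BUCKET_ID>
KEY_ID = "12345678-aaaa-bbbb-cccc-123456789012"  # stands in for <KEY_PLACEHOLDER>

# The page's policy with the placeholders substituted.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAccessToKMSCloudtrailBucket", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/{KEY_ID}"},
        {"Sid": "AllowAccessToLogsBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::aws-controltower-s3-access-logs-{ACCOUNT_ID}-{REGION}",
                      f"arn:aws:s3:::aws-controltower-logs-{ACCOUNT_ID}-{REGION}"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::aws-controltower-s3-access-logs-{ACCOUNT_ID}-{REGION}/*",
                      f"arn:aws:s3:::aws-controltower-logs-{ACCOUNT_ID}-{REGION}/*"]},
    ],
}

REQUIRED_ACTIONS = {"kms:Decrypt", "kms:DescribeKey", "s3:ListBucket", "s3:GetObject"}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy has the expected shape."""
    findings = []
    granted = set()
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            granted.add(action)
        for res in resources:
            if res == "*":
                findings.append(f"statement {i}: wildcard resource")
            is_s3 = res.startswith("arn:aws:s3:::")
            if "s3:ListBucket" in actions and is_s3 and res.endswith("/*"):
                findings.append(f"statement {i}: s3:ListBucket needs a bucket ARN, got {res!r}")
            if "s3:GetObject" in actions and is_s3 and not res.endswith("/*"):
                findings.append(f"statement {i}: s3:GetObject needs an object ARN (/*), got {res!r}")
            if any(a.startswith("kms:") for a in actions) and ":key/" not in res:
                findings.append(f"statement {i}: kms actions should target a key ARN, got {res!r}")
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append(f"missing actions: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(lint_policy(POLICY) or "policy OK")
```

One caveat when applying this in practice: an identity policy like the one above is only half of the KMS authorization decision. If the log bucket uses a customer-managed KMS key, the key's own key policy must also allow the Cloudaware role (or delegate to IAM in the key-owning account); otherwise `kms:Decrypt` is denied even though the role policy grants it.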
...