...
* If the S3 bucket is encrypted with a KMS key (SSE-KMS), grant Cloudaware permission to decrypt it. Create a custom policy for the existing Cloudaware role at the account level, in the account where the log bucket is located. The example below is such a policy: in addition to the s3:ListBucket and s3:GetObject permissions needed to read the logs, it grants kms:Decrypt and kms:DescribeKey on the key that encrypts the bucket. Replace <REGION>, <BUCKET_ID> (the account ID that appears in the Control Tower bucket names; the account portion of the key ARN must be the account that owns the key) and <KEY_PLACEHOLDER> (the KMS key ID) with your values. Two points to check: an IAM policy alone is not enough for KMS, so the key policy must also let the role use the key, either by delegating to IAM for the key's own account (the default key policy's "Enable IAM User Permissions" statement) or by listing the role explicitly, which is required when the role and the key are in different accounts; and if the bucket uses SSE-S3 rather than SSE-KMS, no KMS permissions are needed at all.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessToKMSCloudtrailBucket",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:<REGION>:<BUCKET_ID>:key/<KEY_PLACEHOLDER>"
    },
    {
      "Sid": "AllowAccessToLogsBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>",
        "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>/*",
        "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>/*"
      ]
    }
  ]
}
```
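The following is an added example, not Cloudaware's code or part of the original page. It fills the placeholders of the policy above from real identifiers and checks the result with a deliberately simplified IAM evaluator (explicit Deny wins, then any matching Allow, otherwise implicit deny; only Action and Resource are modelled, so Condition, NotAction, the KMS key policy, SCPs and permission boundaries are out of scope). It also lints for the mistakes people make when adapting the policy: wildcard actions or resources, s3:GetObject without the trailing /*, and s3:ListBucket with it. The account ID, region and key ID used below are constructed sample values, and the Sid on the third statement is added here for readability.

```python
"""Added example (not Cloudaware's code): build the Cloudaware decrypt policy for
real identifiers and sanity-check it with a simplified IAM policy evaluator.

Assumptions: only Allow/Deny statements with Action and Resource are modelled;
Condition, NotAction/NotResource, the KMS key policy, SCPs and permission
boundaries are out of scope. All identifiers in __main__ are constructed samples.
"""
import json
import re


def build_policy(account_id: str, region: str, key_id: str) -> dict:
    """Return the page's policy with its placeholders filled in.

    account_id: owner of the Control Tower log buckets and of the KMS key
    region:     region the buckets and the key live in
    key_id:     KMS key ID (the UUID part of the key ARN)
    """
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    buckets = [
        f"arn:aws:s3:::aws-controltower-s3-access-logs-{account_id}-{region}",
        f"arn:aws:s3:::aws-controltower-logs-{account_id}-{region}",
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAccessToKMSCloudtrailBucket",
                "Effect": "Allow",
                "Action": ["kms:Decrypt", "kms:DescribeKey"],
                "Resource": f"arn:aws:kms:{region}:{account_id}:key/{key_id}",
            },
            {
                "Sid": "AllowAccessToLogsBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": buckets,  # bucket-level action: bucket ARN, no /*
            },
            {
                "Sid": "AllowGetObjectFromLogsBucket",  # Sid added in this example
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [b + "/*" for b in buckets],  # object-level: needs /*
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: explicit Deny wins, then any Allow, else implicit deny.
    Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lint_policy(policy: dict) -> list:
    """Flag the common mistakes made when adapting the decrypt policy."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        if any(a in ("*", "s3:*", "kms:*") for a in actions):
            findings.append(f"{sid}: wildcard action grants far more than read access")
        if "*" in resources:
            findings.append(f"{sid}: wildcard resource, scope to the log buckets/key")
        if "s3:GetObject" in actions and any(not r.endswith("/*") for r in resources):
            findings.append(f"{sid}: s3:GetObject needs object ARNs (bucket-arn/*)")
        if "s3:ListBucket" in actions and any("/" in r.split(":::", 1)[-1] for r in resources):
            findings.append(f"{sid}: s3:ListBucket applies to the bucket ARN, not to objects")
    return findings


if __name__ == "__main__":
    # Constructed sample identifiers, not real ones.
    policy = build_policy("111122223333", "us-east-1", "1234abcd-12ab-34cd-56ef-1234567890ab")
    print(json.dumps(policy, indent=2))
    bucket = "arn:aws:s3:::aws-controltower-logs-111122223333-us-east-1"
    print("list bucket:", is_allowed(policy, "s3:ListBucket", bucket))
    print("get object:", is_allowed(policy, "s3:GetObject", bucket + "/AWSLogs/x.json.gz"))
    print("put object:", is_allowed(policy, "s3:PutObject", bucket + "/AWSLogs/x.json.gz"))
    print("lint findings:", lint_policy(policy))
```

The evaluator is only a local sanity check on the policy document; the authoritative test is to assume the Cloudaware role and run `aws s3 cp` against an object in the bucket, which exercises the KMS key policy as well.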
...