
we have a multi-account setup where we deployed an organizational-level CloudTrail in our root account's Control Tower.

Organizational-level CloudTrail allows us to deploy CloudTrail in each of our respective accounts and provides them the ability to send logs to CloudWatch in our Root account and to an S3 logging bucket in our central logging account.

Now I have AWS Athena set up in our logging account to try and run queries on the logs generated through our organizational-level CloudTrail deployment. So far, I have managed to create the Athena Table that is built on the mentioned logging bucket and I also created a destination bucket for the query results.

When I try to run a simple "preview table" query, I get the following error:

Permission denied on S3 path: s3://BUCKET_NAME/PREFIX/AWSLogs/LOGGING_ACCOUNT_NUMBER/CloudTrail/LOGS_DESTINATION This query ran against the "default" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: f72e7dbf-929c-4096-bd29-b55c6c41f582

I figured that the error is caused by the logging bucket's policy lacking any statement allowing Athena access, but when I try to edit the bucket policy I get the following error:

Your bucket policy changes can’t be saved: You either don’t have permissions to edit the bucket policy, or your bucket policy grants a level of public access that conflicts with your Block Public Access settings. To edit a bucket policy, you need s3:PutBucketPolicy permissions. To review which Block Public Access settings are turned on, view your account and bucket settings. Learn more about Identity and access management in Amazon S3

This is strange since the role I am using has full admin access to this account.

Please advise.

Thanks in advance!

1 Answer


I see this is a follow-up question to your previous one: S3 Permission denied when using Athena

Control Tower automatically deploys a guardrail which prohibits updating the aws-controltower bucket policy.

In your master account, go to AWS Organizations. Then, go to your Security OU. Then go to Policies tab. You should see 2 guardrail policies:


One of them will contain this policy:

{
  "Condition": {
    "ArnNotLike": {
      "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
    }
  },
  "Action": [
    "s3:PutBucketPolicy",
    "s3:DeleteBucketPolicy"
  ],
  "Resource": [
    "arn:aws:s3:::aws-controltower*"
  ],
  "Effect": "Deny",
  "Sid": "GRCTAUDITBUCKETPOLICYCHANGESPROHIBITED"
},

Add these principals below AWSControlTowerExecution:

arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSAdministratorAccess*
arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AdministratorAccess*

Your condition should look like this:

"Condition": {
  "ArnNotLike": {
    "aws:PrincipalArn": [
      "arn:aws:iam::*:role/AWSControlTowerExecution",
      "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSAdministratorAccess*",
      "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AdministratorAccess*"
    ]
  }
},

You should be able to update the bucket after this is applied.

Amir Asyraf
  • Thanks for this. I added those principals to the policy but got the following error: "You have exceeded the maximum policy size." – Tegue Morrison Jan 30 '23 at 13:14
  • Yeah that policy is already pretty big. SCP has a maximum size. Try moving that bucket policy statement to the other guardrail. – Amir Asyraf Jan 30 '23 at 13:34
  • Ok, I just temporarily removed that statement and I seem to be able to update the bucket policy now, I've tried going with a simple allow statement to the principal "athena.amazonaws.com", I get an "invalid principal" error, any thoughts? – Tegue Morrison Jan 30 '23 at 16:56
  • Sorry, you don't need to add athena principal. Your policy should allow your current user access to the S3 bucket – Amir Asyraf Jan 31 '23 at 06:42
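Added example (not part of the question, the answer or any AWS-provided code): the edit the answer describes, done as a script so the new principals are merged into the guardrail statement's ArnNotLike list without duplicates, with the document measured against the SCP size quota before it is saved, since the comment thread ran into "You have exceeded the maximum policy size". It also builds the bucket-policy Allow statement the last comment calls for (grant the role that runs the queries, not an athena.amazonaws.com principal). Assumptions: the 5120-byte SCP quota and the compact-serialisation measurement are the example's own and should be checked against the current AWS Organizations quotas; the set of S3 actions Athena needs and the role ARN, bucket name and prefix in the usage code are placeholders; SAMPLE_SCP is a constructed minimal policy containing only the statement quoted above.

```python
"""Merge exempt principals into a Control Tower guardrail SCP statement and
check the result against the SCP size quota before saving it.

Added example; not code from the question, the answer or AWS."""
import copy
import json

# SCP document size quota in bytes. 5120 is this example's assumption;
# verify it against the current AWS Organizations quotas.
SCP_MAX_BYTES = 5120

# Sid of the guardrail statement quoted in the answer.
GUARDRAIL_SID = "GRCTAUDITBUCKETPOLICYCHANGESPROHIBITED"

# Constructed minimal SCP holding only the quoted statement; the real
# guardrail policy carries many more statements, which is why it is near the quota.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
                }
            },
            "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
            "Resource": ["arn:aws:s3:::aws-controltower*"],
            "Effect": "Deny",
            "Sid": GUARDRAIL_SID,
        }
    ],
}

# The two IAM Identity Center administrator role patterns given in the answer.
SSO_ADMIN_ARNS = [
    "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSAdministratorAccess*",
    "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AdministratorAccess*",
]


def _principal_arn_key(block):
    # IAM condition keys are case-insensitive, so accept aws:PrincipalARN,
    # aws:PrincipalArn, etc., whichever spelling the stored policy uses.
    for key in block:
        if key.lower() == "aws:principalarn":
            return key
    raise KeyError("no aws:PrincipalArn key in ArnNotLike block")


def add_exempt_principals(scp, sid, new_arns):
    """Return a copy of `scp` whose statement `sid` also exempts `new_arns`.

    The existing value may be a single string or a list; the result is always
    a list with the original order kept and duplicates dropped."""
    updated = copy.deepcopy(scp)
    for stmt in updated["Statement"]:
        if stmt.get("Sid") != sid:
            continue
        block = stmt["Condition"]["ArnNotLike"]
        key = _principal_arn_key(block)
        current = block[key]
        arns = [current] if isinstance(current, str) else list(current)
        for arn in new_arns:
            if arn not in arns:
                arns.append(arn)
        block[key] = arns
        return updated
    raise KeyError(f"statement {sid!r} not found in policy")


def scp_size_bytes(scp):
    """Policy size in UTF-8 bytes when serialised without whitespace.

    This is the smallest the document can be; if even this exceeds the quota
    the policy cannot be saved, and the statement must move to another SCP
    as the comment thread suggests."""
    return len(json.dumps(scp, separators=(",", ":")).encode("utf-8"))


def fits_scp_quota(scp):
    return scp_size_bytes(scp) <= SCP_MAX_BYTES


def athena_reader_statement(role_arn, bucket, prefix):
    """Bucket-policy statement granting the role that runs the Athena queries
    read access to the CloudTrail objects. The action set is this example's
    assumption of what Athena needs; the caller supplies the real ARN/bucket."""
    return {
        "Sid": "AthenaQueryRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/{prefix}*"],
    }


if __name__ == "__main__":
    new_scp = add_exempt_principals(SAMPLE_SCP, GUARDRAIL_SID, SSO_ADMIN_ARNS)
    print(json.dumps(new_scp, indent=2))
    print(f"{scp_size_bytes(new_scp)} bytes; within quota: {fits_scp_quota(new_scp)}")
    # Placeholder values; substitute the real query role, bucket and prefix.
    print(json.dumps(athena_reader_statement(
        "arn:aws:iam::111111111111:role/PLACEHOLDER_QUERY_ROLE",
        "PLACEHOLDER_LOGGING_BUCKET", "PREFIX/AWSLogs/"), indent=2))
```

Run it against the exported guardrail SCP (replace SAMPLE_SCP with the JSON from the Organizations console) before pasting the edited document back; if scp_size_bytes reports more than the quota even in compact form, the extra bytes have to come out of that SCP rather than from whitespace.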