I am following the documented procedure to use a delegated administrator to deploy organisation-wide conformance packs:
https://aws.amazon.com/blogs/mt/deploy-aws-config-rules-and-conformance-packs-using-a-delegated-admin/
When using the delegated account to put the packs, I get an error:
An error occurred (InsufficientPermissionsException) when calling the PutOrganizationConformancePack operation: Insufficient permission to get S3 bucket ACL for awsconfigconforms-company-org
The only way to make it work so far is to add this policy statement to allow the delegated account access to the ACL on the bucket:
{
    "Sid": "DelegatedAdministratorAllowGetBucketAcl",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::123456789:root"
    },
    "Action": "s3:GetBucketAcl",
    "Resource": "arn:aws:s3:::awsconfigconforms-company-org",
    "Condition": {
        "StringEquals": {
            "aws:PrincipalOrgID": "o-123456"
        }
    }
}
Is this how I can resolve the permission issue? Or is there a better way to give cross account access to the bucket in the master account?
Also: is it expected that the conformance packs are created in the delegated account and not in the master account? aws configservice describe-organization-conformance-packs lists them for the delegated one; I guess that's expected as I'm delegating?
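As an added illustration (not code from the question or from AWS), the check below parses a bucket policy of the shape shown above and reports whether it grants s3:GetBucketAcl on the conformance-pack bucket to the delegated administrator account, and whether every such grant is pinned to the organisation through an aws:PrincipalOrgID condition. The account id, organisation id and bucket name in the sample policy are constructed placeholders; the bucket name is the one from the error message.

```python
"""Static check of an S3 bucket policy for the delegated-administrator
s3:GetBucketAcl grant discussed above.

Added example, not code from the question or from AWS.  Account id,
organisation id and bucket name are constructed placeholders."""
import json

BUCKET = "awsconfigconforms-company-org"   # bucket named in the error message
DELEGATED_ACCOUNT = "123456789012"        # constructed placeholder account id
ORG_ID = "o-123456"                       # constructed placeholder org id

# Constructed sample policy in the shape the question shows.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegatedAdministratorAllowGetBucketAcl",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{DELEGATED_ACCOUNT}:root"},
            "Action": "s3:GetBucketAcl",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
        }
    ],
})


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_ids(principal):
    """Return the principal strings of a statement's Principal element."""
    if principal == "*" or isinstance(principal, str):
        return [principal]
    ids = []
    for key in ("AWS", "Service", "Federated"):
        ids.extend(_as_list(principal.get(key)))
    return ids


def find_get_bucket_acl_grants(policy_json, bucket):
    """Return the Allow statements that grant s3:GetBucketAcl (or a wildcard
    covering it) on the bucket ARN, with their principals and any
    aws:PrincipalOrgID values they are conditioned on."""
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    grants = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("*", "s3:*", "s3:Get*", "s3:GetBucketAcl") for a in actions):
            continue
        # GetBucketAcl is a bucket-level action, so only bucket ARNs or wildcards count.
        resources = _as_list(stmt.get("Resource"))
        if not any(r in ("*", "arn:aws:s3:::*", bucket_arn) for r in resources):
            continue
        cond = stmt.get("Condition", {})
        org_ids = _as_list(cond.get("StringEquals", {}).get("aws:PrincipalOrgID"))
        grants.append({
            "sid": stmt.get("Sid"),
            "principals": _principal_ids(stmt.get("Principal", {})),
            "org_ids": org_ids,
        })
    return grants


def delegated_admin_can_get_acl(policy_json, bucket, account_id, org_id):
    """Return (ok, reasons).  ok is True when at least one Allow statement
    names the delegated account (or is open to any principal) for
    s3:GetBucketAcl on the bucket and every such grant is scoped to org_id."""
    wanted = f"arn:aws:iam::{account_id}:root"
    reasons = []
    matched = False
    for g in find_get_bucket_acl_grants(policy_json, bucket):
        if not any(p in ("*", wanted, account_id) for p in g["principals"]):
            continue
        matched = True
        if org_id not in g["org_ids"]:
            reasons.append(f"{g['sid']}: grant not limited to {org_id} via aws:PrincipalOrgID")
    if not matched:
        reasons.append(f"no Allow statement grants s3:GetBucketAcl on {bucket} to {wanted}")
    return (matched and not reasons), reasons


if __name__ == "__main__":
    ok, why = delegated_admin_can_get_acl(SAMPLE_POLICY, BUCKET, DELEGATED_ACCOUNT, ORG_ID)
    print("grant present and org-scoped" if ok else "problem: " + "; ".join(why))
```

The check deliberately flags a statement that grants the action without the organisation condition, since that is the difference between "this account in my org may read the ACL" and "this account id, whoever owns it, may read the ACL".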
AWS Config is listed as a compatible service.
AWSServiceRoleForConfigMultiAccountSetup is a service-linked role, so I cannot change its permissions/policies. I guess I can modify the permissions/policies of the user executing PutOrganizationConformancePack; however, that's running through SSO in our case. So I believe my user is assuming a role that's then assuming the service-linked role. I'll need to do more reading on that topic.