This has been addressed in our latest Control Tower Landing Zone version 3.3. Release note here:
We have modified the Amazon S3 Audit bucket policy that AWS Control Tower deploys in accounts, so that an aws:SourceOrgID condition must be met for any write permissions. With this release, AWS services have access to your resources only when the request originates from your organization or organizational unit (OU). You can use the aws:SourceOrgID condition key and set the value to your organization ID in the condition element of your S3 bucket policy. This condition ensures that CloudTrail can only write logs on behalf of accounts within your organization to your S3 bucket; it prevents CloudTrail logs from outside your organization from being written to your AWS Control Tower S3 bucket.