This has been addressed in our latest Control Tower Landing Zone version 3.3. Release note here:
We have modified the Amazon S3 Audit bucket policy that AWS Control Tower deploys in accounts, so that an aws:SourceOrgID condition must be met for any write permissions. With this release, AWS services have access to your resources only when the request originates from your organization or organizational unit (OU). You can use the aws:SourceOrgID condition key and set the value to your organization ID in the condition element of your S3 bucket policy. This condition ensures that CloudTrail can only write logs on behalf of accounts within your organization to your S3 bucket; it prevents CloudTrail logs outside your organization from writing to your AWS Control Tower S3 bucket.
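As an added illustration (not the Control Tower policy itself, nor code from the answer above), the following script embeds a constructed "before" bucket policy statement that lets the CloudTrail service principal write without any organization scoping, derives the "after" statement by adding the aws:SourceOrgID condition described above, and runs a small offline check that flags any Allow statement granting a service principal write access without that condition. The bucket ARN and organization ID are placeholders.

```python
import json

# Constructed sample: a CloudTrail write grant with no organization scoping.
# Bucket name and organization ID are placeholders, not real values.
BUCKET_ARN = "arn:aws:s3:::EXAMPLE-audit-bucket"
ORG_ID = "o-exampleorgid"

BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSCloudTrailWrite",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": f"{BUCKET_ARN}/*",
    }],
}

# Hardened form: same grant, but the request must originate from our org.
AFTER = json.loads(json.dumps(BEFORE))
AFTER["Statement"][0]["Condition"] = {
    "StringEquals": {"aws:SourceOrgID": ORG_ID}
}

# Actions that can place objects in the bucket (compared case-insensitively).
WRITE_ACTIONS = {"s3:putobject", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def unscoped_write_statements(policy):
    """Return Sids of Allow statements that give a service principal (or '*')
    a write action on the bucket without an aws:SourceOrgID condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        is_service = isinstance(principal, dict) and "Service" in principal
        if not (principal == "*" or is_service):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & WRITE_ACTIONS:
            continue
        condition = stmt.get("Condition", {})
        keys = {k.lower() for operator in condition.values() for k in operator}
        if "aws:sourceorgid" not in keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Pointing the check at a policy fetched with `aws s3api get-bucket-policy` gives a quick way to confirm an audit bucket received the updated statement.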