Niko Virtala

September 27, 2021

Using AWS IAM Access Analyzer policy generation on AWS Organization created with AWS Control Tower – not possible?

We are in the process of setting up a new AWS Organization for my customer. We chose to create it using AWS Control Tower; the experience has been smooth so far and has saved us a lot of effort compared to other approaches – great!


Until now.


Setting up user access, especially writing the policies, is time-consuming. To keep our effort to a minimum, we decided to use AWS IAM Access Analyzer and its policy generation feature. Only to learn that it is not, or maybe not, possible in our setup.


AWS Control Tower Documentation says the following:


To use AWS Control Tower, you must not modify or delete these AWS Control Tower managed resources outside of the supported methods described in this guide.


And that's where the problem lies. – The S3 bucket holding the organization CloudTrail logs is created and managed by AWS Control Tower, and to enable policy generation, the bucket policy of this bucket has to be modified to allow the Access Analyzer service roles in the member accounts, and thus the access-analyzer.amazonaws.com service, to get objects from the bucket.


I'm seeking to answer this question: what can we do to fix or work around this issue and get the policy generation working?


The required change itself is relatively simple: add another policy statement, described in the Access Analyzer policy generation documentation, to the AWSControlTowerLoggingResources StackSet template, and add another StackSet to deploy the required service role to the Organization member accounts.
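As an added illustration (not from the post, and not Control Tower's own template), here is the shape such a statement takes for an organization trail, together with a small evaluator that checks it stays scoped: only the Access Analyzer service role of an account inside the organization can read, and only that account's own prefix. The role name pattern, the organization ID and the bucket name are assumptions or constructed sample values.

```python
import fnmatch

# Constructed sample values, not taken from the post or from any real account
ORG_ID = "o-exampleorgid"
LOG_BUCKET = "aws-controltower-logs-EXAMPLE"
# Assumed name pattern of the Access Analyzer policy generation service role
ANALYZER_ROLE_PATTERN = "arn:aws:iam::*:role/service-role/AccessAnalyzerMonitorServiceRole*"


def policy_generation_statement(bucket, org_id):
    """Statement to add to the log bucket policy. The principal is a wildcard,
    but the conditions confine it to the Access Analyzer service role of any
    account in the organization, and ${aws:PrincipalAccount} in the resource
    confines each such role to its own account's prefix of the organization trail."""
    return {
        "Sid": "AccessAnalyzerPolicyGeneration",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{org_id}/${{aws:PrincipalAccount}}/*",
        "Condition": {
            "StringEquals": {"aws:PrincipalOrgID": org_id},
            "ArnLike": {"aws:PrincipalArn": ANALYZER_ROLE_PATTERN},
        },
    }


def allows_get_object(stmt, principal_arn, principal_org, bucket, key):
    """Minimal evaluator for this single Allow statement: resolves the
    ${aws:PrincipalAccount} variable from the caller's ARN, then checks the
    organization condition, the role-ARN condition and the resource match."""
    account = principal_arn.split(":")[4]
    resource = stmt["Resource"].replace("${aws:PrincipalAccount}", account)
    cond = stmt["Condition"]
    if cond["StringEquals"]["aws:PrincipalOrgID"] != principal_org:
        return False
    if not fnmatch.fnmatchcase(principal_arn, cond["ArnLike"]["aws:PrincipalArn"]):
        return False
    # IAM resource wildcards match across "/" just like fnmatch's "*"
    return fnmatch.fnmatchcase(f"arn:aws:s3:::{bucket}/{key}", resource)
```

The evaluator only models this one statement; in a real bucket policy an explicit Deny elsewhere would still win.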


But what is the risk that the Control Tower documentation warns me about with "Deleting or modifying these resources will cause your landing zone to enter an unknown state."?


What do I break by doing it anyway? How does AWS Control Tower handle the StackSet template on its version updates? – It would not be a big deal if the policy generation functionality stopped working when Control Tower applies its update and I needed to patch the StackSet template again, but is it just that, or something else? – That's something the documentation doesn't tell, and I'd be more than happy to learn.


Sincerely,

your local Cloud Gardener /niko


PS. Enabling AWS IAM Access Analyzer and policy generation would be a great feature in AWS Control Tower :)