we have a multi-account setup where we deployed an organizational-level CloudTrail in our root account's Control Tower.
Organizational-level CloudTrail allows us to deploy CloudTrail in each of our respective accounts and provides them the ability to send logs to CloudWatch in our Root account and to an S3 logging bucket in our central logging account.
Now I have AWS Athena set up in our logging account to try and run queries on the logs generated through our organizational-level CloudTrail deployment. So far, I have managed to create the Athena Table that is built on the mentioned logging bucket and I also created a destination bucket for the query results.
When I try to run a simple "preview table" query, I get the following error:
Permission denied on S3 path: s3://BUCKET_NAME/PREFIX/AWSLogs/LOGGING_ACCOUNT_NUMBER/CloudTrail/LOGS_DESTINATION This query ran against the "default" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: f72e7dbf-929c-4096-bd29-b55c6c41f582
I figured that the error is caused by the logging bucket's policy lacking any statement allowing Athena access, but when I try to edit the bucket policy I get the following error:
Your bucket policy changes can’t be saved: You either don’t have permissions to edit the bucket policy, or your bucket policy grants a level of public access that conflicts with your Block Public Access settings. To edit a bucket policy, you need s3:PutBucketPolicy permissions. To review which Block Public Access settings are turned on, view your account and bucket settings. Learn more about Identity and access management in Amazon S3
This is strange since the role I am using has full admin access to this account.
Please advise.
Thanks in advance!
CodePudding user response:
For First error message:- This error message indicates that you are trying to access the specified S3 path (s3://BUCKET_NAME/PREFIX/AWSLogs/LOGGING_ACCOUNT_NUMBER/CloudTrail/LOGS_DESTINATION) does not have sufficient permissions.
To resolve the issue, you will need to adjust the IAM policies for the user or role associated with the query. Here are the steps:
Log in to the AWS Management Console.
Go to the IAM Console.
Select the user or role associated with the query.
Click on the Permissions tab.
Click on the Edit Policy button.
Add a new statement to the policy that grants s3:GetObject access to the specified S3 path.
Save the changes.
If you still have issues, you may want to consider consulting with an AWS professional or posting your question on the AWS forums for further assistance.
For second error message:- This error message is indicating that you do not have the required permissions (s3:PutBucketPolicy) to edit the bucket policy for the specified S3 bucket. It could also be due to a conflict between your Block Public Access settings and the changes you are trying to make to the bucket policy.
To resolve the issue, you need to make sure that you have the necessary permissions to edit the bucket policy. Here are the steps to do this:
Log in to the AWS Management Console.
Go to the IAM Console.
Select the user or role associated with the error.
Click on the Permissions tab.
Add the s3:PutBucketPolicy permission to the user or role.
Save the changes.
Alternatively, you may need to review and adjust your Block Public Access settings. Here are the steps:
Log in to the AWS Management Console.
Go to the S3 Console.
Select the bucket for which you are trying to edit the policy.
Click on the Permissions tab.
Click on the Block Public Access Settings button.
Review the settings and make any necessary changes.
Save the changes.
Once you have the necessary permissions and any conflicts with the Block Public Access settings have been resolved, you should be able to save your changes to the bucket policy.
CodePudding user response:
I see this is is a follow up question to your previous one:
One of them will contain this policy:
{
"Condition": {
"ArnNotLike": {
"aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
}
},
"Action": [
"s3:PutBucketPolicy",
"s3:DeleteBucketPolicy"
],
"Resource": [
"arn:aws:s3:::aws-controltower*"
],
"Effect": "Deny",
"Sid": "GRCTAUDITBUCKETPOLICYCHANGESPROHIBITED"
},
Add these principals below AWSControlTowerExecution:
arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSAdministratorAccess*
arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AdministratorAccess*
Your condition should look like this:
"Condition": {
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/AWSControlTowerExecution",
"arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSAdministratorAccess*",
"arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AdministratorAccess*"
]
}
},
You shoulld be able to update the bucket after this is applied.