
[Control Tower] Support and documentation for using CDK with Control Tower


❓ General Issue

Have AWS Control Tower enabled. This has multiple S3 SCP guardrails.

When doing a `cdk deploy` of a pipeline, the artifact and supporting S3 buckets cannot be created.

The error is:

API: s3:SetBucketEncryption Access Denied

The Question

Need documentation, guidance, and relevant fixes to be able to use CDK pipelines within AWS Control Tower managed accounts.

Environment

AWS Control Tower

  • CDK CLI Version: cdk version 1.74.0 (build e86602f)
  • Module Version:
  • Node.js Version:
  • OS:
  • Language (Version):

Other information

Issue Analytics

  • State: open
  • Created: 3 years ago
  • Reactions: 8
  • Comments: 10 (4 by maintainers)

Top GitHub Comments

7 reactions
JohnPolansky commented, Aug 11, 2021

@dannyburke1 - To answer your question the GuardRails that I found blocking me were these:

  • Disallow Changes to Encryption Configuration for Amazon S3 Buckets
  • Disallow Changes to Bucket Policy for Amazon S3 Buckets

bootstrap won’t work with those enabled; we’ve disabled them temporarily to allow work. I’ve opened an AWS Support ticket as well to ask what the recommended course of action is. That said, there are plenty of other guardrails that will likely block CDK work, but not the bootstrap process:

  • Disallow Changes to Logging Configuration for Amazon S3 Buckets
  • Disallow Changes to Lifecycle Configuration for Amazon S3 Buckets
  • Disallow changes to replication configuration for Amazon S3 buckets
  • Disallow delete actions on S3 buckets without MFA

and others… We really need some recommended best practices for using CDK with Control Tower + SCPs, it appears. It seems like we’ll need an easy way to exclude CDK from SCP control, and while the assume-role idea works, it’s not a very automation-friendly way in my view.
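The guardrails listed in the comment above are SCP Deny statements, and an SCP Deny wins regardless of what IAM permissions the deploying principal holds; the reported "s3:SetBucketEncryption Access Denied" is the IAM action s3:PutEncryptionConfiguration being refused. The script below is an added example, not code from the issue or from the CDK project: a small SCP Deny evaluator that takes an SCP document and a calling principal and reports which S3 actions the CDK bootstrap performs on its staging bucket would be blocked. The guardrail SCP embedded in it is constructed in the style of Control Tower's S3 guardrails (Sids, resource scope and the exemption for the AWSControlTowerExecution role are assumptions, not the real policy text), the list of bootstrap S3 actions is an assumption drawn from the bootstrap template, and the bucket name is the CDK default naming pattern with a sample account ID.

```python
"""Minimal SCP Deny evaluator for the S3 actions a CDK bootstrap needs.

Only explicit Deny statements are evaluated: SCPs never grant anything, so
the question "will the guardrail block this call?" reduces to "does a Deny
statement match the action, resource and request context?". Supported
condition operators are the ones seen in guardrail-style policies.
"""
import fnmatch
import json
import sys

# S3 actions the CDK "modern" bootstrap stack performs on its staging bucket.
# ASSUMPTION for this example; verify against your bootstrap template.
CDK_BOOTSTRAP_S3_ACTIONS = [
    "s3:CreateBucket",
    "s3:PutEncryptionConfiguration",   # surfaces as "s3:SetBucketEncryption" in CFN errors
    "s3:PutBucketPolicy",
    "s3:PutBucketPublicAccessBlock",
    "s3:PutBucketVersioning",
]

# CONSTRUCTED SCP in the style of Control Tower's S3 guardrails. Not the real
# guardrail text: Sids, resource scope and the exempted role are assumptions.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyS3EncryptionChanges", "Effect": "Deny",
         "Action": ["s3:PutEncryptionConfiguration"], "Resource": ["arn:aws:s3:::*"],
         "Condition": {"ArnNotLike": {"aws:PrincipalArn": ["arn:aws:iam::*:role/AWSControlTowerExecution"]}}},
        {"Sid": "DenyS3BucketPolicyChanges", "Effect": "Deny",
         "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"], "Resource": ["arn:aws:s3:::*"],
         "Condition": {"ArnNotLike": {"aws:PrincipalArn": ["arn:aws:iam::*:role/AWSControlTowerExecution"]}}},
        {"Sid": "DenyS3DeleteWithoutMfa", "Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
         "Resource": ["arn:aws:s3:::*"],
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Default CDK staging bucket name pattern (cdk-<qualifier>-assets-<account>-<region>);
# "hnb659fds" is the CDK default qualifier, the account ID is a sample value.
DEFAULT_BUCKET_ARN = "arn:aws:s3:::cdk-hnb659fds-assets-123456789012-us-east-1"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(value, pattern, case_insensitive=False):
    """IAM-style wildcard match; action names are case-insensitive, ARNs are not."""
    if case_insensitive:
        return fnmatch.fnmatchcase(value.lower(), pattern.lower())
    return fnmatch.fnmatchcase(value, pattern)


def _condition_ok(operator, key, expected, context):
    """True if one Condition clause is satisfied by the request context."""
    patterns = [str(v) for v in _as_list(expected)]
    actual = context.get(key)
    if operator in ("ArnLike", "StringLike"):
        return actual is not None and any(_glob(actual, p) for p in patterns)
    if operator in ("ArnNotLike", "StringNotLike"):
        # Negated operators are satisfied when the key is absent from the context.
        return actual is None or not any(_glob(actual, p) for p in patterns)
    if operator == "Bool":
        return actual is not None and str(actual).lower() == patterns[0].lower()
    if operator == "BoolIfExists":
        return actual is None or str(actual).lower() == patterns[0].lower()
    raise NotImplementedError(f"condition operator {operator} not modelled")


def _statement_denies(stmt, action, resource, context):
    if stmt.get("Effect") != "Deny":
        return False
    if "NotAction" in stmt or "NotResource" in stmt:
        raise NotImplementedError("NotAction/NotResource statements are not modelled")
    if not any(_glob(action, a, True) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_glob(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    for operator, clauses in stmt.get("Condition", {}).items():
        for key, expected in clauses.items():
            if not _condition_ok(operator, key, expected, context):
                return False
    return True


def denied_actions(scp, actions, context, resource=DEFAULT_BUCKET_ARN):
    """Map each denied action to the Sid of the first Deny statement that blocks it."""
    denied = {}
    for action in actions:
        for stmt in scp["Statement"]:
            if _statement_denies(stmt, action, resource, context):
                denied[action] = stmt.get("Sid", "<no Sid>")
                break
    return denied


if __name__ == "__main__":
    # Optional: path to an SCP JSON document exported from Organizations.
    scp = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else GUARDRAIL_SCP
    principal = sys.argv[2] if len(sys.argv) > 2 else "arn:aws:iam::123456789012:role/AdminDeployRole"
    for action, sid in denied_actions(scp, CDK_BOOTSTRAP_S3_ACTIONS, {"aws:PrincipalArn": principal}).items():
        print(f"{action:35s} denied by {sid}")
```

Run it with no arguments to see the two bootstrap actions the constructed guardrails refuse for an ordinary deploy role, and again with the AWSControlTowerExecution role ARN to see the exemption; pointing it at your own exported SCP and your real deploy principal shows which guardrails you would actually be fighting, which is the check worth doing before deciding between disabling a guardrail and routing the bootstrap through an exempted role.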

5 reactions
redbaron commented, Dec 7, 2020

Don’t updates to SCPs managed by Control Tower cause configuration drift, and won’t they be overwritten on the next CT template version update?


Top Results From Across the Web

aws-cdk/aws-controltower module - AWS Documentation
For more information on the resources and properties available for this service, see the CloudFormation documentation for AWS::ControlTower. (Read the CDK ...

@aws-cdk/aws-controltower - npm
Start using @aws-cdk/aws-controltower in your project by running `npm i ... available for this service, see the CloudFormation documentation ...

Control tower & cdk bootstrap : r/aws - Reddit
Control tower doesn't have an api, so basically it needs to be the source of creation and you can do 'global' after market...

Building and governing multi-accounts using AWS Control ...
Many AWS customers are implementing multi-account strategies in order to more easily manage their cloud infrastructure and improve their ...

Customizations for Control Tower (CfCT)
This solution enables customers to easily add customizations to their AWS Control Tower landing zone using an AWS CloudFormation template and service ...
