aws-samples / findings-reporter-for-amazon-inspector

MIT No Attribution

When trying to deploy in a Control Tower - Audit account we get Access denied on PutBucketEncryption #1

Open jesperalmstrom opened 4 weeks ago

jesperalmstrom commented 4 weeks ago

To get it to work we had to uncomment the following

        # Create S3 bucket to store the report
        inspector_report_bucket = s3.Bucket(
            self, bucket_name,
            bucket_name=f'{bucket_name}.{self.region}.{self.account}',
            # encryption=s3.BucketEncryption.S3_MANAGED, # Gives Access Denied error because of Control Tower - GuardRail policy for the Audit account
            # enforce_ssl=True,
            block_public_access=s3.BlockPublicAccess.BLOCK_ALL
        )

Otherwise we got an Access Denied on the bucket creation because Control Tower has default GuardRails for changing bucket encryption. After a lot of searching we found this: https://github.com/aws-amplify/amplify-hosting/issues/3014 It led us in the right direction in finding the cause.

zenttic-aws commented 3 weeks ago

hi @jesperalmstrom , thanks for sharing this info. As a security best practice, it is strongly recommended to keep this S3 bucket storing the Inspector report encrypted and also to only accept TLS connections.

In the case of Control Tower, during the deployment or when making changes to this solution, please consider adding a temporary exception to the SCP policy causing this issue. After the change is complete, please revert back to the guardrail, so that it won't cause Control Tower drift.
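An added, stand-alone example (not part of this repository or of either comment above) that shows both halves of the thread offline: an SCP evaluator that predicts whether a deployment principal would be denied the encryption call before the stack is deployed, and a generator/checker for the TLS-only bucket policy that `enforce_ssl=True` stands for. The SCP document, the role ARNs and the bucket name are constructed for illustration and are not Control Tower's real policy text; the evaluator only understands `ArnLike`/`ArnNotLike` on `aws:PrincipalArn`, which is enough for this kind of guardrail but is not a full IAM policy engine. The IAM action behind the `PutBucketEncryption` API is `s3:PutEncryptionConfiguration`.

```python
"""Pre-flight checks for the Access Denied described in the issue.

All documents below are constructed samples (not real Control Tower policy
text): an SCP that denies s3:PutEncryptionConfiguration unless the caller is
an allow-listed role, and a bucket policy that denies non-TLS requests.
"""
import fnmatch
import json

# Constructed SCP resembling a "restrict S3 bucket encryption changes" guardrail.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictS3BucketEncryptionChanges",
            "Effect": "Deny",
            "Action": ["s3:PutEncryptionConfiguration"],
            "Resource": ["*"],
            "Condition": {
                # Hypothetical exempt role; the real exemption list is whatever the SCP says.
                "ArnNotLike": {"aws:PrincipalArn": ["arn:aws:iam::*:role/AWSControlTowerExecution"]}
            },
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match (* and ?); actions and ARNs compared case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def scp_denies(scp, action, principal_arn):
    """Return True if any Deny statement in the SCP applies to this action/principal."""
    for stmt in scp.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {})
        # ArnNotLike: the deny applies unless the principal matches an exempt pattern.
        exempt = _as_list(cond.get("ArnNotLike", {}).get("aws:PrincipalArn", []))
        if exempt and any(_matches(p, principal_arn) for p in exempt):
            continue
        # ArnLike: the deny applies only when the principal matches.
        only = _as_list(cond.get("ArnLike", {}).get("aws:PrincipalArn", []))
        if only and not any(_matches(p, principal_arn) for p in only):
            continue
        return True
    return False


def tls_only_policy(bucket_arn):
    """Bucket policy denying every S3 request that does not arrive over TLS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def enforces_tls(policy):
    """True if a Deny statement covers data access (s3:GetObject) when SecureTransport is false."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_matches(a, "s3:GetObject") for a in _as_list(stmt.get("Action", []))):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() == "false":
            return True
    return False


if __name__ == "__main__":
    deployer = "arn:aws:iam::123456789012:role/cdk-deploy-role"  # constructed
    print("deployer blocked by SCP:",
          scp_denies(SAMPLE_SCP, "s3:PutEncryptionConfiguration", deployer))
    print(json.dumps(tls_only_policy("arn:aws:s3:::example-report-bucket"), indent=2))
```

Running `scp_denies` with the role the CDK deployment actually assumes tells you up front whether the stack will fail on the encryption call, so the temporary SCP exception the maintainer describes can be scoped to exactly that role and action; `enforces_tls` is the check to run against the deployed bucket policy afterwards to confirm the TLS-only deny was not lost along with the encryption setting.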