如何编辑组织级 CloudTrail 部署的存储桶策略

我发现这是您上一个问题的后续问题：使用 Athena 时 S3 权限被拒绝

Control Tower Guardrail 自动部署一个 Guardrail，禁止更新 aws-controltower 存储桶策略。

在您的主账户中，转到 AWS Organizations。然后，转到您的安全 OU。然后转到策略选项卡。您应该看到 2 个护栏策略：

其中一个将包含此政策：

{
  "Condition": {
    "ArnNotLike": {
      "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
    }
  },
  "Action": [
    "s3:PutBucketPolicy",
    "s3:DeleteBucketPolicy"
  ],
  "Resource": [
    "arn:aws:s3:::aws-controltower*"
  ],
  "Effect": "Deny",
  "Sid": "GRCTAUDITBUCKETPOLICYCHANGESPROHIBITED"
},

在 AWSControlTowerExecution 下面添加这些主体：

arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSAdministratorAccess*

arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AdministratorAccess*

你的情况应该是这样的：

"Condition": {
  "ArnNotLike": {
    "aws:PrincipalArn": [
      "arn:aws:iam::*:role/AWSControlTowerExecution",
      "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AWSAdministratorAccess*",
      "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AdministratorAccess*"
    ]
  }
},

应用此功能后，您应该能够更新存储桶。

我建议 AWS Support 给出不同的答案。您应该使用切换角色选项并使用 AWSControlTowerExecution 角色，然后您可以修改策略，而不是修改护栏，这会导致发生漂移。