Describe the bug
With Control Tower version 4.0, AWS moved out the Config logs into its own bucket in the audit account.
And the CloudTrail logs into a specific bucket for CloudTrail logs.
The old bucket with its naming does not exist anymore for new landing zones.
Config is required in the management account for SecurityHub to deploy successfully via SRA.
With that, deployments via SRA fail:
No such s3 bucket with name 'aws-controltower-logs-123456789012-eu-central-1'
To Reproduce
Steps to reproduce the behavior:
- CFCT
- Deploy SRA and enable config
- Wait for deployment
- See error
Expected behavior
Deployment successful
Deployment Environment (please complete the following information)
- Control Tower 4.0
- CFCT
- SRA
Additional context
Workaround would be to deploy Config manually in the management account...
On a side note, the templates are not up to date.
For example, the maximum CIS standard available is 1.4.0, but we already have 3.0.0 and 5.0.0 in place.