I'm using AWS Control Tower for the first time to setup an new environment. I need to provide an organizational unit with access to QuickSight. Under AWS Organization I found an SCP named aws-guardrails-oFLbdq which Deny's access to a list of services so I edited this, adding "quicksight:*" to the list of "NotAction" services. This edit allowed me access to QuickSight.
However - AWS Control Tower is now reporting the following:
AWS Control Tower has detected drift in one or more preventive controls. A managed SCP was deleted, detached, or modified, so AWS Control Tower cannot enforce control compliance for accounts in OU... To fix this, re-register the OU.
I've looked at the documentation but I can't work this out. Can someone tell me how I can allow QuickSight access for a specific Organizational Unit without upsetting Control Tower?
Things I've tried:
I created a new SCP with the following policy, then I attached it to the OU. But it didn't work - I still see a 'not authorized to perform: quicksight:DescribeAccountSubscription on resource: arn:aws:quicksight:... with an explicit deny in a service control policy':
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"quicksight:*"
],
"Resource": [
"*"
]
}
]
}
Looking at the SCP which I'd tried to edit, I noticed it had "Sid": "GRREGIONDENY". I traced this identifier to the AWS-GR_REGION_DENY control in the AWS Control Tower Controls Library.
The control has this description:
Disallows access to unlisted operations in global and regional services outside of the specified Regions. To configure the Region deny control, go to the Landing zone settings page and select Modify settings. When enabled, the Region deny control applies to the entire landing zone and all registered OUs. It cannot be configured for individual OUs
This caused me to head to the Landing Zone settings
In the Landing zone settings I noted that the 'Region deny setting' was enabled with no apparent configuration options that might allow me to modify the SCP. I took the following steps:
I scripted the statement in the SCP where "Sid": "GRREGIONDENY"
Changed the Landing Zone settings to set the 'Region deny setting' to 'Not Enabled'
Applied the change, taking about an hour
Confirmed that QuickSight was now available in the account
I created a new SCP in the AWS Organizations Policies section, using the statement from the scripted "Sid": "GRREGIONDENY". To this I added "quicksight:*". My SCP looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"eu-west-1"
]
},
"ArnNotLike": {
"aws:PrincipalARN": [
"arn:aws:iam::*:role/AWSControlTowerExecution"
]
}
},
"Resource": "*",
"Effect": "Deny",
"NotAction": [
"a4b:*",
...(snip for brevity)...
"pricing:*",
"quicksight:*",
"resource-explorer-2:*",
...(snip)..
"wafv2:*"
],
"Sid": "ModifiedGRREGIONDENY"
}
]
}
I attached this new SCP to the appropriate OUs
Success! The SCP 'region deny' rules remain in place and QuickSight is now permitted in the account